NOTE: this depends on a kernel patch, so please merge that before this can be merged. Also, apart from build testing and running the binaries on an unpatched kernel (and confirming the netlink payload is formatted as it should be), this is untested.

This series adds the nftables side of "socket wildcard", a new expression that extracts whether the associated socket is bound to the ANY address or not. iptables originally had this behavior by default when using "-m socket --transparent", but this was missing from nftables.

Also, the last patch in the series allows one to override the "nft" executable used by the tests.