[PATCH nft 0/7] rework tcp option handling


This reworks how tcp options are handled in nft internally.
First patches refactor and condense code.

In particular, it removes the duplication of 'sack-perm'/permitted
maxseg/mss lexer keys -- synproxy and tcp option used different tokens,
leading to confusing syntax errors when using the 'wrong' word in the
'wrong' place.

Patch 5 is the first one with a new feature: it allows checking for the
presence of any tcp option kind, i.e. 'tcp option $number'.
Patches 6 and 7 add 'raw' payload matching for tcp options to allow
testing for tcp options that do not have an internal template.




