
firewall: add option to send REJECT replies

Open wadey opened this issue 2 years ago • 0 comments

This change allows you to configure the firewall to send REJECT packets when a packet is denied.

firewall:
  # Action to take when a packet is not allowed by the firewall rules.
  # Can be one of:
  #   `drop` (default): silently drop the packet.
  #   `reject`: send a reject reply.
  #     - For TCP, this will be a RST "Connection Reset" packet.
  #     - For other protocols, this will be an ICMP port unreachable packet.
  outbound_action: drop
  inbound_action: drop

These packets are only sent to established tunnels, and only on the overlay network (currently IPv4 only).

ICMP:

$ ping -c1 192.168.100.3
PING 192.168.100.3 (192.168.100.3) 56(84) bytes of data.
From 192.168.100.3 icmp_seq=2 Destination Port Unreachable

--- 192.168.100.3 ping statistics ---
2 packets transmitted, 0 received, +1 errors, 100% packet loss, time 31ms

TCP:

$ ncat -nzv -w5 192.168.100.2 2000
Ncat: Connection refused.

UDP:

$ ncat -nzuv -w5 192.168.100.3 3000
Ncat: Connected to 192.168.100.3:3000.
Ncat: Connection refused.

This change also modifies the smoke test to capture tcpdump pcaps from both the inside and outside to inspect what is going on over the wire. It also now does TCP and UDP packet tests using the Nmap version of ncat.

wadey, Aug 31 '22 15:08
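To make the reject semantics above concrete, here is an added Go example (my own code, not nebula's) that builds the reply a `reject` action would send for a denied IPv4 packet: a TCP RST/ACK when the denied packet is TCP, otherwise an ICMP type 3 code 3 "port unreachable" quoting the offending packet. The function names `RejectReply`, `ipv4` and `checksum` are mine, and the input packets are constructed samples.

```go
package main

import "encoding/binary"
// checksum is the ones-complement Internet checksum (RFC 1071) shared by IPv4, ICMP and TCP.
func checksum(b []byte) uint16 {
	var sum uint32
	for i := 0; i+1 < len(b); i += 2 { // every input here has an even length
		sum += uint32(binary.BigEndian.Uint16(b[i:]))
	}
	for sum>>16 != 0 {
		sum = sum&0xffff + sum>>16
	}
	return ^uint16(sum)
}

// ipv4 wraps payload in a minimal 20-byte IPv4 header (no options, TTL 64) from src to dst.
func ipv4(src, dst []byte, proto byte, payload []byte) []byte {
	h := make([]byte, 20, 20+len(payload))
	h[0], h[8], h[9] = 0x45, 64, proto // version 4, IHL 5, TTL, protocol
	binary.BigEndian.PutUint16(h[2:], uint16(20+len(payload)))
	copy(h[12:], src)
	copy(h[16:], dst)
	binary.BigEndian.PutUint16(h[10:], checksum(h))
	return append(h, payload...)
}

// RejectReply builds the reply a `reject` action sends for a denied IPv4 packet: a TCP RST/ACK for
// TCP, otherwise ICMP type 3 code 3 quoting the IP header plus 8 payload bytes; nil if unusable.
func RejectReply(pkt []byte) []byte {
	if len(pkt) < 28 || pkt[0]>>4 != 4 || pkt[0]&0x0f < 5 || len(pkt) < int(pkt[0]&0x0f)*4+8 {
		return nil // not IPv4, or too short to quote/answer
	}
	ihl := int(pkt[0]&0x0f) * 4
	src, dst, proto := pkt[12:16], pkt[16:20], pkt[9]
	if proto != 6 { // not TCP: ICMP destination unreachable / port unreachable
		icmp := make([]byte, 8, 16+ihl)
		icmp[0], icmp[1] = 3, 3
		icmp = append(icmp, pkt[:ihl+8]...)
		binary.BigEndian.PutUint16(icmp[2:], checksum(icmp))
		return ipv4(dst, src, 1, icmp)
	}
	tcp, rst := pkt[ihl:], make([]byte, 20)
	copy(rst[0:2], tcp[2:4]) // reply from the denied destination port...
	copy(rst[2:4], tcp[0:2]) // ...back to the sender's source port
	binary.BigEndian.PutUint32(rst[8:], binary.BigEndian.Uint32(tcp[4:])+1) // ACK = SEQ+1
	rst[12], rst[13] = 5<<4, 0x14                                          // offset 5, RST|ACK
	pseudo := append(append(append([]byte{}, dst...), src...), 0, 6, 0, 20) // TCP pseudo-header
	binary.BigEndian.PutUint16(rst[16:], checksum(append(pseudo, rst...)))
	return ipv4(dst, src, 6, rst)
}
```

The reply is only meaningful if it is injected back into the tunnel toward the original sender, which is why the option applies to established tunnels only.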