move raw idletimer ahead of clat

This should make idletimer work better with received ipv6 packets
which we will later translate via clatd to ipv4.

Sample config from a bonito test device:

  *raw
  -A PREROUTING -j clat_raw_PREROUTING
  -A PREROUTING -j bw_raw_PREROUTING
  -A PREROUTING -j idletimer_raw_PREROUTING  <-- moves up two lines
  -A PREROUTING -j tetherctrl_raw_PREROUTING
  -A bw_raw_PREROUTING -i ipsec+ -j RETURN
  -A bw_raw_PREROUTING -m policy --dir in --pol ipsec -j RETURN
  -A bw_raw_PREROUTING -m bpf --object-pinned /sys/fs/bpf/prog_netd_skfilter_ingress_xtbpf
  -A clat_raw_PREROUTING -s 64:ff9b::/96 -d 2a00:79e1:abc:1539:9c61:cc49:8607:d7b/128 -i wlan0 -j DROP
  -A idletimer_raw_PREROUTING -i wlan0 -j IDLETIMER --timeout 15 --label 1 --send_nl_msg

Moving idletimer before clat is desirable, because we want the wakeup
events generated; moving idletimer before bw_raw is a required side
effect, as clat needs to be before bw_raw to make ingress accounting
correct, since it has to drop the packets that clatd will process
and the accounting will happen on the v4-* interface instead.

Since both bw_raw and idletimer are non-terminal, there is no real
difference to the behaviour with the new ordering between these two.

Unfortunately this will not fix any packets which get offloaded by
tc ebpf clat program, since they will never show up in ip6tables.

This will be resolved either via adding additional idletimer rules
to the v4-* interface, or by eliminating clatd and the v4-* interfaces
entirely (i.e. moving to a purely ebpf based clat solution).

Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I7d856f74d1785d9a19d1f5faad95c8982f0a049a
2 files changed
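
Added example, not part of the commit or of netd: a small Python model of the raw PREROUTING walk from the sample config, showing that the terminal clat DROP hides translated packets from IDLETIMER under the old order while the accounting hook stays unaffected. The shortened chain names, the always-matching bpf rule, the omitted ipsec policy match and the two packets are constructed assumptions.

```python
import ipaddress

# Constructed model of the sample raw table. Simplifications (assumptions):
# the ipsec policy match is omitted and the bpf match always hits.
# Chain names are shortened from e.g. clat_raw_PREROUTING to "clat".
CHAINS = {
    "clat": [({"src": "64:ff9b::/96", "iif": "wlan0",
               "dst": "2a00:79e1:abc:1539:9c61:cc49:8607:d7b/128"}, "DROP")],
    "bw": [({"iif": "ipsec+"}, "RETURN"), ({}, "BPF_ACCOUNT")],
    "idletimer": [({"iif": "wlan0"}, "IDLETIMER")],
    "tetherctrl": [],
}
OLD_ORDER = ["clat", "bw", "idletimer", "tetherctrl"]
NEW_ORDER = ["idletimer", "clat", "bw", "tetherctrl"]

def matches(match, pkt):
    for key, want in match.items():
        if key == "iif":  # trailing '+' is the iptables interface wildcard
            ok = pkt["iif"].startswith(want[:-1]) if want.endswith("+") else pkt["iif"] == want
        else:
            ok = ipaddress.ip_address(pkt[key]) in ipaddress.ip_network(want)
        if not ok:
            return False
    return True

def traverse(order, pkt):
    """Walk PREROUTING; return (non-terminal targets that fired, verdict)."""
    fired = []
    for chain in order:
        for match, target in CHAINS[chain]:
            if not matches(match, pkt):
                continue
            if target == "DROP":      # terminal: nothing later sees the packet
                return fired, "DROP"
            if target == "RETURN":    # leave this chain, continue in PREROUTING
                break
            fired.append(target)      # non-terminal: side effect, keep going
    return fired, "ACCEPT"            # fell through to the chain policy

# Constructed packets: one that clatd will translate, one native IPv6.
CLAT_PKT = {"src": "64:ff9b::c000:201", "iif": "wlan0",
            "dst": "2a00:79e1:abc:1539:9c61:cc49:8607:d7b"}
NATIVE_PKT = {"src": "2001:db8::1", "dst": "2001:db8::2", "iif": "wlan0"}

if __name__ == "__main__":
    for name, order in (("old", OLD_ORDER), ("new", NEW_ORDER)):
        print(name, traverse(order, CLAT_PKT), traverse(order, NATIVE_PKT))
```

For native IPv6 traffic both orders fire the same two non-terminal targets, only in a different sequence, which is the "no real difference" case the message describes.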