layer3: add option to enable stateful firewall on client network

Add the following option to the client config section in
`/etc/config/gateway` to enable a basic stateful firewall:

```
config client
    option stateful_firewall '1'
```

The firewall will forward icmp mesages and allow any outbound client
traffic and related inbound traffic.

Acked-by: Fabian Bläse <fabian@blaese.de>

src/packages/fff/fff-layer3-config/files/etc/layer3.d/30-network-client

@@ -57,6 +57,12 @@ configure() {
 	else
 		echo "WARNING: No Interface for client specified"
 	fi
+
+	# stateful firewall
+	uci -q del network.client.fff_stateful_firewall
+	if [ "$(uci -q get gateway.@client[0].stateful_firewall)" = 1 ]; then
+		uci set network.client.fff_stateful_firewall=1
+	fi
 }
 
 apply() {

src/packages/fff/fff-layer3/files/usr/lib/firewall.d/20-stateful-firewall

@@ -0,0 +1,56 @@
+[ "$(uci -q get network.client.fff_stateful_firewall)" != 1 ] && return
+
+nft -f - << EOF
+table ip filter {
+	chain forward-client {
+		ct state {
+			established,
+			related,
+		} accept \
+		comment "accept traffic originating from clients"
+
+		ip protocol icmp icmp type {
+			echo-reply,
+			destination-unreachable,
+			echo-request,
+			time-exceeded,
+			parameter-problem,
+		} accept \
+		comment "accept icmp"
+
+		counter drop \
+		comment "drop the rest"
+	}
+	chain FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname br-client goto forward-client
+	}
+}
+
+table ip6 filter {
+	chain forward-client {
+		ct state {
+			established,
+			related,
+		} accept \
+		comment "accept traffic originating from clients"
+
+		ip6 nexthdr icmpv6 icmpv6 type {
+			destination-unreachable,
+			packet-too-big,
+			time-exceeded,
+			parameter-problem,
+			echo-request,
+			echo-reply,
+		} accept \
+		comment "accept icmpv6 for basic ipv6 functionality"
+
+		counter drop \
+		comment "drop the rest"
+	}
+	chain FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname br-client goto forward-client
+	}
+}
+EOF