Add iptables --hex-string support to firewall resource

[alexconrey]

TL;DR
Add string_hex parameter to the firewall resource when using iptables. Hex matching is useful for packet marking among other things.

Why?
Blocking a matching hex string is very useful for various types of attacks. The real world use case for this (aka. my motivation) was to block DNS reflection attacks. While the proper fix to these issues is usually within the application itself, sometimes we need to mitigate the issue until code can be fixed. With this PR, the following becomes possible:

common::fw_rules:
  '002 mark dns ANY queries UDP':
    proto: 'udp'
    dport: 53
    string_algo: 'bm'
    string_from: 40
    string_hex: '|0000FF0001|'
    recent: 'set'
    rname: 'dnsanyquery'
  '002 mark dns ANY queries TCP':
    proto: 'tcp'
    dport: 53
    string_algo: 'bm'
    string_from: 52
    string_hex: '|0000FF0001|'
    recent: 'set'
    rname: 'dnsanyquery'
  '002 ratelimit dns ANY queries UDP':
    proto: 'udp'
    action: 'drop'
    dport: 53
    string_algo: 'bm'
    string_from: 40
    string_hex: '|0000FF0001|'
    recent: 'rcheck'
    rname: 'dnsanyquery'
    rseconds: 60
    rhitcount: 3
  '002 ratelimit dns ANY queries TCP':
    proto: 'tcp'
    action: 'drop'
    dport: 53
    string_algo: 'bm'
    string_from: 52
    string_hex: '|0000FF0001|'
    recent: 'rcheck'
    rname: 'dnsanyquery'
    rseconds: 60
    rhitcount: 3

Rebased against master (using my own branch, which i should have done in the first place) per @sanfrancrisko request here: #902 (comment)

[codecov-io]

Codecov Report

❗ No coverage uploaded for pull request base (master@a562efd). Click here to learn what that means.
The diff coverage is n/a.

@@            Coverage Diff            @@
##             master     #907   +/-   ##
=========================================
  Coverage          ?   80.75%           
=========================================
  Files             ?       11           
  Lines             ?     1632           
  Branches          ?        0           
=========================================
  Hits              ?     1318           
  Misses            ?      314           
  Partials          ?        0           

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update a562efd...2fc144e. Read the comment docs.

[carabasdaniel]

Hi @alexconrey

Thank you for your contribution, this looks good.

[jkroepke]

@alexconrey @carabasdaniel

Does this work for ip6tables, too?

[mnejedlo-tds]

I don't consider my answer authoritative, but from what I can see in the diff I believe the answer is no, this patch does not include ip6tables support. There are no changes in the ip6tables provider to mirror the changes in the iptables provider.

[mnejedlo-tds]

Ip6tables provider as pull req. 923