port kube-proxy nftables to netlink API (?)

What's the problem?

OK, so the arguments for using `nft` rather than the netlink API in the nftables kube-proxy backend were:

- The `nft` "API"/language is documented, the netlink API is not really.
- The bytecode used by actual nftables rules is even less documented than the netlink API.
- So if we use netlink/bytecode, it will be harder to understand what the code is doing, and harder to make changes.
- In particular, there is really no good way to use the netlink/bytecode API other than to invoke `nft` and see what it does (e.g., `nft --debug netlink`) and then copy that.
- ...and this changes depending on both CLI version and kernel version.
- (Seriously, just read through https://github.com/google/nftables/issues?q=is%3Aissue. Some of them are kind of horrifying.)
- `nft` is generally not good about being able to decompile nftables bytecode that it didn't write, so if we write rules with non-`nft`-generated bytecode, they will (at best) be invisible to admins using `nft list ruleset` and (at wors...

Why does this happen?

Automatically extracted from Kubernetes issue report.

How to fix it

Refer to the original GitHub issue for discussion and potential fixes.

#k8s #sig-network #github-issue