enhance NF filter capabilities
closes https://gitlab.labs.nic.cz/turris/turris-build/issues/64

# CONFIG_NETFILTER_XT_TARGET_HMARK
This option adds the "HMARK" target. The target allows you to create rules in the "raw" and "mangle" tables which set the skbuff mark by means of hash calculation within a given range. The nfmark can influence the routing method and can also be used by other subsystems to change their behaviour.

# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP
This option adds a "TCPOPTSTRIP" target, which allows you to strip TCP options from TCP packets.

# CONFIG_NETFILTER_XT_MATCH_CGROUP
Socket/process control group matching allows you to match locally generated packets based on which net_cls control group processes belong to.

# CONFIG_NETFILTER_XT_MATCH_IPCOMP
This match extension allows you to match a range of CPIs (16 bits) inside IPComp header of IPSec packets.

# CONFIG_NETFILTER_XT_MATCH_L2TP
This option adds an "L2TP" match, which allows you to match against L2TP protocol header fields.

# CONFIG_NETFILTER_XT_MATCH_OSF
This option selects the Passive OS Fingerprinting match module that allows to passively match the remote operating system by analyzing incoming TCP SYN packets. Rules and loading software can be downloaded from http://www.ioremap.net/projects/osf

# CONFIG_NETFILTER_XT_MATCH_SCTP
With this option enabled, you will be able to use the `sctp' match in order to match on SCTP source/destination ports and SCTP chunk types.