When C/R-ing a net namespace with --empty-ns net option we should also
skip netfilter rules too (as per https://github.com/docker/docker/issues/27597).

However, there's one thing to be handled -- local TCP blocking rules are
expected to be there on restore by restore_iptables() which is no longer
the case, so put them back manually.

Test included, checked on zdtm/static/socket-tcpbuf-local :)

v2: Full scripts for empty netns setup.

https://github.com/xemul/criu/issues/246Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>