Between dump and restore of a tcp conn we have to keep the connection
blocked, since the socket doesn't exists in the kernel at this time
and any packet from peer will result in RST. Thus, add the -j DROP rule
for every connection we're about to repair.

Later, when we support containers, this will be extended to stop the
whole networking in a CT instead of cherry-peeking connections.

It does system("iptables ...") for this, but I'd prefer using the
libnetfilter-devel sometime in the future.
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>