more work on the fail-over code

I'm getting more and more of the fail-over code done. It now implements conntrack exemption (NOTRACK) for the sync device, and also blocks all incoming/outgoing network traffic on any node that is currently in 'slave' state. This means that all interfaces can be configured, any applications can be running, sockets bound, ... - but none of that will be visible to the network until the node is propagated to master state.
This needs explicit support for new netfilter hooks in the core network stack (I call them l2hooks, other people NETFILTER_PACKET).

Main parts that are missing:

  • Correctly deal with sync packet loss situations
  • Replicate expectations (needs conntrack expect notifications)
  • Testing on SMP systems, there might be locking bugs