Clamp MSS when tethering to fix broken fragmentation.
Adds a netfilter rule to allow tethering with ISPs that don't support fragmented packets, but do advertise an appropriate path MTU.

Background: some ISPs don't support IP fragmentation, either because they're afraid of IP fragmentation attacks, or their routers are braindead. Usually this isn't an issue for connecting clients because their DHCP responses include an interface MTU equal to the path MTU. In response, the client ensures during TCP handshakes that connections use an MSS that results in TCP/IP packets never being fragmented.

However, problems occur when the connecting "client" is a NAT router (such as a tethering phone). Often the phone-tethered host interface (e.g., USB RNDIS, 802.11, etc.) uses a preset MTU (usually 1500) that exceeds the path MTU advertised by the ISP. The host will open TCP connections with too large an MSS, and inevitably large packets will become fragmented and lost.

The fix is to have the router (phone) mangle TCP handshakes to clamp the MSS such that generated TCP/IP packets never exceed the path MTU. This implements such a fix as described in the iptables(8) man page.
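The rewrite the message describes, as an added Python example (not part of this commit or of netfilter): it walks a SYN's option list, lowers the MSS so MSS plus 40 bytes of IPv4/TCP headers fits the path MTU, and patches the TCP checksum incrementally the way a router would. The sample SYN, addresses and ports are constructed for the example.

```python
import struct
IP_HDR, TCP_HDR, FLAG_SYN = 20, 20, 0x02   # minimum IPv4 / TCP header sizes, SYN flag bit
OPT_END, OPT_NOP, OPT_MSS = 0, 1, 2        # TCP option kinds
def ocsum(data: bytes) -> int:
    """16-bit one's complement sum (data zero-padded to an even length)."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src_ip: bytes, dst_ip: bytes, seg: bytes) -> int:
    """Full TCP checksum over the IPv4 pseudo-header plus the segment."""
    return ~ocsum(src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(seg)) + seg) & 0xFFFF

def build_syn(src_ip: bytes, dst_ip: bytes, options: bytes) -> bytes:
    """Constructed SYN (ports 40000 -> 443, no payload) with a valid checksum; not a capture."""
    options += b"\x00" * (-len(options) % 4)
    hdr = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0,
                      ((TCP_HDR + len(options)) // 4) << 4, FLAG_SYN, 65535, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr + options)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + options

def patch_u16(buf: bytearray, pos: int, value: int) -> None:
    """Overwrite a 16-bit field and fix the checksum incrementally (RFC 1624), even if unaligned."""
    lo, hi = pos // 2 * 2, (pos + 1) // 2 * 2 + 2          # checksum words the field overlaps
    old_words, old_csum = ocsum(bytes(buf[lo:hi])), struct.unpack_from("!H", buf, 16)[0]
    struct.pack_into("!H", buf, pos, value)
    s = ocsum(struct.pack("!HHH", ~old_csum & 0xFFFF, ~old_words & 0xFFFF, ocsum(bytes(buf[lo:hi]))))
    struct.pack_into("!H", buf, 16, ~s & 0xFFFF)

def clamp_mss(seg: bytes, path_mtu: int) -> bytes:
    """Clamp a SYN's MSS so MSS + IPv4 + TCP headers fit path_mtu; other segments pass through."""
    max_mss = path_mtu - IP_HDR - TCP_HDR
    if not seg[13] & FLAG_SYN:
        return seg
    buf, i, end = bytearray(seg), TCP_HDR, (seg[12] >> 4) * 4
    while i + 1 < end and buf[i] != OPT_END:             # walk the option list
        if buf[i] == OPT_NOP:
            i += 1
        elif buf[i] == OPT_MSS and buf[i + 1] == 4:
            if struct.unpack_from("!H", buf, i + 2)[0] > max_mss:
                patch_u16(buf, i + 2, max_mss)
            break
        else:
            i += max(buf[i + 1], 2)                      # max() guards against a zero length
    return bytes(buf)

# Constructed sample: tethered host advertises MSS 1460 (1500-byte link) but the ISP path MTU is 1400.
SRC_IP, DST_IP = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7])
SAMPLE_SYN = build_syn(SRC_IP, DST_IP, b"\x02\x04\x05\xb4")
```

On the phone this work is done in the kernel by the rule from the iptables(8) man page (`-t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu`); the snippet only makes the arithmetic visible.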