Reorder the commands in whitelist chains.

Currently FirewallController::replaceUidChain uses the same
layout when building whitelist and blacklist chains: first it
writes the exception rules (e.g., system apps, RST packets,
ICMPv6 packets, etc.), and then the UIDs in the chain.

This works, but it looks strange because unlike whitelist chains,
insertion into whitelist chains always happens at the front of
the chain. Make whitelist chains start with the UIDs, so that
when UIDs are added at the beginning, they are contiguous to the
UIDs that are already there.

Bug: 32073253
Test: netd_{unit,integration}_test passes
Test: bullhead builds, boots
Test: fw_powersave chain looks sane
Change-Id: I8a0ac7a33604455171b56e1d503cfe028a37a062