Convert NatController to iptables-restore.

This conversion is a bit more involved than previous ones, mostly
due to all the error unwinding.

For the sake of readability, this change limits itself to
converting mostly maintaining their order, with the exception
that it puts the rpfilter rule before all the LOCAL_FORWARD rules
to simplify error handling.

It also groups commands together as much as possible to simplify
error handling: because a set of iptables commands between
"*<table>" and "COMMIT" will either all succeed or all fail,
grouping commands together limits the number of required
error handling paths.

(cherry picked from commit eb7eb3ec)

Bug: 28362720
Test: bullhead builds,boots
Test: netd_{unit,integration}_test pass
Change-Id: I73b511e242773e559afef00fa29154267070691d
Merged-In: I3f72946de374a7deaeef88b1dd5589d9a20ccce7