git.ipfire.org Git - thirdparty/iptables.git/commit
nft-shared: Lookup matches in iptables_command_state
author Phil Sutter <phil@nwl.cc>
Thu, 16 Feb 2023 20:55:54 +0000 (21:55 +0100)
committer Phil Sutter <phil@nwl.cc>
Fri, 17 Feb 2023 17:18:48 +0000 (18:18 +0100)
commit f5993955ab1d1ef34a0729af2eb58e1eb4f084da
tree eda1d3e7c130bfa1703a00baaf1abd1796a3fe18
parent aa72fad69a7709f3610f1adc4794885c79788d08

Some matches may turn into multiple nft statements (naturally or via
translation). Such statements must parse into a single extension again
in order to rebuild the rule as it was.

Introduce nft_find_match_in_cs() to iterate through the lists and drop
tcp/udp port match caching in struct nft_xt_ctx which is not needed
anymore.

Note: Match reuse is not enabled unconditionally for all matches,
because iptables supports having multiple instances of the same
extension.

Signed-off-by: Phil Sutter <phil@nwl.cc>
iptables/nft-shared.c
iptables/nft-shared.h
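
Added example, not code from this commit or from iptables: a simplified model of looking up an existing match in the rule state so that two port statements fold back into one extension, and of why reuse has to stay optional. The struct layouts, parse_port() and its reuse flag are hypothetical; find_match_in_cs() only mirrors the idea behind the nft_find_match_in_cs() named above, and the port values are constructed.

```c
/* Simplified model with hypothetical names; not the iptables source. */
#include <stdlib.h>
#include <string.h>

struct match {                  /* one extension instance in a rule */
    const char *name;           /* "tcp", "udp", ... */
    int sport, dport;           /* -1 means "not set" */
    struct match *next;
};
struct cmd_state { struct match *matches; };  /* stand-in for the rule state */

/* Return the first match named `name` already attached to the rule. */
static struct match *find_match_in_cs(struct cmd_state *cs, const char *name)
{
    for (struct match *m = cs->matches; m; m = m->next)
        if (strcmp(m->name, name) == 0)
            return m;
    return NULL;
}

/* Append a new instance at the tail so match order is preserved. */
static struct match *add_match(struct cmd_state *cs, const char *name)
{
    struct match *m = calloc(1, sizeof(*m)), **pp = &cs->matches;
    if (!m) return NULL;
    m->name = name;
    m->sport = m->dport = -1;
    while (*pp) pp = &(*pp)->next;
    *pp = m;
    return m;
}

/* Parse one port statement; with reuse, fold it into an existing match. */
static int parse_port(struct cmd_state *cs, const char *proto,
                      int is_dport, int port, int reuse)
{
    struct match *m = reuse ? find_match_in_cs(cs, proto) : NULL;
    if (!m && !(m = add_match(cs, proto))) return -1;
    if (is_dport) m->dport = port; else m->sport = port;
    return 0;
}
static int count_matches(const struct cmd_state *cs)
{
    int n = 0;
    for (const struct match *m = cs->matches; m; m = m->next) n++;
    return n;
}
int main(void)
{
    struct cmd_state cs = { NULL };
    parse_port(&cs, "tcp", 0, 1024, 1);   /* constructed: sport statement */
    parse_port(&cs, "tcp", 1, 443, 1);    /* constructed: dport statement */
    return count_matches(&cs) == 1 ? 0 : 1;
}
```

With reuse disabled the same two statements yield two separate "tcp" instances, which is the behaviour a rule with deliberately repeated extensions needs.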