zones: restrict default ACCEPT rules to NEW ctstate
author Jo-Philipp Wich <jo@mein.io>
Mon, 8 Aug 2016 13:52:28 +0000 (15:52 +0200)
committer Jo-Philipp Wich <jo@mein.io>
Mon, 8 Aug 2016 14:16:04 +0000 (16:16 +0200)
commit 6009904eb4dfe91e3d0b5cb96c4095232a303835
tree 5e34398dc80b2632aeea2138acfaf693831f7737
parent 47b23946cb2d51c486cd01596744955f850e2060
zones: restrict default ACCEPT rules to NEW ctstate

Restrict the per-zone default accept rules to only accept streams with
conntrack state NEW when drop_invalid is disabled.

This commit hardens the firewall in order to allow disabling drop_invalid
by default since ctstate INVALID also matches desired traffic like IPv6
neighbour discovery messages.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
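As an added illustration, not code from firewall3 or from this commit, the following Python models how a per-zone default ACCEPT rule treats the four conntrack states before and after it is restricted to NEW, with drop_invalid on and off. The chain layout (an early ESTABLISHED,RELATED accept, an INVALID drop only when drop_invalid is set, then the zone default rule), the FALLTHROUGH marker for "no zone rule decided" and the classification of an IPv6 neighbour solicitation as ctstate INVALID are assumptions for the model; the sample packets are constructed.

```python
"""Model of a zone's default ACCEPT rule with and without a ctstate NEW match.
Added example; not fw3 code. Chain layout and sample packets are assumed."""
from typing import Dict, FrozenSet, List, NamedTuple, Optional

CTSTATES = ("NEW", "ESTABLISHED", "RELATED", "INVALID")


class Rule(NamedTuple):
    target: str                          # ACCEPT, DROP or REJECT
    ctstates: Optional[FrozenSet[str]]   # None: no conntrack match, fires on anything


def build_chain(default_policy: str, drop_invalid: bool, restrict_new: bool) -> List[Rule]:
    """Assumed ordering: ESTABLISHED,RELATED accept, optional INVALID drop
    (drop_invalid), then the zone's default rule. With restrict_new the
    default ACCEPT only fires on NEW when drop_invalid is disabled, which is
    the behaviour the commit message describes."""
    chain = [Rule("ACCEPT", frozenset({"ESTABLISHED", "RELATED"}))]
    if drop_invalid:
        chain.append(Rule("DROP", frozenset({"INVALID"})))
    if default_policy == "ACCEPT" and restrict_new and not drop_invalid:
        chain.append(Rule("ACCEPT", frozenset({"NEW"})))      # hardened default
    else:
        chain.append(Rule(default_policy, None))              # catch-all default
    return chain


def verdict(chain: List[Rule], ctstate: str) -> str:
    """First matching rule wins; FALLTHROUGH means the zone did not decide
    and later chains or the chain policy will (assumed marker)."""
    for rule in chain:
        if rule.ctstates is None or ctstate in rule.ctstates:
            return rule.target
    return "FALLTHROUGH"


def verdict_table(chain: List[Rule]) -> Dict[str, str]:
    return {state: verdict(chain, state) for state in CTSTATES}


# Constructed packets: (description, conntrack state the packet would carry).
SAMPLE_PACKETS = [
    ("TCP SYN to a listening port", "NEW"),
    ("reply segment of a tracked flow", "ESTABLISHED"),
    ("ICMP error tied to a tracked flow", "RELATED"),
    ("out-of-window TCP segment", "INVALID"),
    ("IPv6 neighbour solicitation (assumed INVALID, as the commit states)", "INVALID"),
]

CONFIGS = {
    "before, drop_invalid=1": build_chain("ACCEPT", drop_invalid=True, restrict_new=False),
    "before, drop_invalid=0": build_chain("ACCEPT", drop_invalid=False, restrict_new=False),
    "after,  drop_invalid=0": build_chain("ACCEPT", drop_invalid=False, restrict_new=True),
}


def compare() -> Dict[str, Dict[str, str]]:
    """Verdict for every sample packet under every configuration."""
    return {
        name: {desc: verdict(chain, state) for desc, state in SAMPLE_PACKETS}
        for name, chain in CONFIGS.items()
    }


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name)
        for desc, result in verdicts.items():
            print(f"  {result:<12} {desc}")
```

The point the table makes: with drop_invalid off and an unrestricted default ACCEPT, an INVALID packet is accepted by the zone default; once the default is limited to NEW, INVALID is no longer accepted there and falls through, while NEW, ESTABLISHED and RELATED are unaffected. With drop_invalid on, INVALID (including the neighbour solicitation in this model) is dropped before the default rule is reached, which is the behaviour the commit wants to avoid enabling by default.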
zones.c