[bitmask-root] Don't redirect udp/53 traffic to vpn gateways

Fixes #863 (closed)
Fixes #835 (closed)

Solution was to add a RETURN in nat/bitmask for every gateway ip.
I haven't tested the Qubes OS code path. Now if connected the nat rules look like this:

pea@linbox:pkg s iptables -vnL  -t nat
Chain PREROUTING (policy ACCEPT 206 packets, 38107 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 206 packets, 38107 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 702 packets, 136K bytes)
 pkts bytes target     prot opt in     out     source               destination         
   35  3488 bitmask    0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain POSTROUTING (policy ACCEPT 719 packets, 111K bytes)
 pkts bytes target     prot opt in     out     source               destination         
   34  3448 bitmask_postrouting  0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain bitmask (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    1    42 RETURN     0    --  *      *       0.0.0.0/0            163.172.211.109     
    0     0 RETURN     0    --  *      *       0.0.0.0/0            51.158.144.31       
    0     0 RETURN     0    --  *      *       0.0.0.0/0            51.158.144.32       
    0     0 ACCEPT     17   --  *      *       0.0.0.0/0            127.0.1.1            udp dpt:53
    0     0 ACCEPT     17   --  *      *       0.0.0.0/0            127.0.0.1            udp dpt:53
   11   818 ACCEPT     17   --  *      *       0.0.0.0/0            127.0.0.53           udp dpt:53
    0     0 DNAT       17   --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 to:10.41.0.1:53
    0     0 DNAT       6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 to:10.41.0.1:53

Chain bitmask_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  17   --  *      *       0.0.0.0/0            10.41.0.1            udp dpt:53
    0     0 MASQUERADE  6    --  *      *       0.0.0.0/0            10.41.0.1            tcp dpt:53

Testing

1. Check the log output: DBG Executing bitmask-root cmd="/usr/sbin/bitmask-root firewall start 51.15.9.205 ..."
2. generate traffic: nc -v -u 51.15.9.205 53
3. tcpdump -ni any port 53
   Before you saw traffic to the DNS server (always 10.41.0.1). Now you will see ("Connection to 51.15.9.205 53 port [udp/domain] succeeded!").

Some commands for debugging

iptables-save -t nat
iptables -vnL -t nat --line-numbers
iptables -t nat -D bitmask 4 (delete line 4)