nftables: enable using env var

[robmry]

Draft PR:

• stacked on nftables: integration test updates #50048

- What I did

• related to nftables: CI testing #49641

For testing - if env var DOCKER_FIREWALL_BACKEND=nftables, and nft is available, use the nftables backend instead of nftables.

We'll need daemon options for controlling the backend, so we'll also need decide what to do about the existing options ... but this change isn't that ... it's just so we can set the env var to pick the backend for a CI run.

- How I did it

The firewalld handler is now initialised before network driver registration. So, make sure an OnReloaded callback isn't processed while the bridge driver is still setting up.

- How to verify it

- Human readable description for the release notes

- A picture of a cute animal (not mandatory but encouraged)

[thaJeztah]

LGTM

[vvoland]

Do we want to have a release note for this one?

[thaJeztah]

IIUC, (also per discussion on slack) this only allows enabling the bits that are still very much "work in progress", so not intended as user-facing change. It does no harm (without using the env-var), but likely not yet gives anything "testable" for users.

[robmry]

Do we want to have a release note for this one?

Probably not ... the nftables implementation is still all queuing up for review, so the env-var doesn't actually do much yet (apart from make it easier to write tests and run nftables in the upcoming commits).