nwfilters: support for TCP flags evaluation

This patch adds support for the evaluation of TCP flags in nwfilters.

It adds documentation to the web page and extends the tests as well.
Also, the nwfilter schema is extended.

The following are some example for rules using the tcp flags:

<rule action='accept' direction='in'>
    <tcp state='NONE' flags='SYN/ALL' dsptportstart='80'/>
</rule>
<rule action='drop' direction='in'>
    <tcp state='NONE' flags='SYN/ALL'/>
</rule>

docs/schemas/nwfilter.rng

@@ -81,6 +81,7 @@
                   <ref name="common-port-attributes"/>
                   <ref name="common-ip-attributes-p1"/>
                   <ref name="common-ip-attributes-p2"/>
+                  <ref name="tcp-attributes"/>
                   <ref name="comment-attribute"/>
                 </element>
               </zeroOrMore>
@@ -184,6 +185,7 @@
                   <ref name="common-port-attributes"/>
                   <ref name="common-ipv6-attributes-p1"/>
                   <ref name="common-ipv6-attributes-p2"/>
+                  <ref name="tcp-attributes"/>
                   <ref name="comment-attribute"/>
                 </element>
               </zeroOrMore>
@@ -606,6 +608,14 @@
     </optional>
   </define>
 
+  <define name="tcp-attributes">
+    <optional>
+      <attribute name="flags">
+        <ref name="tcpflags-type"/>
+      </attribute>
+    </optional>
+  </define>
+
   <!-- ################  type library ################ -->
 
   <define name="UUID">
@@ -872,4 +882,10 @@
       <param name="pattern">((NEW|ESTABLISHED|RELATED|INVALID)(,(NEW|ESTABLISHED|RELATED|INVALID))*|NONE)</param>
     </data>
   </define>
+
+  <define name='tcpflags-type'>
+    <data type="string">
+      <param name="pattern">((SYN|ACK|URG|PSH|FIN|RST)(,(SYN|ACK|URG|PSH|FIN|RST))*|ALL|NONE)/((SYN|ACK|URG|PSH|FIN|RST)(,(SYN|ACK|URG|PSH|FIN|RST))*|ALL|NONE)</param>
+    </data>
+  </define>
 </grammar>