When inserting rules that match on connection tracking fields, datapath
support must be checked before allowing or denying the rule insertion.
Previously we only disallowed flows that had non-zero values for the
ct_* field, but allowed non-zero masks. This meant that, eg:
ct_state=-trk,...
Would be allowed, while
ct_state=+trk,...
Would be disallowed, due to lack of datapath support.
Fix this by performing the check on masks instead of the flows.