This patch adds support to mask the nfmark value before the lookup
the the fw classifier. Unfortunately it has some drawbacks, so I'd
be interested if anyone can think of a better way.

The problem is that in order to avoid walking through all filters
contained in one instance, we need to mask the value before the
lookup. This means all filters share the same mask, which is
taken from the first filter created and stored in the filter head.
The user interface however always refers to a single filter,
not the head, so it can't be changed afterwards unless we just
overwrite it whenever a new filter is installed. Both is not
really perfect. The current patch doesn't allow to change the
mark and enforces that all filters use the same one, which I think
is better than allowing inconsistent configurations.

Any better ideas?