Feat: make firewall patterns ECS compliant (1/2)

[kares]

This is the first part of converting the patterns (the other part will be reviewing all of our CISCO messages).

We used the opportunity to share some common ground between iptables based firewall backends. Thus there's a new IPTABLES sub-pattern used by both SHOREWALL and SFW2 (SuSE firewall 2). Should also make the patterns more robust compared to our legacy matching (e.g. only IPv4 was matched previously for SHOREWALL).

There's a (minor) blocking issue on grok which causes IPv6 fields (e.g. iptables.length) to not type cast properly.

Beats has a standalone iptables, we're using the same field naming conventions here.

Since SFW2 and SHOREWALL both share most of their heavy lifting through the IPTABLES sub-pattern it should be enough to only review the one. Here's a sample use-case:

May 28 17:23:25 myHost kernel: [3124658.791874] Shorewall:FORWARD:REJECT:IN=eth2 OUT=eth2 SRC=1.2.3.4 DST=192.168.0.10 LEN=141 TOS=0x00 PREC=0x00 TTL=63 ID=55251 PROTO=UDP SPT=5353 DPT=5335 LEN=121

    "timestamp"=>"May 28 17:23:25",
    "host"=>{"hostname"=>"myHost"},
    "shorewall"=>{
        "firewall"=>{"type"=>"FORWARD", "action"=>"REJECT"}
    },
    "source"=>{"port"=>5353, "ip"=>"1.2.3.4"},
    "destination"=>{"port"=>5335, "ip"=>"192.168.0.10"}
    "network"=>{"transport"=>"UDP"},
    "iptables"=>{
        "input_interface"=>"eth2",
        "output_interface"=>"eth2",
        "length"=>141,
        "tos"=>"00",
        "precedence_bits"=>"00",
        "ttl"=>63,
        "id"=>"55251"
    }

[kares]

// cc @ebeahan @webmat if you guys find some time double-checking (mostly the new) IPTABLES captures

[kares]

@yaauie this is now good for a LS review - there's minor legacy updates (non-breaking) as I was lazy to write more specs to work-around the issue of the SFW2 being broken when OUT=eth0 is specified in legacy mode.