Stop using connection tracking for ssh connections

There is an issue with newer kernels (it seems to happen with 4.15.x)
that when conntrack is reloaded while a connection has packets in
flight, this connection going forward is neither considered INVALID
nor RELATED nor ESTABLISHED by the stateful tracking. While this is
certainly a bug somewhere in the kernel, we can be easily avoiding
this by just not using stateful filtering for ssh connections, as
we accept any connection from anywhere anyway.

Change-Id: I1b20644ce888930cd28d6eaf2c23787315e8199c

nodepool/elements/nodepool-base/install.d/20-iptables

@@ -53,9 +53,9 @@ cat > $ipv4_rules << EOF
 -A openstack-INPUT -i lo -j ACCEPT
 -A openstack-INPUT -p icmp --icmp-type any -j ACCEPT
 #-A openstack-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
+# SSH from anywhere without -m state to avoid hanging connections on iptables-restore
+-A openstack-INPUT -m tcp -p tcp --dport 22 -j ACCEPT
 -A openstack-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-# SSH from anywhere
--A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
 # Public TCP ports
 -A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 19885 -j ACCEPT
 # Ports 69 and 6385 allow to allow ironic VM nodes to reach tftp and
@@ -82,9 +82,9 @@ cat > $ipv6_rules << EOF
 -A INPUT -j openstack-INPUT
 -A openstack-INPUT -i lo -j ACCEPT
 -A openstack-INPUT -p ipv6-icmp -j ACCEPT
+# SSH from anywhere without -m state to avoid hanging connections on iptables-restore
+-A openstack-INPUT -m tcp -p tcp --dport 22 -j ACCEPT
 -A openstack-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-# SSH from anywhere
--A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
 # Public TCP ports
 -A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 19885 -j ACCEPT
 -A openstack-INPUT -j REJECT --reject-with icmp6-adm-prohibited