CFP-12781: Host Firewall Before NodePort DNAT

[jakubhlavnicka]

Add CFP for enforcing host firewall ingress policy before NodePort DNAT/SNAT, which enables CiliumClusterwideNetworkPolicy to match on original external source IPs and NodePort destination ports.

Tracks: cilium/cilium#12781