firewall: allow also related traffic

This include ICMP error messages for allowed traffic.

Fixes QubesOS/qubes-issues#3406

qubesagent/firewall.py

@@ -556,7 +556,7 @@ class NftablesWorker(FirewallWorker):
             '  chain forward {{\n'
             '    type filter hook forward priority 0;\n'
             '    policy drop;\n'
-            '    ct state established accept\n'
+            '    ct state established,related accept\n'
             '  }}\n'
             '}}\n'
         )

qubesagent/test_firewall.py

@@ -430,14 +430,14 @@ class TestNftablesWorker(TestCase):
             '  chain forward {\n'
             '    type filter hook forward priority 0;\n'
             '    policy drop;\n'
-            '    ct state established accept\n'
+            '    ct state established,related accept\n'
             '  }\n'
             '}\n'
             'table ip6 qubes-firewall {\n'
             '  chain forward {\n'
             '    type filter hook forward priority 0;\n'
             '    policy drop;\n'
-            '    ct state established accept\n'
+            '    ct state established,related accept\n'
             '  }\n'
             '}\n'
         ])