ipfw: add protected rule for orphaned dynamic states
When we have enabled V_dyn_keep_states, states that become ORPHANED
will keep a pointer to the original rule. Then this rule pointer is used
to apply the rule action after ipfw_dyn_lookup_state().

Some rule actions use IPFW_INC_RULE_COUNTER() directly on this rule
pointer to increment rule counters, but other rule actions use
chain->map[f_pos] instead. The latter case leads to incrementing counters
on the wrong rule, because ORPHANED states have no parent rule in
chain->map[].

To solve this we add a protected rule that will be matched only by
packets that are handled by ORPHANED states. This is a `count' rule
that is placed prior to the default rule:

65535 count ip from any to any not // orphaned dynamic states counter
Obtained from: Yandex LLC
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D51460