This uses a manual way to trigger the NDK build (the default with
on-the-fly Android.mk files does not work for us).

The additional data can be helpful to identify the exact policy to
delete.

In dual-stack environments the IPv6 connectivity (via autoconfiguration)
might be established before the IPv4 connectivity (via DHCP).  It seems
Android triggers the CONNECTIVITY_ACTION broadcast already when the first
family is fully configured.  At that time we might not be able to find an
IPv4 source address.  And since Android does not trigger the broadcast
again if IPv4 connectivity is established, the connection is broken
afterwards.

So we store the connectivity state and if we are reportedly connected but
still find no source address we trigger a roam event to recheck for an IPv4
address.  This will cause regular rechecks if a device enters an IPv6-only
network, but I guess that's rare (otherwise we could limit the number of
rechecks done between connectivity changes).

Before fwmarks were used protected sockets were bound to the outbound
interface via SO_BINDTODEVICE.  This does not always seem to work well
together with our connect()/getsockname() trick if the server is covered
by the traffic selectors.  Calling protect() again after disconnecting
the socket seems to help, but if there is no connectivity at all we still
get the virtual IP back (maybe protect() does not bind the socket to any
interface then).

When roaming from a mobile network to WiFi on Android 5.x the event
received via ConnectivityManager is triggered before the mobile
connection is fully torn down (i.e. before the interface is disabled and
the routes disappear).  So for strongSwan the current path still seems
valid and since no roam event is triggered later the daemon never switches
to WiFi and the connection is broken afterwards.

A possible solution to this is enabling roam events in the kernel-netlink
plugin.  That would trigger an event when the device is finally disconnected
from the mobile network.  However, this could actually take a some time,
during which traffic continues to be sent via mobile network instead of WiFi.
That's because Android now uses multiple routing tables, routing rules and
fwmarks to direct traffic to the appropriate interface/table, but in our
plugin we don't have the information available that would allow us to make
the switch to a different network/routing table earlier (and we actually
prefer the current path if it is still valid).  Additionally, the plugin
produces quite a bit more events than ConnectivityManager (which was one
of the reasons to use the latter in the first place).

This custom kernel-net implementation is now specifically tailored for
Android.  Roam events are still triggered via ConnectivityManager but
the source address is determined via connect()/getsockname() on a VPN
excluded UDP socket, which does use the correct routing table as intended
by Android.  That way the daemon immediately sees a different source IP
when connectivity changes even if the device is connected to multiple
networks concurrently.

Similar to other kernel interfaces, the libipsec backends uses the flag for
different purposes, and therefore should get separate flags.

While we can handle the first selector only in BEET mode in kernel-netlink,
passing the full list gives the backend more flexibility how to handle this
information.