defer firewall updates to iptables data structures

defer firewall updates to iptables data structures

One of two patches that fixes bug #1194438.

In the iptables firewall driver, each port method (update_port_filter,
prepare_port_filter, remove_port_filter) makes O(N) calls, where
N=len(firewall.ports), to IptablesManager methods that update dozens
of data structures. When the firewall methods are called in sequence,
e.g., by SecurityGroupAgentRpcMixin, the calls to IptablesManager's
methods start to add up.

This patch changes IptablesFirewallDriver to defer and coalesce calls
to IptablesManager. Now a sequence of M port method calls results in
O(N) calls to IptablesManager methods instead of O(N*M) as before.

Change-Id: If17eeaec197beae8b8aecffca1f19d4535a7226e