firewall: disable forwarding for mgmt interfaces in if-pre-up

Should be more robust and more importantly works when interfaces are
not renamed by mdev as is the situation now.

roles/firewall/templates/mgmt.intf.j2

@@ -11,6 +11,8 @@ iface {{ iface.name }}
     requires {{ iface.vrf.name }}
     pre-up ip link set $IFACE master {{ iface.vrf.name }}
 {% endif %}
+    pre-up sysctl -w net.ipv4.conf.$IFACE.forwarding=0
+    pre-up sysctl -w net.ipv6.conf.$IFACE.forwarding=0
 {% if iface.mtu %}
     mtu {{ iface.mtu }}
 {% endif %}