Adaptive state timeouts

protect against state table filling up under attacks
goal: remove malicious states as soon as possible, but still allow new legitimate connections, never break existing legitimate connections
existing timeouts are tcp.first (120s), tcp.opening (30s), tcp.established (24h)
new adaptive.start, adaptive.end (number of state entries)
when state table size exceeds adaptive.start, all timeout values are scaled down linearly (becoming 0s when adaptive.end is reached)
works with custom global and per-rule timeouts