To do list:

* Make the system do the right thing (withdraw ip neigh /
  ip route / iptables rules) when VMs power off or when
  their network gets detached.
  Right now the rules are only reconfigured when:
  * a VM starts (ancestor VMs get reconfigured)
  * a VM gets unpaused (same as before)
  * a VM network gets attached (same as before)
  * a VM's FW rules get altered (parent ProxyVM and sibling
    VMs get reconfigured, and this reconfiguration only
    affects iptables rules)
* Make the system do the right thing when `static_ip`
  is changed / enabled / disabled, without requiring a
  VM restart.
  * Key point (but not only point): appvm fwrules that
    were setup need to be un-setup, which means that
    our current algorithm "look at VMs with static_ip"
    will not work to un-setup those fwrules.
  * Define very clearly when fw state is modified
    for appvm, as that requires execution of code
    in the appvm, and tracking how and when to
    undo that state transition.
* Evaluate network access permissions when appvm
  is attached to netvm, vs attached to proxyvm to netvm,
  vs attached to proxyvm to proxyvm to netvm.
* Prolly need to write some important automated tests.