refactor: ensure that using previous replaced does not remove files and reload unless necessary

The old implemenation of `previous: replaced` would remove all files and reload the
firewall every time, even if not necessary - it wasn't technically idempotent, although
it would check the new files to see if they matched the old files, and report
`changed: false` if nothing actually changed state.

The new implementation uses an in-memory backend to apply the changes, then checks if
anything changed, and then removes the files and reloads firewall only if something
actually changed.

Signed-off-by: Rich Megginson <rmeggins@redhat.com>

Author: richm

README.md

@@ -818,23 +818,21 @@ NOTE: `service` - to see how to manage services, see the service section.
 
 ### runtime
 
-Enable changes in runtime configuration. If `runtime` parameter is not provided, the default will be set to `True`.
+Enable changes in runtime configuration.  By default, this is `true` if the
+system is booted, or `false` if not booted (i.e. `bootc` system).
 
 ```yaml
-runtime: true
+runtime: false
 ```
 
 ### permanent
 
-Enable changes in permanent configuration. If `permanent` parameter is not provided, the default will be set to `True`.
+Enable changes in permanent configuration. By default, this is `true`.
 
 ```yaml
-permanent: true
+permanent: false
 ```
 
-The permanent and runtime settings are independent, so you can set only the runtime, or only the permanent.  You cannot
-set both permanent and runtime to `false`.
-
 ### previous
 
 If you want to completely wipe out all existing firewall configuration, add