
netfilter: late backports from upstream

Florian Westphal requested to merge fwestpha/centos-stream-9-fw:bz2121393 into main

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2121393

This patch set fixes a myriad of bugs in netfilter.

Those are:

  1. re-enable conntrack expectation events. This is a regression in the 9.1 development cycle.

  2. netfilter: nf_tables: fix null deref due to zeroed list head. Fix crash during error unwinding if a memory allocation failed.

  3. A couple of patches to avoid nonsensical flags/combinations. In recent months there was a huge number of bug reports all caused by "creative" unsupported combinations, hence these patches to catch all of this as early as possible.

  4. Data coherency fixes, this could cause netlink dumps to miss the "intr" flag to signal that the dump is inconsistent.

  5. Fix crash in classic ebtables. While we don't ship this binary, the syscall interface is still there.

  6. nft_tproxy must not be used in OUTPUT hook, but the check was missing. Using it in output results in a crash, i.e. this can't break existing setups.

  7. restrict the number of operations permitted on "implicit chains".

  8. fix a memory leak in br_netfilter when skb had metadata dst already assigned.

  9. tighten IRC DCC parsing; it was possible to make conntrack open a dnat from a remote client by adding the "DCC" command to a PING; clients that reflected this text triggered the "DCC" port forward logic.

Signed-off-by: Florian Westphal <fwestpha@redhat.com>
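Item 9 above describes a helper that honoured a "DCC" token wherever it appeared in an IRC line, including inside a PING the server echoes back. The following is an added illustration of the tightened parsing rule, written for this page and not taken from the kernel's nf_conntrack_irc code: a DCC endpoint is extracted only when it is the CTCP payload at the very start of a PRIVMSG trailing parameter, and never from any other command or from text in the middle of a message. The sample lines, the `parse_irc` / `extract_dcc_endpoint` names and the accepted DCC subcommands are assumptions made for the example.

```python
import re
from ipaddress import IPv4Address

# Constructed sample lines for the example (not captured traffic).
# 3232235777 is the decimal form of 192.168.1.1.
SAMPLE_LINES = [
    # DCC as the CTCP payload at the start of a PRIVMSG: the only accepted shape.
    ":alice!a@h PRIVMSG bob :\x01DCC SEND file.txt 3232235777 6667 12\x01",
    # DCC in the middle of the message text: rejected.
    ":alice!a@h PRIVMSG bob :hello, see \x01DCC SEND file.txt 3232235777 6667 12\x01",
    # DCC smuggled into a PING (the shape described in item 9): rejected.
    "PING :DCC SEND file.txt 3232235777 6667 12",
    # Well-formed DCC CHAT but port 0: rejected by the range check.
    ":alice!a@h PRIVMSG bob :\x01DCC CHAT chat 3232235777 0 \x01",
]

# Assumed subset of DCC subcommands; anchored with ^ so only a leading CTCP DCC matches.
DCC_RE = re.compile(r"^\x01DCC (?:SEND|CHAT)\s+\S+\s+(\d{1,10})\s+(\d{1,5})")


def parse_irc(line):
    """Split one IRC line into (COMMAND, middle params, trailing param or None)."""
    if line.startswith(":"):
        # Drop the optional ":prefix" (sender) before the command.
        _prefix, _, line = line.partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if not parts:
        return None
    return parts[0].upper(), parts[1:], (trailing if sep else None)


def extract_dcc_endpoint(line):
    """Return (ip, port) for a DCC request only if it is the leading CTCP
    payload of a PRIVMSG; any other placement yields None."""
    parsed = parse_irc(line)
    if parsed is None:
        return None
    command, _params, trailing = parsed
    # Only PRIVMSG carries DCC requests; PING, NOTICE, etc. never open a port mapping.
    if command != "PRIVMSG" or trailing is None:
        return None
    match = DCC_RE.match(trailing)
    if match is None:
        return None
    addr, port = int(match.group(1)), int(match.group(2))
    # Reject addresses outside IPv4 range and ports outside 1..65535.
    if addr > 0xFFFFFFFF or not 1 <= port <= 65535:
        return None
    return str(IPv4Address(addr)), port


def scan(lines):
    """Map each sample line to the endpoint it would be allowed to open, or None."""
    return [extract_dcc_endpoint(line) for line in lines]


if __name__ == "__main__":
    for line, result in zip(SAMPLE_LINES, scan(SAMPLE_LINES)):
        print(repr(line[:40]), "->", result)
```

Running the block shows that only the first sample yields an endpoint (`192.168.1.1`, port 6667); the reflected PING and the mid-text DCC produce nothing, which is the behaviour the tightened helper is meant to have.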
