netfilter: P2 backports from upstream
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2044272
Tested: iptables, nftables test suite, netfilter kernel selftests
Conflicts: none
Most severe bugs fixed here are wrt. matching concatenated ranges such as "10.2.3.4 . 1-1024".
One corner case causes wrong matching; another corner case results in a set becoming non-matching until the next element add or removal when a set is flushed and re-created as-before in the same transaction.
Another bug fix worth mentioning is data corruption for stateless nat with ip fragmentation; before the fix the layer 4 checksum was updated not only for the first fragment, causing payload to be overwritten with the l4 checksum.
Signed-off-by: Florian Westphal <fwestpha@redhat.com>
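
The stateless NAT fragmentation issue described above, as an added userspace model; it is not the kernel code or part of this backport. The names `snat_udp` and `bytes_at_csum_slot` and the sample packet are assumptions made for illustration. Only a fragment with offset 0 carries the UDP header, so in later fragments the same byte position is payload and must not be written.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* RFC 1624 incremental update of a 16-bit one's-complement checksum. */
static uint16_t csum_fix(uint16_t csum, uint16_t old, uint16_t new_word)
{
    uint32_t sum = (uint16_t)~csum + (uint32_t)(uint16_t)~old + new_word;
    sum = (sum & 0xffff) + (sum >> 16);
    sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Rewrite the IPv4 source address of a UDP packet in place (hypothetical helper).
 * Returns 1 if the UDP checksum was updated, 0 if left alone, -1 on bad input. */
int snat_udp(uint8_t *pkt, size_t len, const uint8_t new_src[4])
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl || pkt[9] != 17) return -1;
    /* Fragment offset is the low 13 bits; a non-zero offset means no L4 header here. */
    int fix_l4 = (rd16(pkt + 6) & 0x1fff) == 0 && len >= ihl + 8 && rd16(pkt + ihl + 6) != 0;
    for (int i = 0; i < 4; i += 2) {
        uint16_t old = rd16(pkt + 12 + i), nw = rd16(new_src + i);
        wr16(pkt + 10, csum_fix(rd16(pkt + 10), old, nw));   /* IPv4 header checksum */
        if (fix_l4) {
            uint16_t c = csum_fix(rd16(pkt + ihl + 6), old, nw);
            wr16(pkt + ihl + 6, c ? c : 0xffff);             /* 0 means "no checksum" in UDP */
        }
    }
    memcpy(pkt + 12, new_src, 4);
    return fix_l4;
}

/* Constructed sample: 20-byte IPv4 header (header checksum left 0) plus 8 bytes.
 * Returns the two bytes at L4 offset 6 after NAT from 10.0.0.1 to 192.0.2.1. */
int bytes_at_csum_slot(uint16_t frag_field)
{
    uint8_t pkt[28] = { 0x45, 0, 0, 28, 0, 1, 0, 0, 64, 17, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2,
                        0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0xbe, 0xef };
    const uint8_t new_src[4] = { 192, 0, 2, 1 };
    wr16(pkt + 6, frag_field);          /* flags (3 bits) + offset in 8-byte units */
    snat_udp(pkt, sizeof pkt, new_src);
    return rd16(pkt + 26);
}
```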