netfilter: bridge: replace physindev with physinif in nf_bridge_info
netfilter: nfnetlink_log: use proper helper for fetching physinif
netfilter: nf_queue: remove excess nf_bridge variable
netfilter: nf_tables: check if catch-all set element is active in next generation
netfilter: nf_tables: do not allow mismatch field size and set key length
netfilter: nf_tables: mark newset as dead on transaction abort
netfilter: nf_tables: reject invalid set policy
netfilter: nf_tables: reject NFT_SET_CONCAT with not field length description
netfilter: nf_tables: skip dead set elements in netlink dump
netfilter: nf_tables: validate chain type update if available
netfilter: nft_limit: do not ignore unsupported flags
netfilter: propagate net to nf_bridge_get_physindev
in the next update there was
netfilter: nf_tables: reject QUEUE/DROP verdict parameters
netfilter: nf_tables: restrict anonymous set and map names to 16 bytes
netfilter: nf_tables: validate NFPROTO_* family
netfilter: nft_chain_filter: handle NETDEV_UNREGISTER for inet/ingress basechain
netfilter: nft_limit: reject configurations that cause integer overflow
and then
netfilter: conntrack: correct window scaling with retransmitted SYN
netfilter: nf_log: replace BUG_ON by WARN_ON_ONCE when putting logger
netfilter: nf_tables: restrict tunnel object to NFPROTO_NETDEV
netfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom expectations
and
netfilter: nft_compat: narrow down revision to unsigned 8-bits
netfilter: nft_compat: reject unused compat flag
netfilter: nft_compat: restrict match/target protocol to u16
netfilter: nft_ct: reject direction for ct id
netfilter: nft_set_pipapo: add helper to release pcpu scratch area
netfilter: nft_set_pipapo: remove scratch_aligned pointer
netfilter: nft_set_pipapo: store index in scratch maps
netfilter: nft_set_rbtree: skip end interval element from gc
followed by
netfilter: ipset: fix performance regression in swap operation
netfilter: ipset: Missing gc cancellations fixed
and then after that
netfilter: conntrack: check SCTP_CID_SHUTDOWN_ACK for vtag setting in sctp_new
netfilter: nf_tables: register hooks last when adding new chain/flowtable
netfilter: nf_tables: set dormant flag on hook register failure
netfilter: nf_tables: use kzalloc for hook allocation
netfilter: nft_flow_offload: release dst in case direct xmit path is used
netfilter: nft_flow_offload: reset dst in route object after setting up flow
and now
netfilter: bridge: confirm multicast packets before passing them up the stack
netfilter: nf_tables: allow NFPROTO_INET in nft_(match/target)_validate()
and of course
netfilter: nf_tables: do not compare internal table flags on updates
netfilter: nf_tables: Fix a memory leak in nf_tables_updchain
netfilter: nft_set_pipapo: release elements in clone only from destroy path
and so it turns out all of this was backported to 6.6 and had not been done earlier