Description: netfilter: ctnetlink: add a range check for l3/l4 protonum
References:
 https://twitter.com/grsecurity/status/1303646421158109185
 https://patchwork.ozlabs.org/project/netfilter-devel/patch/20200908150947.12623-2-pablo@netfilter.org/
Notes:
 bwh> Introduced in 2.6.17 by commit c1d10adb4a52 "[NETFILTER]: Add
 bwh> ctnetlink port for nf_conntrack".
Bugs:
upstream: released (5.9-rc7) [1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6]
4.19-upstream-stable: released (4.19.150) [289fe546ea16c2dcb57c5198c5a7b7387604530e]
4.9-upstream-stable: released (4.9.239) [3f5bfa0a2c3401bfbc0cab5894df8262de619641]
sid: released (5.8.14-1)
4.19-buster-security: released (4.19.152-1)
4.9-stretch-security: released (4.9.240-1)