Hi Dave,

the following two patches fix two netfilter bugs:

- incorrect sequence number tracking in TCP conntrack in combination
  with NAT helpers that enlarge the packet, causing incorrectly
  detected out of window packets

- a regression in the connlimit match

The first patch is quite large for this late in the release cycle, so
if you prefer, I'll queue it up for net-next instead.

I'll pass on both to -stable once they hit upstream.

Please apply, thanks!