netfilter: nf_tables: disable toggling dormant table state more than once

jira VULN-430
subsystem-update netfilter: centos-stream-9 cfd9694
commit-author Florian Westphal <fw@strlen.de>
commit c9bd265

nft -f -<<EOF
add table ip t
add table ip t { flags dormant; }
add chain ip t c { type filter hook input priority 0; }
add table ip t
EOF

Triggers a splat from nf core on next table delete because we lose
track of right hook register state:

WARNING: CPU: 2 PID: 1597 at net/netfilter/core.c:501 __nf_unregister_net_hook
RIP: 0010:__nf_unregister_net_hook+0x41b/0x570
 nf_unregister_net_hook+0xb4/0xf0
 __nf_tables_unregister_hook+0x160/0x1d0
[..]

The above should have table in *active* state, but in fact no
hooks were registered.

Reject on/off/on games rather than attempting to fix this.

Fixes: 179d9ba ("netfilter: nf_tables: fix table flag updates")
	Reported-by: "Lee, Cherie-Anne" <cherie.lee@starlabs.sg>
	Cc: Bing-Jhong Billy Jheng <billy@starlabs.sg>
	Cc: info@starlabs.sg
	Signed-off-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit c9bd265)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>

Author: pvts-mat

net/netfilter/nf_tables_api.c

@@ -1159,6 +1159,10 @@ static int nf_tables_updtable(struct nft_ctx *ctx)
 	     flags & NFT_TABLE_F_OWNER))
 		return -EOPNOTSUPP;
 
+	/* No dormant off/on/off/on games in single transaction */
+	if (ctx->table->flags & __NFT_TABLE_F_UPDATE)
+		return -EINVAL;
+
 	trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
 				sizeof(struct nft_trans_table));
 	if (trans == NULL)