DF-0517
IPV6_FW_GET leaks one unused mbuf per call + walks chain without lock
Summary
IPV6_FW_GET(:1101-1116): walks ip6_fw_chain NO crit NO lock while other CPU may mutate (same UAF surface as DF-0513). Loop body unconditionally m_get(M_WAITOK) for next entry(:1109) before checking chain end. When loop terminates after last real rule, trailing empty mbuf allocated+threaded onto returned chain, never consumed. One mbuf leaked per GET. Fix: alloc next at top of iteration after checking le_next!=NULL.