MFC r349927, r349929:

r349927:
Resolve IPv6 checksum errors with stateful inspection. According to
PR/203585 this appears to have been broken by r235959, which predates
the ipfilter 5.1.2 import into FreeBSD.

The IPv6 checksum calculation is incorrect. To resolve this we call
in6_cksum() to do the the heavy lifting for us, through a new function
ipf_pcksum6(). Should we need to revisit this area again, a DTrace probe
is added to aid with future debugging.

Plus whitespace adjustments (r348989).

PR: 203275, 203585
Differential Revision: https://reviews.freebsd.org/D20583

r349929:
Move the new ipf_pcksum6() function from ip_fil_freebsd.c to fil.c.
The reason for this is that ipftest(8), which still works on FreeBSD-11,
fails to link to it, breaking stable/11 builds.

ipftest(8) was broken (segfault) sometime during the FreeBSD-12 cycle.
glebius@ suggested we disable building it until I can get around to
fixing it. Hence this was not caught in -current.

The intention is to fix ipftest(8) as it is used by the netbsd-tests
(imported by ngie@ many moons ago) for regression testing.

MFC r348987, r348989:

Resolve IPv6 checksum errors with stateful inspection. According to
PR/203585 this appears to have been broken by r235959, which predates
the ipfilter 5.1.2 import into FreeBSD.

The IPv6 checksum calculation is incorrect. To resolve this we call
in6_cksum() to do the the heavy lifting for us, through a new function
ipf_pcksum6(). Should we need to revisit this area again, a DTrace probe
is added to aid with future debugging.

Plus whitespace adjustments (r348989).

PR: 203275, 203585
Differential Revision: https://reviews.freebsd.org/D20583

MFC 349843:

Update frtuc struct comments. It not only defines TCP things we are
interested in but also UDP.

While at it document the source and destination port variables.

MFC r349842:

Correct the description for the low port in the port compare struct.

Adjust the high port description to match that of the low port
description.

MFC r342385:

Remove an empty #if block.

The interesting thing is that looking through Darren's commit logs,
the line containing an extern ppsratecheck() definition was removed
from the v5-1-RELEASE branch but not from HEAD (I have taken his
CVS tree and converted it to GIT). There is a commit adding an
additional #if defined to the empty block. I can only assume that
this was intentional for something later. Looking through HEAD the
extern ppsratecheck() is there. However if we put it back it would
conflict with a static ppsratecheck() definition in fil.c when
building ipftest.

Therefore we remove this empty block.

ppsratecheck() is a function in the FreeBSD kernel. However ipftest
cannot call the ppsratecheck() in the kernel. Therefore one exists in
fil.c for use when building the userland ipftest utility which
approximates the packet filter in userland for testing of ipfilter
rules against packets captured with tcpdump.

MFC r342377:

Remove NETBSD_PF. NETBSD_PF is a flag that defines whether the pfil(9)
framework is available. pfil(9) has been in FreeBSD since FreeBSD 5
and according to svn log was first committed to HEAD in 2000, therefore
it is safe to say the check is no longer needed in FreeBSD.

pfil(9) first appeared in NetBSD 1.3 (hence the name NETBSD_PF).
Therefore it is safe to say that it is supported by every NetBSD system
today. The framework also exists in illumos.

As ipfilter code is shared and exchanged between FreeBSD and NetBSD, and
at some point in the future illumos too, and as all three platforms have
pfil(9), the redundant NETBSD_PF #defines and #ifdefs are removed.

MFC r341280:

Clean up a rather useless conditional structure member definition.

MFC r318606:

Refactor & compact struct i6addr_t #ifdef: remove redundant structure
definintion when USE_INET6 is false.

MFC r311950 (by bz):

Get rid of a compiler warning which I saw too often.
Include netinet/in.h before ip_compat.t which will then check if
IPPROTO_IPIP is defined or not. Doing it the other way round,
ip_compat.h would not find it defined and netinet/in.h then
redefine it.

MFC r304953:

Define ipfilter's SOLARIS macro in a defined and portable way.

Reviewed by: cy
Differential Revision: https://reviews.freebsd.org/D7671

MFC r304959 (by kib):

Complete r304953.

Sponsored by: The FreeBSD Foundation

MFC r304964:

Follow-up to r304953, in which I broke the build: apparently the SOLARIS
macro is defined in lots of different places in ipfilter, so replace all
of the nonportable definitions with portable ones.

Pointy hat to: dim

Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Convert ipfilter from timeout(9) to callout(9).

Submitted by: jhb
Approved by: glebius (mentor)
Approved by: re (blanket)

Update ipfilter 4.1.28 --> 5.1.2.

Approved by: glebius (mentor)
BSD Licensed by: Darren Reed <darrenr@reed.wattle.id.au> (author)

2020447 IPFilter's NAT can undo name server random port selection

Approved by: darrenr
MFC after: 1 week
Security: CERT VU#521769

Pullup IPFilter 4.1.28 from the vendor branch into HEAD.

MFC after: 7 days

Merge IPFilter 4.1.23 back to HEAD
See src/contrib/ipfilter/HISTORY for details of changes since 4.1.13

Resolve conflicts

MFC after: 2 weeks

Resolve conflicts

Fix -Wundef from compiling the amd64 LINT.

Add an include for netinet/ip_compat.h directly so that we don't need to
add another special file in the creation of ioctls.c for kdump.

Merge the changes from 3.4.35 to 4.1.8 into the kernel source tree

Darnit, through a maze of twisty passages, ipfilter needs to have PFIL_HOOKS
defined. Revert part of the previous commit to fix this.

Sprinkle in some __FreeBSD_version checks so that this compiles again. Don't
define PFIL_HOOKS anymore.

Submitted by: keramida

From __FreeBSD_version 600001 on PFIL_HOOKS is permanently in the kernel and
doesn't require to include opt_pfil_hooks.h.

Update ipfilter from 3.4.31 -> 3.4.35. Some important changes:
* block packets that fail to create state table entries
* only allow non-fragmented packets to influence whether or not a logged
packet is the same as the one logged before.
* correct the ICMP packet checksum fixing up when processing ICMP errors for NAT
* implement a maximum for the number of entries in the NAT table (NAT_TABLE_MAX
and ipf_nattable_max)
* frsynclist() wasn't paying attention to all the places where interface
names are, like it should.
* fix comparing ICMP packets with established TCP state where only 8 bytes
of header are returned in the ICMP error.

MFC after: 1 week

Do the dreaded s/dev_t/struct cdev */
Bump __FreeBSD_version accordingly.

Commit import changed from vendor branch of ipfilter to -current head

Commit changes that happened in IPFilter versions 3.4.27 - 3.4.28

bring in changes from 3.4.26.

fix conflicts (mostly damn rcs id's) generated by import

KSE Milestone 2
Note ALL MODULES MUST BE RECOMPILED
make the kernel aware that there are smaller units of scheduling than the
process. (but only allow one thread per process at this time).
This is functionally equivalent to teh previousl -current except
that there is a thread associated with each process.

Sorry john! (your next MFC will be a doosie!)

Reviewed by: peter@freebsd.org, dillon@freebsd.org

X-MFC after: ha ha ha ha

fix conflicts created by import

fix conflicts

activate pfil_hooks and covert ipfilter to use it

fix conflicts

remove duplicate prototypes

fix conflicts

Re add rev 1.11 diffs to ip_fil.h Also discover that I did not undefine
CVS_FUBAR (which no longer exists) and thus forgot to add $FreeBSD's.
Add them.

Approved by: jkh (is part of ipfilter upgrade)

Bring over ipfilter v3_3_8 kernel sources, including merging the
local modifications.
Also fix initializing fr_running in KLD case.
Rename ipl_inited to fr_runninhg in mlfk_ipl

Approved by: jkh

Apply patches in rev 1.2 and 1.9 that I forgot

Pointe out by: bde

Bring over ipfilter kernel sources, including merging the local modifications.

Add kernel parts of revived ipfilter (3.3.3.)