MFC r327718:

When growing the state, also grow the seed array. Otherwise memory
that was not allocated will be accessed.

This necessitated refactoring state seed allocation from
ipf_state_soft_init() into a new common ipf_state_seed_alloc() function
as it is now also used by ipf_state_rehash() when changing the size of
the state hash table in addition to by ipf_state_soft_init() during
initialization.

According to Christos Zoulas <christos@NetBSD.org>:

The bug was encountered by a NetBSD vendor who's customer machines had
large ipfilter states. The bug was reliably triggered by resizing the
state variables using "ipf -T".

Submitted by: Christos Zoulas <christos@NetBSD.org>
Reviewed by: delphij, rgrimes
Obtained from: NetBSD ip_state.c CVS revs r1.9 and r1.10
Differential Revision: https://reviews.freebsd.org/D13755

MFC r327540:

Correct function name in description block.

MFC r323715:

Don't use an apostrophe in a possesive pronoun.

MFC r323478:

Improve the wording of a comment describing why EAGAIN is the error code.

MFC r316810, r316814, r316816, r316991:

Keep state incorrectly assumes keep frags. This is counter to the
ipfilter man pages. This also currently restricts keep frags to only when
keep state is used, which is redundant because keep state currently
assumes keep frags. This commit fixes this.

To the user this change means that to maintain the current behaviour
one must add keep frags to any ipfilter keep state rule (as documented
in the man pages).

This patch also allows the flexability to specify and use keep frags
separate from keep state, as documented in an example in ipf.conf.5,
instead of the currently broken behaviour.

MFC suggested by: rgrimes
Relnotes: yes

MFC r289480. Really fix ipfilter bug 3600459.

Obtained from: ipfilter cvs repo r1.48.2.25, r1.72 and NetBSD repo r1.4

MFC r287674, r287675. Fix ipfilter bug 3600459 NAT bucket count wrong.

Obtained from: ipfilter cvs repo r1.48.2.25

MFC r287651, r287652, r287653.

Fix mutex errors, fixup typos in comments.

Obtained from: NetBSD r1.4.
-This lie, anr those below, will be ignored--
> Description of fields to fill in above: 76 columns --|
> PR: If a GNATS PR is affected by the change.
> Submitted by: If someone else sent in the change.
> Reviewed by: If someone else reviewed your modification.
> Approved by: If you needed approval for this commit.
> Obtained from: If the change is from a third party.
> MFC after: N [day[s]|week[s]|month[s]]. Request a reminder email.
> MFH: Ports tree branch name. Request approval for merge.
> Relnotes: Set to 'yes' for mention in release notes.
> Security: Vulnerability reference (one per line) or description.
> Sponsored by: If the change was sponsored by an organization.
> Differential Revision: https://reviews.freebsd.org/D### (*full* phabric URL needed).
> Empty fields above will be automatically removed.

_M .
M sys/contrib/ipfilter/netinet/ip_state.c

MFC r287674, r287675. Fix ipfilter bug 3600459 NAT bucket count wrong.

Obtained from: ipfilter cvs repo r1.48.2.25

MFC r287651, r287652, r287653.

Fix mutex errors, fixup typos in comments.

Obtained from: NetBSD r1.4.
-This lie, anr those below, will be ignored--
> Description of fields to fill in above: 76 columns --|
> PR: If a GNATS PR is affected by the change.
> Submitted by: If someone else sent in the change.
> Reviewed by: If someone else reviewed your modification.
> Approved by: If you needed approval for this commit.
> Obtained from: If the change is from a third party.
> MFC after: N [day[s]|week[s]|month[s]]. Request a reminder email.
> MFH: Ports tree branch name. Request approval for merge.
> Relnotes: Set to 'yes' for mention in release notes.
> Security: Vulnerability reference (one per line) or description.
> Sponsored by: If the change was sponsored by an organization.
> Differential Revision: https://reviews.freebsd.org/D### (*full* phabric URL needed).
> Empty fields above will be automatically removed.

_M .
M sys/contrib/ipfilter/netinet/ip_state.c