MFC e673debe7db8ba95e4ee3b549d2570e71d19b596:

Simplify BSD macro tests.

All FreeBSD and NetBSD are BSD >= 199306 and have been for a long time.

(cherry picked from commit e673debe7db8ba95e4ee3b549d2570e71d19b596)

Git Hash: ba6bb2487a7e159556d8ef9ba773fb4fa65dd823
Git Author: cy@FreeBSD.org

MFC 0f34c80f376345b98a972940dd4757e58d7beb06:

Replace the redundant MENTAT macro with SOLARIS.

MENTAT and SOLARIS are synonymous. Remove the extraneous duplicate
macro.

(cherry picked from commit 0f34c80f376345b98a972940dd4757e58d7beb06)

Git Hash: 8d6da0aae1c4ca288537c9875eaed1f65988e51f
Git Author: cy@FreeBSD.org

MFC 4cd1807c7d2a67b633dd0c0bfde15091543a2514:

Retire the K&R/STD C __P prototype declarations.

In the old days when K&R C and STD C were each in use a workaround
(read hack) was required to allow the same code to work on each
without modification. All C compilers support STD C. We can finally
put the __P prototype to rest.

(cherry picked from commit 4cd1807c7d2a67b633dd0c0bfde15091543a2514)

Git Hash: 0c7a33852aa5cd28a9d9b19b8f8034d60a9cb50f
Git Author: cy@FreeBSD.org

MFC r363277-r363283

r363277:
Only use the use_inet6 variable when INET6 is a build option.

This is a prerequisite to upcoming argument processing cleanups which
will resolve consistency as was done with ippool previously.

PR: 247952

r363278:
fr_family (the protocol family) must be AF_INET or AF_INET6, as in
the kernel, not an arbitrary 4 or 6.

This only affected printing ipfilter stats and rules from a kernel
dump. (This is currently undocumented.)

PR: 247952

r363279:
Historically ipfstat listings and stats only listed IPv4 or IPv6 output.
ipfstat would list IPv4 outputs by default while -6 would produce IPv6
outputs. This commit combines the ipfstat -i and -o outputs into one
listing of IPv4 and IPv6 rules. The -4 option lists only IPv4 rules
(as the default before) while -6 continues to list only rules that affect
IPv6.

PR: 247952
Reported by: joeb1@a1poweruser.com

r363280:
ipfstat -t defaults to IPv4 output. Make consistent with ipfstat -i
and ipfstat -o where without an argument IPv4 and IPv6 states are
shown. Use -4 and -6 to limit the display to IPv4 or IPv6 respectively.

PR: 247952

r363281:
Make ipfstat -t header generic when IPv4 and IPv6 output are
displayed in the same display.

PR: 247952

r363282:
The output from usage() need not contain usage for -t when STATETOP
is not compiled in.

PR: 247952

MFC -fno-common fixes: r359389, r359394, r359397-r359399, r359403-r359404,
r359406, r359413-r359416, r359425, r359427, r359432-r359433, r359443,
r359675-r359677

Note: this is not necessarily a complete fix to get these programs to build
with -fno-common applied.

r359389:
config(8): fixes for -fno-common

Move this handful of definitions into main.c, properly declare these as
extern in config.h. This fixes the config(8) build with -fno-common.

Unexplained in my previous commit to gas, -fno-common will become the
default in GCC10 and LLVM11, so it's worth addressing these in advance.

r359394:
MFV r359393: tcsh: import 6974bc35a5cd

This removes an extra variable definition that causes the -fno-common build
to fail, which will be a new default in GCC10/LLVM11.

r359397:
zfs: fix -fno-common issues

A similar (or identical?) fix has already landed in OpenZFS.

-fno-common will become the default in GCC10/LLVM11.

r359398:
sh: remove duplicate el definition

el is declared extern in myhistedit.h and defined in histedit.c. Remove the
duplicate definition in input.c to appease the -fno-common build.

-fno-common will become the default in GCC10/LLVM11.

r359399:
telnet: remove some duplicate definitions, mark terminaltype extern

Most of these were already properly declared and defined elsewhere, this is
effectively just a minor cleanup that fixes the -fno-common build.

-fno-common will become the default in GCC10/LLVM11.

r359403:
Revert 359399: telnet -fno-common bits

There was a large misfire from my local diff that I need to investigate, and
this version committed did not build.

r359404:
Re-apply r359399: telnet -fno-common fix

line and auth_level's redefinitions are just extraneous

telnetd will #define extern and then include ext.h to allocate storage for
all of these extern'd vars; however, two of them are actually defined in
libtelnet instead. Instead of doing an #ifdef extern dance around those
function pointers, just add an EXTERN macro to make it easier to
differentiate by sight which ones will get allocated in globals.c and which
ones are defined elsewhere.

r359406:
telnet: kill off remaining duplicate definition

r359413:
ipfilter: remove duplicate definition of 'thishost'

thishost is already defined in lib/initparse.c; no need for this one. This
fixes the ipfilter build with -fno-common.

-fno-common will become the default in GCC10/LLVM11.

r359414:
iscontrol: move definition of vflag/iscsidev to iscontrol.c

Mark the declaration extern as these are used elsewhere; this fixes the
build with -fno-common.

r359415:
userboot: mark host_fsops as extern

This is already defined elsewhere; mark this declaration extern to the fix
the -fno-common build.

r359416:
systat: remove redundant definition of kd

kd is already properly declared in extern.h and defined in main.c, rendering
this definition useless. This fixes the -fno-common build.

r359425:
locate: fix -fno-common build

Just a single variable declaration to extern and define elsewhere here,
myctype.

-fno-common will become a default in GCC10/LLVM11.

r359427:
fsck_ffs/fsdb: fix -fno-common build

This one is also a small list:

- 3x duplicate definition (ufs2_zino, returntosingle, nflag)
- 5x 'needs extern', 3/5 of which are referenced in fsdb

-fno-common will become the default in GCC10/LLVM11.

r359432:
gdb: compile with -fcommon explicitly

As described in the comment, gdb relies on some of the linker magic that
happens with -fcommon. I suspect the life expectancy of gdb-in-base is low
enough that this isn't worth spending much time addressing, especially given
the vintage. Hit it with the -fcommon hammer so that it continues to just
work.

r359433:
bmake: fix -fno-common build

debug was declared extern, but debug_file was not; correct this and define
debug_file in main.c (as debug is) to fix the -fno-common build.

-fno-common will become the default with GCC10/LLVM11.

r359443:
MFV r359442: bmake: import -fno-common fix build back from upstream

sjg@ committed the local patch previously committed upstream; pull it in to
vendor/ to ease any potential stress of future imports.

r359675:
kqueue tests: fix -fno-common build

vnode_fd and kqfd are both shared among multiple CU; define them exactly
once.

In the case of vnode_fd, it was simply the declaration that needed
correction.

-fno-common will become the default in GCC10/LLVM11.

r359676:
ntpd: fix build with -fno-common

Only a small nit here: psl should be declared extern and defined exactly
once.

-fno-common will become the default in GCC10/LLVM11.

r359677:
yp*: fix -fno-common build

This is mostly two problems spread out far and wide:
- ypldap_process should be declared properly
- debug is defined differently in many programs

For the latter, just extern it and define it everywhere that actually needs
it. This mostly works out nicely for ^/libexec/ypxfr, which can remove the
assignment at the beginning of main in favor of defining it properly.

-fno-common will become the default in GCC10/LLVM11.

MFC r358064:

As with ipf(8), give ippool(8) the ability to load IP pools from multiple
files. This allows for loading, during the same invocation of ippool, of
multiple sources of input using multiple tools to concurrently maintain the
files such as fail2ban, macro preprocessors, and manually.

MFC r352738:

Teach the ippool parser about address families. This is a precursor
to implementing IPv6 support within ippool which requires reworking
radix_ipf.c.

MFC r352786:

Implement the dynamic add (-A) and removal (-R) of ippool pools
from the command line. Prior to this the functionality was mostly there
however since the pool type (-t) was not recognized by the -A and -R
command options -- not recognized by getopt(). Additionally the code to
implement the dynamic add and removal of pools didn't work.

When dynamically adding (-A) a pool a type (-t) to specify if the pool
is a tree or hash pool must be specified. When dynamically removing (-R)
a pool, omitting -t will cause a search-and-destroy which will remove
both types of pools matching the name given (-m).

PR: 218433

MFC r352785:

The no resolve (OPT_NORESOLVE) does nothing. Additionally, it (-R)
conflicts with the command option of the same name (also -R).
Remove the superfluous and confusing non-global non-command -R option.

PR: 218433

MFC r322075:

loadpoolfile() implements a -R (NORESOLVE) option which is not listed
in usage(). This commit trues up usage() with loadpoolfile().

MFC r320664:

Document supported poollist() (ippool -l) options in usage() and in
ippool.8 man page.

MFC r320428:

In poolnodecommand() (ippool -a and ippool -r) -m (pool name) is not
optional.

MFC r320221:

poolflush() has no positional arguments.

MFC r320187:

Fix -S handling within poolcommand(). Specifying a seed (-S) is only
valid when adding a pool (ippool -A), not when removing a pool
(ippool -R). It is a command line syntax error if specifying a seed (-S)
is specified when emoving a pool (-R).

MFC r320143:

Flag poolnodecommand() (ippool -a and ippool -r) command line syntax
errors.

MFC r320120:

poolcommand() (ippool -A and ippool -R) seed takes an argument.

MFC r320095:

Flag poolcommand() (ippool -A and ippool -R) command line syntax errors.

MFC r319930:

Chase r319848: remove -v option from getopt() call.

MFC r319929:

-n (do nothing) is not a commmand option.

MFC r319848:

-v (verbose) is not a command option. (See ippool.1 for a definition
of command options).

MFC r319822:

Flag loadpoolfile() (ippool -f) command line syntax errors.

MFC r319821:

Identify poolstats() (ippool -s) command line syntax errors.

MFC r319820:

Identify command line syntax errors in poolflush() (ippool -F).

MFC r319810:

Remove redundant assignment of infile from optarg in loadpoolfile()
which was previously assigned from optarg in the argument list from
main().

MFC r319795:

Disable the -O (output fields) option in poollist() (ippool -l) for
now. The option does not presently work. However, similar functions in
ipfstat (for state) and ipnat (for nat) do work and provide outputs that
can be easily parsed by shell scripts or subsequently loaded into CSV
files. The intention here is to return to this option to make it work.
I suspect the problem is in printpoolfields.c.

MFC r319794:

Flag poollist() (ippool -l) command line syntax errors.

MFC r319273:

Remove NORESOLVE (-R) option from poollist() (ippool -l). It is not
used in poollist().

MFC r349450-349451:

Update usage() to refect the current state of ipmon.

PR: 238816

MFC r343701 & r343732:

ipfilter #ifdef cleanup.

Remove #ifdefs for ancient and irrelevant operating systems from
ipfilter.

When ipfilter was written the UNIX and UNIX-like systems in use
were diverse and plentiful. IRIX, Tru64 (OSF/1) don't exist any
more. OpenBSD removed ipfilter shortly after the first time the
ipfilter license terms changed in the early 2000's. ipfilter on AIX,
HP/UX, and Linux never really caught on. Removal of code for operating
systems that ipfilter will never run on again will simplify the code
making it easier to fix bugs, complete partially implemented features,
and extend ipfilter.

Unsupported previous version FreeBSD code and some older NetBSD code
has also been removed.

What remains is supported FreeBSD, NetBSD, and illumos. FreeBSD and
NetBSD have collaborated exchanging patches, while illumos has expressed
willingness to have their ipfilter updated to 5.1.2, provided their
zone-specific updates to their ipfilter are merged (which are of interest
to FreeBSD to allow control of ipfilters in jails from the global zone).

Reviewed by: glebius@
Differential Revision: https://reviews.freebsd.org/D19006

MFC r315368:

calloc() and realloc() modernization.

This commit replaces calloc calls, which called calloc() as if it were
malloc() by allocating a multiple of objects as a sizeof multiplied by
the number of objects. The patch rectifies this by calling calloc() as
it was meant to be called.

This commit also replaces realloc() with reallocarray() in a similar
fashion as above. Instead of calculating the memory to reallocated
(changed) by multiplying sizeof by the number of objects, the sizeof
and number are passed as separate arguments to reallocarray(), letting
reallocarray() do the multiplication instead. Like the calloc()
adjustment above, this is approach is cleaner and more elegant than
than the previous code.

This has been tested on my production firewall and a laptop (also
running ipfilter).

Submitted by: pfg

MFC 317830:

Ifdef out a redundant if statement when INET6 is disabled.

Revert r318203: Neglected to put "MFC 318203:" in the log.

Pointy hat to: cy

Ifdef out a redundant if statement when INET6 is disabled.

MFC r316993, r316994, r316997 as follows:

r316993:

Fix CID 1372601 in ipfilter/lib/parsefields.c, possible NULL pointer
dereference should reallocarray() fail.

Reported by: Coverity CID 1372601

r316994:

Fix CID 1372600 in ipfilter/tools/ipf_y.y, possible NULL pointer
dereference should reallocarray() fail.

Reported by: Coverity CID 1372600

r316997:

Use warnx() to issue error message.

Reported by: cem

MFC r312791:

Use normal KNF cuddling of elses.

Reported by: bde

MFC r312777, r312780:

Issue an error message when an incorrect flush argument is encountered
(and style fixup).

Copy head@r302406 to stable/11 as part of the 11.0-RELEASE cycle.
Prune svn:mergeinfo from the new branch, as nothing has been merged
here.

Additional commits post-branch will follow.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Remove dead code.

Approved by: re@ (hrs@)
MFC after: 1 week

Revert r288682

I meant to do this on ^/user/ngie/more-tests

Pointyhat to: ngie (use svn info next time...)

ipf(1): Use strchr(3) instead of deprecated index(3)

Reviewed by: cy
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D2607

Stop including if_var.h from userland.

Sponsored by: Nginx, Inc.

o Use new function ip_fillid() in all places throughout the kernel,
where we want to create a new IP datagram.
o Add support for RFC6864, which allows to set IP ID for atomic IP
datagrams to any value, to improve performance. The behaviour is
controlled by net.inet.ip.rfc6864 sysctl knob, which is enabled by
default.
o In case if we generate IP ID, use counter(9) to improve performance.
o Gather all code related to IP ID into ip_id.c.

Differential Revision: https://reviews.freebsd.org/D2177
Reviewed by: adrian, cy, rpaulo
Tested by: Emeric POUPON <emeric.poupon stormshield.eu>
Sponsored by: Netflix
Sponsored by: Nginx, Inc.
Relnotes: yes

#552 destination port not zero after parsing nat rule

Approved by: glebius (mentor)
Obtained from: netbsd CVS repo (r1.4), ipfilter CVS repo (r1.38)

3561691 gethost never returns an ipv6 address

Approved by: glebius (mentor)
Obtained from: ipfilter CVS repo (r1.34), netbsd CVS repo (r1.4)

#551 ipf.conf address structure not properly zero filled

Approved by: glebius (mentor)
Obtained from: ipfilter CVS repo (r1.37), netbsd CVS repo (r1.3)

Update ipfilter 4.1.28 --> 5.1.2.

Approved by: glebius (mentor)
BSD Licensed by: Darren Reed <darrenr@reed.wattle.id.au> (author)

Use pcap's bpf header, not our own copy of it.

Fix a typo that causes the for loop to exit immediately. There's
identical loop a few lines above.

Reviewed by: sam
Approved by: ed (mentor)
Silence from: darrenr (maintainer)

2020447 IPFilter's NAT can undo name server random port selection

Approved by: darrenr
MFC after: 1 week
Security: CERT VU#521769

Pullup IPFilter 4.1.28 from the vendor branch into HEAD.

MFC after: 7 days

ipfstat should parse "any" when used with -D/-S command line options

PR: bin/113879
Submitted by: kabe@sra-tohoku.co.jp
Reviewed by: darrenr
Approved by: re

Merge IPFilter 4.1.23 back to HEAD
See src/contrib/ipfilter/HISTORY for details of changes since 4.1.13

This commit was generated by cvs2svn to compensate for changes in r170263,
which included commits to RCS files with non-trunk default branches.

Resolve conflicts

MFC after: 1 weeks

fix "ipf -Z" reporting rubbish and possibly panic'ing box

MFC after: 4 days

Resolve conflicts (and believe me...you don't want to know).

arm defaults to unsigned char as well.

Enable building /sbin/ipf (but not the rescue version) with the ability to
parse bpf strings for filter rules in ipf.conf

Fix tinderbox build on ppc.

Requested by: mlaier

Patches from Ruslam Ermilov to remove NetBSD bits from Makefiles and cleanup
build problems with rescue.

Fix include directives that were missing the netinet include directory, where
the ipl.h file is found. Also add back in ip_fil.c, which somehow went missing
in action.

* Someone imported a lot of files with the wrong CVS tag, so lots of files need
that fixed in them....
* Keep unnecessary files out of the non-vendor part of this CVS repository.

This commit was generated by cvs2svn to compensate for changes in r145510,
which included commits to RCS files with non-trunk default branches.