MFC 57785538c6e0d7e8ca0f161ab95bae10fd304047 and
1e811efbc591699b872bea42b9de419c373199df:

57785538c6e0d7e8ca0f161ab95bae10fd304047)

Simplify the FreeBSD check using __FreeBSD__ compiler macro.

Rather than rely on __FreeBSD_version, defined in sys/param.h, use
__FreeBSD__ defined by the compiler.

Reported by: emaste
MFC after: 1 week

(cherry picked from commit 57785538c6e0d7e8ca0f161ab95bae10fd304047)

1e811efbc591699b872bea42b9de419c373199df:

Fix non-IPv6 build post 57785538c6e0d7e8ca0f161ab95bae10fd304047.

57785538c6e0d7e8ca0f161ab95bae10fd304047 change the test for FreeBSD
from __FreeBSD_version to __FreeBSD__. However this test was performed
before sys/param.h was included, therefore __FreeBSD_version was never
defined. As the test was never true opt_random_ip_id.h was never included.

Submitted by: bdragon
Reported by: bdragon

(cherry picked from commit 1e811efbc591699b872bea42b9de419c373199df)

Git Hash: 62607e8680e944f89cd7b5b7bca10698c66908b2
Git Author: cy@FreeBSD.org

MFC 0f34c80f376345b98a972940dd4757e58d7beb06:

Replace the redundant MENTAT macro with SOLARIS.

MENTAT and SOLARIS are synonymous. Remove the extraneous duplicate
macro.

(cherry picked from commit 0f34c80f376345b98a972940dd4757e58d7beb06)

Git Hash: 8d6da0aae1c4ca288537c9875eaed1f65988e51f
Git Author: cy@FreeBSD.org

MFC7071734fae6019d1e3e44daf7deb4478582081cc:

Indentation cleanup resulting from the cleanup of #ifdefs.

The conscious decision was made not to perform any indentation or
whitespace cleanup while cleaning out old redunant #ifdefs. The
reason for this was to avoid confusing future readers of history and
diffs with cosmetic changes, making bisection of any possible bugs
introduced more difficult. This commit cleans up the whitespace
detritus left behind from the previous #ifdef cleanup commits.

(cherry picked from commit 7071734fae6019d1e3e44daf7deb4478582081cc)

Git Hash: 19bebaed370c527b531c79a7abbb9efcf8f37af1
Git Author: cy@FreeBSD.org

MFC 4cd1807c7d2a67b633dd0c0bfde15091543a2514:

Retire the K&R/STD C __P prototype declarations.

In the old days when K&R C and STD C were each in use a workaround
(read hack) was required to allow the same code to work on each
without modification. All C compilers support STD C. We can finally
put the __P prototype to rest.

(cherry picked from commit 4cd1807c7d2a67b633dd0c0bfde15091543a2514)

Git Hash: 0c7a33852aa5cd28a9d9b19b8f8034d60a9cb50f
Git Author: cy@FreeBSD.org

MFC r363284-r363285, r363670

r363284:
pfil_run_hooks() can be called recursively, so we have to
define FASTROUTE_RECURSION in fil.c

Submitted by: christos@NetBSD.org
Reported by: christos@NetBSD.org
Obtained from: NetBSD r1.31

r363285:
Fix incorrect byte order in ipfstat -f output.
- make sure frag is initialized to 0
- initialize ipfr_p field

NetBSD PR: 55137
Submitted by: christos@NetBSD.org
Reported by: christos@NetBSD.org
Obtained from: NetBSD fil.c r1.32, ip_frag.c r1.8

r363670:
Continued ipfilter #ifdef cleanup. The r343701 log entry contains a
complete description.

MFC r355670:

Rather than pass the address of the packet information control block to
ipf_pcksum6(), directly pass the adddress of the mbuf to it. This reduces
one pointer dereference. ipf_pcksum6() doesn't use the packet information
control block except to obtain the mbuf address.

MFC r355669:

in6_cksum() returns zero when checksums are good.

MFC r355156:

Include fin, the packet information structure (fr_info_t), in the
l4sums DTrace probe, making more information available for the diagnosis
of IPv6 checksum errors.

MFC r355142:

Move ipf_pcksum6() to its rightful place, in ip_fil_freebsd.c. This
FreeBSD-only function should live in the O/S specific source file.

This essentially reverts r349929 Now that ipftest and ipfreplay are
disabled in FreeBSD 11-stable.

MFC r355141:

Save a little stack by removing a used once intermediate variable.

MFC r355140:

Remove redundant #ifdef'd function definitions.

MFC r352737:

ipf mistakenly regards UDP packets with a checksum of 0xffff as bad.

Obtained from: NetBSD fil.c r1.30, NetBSD PR/54443

MFC r350882:

Initialize the frentry (the control block that defines a rule) checksum
to zero. Matching checksums save time and effort by mitigating the need
for full rule compare.

MFC r350881:

Calculate the number interface array elements using the new FR_NUM macro
instead of the hard-coded value of 4. This is a precursor to increasing
the number of interfaces speficied in "on {interface, ..., interface}".
Note that though this feature is coded in ipf_y.y, it is partially
supported in the ipfilter kld, meaning it does not work yet (and is yet
to be documented in ipf.5 too).

MFC r350880:

r272552 applied the patch from ipfilter upstream fil.c r1.129 to fix
broken ipfilter rule matches (upstream bug #554). The upstream patch
was incomplete, it resolved all but one rule compare issue. The issue
fixed here is when "{to, reply-to, dup-to} interface" are used in
conjuncion with "on interface". The match was only made if the on keyword
was specified in the same order in each case referencing the same rule.
This commit fixes this.

The reason for this is that interface name strings and comment keyword
comments are stored in a a variable length field starting at fr_names
in the frentry struct. These strings are placed into this variable length
in the order they are encountered by ipf_y.y and indexed through index
pointers in fr_ifnames, fr_comment or one of the frdest struct fd_name
fields. (Three frdest structs are within frentry.) Order matters and
this patch takes this into account.

While in here it was discovered that though ipfilter is designed to
pport multiple interface specifiations per rule (up to four), this
undocumented (the man page makes no mention of it) feature does not work.
A todo is to fix the multiple interfaces feature at a later date. To
understand the design decision as to why only four were intended, it is
suspected that the decision was made because Sun workstations and PCs
rarely if ever exceeded four NICs at the time, this is not true in 2019.

PR: 238796
Reported by: WHR <msl0000023508@gmail.com>

MFC r351380:

Specifying array sizes for fully initialized tables at compile time is
redundant.

MFC r350064:

As of upstream fil.c CVS r1.53 (March 1, 2009), prior to the import of
ipfilter 5.1.2 into FreeBSD-10, the fix for, 2580062 from/to targets
should be able to use any interface name, moved frentry.fr_cksum to
prior to frentry.fr_func thereby making this code redundant. After
investigating whether this fix to move fr_cksum was correct and if it
broke anything, it has been determined that the fix is correct and this
code is redundant. We remove it here.

MFC r350063:

Refactor, removing one compare.

This changes the return code however the caller only tests for 0 and != 0.
One might ask then, why multiple return codes when the caller only tests
for 0 and != 0? From what I can tell, Darren probably passed various
return codes for sake of debugging. The debugging code is long gone
however we can still use the different return codes using DTrace FBT
traces. We can still determine why the compare failed by examining the
differences between the fr1 and fr2 frentry structs, which is a simple
test in DTrace. This allows reducing the number of tests, improving the
code while not affecting our ability to capture information for
diagnostic purposes.

MFC r349979:

Recycle the unused FR_CMPSIZ macro which became orphaned in ipfilter 5
prior to its import into FreeBSD. This macro calculates the size to be
compared within the frentry structure. The ipfilter 4 version of the
macro calculated the compare size based upon the static size of the
frentry struct. Today it uses the ipfilter 5 method of calculating the
size based upon the new to ipfilter 5 fr_size value found in the
frentry struct itself.

No effective change in code is intended.

MFC r349917:

Remove a tautological test for adding a rule in the block that
adds rules.

MFC r349898, r349916:

ipfilter commands, in this case ipf(8), passes its operations and rules
via an ioctl interface. Rules can be added or removed and stats and
counters can be zeroed out. As the ipfilter interprets these
instructions or operations they are stored in an integer called
addrem (add/remove). 0 is add, 1 is remove, and 2 is clear stats and
counters. Much of this is not documented. This commit documents these
operations by replacing simple integers with a self documenting
enum along with a few basic comments.

MFC r349978:

style(9)

MFC r349927, r349929:

r349927:
Resolve IPv6 checksum errors with stateful inspection. According to
PR/203585 this appears to have been broken by r235959, which predates
the ipfilter 5.1.2 import into FreeBSD.

The IPv6 checksum calculation is incorrect. To resolve this we call
in6_cksum() to do the the heavy lifting for us, through a new function
ipf_pcksum6(). Should we need to revisit this area again, a DTrace probe
is added to aid with future debugging.

Plus whitespace adjustments (r348989).

PR: 203275, 203585
Differential Revision: https://reviews.freebsd.org/D20583

r349929:
Move the new ipf_pcksum6() function from ip_fil_freebsd.c to fil.c.
The reason for this is that ipftest(8), which still works on FreeBSD-11,
fails to link to it, breaking stable/11 builds.

ipftest(8) was broken (segfault) sometime during the FreeBSD-12 cycle.
glebius@ suggested we disable building it until I can get around to
fixing it. Hence this was not caught in -current.

The intention is to fix ipftest(8) as it is used by the netbsd-tests
(imported by ngie@ many moons ago) for regression testing.

MFC r348987, r348989:

Resolve IPv6 checksum errors with stateful inspection. According to
PR/203585 this appears to have been broken by r235959, which predates
the ipfilter 5.1.2 import into FreeBSD.

The IPv6 checksum calculation is incorrect. To resolve this we call
in6_cksum() to do the the heavy lifting for us, through a new function
ipf_pcksum6(). Should we need to revisit this area again, a DTrace probe
is added to aid with future debugging.

Plus whitespace adjustments (r348989).

PR: 203275, 203585
Differential Revision: https://reviews.freebsd.org/D20583

MFC r349401:

While working on PR/238796 I discovered an unused variable in frdest,
the next hop structure. It is likely this contributes to PR/238796
though other factors remain to be investigated.

PR: 238796

MFC r349399-349400,349567-349568:

Prompted by r349366, ipfilter is also does not conform to RFC 3128
by dropping TCP fragments with offset = 1.

In addition to dropping these fragments, add a DTrace probe to allow
for more detailed monitoring and diagnosis if required.

MFC r349152:

Make ipf_objbytes a constant. ipf_objbytes is a table of internal data
structures that are saved across reboots by ipfs(8). The table is not
changed at runtime.

MFC r348666:

Clean up #ifdefs from old unsupported releases of FreeBSD.

Approved by: re (gjb@)

MFC r348575:

Properly define the fourth argument to ipf_check, the main entry point
into ipfilter. A proper definition simplifies dtrace scripts a little.

Approved by: re (delphij@)

MFC r348312:

style(9)

Approved by: re (gjb@)

MFC r348311:

Fix indentation and while at it simplfy the code.

Reported by: lwhsu@
Approved by: re (gjb@)

MFC r343703

Remove a reference to HP-UX in a comment.

MFC r343701 & r343732:

ipfilter #ifdef cleanup.

Remove #ifdefs for ancient and irrelevant operating systems from
ipfilter.

When ipfilter was written the UNIX and UNIX-like systems in use
were diverse and plentiful. IRIX, Tru64 (OSF/1) don't exist any
more. OpenBSD removed ipfilter shortly after the first time the
ipfilter license terms changed in the early 2000's. ipfilter on AIX,
HP/UX, and Linux never really caught on. Removal of code for operating
systems that ipfilter will never run on again will simplify the code
making it easier to fix bugs, complete partially implemented features,
and extend ipfilter.

Unsupported previous version FreeBSD code and some older NetBSD code
has also been removed.

What remains is supported FreeBSD, NetBSD, and illumos. FreeBSD and
NetBSD have collaborated exchanging patches, while illumos has expressed
willingness to have their ipfilter updated to 5.1.2, provided their
zone-specific updates to their ipfilter are merged (which are of interest
to FreeBSD to allow control of ipfilters in jails from the global zone).

Reviewed by: glebius@
Differential Revision: https://reviews.freebsd.org/D19006

MFC r343600:

Document the instance context pointer.

MFC r342547:

Remove another empty #ifdef block. This empty block also exists in
the upstream HEAD.

MFC r333392-r333393, r333427

r333392:
Fix memory leak. (CID 1199373).

r333393:
Document intentional fallthrough. (CID 976535)

r333427:
Fix style error introduced in r333393.

Reported by: jhb, imp, phk

Approved by: re (delphij)

MFC r306449:

Remove an extra etter.

MFC r316810, r316814, r316816, r316991:

Keep state incorrectly assumes keep frags. This is counter to the
ipfilter man pages. This also currently restricts keep frags to only when
keep state is used, which is redundant because keep state currently
assumes keep frags. This commit fixes this.

To the user this change means that to maintain the current behaviour
one must add keep frags to any ipfilter keep state rule (as documented
in the man pages).

This patch also allows the flexability to specify and use keep frags
separate from keep state, as documented in an example in ipf.conf.5,
instead of the currently broken behaviour.

MFC suggested by: rgrimes
Relnotes: yes

Copy head@r302406 to stable/11 as part of the 11.0-RELEASE cycle.
Prune svn:mergeinfo from the new branch, as nothing has been merged
here.

Additional commits post-branch will follow.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Add DTrace probes for packets flagged as bad by ipfilter. All probes
for bad packets are named ipf_fi_bad_*. An example of its use might be:

dtrace -n 'sdt:::ipf_fi_bad_* { stack(); }'

Reviewed by: Darren Reed <darrenr@reed.wattle.id.au>

o Use new function ip_fillid() in all places throughout the kernel,
where we want to create a new IP datagram.
o Add support for RFC6864, which allows to set IP ID for atomic IP
datagrams to any value, to improve performance. The behaviour is
controlled by net.inet.ip.rfc6864 sysctl knob, which is enabled by
default.
o In case if we generate IP ID, use counter(9) to improve performance.
o Gather all code related to IP ID into ip_id.c.

Differential Revision: https://reviews.freebsd.org/D2177
Reviewed by: adrian, cy, rpaulo
Tested by: Emeric POUPON <emeric.poupon stormshield.eu>
Sponsored by: Netflix
Sponsored by: Nginx, Inc.
Relnotes: yes

Correctly define constants.

MFC after: 1 week

ipfilter bug #554 Determining why a ipf rule matches is hard -- replace
ipfilter rule compare with new ipf_rule_compare() function.

Obtained from: ipfilter CVS rep (r1.129)

ipfiler bug #550 filter rule list corrupted with inserted rules

Obtained from: ipfilter CVS repo (r1.128); NetBSD CVS repo (r1.15)

Fix !INET6 build.

Update ipfilter 4.1.28 --> 5.1.2.

Approved by: glebius (mentor)
BSD Licensed by: Darren Reed <darrenr@reed.wattle.id.au> (author)

Fix defines in r241245. We actually don't define FreeBSD.

Reported & tested by: Oleg Ginzburg

A step in resolving mess with byte ordering for AF_INET. After this change:

- All packets in NETISR_IP queue are in net byte order.
- ip_input() is entered in net byte order and converts packet
to host byte order right _after_ processing pfil(9) hooks.
- ip_output() is entered in host byte order and converts packet
to net byte order right _before_ processing pfil(9) hooks.
- ip_fragment() accepts and emits packet in net byte order.
- ip_forward(), ip_mloopback() use host byte order (untouched actually).
- ip_fastforward() no longer modifies packet at all (except ip_ttl).
- Swapping of byte order there and back removed from the following modules:
pf(4), ipfw(4), enc(4), if_bridge(4).
- Swapping of byte order added to ipfilter(4), based on __FreeBSD_version
- __FreeBSD_version bumped.
- pfil(9) manual page updated.

Reviewed by: ray, luigi, eri, melifaro
Tested by: glebius (LE), ray (BE)

Merge the remainder of kern_vimage.c and vimage.h into vnet.c and
vnet.h, we now use jails (rather than vimages) as the abstraction
for virtualization management, and what remained was specific to
virtual network stacks. Minor cleanups are done in the process,
and comments updated to reflect these changes.

Reviewed by: bz
Approved by: re (vimage blanket)

Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).

This is the first in a series of commits over the course
of the next few weeks.

Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.

We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.

Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch

Fix 3 issues relating to the use of "auth" rules in IPFilter, from sourceforge:
1837014 Kernel panics after authentication of an outgoing packet
1836992 Potential bugs in packet auth code (w/patches)
1836967 Kernel panic when using auth rule with keep state
and another reported only to FreeBSD by Andiry (see PR)

PR: kern/118251
Submitted by: Andriy Syrovenko <andriys@gmail.com>
Reviewed by: darrenr
MFC after: 5 days

Apply a few changes from ipfilter-current:
* Do not hold any locks over calls to copyin/copyout.
* Clean up some #ifdefs
* fix a possible mbuf leak when NAT fails on policy routed packets

PR: 117216

Pullup IPFilter 4.1.28 from the vendor branch into HEAD.

MFC after: 7 days

Pointer to an ICMP header was getting left behind after doing a pullup.

Merge IPFilter 4.1.23 back to HEAD
See src/contrib/ipfilter/HISTORY for details of changes since 4.1.13

Resolve conflicts

MFC after: 2 weeks

fix "ipf -Z" reporting rubbish and possibly panic'ing box

MFC after: 4 days

Resolve conflicts

Fix -Wundef from compiling the amd64 LINT.

Fix some minor problems before release:
(1) "ipf -T" is broken for fetching single entries and
(2) loading rules with numbered collections does not order insertion right.
(3) stats aren't accumulated for hash table memory failures

Approved by: re (dwhite)

- Comment out duplicate rcsid strings in *.c files
- Move SIOCPROXY from ip_nat.h to ip_proxy.h and fix ip_proxy.h so that it
can be easily compiled into kdump, et al.

Merge the changes from 3.4.35 to 4.1.8 into the kernel source tree

Elminate 1 LOR (actually a recursive mutex grab) involving ipfilter where
we loop through all the list of NICs (struct ifnet), holding the lock on
it and then do a name lookup with ifunit() whilst holding it.

* The #ifdef's to cause mutex's for freebsd to be declared were meant to pick
up on USE_MUTEX being defined, but this patch
* Remove some code that's in a #ifndef FreeBSD that's no longer used.

Sprinkle in some __FreeBSD_version checks so that this compiles again. Don't
define PFIL_HOOKS anymore.

Submitted by: keramida

Using just m_pullup to get all of the interesting bits in packet into one
buffer doesn't work for ipv6 packets, so use m_defrag() here instead as an
easy drop-in replacement.

PR: 70399

Mess from update & merge - don't release the ifnet lock twice, just once
and after we're finished with it.

Update ipfilter from 3.4.31 -> 3.4.35. Some important changes:
* block packets that fail to create state table entries
* only allow non-fragmented packets to influence whether or not a logged
packet is the same as the one logged before.
* correct the ICMP packet checksum fixing up when processing ICMP errors for NAT
* implement a maximum for the number of entries in the NAT table (NAT_TABLE_MAX
and ipf_nattable_max)
* frsynclist() wasn't paying attention to all the places where interface
names are, like it should.
* fix comparing ICMP packets with established TCP state where only 8 bytes
of header are returned in the ICMP error.

MFC after: 1 week

Remove advertising clause from University of California Regent's
license, per letter dated July 22, 1999 and email from Peter Wemm,
Alan Cox and Robert Watson.

Approved by: core, peter, alc, rwatson

Back out M_* changes, per decision of the TRB.

Approved by: trb

Commit import changed from vendor branch of ipfilter to -current head

Remove M_TRYWAIT/M_WAITOK/M_WAIT. Callers should use 0.
Merge M_NOWAIT/M_DONTWAIT into a single flag M_NOWAIT.

SMP locking for ifnet list.

Finally merge in the changes from ipfilter 3.4.29 to freebsd-current.
Main changes here are related to the ftp proxy and making that work better.

Commit changes that happened in IPFilter versions 3.4.27 - 3.4.28

Merge updates from 3.4.26 - 3.4.27.

bring in changes from 3.4.26.

fix conflicts (mostly damn rcs id's) generated by import

Backout inclusion of queue.h since rev 1.38 sys/file.h now has it
included in the right order.

Include sys/_lock.h and sys/_mutex.h to reduce namespace pollution.

Requested by: jhb

IPFilter munges multicast address packets on the loopback interface.

Submitted by: Frank Zolf
Approved by: jkh
MFC after: 0

fix conflicts created by import

fix conflicts

Fix conflicts creted by import.

fix conflicts from rcsids

We now keep the ip_id field in network byte order all the
time, so there is no need to make the distinction between
ip_output() and ip_input() cases.

Reviewed by: silence on freebsd-net

resolve conflicts

fix conflicts

define CSUM_DELAY_DATA to match merge

fix up conflicts

fix conflicts

Compute the checksum before handing the packet off to IPFilter.

Tested by: Cy Schubert <Cy.Schubert@uumail.gov.bc.ca>

Fix bug in dealing with "hlen == 1 and opt > 1"

Add missing include machine/in_cksum.h.

Submitted by: n_hibma

Add $FreeBSD$

Bring over ipfilter v3_3_8 kernel sources, including merging the
local modifications.
Also fix initializing fr_running in KLD case.
Rename ipl_inited to fr_runninhg in mlfk_ipl

Approved by: jkh

Bring over ipfilter kernel sources, including merging the local modifications.

KERNEL -> _KERNEL

Add kernel parts of revived ipfilter (3.3.3.)