MFC 57785538c6e0d7e8ca0f161ab95bae10fd304047 and
1e811efbc591699b872bea42b9de419c373199df:

57785538c6e0d7e8ca0f161ab95bae10fd304047)

Simplify the FreeBSD check using __FreeBSD__ compiler macro.

Rather than rely on __FreeBSD_version, defined in sys/param.h, use
__FreeBSD__ defined by the compiler.

Reported by: emaste
MFC after: 1 week

(cherry picked from commit 57785538c6e0d7e8ca0f161ab95bae10fd304047)

1e811efbc591699b872bea42b9de419c373199df:

Fix non-IPv6 build post 57785538c6e0d7e8ca0f161ab95bae10fd304047.

57785538c6e0d7e8ca0f161ab95bae10fd304047 change the test for FreeBSD
from __FreeBSD_version to __FreeBSD__. However this test was performed
before sys/param.h was included, therefore __FreeBSD_version was never
defined. As the test was never true opt_random_ip_id.h was never included.

Submitted by: bdragon
Reported by: bdragon

(cherry picked from commit 1e811efbc591699b872bea42b9de419c373199df)

Git Hash: 62607e8680e944f89cd7b5b7bca10698c66908b2
Git Author: cy@FreeBSD.org

MFC e673debe7db8ba95e4ee3b549d2570e71d19b596:

Simplify BSD macro tests.

All FreeBSD and NetBSD are BSD >= 199306 and have been for a long time.

(cherry picked from commit e673debe7db8ba95e4ee3b549d2570e71d19b596)

Git Hash: ba6bb2487a7e159556d8ef9ba773fb4fa65dd823
Git Author: cy@FreeBSD.org

MFC 0f34c80f376345b98a972940dd4757e58d7beb06:

Replace the redundant MENTAT macro with SOLARIS.

MENTAT and SOLARIS are synonymous. Remove the extraneous duplicate
macro.

(cherry picked from commit 0f34c80f376345b98a972940dd4757e58d7beb06)

Git Hash: 8d6da0aae1c4ca288537c9875eaed1f65988e51f
Git Author: cy@FreeBSD.org

MFC7071734fae6019d1e3e44daf7deb4478582081cc:

Indentation cleanup resulting from the cleanup of #ifdefs.

The conscious decision was made not to perform any indentation or
whitespace cleanup while cleaning out old redunant #ifdefs. The
reason for this was to avoid confusing future readers of history and
diffs with cosmetic changes, making bisection of any possible bugs
introduced more difficult. This commit cleans up the whitespace
detritus left behind from the previous #ifdef cleanup commits.

(cherry picked from commit 7071734fae6019d1e3e44daf7deb4478582081cc)

Git Hash: 19bebaed370c527b531c79a7abbb9efcf8f37af1
Git Author: cy@FreeBSD.org

MFC 4cd1807c7d2a67b633dd0c0bfde15091543a2514:

Retire the K&R/STD C __P prototype declarations.

In the old days when K&R C and STD C were each in use a workaround
(read hack) was required to allow the same code to work on each
without modification. All C compilers support STD C. We can finally
put the __P prototype to rest.

(cherry picked from commit 4cd1807c7d2a67b633dd0c0bfde15091543a2514)

Git Hash: 0c7a33852aa5cd28a9d9b19b8f8034d60a9cb50f
Git Author: cy@FreeBSD.org

MFC: 83edbc3cb54fba6b37a68270c232df7b785bd222

ipfilter: Retire pre-standard C support.

All C compilers in 2021 support standard C and architectures that did
not were retired long ago. Simplify by removing now redundant
pre-standard C code.

MFC after: 1 week

(cherry picked from commit 83edbc3cb54fba6b37a68270c232df7b785bd222)

Git Hash: 58e43f89f17cf807b77270e15b91c46bfdfd1e77
Git Author: cy@FreeBSD.org

MFC r358560:

Retire macros:

BSD_GE_YEAR
BSD_GT_YEAR
BSD_LT_YEAR

MFC r358559:

Remove the now unused FREEBSD_GE_REV, FREEBSD_GT_REV, and FREEBSD_LT_REV
macros.

MFC r358558:

Continuing the effort started in r343701, #ifdef cleanup, checking for
__FreeBSD_version > 3.0 and 5.0 is redundant.

MFC r349362:

The definition of icmptypes in ip_compt.h is dead code as it already
use the icmptypes in ip_icmp.h.

MFC r349331:

Clean out duplicate definitions of TCP macros also found in netinet/tcp.h.

MFC r343705:

new_kmem_alloc(9) is a Solaris/illumos malloc(9). FreeBSD and NetBSD
never get here, however a test for SOLARIS, as redundant as this test is,
serves to document that this is the illumos definition. This should help
those who come after me to follow the code more easily.

MFC r343701 & r343732:

ipfilter #ifdef cleanup.

Remove #ifdefs for ancient and irrelevant operating systems from
ipfilter.

When ipfilter was written the UNIX and UNIX-like systems in use
were diverse and plentiful. IRIX, Tru64 (OSF/1) don't exist any
more. OpenBSD removed ipfilter shortly after the first time the
ipfilter license terms changed in the early 2000's. ipfilter on AIX,
HP/UX, and Linux never really caught on. Removal of code for operating
systems that ipfilter will never run on again will simplify the code
making it easier to fix bugs, complete partially implemented features,
and extend ipfilter.

Unsupported previous version FreeBSD code and some older NetBSD code
has also been removed.

What remains is supported FreeBSD, NetBSD, and illumos. FreeBSD and
NetBSD have collaborated exchanging patches, while illumos has expressed
willingness to have their ipfilter updated to 5.1.2, provided their
zone-specific updates to their ipfilter are merged (which are of interest
to FreeBSD to allow control of ipfilters in jails from the global zone).

Reviewed by: glebius@
Differential Revision: https://reviews.freebsd.org/D19006

MFC r342377:

Remove NETBSD_PF. NETBSD_PF is a flag that defines whether the pfil(9)
framework is available. pfil(9) has been in FreeBSD since FreeBSD 5
and according to svn log was first committed to HEAD in 2000, therefore
it is safe to say the check is no longer needed in FreeBSD.

pfil(9) first appeared in NetBSD 1.3 (hence the name NETBSD_PF).
Therefore it is safe to say that it is supported by every NetBSD system
today. The framework also exists in illumos.

As ipfilter code is shared and exchanged between FreeBSD and NetBSD, and
at some point in the future illumos too, and as all three platforms have
pfil(9), the redundant NETBSD_PF #defines and #ifdefs are removed.

MFC r341279:

Clean up a redundant non-redefinition of IFNAMSIZ. IFNAMSIZ
is defined in net/if.h, therefore the condition is never met and
confusing to those who follow.

MFC r341650:

Remove an ugly Ultrix hack. Ultrix has been AWOL since the last ice
age, more to come.

MFC r337410:

Remove redundant and incorrect default definition of AF_INET6. AF_INET6
is defined in sys/socket.h where it's defined as 28.

A bit of trivia: On NetBSD AF_INET6 is defined as 24. On Solaris it is
defined as 26. This is probably why Darren defaulted to 26, because
ipfilter was originally written for SunOS 4 and Solaris many moons ago.

MFC r312787:

Currently the fragment info is placed at the top of the linked list
under a shared read lock. This patch attempts to upgrade the lock to
an exclusive write lock. If the exclusive write lock fails to be
obtained, the current fragment is not placed at the head of the list.

This portion of the patch was inspired by NetBSD ip_frag.c r1.4 (which
effectively removed the section of code that performed the reordering).

The patch to sys/contrib/ipfilter/netinet/ip_compat.h adds the
MUTEX_TRY_UPGRADE macro to support the patch to ip_frag.c.

The patch to contrib/ipfilter/lib/rwlock_emul.c supports this patch
by emulating the mutex in userspace when exercised by ipftest(1).

Inspired by: NetBSD ip_frag.c r1.4

MFC r304953:

Define ipfilter's SOLARIS macro in a defined and portable way.

Reviewed by: cy
Differential Revision: https://reviews.freebsd.org/D7671

MFC r304959 (by kib):

Complete r304953.

Sponsored by: The FreeBSD Foundation

MFC r304964:

Follow-up to r304953, in which I broke the build: apparently the SOLARIS
macro is defined in lots of different places in ipfilter, so replace all
of the nonportable definitions with portable ones.

Pointy hat to: dim

Copy head@r302406 to stable/11 as part of the 11.0-RELEASE cycle.
Prune svn:mergeinfo from the new branch, as nothing has been merged
here.

Additional commits post-branch will follow.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

These files were getting sys/malloc.h and vm/uma.h with header pollution
via sys/mbuf.h

In ipfilter(4) there is the ipftest(1) program, that compiles half of the
ipfilter code as userland application. To reduce kernel structure knowledge
include if_var.h only if a file is compiled with _KERNEL defined.
In !_KERNEL case, provide our own definition of struct ifnet, that will
satisfy ipftest(1). This was already done earlier to struct ifaddr in
r279029. Protect the definition with _NET_IF_VAR_H_, since kernel part
of ipfilter may include if_var.h and ip_compat.h.

Sponsored by: Netflix
Sponsored by: Nginx, Inc.

Honour WITH and WITHOUT_INET6_SUPPORT.

Approved by: glebius (mentor)
MFC after: 3 days

Remove redundant USE_INET6 test that enables INET6 in the ipfilter userland
regardless of the setting in make.conf.

PR: 190964
Approved by: glebius (mentor)
MFC after: 1 week

Substitute flags from historical mbuf(9) allocator with modern ones.

Sponsored by: Nginx, Inc.

Include lock.h before mutex.h.

Remove additional non-FreeBSD code.

Approved by: glebius (mentor)
Approved by: re (blanket)

Update ipfilter 4.1.28 --> 5.1.2.

Approved by: glebius (mentor)
BSD Licensed by: Darren Reed <darrenr@reed.wattle.id.au> (author)

Adjust a few old checks to use __FreeBSD_version macro to
determine which version of FreeBSD kernel we're compiling.

Approved by: kib (mentor)

We don't need the definition for in_cksum repeated here since we get
it from machine/in_cksum.h. This definition prevents us from using
hand-tuned assembler versions of in_cksum.

# this fixes the modules build on arm for ipfilter.

Retire the MALLOC and FREE macros. They are an abomination unto style(9).

MFC after: 3 months

Replace all calls to minor() with dev2unit().

After I removed all the unit2minor()/minor2unit() calls from the kernel
yesterday, I realised calling minor() everywhere is quite confusing.
Character devices now only have the ability to store a unit number, not
a minor number. Remove the confusion by using dev2unit() everywhere.

This commit could also be considered as a bug fix. A lot of drivers call
minor(), while they should actually be calling dev2unit(). In -CURRENT
this isn't a problem, but it turns out we never had any problem reports
related to that issue in the past. I suspect not many people connect
more than 256 pieces of the same hardware.

Reviewed by: kib

2020447 IPFilter's NAT can undo name server random port selection

Approved by: darrenr
MFC after: 1 week
Security: CERT VU#521769

Apply a few changes from ipfilter-current:
* Do not hold any locks over calls to copyin/copyout.
* Clean up some #ifdefs
* fix a possible mbuf leak when NAT fails on policy routed packets

PR: 117216

Pullup IPFilter 4.1.28 from the vendor branch into HEAD.

MFC after: 7 days

Merge IPFilter 4.1.23 back to HEAD
See src/contrib/ipfilter/HISTORY for details of changes since 4.1.13

Resolve conflicts

MFC after: 2 weeks

Add mcopywrap prototype to ip_compat.h
Remove h323 proxy from ip_proxy (copyright issue)

Resolve conflicts

Fix -Wundef from compiling the amd64 LINT.

Enable building /sbin/ipf (but not the rescue version) with the ability to
parse bpf strings for filter rules in ipf.conf

Enable IPFilter to correctly determine if BPF has been optioned into the
kernel it is being compiled against and subsequently enable using BPF for
packet matching in ipf rules.

Don't use quad_t on FreeBSD (deprecated) so use "long long" instead.
Someday this should be converted to uint64_t and printstate.c changed to
use those horrid PRiud64 things.

Merge the changes from 3.4.35 to 4.1.8 into the kernel source tree

Enable fine grained locking within IPFilter, using mtx(9) and sx(9) allowing
the the "needs giant" flag to be removed from the driver.

Update ipfilter from 3.4.31 -> 3.4.35. Some important changes:
* block packets that fail to create state table entries
* only allow non-fragmented packets to influence whether or not a logged
packet is the same as the one logged before.
* correct the ICMP packet checksum fixing up when processing ICMP errors for NAT
* implement a maximum for the number of entries in the NAT table (NAT_TABLE_MAX
and ipf_nattable_max)
* frsynclist() wasn't paying attention to all the places where interface
names are, like it should.
* fix comparing ICMP packets with established TCP state where only 8 bytes
of header are returned in the ICMP error.

MFC after: 1 week

Recognise NOINET6 as an indication to not build IPv6 enabled source even
if FreeBSD header files, etc, support it.

Submitted by: Sergey Mokryshev <mokr@mokr.net>

Replace the if_name and if_unit members of struct ifnet with new members
if_xname, if_dname, and if_dunit. if_xname is the name of the interface
and if_dname/unit are the driver name and instance.

This change paves the way for interface renaming and enhanced pseudo
device creation and configuration symantics.

Approved By: re (in principle)
Reviewed By: njl, imp
Tested On: i386, amd64, sparc64
Obtained From: NetBSD (if_xname)

Commit import changed from vendor branch of ipfilter to -current head

Finally merge in the changes from ipfilter 3.4.29 to freebsd-current.
Main changes here are related to the ftp proxy and making that work better.

Commit changes that happened in IPFilter versions 3.4.27 - 3.4.28

Merge updates from 3.4.26 - 3.4.27.

bring in changes from 3.4.26.

fix conflicts (mostly damn rcs id's) generated by import

fix conflicts created by import

fix conflicts

Include sys/param.h for `__FreeBSD_version' rather than the non-existent
osreldate.h.

Submitted by: dougb

fix conflicts from rcsids

resolve conflicts

fix up conflicts

Re add rev 1.11 diffs to ip_fil.h Also discover that I did not undefine
CVS_FUBAR (which no longer exists) and thus forgot to add $FreeBSD's.
Add them.

Approved by: jkh (is part of ipfilter upgrade)

Bring over ipfilter v3_3_8 kernel sources, including merging the
local modifications.
Also fix initializing fr_running in KLD case.
Rename ipl_inited to fr_runninhg in mlfk_ipl

Approved by: jkh

Bring over ipfilter kernel sources, including merging the local modifications.

Revive mlfk_ipl here. This version is slightly changed from
the old one: an unnecessary define (KLD_MODULE) has been deleted and
the initialisation of the module is done after domaininit was called
to be sure inet is running.

Some slight changed were made to ip_auth.c and ip_state.c in order
to assure including of sys/systm.h in case we make a kld

Make sure ip_fil does nmot include osreldate in kernel mode

Remove mlfk_ipl.c from here: no sources allowed in these directories!

Add kernel parts of revived ipfilter (3.3.3.)