ipfilter: remove doubled semicolons

Local commit; ipfilter upstream is inactive.

Discussed with: cy
MFC after: 3 days

(cherry picked from commit 8fa63f44e64ebac444a4ac6451ac5e150cdcf8b1)

Git Hash: f3616c6d7ff5168d2e7883a831b60bbdc31367c6
Git Author: emaste@FreeBSD.org

MFC 57785538c6e0d7e8ca0f161ab95bae10fd304047 and
1e811efbc591699b872bea42b9de419c373199df:

57785538c6e0d7e8ca0f161ab95bae10fd304047)

Simplify the FreeBSD check using __FreeBSD__ compiler macro.

Rather than rely on __FreeBSD_version, defined in sys/param.h, use
__FreeBSD__ defined by the compiler.

Reported by: emaste
MFC after: 1 week

(cherry picked from commit 57785538c6e0d7e8ca0f161ab95bae10fd304047)

1e811efbc591699b872bea42b9de419c373199df:

Fix non-IPv6 build post 57785538c6e0d7e8ca0f161ab95bae10fd304047.

57785538c6e0d7e8ca0f161ab95bae10fd304047 change the test for FreeBSD
from __FreeBSD_version to __FreeBSD__. However this test was performed
before sys/param.h was included, therefore __FreeBSD_version was never
defined. As the test was never true opt_random_ip_id.h was never included.

Submitted by: bdragon
Reported by: bdragon

(cherry picked from commit 1e811efbc591699b872bea42b9de419c373199df)

Git Hash: 62607e8680e944f89cd7b5b7bca10698c66908b2
Git Author: cy@FreeBSD.org

MFC 4cd1807c7d2a67b633dd0c0bfde15091543a2514:

Retire the K&R/STD C __P prototype declarations.

In the old days when K&R C and STD C were each in use a workaround
(read hack) was required to allow the same code to work on each
without modification. All C compilers support STD C. We can finally
put the __P prototype to rest.

(cherry picked from commit 4cd1807c7d2a67b633dd0c0bfde15091543a2514)

Git Hash: 0c7a33852aa5cd28a9d9b19b8f8034d60a9cb50f
Git Author: cy@FreeBSD.org

MFC r363284-r363285, r363670

r363284:
pfil_run_hooks() can be called recursively, so we have to
define FASTROUTE_RECURSION in fil.c

Submitted by: christos@NetBSD.org
Reported by: christos@NetBSD.org
Obtained from: NetBSD r1.31

r363285:
Fix incorrect byte order in ipfstat -f output.
- make sure frag is initialized to 0
- initialize ipfr_p field

NetBSD PR: 55137
Submitted by: christos@NetBSD.org
Reported by: christos@NetBSD.org
Obtained from: NetBSD fil.c r1.32, ip_frag.c r1.8

r363670:
Continued ipfilter #ifdef cleanup. The r343701 log entry contains a
complete description.

MFC r348320:

Contuation of r343701, removal of irrelevant #ifdefs.

Approved by: re (gjb@)

MFC r343701 & r343732:

ipfilter #ifdef cleanup.

Remove #ifdefs for ancient and irrelevant operating systems from
ipfilter.

When ipfilter was written the UNIX and UNIX-like systems in use
were diverse and plentiful. IRIX, Tru64 (OSF/1) don't exist any
more. OpenBSD removed ipfilter shortly after the first time the
ipfilter license terms changed in the early 2000's. ipfilter on AIX,
HP/UX, and Linux never really caught on. Removal of code for operating
systems that ipfilter will never run on again will simplify the code
making it easier to fix bugs, complete partially implemented features,
and extend ipfilter.

Unsupported previous version FreeBSD code and some older NetBSD code
has also been removed.

What remains is supported FreeBSD, NetBSD, and illumos. FreeBSD and
NetBSD have collaborated exchanging patches, while illumos has expressed
willingness to have their ipfilter updated to 5.1.2, provided their
zone-specific updates to their ipfilter are merged (which are of interest
to FreeBSD to allow control of ipfilters in jails from the global zone).

Reviewed by: glebius@
Differential Revision: https://reviews.freebsd.org/D19006

MFC r316809:

Fix a use after free panic in ipfilter's fragment processing.
Memory is malloc'd, then a search for a match in the fragment table
is made and if the fragment matches, the wrong fragment table is
freed, causing a use after free panic. This commit fixes this.

A symptom of the problem is a kernel page fault in bcopy() called by
ipf_frag_lookup() at line 715 in ip_frag.c. Another symptom is a
kernel page fault in ipf_frag_delete() when called by ipf_frag_expire()
via ipf_slowtimer().

MFC r312787:

Currently the fragment info is placed at the top of the linked list
under a shared read lock. This patch attempts to upgrade the lock to
an exclusive write lock. If the exclusive write lock fails to be
obtained, the current fragment is not placed at the head of the list.

This portion of the patch was inspired by NetBSD ip_frag.c r1.4 (which
effectively removed the section of code that performed the reordering).

The patch to sys/contrib/ipfilter/netinet/ip_compat.h adds the
MUTEX_TRY_UPGRADE macro to support the patch to ip_frag.c.

The patch to contrib/ipfilter/lib/rwlock_emul.c supports this patch
by emulating the mutex in userspace when exercised by ipftest(1).

Inspired by: NetBSD ip_frag.c r1.4

Copy head@r302406 to stable/11 as part of the 11.0-RELEASE cycle.
Prune svn:mergeinfo from the new branch, as nothing has been merged
here.

Additional commits post-branch will follow.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Remove extraneous blank line.

MFC after: 1 month
X-MFC with: r300259

Enable the two ip_frag tuneables. The code is there but the two
ip_frag tuneables aren't registered in the ipf_tuners linked list.
This commmit enables the two existing ip_frag tuneables by registering
them.

MFC after: 1 month

Add DTrace probes for packets flagged as bad by ipfilter. All probes
for bad packets are named ipf_fi_bad_*. An example of its use might be:

dtrace -n 'sdt:::ipf_fi_bad_* { stack(); }'

Reviewed by: Darren Reed <darrenr@reed.wattle.id.au>

Correctly define constants.

MFC after: 1 week

ipfilter bug #558 add in some missing frag table function comments.

Approved by: glebius (mentor)
Obtained from: ipfilter CVS repo (r1.36)

Implement the final missing sysctls by moving ipf_auth_softc_t from
ip_auth.c to ip_auth.h. ip_frag_soft_t moves from ip_frag.c to
ip_frag.h. mlfk_ipl.c creates sysctl MIBs that reference control blocks
that are dynamically created when IP Filter is loaded. This necessitated
creating them on-the-fly rather than statically at compile time.

Approved by: glebius (mentor)

Update ipfilter 4.1.28 --> 5.1.2.

Approved by: glebius (mentor)
BSD Licensed by: Darren Reed <darrenr@reed.wattle.id.au> (author)

Pullup IPFilter 4.1.28 from the vendor branch into HEAD.

MFC after: 7 days

Merge IPFilter 4.1.23 back to HEAD
See src/contrib/ipfilter/HISTORY for details of changes since 4.1.13

Resolve conflicts

MFC after: 2 weeks

Resolve conflicts

Fix the following warnings on amd64:

/usr/src/sbin/ipf/ipftest/../../../sys/contrib/ipfilter/netinet/ip_frag.c: In function `fr_ipid_newfrag':
/usr/src/sbin/ipf/ipftest/../../../sys/contrib/ipfilter/netinet/ip_frag.c:397: warning: cast to pointer from integer of different size
/usr/src/sbin/ipf/ipftest/../../../sys/contrib/ipfilter/netinet/ip_frag.c: In function `fr_ipid_knownfrag':
/usr/src/sbin/ipf/ipftest/../../../sys/contrib/ipfilter/netinet/ip_frag.c:582: warning: cast from pointer to integer of different size

- Comment out duplicate rcsid strings in *.c files
- Move SIOCPROXY from ip_nat.h to ip_proxy.h and fix ip_proxy.h so that it
can be easily compiled into kdump, et al.

Merge the changes from 3.4.35 to 4.1.8 into the kernel source tree

Enable fine grained locking within IPFilter, using mtx(9) and sx(9) allowing
the the "needs giant" flag to be removed from the driver.

Update ipfilter from 3.4.31 -> 3.4.35. Some important changes:
* block packets that fail to create state table entries
* only allow non-fragmented packets to influence whether or not a logged
packet is the same as the one logged before.
* correct the ICMP packet checksum fixing up when processing ICMP errors for NAT
* implement a maximum for the number of entries in the NAT table (NAT_TABLE_MAX
and ipf_nattable_max)
* frsynclist() wasn't paying attention to all the places where interface
names are, like it should.
* fix comparing ICMP packets with established TCP state where only 8 bytes
of header are returned in the ICMP error.

MFC after: 1 week

Commit import changed from vendor branch of ipfilter to -current head

Finally merge in the changes from ipfilter 3.4.29 to freebsd-current.
Main changes here are related to the ftp proxy and making that work better.

Don't use "NULL" when "0" is really meant.
But in this case, "-1" is really meant.

Reviewed by: darrenr

bring in changes from 3.4.26.

fix conflicts (mostly damn rcs id's) generated by import

Backout inclusion of queue.h since rev 1.38 sys/file.h now has it
included in the right order.

Include sys/_lock.h and sys/_mutex.h to reduce namespace pollution.

Requested by: jhb

fix import/merge related code problems

fix conflicts created by import

fix security hole created by fragment cache

fix conflicts

fix conflicts from rcsids

fix conflicts

fix conflicts

Re add rev 1.11 diffs to ip_fil.h Also discover that I did not undefine
CVS_FUBAR (which no longer exists) and thus forgot to add $FreeBSD's.
Add them.

Approved by: jkh (is part of ipfilter upgrade)

Bring over ipfilter v3_3_8 kernel sources, including merging the
local modifications.
Also fix initializing fr_running in KLD case.
Rename ipl_inited to fr_runninhg in mlfk_ipl

Approved by: jkh

Bring over ipfilter kernel sources, including merging the local modifications.

KERNEL -> _KERNEL

Add kernel parts of revived ipfilter (3.3.3.)