Copy stable/9 to releng/9.3 as part of the 9.3-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Copy head to stable/9 as part of 9.0-RELEASE release cycle.

Approved by: re (implicit)

Merge the remainder of kern_vimage.c and vimage.h into vnet.c and
vnet.h, we now use jails (rather than vimages) as the abstraction
for virtualization management, and what remained was specific to
virtual network stacks. Minor cleanups are done in the process,
and comments updated to reflect these changes.

Reviewed by: bz
Approved by: re (vimage blanket)

Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).

This is the first in a series of commits over the course
of the next few weeks.

Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.

We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.

Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch

Fix 3 issues relating to the use of "auth" rules in IPFilter, from sourceforge:
1837014 Kernel panics after authentication of an outgoing packet
1836992 Potential bugs in packet auth code (w/patches)
1836967 Kernel panic when using auth rule with keep state
and another reported only to FreeBSD by Andiry (see PR)

PR: kern/118251
Submitted by: Andriy Syrovenko <andriys@gmail.com>
Reviewed by: darrenr
MFC after: 5 days

Apply a few changes from ipfilter-current:
* Do not hold any locks over calls to copyin/copyout.
* Clean up some #ifdefs
* fix a possible mbuf leak when NAT fails on policy routed packets

PR: 117216

Pullup IPFilter 4.1.28 from the vendor branch into HEAD.

MFC after: 7 days

Pointer to an ICMP header was getting left behind after doing a pullup.

Merge IPFilter 4.1.23 back to HEAD
See src/contrib/ipfilter/HISTORY for details of changes since 4.1.13

Resolve conflicts

MFC after: 2 weeks

fix "ipf -Z" reporting rubbish and possibly panic'ing box

MFC after: 4 days

Resolve conflicts

Fix -Wundef from compiling the amd64 LINT.

Fix some minor problems before release:
(1) "ipf -T" is broken for fetching single entries and
(2) loading rules with numbered collections does not order insertion right.
(3) stats aren't accumulated for hash table memory failures

Approved by: re (dwhite)

- Comment out duplicate rcsid strings in *.c files
- Move SIOCPROXY from ip_nat.h to ip_proxy.h and fix ip_proxy.h so that it
can be easily compiled into kdump, et al.

Merge the changes from 3.4.35 to 4.1.8 into the kernel source tree

Elminate 1 LOR (actually a recursive mutex grab) involving ipfilter where
we loop through all the list of NICs (struct ifnet), holding the lock on
it and then do a name lookup with ifunit() whilst holding it.

* The #ifdef's to cause mutex's for freebsd to be declared were meant to pick
up on USE_MUTEX being defined, but this patch
* Remove some code that's in a #ifndef FreeBSD that's no longer used.

Sprinkle in some __FreeBSD_version checks so that this compiles again. Don't
define PFIL_HOOKS anymore.

Submitted by: keramida

Using just m_pullup to get all of the interesting bits in packet into one
buffer doesn't work for ipv6 packets, so use m_defrag() here instead as an
easy drop-in replacement.

PR: 70399

Mess from update & merge - don't release the ifnet lock twice, just once
and after we're finished with it.

Update ipfilter from 3.4.31 -> 3.4.35. Some important changes:
* block packets that fail to create state table entries
* only allow non-fragmented packets to influence whether or not a logged
packet is the same as the one logged before.
* correct the ICMP packet checksum fixing up when processing ICMP errors for NAT
* implement a maximum for the number of entries in the NAT table (NAT_TABLE_MAX
and ipf_nattable_max)
* frsynclist() wasn't paying attention to all the places where interface
names are, like it should.
* fix comparing ICMP packets with established TCP state where only 8 bytes
of header are returned in the ICMP error.

MFC after: 1 week

Remove advertising clause from University of California Regent's
license, per letter dated July 22, 1999 and email from Peter Wemm,
Alan Cox and Robert Watson.

Approved by: core, peter, alc, rwatson

Back out M_* changes, per decision of the TRB.

Approved by: trb

Commit import changed from vendor branch of ipfilter to -current head

Remove M_TRYWAIT/M_WAITOK/M_WAIT. Callers should use 0.
Merge M_NOWAIT/M_DONTWAIT into a single flag M_NOWAIT.

SMP locking for ifnet list.

Finally merge in the changes from ipfilter 3.4.29 to freebsd-current.
Main changes here are related to the ftp proxy and making that work better.

Commit changes that happened in IPFilter versions 3.4.27 - 3.4.28

Merge updates from 3.4.26 - 3.4.27.

bring in changes from 3.4.26.

fix conflicts (mostly damn rcs id's) generated by import

Backout inclusion of queue.h since rev 1.38 sys/file.h now has it
included in the right order.

Include sys/_lock.h and sys/_mutex.h to reduce namespace pollution.

Requested by: jhb

IPFilter munges multicast address packets on the loopback interface.

Submitted by: Frank Zolf
Approved by: jkh
MFC after: 0

fix conflicts created by import

fix conflicts

Fix conflicts creted by import.

fix conflicts from rcsids

We now keep the ip_id field in network byte order all the
time, so there is no need to make the distinction between
ip_output() and ip_input() cases.

Reviewed by: silence on freebsd-net

resolve conflicts

fix conflicts

define CSUM_DELAY_DATA to match merge

fix up conflicts

fix conflicts

Compute the checksum before handing the packet off to IPFilter.

Tested by: Cy Schubert <Cy.Schubert@uumail.gov.bc.ca>

Fix bug in dealing with "hlen == 1 and opt > 1"

Add missing include machine/in_cksum.h.

Submitted by: n_hibma

Add $FreeBSD$

Bring over ipfilter v3_3_8 kernel sources, including merging the
local modifications.
Also fix initializing fr_running in KLD case.
Rename ipl_inited to fr_runninhg in mlfk_ipl

Approved by: jkh

Bring over ipfilter kernel sources, including merging the local modifications.

KERNEL -> _KERNEL

Add kernel parts of revived ipfilter (3.3.3.)