Rework pflogd(8)'s fork+exec model; re-exec the unpriv child, not the
privileged parent.

Based on feedback from deraadt@ and bluhm@ (worked on syslogd).

ok deraadt@

fork+exec model for pflogd(8); move pcap init to the re-exec'd privsep
parent and use 'legit' fdpassing primitives to send the bpf fd to the
unprivileged child process.

Also reduces the pledge(2) promises in the unpriv child to just
"stdio recvfd"

with help from deraadt, pcap feedback from canacar

ok deraadt@

pflogd contained the same "privsep error" as tcpdump -- assuming that
it can ioctl()'s against a bpf device node. Privsep that operation
via a message to the parent process. Unfortunately "rpath wpath cpath"
is still needed due to SIGHUP handling, but I have asked canacar the
expert to look into this.

bump default snaplen so that pfloghdr + ip hdr + prot hdr usually fit

If the log file is invalid/incompatible, try to rename the bad log file
and continue with a new name instead of suspending.
ok mcbride@

Try to preserve the integrity of the log file in case of errors/unexpected
shutdowns etc. Also check logfile integrity on startup and suspend
logging if an inconsistency is detected.
ok dhartmei@

privilege seperated pflogd

_pflogd user and group must be created for proper operation.

ok frantzen@ henning@ mcbride@ deraadt@