Fix the build after removing an unused af argument from unmask().

ok claudio@

Don't assume s->ifname is NUL terminated and printable.
As in pfsync_print_clr() use vis(3) in print_state(). This was also
found with afl though with a different input.

Adjust <sys/param.h> comments regarding use of use of MSIZE, or
delete <sys/param.h> if now possible
ok guenther

New attempt to make the -P flag work with -ss, so that states can be
printed with port names if desired.

tcpdump's pf_print_state.c has diverged significantly from pfctl's, so
the change to tcpdump's pf_print_state.c is not exactly the same as
pfctl's.

ok henning sthen

Teach some userland tools about NAT64. I think this is mostly from mikeb@
OK mcbride@

The ioctl to show states returns a pfsync_state which is in network byte
order and therefore a ntohs is needed to show the rdomain correctly.
OK henning@ dlg@

rtables are stacked on rdomains (it is possible to have multiple routing
tables on top of a rdomain) but until now our code was a crazy mix so that
it was impossible to correctly use rtables in that case. Additionally pf(4)
only knows about rtables and not about rdomains. This is especially bad when
tracking (possibly conflicting) states in various domains.
This diff fixes all or most of these issues. It adds a lookup function to
get the rdomain id based on a rtable id. Makes pf understand rdomains and
allows pf to move packets between rdomains (it is similar to NAT).
Because pf states now track the rdomain id as well it is necessary to modify
the pfsync wire format. So old and new systems will not sync up.
A lot of help by dlg@, tested by sthen@, jsg@ and probably more
OK dlg@, mpf@, deraadt@

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@

Second half of PF state table rearrangement.
- Mechanical change: Use arrays for state key pointers in pf_state, and
addr/port in pf_state_key, to allow the use of indexes.
- Fix NAT, pfsync, pfctl, and tcpdump to handle the new state structures.
In struct pfsync_state, both state keys are included even when identical.
- Also fix some bugs discovered in the existing code during testing.
(in particular, "block return" for TCP packets was not returning an RST)

ok henning beck deraadt
tested by otto dlg beck laurent

Special thanks to users Manuel Pata and Emilio Perea who did enough testing
to actually find some bugs.

Don't just ntohl() the hours, but everything of the state
creation time. OK mcbride@, henning@.

pf_state is no longer the same; modify pf_print_state.c to accept
pfsync_state (as in pfctl, but in network byte order).

ok henning@ toby@ pyr@

crank pf_state and pf_src_node byte and packet counters to u_in64_t, since
we're breaking pfsync compatibility this cycle anyways.

Requested by djm@, ok henning@, 'wheee!' deraadt@

Make pfsync printing consistent with rest of tcpdump regarding newlines,
pass -vv in to pf_print_state(), and print update count where appropriate.

privilege separated tcpdump, joint work with otto@

tested by avsm@ vincent@ dhartmei@ markus@ hshoexer@ and others
go for it deraadt@

Don't assume s->ifname is NUL terminated and printable.
As in pfsync_print_clr() use vis(3) in print_state(). This was also
found with afl though with a different input.

Adjust <sys/param.h> comments regarding use of use of MSIZE, or
delete <sys/param.h> if now possible
ok guenther

New attempt to make the -P flag work with -ss, so that states can be
printed with port names if desired.

tcpdump's pf_print_state.c has diverged significantly from pfctl's, so
the change to tcpdump's pf_print_state.c is not exactly the same as
pfctl's.

ok henning sthen

Teach some userland tools about NAT64. I think this is mostly from mikeb@
OK mcbride@

The ioctl to show states returns a pfsync_state which is in network byte
order and therefore a ntohs is needed to show the rdomain correctly.
OK henning@ dlg@

rtables are stacked on rdomains (it is possible to have multiple routing
tables on top of a rdomain) but until now our code was a crazy mix so that
it was impossible to correctly use rtables in that case. Additionally pf(4)
only knows about rtables and not about rdomains. This is especially bad when
tracking (possibly conflicting) states in various domains.
This diff fixes all or most of these issues. It adds a lookup function to
get the rdomain id based on a rtable id. Makes pf understand rdomains and
allows pf to move packets between rdomains (it is similar to NAT).
Because pf states now track the rdomain id as well it is necessary to modify
the pfsync wire format. So old and new systems will not sync up.
A lot of help by dlg@, tested by sthen@, jsg@ and probably more
OK dlg@, mpf@, deraadt@

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@

Second half of PF state table rearrangement.
- Mechanical change: Use arrays for state key pointers in pf_state, and
addr/port in pf_state_key, to allow the use of indexes.
- Fix NAT, pfsync, pfctl, and tcpdump to handle the new state structures.
In struct pfsync_state, both state keys are included even when identical.
- Also fix some bugs discovered in the existing code during testing.
(in particular, "block return" for TCP packets was not returning an RST)

ok henning beck deraadt
tested by otto dlg beck laurent

Special thanks to users Manuel Pata and Emilio Perea who did enough testing
to actually find some bugs.

Don't just ntohl() the hours, but everything of the state
creation time. OK mcbride@, henning@.

pf_state is no longer the same; modify pf_print_state.c to accept
pfsync_state (as in pfctl, but in network byte order).

ok henning@ toby@ pyr@

crank pf_state and pf_src_node byte and packet counters to u_in64_t, since
we're breaking pfsync compatibility this cycle anyways.

Requested by djm@, ok henning@, 'wheee!' deraadt@

Make pfsync printing consistent with rest of tcpdump regarding newlines,
pass -vv in to pf_print_state(), and print update count where appropriate.

privilege separated tcpdump, joint work with otto@

tested by avsm@ vincent@ dhartmei@ markus@ hshoexer@ and others
go for it deraadt@