History log of /freebsd-10-stable/contrib/ipfilter/lib/
Revision Date Author Comments
318391 17-May-2017 cy

MFC r318283:

As of r318281 in HEAD (r318390 [in stable/10 & stable/11]), there is no
need to put a colon (:) in the message string.

318390 17-May-2017 cy

MFC r318281:

Separate the ipfilter function/static string from the error with a
colon (:) in error messages to assist the user in parsing out the error
from where or which object the error message refers to.

317314 23-Apr-2017 cy

MFC r316993, r316994, r316997 as follows:

r316993:

Fix CID 1372601 in ipfilter/lib/parsefields.c, possible NULL pointer
dereference should reallocarray() fail.

Reported by: Coverity CID 1372601

r316994:

Fix CID 1372600 in ipfilter/tools/ipf_y.y, possible NULL pointer
dereference should reallocarray() fail.

Reported by: Coverity CID 1372600

r316997:

Use warnx() to issue error message.

Reported by: cem

314834 07-Mar-2017 cy

MFC r314627:

Fix leak (free str before returning when ctx's calloc fails).

Submitted by: trix_juniper.net (Tom Rix)
Reviewed by: cy, ngie
Discovered by: clang's static analyzer
Differential Revision: D9877

314251 25-Feb-2017 cy

MFC r312787:

Currently the fragment info is placed at the top of the linked list
under a shared read lock. This patch attempts to upgrade the lock to
an exclusive write lock. If the exclusive write lock fails to be
obtained, the current fragment is not placed at the head of the list.

This portion of the patch was inspired by NetBSD ip_frag.c r1.4 (which
effectively removed the section of code that performed the reordering).

The patch to sys/contrib/ipfilter/netinet/ip_compat.h adds the
MUTEX_TRY_UPGRADE macro to support the patch to ip_frag.c.

The patch to contrib/ipfilter/lib/rwlock_emul.c supports this patch
by emulating the mutex in userspace when exercised by ipftest(1).

Inspired by: NetBSD ip_frag.c r1.4

272987 12-Oct-2014 cy

MFC r271972

Fix ipfilter bug #536 ipnat can try to print rule as dstlist incorrectly.

Obtained from: ipfilter CVS repo (r1.14), netbsd CVS repo (r1.3)

272986 12-Oct-2014 cy

MFC r271971

Fix ipfilter bug #553 gethost needs to zero entire IP address structure.

Obtained from: ipfilter CVS repo (r1.11)

272985 12-Oct-2014 cy

MFC r271970

ipv6 address for test.hosts.dots in wrong byte order.

Obtained from: ipfilter CVS repo (r1.11), netbsd CVS repo (r1.5)

268937 21-Jul-2014 cy

MFC r268532 and r268585. When world and kernel are built without INET6
support, the userland was still built with INET6 turned on.

PR: 190964
Approved by: glebius (mentor, implicit)

268563 12-Jul-2014 cy

MFC r268286: Fix compile-time errors when NO_WERROR and WITHOUT_INET6_SUPPORT
(NO_INET6) are specified.

Approved by: glebius (mentor)

256281 10-Oct-2013 gjb

Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation


255332 06-Sep-2013 cy

Update ipfilter 4.1.28 --> 5.1.2.

Approved by: glebius (mentor)
BSD Licensed by: Darren Reed <darrenr@reed.wattle.id.au> (author)


193043 29-May-2009 stas

- Prevent buffer overflow in IPFilter's load_http function used to load
ipfilter tables via http by the user-level ippool utility. Previously
the 1024-byte buffer used to store a http request could easily overflow
if the length of the hostname part of the url passed exceeded 496 bytes. [1]
- Use snprintf to prevent possible buffer overflows in future. [2]
- Do not try to close the descriptor twice on failure. [2]

Reported by: Maksymilian Arciemowicz <cxib@securityreason.com> [1]
Obtained from: NetBSD CVS [2]
MFC after: 2 weeks


180778 24-Jul-2008 darrenr

2020447 IPFilter's NAT can undo name server random port selection

Approved by: darrenr
MFC after: 1 week
Security: CERT VU#521769


172776 18-Oct-2007 darrenr

Pullup IPFilter 4.1.28 from the vendor branch into HEAD.

MFC after: 7 days


172772 18-Oct-2007 darrenr

This commit was generated by cvs2svn to compensate for changes in r172771,
which included commits to RCS files with non-trunk default branches.


170269 04-Jun-2007 darrenr

Remove files no longer required to build IPFilter


170268 04-Jun-2007 darrenr

Merge IPFilter 4.1.23 back to HEAD
See src/contrib/ipfilter/HISTORY for details of changes since 4.1.13


170264 04-Jun-2007 darrenr

This commit was generated by cvs2svn to compensate for changes in r170263,
which included commits to RCS files with non-trunk default branches.


161357 16-Aug-2006 guido

Resolve conflicts

MFC after: 1 week


161352 16-Aug-2006 guido

This commit was generated by cvs2svn to compensate for changes in r161351,
which included commits to RCS files with non-trunk default branches.


153881 30-Dec-2005 guido

Resolve conflicts (and believe me...you don't want to know).


153878 30-Dec-2005 guido

This commit was generated by cvs2svn to compensate for changes in r153877,
which included commits to RCS files with non-trunk default branches.


147547 23-Jun-2005 darrenr

Fix some minor problems before release:
(1) "ipf -T" is broken for fetching single entries and
(2) loading rules with numbered collections does not order insertion right.
(3) stats aren't accumulated for hash table memory failures

Approved by: re (dwhite)


145640 28-Apr-2005 darrenr

Don't use quad_t on FreeBSD (deprecated) so use "long long" instead.
Someday this should be converted to uint64_t and printstate.c changed to
use those horrid PRiud64 things.


145547 26-Apr-2005 darrenr

Fix problems with building libipf:
ipf_dontuning.c - change the include to look in netinet for ipl.h
ipft_tx.c - make the private use of arrays with tcp flags info in them more
not use names that can be "confusing"


145519 25-Apr-2005 darrenr

* Someone imported a lot of files with the wrong CVS tag, so lots of files need
that fixed in them....
* Keep unnecessary files out of the non-vendor part of this CVS repository.


145511 25-Apr-2005 darrenr

This commit was generated by cvs2svn to compensate for changes in r145510,
which included commits to RCS files with non-trunk default branches.