MFC r352737:

ipf mistakenly regards UDP packets with a checksum of 0xffff as bad.

Obtained from: NetBSD fil.c r1.30, NetBSD PR/54443

MFC r351380:

Specifying array sizes for fully initialized tables at compile time is
redundant.

MFC r349927, r349929:

r349927:
Resolve IPv6 checksum errors with stateful inspection. According to
PR/203585 this appears to have been broken by r235959, which predates
the ipfilter 5.1.2 import into FreeBSD.

The IPv6 checksum calculation is incorrect. To resolve this we call
in6_cksum() to do the the heavy lifting for us, through a new function
ipf_pcksum6(). Should we need to revisit this area again, a DTrace probe
is added to aid with future debugging.

Plus whitespace adjustments (r348989).

PR: 203275, 203585
Differential Revision: https://reviews.freebsd.org/D20583

r349929:
Move the new ipf_pcksum6() function from ip_fil_freebsd.c to fil.c.
The reason for this is that ipftest(8), which still works on FreeBSD-11,
fails to link to it, breaking stable/11 builds.

ipftest(8) was broken (segfault) sometime during the FreeBSD-12 cycle.
glebius@ suggested we disable building it until I can get around to
fixing it. Hence this was not caught in -current.

The intention is to fix ipftest(8) as it is used by the netbsd-tests
(imported by ngie@ many moons ago) for regression testing.

MFC r348987, r348989:

Resolve IPv6 checksum errors with stateful inspection. According to
PR/203585 this appears to have been broken by r235959, which predates
the ipfilter 5.1.2 import into FreeBSD.

The IPv6 checksum calculation is incorrect. To resolve this we call
in6_cksum() to do the the heavy lifting for us, through a new function
ipf_pcksum6(). Should we need to revisit this area again, a DTrace probe
is added to aid with future debugging.

Plus whitespace adjustments (r348989).

PR: 203275, 203585
Differential Revision: https://reviews.freebsd.org/D20583

MFC r343600:

Document the instance context pointer.

MFC r342547:

Remove another empty #ifdef block. This empty block also exists in
the upstream HEAD.

MFC r333392-r333393, r333427

r333392:
Fix memory leak. (CID 1199373).

r333393:
Document intentional fallthrough. (CID 976535)

r333427:
Fix style error introduced in r333393.

Reported by: jhb, imp, phk

MFC r316810, r316814, r316816, r316991:

Keep state incorrectly assumes keep frags. This is counter to the
ipfilter man pages. This also currently restricts keep frags to only when
keep state is used, which is redundant because keep state currently
assumes keep frags. This commit fixes this.

To the user this change means that to maintain the current behaviour
one must add keep frags to any ipfilter keep state rule (as documented
in the man pages).

This patch also allows the flexability to specify and use keep frags
separate from keep state, as documented in an example in ipf.conf.5,
instead of the currently broken behaviour.

MFC suggested by: rgrimes
Relnotes: yes

MFC r275199.

Correctly define constants.

MFC r272552

ipfilter bug #554 Determining why a ipf rule matches is hard -- replace
ipfilter rule compare with new ipf_rule_compare() function.

Obtained from: ipfilter CVS rep (r1.129)

MFC r272551

ipfiler bug #550 filter rule list corrupted with inserted rules

Obtained from: ipfilter CVS repo (r1.128); NetBSD CVS repo (r1.15)

MFC r275199.

Correctly define constants.

MFC r272552

ipfilter bug #554 Determining why a ipf rule matches is hard -- replace
ipfilter rule compare with new ipf_rule_compare() function.

Obtained from: ipfilter CVS rep (r1.129)

MFC r272551

ipfiler bug #550 filter rule list corrupted with inserted rules

Obtained from: ipfilter CVS repo (r1.128); NetBSD CVS repo (r1.15)