- Copy stable/10 (r259064) to releng/10.0 as part of the
10.0-RELEASE cycle.
- Update __FreeBSD_version [1]
- Set branch name to -RC1

[1] 10.0-CURRENT __FreeBSD_version value ended at '55', so
start releng/10.0 at '100' so the branch is started with
a value ending in zero.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Update ipfilter 4.1.28 --> 5.1.2.

Approved by: glebius (mentor)
BSD Licensed by: Darren Reed <darrenr@reed.wattle.id.au> (author)

Forcibly defining _KERNEL is bad idea. Toss some code so that ip_var.h
isn't included with forced _KERNEL define.

Fix typo: s/pakcet/packet

MFP4: @176978-176982, 176984, 176990-176994, 177441

"Whitspace" churn after the VIMAGE/VNET whirls.

Remove the need for some "init" functions within the network
stack, like pim6_init(), icmp_init() or significantly shorten
others like ip6_init() and nd6_init(), using static initialization
again where possible and formerly missed.

Move (most) variables back to the place they used to be before the
container structs and VIMAGE_GLOABLS (before r185088) and try to
reduce the diff to stable/7 and earlier as good as possible,
to help out-of-tree consumers to update from 6.x or 7.x to 8 or 9.

This also removes some header file pollution for putatively
static global variables.

Revert VIMAGE specific changes in ipfilter::ip_auth.c, that are
no longer needed.

Reviewed by: jhb
Discussed with: rwatson
Sponsored by: The FreeBSD Foundation
Sponsored by: CK Software GmbH
MFC after: 6 days

Step 1.5 of importing the network stack virtualization infrastructure
from the vimage project, as per plan established at devsummit 08/08:
http://wiki.freebsd.org/Image/Notes200808DevSummit

Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator
macros, and CURVNET_SET() context setting macros, all currently
resolving to NOPs.

Prepare for virtualization of selected SYSCTL objects by introducing a
family of SYSCTL_V_*() macros, currently resolving to their global
counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT().

Move selected #defines from sys/sys/vimage.h to newly introduced header
files specific to virtualized subsystems (sys/net/vnet.h,
sys/netinet/vinet.h etc.).

All the changes are verified to have zero functional impact at this
point in time by doing MD5 comparision between pre- and post-change
object files(*).

(*) netipsec/keysock.c did not validate depending on compile time options.

Implemented by: julian, bz, brooks, zec
Reviewed by: julian, bz, brooks, kris, rwatson, ...
Approved by: julian (mentor)
Obtained from: //depot/projects/vimage-commit2/...
X-MFC after: never
Sponsored by: NLnet Foundation, The FreeBSD Foundation

Fix 3 issues relating to the use of "auth" rules in IPFilter, from sourceforge:
1837014 Kernel panics after authentication of an outgoing packet
1836992 Potential bugs in packet auth code (w/patches)
1836967 Kernel panic when using auth rule with keep state
and another reported only to FreeBSD by Andiry (see PR)

PR: kern/118251
Submitted by: Andriy Syrovenko <andriys@gmail.com>
Reviewed by: darrenr
MFC after: 5 days

Apply a few changes from ipfilter-current:
* Do not hold any locks over calls to copyin/copyout.
* Clean up some #ifdefs
* fix a possible mbuf leak when NAT fails on policy routed packets

PR: 117216

Pullup IPFilter 4.1.28 from the vendor branch into HEAD.

MFC after: 7 days

Merge IPFilter 4.1.23 back to HEAD
See src/contrib/ipfilter/HISTORY for details of changes since 4.1.13

Resolve conflicts

MFC after: 2 weeks

Resolve conflicts

Fix -Wundef from compiling the amd64 LINT.

- Comment out duplicate rcsid strings in *.c files
- Move SIOCPROXY from ip_nat.h to ip_proxy.h and fix ip_proxy.h so that it
can be easily compiled into kdump, et al.

Merge the changes from 3.4.35 to 4.1.8 into the kernel source tree

* Remove some code that's in a #ifndef FreeBSD that's no longer used.

Enable fine grained locking within IPFilter, using mtx(9) and sx(9) allowing
the the "needs giant" flag to be removed from the driver.

revert section of code that calls netisr_queue() to match v1.33 of this file

#ifdef's for FreeBSD are wrong, causing too many variable declaractions to
disappear.

Update ipfilter from 3.4.31 -> 3.4.35. Some important changes:
* block packets that fail to create state table entries
* only allow non-fragmented packets to influence whether or not a logged
packet is the same as the one logged before.
* correct the ICMP packet checksum fixing up when processing ICMP errors for NAT
* implement a maximum for the number of entries in the NAT table (NAT_TABLE_MAX
and ipf_nattable_max)
* frsynclist() wasn't paying attention to all the places where interface
names are, like it should.
* fix comparing ICMP packets with established TCP state where only 8 bytes
of header are returned in the ICMP error.

MFC after: 1 week

Update netisr handling; Each SWI now registers its queue, and all queue
drain routines are done by swi_net, which allows for better queue control
at some future point. Packets may also be directly dispatched to a netisr
instead of queued, this may be of interest at some installations, but
currently defaults to off.

Reviewed by: hsu, silby, jayanth, sam
Sponsored by: DARPA, NAI Labs

Commit import changed from vendor branch of ipfilter to -current head

Commit import changed from vendor branch of ipfilter to -current head

Replace aux mbufs with packet tags:

o instead of a list of mbufs use a list of m_tag structures a la openbsd
o for netgraph et. al. extend the stock openbsd m_tag to include a 32-bit
ABI/module number cookie
o for openbsd compatibility define a well-known cookie MTAG_ABI_COMPAT and
use this in defining openbsd-compatible m_tag_find and m_tag_get routines
o rewrite KAME use of aux mbufs in terms of packet tags
o eliminate the most heavily used aux mbufs by adding an additional struct
inpcb parameter to ip_output and ip6_output to allow the IPsec code to
locate the security policy to apply to outbound packets
o bump __FreeBSD_version so code can be conditionalized
o fixup ipfilter's call to ip_output based on __FreeBSD_version

Reviewed by: julian, luigi (silent), -arch, -net, darren
Approved by: julian, silence from everyone else
Obtained from: openbsd (mostly)
MFC after: 1 month

Commit changes that happened in IPFilter versions 3.4.27 - 3.4.28

bring in changes from 3.4.26.

fix conflicts (mostly damn rcs id's) generated by import

Change two occurrences of HTONS() to use htons().

Fix warning (unused variable)

Submitted by: LINT, -Werror

Backout inclusion of queue.h since rev 1.38 sys/file.h now has it
included in the right order.

Include sys/_lock.h and sys/_mutex.h to reduce namespace pollution.

Requested by: jhb

fix conflicts created by import

fix conflicts

Lock down the network interface queues. The queue mutex must be obtained
before adding/removing packets from the queue. Also, the if_obytes and
if_omcasts fields should only be manipulated under protection of the mutex.

IF_ENQUEUE, IF_PREPEND, and IF_DEQUEUE perform all necessary locking on
the queue. An IF_LOCK macro is provided, as well as the old (mutex-less)
versions of the macros in the form _IF_ENQUEUE, _IF_QFULL, for code which
needs them, but their use is discouraged.

Two new macros are introduced: IF_DRAIN() to drain a queue, and IF_HANDOFF,
which takes care of locking/enqueue, and also statistics updating/start
if necessary.

Follow BSD/OS and NetBSD, keep the ip_id field in network order all the time.

Requested by: wollman

Change __FreeBSD_Version into the proper __FreeBSD_version.

Submitted by: Alain.Thivillon@hsc.fr (Alain Thivillon) (for ip_fil.c)

fix conflicts

fix up conflicts

fix conflicts

Re add rev 1.11 diffs to ip_fil.h Also discover that I did not undefine
CVS_FUBAR (which no longer exists) and thus forgot to add $FreeBSD's.
Add them.

Approved by: jkh (is part of ipfilter upgrade)

Bring over ipfilter v3_3_8 kernel sources, including merging the
local modifications.
Also fix initializing fr_running in KLD case.
Rename ipl_inited to fr_runninhg in mlfk_ipl

Approved by: jkh

Bring over ipfilter kernel sources, including merging the local modifications.

KERNEL -> _KERNEL

Revive mlfk_ipl here. This version is slightly changed from
the old one: an unnecessary define (KLD_MODULE) has been deleted and
the initialisation of the module is done after domaininit was called
to be sure inet is running.

Some slight changed were made to ip_auth.c and ip_state.c in order
to assure including of sys/systm.h in case we make a kld

Make sure ip_fil does nmot include osreldate in kernel mode

Remove mlfk_ipl.c from here: no sources allowed in these directories!

Add kernel parts of revived ipfilter (3.3.3.)