Copy stable/11@r303970 to releng/11.0 as part of the 11.0-RELEASE
cycle.

Prune svn:mergeinfo from the new branch, and rename it to RC1.

Update __FreeBSD_version.

Use the quarterly branch for the default FreeBSD.conf pkg(8) repo and
the dvd1.iso packages population.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

MFC r303760:

Fix a regression in pf.conf while parsing the 'interval' keyword.

The bug was introduced by r287009.

PR: 210924
Submitted by: kp@
Sponsored by: Rubicon Communications (Netgate)
Pointy hat to: loos
Approved by: re (gjb)

Copy head@r302406 to stable/11 as part of the 11.0-RELEASE cycle.
Prune svn:mergeinfo from the new branch, as nothing has been merged
here.

Additional commits post-branch will follow.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

pf: Filter on and set vlan PCP values

Adopt the OpenBSD syntax for setting and filtering on VLAN PCP values. This
introduces two new keywords: 'set prio' to set the PCP value, and 'prio' to
filter on it.

Reviewed by: allanjude, araujo
Approved by: re (gjb)
Obtained from: OpenBSD (mostly)
Differential Revision: https://reviews.freebsd.org/D6786

sbin: minor spelling fixes.

No functional change.

Use nitems() from sys/param.h.

MFC after: 2 weeks.

Merge the projects/release-pkg branch to head.

This allows packaging the base system with pkg(8), including
but not limited to providing the ability to provide upstream
binary update possibilities for non-tier-1 architectures.

This merge is a requirement of the 11.0-RELEASE, and as such,
thank you to everyone that has tested the project branch.

Documentation in build(7) etc. is still somewhat sparse, but
updates to those parts will follow.

Sponsored by: The FreeBSD Foundation

Make pfctl(8) more flexible when parsing bandwidth values.

This is the current behaviour in OpenBSD and a similar patch exist in
pfSense too.

Obtained from: OpenBSD (partly - rev. 1.625)
MFC after: 2 weeks
Sponsored by: Rubicon Communications (Netgate)

DIRDEPS_BUILD: Regenerate without local dependencies.

These are no longer needed after the recent 'beforebuild: depend' changes
and hooking DIRDEPS_BUILD into a subset of FAST_DEPEND which supports
skipping 'make depend'.

Sponsored by: EMC / Isilon Storage Division

Make pfctl(8) work on strict-alignment platforms, by copying a pair of
embedded structures out of a packed, unaligned struct into local copies
on the stack which are aligned.

The original patch to do this was submitted by Guy Yur <guyyur@gmail.com>,
and this is conceptually the same change, but restructured with the
#ifndef __NO_STRICT_ALIGNMENT wrapper, similar to how the same issue is
handled in the kernel pf code.

PR: 185617
PR: 206658

pfctl: Fix uninitialised veriable

In pfctl_set_debug() we used 'level' without ever initialising it.
We correctly parsed the option, but them failed to actually assign the parsed
value to 'level' before performing to ioctl() to configure the debug level.

PR: 202996
Submitted by: Andrej Kolontai

pf: Remove support for 'scrub fragment crop|drop-ovl'

The crop/drop-ovl fragment scrub modes are not very useful and likely to confuse
users into making poor choices.
It's also a fairly large amount of complex code, so just remove the support
altogether.

Users who have 'scrub fragment crop|drop-ovl' in their pf configuration will be
implicitly converted to 'scrub fragment reassemble'.

Reviewed by: gnn, eri
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D3466

Add ALTQ(9) support for the CoDel algorithm.

CoDel is a parameterless queue discipline that handles variable bandwidth
and RTT.

It can be used as the single queue discipline on an interface or as a sub
discipline of existing queue disciplines such as PRIQ, CBQ, HFSC, FAIRQ.

Differential Revision: https://reviews.freebsd.org/D3272
Reviewd by: rpaulo, gnn (previous version)
Obtained from: pfSense
Sponsored by: Rubicon Communications (Netgate)

Only report the lack of ALTQ support if pfctl is using verbose (-v) mode.

PR: 194935
Submitted by: Jim Thompson
MFC after: 2 weeks

ALTQ FAIRQ discipline import from DragonFLY

Differential Revision: https://reviews.freebsd.org/D2847
Reviewed by: glebius, wblock(manpage)
Approved by: gnn(mentor)
Obtained from: pfSense
Sponsored by: Netgate

Add META_MODE support.

Off by default, build behaves normally.
WITH_META_MODE we get auto objdir creation, the ability to
start build from anywhere in the tree.

Still need to add real targets under targets/ to build packages.

Differential Revision: D2796
Reviewed by: brooks imp

Move ALTQ from contrib to net/altq. The ALTQ code is for many years
discontinued by its initial authors. In FreeBSD the code was already
slightly edited during the pf(4) SMP project. It is about to be edited
more in the projects/ifnet. Moving out of contrib also allows to remove
several hacks to the make glue.

Reviewed by: net@

Convert sbin/ to LIBADD
Reduce overlinking

mdoc: remove superfluous paragraph macros.

Use src.opts.mk in preference to bsd.own.mk except where we need stuff
from the latter.

Fix compilation for 32-bit machines.

Instead of playing games with casts simply add 3 more members to the
structure pf_rule, that are used when the structure is passed via
ioctl().

PR: 187074

Better build fix.

Fix build on 32bit arches broken by me in r261882.

Once pf became not covered by a single mutex, many counters in it became
race prone. Some just gather statistics, but some are later used in
different calculations.

A real problem was the race provoked underflow of the states_cur counter
on a rule. Once it goes below zero, it wraps to UINT32_MAX. Later this
value is used in pf_state_expires() and any state created by this rule
is immediately expired.

Thus, make fields states_cur, states_tot and src_nodes of struct
pf_rule be counter(9)s.

Thanks to Dennis for providing me shell access to problematic box and
his help with reproducing, debugging and investigating the problem.

Thanks to: Dennis Yusupoff <dyr smartspb.net>
Also reported by: dumbbell, pgj, Rambler
Sponsored by: Nginx, Inc.

Use feature_present(3) to determine whether to open an INET or an
INET6 socket when needed to allow pfctl to work on noinet and noinet6
kernels (and try to provide a fallback using AF_LINK as best effort).
Adjust the Makefile to also respect relevant src.conf(5) options
for compile time decisions on INET and INET6 support.

Reviewed by: glebius (no objections)
MFC after: 1 week

Remove __FreeBSD__ ifdefs.

Rewrite usage() so that its source code resembles what is printed.

Import pf_print_state.c 1.54 from OpenBSD

Original log:
pfctl -ss printed state levels for ICMPv6. Disable this the same
way it has already been done for ICMPv4.

Difference with OpenBSD:
- WITHOUT_INET6 safe

Obtained from: OpenBSD

- Get rid of #ifdef __FreeBSD__.
- Use correct format when printing uint64_t.

Minor mdoc fix.

o Create directory sys/netpfil, where all packet filters should
reside, and move there ipfw(4) and pf(4).

o Move most modified parts of pf out of contrib.

Actual movements:

sys/contrib/pf/net/*.c -> sys/netpfil/pf/
sys/contrib/pf/net/*.h -> sys/net/
contrib/pf/pfctl/*.c -> sbin/pfctl
contrib/pf/pfctl/*.h -> sbin/pfctl
contrib/pf/pfctl/pfctl.8 -> sbin/pfctl
contrib/pf/pfctl/*.4 -> share/man/man4
contrib/pf/pfctl/*.5 -> share/man/man5

sys/netinet/ipfw -> sys/netpfil/ipfw

The arguable movement is pf/net/*.h -> sys/net. There are
future plans to refactor pf includes, so I decided not to
break things twice.

Not modified bits of pf left in contrib: authpf, ftp-proxy,
tftp-proxy, pflogd.

The ipfw(4) movement is planned to be merged to stable/9,
to make head and stable match.

Discussed with: bz, luigi

Switch the default WARNS level for sbin/ to 6.

Submitted by: Ulrich Spörlein

Link pf 4.1 to the build:
- move ftp-proxy from libexec to usr.sbin
- add tftp-proxy
- new altq mtag link

Approved by: re (kensmith)

Add missing library dependencies.

Adapt Makefiles for pfctl(8) and authpf(8) to 3.7 sources.

Remove -I from CFLAGS. This splipped in with the 3.5 import (as I was
building on a box with older pfvar.h installed). Didn't intend to commit it.

Requested by: ru (on a C&P to ipfw's Makefile)

Removed redundant and unsafe BINDIR redefinition.

Commit userland part of pf version 3.5 from OpenBSD (OPENBSD_3_5_BASE).

Remove advertising clause from University of California Regent's license,
per letter dated July 22, 1999.

Approved by: core, imp

Add skeleton build dirs for pf userland:
libexec/ftp-proxy - ftp proxy for pf
sbin/pfctl - equivalent to sbin/ipf
sbin/pflogd - deamon logging packets via if_pflog in pcap format
usr.sbin/authpf - authentification shell to modify pf rulesets

Bring along some altq headers used to satisfy pfctl/authpf compile. This
helps to keep the diff down and will make it easy to have a altq-patchset
use the full powers of pf.

Also make sure that the pf headers are installed.

This does not link anything to the build. There will be a NO_PF switch for
make.conf once pf userland is linked.

Approved by: bms(mentor)