History log of /freebsd-current/sbin/pfctl/pfctl.c
# c36c90a2 01-Jun-2024 Kristof Provost <kp@FreeBSD.org>

pf: convert DIOCSETDEBUG to netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")


# 9dbbe68b 30-May-2024 Kristof Provost <kp@FreeBSD.org>

pf: convert DIOCCLRSTATUS to netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")


# 8ddd0359 28-May-2024 Kristof Provost <kp@FreeBSD.org>

pfctl: fix recursive printing of nat anchors

Similar to the preceding fix for rules, ensure that we
recursively list wildcard anchors for nat rules.

MFC after: 3 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")


# cd2054d4 24-May-2024 Kristof Provost <kp@FreeBSD.org>

libpfctl: add pfctl_get_rule_h()

Add a handle variant of pfctl_get_rule(). This converts us from using
the nvlist variant to the netlink variant, and also moves us closer to a
world where all libpfctl functions take the handle.

While here have pfctl use the new function.

Sponsored by: Rubicon Communications, LLC ("Netgate")


# 76bc4a77 26-May-2024 Kristof Provost <kp@FreeBSD.org>

pfctl: use pfctl_add_rule_h() rather than pfctl_add_rule()

This ensures we use the handle opened with pfctl_open(), and also brings
us closer to the ideal state where everything uses the handle rather
than a file descriptor.


# f1612e70 09-May-2024 Kristof Provost <kp@FreeBSD.org>

libpfctl: fix file descriptor leak

pfctl_get_rules_info() opened a netlink socket, but failed to close it again.
Fix this by factoring out the netlink-based function into a _h variant that
takes struct pfctl_handle, and implement pfctl_get_rules_info() based on that,
remembering to close the fd.

While here migrate all in-tree consumers to the _h variant.

MFC after: 3 days
Sponsored by: Rubicon Communications, LLC ("Netgate")


# 5824df8d 23-Mar-2024 Kristof Provost <kp@FreeBSD.org>

pf: convert DIOCGETSTATUS to netlink

Introduce pfctl_get_status_h() because we need the pfctl_handle. In this variant
use netlink to obtain the information.

Sponsored by: Rubicon Communications, LLC ("Netgate")


# 470a2b33 18-Mar-2024 Kristof Provost <kp@FreeBSD.org>

pf: convert DIOCSETSTATUSIF to netlink

While here also add a basic test case for it.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D44368


# 706d465d 26-Feb-2024 Kristof Provost <kp@FreeBSD.org>

pf: convert kill/clear state to use netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D44090


# 777a4702 12-Jan-2024 Kristof Provost <kp@FreeBSD.org>

pf: implement addrule via netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")


# 66cacc14 04-Jan-2024 Kristof Provost <kp@FreeBSD.org>

libpfctl: introduce pfctl_handle

Consumers of libpfctl can (and in future, should) open a handle. This
handle is an opaque object which contains the /dev/pf file descriptor
and a netlink handle. This means that libpfctl users can open the handle
as root, then drop privileges and still access pf.

Already add the handle to pfctl_startstop() and pfctl_get_creatorids()
as these are new in main, and not present on stable branches. Other
calls will have handle-enabled alternatives implemented in subsequent
commits.

Sponsored by: Rubicon Communications, LLC ("Netgate")


# 0187875a 27-Nov-2023 Luiz Amaral <email@luiz.eng.br>

pfctl: Fix recursive printing of anchor labels

We recently noticed that the recursive printing of labels wasn't working
like the recursive printing of rules.

When running pfctl -sr -a* we get a listing of all rules, including the
ones inside anchors. On the other hand, when running pfctl -sl -a*, it
would only print the labels in the root level, just like without the
-a* argument.

As in our use-case we are interested in labels only and our labels are
unique even between anchors, we didn't add indentation or hierarchy to
the printing.

Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D42728


# ca9dbde8 27-Oct-2023 Kristof Provost <kp@FreeBSD.org>

pf: support SCTP-specific timeouts

Allow SCTP state timeouts to be configured independently from TCP state
timeouts.

Reviewed by: tuexen
MFC after: 1 week
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D42393


# 4f337550 19-Oct-2023 Kristof Provost <kp@FreeBSD.org>

pf: allow states to be killed by their pre-NAT address

If a connection is NAT-ed we could previously only terminate it by its
ID or the post-NAT IP address. Allow users to specify they want to look for
the state by its pre-NAT address. Usage: `pfctl -k nat -k <address>`.

See also: https://redmine.pfsense.org/issues/11556
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42312


# 044eef6a 16-Oct-2023 Kristof Provost <kp@FreeBSD.org>

pf: support basic filters for state listing

Allow users(pace) to specify a protocol, interface, address family and/
or address and mask, allowing the state listing to be pre-filtered in
the kernel.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42280


# 81647eb6 10-Oct-2023 Kristof Provost <kp@FreeBSD.org>

pf: implement start/stop calls via netlink

Implement equivalents to DIOCSTART and DIOCSTOP in netlink. Provide a
libpfctl implementation and add a basic test case, mostly to verify that
we still return the same errors as before the conversion.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42145


# a7191e5d 03-Oct-2023 Kristof Provost <kp@FreeBSD.org>

pf: add a way to list creator ids

Allow userspace to retrieve a list of distinct creator ids for the
current states.

This is used by pfSense, and used to require dumping all states to
userspace. It's rather inefficient to export a (potentially extremely
large) state table to obtain a handful (typically 2) of 32-bit integers.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42092


# f218b851 02-Oct-2023 Kristof Provost <kp@FreeBSD.org>

libpfctl: introduce state iterator

Allow consumers to start processing states as the kernel supplies them,
rather than having to build a full list and only then start processing.
Especially for very large state tables this can significantly reduce
memory use.

Without this change when retrieving 1M states time -l reports:

real 3.55
user 1.95
sys 1.05
318832 maximum resident set size
194 average shared memory size
15 average unshared data size
127 average unshared stack size
79041 page reclaims
0 page faults
0 swaps
0 block input operations
0 block output operations
15096 messages sent
250001 messages received
0 signals received
22 voluntary context switches
34 involuntary context switches

With it it reported:

real 3.32
user 1.88
sys 0.86
3220 maximum resident set size
195 average shared memory size
11 average unshared data size
128 average unshared stack size
260 page reclaims
0 page faults
0 swaps
0 block input operations
0 block output operations
15096 messages sent
250001 messages received
0 signals received
21 voluntary context switches
31 involuntary context switches

Reviewed by: mjg
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42091


# 1d386b48 16-Aug-2023 Warner Losh <imp@FreeBSD.org>

Remove $FreeBSD$: one-line .c pattern

Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/


# f8b4f9aa 07-Aug-2023 Kristof Provost <kp@FreeBSD.org>

pfctl: optionally clarify which anchors are layer 3 and which are Ethernet

When listing anchors pfctl lists both 'regular' layer 3 anchors and
Ethernet anchors. It's possible to have the same anchor name in both,
which can be confusing.

Mitigate this a little by explicitly marking where the Ethernet anchors
start. Avoid breaking scripts by only doing this at the second level
of verbosity.

Sponsored by: Rubicon Communications, LLC ("Netgate")


# 5e3bb051 21-Apr-2023 Kristof Provost <kp@FreeBSD.org>

pfctl: remove unneeded includes

We don't use nvlists (directly) or sysctls, so there's no need to
include the headers.

Sponsored by: Rubicon Communications, LLC ("Netgate")


# 39282ef3 13-Apr-2023 Kajetan Staszkiewicz <vegeta@tuxpowered.net>

pf: backport OpenBSD syntax of "scrub" option for "match" and "pass" rules

Introduce the OpenBSD syntax of "scrub" option for "match" and "pass"
rules and the "set reassemble" flag. The patch is backward-compatible;
pf.conf can still be written in FreeBSD style.

Obtained from: OpenBSD
MFC after: never
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D38025


# cd80c52c 23-Jan-2023 Kristof Provost <kp@FreeBSD.org>

pfctl: rule.label is a two-dimensional array

Fix checking for a non-empty first string.

PR: 269075
MFC after: 1 week
Reported by: nreilly@blackberry.com


# 1d090028 29-Sep-2022 Kristof Provost <kp@FreeBSD.org>

pf: use time_t for timestamps

Use time_t rather than uint32_t to represent the timestamps. That means
we have 64 bits rather than 32 on all platforms except i386, avoiding
the Y2K38 issues on most platforms.

Reviewed by: Zhenlei Huang
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D36837


# cfa1a130 01-Sep-2022 Kristof Provost <kp@FreeBSD.org>

pfctl: fix recursive printing of ethernet anchors

Similar to the preceding fix for layer three rules, ensure that we
recursively list wildcard anchors for ethernet rules.

MFC after: 3 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D36417


# 585a5ed0 01-Sep-2022 Kristof Provost <kp@FreeBSD.org>

pfctl: fix recursive printing of anchors

Fix a couple of problems with printing of anchors, in particular recursive
printing, both of inline anchors and when requested explicitly with a '*'
in the anchor.
- Correct recursive printing of wildcard anchors (recurse into child anchors
rather than rules, which don't exist)
- Print multi-part anchor paths correctly (pr6065)
- Fix comments and prevent users from specifying multi-component names for
inline anchors.

tested by phessler
ok henning

Also fix the relevant pfctl test case to reflect the new (and now
correct) behaviour.

MFC after: 3 weeks
Obtained from: OpenBSD (mcbride, f9a568a27c740528301ca3419316c85a9fc7f1de)
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D36416


# ed5eb77e 30-Aug-2022 Kristof Provost <kp@FreeBSD.org>

pfctl: fix printing anchors

Ensure that we pass the (base) anchorname to the kernel, not the '/*'
suffix.

MFC after: 3 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D36415


# 29866385 22-May-2022 Jessica Clarke <jrtc27@FreeBSD.org>

pfctl: fix out-of-bounds access

If pfctl is called with "pfctl -a ''" we read outside of the anchoropt
buffer. Check that the buffer is sufficiently long to avoid that.

Maintain the existing (and desired, because it's used as such in
/etc/periodic/security/520.pfdenied) behaviour of treating "-a ''" as a
request for the root anchor (or no anchor specified).

PR: 264128
Reviewed by: kp


# 0abcc1d2 22-Apr-2022 Reid Linnemann <rlinnemann@netgate.com>

pf: Add per-rule timestamps for rule and eth_rule

Similar to ipfw rule timestamps, these timestamps internally are
uint32_t snaps of the system time in seconds. The timestamp is CPU local
and updated each time a rule or a state associated with a rule or state
is matched.

Reviewed by: kp
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D34970


# d86cf443 13-Apr-2022 Matteo Riondato <matteo@FreeBSD.org>

pfctl: fix recursive printing of rules

When asked to print rules recursively, correctly recurse for anchors
included in pf.conf with "anchorname/*".

PR: 262590
Reviewed by: kp
MFC after: 3 weeks


# c4a08ef2 01-Apr-2022 Mateusz Guzik <mjg@FreeBSD.org>

pf: handle duplicate rules gracefully

Reviewed by: kp
Reported by: dch
PR: 262971
Sponsored by: Rubicon Communications, LLC ("Netgate")


# 9bb06778 29-Mar-2022 Kristof Provost <kp@FreeBSD.org>

pf: support listing ethernet anchors

Sponsored by: Rubicon Communications, LLC ("Netgate")


# a632d9e3 17-Mar-2022 Kristof Provost <kp@FreeBSD.org>

pfctl: fix retrieving nested nat-anchors

When retrieving nat rules in anchors we need to set the path just like
we do for regular rules.

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")


# cd8438e5 17-Mar-2022 Matteo Riondato <matteo@FreeBSD.org>

pfctl: fix retrieving nested anchors

PR: 262622
MFC after: 1 week
Reviewed by: kp


# 8c1400b0 04-Mar-2022 Kristof Provost <kp@FreeBSD.org>

libpfctl: factor out pfctl_get_rules_info()

Introduce pfctl_get_rules_info(), similar to pfctl_get_eth_rules_info()
to retrieve rules information (ticket and total number of rules).

Use the new function in pfctl.

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D34443


# f0c334e4 04-Mar-2022 Kristof Provost <kp@FreeBSD.org>

libpfctl: support flushing rules/nat/eth

Move the code to flush regular rules, nat rules and Ethernet rules into
libpfctl for easier re-use.

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D34442


# a20773c8 05-Mar-2022 Kristof Provost <kp@FreeBSD.org>

pfctl: support recursive printing of nat rules

PR: 252617
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D34455


# c32cd180 21-Jan-2022 Kristof Provost <kp@FreeBSD.org>

pfctl: print ethernet rules when called with '-n'

Just as pfctl already does for other rules we print the ethernet rules
we would have loaded if '-n' is specified.

Sponsored by: Rubicon Communications, LLC ("Netgate")


# 6ea1c3cf 17-Jan-2022 Kristof Provost <kp@FreeBSD.org>

pfctl: support flushing ethernet rules

Sponsored by: Rubicon Communications, LLC ("Netgate")


# c5131afe 01-Oct-2021 Kristof Provost <kp@FreeBSD.org>

pf: add anchor support for ether rules

Support anchors in ether rules.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32482


# 30087aa2 17-Feb-2021 Kristof Provost <kp@FreeBSD.org>

pf: Support clearing ether counters

Allow the evaluations/packets/bytes counters on Ethernet rules to be
cleared.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31748


# 2b29ceb8 04-Feb-2021 Kristof Provost <kp@FreeBSD.org>

pfctl: Print Ethernet rules

Extend pfctl to be able to read configured Ethernet filtering rules from
the kernel and print them.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31738


# 09c7f238 13-Oct-2021 Kristof Provost <kp@FreeBSD.org>

pfctl: delay label macro expansion until after rule optimisation

We used to expand the $nr macro in labels into the rule number prior to
the optimisation step. This would occasionally produce incorrect rule
numbers in the labels.

Delay all macro expansion until after the optimisation step to ensure
that we expand the correct values.

MFC after: 1 week
Reported by: Özkan KIRIK <ozkan.kirik@gmail.com>
Differential Revision: https://reviews.freebsd.org/D32488


# 5062afff 13-Aug-2021 Kristof Provost <kp@FreeBSD.org>

pfctl: userspace adaptive syncookies configuration

Hook up the userspace bits to configure syncookies in adaptive mode.

MFC after: 1 week
Sponsored by: Modirum MDPay
Differential Revision: https://reviews.freebsd.org/D32136


# 80078d9d 26-Aug-2021 Kristof Provost <kp@FreeBSD.org>

pfctl: use libpfctl to retrieve pf status

Rather than call DIOCGETSTATUS ourselves use the new libpfctl functions.

MFC after: 1 week
Sponsored by: Modirum MDPay
Differential Revision: https://reviews.freebsd.org/D31697


# 9ce32082 24-Aug-2021 Kristof Provost <kp@FreeBSD.org>

pfctl: build fix

Fix the build issue introduced in e59eff9ad328 (pfctl: fix killing states by ID)

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")


# e59eff9a 23-Aug-2021 Kristof Provost <kp@FreeBSD.org>

pfctl: fix killing states by ID

Since the conversion to the new DIOCKILLSTATESNV the kernel no longer
expects the id and creatorid to be big-endian.
As a result killing states by id (i.e. `pfctl -k id -k 12345`) no longer
worked.

Reported by: Özkan KIRIK
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")


# c69121c4 26-May-2021 Kristof Provost <kp@FreeBSD.org>

pfctl: syncookie configuration

pfctl and libpfctl code required to enable/disable the syncookie
feature.

MFC after: 1 week
Sponsored by: Modirum MDPay
Differential Revision: https://reviews.freebsd.org/D31140


# 858937be 01-Jul-2021 Mateusz Guzik <mjg@FreeBSD.org>

pfctl: cache getprotobynumber results

As for example pfctl -ss keeps calling it, it saves a lot of overhead
from elided parsing of /etc/nsswitch.conf and /etc/protocols.

Sample result when running a pre-nvlist binary with nfs root and dumping
7 mln states:
before: 24.817u 62.993s 1:28.52 99.1%
after: 8.064u 1.117s 0:18.87 48.5%

Idea by Jim Thompson

Reviewed by: kp
Sponsored by: Rubicon Communications, LLC ("Netgate")


# bc941291 10-May-2021 Kristof Provost <kp@FreeBSD.org>

pfctl: Use DIOCGETSTATESNV

Migrate to using the new nvlist-based DIOCGETSTATESNV call to obtain the
states list.

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30244


# 93abcf17 03-May-2021 Kristof Provost <kp@FreeBSD.org>

pf: Support killing 'matching' states

Optionally also kill states that match (i.e. are the NATed state or
opposite direction state entry for) the state we're killing.

See also https://redmine.pfsense.org/issues/8555

Submitted by: Steven Brown
Reviewed by: bcr (man page)
Obtained from: https://github.com/pfsense/FreeBSD-src/pull/11/
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30092


# abbcba9c 30-Apr-2021 Kristof Provost <kp@FreeBSD.org>

pf: Allow states to be killed per 'gateway'

This allows us to kill states created from a rule with route-to/reply-to
set. This is particularly useful in multi-wan setups, where one of the
WAN links goes down.

Submitted by: Steven Brown
Obtained from: https://github.com/pfsense/FreeBSD-src/pull/11/
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30058


# 2a00c4db 29-Apr-2021 Kristof Provost <kp@FreeBSD.org>

pfctl: Start using DIOCKILLSTATESNV

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30055


# 53714a58 29-Apr-2021 Kristof Provost <kp@FreeBSD.org>

pfctl: Start using DIOCCLRSTATESNV

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30053


# 6fcc8e04 20-Apr-2021 Kristof Provost <kp@FreeBSD.org>

pf: Allow multiple labels to be set on a rule

Allow up to 5 labels to be set on each rule.
This offers more flexibility in using labels. For example, it replaces
the custom 'schedule' keyword used by pfSense to terminate states
according to a schedule.

Reviewed by: glebius
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29936


# 42ec75f8 15-Apr-2021 Kristof Provost <kp@FreeBSD.org>

pf: Optionally attempt to preserve rule counter values across ruleset updates

Usually rule counters are reset to zero on every update of the ruleset.
With keepcounters set pf will attempt to find matching rules between old
and new rulesets and preserve the rule counters.

MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29780


# 4eabfe46 12-Apr-2021 Kristof Provost <kp@FreeBSD.org>

pfctl: Fix clearing rules counters

After the migration to libpfctl for rule retrieval we accidentally lost
support for clearing the rules counters.

Introduce a get_clear variant of pfctl_get_rule() which allows rules
counters to be cleared.

MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29727


# 600bd6ce 12-Apr-2021 Kurosawa Takahiro <takahiro.kurosawa@gmail.com>

pfctl, libpfctl: introduce pfctl_pool

Introduce pfctl_pool to be able to extend the pool part of the pf rule
without breaking the ABI.

Reviewed by: kp
MFC after: 4 weeks
Differential Revision: https://reviews.freebsd.org/D29721


# ab5707a5 08-Apr-2021 Kristof Provost <kp@FreeBSD.org>

libpfctl: Fix u_* counters

struct pf_rule had a few counter_u64_t counters. Those couldn't be
usefully communicated with userspace, so the fields were doubled up in
uint64_t u_* versions.

Now that we use struct pfctl_rule (i.e. a fully userspace version) we
can safely change the structure and remove this wart.

Reviewed by: glebius
MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29645


# e9eb0941 08-Apr-2021 Kristof Provost <kp@FreeBSD.org>

libpfctl: Switch to pfctl_rule

Stop using the kernel's struct pf_rule, switch to libpfctl's pfctl_rule.
Now that we use nvlists to communicate with the kernel these structures
can be fully decoupled.

Reviewed by: glebius
MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29644


# 0d71f9f3 26-Mar-2021 Kristof Provost <kp@FreeBSD.org>

pfctl: Move ioctl abstraction functions into libpfctl

Introduce a library to wrap the pf ioctl interface.

MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29562


# 0d6c8174 26-Mar-2021 Kristof Provost <kp@FreeBSD.org>

pfctl: Use the new DIOCGETRULENV ioctl

Create wrapper functions to handle the parsing of the nvlist and move
that code into pfctl_ioctl.c.
At some point this should be moved into a libpfctl.

MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29560


# 5c11c5a3 12-Mar-2021 Kristof Provost <kp@FreeBSD.org>

pfctl: Move to DIOCADDRULENV

Start using the new nvlist based ioctl to add rules.

MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29558


# b1f3ab00 12-Jan-2019 Kristof Provost <kp@FreeBSD.org>

pfctl: Fix 'set skip' handling for groups

When we skip on a group the kernel will automatically skip on the member
interfaces. We still need to update our own cache though, or we risk
overruling the kernel afterwards.

This manifested as 'set skip' working initially, then not working when
the rules were reloaded.

PR: 229241
MFC after: 1 week


# 249cc75f 22-Aug-2018 Patrick Kelsey <pkelsey@FreeBSD.org>

Extended pf(4) ioctl interface and pfctl(8) to allow bandwidths of
2^32 bps or greater to be used. Prior to this, bandwidth parameters
would simply wrap at the 2^32 boundary. The computations in the HFSC
scheduler and token bucket regulator have been modified to operate
correctly up to at least 100 Gbps. No other algorithms have been
examined or modified for correct operation above 2^32 bps (some may
have existing computation resolution or overflow issues at rates below
that threshold). pfctl(8) will now limit non-HFSC bandwidth
parameters to 2^32 - 1 before passing them to the kernel.

The extensions to the pf(4) ioctl interface have been made in a
backwards-compatible way by versioning affected data structures,
supporting all versions in the kernel, and implementing macros that
will cause existing code that consumes that interface to use version 0
without source modifications. If version 0 consumers of the interface
are used against a new kernel that has had bandwidth parameters of
2^32 or greater configured by updated tools, such bandwidth parameters
will be reported as 2^32 - 1 bps by those old consumers.

All in-tree consumers of the pf(4) interface have been updated. To
update out-of-tree consumers to the latest version of the interface,
define PFIOC_USE_LATEST ahead of any includes and use the code of
pfctl(8) as a guide for the ioctls of interest.

PR: 211730
Reviewed by: jmallett, kp, loos
MFC after: 2 weeks
Relnotes: yes
Sponsored by: RG Nets
Differential Revision: https://reviews.freebsd.org/D16782


# cd615bf5 22-Aug-2018 Kristof Provost <kp@FreeBSD.org>

pfctl: Remove unused function

Fix compile issues.

MFC after: 1 week


# 7a831fec 22-Aug-2018 Kristof Provost <kp@FreeBSD.org>

pfctl: Improve set skip handling for groups

Rely on the kernel to appropriately mark group members as skipped.
Once a group is skipped we can clear the update flag on all the members.

PR: 229241
Submitted by: Andreas Longwitz <longwitz AT incore.de>
MFC after: 1 week


# 7a2bf4c5 03-Jul-2018 Kristof Provost <kp@FreeBSD.org>

pfctl: Don't retrieve interface list if '-n' is set

If '-n' is set we don't use the list of skip interfaces, so don't retrieve it.
This fixes issues if 'pfctl -n' is used before the pf module is loaded. This
was broken by r333181.

Reported by: Jakub Chromy <hicks AT cgi.cz>
MFC after: 1 week


# fa1d4439 06-Jun-2018 Kristof Provost <kp@FreeBSD.org>

pf: Return non-zero from 'status' if pf is not enabled

In the pf rc.d script the output of `/etc/rc.d/pf status` or `/etc/rc.d/pf
onestatus` always provided an exit status of zero. This made it fiddly to
programmatically determine if pf was running or not.

Return a non-zero status if the pf module is not loaded, extend pfctl to have
an option to return an error status if pf is not enabled.

PR: 228632
Submitted by: James Park-Watt <jimmypw AT gmail.com>
MFC after: 1 week


# c5e10565 28-Apr-2018 Kristof Provost <kp@FreeBSD.org>

pfctl: Don't break connections on skipped interfaces on reload

On reload we used to first flush everything, including the list of skipped
interfaces. This can lead to termination of these connections if they send
packets before the new configuration is applied.

Note that this doesn't currently happen on 12 or 11, because of special EACCES
handling introduced in r315514. This special behaviour in tcp_output() may
change, hence the fix in pfctl.

PR: 214613


# 07695000 27-Dec-2017 Warner Losh <imp@FreeBSD.org>

Free path before returning.

CID: 977827


# 1de7b4b8 27-Nov-2017 Pedro F. Giffuni <pfg@FreeBSD.org>

various: general adoption of SPDX licensing ID tags.

Mainly focus on files that use BSD 2-Clause license, however the tool I
was using misidentified many licenses so this was mostly a manual - error
prone - task.

The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
supersede or replace the license texts.

No functional change intended.


# 2fd47dea 10-Nov-2016 Kristof Provost <kp@FreeBSD.org>

pfctl: fix nested inline anchors

Import the OpenBSD fix for nested inline anchors.

PR: 196314
Submitted by: krichy@cflinux.hu
Obtained from: OpenBSD


# 13cfafab 04-Aug-2016 Kristof Provost <kp@FreeBSD.org>

pfctl: Make most global variables static.

This will make it easier to link as a library.

Submitted by: Christian Mauderer <christian.mauderer@embedded-brains.de>


# 72a3cf0f 02-Aug-2016 Kristof Provost <kp@FreeBSD.org>

pfctl: Use const where possible.

This adds const qualifiers where it is possible.

Submitted by: Christian Mauderer <christian.mauderer@embedded-brains.de>


# 9a5e33be 02-Aug-2016 Kristof Provost <kp@FreeBSD.org>

pfctl: Match prototype of pfctl_load_hostid.

The prototype and the implementation of the pfctl_load_hostid used a
different data type for one of the parameters.

Submitted by: Christian Mauderer <christian.mauderer@embedded-brains.de>


# 3e768368 01-Nov-2015 Kristof Provost <kp@FreeBSD.org>

pfctl: Fix uninitialised variable

In pfctl_set_debug() we used 'level' without ever initialising it.
We correctly parsed the option, but then failed to actually assign the parsed
value to 'level' before performing the ioctl() to configure the debug level.

PR: 202996
Submitted by: Andrej Kolontai


# a4134647 20-Jul-2015 George V. Neville-Neil <gnn@FreeBSD.org>

Only report the lack of ALTQ support if pfctl is using verbose (-v) mode.

PR: 194935
Submitted by: Jim Thompson
MFC after: 2 weeks


# 772e66a6 16-Apr-2015 Gleb Smirnoff <glebius@FreeBSD.org>

Move ALTQ from contrib to net/altq. The ALTQ code has for many years been
discontinued by its initial authors. In FreeBSD the code was already
slightly edited during the pf(4) SMP project. It is about to be edited
more in the projects/ifnet. Moving out of contrib also allows us to remove
several hacks to the make glue.

Reviewed by: net@


# 5a9ab487 05-Mar-2014 Gleb Smirnoff <glebius@FreeBSD.org>

Fix compilation for 32-bit machines.


# fb3541ad 04-Mar-2014 Gleb Smirnoff <glebius@FreeBSD.org>

Instead of playing games with casts simply add 3 more members to the
structure pf_rule, that are used when the structure is passed via
ioctl().

PR: 187074


# 2dfe3ec2 15-Feb-2014 Gleb Smirnoff <glebius@FreeBSD.org>

Better build fix.


# 4a70ff6d 14-Feb-2014 Gleb Smirnoff <glebius@FreeBSD.org>

Fix build on 32bit arches broken by me in r261882.


# 48278b88 14-Feb-2014 Gleb Smirnoff <glebius@FreeBSD.org>

Once pf was no longer covered by a single mutex, many counters in it became
race prone. Some just gather statistics, but some are later used in
different calculations.

A real problem was the race provoked underflow of the states_cur counter
on a rule. Once it goes below zero, it wraps to UINT32_MAX. Later this
value is used in pf_state_expires() and any state created by this rule
is immediately expired.

Thus, make fields states_cur, states_tot and src_nodes of struct
pf_rule be counter(9)s.

Thanks to Dennis for providing me shell access to the problematic box and
his help with reproducing, debugging and investigating the problem.

Thanks to: Dennis Yusupoff <dyr smartspb.net>
Also reported by: dumbbell, pgj, Rambler
Sponsored by: Nginx, Inc.


# 116e43f0 22-Nov-2013 Gleb Smirnoff <glebius@FreeBSD.org>

Remove __FreeBSD__ ifdefs.


# 0c46447b 22-Nov-2013 Gleb Smirnoff <glebius@FreeBSD.org>

Rewrite usage() so that its source code resembles what is printed.


# 3b3a8eb9 14-Sep-2012 Gleb Smirnoff <glebius@FreeBSD.org>

o Create directory sys/netpfil, where all packet filters should
reside, and move there ipfw(4) and pf(4).

o Move most modified parts of pf out of contrib.

Actual movements:

sys/contrib/pf/net/*.c -> sys/netpfil/pf/
sys/contrib/pf/net/*.h -> sys/net/
contrib/pf/pfctl/*.c -> sbin/pfctl
contrib/pf/pfctl/*.h -> sbin/pfctl
contrib/pf/pfctl/pfctl.8 -> sbin/pfctl
contrib/pf/pfctl/*.4 -> share/man/man4
contrib/pf/pfctl/*.5 -> share/man/man5

sys/netinet/ipfw -> sys/netpfil/ipfw

The arguable movement is pf/net/*.h -> sys/net. There are
future plans to refactor pf includes, so I decided not to
break things twice.

Not modified bits of pf left in contrib: authpf, ftp-proxy,
tftp-proxy, pflogd.

The ipfw(4) movement is planned to be merged to stable/9,
to make head and stable match.

Discussed with: bz, luigi