pf: convert DIOCSETDEBUG to netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")

pf: convert DIOCNATLOOK to netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")

pf: convert DIOCCLRSTATUS to netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")

pf: convert DIOCGETSTATUS to netlink

Introduce pfctl_get_status_h() because we need the pfctl_handle. In this variant
use netlink to obtain the information.

Sponsored by: Rubicon Communications, LLC ("Netgate")

pf: convert DIOCSETSTATUSIF to netlink

While here also add a basic test case for it.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D44368

pf: convert kill/clear state to use netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D44090

pf: implement addrule via netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")

pf: export missing state information

We did not export all of the information pfctl expected to print via the
new netlink code. This manifested as pfctl printing 'rtableid: 0', even
when there is no rtable set.

While we're addressing that also export other missing fields such as
dummynet, min_ttl, max_mss, ..

Sponsored by: Rubicon Communications, LLC ("Netgate")

pf: implement DIOCGETRULES via netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")

pf: support basic filters for state listing

Allow users(pace) to specify a protocol, interface, address family and/
or address and mask, allowing the state listing to be pre-filtered in
the kernel.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42280

pf: convert rule addition to netlink

The nvlist-based version will be removed in FreeBSD 16.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42279

pf: implement start/stop calls via netlink

Implement equivalents to DIOCSTART and DIOCSTOP in netlink. Provide a
libpfctl implementation and add a basic test case, mostly to verify that
we still return the same errors as before the conversion

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42145

pf: add a way to list creator ids

Allow userspace to retrieve a list of distinct creator ids for the
current states.

This is used by pfSense, and used to require dumping all states to
userspace. It's rather inefficient to export a (potentially extremely
large) state table to obtain a handful (typically 2) of 32-bit integers.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42092

pf: convert state retrieval to netlink

Use netlink to export pf's state table.

The primary motivation is to improve how we deal with very large state
stables. With the previous implementation we had to build the entire
list (both in the kernel and in userspace) before we could start
processing. With netlink we start to get data in userspace while the
kernel is still generating more. This reduces peak memory consumption
(which can get to the GB range once we hit millions of states).

Netlink also makes future extension easier, in that we can easily add
fields to the state export without breaking userspace. In that regard
it's similar to an nvlist-based approach, except that it also deals
with transport to userspace and that it performs significantly better
than nvlists. Testing has failed to measure a performance difference
between the previous struct-copy based ioctl and the netlink approach.

Differential Revision: https://reviews.freebsd.org/D38888