Home | History | Annotate | only in /src/sys/external/bsd/ipf
History log of /src/sys/external/bsd/ipf
RevisionDateAuthorComments
 1.37 24-Jun-2023  msaitoh Fix typo in comment.
 1.36 03-Feb-2023  christos Fix use after free on packet with broken lengths

Under the scenario with a packet with length of 67 bytes, a header length
using the default of 20 bytes and a TCP data offset (th_off) of 48 will
cause m_pullup() to fail to make sure bytes are arranged contiguously.
m_pullup() will free the mbuf chain and return a null. ipfilter stores
the resultant mbuf address (or the resulting NULL) in its fr_info_t
structure. Unfortunately the erroneous packet is not flagged for drop.
From FreeBSD via CY Schubert; originally reported by: Robert Morris
<rtm at lcs.mit.edu>
 1.35 05-Dec-2021  msaitoh s/recusive/recursive/ in comment.
 1.34 05-Dec-2021  msaitoh s/imples/implies/ in comment.
 1.33 09-Apr-2020  christos PR/55149: Kouichi Hashikawa: Get morefrag before we strip it out from off
 1.32 05-Apr-2020  christos branches: 1.32.2;
PR/55137: Kouichi Hashikawa: ipfstat -f incorrect output
Fix incorrect byte order.
 1.31 30-Sep-2019  bouyer Fix 2 bugs, reported by Edgar Fu� on tech-net@
- pfil_run_hooks() can be called recursively, so we have to
#define FASTROUTE_RECURSION in fil.c
- ip6_if_output()/nd6_output() will free the mbuf on error, to make sure
to set *mpp to NULL so the caller won't try to free it again.
 1.30 08-Aug-2019  christos PR/54443: Edgar Fu�: ip mistakenly regards UDP packet with checksum field
0xffff as bad
 1.29 28-Jun-2019  christos branches: 1.29.2;
Revert previous and do the off == 1 case after we've taken the mask.
 1.28 26-Jun-2019  christos Conform to RFC 3128 by dropping TCP fragments with offset = 1.
In addition to dropping these fragments, add a DTrace probe to allow
for more detailed monitoring and diagnosis if required.
From FreeBSD r349399, reported vy Cy Schubert
 1.27 26-Jun-2019  christos Remove fd_local, it is not used, from FreeBSD r349401, reported by Cy Schubert
 1.26 26-Jun-2019  christos Remove redundant off != 0 check, from FreeBSD r349400, reported by Cy Schubert
 1.25 04-Feb-2019  mrg add fallthru comments.
 1.24 11-Jul-2018  maxv Rename

ip_undefer_csum -> in_undefer_cksum
in_delayed_cksum -> in_undefer_cksum_tcpudp

The two previous names were inconsistent and misleading.

Put the two functions into in_offload.c. Add comments to explain what
we're doing.

The same could be done for IPv6.
 1.23 03-Jun-2018  maxv branches: 1.23.2;
Constify a bunch of global varialbes under ipf/ so that they land in
.rodata (3472 bytes).

Also, remove ipf_tuneables[], unused.
 1.22 04-Feb-2018  mrg branches: 1.22.2;
apply __attribute__((__used__)) for rcsid, etc.
 1.21 05-Sep-2017  christos Revert changing the byte order of fi->fi_addr. It is already correct. From
Timo Buhrmester
XXX: pullup 8.
 1.20 23-Apr-2017  christos branches: 1.20.4;
Disconnect maintaining fragment state from keeping session state. The user
now must specify keep frags along with keep state to have ipfilter do what
it did before, as documented in ipf.conf.5. (Cy Schubert @ FreeBSD)
 1.19 05-Aug-2016  christos partial sync with FreeBSD
 1.18 04-Apr-2016  christos branches: 1.18.2;
We don't need this in /current because packet processing does not happen in
an interrupt anymore (pointed out by ozaki@)
 1.17 03-Apr-2016  christos Comment out the mutex calls that protect against concurrent configuration
changes and processing. This needs to be done differently since you can't
sleep during interrupt processing.
 1.16 02-Apr-2015  khorben Fix for PR kern/48109 (and its duplicate kern/49807)

As provided by Takahiro HAYASHI in PR kern/48109. Additional error
registration in ipf(8) by myself. Changes tested with GENERIC and
XEN3_DOM0. Thanks!

XXX pull-up netbsd-7
 1.15 16-Jun-2014  christos branches: 1.15.2; 1.15.4;
Darren Reed: #550 filter rule list corrupted with inserted rules
 1.14 20-Mar-2014  christos branches: 1.14.2;
kill sprintf
 1.13 27-Nov-2013  christos CID 976267: NULL deref check
 1.12 18-Sep-2013  rmind Add bpf_filter_ext() to use with BPF COP, restore bpf_filter() as it was
originally to preserve compatibility. Similarly, add bpf_validate_ext()
which takes bpf_ctx_t.
 1.11 12-Sep-2013  martin Remove unused variable
 1.10 30-Aug-2013  rmind bpf_filter: add a custom argument which can be passed to coprocessor routine.
 1.9 29-Aug-2013  rmind Implement BPF_COP/BPF_COPX instructions in the misc category (BPF_MISC)
which add a capability to call external functions in a predetermined way.

It can be thought as a BPF "coprocessor" -- a generic mechanism to offload
more complex packet inspection operations. There is no default coprocessor
and this functionality is not targeted to the /dev/bpf. This is primarily
targeted to the kernel subsystems, therefore there is no way to set a custom
coprocessor at the userlevel.

Discussed on: tech-net@
OK: core@
 1.8 09-Jan-2013  christos branches: 1.8.2;
Back out my last change, which was a partial fix for hash code computation problems.
Apply Darren's more complete reworking of hash code computation.
Ensure that the struct containing the red-black tree head is properly initialized.
From Geoff Adams
 1.7 20-Dec-2012  christos - Replace the seemingly broken built-in ipf rbtree implementation with ours.
- Fix typos in comments
- Fix 2 mutex errors
From Geoff Adams
 1.6 09-Oct-2012  christos remove wrong ntohl (from Aran Clauson)
 1.5 22-Jul-2012  darrenr branches: 1.5.2;
ansify new function definition
 1.4 22-Jul-2012  darrenr ansify new functio definitions
 1.3 22-Jul-2012  darrenr Merge IPFilter 5.1.2 into HEAD
 1.2 23-Mar-2012  christos branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files
 1.1 23-Mar-2012  christos branches: 1.1.1;
Initial revision
 1.1.1.2 22-Jul-2012  darrenr Import IPFilter 5.1.2
 1.1.1.1 23-Mar-2012  christos import kernel portion of ipfilter 5.1.1
 1.2.4.5 22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.2.4.4 23-Jan-2013  yamt sync with head
 1.2.4.3 30-Oct-2012  yamt sync with head
 1.2.4.2 17-Apr-2012  yamt sync with head
 1.2.4.1 23-Mar-2012  yamt file fil.c was added on branch yamt-pagecache on 2012-04-17 00:08:15 +0000
 1.2.2.2 17-Apr-2012  joerg Re-add new ipf on the jmcneill-usbmp branch.
 1.2.2.1 23-Mar-2012  joerg file fil.c was added on branch jmcneill-usbmp on 2012-04-17 19:25:17 +0000
 1.5.2.4 03-Dec-2017  jdolecek update from HEAD
 1.5.2.3 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.5.2.2 25-Feb-2013  tls resync with head
 1.5.2.1 20-Nov-2012  tls Resync to 2012-11-19 00:00:00 UTC
 1.8.2.1 18-May-2014  rmind sync with head
 1.14.2.1 10-Aug-2014  tls Rebase.
 1.15.4.3 28-Aug-2017  skrll Sync with HEAD
 1.15.4.2 05-Oct-2016  skrll Sync with HEAD
 1.15.4.1 06-Apr-2015  skrll Sync with HEAD
 1.15.2.4 09-Aug-2019  martin Pull up following revision(s) (requested by christos in ticket #1701):

sys/external/bsd/ipf/netinet/fil.c: revision 1.30

PR/54443: Edgar Fu�: ipf mistakenly regards UDP packet with checksum field
0xffff as bad
 1.15.2.3 29-Jun-2017  sborrill Pull up the following revisions(s) (requested by christos in ticket #1412):
sys/external/bsd/ipf/netinet/fil.c: revision 1.20
sys/external/bsd/ipf/netinet/ip_state.c: revision 1.7
sys/external/bsd/ipf/netinet/ip_frag.c: revision 1.5

Disconnect maintaining fragment state from keeping session state. The user
now must specify keep frags along with keep state to have ipfilter do what
it did before, as documented in ipf.conf.5.
Free the right fragment. This will cause use after free issues and eventually
panic.
 1.15.2.2 29-Apr-2016  snj branches: 1.15.2.2.4;
Pull up following revision(s) (requested by christos in ticket #1152):
sys/external/bsd/ipf/netinet/fil.c: revision 1.17
Comment out the mutex calls that protect against concurrent configuration
changes and processing. This needs to be done differently since you can't
sleep during interrupt processing.
 1.15.2.1 10-Apr-2015  snj branches: 1.15.2.1.2;
Pull up following revision(s) (requested by khorben in ticket #671):
external/bsd/ipf/dist/lib/interror.c: revision 1.4
sys/external/bsd/ipf/netinet/fil.c: revision 1.16
Fix for PR kern/48109 (and its duplicate kern/49807)
As provided by Takahiro HAYASHI in PR kern/48109. Additional error
registration in ipf(8) by myself. Changes tested with GENERIC and
XEN3_DOM0. Thanks!
 1.15.2.2.4.1 12-Jul-2017  sborrill Pull up the following revisions(s) (requested by christos in ticket #1412):
sys/external/bsd/ipf/netinet/fil.c: revision 1.20
sys/external/bsd/ipf/netinet/ip_state.c: revision 1.7
sys/external/bsd/ipf/netinet/ip_frag.c: revision 1.5

Disconnect maintaining fragment state from keeping session state. The user
now must specify keep frags along with keep state to have ipfilter do what
it did before, as documented in ipf.conf.5.
Free the right fragment. This will cause use after free issues and eventually
panic.
 1.15.2.1.2.1 25-Aug-2017  snj Pull up following revision(s) (requested by mrg in ticket #1412):
sys/external/bsd/ipf/netinet/fil.c: revision 1.20
sys/external/bsd/ipf/netinet/ip_frag.c: revision 1.5
sys/external/bsd/ipf/netinet/ip_state.c: revision 1.7
Disconnect maintaining fragment state from keeping session state. The user
now must specify keep frags along with keep state to have ipfilter do what
it did before, as documented in ipf.conf.5. (Cy Schubert @ FreeBSD)
--
Free the right fragment (Cy Schubert @ FreeBSD). This will cause use after free
issues and eventually panic.
 1.18.2.2 26-Apr-2017  pgoyette Sync with HEAD
 1.18.2.1 06-Aug-2016  pgoyette Sync with HEAD
 1.20.4.4 04-Oct-2019  martin Pull up following revision(s) (requested by bouyer in ticket #1399):

sys/external/bsd/ipf/netinet/fil.c: revision 1.31
sys/external/bsd/ipf/netinet/ip_fil_netbsd.c: revision 1.32
sys/external/bsd/ipf/netinet/ip_fil_netbsd.c: revision 1.33

Fix 2 bugs, reported by Edgar Fuss on tech-net@
- pfil_run_hooks() can be called recursively, so we have to
#define FASTROUTE_RECURSION in fil.c
- ip6_if_output()/nd6_output() will free the mbuf on error, to make sure
to set *mpp to NULL so the caller won't try to free it again.

fix double space in comment
 1.20.4.3 09-Aug-2019  martin Pull up following revision(s) (requested by christos in ticket #1331):

sys/external/bsd/ipf/netinet/fil.c: revision 1.30

PR/54443: Edgar Fu�: ipf mistakenly regards UDP packet with checksum field
0xffff as bad
 1.20.4.2 26-Dec-2018  martin Pull up the following, requested by sevan in ticket #1144:

sys/external/bsd/ipf/netinet/fil.c 1.22

accidently commited to HEAD by mrg with a very misleading log message and
a bunch of unrelated changes - but really:

fix missing braces around a block (detected by newer gcc's indentation
checks).
 1.20.4.1 23-Sep-2017  snj Pull up following revision(s) (requested by christos in ticket #283):
sys/external/bsd/ipf/netinet/fil.c: revision 1.21
Revert changing the byte order of fi->fi_addr. It is already correct. From
Timo Buhrmester
 1.22.2.2 28-Jul-2018  pgoyette Sync with HEAD
 1.22.2.1 25-Jun-2018  pgoyette Sync with HEAD
 1.23.2.3 13-Apr-2020  martin Mostly merge changes from HEAD upto 20200411
 1.23.2.2 08-Apr-2020  martin Merge changes from current as of 20200406
 1.23.2.1 10-Jun-2019  christos Sync with HEAD
 1.29.2.3 12-Apr-2020  martin Pull up following revision(s) (requested by christos in ticket #827):

sys/external/bsd/ipf/netinet/fil.c: revision 1.32
sys/external/bsd/ipf/netinet/fil.c: revision 1.33
sys/external/bsd/ipf/netinet/ip_frag.c: revision 1.8

PR/55137: Kouichi Hashikawa: ipfstat -f incorrect output
Fix incorrect byte order.

PR/55137: Kouichi Hashikawa: ipfstat -f incorrect output
- make sure frag is initialized to 0
- initialize ipfr_p field

PR/55149: Kouichi Hashikawa: Get morefrag before we strip it out from off
 1.29.2.2 03-Oct-2019  martin Pull up following revision(s) (requested by bouyer in ticket #274):

sys/external/bsd/ipf/netinet/fil.c: revision 1.31
sys/external/bsd/ipf/netinet/ip_fil_netbsd.c: revision 1.32
sys/external/bsd/ipf/netinet/ip_fil_netbsd.c: revision 1.33

Fix 2 bugs, reported by Edgar Fuss on tech-net@
- pfil_run_hooks() can be called recursively, so we have to
#define FASTROUTE_RECURSION in fil.c
- ip6_if_output()/nd6_output() will free the mbuf on error, to make sure
to set *mpp to NULL so the caller won't try to free it again.

fix double space in comment
 1.29.2.1 09-Aug-2019  martin Pull up following revision(s) (requested by christos in ticket #40):

sys/external/bsd/ipf/netinet/fil.c: revision 1.30

PR/54443: Edgar Fu�: ipf mistakenly regards UDP packet with checksum field
0xffff as bad
 1.32.2.1 20-Apr-2020  bouyer Sync with HEAD
 1.7 02-Sep-2022  thorpej Remove unnecessary inclusion of <net/netisr.h>.
 1.6 03-May-2018  maxv Remove now unused tcpip.h includes. Some were already unused before.
 1.5 30-May-2014  rmind branches: 1.5.26;
Include cdefs.h earlier for NetBSD.
 1.4 20-Oct-2013  christos branches: 1.4.2;
ifdef kernel used only variable
 1.3 22-Jul-2012  darrenr branches: 1.3.2; 1.3.4;
Merge IPFilter 5.1.2 into HEAD
 1.2 23-Mar-2012  christos branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files
 1.1 23-Mar-2012  christos branches: 1.1.1;
Initial revision
 1.1.1.2 22-Jul-2012  darrenr Import IPFilter 5.1.2
 1.1.1.1 23-Mar-2012  christos import kernel portion of ipfilter 5.1.1
 1.2.4.4 22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.2.4.3 30-Oct-2012  yamt sync with head
 1.2.4.2 17-Apr-2012  yamt sync with head
 1.2.4.1 23-Mar-2012  yamt file ip_auth.c was added on branch yamt-pagecache on 2012-04-17 00:08:15 +0000
 1.2.2.2 17-Apr-2012  joerg Re-add new ipf on the jmcneill-usbmp branch.
 1.2.2.1 23-Mar-2012  joerg file ip_auth.c was added on branch jmcneill-usbmp on 2012-04-17 19:25:17 +0000
 1.3.4.1 18-May-2014  rmind sync with head
 1.3.2.1 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.4.2.1 10-Aug-2014  tls Rebase.
 1.5.26.1 21-May-2018  pgoyette Sync with HEAD
 1.3 22-Jul-2012  darrenr Merge IPFilter 5.1.2 into HEAD
 1.2 23-Mar-2012  christos branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files
 1.1 23-Mar-2012  christos branches: 1.1.1;
Initial revision
 1.1.1.2 22-Jul-2012  darrenr Import IPFilter 5.1.2
 1.1.1.1 23-Mar-2012  christos import kernel portion of ipfilter 5.1.1
 1.2.4.3 30-Oct-2012  yamt sync with head
 1.2.4.2 17-Apr-2012  yamt sync with head
 1.2.4.1 23-Mar-2012  yamt file ip_auth.h was added on branch yamt-pagecache on 2012-04-17 00:08:15 +0000
 1.2.2.2 17-Apr-2012  joerg Re-add new ipf on the jmcneill-usbmp branch.
 1.2.2.1 23-Mar-2012  joerg file ip_auth.h was added on branch jmcneill-usbmp on 2012-04-17 19:25:18 +0000
 1.13 03-May-2018  maxv Remove m_copy completely.
 1.12 01-May-2018  maxv Remove unused alias to tcpiphdr.
 1.11 05-Aug-2016  christos branches: 1.11.14;
unifdef
 1.10 10-Jun-2016  ozaki-r branches: 1.10.2;
Avoid storing a pointer of an interface in a mbuf

Having a pointer of an interface in a mbuf isn't safe if we remove big
kernel locks; an interface object (ifnet) can be destroyed anytime in any
packet processing and accessing such object via a pointer is racy. Instead
we have to get an object from the interface collection (ifindex2ifnet) via
an interface index (if_index) that is stored to a mbuf instead of an
pointer.

The change provides two APIs: m_{get,put}_rcvif_psref that use psref(9)
for sleep-able critical sections and m_{get,put}_rcvif that use
pserialize(9) for other critical sections. The change also adds another
API called m_get_rcvif_NOMPSAFE, that is NOT MP-safe and for transition
moratorium, i.e., it is intended to be used for places where are not
planned to be MP-ified soon.

The change adds some overhead due to psref to performance sensitive paths,
however the overhead is not serious, 2% down at worst.

Proposed on tech-kern and tech-net.
 1.9 10-Jun-2016  ozaki-r Introduce m_set_rcvif and m_reset_rcvif

The API is used to set (or reset) a received interface of a mbuf.
They are counterpart of m_get_rcvif, which will come in another
commit, hide internal of rcvif operation, and reduce the diff of
the upcoming change.

No functional change.
 1.8 09-Jun-2016  pgoyette Enable building of ipfilter code as a separately-loaded module.
 1.7 20-Mar-2014  christos branches: 1.7.6;
kill sprintf
 1.6 09-Jan-2013  christos branches: 1.6.2;
Back out my last change, which was a partial fix for hash code computation problems.
Apply Darren's more complete reworking of hash code computation.
Ensure that the struct containing the red-black tree head is properly initialized.
From Geoff Adams
 1.5 20-Dec-2012  christos - Replace the seemingly broken built-in ipf rbtree implementation with ours.
- Fix typos in comments
- Fix 2 mutex errors
From Geoff Adams
 1.4 15-Sep-2012  plunky the result of the construct

#define FOO defined(BAR)

#if FOO
[conditional code]
#endif

is "undefined", according to C99 6.10.1 note 4. So, change code like
that to use the following paradigm

#if defined(BAR)
#define FOO 1
#else
#define FOO 0
#endif

#if FOO
[conditional code]
#endif
 1.3 22-Jul-2012  darrenr branches: 1.3.2;
Merge IPFilter 5.1.2 into HEAD
 1.2 23-Mar-2012  christos branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files
 1.1 23-Mar-2012  christos branches: 1.1.1;
Initial revision
 1.1.1.2 22-Jul-2012  darrenr Import IPFilter 5.1.2
 1.1.1.1 23-Mar-2012  christos import kernel portion of ipfilter 5.1.1
 1.2.4.5 22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.2.4.4 23-Jan-2013  yamt sync with head
 1.2.4.3 30-Oct-2012  yamt sync with head
 1.2.4.2 17-Apr-2012  yamt sync with head
 1.2.4.1 23-Mar-2012  yamt file ip_compat.h was added on branch yamt-pagecache on 2012-04-17 00:08:15 +0000
 1.2.2.2 17-Apr-2012  joerg Re-add new ipf on the jmcneill-usbmp branch.
 1.2.2.1 23-Mar-2012  joerg file ip_compat.h was added on branch jmcneill-usbmp on 2012-04-17 19:25:18 +0000
 1.3.2.4 03-Dec-2017  jdolecek update from HEAD
 1.3.2.3 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.3.2.2 25-Feb-2013  tls resync with head
 1.3.2.1 20-Nov-2012  tls Resync to 2012-11-19 00:00:00 UTC
 1.6.2.1 18-May-2014  rmind sync with head
 1.7.6.2 05-Oct-2016  skrll Sync with HEAD
 1.7.6.1 09-Jul-2016  skrll Sync with HEAD
 1.10.2.1 06-Aug-2016  pgoyette Sync with HEAD
 1.11.14.2 21-May-2018  pgoyette Sync with HEAD
 1.11.14.1 02-May-2018  pgoyette Synch with HEAD
 1.3 22-Jul-2012  darrenr Merge IPFilter 5.1.2 into HEAD
 1.2 23-Mar-2012  christos branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files
 1.1 23-Mar-2012  christos branches: 1.1.1;
Initial revision
 1.1.1.2 22-Jul-2012  darrenr Import IPFilter 5.1.2
 1.1.1.1 23-Mar-2012  christos import kernel portion of ipfilter 5.1.1
 1.2.4.3 30-Oct-2012  yamt sync with head
 1.2.4.2 17-Apr-2012  yamt sync with head
 1.2.4.1 23-Mar-2012  yamt file ip_dns_pxy.c was added on branch yamt-pagecache on 2012-04-17 00:08:15 +0000
 1.2.2.2 17-Apr-2012  joerg Re-add new ipf on the jmcneill-usbmp branch.
 1.2.2.1 23-Mar-2012  joerg file ip_dns_pxy.c was added on branch jmcneill-usbmp on 2012-04-17 19:25:18 +0000
 1.8 28-Jun-2014  darrenr #534 destination list hashing not endian neutral
 1.7 01-Apr-2014  christos branches: 1.7.2;
Remove SCCS prefix from RCS string!
 1.6 14-Sep-2013  joerg Use __KERNEL_RCSID.
 1.5 03-Dec-2012  christos branches: 1.5.2;
PR/47270: Paul Goyette: ipftest -N aborts
1. check for NULL before de-refencing; in particular sel is assigned to NULL,
in the default case, and then couple of lines down we do sel->
2. gcc appears to optimize u_32_t hash[4], to u_32_t hash, since we only
use hash[0], disregarding the fact that we pass it to MD5Final() leading
to stack corruption. Use an explicit union, so that the compiler stops
butting its head where it shouldn't.

XXX: pullup to 6
 1.4 22-Jul-2012  darrenr branches: 1.4.2;
ansify new function definition
 1.3 22-Jul-2012  darrenr Merge IPFilter 5.1.2 into HEAD
 1.2 23-Mar-2012  christos branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files
 1.1 23-Mar-2012  christos branches: 1.1.1;
Initial revision
 1.1.1.2 22-Jul-2012  darrenr Import IPFilter 5.1.2
 1.1.1.1 23-Mar-2012  christos import kernel portion of ipfilter 5.1.1
 1.2.4.5 22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.2.4.4 16-Jan-2013  yamt sync with (a bit old) head
 1.2.4.3 30-Oct-2012  yamt sync with head
 1.2.4.2 17-Apr-2012  yamt sync with head
 1.2.4.1 23-Mar-2012  yamt file ip_dstlist.c was added on branch yamt-pagecache on 2012-04-17 00:08:15 +0000
 1.2.2.2 17-Apr-2012  joerg Re-add new ipf on the jmcneill-usbmp branch.
 1.2.2.1 23-Mar-2012  joerg file ip_dstlist.c was added on branch jmcneill-usbmp on 2012-04-17 19:25:18 +0000
 1.4.2.2 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.4.2.1 25-Feb-2013  tls resync with head
 1.5.2.1 18-May-2014  rmind sync with head
 1.7.2.1 10-Aug-2014  tls Rebase.
 1.3 22-Jul-2012  darrenr Merge IPFilter 5.1.2 into HEAD
 1.2 23-Mar-2012  christos branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files
 1.1 23-Mar-2012  christos branches: 1.1.1;
Initial revision
 1.1.1.2 22-Jul-2012  darrenr Import IPFilter 5.1.2
 1.1.1.1 23-Mar-2012  christos import kernel portion of ipfilter 5.1.1
 1.2.4.3 30-Oct-2012  yamt sync with head
 1.2.4.2 17-Apr-2012  yamt sync with head
 1.2.4.1 23-Mar-2012  yamt file ip_dstlist.h was added on branch yamt-pagecache on 2012-04-17 00:08:15 +0000
 1.2.2.2 17-Apr-2012  joerg Re-add new ipf on the jmcneill-usbmp branch.
 1.2.2.1 23-Mar-2012  joerg file ip_dstlist.h was added on branch jmcneill-usbmp on 2012-04-17 19:25:18 +0000
 1.8 11-Nov-2019  chs revert rev 1.7 (which removed the fd_local field from frdest_t).
this structure is part of the kernel/user ABI and so we would need to
version the ioctl ABI again in order to remove this field. but that's
a big pain so let's just leave the field there. the problem that
was being fixed in FreeBSD related to this was a failure to locate
filter rules in certain situations, but having an unused always-zero
field there won't cause that problem.
 1.7 26-Jun-2019  christos branches: 1.7.2;
Remove fd_local, it is not used, from FreeBSD r349401, reported by Cy Schubert
 1.6 03-Jun-2018  maxv branches: 1.6.2;
Constify a bunch of global varialbes under ipf/ so that they land in
.rodata (3472 bytes).

Also, remove ipf_tuneables[], unused.
 1.5 29-Jun-2013  rmind branches: 1.5.30;
- Rewrite parts of pfil(9): use array to store hooks and thus be more cache
friendly (there are only few hooks in the system). Make the structures
opaque and the interface more strict.
- Remove PFIL_HOOKS option by making pfil(9) mandatory.
 1.4 15-Sep-2012  plunky branches: 1.4.2;
the result of the construct

#define FOO defined(BAR)

#if FOO
[conditional code]
#endif

is "undefined", according to C99 6.10.1 note 4. So, change code like
that to use the following paradigm

#if defined(BAR)
#define FOO 1
#else
#define FOO 0
#endif

#if FOO
[conditional code]
#endif
 1.3 22-Jul-2012  darrenr branches: 1.3.2;
Merge IPFilter 5.1.2 into HEAD
 1.2 23-Mar-2012  christos branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files
 1.1 23-Mar-2012  christos branches: 1.1.1;
Initial revision
 1.1.1.2 22-Jul-2012  darrenr Import IPFilter 5.1.2
 1.1.1.1 23-Mar-2012  christos import kernel portion of ipfilter 5.1.1
 1.2.4.4 22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.2.4.3 30-Oct-2012  yamt sync with head
 1.2.4.2 17-Apr-2012  yamt sync with head
 1.2.4.1 23-Mar-2012  yamt file ip_fil.h was added on branch yamt-pagecache on 2012-04-17 00:08:15 +0000
 1.2.2.2 17-Apr-2012  joerg Re-add new ipf on the jmcneill-usbmp branch.
 1.2.2.1 23-Mar-2012  joerg file ip_fil.h was added on branch jmcneill-usbmp on 2012-04-17 19:25:18 +0000
 1.3.2.2 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.3.2.1 20-Nov-2012  tls Resync to 2012-11-19 00:00:00 UTC
 1.4.2.1 28-Aug-2013  rmind sync with head
 1.5.30.1 25-Jun-2018  pgoyette Sync with HEAD
 1.6.2.1 13-Apr-2020  martin Mostly merge changes from HEAD upto 20200411
 1.7.2.1 11-Nov-2019  martin Pull up following revision(s) (requested by chs in ticket #418):

sys/external/bsd/ipf/netinet/ip_fil.h: revision 1.8

revert rev 1.7 (which removed the fd_local field from frdest_t).
this structure is part of the kernel/user ABI and so we would need to
version the ioctl ABI again in order to remove this field. but that's
a big pain so let's just leave the field there. the problem that
was being fixed in FreeBSD related to this was a failure to locate
filter rules in certain situations, but having an unused always-zero
field there won't cause that problem.
 1.5 08-Feb-2018  mrg updates for GCC 6:

- frentry_4_1_0_to_current() has duplicated code section, found via
the indent checker. didn't setup a test to confirm the bug/fix,
but the other 2 similar functions are similar here now.
 1.4 20-Mar-2014  christos kill sprintf
 1.3 22-Jul-2012  darrenr branches: 1.3.2; 1.3.4;
Merge IPFilter 5.1.2 into HEAD
 1.2 23-Mar-2012  christos branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files
 1.1 23-Mar-2012  christos branches: 1.1.1;
Initial revision
 1.1.1.2 22-Jul-2012  darrenr Import IPFilter 5.1.2
 1.1.1.1 23-Mar-2012  christos import kernel portion of ipfilter 5.1.1
 1.2.4.4 22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.2.4.3 30-Oct-2012  yamt sync with head
 1.2.4.2 17-Apr-2012  yamt sync with head
 1.2.4.1 23-Mar-2012  yamt file ip_fil_compat.c was added on branch yamt-pagecache on 2012-04-17 00:08:15 +0000
 1.2.2.2 17-Apr-2012  joerg Re-add new ipf on the jmcneill-usbmp branch.
 1.2.2.1 23-Mar-2012  joerg file ip_fil_compat.c was added on branch jmcneill-usbmp on 2012-04-17 19:25:18 +0000
 1.3.4.1 18-May-2014  rmind sync with head
 1.3.2.1 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.39 09-Jun-2024  mrg ipfilter(4): mark as MPSAFE.

my testing seems to work fine, and this version was known to work
on solaris with no global locking available.
 1.38 24-Jun-2023  msaitoh Fix typo in comment.
 1.37 28-Mar-2022  riastradh driver(9): devsw_detach never fails. Make it return void.

Prune a whole lotta dead branches as a result of this. (Some logic
calling this is also wrong for other reasons; devsw_detach is final
-- you should never have any reason to decide to roll it back. To be
cleaned up in subsequent commits...)

XXX kernel ABI change to devsw_detach signature requires bump
 1.36 08-Mar-2021  christos Adjust for fewer args in calling functions
 1.35 12-Jun-2020  roy branches: 1.35.2;
ipfilter: Prepare for life without in kernel RA
 1.34 21-Feb-2020  joerg Explicitly cast pointers to uintptr_t before casting to enums. They are
not necessarily the same size. Don't cast pointers to bool, check for
NULL instead.
 1.33 30-Sep-2019  bouyer branches: 1.33.2;
fix double space in comment
 1.32 30-Sep-2019  bouyer Fix 2 bugs, reported by Edgar Fu� on tech-net@
- pfil_run_hooks() can be called recursively, so we have to
#define FASTROUTE_RECURSION in fil.c
- ip6_if_output()/nd6_output() will free the mbuf on error, to make sure
to set *mpp to NULL so the caller won't try to free it again.
 1.31 10-Aug-2018  maxv branches: 1.31.4;
Fix compilation of PF/IPF...
 1.30 10-Aug-2018  maxv Rename

ip6_undefer_csum -> in6_undefer_cksum
in6_delayed_cksum -> in6_undefer_cksum_tcpudp

The two previous names were inconsistent and misleading.

Put the two functions into in6_offload.c. Add comments to explain what
we're doing.

Same as IPv4.
 1.29 11-Jul-2018  maxv Rename

ip_undefer_csum -> in_undefer_cksum
in_delayed_cksum -> in_undefer_cksum_tcpudp

The two previous names were inconsistent and misleading.

Put the two functions into in_offload.c. Add comments to explain what
we're doing.

The same could be done for IPv6.
 1.28 03-May-2018  maxv branches: 1.28.2;
Remove now unused tcpip.h includes. Some were already unused before.
 1.27 03-May-2018  maxv Remove m_copy completely.
 1.26 23-Jul-2017  christos branches: 1.26.2;
use the scoping functions (JINMEI, Tatuya)
 1.25 23-Jul-2017  christos From Edgar Fuss:
ipf's return-icmp doesn't work when the packet matched by the rule is
directed at a link local address. The problem is that
ipf_send_icmp_err() calls ipf_ifpaddr() to find an address of the
interface in question, but that routine discards link local addresses.
I guess the best fix is to simply use the destination address instead if
it is link local, i.e. treat the rule as if return-icmp-as-dest was
given in this case.
 1.24 20-Jul-2017  christos Fix ipf failing to sent TCP RST's on link-local interfaces by stuffing
the scope KAME style before calling the routing routines instead of after.
From Edgar Fuss.
 1.23 12-May-2017  christos branches: 1.23.2;
Call the right filter function for hook removal found by Stephen Borrill.
 1.22 14-Feb-2017  ozaki-r branches: 1.22.4;
Do ND in L2_output in the same manner as arpresolve

The benefits of this change are:
- The flow is consistent with IPv4 (and FreeBSD and OpenBSD)
- old: ip6_output => nd6_output (do ND if needed) => L2_output (lookup a stored cache)
- new: ip6_output => L2_output (lookup a cache. Do ND if cache not found)
- We can remove some workarounds in nd6_output
- We can move L2 specific operations to their own place
- The performance slightly improves because one cache lookup is reduced
 1.21 28-Dec-2016  christos branches: 1.21.2;
use the proper hook function
 1.20 26-Dec-2016  christos pfil(9) improvements to handle address changes:

Add:
PFIL_IFADDR call on interface reconfig (mbuf is ioctl #)
PFIL_IFNET call on interface attach/detach (mbuf is PFIL_IFNET_*)

from rmind@
 1.19 08-Dec-2016  ozaki-r Add rtcache_unref to release points of rtentry stemming from rtcache

In the MP-safe world, a rtentry stemming from a rtcache can be freed at any
points. So we need to protect rtentries somehow say by reference couting or
passive references. Regardless of the method, we need to call some release
function of a rtentry after using it.

The change adds a new function rtcache_unref to release a rtentry. At this
point, this function does nothing because for now we don't add a reference
to a rtentry when we get one from a rtcache. We will add something useful
in a further commit.

This change is a part of changes for MP-safe routing table. It is separated
to avoid one big change that makes difficult to debug by bisecting.
 1.18 18-Jul-2016  pgoyette Rearrange code to avoid testing an error value that has not been set.

Also, for the built-in case, rather than re-inserting our devsw and
then ignoring the EEXIST error, don't bother re-inserting.

CID 1364140
 1.17 17-Jul-2016  pgoyette Another case of not calling devsw_attach() for built-in device modules
 1.16 07-Jul-2016  ozaki-r branches: 1.16.2;
Switch the address list of intefaces to pslist(9)

As usual, we leave the old list to avoid breaking kvm(3) users.
 1.15 20-Jun-2016  knakahara apply if_output_lock() to L3 callers which call ifp->if_output() of L2(or L3 tunneling).
 1.14 10-Jun-2016  ozaki-r Introduce m_set_rcvif and m_reset_rcvif

The API is used to set (or reset) a received interface of a mbuf.
They are counterpart of m_get_rcvif, which will come in another
commit, hide internal of rcvif operation, and reduce the diff of
the upcoming change.

No functional change.
 1.13 09-Jun-2016  pgoyette Enable building of ipfilter code as a separately-loaded module.
 1.12 20-Jan-2016  riastradh Pass the requisite number of arguments to ip_output from ipf.

Fortunately the last argument, struct socket *so, is used only when
flags includes IP_DF (0x4000), which is not the case here -- we pass
IP_FORWARDING (0x0001).
 1.11 25-Jul-2014  dholland branches: 1.11.4;
Add d_discard to all struct cdevsw instances I could find.

All have been set to "nodiscard"; some should get a real implementation.
 1.10 05-Jun-2014  rmind - Implement pktqueue interface for lockless IP input queue.
- Replace ipintrq and ip6intrq with the pktqueue mechanism.
- Eliminate kernel-lock from ipintr() and ip6intr().
- Some preparation work to push softnet_lock out of ipintr().

Discussed on tech-net.
 1.9 13-May-2014  bouyer Make sure *(if_output)() is called with KERNEL_LOCK held.
Add some KASSERT for this.
See http://mail-index.netbsd.org/tech-net/2014/04/09/msg004511.html
for details.
 1.8 16-Mar-2014  dholland branches: 1.8.2;
Change (mostly mechanically) every cdevsw/bdevsw I can find to use
designated initializers.

I have not built every extant kernel so I have probably broken at
least one build; however I've also found and fixed some wrong
cdevsw/bdevsw entries so even if so I think we come out ahead.
 1.7 01-Nov-2013  mrg move variable definition/set inside the same #ifdef of the usage.
 1.6 14-Sep-2013  martin Remove unused variable and ifdef another like their use
 1.5 29-Jun-2013  rmind - Rewrite parts of pfil(9): use array to store hooks and thus be more cache
friendly (there are only few hooks in the system). Make the structures
opaque and the interface more strict.
- Remove PFIL_HOOKS option by making pfil(9) mandatory.
 1.4 15-Jan-2013  msaitoh branches: 1.4.2;
Fix off-by-one read error.
 1.3 22-Jul-2012  darrenr branches: 1.3.2;
Merge IPFilter 5.1.2 into HEAD
 1.2 23-Mar-2012  christos branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files
 1.1 23-Mar-2012  christos branches: 1.1.1;
Initial revision
 1.1.1.2 22-Jul-2012  darrenr Import IPFilter 5.1.2
 1.1.1.1 23-Mar-2012  christos import kernel portion of ipfilter 5.1.1
 1.2.4.5 22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.2.4.4 23-Jan-2013  yamt sync with head
 1.2.4.3 30-Oct-2012  yamt sync with head
 1.2.4.2 17-Apr-2012  yamt sync with head
 1.2.4.1 23-Mar-2012  yamt file ip_fil_netbsd.c was added on branch yamt-pagecache on 2012-04-17 00:08:15 +0000
 1.2.2.2 17-Apr-2012  joerg Re-add new ipf on the jmcneill-usbmp branch.
 1.2.2.1 23-Mar-2012  joerg file ip_fil_netbsd.c was added on branch jmcneill-usbmp on 2012-04-17 19:25:18 +0000
 1.3.2.3 03-Dec-2017  jdolecek update from HEAD
 1.3.2.2 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.3.2.1 25-Feb-2013  tls resync with head
 1.4.2.2 18-May-2014  rmind sync with head
 1.4.2.1 28-Aug-2013  rmind sync with head
 1.8.2.1 10-Aug-2014  tls Rebase.
 1.11.4.5 28-Aug-2017  skrll Sync with HEAD
 1.11.4.4 05-Feb-2017  skrll Sync with HEAD
 1.11.4.3 05-Oct-2016  skrll Sync with HEAD
 1.11.4.2 09-Jul-2016  skrll Sync with HEAD
 1.11.4.1 19-Mar-2016  skrll Sync with HEAD
 1.16.2.6 20-Mar-2017  pgoyette Sync with HEAD
 1.16.2.5 07-Jan-2017  pgoyette Sync with HEAD. (Note that most of these changes are simply $NetBSD$
tag issues.)
 1.16.2.4 26-Jul-2016  pgoyette Rename LOCALCOUNT_INITIALIZER to DEVSW_MODULE_INIT. This better describes
what we're doing, and why.
 1.16.2.3 26-Jul-2016  pgoyette Sync with HEAD
 1.16.2.2 19-Jul-2016  pgoyette Instead of repeatedly typing the conditional initialization of the
.d_localcount members in the various {b,c}devsw, define an initializer
macro and use it. This also removes the need for defining new symbols
for each 'struct localcount'.

As suggested by riastradh@
 1.16.2.1 17-Jul-2016  pgoyette Adapt some modular drivers to the localcount(9) world. We're still
not actually using the localcount stuff, but we need to differentiate
between built-in vs loaded drivers and allocate a "struct localcount"
only for loaded drivers.
 1.21.2.1 21-Apr-2017  bouyer Sync with HEAD
 1.22.4.6 19-May-2017  pgoyette Resolve conflicts from previous merge (all resulting from $NetBSD
keywork expansion)
 1.22.4.5 02-May-2017  pgoyette Keep NetBSD version in sync with sys/params.h

XXX When localcount is finally committed to HEAD, it will need a version
XXX bump, so we'll need to make the bump here, too
 1.22.4.4 29-Apr-2017  pgoyette Remove more unnecessary #include for sys/localcount.h
 1.22.4.3 29-Apr-2017  pgoyette Revise previous. Rather than explicitly including <sys/localcount.h>
in all the places where {b,c}devsw is initialized, just include it
from <sys/conf.h>. This avoids an include-sequence dependancy.
 1.22.4.2 29-Apr-2017  pgoyette Add DEVSW_MODULE_INIT to existing device-driver modules, so that they
willl have a localcount defined and thus be permitted to load. Without
a localcount, loading the module will return EINVAL.

XXX the dtrace and drm stuff might need to be fed back upstream?
 1.22.4.1 27-Apr-2017  pgoyette Restore all work from the former pgoyette-localcount branch (which is
now abandoned doe to cvs merge botch).

The branch now builds, and installs via anita. There are still some
problems (cgd is non-functional and all atf tests time-out) but they
will get resolved soon.
 1.23.2.2 04-Oct-2019  martin Pull up following revision(s) (requested by bouyer in ticket #1399):

sys/external/bsd/ipf/netinet/fil.c: revision 1.31
sys/external/bsd/ipf/netinet/ip_fil_netbsd.c: revision 1.32
sys/external/bsd/ipf/netinet/ip_fil_netbsd.c: revision 1.33

Fix 2 bugs, reported by Edgar Fuss on tech-net@
- pfil_run_hooks() can be called recursively, so we have to
#define FASTROUTE_RECURSION in fil.c
- ip6_if_output()/nd6_output() will free the mbuf on error, to make sure
to set *mpp to NULL so the caller won't try to free it again.

fix double space in comment
 1.23.2.1 14-Aug-2017  snj Pull up following revision(s) (requested by christos in ticket #206):
sys/external/bsd/ipf/netinet/ip_fil_netbsd.c: 1.24-1.26
Fix ipf failing to sent TCP RST's on link-local interfaces by stuffing
the scope KAME style before calling the routing routines instead of after.
From Edgar Fuss.
--
From Edgar Fuss:
ipf's return-icmp doesn't work when the packet matched by the rule is
directed at a link local address. The problem is that
ipf_send_icmp_err() calls ipf_ifpaddr() to find an address of the
interface in question, but that routine discards link local addresses.
I guess the best fix is to simply use the destination address instead if
it is link local, i.e. treat the rule as if return-icmp-as-dest was
given in this case.
--
use the scoping functions (JINMEI, Tatuya)
 1.26.2.3 06-Sep-2018  pgoyette Sync with HEAD

Resolve a couple of conflicts (result of the uimin/uimax changes)
 1.26.2.2 28-Jul-2018  pgoyette Sync with HEAD
 1.26.2.1 21-May-2018  pgoyette Sync with HEAD
 1.28.2.3 13-Apr-2020  martin Mostly merge changes from HEAD upto 20200411
 1.28.2.2 08-Apr-2020  martin Merge changes from current as of 20200406
 1.28.2.1 10-Jun-2019  christos Sync with HEAD
 1.31.4.1 03-Oct-2019  martin Pull up following revision(s) (requested by bouyer in ticket #274):

sys/external/bsd/ipf/netinet/fil.c: revision 1.31
sys/external/bsd/ipf/netinet/ip_fil_netbsd.c: revision 1.32
sys/external/bsd/ipf/netinet/ip_fil_netbsd.c: revision 1.33

Fix 2 bugs, reported by Edgar Fuss on tech-net@
- pfil_run_hooks() can be called recursively, so we have to
#define FASTROUTE_RECURSION in fil.c
- ip6_if_output()/nd6_output() will free the mbuf on error, to make sure
to set *mpp to NULL so the caller won't try to free it again.

fix double space in comment
 1.33.2.1 29-Feb-2020  ad Sync with head.
 1.35.2.1 03-Apr-2021  thorpej Sync with HEAD.
 1.8 05-Apr-2020  christos PR/55137: Kouichi Hashikawa: ipfstat -f incorrect output
- make sure frag is initialized to 0
- initialize ipfr_p field
 1.7 03-Jun-2018  maxv branches: 1.7.2; 1.7.6;
Constify a bunch of global varialbes under ipf/ so that they land in
.rodata (3472 bytes).

Also, remove ipf_tuneables[], unused.
 1.6 03-May-2018  maxv Remove now unused tcpip.h includes. Some were already unused before.
 1.5 23-Apr-2017  christos branches: 1.5.10;
Free the right fragment (Cy Schubert @ FreeBSD). This will cause use after free
issues and eventually panic.
 1.4 13-Jan-2017  christos Don't play with the linked list while holding only a read lock!
 1.3 22-Jul-2012  darrenr branches: 1.3.2; 1.3.14; 1.3.16; 1.3.18; 1.3.20; 1.3.24;
Merge IPFilter 5.1.2 into HEAD
 1.2 23-Mar-2012  christos branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files
 1.1 23-Mar-2012  christos branches: 1.1.1;
Initial revision
 1.1.1.2 22-Jul-2012  darrenr Import IPFilter 5.1.2
 1.1.1.1 23-Mar-2012  christos import kernel portion of ipfilter 5.1.1
 1.2.4.3 30-Oct-2012  yamt sync with head
 1.2.4.2 17-Apr-2012  yamt sync with head
 1.2.4.1 23-Mar-2012  yamt file ip_frag.c was added on branch yamt-pagecache on 2012-04-17 00:08:15 +0000
 1.2.2.2 17-Apr-2012  joerg Re-add new ipf on the jmcneill-usbmp branch.
 1.2.2.1 23-Mar-2012  joerg file ip_frag.c was added on branch jmcneill-usbmp on 2012-04-17 19:25:18 +0000
 1.3.24.1 12-Jul-2017  sborrill Pull up the following revisions(s) (requested by christos in ticket #1412):
sys/external/bsd/ipf/netinet/fil.c: revision 1.20
sys/external/bsd/ipf/netinet/ip_state.c: revision 1.7
sys/external/bsd/ipf/netinet/ip_frag.c: revision 1.5

Disconnect maintaining fragment state from keeping session state. The user
now must specify keep frags along with keep state to have ipfilter do what
it did before, as documented in ipf.conf.5.
Free the right fragment. This will cause use after free issues and eventually
panic.
 1.3.20.2 26-Apr-2017  pgoyette Sync with HEAD
 1.3.20.1 20-Mar-2017  pgoyette Sync with HEAD
 1.3.18.1 25-Aug-2017  snj Pull up following revision(s) (requested by mrg in ticket #1412):
sys/external/bsd/ipf/netinet/fil.c: revision 1.20
sys/external/bsd/ipf/netinet/ip_frag.c: revision 1.5
sys/external/bsd/ipf/netinet/ip_state.c: revision 1.7
Disconnect maintaining fragment state from keeping session state. The user
now must specify keep frags along with keep state to have ipfilter do what
it did before, as documented in ipf.conf.5. (Cy Schubert @ FreeBSD)
--
Free the right fragment (Cy Schubert @ FreeBSD). This will cause use after free
issues and eventually panic.
 1.3.16.2 28-Aug-2017  skrll Sync with HEAD
 1.3.16.1 05-Feb-2017  skrll Sync with HEAD
 1.3.14.1 29-Jun-2017  sborrill Pull up the following revisions(s) (requested by christos in ticket #1412):
sys/external/bsd/ipf/netinet/fil.c: revision 1.20
sys/external/bsd/ipf/netinet/ip_state.c: revision 1.7
sys/external/bsd/ipf/netinet/ip_frag.c: revision 1.5

Disconnect maintaining fragment state from keeping session state. The user
now must specify keep frags along with keep state to have ipfilter do what
it did before, as documented in ipf.conf.5.
Free the right fragment. This will cause use after free issues and eventually
panic.
 1.3.2.1 03-Dec-2017  jdolecek update from HEAD
 1.5.10.2 25-Jun-2018  pgoyette Sync with HEAD
 1.5.10.1 21-May-2018  pgoyette Sync with HEAD
 1.7.6.1 12-Apr-2020  martin Pull up following revision(s) (requested by christos in ticket #827):

sys/external/bsd/ipf/netinet/fil.c: revision 1.32
sys/external/bsd/ipf/netinet/fil.c: revision 1.33
sys/external/bsd/ipf/netinet/ip_frag.c: revision 1.8

PR/55137: Kouichi Hashikawa: ipfstat -f incorrect output
Fix incorrect byte order.

PR/55137: Kouichi Hashikawa: ipfstat -f incorrect output
- make sure frag is initialized to 0
- initialize ipfr_p field

PR/55149: Kouichi Hashikawa: Get morefrag before we strip it out from off
 1.7.2.1 08-Apr-2020  martin Merge changes from current as of 20200406
 1.3 22-Jul-2012  darrenr Merge IPFilter 5.1.2 into HEAD
 1.2 23-Mar-2012  christos branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files
 1.1 23-Mar-2012  christos branches: 1.1.1;
Initial revision
 1.1.1.2 22-Jul-2012  darrenr Import IPFilter 5.1.2
 1.1.1.1 23-Mar-2012  christos import kernel portion of ipfilter 5.1.1
 1.2.4.3 30-Oct-2012  yamt sync with head
 1.2.4.2 17-Apr-2012  yamt sync with head
 1.2.4.1 23-Mar-2012  yamt file ip_frag.h was added on branch yamt-pagecache on 2012-04-17 00:08:15 +0000
 1.2.2.2 17-Apr-2012  joerg Re-add new ipf on the jmcneill-usbmp branch.
 1.2.2.1 23-Mar-2012  joerg file ip_frag.h was added on branch jmcneill-usbmp on 2012-04-17 19:25:19 +0000
 1.7 03-Jun-2018  maxv Constify a bunch of global varialbes under ipf/ so that they land in
.rodata (3472 bytes).

Also, remove ipf_tuneables[], unused.
 1.6 16-Oct-2016  mrg branches: 1.6.14;
fix !INET6 builds
 1.5 20-Mar-2014  christos branches: 1.5.6; 1.5.10;
kill sprintf
 1.4 30-Jul-2012  pgoyette branches: 1.4.2; 1.4.4;
Make ipf compile even without INET6 support.

Changes have been fed upstream (to darrenr@)
 1.3 22-Jul-2012  darrenr Merge IPFilter 5.1.2 into HEAD
 1.2 23-Mar-2012  christos branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files
 1.1 23-Mar-2012  christos branches: 1.1.1;
Initial revision
 1.1.1.2 22-Jul-2012  darrenr Import IPFilter 5.1.2
 1.1.1.1 23-Mar-2012  christos import kernel portion of ipfilter 5.1.1
 1.2.4.4 22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.2.4.3 30-Oct-2012  yamt sync with head
 1.2.4.2 17-Apr-2012  yamt sync with head
 1.2.4.1 23-Mar-2012  yamt file ip_ftp_pxy.c was added on branch yamt-pagecache on 2012-04-17 00:08:15 +0000
 1.2.2.2 17-Apr-2012  joerg Re-add new ipf on the jmcneill-usbmp branch.
 1.2.2.1 23-Mar-2012  joerg file ip_ftp_pxy.c was added on branch jmcneill-usbmp on 2012-04-17 19:25:19 +0000
 1.4.4.1 18-May-2014  rmind sync with head
 1.4.2.2 03-Dec-2017  jdolecek update from HEAD
 1.4.2.1 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.5.10.1 04-Nov-2016  pgoyette Sync with HEAD
 1.5.6.1 05-Dec-2016  skrll Sync with HEAD
 1.6.14.1 25-Jun-2018  pgoyette Sync with HEAD
 1.2 22-Jul-2012  darrenr Merge IPFilter 5.1.2 into HEAD
 1.1 23-Mar-2012  christos branches: 1.1.2; 1.1.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files
 1.1.4.3 30-Oct-2012  yamt sync with head
 1.1.4.2 17-Apr-2012  yamt sync with head
 1.1.4.1 23-Mar-2012  yamt file ip_h323_pxy.c was added on branch yamt-pagecache on 2012-04-17 00:08:15 +0000
 1.1.2.2 17-Apr-2012  joerg Re-add new ipf on the jmcneill-usbmp branch.
 1.1.2.1 23-Mar-2012  joerg file ip_h323_pxy.c was added on branch jmcneill-usbmp on 2012-04-17 19:25:19 +0000
 1.7 09-Jun-2016  pgoyette Enable building of ipfilter code as a separately-loaded module.
 1.6 20-Mar-2014  christos branches: 1.6.6;
kill sprintf
 1.5 27-Feb-2014  joerg A member of a non-null struct pointer can't be null.
 1.4 14-Sep-2013  martin Remove unused variable
 1.3 22-Jul-2012  darrenr branches: 1.3.2; 1.3.4;
Merge IPFilter 5.1.2 into HEAD
 1.2 23-Mar-2012  christos branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files
 1.1 23-Mar-2012  christos branches: 1.1.1;
Initial revision
 1.1.1.2 22-Jul-2012  darrenr Import IPFilter 5.1.2
 1.1.1.1 23-Mar-2012  christos import kernel portion of ipfilter 5.1.1
 1.2.4.4 22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.2.4.3 30-Oct-2012  yamt sync with head
 1.2.4.2 17-Apr-2012  yamt sync with head
 1.2.4.1 23-Mar-2012  yamt file ip_htable.c was added on branch yamt-pagecache on 2012-04-17 00:08:16 +0000
 1.2.2.2 17-Apr-2012  joerg Re-add new ipf on the jmcneill-usbmp branch.
 1.2.2.1 23-Mar-2012  joerg file ip_htable.c was added on branch jmcneill-usbmp on 2012-04-17 19:25:19 +0000
 1.3.4.1 18-May-2014  rmind sync with head
 1.3.2.2 03-Dec-2017  jdolecek update from HEAD
 1.3.2.1 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.6.6.1 09-Jul-2016  skrll Sync with HEAD
 1.3 22-Jul-2012  darrenr Merge IPFilter 5.1.2 into HEAD
 1.2 23-Mar-2012  christos branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files
 1.1 23-Mar-2012  christos branches: 1.1.1;
Initial revision
 1.1.1.2 22-Jul-2012  darrenr Import IPFilter 5.1.2
 1.1.1.1 23-Mar-2012  christos import kernel portion of ipfilter 5.1.1
 1.2.4.3 30-Oct-2012  yamt sync with head
 1.2.4.2 17-Apr-2012  yamt sync with head
 1.2.4.1 23-Mar-2012  yamt file ip_htable.h was added on branch yamt-pagecache on 2012-04-17 00:08:16 +0000
 1.2.2.2 17-Apr-2012  joerg Re-add new ipf on the jmcneill-usbmp branch.
 1.2.2.1 23-Mar-2012  joerg file ip_htable.h was added on branch jmcneill-usbmp on 2012-04-17 19:25:19 +0000
 1.3 22-Jul-2012  darrenr Merge IPFilter 5.1.2 into HEAD
 1.2 23-Mar-2012  christos branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files
 1.1 23-Mar-2012  christos branches: 1.1.1;
Initial revision
 1.1.1.2 22-Jul-2012  darrenr Import IPFilter 5.1.2
 1.1.1.1 23-Mar-2012  christos import kernel portion of ipfilter 5.1.1
 1.2.4.3 30-Oct-2012  yamt sync with head
 1.2.4.2 17-Apr-2012  yamt sync with head
 1.2.4.1 23-Mar-2012  yamt file ip_ipsec_pxy.c was added on branch yamt-pagecache on 2012-04-17 00:08:16 +0000
 1.2.2.2 17-Apr-2012  joerg Re-add new ipf on the jmcneill-usbmp branch.
 1.2.2.1 23-Mar-2012  joerg file ip_ipsec_pxy.c was added on branch jmcneill-usbmp on 2012-04-17 19:25:19 +0000
 1.4 20-Mar-2014  christos kill sprintf
 1.3 22-Jul-2012  darrenr branches: 1.3.2; 1.3.4;
Merge IPFilter 5.1.2 into HEAD
 1.2 23-Mar-2012  christos branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files
 1.1 23-Mar-2012  christos branches: 1.1.1;
Initial revision
 1.1.1.2 22-Jul-2012  darrenr Import IPFilter 5.1.2
 1.1.1.1 23-Mar-2012  christos import kernel portion of ipfilter 5.1.1
 1.2.4.4 22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.2.4.3 30-Oct-2012  yamt sync with head
 1.2.4.2 17-Apr-2012  yamt sync with head
 1.2.4.1 23-Mar-2012  yamt file ip_irc_pxy.c was added on branch yamt-pagecache on 2012-04-17 00:08:16 +0000
 1.2.2.2 17-Apr-2012  joerg Re-add new ipf on the jmcneill-usbmp branch.
 1.2.2.1 23-Mar-2012  joerg file ip_irc_pxy.c was added on branch jmcneill-usbmp on 2012-04-17 19:25:19 +0000
 1.3.4.1 18-May-2014  rmind sync with head
 1.3.2.1 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.8 03-Jun-2018  maxv Constify a bunch of global varialbes under ipf/ so that they land in
.rodata (3472 bytes).

Also, remove ipf_tuneables[], unused.
 1.7 03-May-2018  maxv Remove now unused tcpip.h includes. Some were already unused before.
 1.6 28-Mar-2013  christos branches: 1.6.34;
Destroying the mutex once is enough.
 1.5 27-Mar-2013  christos call mutex destroy in fini, so that we don't end up with a lockdebug panic
when we re-attach.
 1.4 15-Sep-2012  plunky the result of the construct

#define FOO defined(BAR)

#if FOO
[conditional code]
#endif

is "undefined", according to C99 6.10.1 note 4. So, change code like
that to use the following paradigm

#if defined(BAR)
#define FOO 1
#else
#define FOO 0
#endif

#if FOO
[conditional code]
#endif
 1.3 22-Jul-2012  darrenr branches: 1.3.2;
Merge IPFilter 5.1.2 into HEAD
 1.2 23-Mar-2012  christos branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files
 1.1 23-Mar-2012  christos branches: 1.1.1;
Initial revision
 1.1.1.2 22-Jul-2012  darrenr Import IPFilter 5.1.2
 1.1.1.1 23-Mar-2012  christos import kernel portion of ipfilter 5.1.1
 1.2.4.4 22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.2.4.3 30-Oct-2012  yamt sync with head
 1.2.4.2 17-Apr-2012  yamt sync with head
 1.2.4.1 23-Mar-2012  yamt file ip_log.c was added on branch yamt-pagecache on 2012-04-17 00:08:16 +0000
 1.2.2.2 17-Apr-2012  joerg Re-add new ipf on the jmcneill-usbmp branch.
 1.2.2.1 23-Mar-2012  joerg file ip_log.c was added on branch jmcneill-usbmp on 2012-04-17 19:25:19 +0000
 1.3.2.2 23-Jun-2013  tls resync from head
 1.3.2.1 20-Nov-2012  tls Resync to 2012-11-19 00:00:00 UTC
 1.6.34.2 25-Jun-2018  pgoyette Sync with HEAD
 1.6.34.1 21-May-2018  pgoyette Sync with HEAD
 1.5 09-Jun-2016  pgoyette Enable building of ipfilter code as a separately-loaded module.
 1.4 20-Mar-2014  christos branches: 1.4.6;
kill sprintf
 1.3 22-Jul-2012  darrenr branches: 1.3.2; 1.3.4;
Merge IPFilter 5.1.2 into HEAD
 1.2 23-Mar-2012  christos branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files
 1.1 23-Mar-2012  christos branches: 1.1.1;
Initial revision
 1.1.1.2 22-Jul-2012  darrenr Import IPFilter 5.1.2
 1.1.1.1 23-Mar-2012  christos import kernel portion of ipfilter 5.1.1
 1.2.4.4 22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.2.4.3 30-Oct-2012  yamt sync with head
 1.2.4.2 17-Apr-2012  yamt sync with head
 1.2.4.1 23-Mar-2012  yamt file ip_lookup.c was added on branch yamt-pagecache on 2012-04-17 00:08:16 +0000
 1.2.2.2 17-Apr-2012  joerg Re-add new ipf on the jmcneill-usbmp branch.
 1.2.2.1 23-Mar-2012  joerg file ip_lookup.c was added on branch jmcneill-usbmp on 2012-04-17 19:25:20 +0000
 1.3.4.1 18-May-2014  rmind sync with head
 1.3.2.2 03-Dec-2017  jdolecek update from HEAD
 1.3.2.1 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.4.6.1 09-Jul-2016  skrll Sync with HEAD
 1.3 22-Jul-2012  darrenr Merge IPFilter 5.1.2 into HEAD
 1.2 23-Mar-2012  christos branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files
 1.1 23-Mar-2012  christos branches: 1.1.1;
Initial revision
 1.1.1.2 22-Jul-2012  darrenr Import IPFilter 5.1.2
 1.1.1.1 23-Mar-2012  christos import kernel portion of ipfilter 5.1.1
 1.2.4.3 30-Oct-2012  yamt sync with head
 1.2.4.2 17-Apr-2012  yamt sync with head
 1.2.4.1 23-Mar-2012  yamt file ip_lookup.h was added on branch yamt-pagecache on 2012-04-17 00:08:16 +0000
 1.2.2.2 17-Apr-2012  joerg Re-add new ipf on the jmcneill-usbmp branch.
 1.2.2.1 23-Mar-2012  joerg file ip_lookup.h was added on branch jmcneill-usbmp on 2012-04-17 19:25:20 +0000
 1.27 08-Sep-2024  rillig fix a/an grammar in obvious cases
 1.26 02-Feb-2022  msaitoh branches: 1.26.10;
s/Incluse/Include/
 1.25 21-Sep-2021  christos don't opencode kauth_cred_get()
 1.24 26-May-2021  christos Fix ip_nat memory leak and use-after-free, wrong element freed (Cy Schubert)
https://cgit.freebsd.org/src/commit/?id=323a4e2c4e285e6f8eee8db3fe2cb74
 1.23 01-Aug-2020  maxv branches: 1.23.6; 1.23.8;
Remove #ifdef BRIDGE_IPF, compile in the code by default. Sent to
tech-net@.
 1.22 24-Jun-2020  jdolecek reduce stack usage in ipf_nat_ioctl()

also, in SIOCADNAT, make sure to not leak kernel data
 1.21 04-Feb-2019  mrg add fallthru comments.
 1.20 03-Jun-2018  maxv branches: 1.20.2;
Constify a bunch of global varialbes under ipf/ so that they land in
.rodata (3472 bytes).

Also, remove ipf_tuneables[], unused.
 1.19 03-May-2018  maxv Remove now unused tcpip.h includes. Some were already unused before.
 1.18 01-Jul-2017  khorben branches: 1.18.4;
Typo
 1.17 04-Oct-2016  sborrill Fix lookup of original destination address when using a redirect rule.
This is required for transparent proxying by squid, for example.
 1.16 17-Mar-2016  khorben branches: 1.16.2;
Fix matching of ICMP queries when NAT'd through IPF

This notably fixes MTU updates for hosts issueing ICMP queries through a
NAT performed by NetBSD with IPF.
 1.15 06-Oct-2015  prlw1 Update comments to match previous change (avoid panic in SIOCGNATL)
 1.14 07-Aug-2015  prlw1 Avoid panic in SIOCGNATL dereferencing a NULL softc.
Solution suggestion from Martin Husemann.
 1.13 12-Jul-2014  darrenr branches: 1.13.2; 1.13.4;
PR kern/47665
For ICMP packets, use the "oicmpid" and "nicmpid" fields explicitly rather
than overloading those with "port" in them and expecting them to work.
 1.12 28-Jun-2014  darrenr #537 NAT rules with sticky have incorrect hostmap IP address
 1.11 27-Feb-2014  joerg branches: 1.11.2;
Checking the return value of an allocator works better, when looking at
the stored pointer.
 1.10 14-Sep-2013  martin Remove unused variables
 1.9 09-Jan-2013  christos branches: 1.9.2;
Back out my last change, which was a partial fix for hash code computation problems.
Apply Darren's more complete reworking of hash code computation.
Ensure that the struct containing the red-black tree head is properly initialized.
From Geoff Adams
 1.8 05-Jan-2013  christos Fix bucket and chain counts on nat lists from Geoff Adams:

The problem was that ipf_nat_delete wasn't swapping inbound and
outbound hash codes for inbound NAT entries, so it was essentially
always looking in the wrong buckets in those cases. But because of
the way the linked list works, I don't think any NAT entries were
actually leaked. But since all the bucket counters and chain count
were getting messed up, things did start to go bad after a while.
(New NAT entries wouldn't be created, for instance.)

The fix is in the ipf_nat_delete function, itself; the other changes
are a slight refactoring of one method and adding some comments
that helped me figure out how the linked list with pointer-back-pointers
worked.

Also note that I haven't looked through the logic in ipf_nat_rehash;
it's likely that that might miss some things for the same reason.

I also haven't yet looked into the ipf_nat_newrdr problem with mappings
already existing. That'll be next.
 1.7 20-Dec-2012  christos - Replace the seemingly broken built-in ipf rbtree implementation with ours.
- Fix typos in comments
- Fix 2 mutex errors
From Geoff Adams
 1.6 30-Jul-2012  pgoyette branches: 1.6.2;
Make ipf compile even without INET6 support.

Changes have been fed upstream (to darrenr@)
 1.5 22-Jul-2012  darrenr ansify new function definition
 1.4 22-Jul-2012  darrenr ansify new function definition
 1.3 22-Jul-2012  darrenr Merge IPFilter 5.1.2 into HEAD
 1.2 23-Mar-2012  christos branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files
 1.1 23-Mar-2012  christos branches: 1.1.1;
Initial revision
 1.1.1.2 22-Jul-2012  darrenr Import IPFilter 5.1.2
 1.1.1.1 23-Mar-2012  christos import kernel portion of ipfilter 5.1.1
 1.2.4.5 22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.2.4.4 23-Jan-2013  yamt sync with head
 1.2.4.3 30-Oct-2012  yamt sync with head
 1.2.4.2 17-Apr-2012  yamt sync with head
 1.2.4.1 23-Mar-2012  yamt file ip_nat.c was added on branch yamt-pagecache on 2012-04-17 00:08:16 +0000
 1.2.2.2 17-Apr-2012  joerg Re-add new ipf on the jmcneill-usbmp branch.
 1.2.2.1 23-Mar-2012  joerg file ip_nat.c was added on branch jmcneill-usbmp on 2012-04-17 19:25:20 +0000
 1.6.2.3 03-Dec-2017  jdolecek update from HEAD
 1.6.2.2 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.6.2.1 25-Feb-2013  tls resync with head
 1.9.2.1 18-May-2014  rmind sync with head
 1.11.2.1 10-Aug-2014  tls Rebase.
 1.13.4.5 28-Aug-2017  skrll Sync with HEAD
 1.13.4.4 05-Dec-2016  skrll Sync with HEAD
 1.13.4.3 19-Mar-2016  skrll Sync with HEAD
 1.13.4.2 27-Dec-2015  skrll Sync with HEAD (as of 26th Dec)
 1.13.4.1 22-Sep-2015  skrll Sync with HEAD
 1.13.2.3 24-Dec-2016  snj Pull up following revision(s) (requested by sborrill in ticket #1261):
sys/external/bsd/ipf/netinet/ip_nat.c: revision 1.17
sys/external/bsd/ipf/netinet/ip_nat6.c: revision 1.10
Fix lookup of original destination address when using a redirect rule.
This is required for transparent proxying by squid, for example.
 1.13.2.2 29-Apr-2016  snj branches: 1.13.2.2.2;
Pull up following revision(s) (requested by khorben in ticket #1148):
sys/external/bsd/ipf/netinet/ip_nat.c: revision 1.16
Fix matching of ICMP queries when NAT'd through IPF
This notably fixes MTU updates for hosts issueing ICMP queries through a
NAT performed by NetBSD with IPF.
 1.13.2.1 08-Aug-2015  martin Pull up following revision(s) (requested by prlw1 in ticket #939):
sys/external/bsd/ipf/netinet/ip_nat.h: revision 1.7
sys/external/bsd/ipf/netinet/ip_nat.c: revision 1.14
sys/external/bsd/ipf/netinet/ip_nat6.c: revision 1.8
Avoid panic in SIOCGNATL dereferencing a NULL softc.
Solution suggestion from Martin Husemann.
 1.13.2.2.2.1 18-Jan-2017  skrll Sync with netbsd-5
 1.16.2.1 04-Nov-2016  pgoyette Sync with HEAD
 1.18.4.2 25-Jun-2018  pgoyette Sync with HEAD
 1.18.4.1 21-May-2018  pgoyette Sync with HEAD
 1.20.2.1 10-Jun-2019  christos Sync with HEAD
 1.23.8.1 31-May-2021  cjep sync with head
 1.23.6.1 17-Jun-2021  thorpej Sync w/ HEAD.
 1.26.10.1 02-Aug-2025  perseant Sync with HEAD
 1.8 07-May-2022  mrg remove conditional code that defines members of natstat_t.

kernels without INET6 support end up with a different size of
this structure than the userland does and then it errors:

# ipnat -l
70:ioctl(SIOCGNATS) object size mismatch for copying out ipfobj

with these members (which are zeroed at ipf init) enabled, the
size check works.


XXX: pullup-9 (change tested there.)
 1.7 07-Aug-2015  prlw1 Avoid panic in SIOCGNATL dereferencing a NULL softc.
Solution suggestion from Martin Husemann.
 1.6 09-Jan-2013  christos branches: 1.6.12; 1.6.14;
Back out my last change, which was a partial fix for hash code computation problems.
Apply Darren's more complete reworking of hash code computation.
Ensure that the struct containing the red-black tree head is properly initialized.
From Geoff Adams
 1.5 05-Jan-2013  christos Fix bucket and chain counts on nat lists from Geoff Adams:

The problem was that ipf_nat_delete wasn't swapping inbound and
outbound hash codes for inbound NAT entries, so it was essentially
always looking in the wrong buckets in those cases. But because of
the way the linked list works, I don't think any NAT entries were
actually leaked. But since all the bucket counters and chain count
were getting messed up, things did start to go bad after a while.
(New NAT entries wouldn't be created, for instance.)

The fix is in the ipf_nat_delete function, itself; the other changes
are a slight refactoring of one method and adding some comments
that helped me figure out how the linked list with pointer-back-pointers
worked.

Also note that I haven't looked through the logic in ipf_nat_rehash;
it's likely that that might miss some things for the same reason.

I also haven't yet looked into the ipf_nat_newrdr problem with mappings
already existing. That'll be next.
 1.4 15-Sep-2012  plunky the result of the construct

#define FOO defined(BAR)

#if FOO
[conditional code]
#endif

is "undefined", according to C99 6.10.1 note 4. So, change code like
that to use the following paradigm

#if defined(BAR)
#define FOO 1
#else
#define FOO 0
#endif

#if FOO
[conditional code]
#endif
 1.3 22-Jul-2012  darrenr branches: 1.3.2;
Merge IPFilter 5.1.2 into HEAD
 1.2 23-Mar-2012  christos branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files
 1.1 23-Mar-2012  christos branches: 1.1.1;
Initial revision
 1.1.1.2 22-Jul-2012  darrenr Import IPFilter 5.1.2
 1.1.1.1 23-Mar-2012  christos import kernel portion of ipfilter 5.1.1
 1.2.4.4 23-Jan-2013  yamt sync with head
 1.2.4.3 30-Oct-2012  yamt sync with head
 1.2.4.2 17-Apr-2012  yamt sync with head
 1.2.4.1 23-Mar-2012  yamt file ip_nat.h was added on branch yamt-pagecache on 2012-04-17 00:08:16 +0000
 1.2.2.2 17-Apr-2012  joerg Re-add new ipf on the jmcneill-usbmp branch.
 1.2.2.1 23-Mar-2012  joerg file ip_nat.h was added on branch jmcneill-usbmp on 2012-04-17 19:25:20 +0000
 1.3.2.3 03-Dec-2017  jdolecek update from HEAD
 1.3.2.2 25-Feb-2013  tls resync with head
 1.3.2.1 20-Nov-2012  tls Resync to 2012-11-19 00:00:00 UTC
 1.6.14.1 22-Sep-2015  skrll Sync with HEAD
 1.6.12.1 08-Aug-2015  martin Pull up following revision(s) (requested by prlw1 in ticket #939):
sys/external/bsd/ipf/netinet/ip_nat.h: revision 1.7
sys/external/bsd/ipf/netinet/ip_nat.c: revision 1.14
sys/external/bsd/ipf/netinet/ip_nat6.c: revision 1.8
Avoid panic in SIOCGNATL dereferencing a NULL softc.
Solution suggestion from Martin Husemann.
 1.13 08-Sep-2024  rillig fix a/an grammar in obvious cases
 1.12 10-Feb-2021  christos branches: 1.12.24;
From Cy Schubert:

ipfilter: Use the softn (NAT softc) host map size in ip_nat6
calculation. The ipfilter NAT table host map size is a tunable
that defaults to a macro value defined at build time. HOSTMAP_SIZE
is saved in softn (the ipnat softc) at initialization. It can be
tuned (changed) at runtime using the ipf -T command. If the
hostmap_size tunable is adjusted the calculation to determine where
to put new entries in the table was incorrect. Use the tunable in
the NAT softc instead of the static build time value.
 1.11 03-May-2018  maxv branches: 1.11.14;
Remove now unused tcpip.h includes. Some were already unused before.
 1.10 04-Oct-2016  sborrill branches: 1.10.14;
Fix lookup of original destination address when using a redirect rule.
This is required for transparent proxying by squid, for example.
 1.9 06-Oct-2015  prlw1 branches: 1.9.2;
Update comments to match previous change (avoid panic in SIOCGNATL)
 1.8 07-Aug-2015  prlw1 Avoid panic in SIOCGNATL dereferencing a NULL softc.
Solution suggestion from Martin Husemann.
 1.7 01-Apr-2014  christos branches: 1.7.4; 1.7.6;
Remove SCCS prefix from RCS string!
 1.6 14-Sep-2013  joerg Use __KERNEL_RCSID.
 1.5 14-Sep-2013  martin Remove a few unused variables, ifdef others like their use
 1.4 09-Jan-2013  christos branches: 1.4.2;
Back out my last change, which was a partial fix for hash code computation problems.
Apply Darren's more complete reworking of hash code computation.
Ensure that the struct containing the red-black tree head is properly initialized.
From Geoff Adams
 1.3 22-Jul-2012  darrenr branches: 1.3.2;
Merge IPFilter 5.1.2 into HEAD
 1.2 23-Mar-2012  christos branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files
 1.1 23-Mar-2012  christos branches: 1.1.1;
Initial revision
 1.1.1.2 22-Jul-2012  darrenr Import IPFilter 5.1.2
 1.1.1.1 23-Mar-2012  christos import kernel portion of ipfilter 5.1.1
 1.2.4.5 22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.2.4.4 23-Jan-2013  yamt sync with head
 1.2.4.3 30-Oct-2012  yamt sync with head
 1.2.4.2 17-Apr-2012  yamt sync with head
 1.2.4.1 23-Mar-2012  yamt file ip_nat6.c was added on branch yamt-pagecache on 2012-04-17 00:08:16 +0000
 1.2.2.2 17-Apr-2012  joerg Re-add new ipf on the jmcneill-usbmp branch.
 1.2.2.1 23-Mar-2012  joerg file ip_nat6.c was added on branch jmcneill-usbmp on 2012-04-17 19:25:20 +0000
 1.3.2.3 03-Dec-2017  jdolecek update from HEAD
 1.3.2.2 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.3.2.1 25-Feb-2013  tls resync with head
 1.4.2.1 18-May-2014  rmind sync with head
 1.7.6.3 05-Dec-2016  skrll Sync with HEAD
 1.7.6.2 27-Dec-2015  skrll Sync with HEAD (as of 26th Dec)
 1.7.6.1 22-Sep-2015  skrll Sync with HEAD
 1.7.4.2 24-Dec-2016  snj Pull up following revision(s) (requested by sborrill in ticket #1261):
sys/external/bsd/ipf/netinet/ip_nat.c: revision 1.17
sys/external/bsd/ipf/netinet/ip_nat6.c: revision 1.10
Fix lookup of original destination address when using a redirect rule.
This is required for transparent proxying by squid, for example.
 1.7.4.1 08-Aug-2015  martin branches: 1.7.4.1.4;
Pull up following revision(s) (requested by prlw1 in ticket #939):
sys/external/bsd/ipf/netinet/ip_nat.h: revision 1.7
sys/external/bsd/ipf/netinet/ip_nat.c: revision 1.14
sys/external/bsd/ipf/netinet/ip_nat6.c: revision 1.8
Avoid panic in SIOCGNATL dereferencing a NULL softc.
Solution suggestion from Martin Husemann.
 1.7.4.1.4.1 18-Jan-2017  skrll Sync with netbsd-5
 1.9.2.1 04-Nov-2016  pgoyette Sync with HEAD
 1.10.14.1 21-May-2018  pgoyette Sync with HEAD
 1.11.14.1 03-Apr-2021  thorpej Sync with HEAD.
 1.12.24.1 02-Aug-2025  perseant Sync with HEAD
 1.3 22-Jul-2012  darrenr Merge IPFilter 5.1.2 into HEAD
 1.2 23-Mar-2012  christos branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files
 1.1 23-Mar-2012  christos branches: 1.1.1;
Initial revision
 1.1.1.2 22-Jul-2012  darrenr Import IPFilter 5.1.2
 1.1.1.1 23-Mar-2012  christos import kernel portion of ipfilter 5.1.1
 1.2.4.3 30-Oct-2012  yamt sync with head
 1.2.4.2 17-Apr-2012  yamt sync with head
 1.2.4.1 23-Mar-2012  yamt file ip_netbios_pxy.c was added on branch yamt-pagecache on 2012-04-17 00:08:16 +0000
 1.2.2.2 17-Apr-2012  joerg Re-add new ipf on the jmcneill-usbmp branch.
 1.2.2.1 23-Mar-2012  joerg file ip_netbios_pxy.c was added on branch jmcneill-usbmp on 2012-04-17 19:25:20 +0000
 1.5 09-Jun-2016  pgoyette Enable building of ipfilter code as a separately-loaded module.
 1.4 20-Mar-2014  christos branches: 1.4.6;
kill sprintf
 1.3 22-Jul-2012  darrenr branches: 1.3.2; 1.3.4;
Merge IPFilter 5.1.2 into HEAD
 1.2 23-Mar-2012  christos branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files
 1.1 23-Mar-2012  christos branches: 1.1.1;
Initial revision
 1.1.1.2 22-Jul-2012  darrenr Import IPFilter 5.1.2
 1.1.1.1 23-Mar-2012  christos import kernel portion of ipfilter 5.1.1
 1.2.4.4 22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.2.4.3 30-Oct-2012  yamt sync with head
 1.2.4.2 17-Apr-2012  yamt sync with head
 1.2.4.1 23-Mar-2012  yamt file ip_pool.c was added on branch yamt-pagecache on 2012-04-17 00:08:16 +0000
 1.2.2.2 17-Apr-2012  joerg Re-add new ipf on the jmcneill-usbmp branch.
 1.2.2.1 23-Mar-2012  joerg file ip_pool.c was added on branch jmcneill-usbmp on 2012-04-17 19:25:21 +0000
 1.3.4.1 18-May-2014  rmind sync with head
 1.3.2.2 03-Dec-2017  jdolecek update from HEAD
 1.3.2.1 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.4.6.1 09-Jul-2016  skrll Sync with HEAD
 1.3 22-Jul-2012  darrenr Merge IPFilter 5.1.2 into HEAD
 1.2 23-Mar-2012  christos branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files
 1.1 23-Mar-2012  christos branches: 1.1.1;
Initial revision
 1.1.1.2 22-Jul-2012  darrenr Import IPFilter 5.1.2
 1.1.1.1 23-Mar-2012  christos import kernel portion of ipfilter 5.1.1
 1.2.4.3 30-Oct-2012  yamt sync with head
 1.2.4.2 17-Apr-2012  yamt sync with head
 1.2.4.1 23-Mar-2012  yamt file ip_pool.h was added on branch yamt-pagecache on 2012-04-17 00:08:16 +0000
 1.2.2.2 17-Apr-2012  joerg Re-add new ipf on the jmcneill-usbmp branch.
 1.2.2.1 23-Mar-2012  joerg file ip_pool.h was added on branch jmcneill-usbmp on 2012-04-17 19:25:21 +0000
 1.3 22-Jul-2012  darrenr Merge IPFilter 5.1.2 into HEAD
 1.2 23-Mar-2012  christos branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files
 1.1 23-Mar-2012  christos branches: 1.1.1;
Initial revision
 1.1.1.2 22-Jul-2012  darrenr Import IPFilter 5.1.2
 1.1.1.1 23-Mar-2012  christos import kernel portion of ipfilter 5.1.1
 1.2.4.3 30-Oct-2012  yamt sync with head
 1.2.4.2 17-Apr-2012  yamt sync with head
 1.2.4.1 23-Mar-2012  yamt file ip_pptp_pxy.c was added on branch yamt-pagecache on 2012-04-17 00:08:16 +0000
 1.2.2.2 17-Apr-2012  joerg Re-add new ipf on the jmcneill-usbmp branch.
 1.2.2.1 23-Mar-2012  joerg file ip_pptp_pxy.c was added on branch jmcneill-usbmp on 2012-04-17 19:25:21 +0000
 1.8 08-Sep-2024  rillig fix a/an grammar in obvious cases
 1.7 03-Jun-2018  maxv branches: 1.7.38;
Constify a bunch of global varialbes under ipf/ so that they land in
.rodata (3472 bytes).

Also, remove ipf_tuneables[], unused.
 1.6 03-May-2018  maxv Remove now unused tcpip.h includes. Some were already unused before.
 1.5 22-Jul-2012  darrenr branches: 1.5.38;
ansify new function definition
 1.4 22-Jul-2012  darrenr h323 proxy removed
 1.3 22-Jul-2012  darrenr Merge IPFilter 5.1.2 into HEAD
 1.2 23-Mar-2012  christos branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files
 1.1 23-Mar-2012  christos branches: 1.1.1;
Initial revision
 1.1.1.2 22-Jul-2012  darrenr Import IPFilter 5.1.2
 1.1.1.1 23-Mar-2012  christos import kernel portion of ipfilter 5.1.1
 1.2.4.3 30-Oct-2012  yamt sync with head
 1.2.4.2 17-Apr-2012  yamt sync with head
 1.2.4.1 23-Mar-2012  yamt file ip_proxy.c was added on branch yamt-pagecache on 2012-04-17 00:08:16 +0000
 1.2.2.2 17-Apr-2012  joerg Re-add new ipf on the jmcneill-usbmp branch.
 1.2.2.1 23-Mar-2012  joerg file ip_proxy.c was added on branch jmcneill-usbmp on 2012-04-17 19:25:21 +0000
 1.5.38.2 25-Jun-2018  pgoyette Sync with HEAD
 1.5.38.1 21-May-2018  pgoyette Sync with HEAD
 1.7.38.1 02-Aug-2025  perseant Sync with HEAD
 1.4 15-Sep-2012  plunky the result of the construct

#define FOO defined(BAR)

#if FOO
[conditional code]
#endif

is "undefined", according to C99 6.10.1 note 4. So, change code like
that to use the following paradigm

#if defined(BAR)
#define FOO 1
#else
#define FOO 0
#endif

#if FOO
[conditional code]
#endif
 1.3 22-Jul-2012  darrenr branches: 1.3.2;
Merge IPFilter 5.1.2 into HEAD
 1.2 23-Mar-2012  christos branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files
 1.1 23-Mar-2012  christos branches: 1.1.1;
Initial revision
 1.1.1.2 22-Jul-2012  darrenr Import IPFilter 5.1.2
 1.1.1.1 23-Mar-2012  christos import kernel portion of ipfilter 5.1.1
 1.2.4.3 30-Oct-2012  yamt sync with head
 1.2.4.2 17-Apr-2012  yamt sync with head
 1.2.4.1 23-Mar-2012  yamt file ip_proxy.h was added on branch yamt-pagecache on 2012-04-17 00:08:16 +0000
 1.2.2.2 17-Apr-2012  joerg Re-add new ipf on the jmcneill-usbmp branch.
 1.2.2.1 23-Mar-2012  joerg file ip_proxy.h was added on branch jmcneill-usbmp on 2012-04-17 19:25:21 +0000
 1.3.2.1 20-Nov-2012  tls Resync to 2012-11-19 00:00:00 UTC
 1.3 22-Jul-2012  darrenr Merge IPFilter 5.1.2 into HEAD
 1.2 23-Mar-2012  christos branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files
 1.1 23-Mar-2012  christos branches: 1.1.1;
Initial revision
 1.1.1.2 22-Jul-2012  darrenr Import IPFilter 5.1.2
 1.1.1.1 23-Mar-2012  christos import kernel portion of ipfilter 5.1.1
 1.2.4.3 30-Oct-2012  yamt sync with head
 1.2.4.2 17-Apr-2012  yamt sync with head
 1.2.4.1 23-Mar-2012  yamt file ip_raudio_pxy.c was added on branch yamt-pagecache on 2012-04-17 00:08:16 +0000
 1.2.2.2 17-Apr-2012  joerg Re-add new ipf on the jmcneill-usbmp branch.
 1.2.2.1 23-Mar-2012  joerg file ip_raudio_pxy.c was added on branch jmcneill-usbmp on 2012-04-17 19:25:21 +0000
 1.5 14-Sep-2013  martin Remove unused variables
 1.4 30-Jul-2012  pgoyette branches: 1.4.2; 1.4.4;
Make ipf compile even without INET6 support.

Changes have been fed upstream (to darrenr@)
 1.3 22-Jul-2012  darrenr Merge IPFilter 5.1.2 into HEAD
 1.2 23-Mar-2012  christos branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files
 1.1 23-Mar-2012  christos branches: 1.1.1;
Initial revision
 1.1.1.2 22-Jul-2012  darrenr Import IPFilter 5.1.2
 1.1.1.1 23-Mar-2012  christos import kernel portion of ipfilter 5.1.1
 1.2.4.4 22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.2.4.3 30-Oct-2012  yamt sync with head
 1.2.4.2 17-Apr-2012  yamt sync with head
 1.2.4.1 23-Mar-2012  yamt file ip_rcmd_pxy.c was added on branch yamt-pagecache on 2012-04-17 00:08:16 +0000
 1.2.2.2 17-Apr-2012  joerg Re-add new ipf on the jmcneill-usbmp branch.
 1.2.2.1 23-Mar-2012  joerg file ip_rcmd_pxy.c was added on branch jmcneill-usbmp on 2012-04-17 19:25:21 +0000
 1.4.4.1 18-May-2014  rmind sync with head
 1.4.2.1 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.4 20-Mar-2014  christos kill sprintf
 1.3 22-Jul-2012  darrenr branches: 1.3.2; 1.3.4;
Merge IPFilter 5.1.2 into HEAD
 1.2 23-Mar-2012  christos branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files
 1.1 23-Mar-2012  christos branches: 1.1.1;
Initial revision
 1.1.1.2 22-Jul-2012  darrenr Import IPFilter 5.1.2
 1.1.1.1 23-Mar-2012  christos import kernel portion of ipfilter 5.1.1
 1.2.4.4 22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.2.4.3 30-Oct-2012  yamt sync with head
 1.2.4.2 17-Apr-2012  yamt sync with head
 1.2.4.1 23-Mar-2012  yamt file ip_rpcb_pxy.c was added on branch yamt-pagecache on 2012-04-17 00:08:16 +0000
 1.2.2.2 17-Apr-2012  joerg Re-add new ipf on the jmcneill-usbmp branch.
 1.2.2.1 23-Mar-2012  joerg file ip_rpcb_pxy.c was added on branch jmcneill-usbmp on 2012-04-17 19:25:21 +0000
 1.3.4.1 18-May-2014  rmind sync with head
 1.3.2.1 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.3 22-Jul-2012  darrenr Merge IPFilter 5.1.2 into HEAD
 1.2 23-Mar-2012  christos branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files
 1.1 23-Mar-2012  christos branches: 1.1.1;
Initial revision
 1.1.1.2 22-Jul-2012  darrenr Import IPFilter 5.1.2
 1.1.1.1 23-Mar-2012  christos import kernel portion of ipfilter 5.1.1
 1.2.4.3 30-Oct-2012  yamt sync with head
 1.2.4.2 17-Apr-2012  yamt sync with head
 1.2.4.1 23-Mar-2012  yamt file ip_scan.c was added on branch yamt-pagecache on 2012-04-17 00:08:16 +0000
 1.2.2.2 17-Apr-2012  joerg Re-add new ipf on the jmcneill-usbmp branch.
 1.2.2.1 23-Mar-2012  joerg file ip_scan.c was added on branch jmcneill-usbmp on 2012-04-17 19:25:21 +0000
 1.3 22-Jul-2012  darrenr Merge IPFilter 5.1.2 into HEAD
 1.2 23-Mar-2012  christos branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files
 1.1 23-Mar-2012  christos branches: 1.1.1;
Initial revision
 1.1.1.2 22-Jul-2012  darrenr Import IPFilter 5.1.2
 1.1.1.1 23-Mar-2012  christos import kernel portion of ipfilter 5.1.1
 1.2.4.3 30-Oct-2012  yamt sync with head
 1.2.4.2 17-Apr-2012  yamt sync with head
 1.2.4.1 23-Mar-2012  yamt file ip_scan.h was added on branch yamt-pagecache on 2012-04-17 00:08:16 +0000
 1.2.2.2 17-Apr-2012  joerg Re-add new ipf on the jmcneill-usbmp branch.
 1.2.2.1 23-Mar-2012  joerg file ip_scan.h was added on branch jmcneill-usbmp on 2012-04-17 19:25:21 +0000
 1.12 18-Apr-2020  christos be consistent about byte flipping (cosmetic no functional change)
 1.11 03-Jun-2018  maxv branches: 1.11.2; 1.11.12;
Constify a bunch of global varialbes under ipf/ so that they land in
.rodata (3472 bytes).

Also, remove ipf_tuneables[], unused.
 1.10 12-Oct-2017  christos branches: 1.10.2;
put back the cast.
 1.9 12-Oct-2017  christos When growing the state, remember to grow the seed array, otherwise we'll end
up accessing memory we did not allocate.
 1.8 01-Jul-2017  khorben Typo
 1.7 23-Apr-2017  christos branches: 1.7.4;
Disconnect maintaining fragment state from keeping session state. The user
now must specify keep frags along with keep state to have ipfilter do what
it did before, as documented in ipf.conf.5. (Cy Schubert @ FreeBSD)
 1.6 14-Sep-2013  martin branches: 1.6.4; 1.6.6; 1.6.8; 1.6.10; 1.6.16;
Remove unused variables
 1.5 09-Jan-2013  christos branches: 1.5.2;
Back out my last change, which was a partial fix for hash code computation problems.
Apply Darren's more complete reworking of hash code computation.
Ensure that the struct containing the red-black tree head is properly initialized.
From Geoff Adams
 1.4 20-Dec-2012  christos - Replace the seemingly broken built-in ipf rbtree implementation with ours.
- Fix typos in comments
- Fix 2 mutex errors
From Geoff Adams
 1.3 22-Jul-2012  darrenr branches: 1.3.2;
Merge IPFilter 5.1.2 into HEAD
 1.2 23-Mar-2012  christos branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files
 1.1 23-Mar-2012  christos branches: 1.1.1;
Initial revision
 1.1.1.2 22-Jul-2012  darrenr Import IPFilter 5.1.2
 1.1.1.1 23-Mar-2012  christos import kernel portion of ipfilter 5.1.1
 1.2.4.5 22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.2.4.4 23-Jan-2013  yamt sync with head
 1.2.4.3 30-Oct-2012  yamt sync with head
 1.2.4.2 17-Apr-2012  yamt sync with head
 1.2.4.1 23-Mar-2012  yamt file ip_state.c was added on branch yamt-pagecache on 2012-04-17 00:08:16 +0000
 1.2.2.2 17-Apr-2012  joerg Re-add new ipf on the jmcneill-usbmp branch.
 1.2.2.1 23-Mar-2012  joerg file ip_state.c was added on branch jmcneill-usbmp on 2012-04-17 19:25:22 +0000
 1.3.2.3 03-Dec-2017  jdolecek update from HEAD
 1.3.2.2 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.3.2.1 25-Feb-2013  tls resync with head
 1.5.2.1 18-May-2014  rmind sync with head
 1.6.16.2 03-Jan-2018  snj Pull up following revision(s) (requested by sborrill in ticket #1525):
sys/external/bsd/ipf/netinet/ip_state.c: 1.9-1.10
When growing the state, remember to grow the seed array, otherwise we'll end
up accessing memory we did not allocate.
--
put back the cast.
 1.6.16.1 12-Jul-2017  sborrill Pull up the following revisions(s) (requested by christos in ticket #1412):
sys/external/bsd/ipf/netinet/fil.c: revision 1.20
sys/external/bsd/ipf/netinet/ip_state.c: revision 1.7
sys/external/bsd/ipf/netinet/ip_frag.c: revision 1.5

Disconnect maintaining fragment state from keeping session state. The user
now must specify keep frags along with keep state to have ipfilter do what
it did before, as documented in ipf.conf.5.
Free the right fragment. This will cause use after free issues and eventually
panic.
 1.6.10.1 26-Apr-2017  pgoyette Sync with HEAD
 1.6.8.2 03-Jan-2018  snj Pull up following revision(s) (requested by sborrill in ticket #1525):
sys/external/bsd/ipf/netinet/ip_state.c: 1.9-1.10
When growing the state, remember to grow the seed array, otherwise we'll end
up accessing memory we did not allocate.
--
put back the cast.
 1.6.8.1 25-Aug-2017  snj Pull up following revision(s) (requested by mrg in ticket #1412):
sys/external/bsd/ipf/netinet/fil.c: revision 1.20
sys/external/bsd/ipf/netinet/ip_frag.c: revision 1.5
sys/external/bsd/ipf/netinet/ip_state.c: revision 1.7
Disconnect maintaining fragment state from keeping session state. The user
now must specify keep frags along with keep state to have ipfilter do what
it did before, as documented in ipf.conf.5. (Cy Schubert @ FreeBSD)
--
Free the right fragment (Cy Schubert @ FreeBSD). This will cause use after free
issues and eventually panic.
 1.6.6.1 28-Aug-2017  skrll Sync with HEAD
 1.6.4.2 03-Jan-2018  snj Pull up following revision(s) (requested by sborrill in ticket #1525):
sys/external/bsd/ipf/netinet/ip_state.c: 1.9-1.10
When growing the state, remember to grow the seed array, otherwise we'll end
up accessing memory we did not allocate.
--
put back the cast.
 1.6.4.1 29-Jun-2017  sborrill Pull up the following revisions(s) (requested by christos in ticket #1412):
sys/external/bsd/ipf/netinet/fil.c: revision 1.20
sys/external/bsd/ipf/netinet/ip_state.c: revision 1.7
sys/external/bsd/ipf/netinet/ip_frag.c: revision 1.5

Disconnect maintaining fragment state from keeping session state. The user
now must specify keep frags along with keep state to have ipfilter do what
it did before, as documented in ipf.conf.5.
Free the right fragment. This will cause use after free issues and eventually
panic.
 1.7.4.1 17-Nov-2017  snj Pull up following revision(s) (requested by sborrill in ticket #352):
sys/external/bsd/ipf/netinet/ip_state.c: 1.9-1.10
When growing the state, remember to grow the seed array, otherwise we'll end
up accessing memory we did not allocate.
--
put back the cast.
 1.10.2.1 25-Jun-2018  pgoyette Sync with HEAD
 1.11.12.1 20-Apr-2020  bouyer Sync with HEAD
 1.11.2.1 21-Apr-2020  martin Sync with HEAD
 1.3 22-Jul-2012  darrenr Merge IPFilter 5.1.2 into HEAD
 1.2 23-Mar-2012  christos branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files
 1.1 23-Mar-2012  christos branches: 1.1.1;
Initial revision
 1.1.1.2 22-Jul-2012  darrenr Import IPFilter 5.1.2
 1.1.1.1 23-Mar-2012  christos import kernel portion of ipfilter 5.1.1
 1.2.4.3 30-Oct-2012  yamt sync with head
 1.2.4.2 17-Apr-2012  yamt sync with head
 1.2.4.1 23-Mar-2012  yamt file ip_state.h was added on branch yamt-pagecache on 2012-04-17 00:08:17 +0000
 1.2.2.2 17-Apr-2012  joerg Re-add new ipf on the jmcneill-usbmp branch.
 1.2.2.1 23-Mar-2012  joerg file ip_state.h was added on branch jmcneill-usbmp on 2012-04-17 19:25:22 +0000
 1.6 03-May-2018  maxv Remove now unused tcpip.h includes. Some were already unused before.
 1.5 14-Sep-2013  martin branches: 1.5.28;
Fix return value of ipf_sync_nat
 1.4 22-Jul-2012  martin branches: 1.4.2; 1.4.4;
Fix printf format
 1.3 22-Jul-2012  darrenr Merge IPFilter 5.1.2 into HEAD
 1.2 23-Mar-2012  christos branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files
 1.1 23-Mar-2012  christos branches: 1.1.1;
Initial revision
 1.1.1.2 22-Jul-2012  darrenr Import IPFilter 5.1.2
 1.1.1.1 23-Mar-2012  christos import kernel portion of ipfilter 5.1.1
 1.2.4.4 22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.2.4.3 30-Oct-2012  yamt sync with head
 1.2.4.2 17-Apr-2012  yamt sync with head
 1.2.4.1 23-Mar-2012  yamt file ip_sync.c was added on branch yamt-pagecache on 2012-04-17 00:08:17 +0000
 1.2.2.2 17-Apr-2012  joerg Re-add new ipf on the jmcneill-usbmp branch.
 1.2.2.1 23-Mar-2012  joerg file ip_sync.c was added on branch jmcneill-usbmp on 2012-04-17 19:25:22 +0000
 1.4.4.1 18-May-2014  rmind sync with head
 1.4.2.1 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.5.28.1 21-May-2018  pgoyette Sync with HEAD
 1.3 22-Jul-2012  darrenr Merge IPFilter 5.1.2 into HEAD
 1.2 23-Mar-2012  christos branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files
 1.1 23-Mar-2012  christos branches: 1.1.1;
Initial revision
 1.1.1.2 22-Jul-2012  darrenr Import IPFilter 5.1.2
 1.1.1.1 23-Mar-2012  christos import kernel portion of ipfilter 5.1.1
 1.2.4.3 30-Oct-2012  yamt sync with head
 1.2.4.2 17-Apr-2012  yamt sync with head
 1.2.4.1 23-Mar-2012  yamt file ip_sync.h was added on branch yamt-pagecache on 2012-04-17 00:08:17 +0000
 1.2.2.2 17-Apr-2012  joerg Re-add new ipf on the jmcneill-usbmp branch.
 1.2.2.1 23-Mar-2012  joerg file ip_sync.h was added on branch jmcneill-usbmp on 2012-04-17 19:25:22 +0000
 1.6 03-Jun-2018  maxv Constify a bunch of global varialbes under ipf/ so that they land in
.rodata (3472 bytes).

Also, remove ipf_tuneables[], unused.
 1.5 30-Jul-2012  pgoyette branches: 1.5.38;
Make ipf compile even without INET6 support.

Changes have been fed upstream (to darrenr@)
 1.4 22-Jul-2012  darrenr ansify new function definition
 1.3 22-Jul-2012  darrenr Merge IPFilter 5.1.2 into HEAD
 1.2 23-Mar-2012  christos branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files
 1.1 23-Mar-2012  christos branches: 1.1.1;
Initial revision
 1.1.1.2 22-Jul-2012  darrenr Import IPFilter 5.1.2
 1.1.1.1 23-Mar-2012  christos import kernel portion of ipfilter 5.1.1
 1.2.4.3 30-Oct-2012  yamt sync with head
 1.2.4.2 17-Apr-2012  yamt sync with head
 1.2.4.1 23-Mar-2012  yamt file ip_tftp_pxy.c was added on branch yamt-pagecache on 2012-04-17 00:08:17 +0000
 1.2.2.2 17-Apr-2012  joerg Re-add new ipf on the jmcneill-usbmp branch.
 1.2.2.1 23-Mar-2012  joerg file ip_tftp_pxy.c was added on branch jmcneill-usbmp on 2012-04-17 19:25:22 +0000
 1.5.38.1 25-Jun-2018  pgoyette Sync with HEAD
 1.5 09-Jan-2013  christos Back out my last change, which was a partial fix for hash code computation problems.
Apply Darren's more complete reworking of hash code computation.
Ensure that the struct containing the red-black tree head is properly initialized.
From Geoff Adams
 1.4 20-Dec-2012  christos - Replace the seemingly broken built-in ipf rbtree implementation with ours.
- Fix typos in comments
- Fix 2 mutex errors
From Geoff Adams
 1.3 22-Jul-2012  darrenr branches: 1.3.2;
Merge IPFilter 5.1.2 into HEAD
 1.2 23-Mar-2012  christos branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files
 1.1 23-Mar-2012  christos branches: 1.1.1;
Initial revision
 1.1.1.2 22-Jul-2012  darrenr Import IPFilter 5.1.2
 1.1.1.1 23-Mar-2012  christos import kernel portion of ipfilter 5.1.1
 1.2.4.4 23-Jan-2013  yamt sync with head
 1.2.4.3 30-Oct-2012  yamt sync with head
 1.2.4.2 17-Apr-2012  yamt sync with head
 1.2.4.1 23-Mar-2012  yamt file ipf_rb.h was added on branch yamt-pagecache on 2012-04-17 00:08:17 +0000
 1.2.2.2 17-Apr-2012  joerg Re-add new ipf on the jmcneill-usbmp branch.
 1.2.2.1 23-Mar-2012  joerg file ipf_rb.h was added on branch jmcneill-usbmp on 2012-04-17 19:25:22 +0000
 1.3.2.1 25-Feb-2013  tls resync with head
 1.3 22-Jul-2012  darrenr Merge IPFilter 5.1.2 into HEAD
 1.2 23-Mar-2012  christos branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files
 1.1 23-Mar-2012  christos branches: 1.1.1;
Initial revision
 1.1.1.2 22-Jul-2012  darrenr Import IPFilter 5.1.2
 1.1.1.1 23-Mar-2012  christos import kernel portion of ipfilter 5.1.1
 1.2.4.3 30-Oct-2012  yamt sync with head
 1.2.4.2 17-Apr-2012  yamt sync with head
 1.2.4.1 23-Mar-2012  yamt file ipl.h was added on branch yamt-pagecache on 2012-04-17 00:08:17 +0000
 1.2.2.2 17-Apr-2012  joerg Re-add new ipf on the jmcneill-usbmp branch.
 1.2.2.1 23-Mar-2012  joerg file ipl.h was added on branch jmcneill-usbmp on 2012-04-17 19:25:22 +0000
 1.6 15-Dec-2015  christos PR/50559: David Binderman: Add missing free()'s after calls to randomize().
 1.5 20-Mar-2014  christos branches: 1.5.6;
kill sprintf
 1.4 15-Sep-2013  martin Remove unused variable
 1.3 22-Jul-2012  darrenr branches: 1.3.2; 1.3.4;
Merge IPFilter 5.1.2 into HEAD
 1.2 23-Mar-2012  christos branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files
 1.1 23-Mar-2012  christos branches: 1.1.1;
Initial revision
 1.1.1.2 22-Jul-2012  darrenr Import IPFilter 5.1.2
 1.1.1.1 23-Mar-2012  christos import kernel portion of ipfilter 5.1.1
 1.2.4.4 22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.2.4.3 30-Oct-2012  yamt sync with head
 1.2.4.2 17-Apr-2012  yamt sync with head
 1.2.4.1 23-Mar-2012  yamt file radix_ipf.c was added on branch yamt-pagecache on 2012-04-17 00:08:17 +0000
 1.2.2.2 17-Apr-2012  joerg Re-add new ipf on the jmcneill-usbmp branch.
 1.2.2.1 23-Mar-2012  joerg file radix_ipf.c was added on branch jmcneill-usbmp on 2012-04-17 19:25:22 +0000
 1.3.4.1 18-May-2014  rmind sync with head
 1.3.2.2 03-Dec-2017  jdolecek update from HEAD
 1.3.2.1 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.5.6.1 27-Dec-2015  skrll Sync with HEAD (as of 26th Dec)
 1.3 22-Jul-2012  darrenr Merge IPFilter 5.1.2 into HEAD
 1.2 23-Mar-2012  christos branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files
 1.1 23-Mar-2012  christos branches: 1.1.1;
Initial revision
 1.1.1.2 22-Jul-2012  darrenr Import IPFilter 5.1.2
 1.1.1.1 23-Mar-2012  christos import kernel portion of ipfilter 5.1.1
 1.2.4.3 30-Oct-2012  yamt sync with head
 1.2.4.2 17-Apr-2012  yamt sync with head
 1.2.4.1 23-Mar-2012  yamt file radix_ipf.h was added on branch yamt-pagecache on 2012-04-17 00:08:17 +0000
 1.2.2.2 17-Apr-2012  joerg Re-add new ipf on the jmcneill-usbmp branch.
 1.2.2.1 23-Mar-2012  joerg file radix_ipf.h was added on branch jmcneill-usbmp on 2012-04-17 19:25:23 +0000

RSS XML Feed