Home | History | Annotate | only in /src/sys/net/npf
History log of /src/sys/net/npf
RevisionDateAuthorComments
 1.2 19-Sep-2013  rmind NPF: G/C n-code in favour of BPF byte-code. Delete lots of code, mmm!
 1.1 22-Aug-2010  rmind branches: 1.1.2; 1.1.4; 1.1.10; 1.1.14; 1.1.24; 1.1.28;
Import NPF - a packet filter. Some features:

- Designed to be fully MP-safe and highly efficient.

- Tables/IP sets (hash or red-black tree) for high performance lookups.

- Stateful filtering and Network Address Port Translation (NAPT).
Framework for application level gateways (ALGs).

- Packet inspection engine called n-code processor - inspired by BPF -
supporting generic RISC-like and specific CISC-like instructions for
common patterns (e.g. IPv4 address matching). See npf_ncode(9) manual.

- Convenient userland utility npfctl(8) with npf.conf(8).

NOTE: This is not yet a fully capable alternative to PF or IPFilter.
Further work (support for binat/rdr, return-rst/return-icmp, common ALGs,
state saving/restoring, logging, etc) is in progress.

Thanks a lot to Matt Thomas for various useful comments and code review.
Aye by: board@
 1.1.28.1 18-May-2014  rmind sync with head
 1.1.24.1 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.1.14.1 22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.1.10.2 05-Mar-2011  rmind sync with head
 1.1.10.1 22-Aug-2010  rmind file Makefile was added on branch rmind-uvmplock on 2011-03-05 20:55:54 +0000
 1.1.4.2 22-Oct-2010  uebayasi Sync with HEAD (-D20101022).
 1.1.4.1 22-Aug-2010  uebayasi file Makefile was added on branch uebayasi-xip on 2010-10-22 09:23:14 +0000
 1.1.2.2 09-Oct-2010  yamt sync with head
 1.1.2.1 22-Aug-2010  yamt file Makefile was added on branch yamt-nfs-mp on 2010-10-09 03:32:37 +0000
 1.2 17-Apr-2025  gdt npf: Adjust README following tech-kern@ discussion

This text has been adjusted to follow the rough consensus of the
public comments and a number of off-list comments.
 1.1 29-Sep-2018  rmind branches: 1.1.2; 1.1.6; 1.1.40;
NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.
 1.1.40.1 02-Aug-2025  perseant Sync with HEAD
 1.1.6.2 10-Jun-2019  christos Sync with HEAD
 1.1.6.1 29-Sep-2018  christos file README was added on branch phil-wifi on 2019-06-10 22:09:46 +0000
 1.1.2.2 30-Sep-2018  pgoyette Ssync with HEAD
 1.1.2.1 29-Sep-2018  pgoyette file README was added on branch pgoyette-compat on 2018-09-30 01:45:56 +0000
 1.24 01-Jun-2025  joe kernel: extract rules, lookup socket, process filtering, reviews by christos@
 1.23 30-May-2020  rmind branches: 1.23.26;
Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.

- Amend and improve the manual pages.
 1.22 23-Jul-2019  rmind branches: 1.22.2;
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.
 1.21 29-Sep-2018  rmind NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.
 1.20 02-Jan-2017  rmind branches: 1.20.14; 1.20.16;
NPF: implement dynamic handling of interface addresses (the kernel part).
 1.19 26-Dec-2016  christos Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)
 1.18 09-Dec-2016  christos This patches ditches the ptree(3) library, because it is broken (you
can get missing entries!). Instead, as a temporary solution, we switch
to a simple linear scan of the hash tables for the longest-prefix-match
(lpm.c lpm.h) algorithm. In fact, with few unique prefixes in the set,
on modern hardware this simple algorithm is pretty fast anyway!
 1.17 19-Jul-2014  rmind branches: 1.17.2; 1.17.4; 1.17.8; 1.17.10;
NPF: partially rewrite the connection tracking mechanism:
- Separate the tracking interface from the storage (state table)
and thus prepare to use a new data structure for the storage.
- Fix some race conditions in NAT association logic.
 1.16 08-Nov-2013  rmind branches: 1.16.2;
NPF: add support for specifying the interfaces before they are attached.
If an interface is or gets detached, all associated rules and connections
will be deactivated (it might be useful to have an option to invalidate
the associated connections). Once the interface is reattached they will
become active.

Bump NPF_VERSION.
 1.15 19-Sep-2013  rmind NPF: G/C n-code in favour of BPF byte-code. Delete lots of code, mmm!
 1.14 19-Sep-2013  rmind - Convert NPF to use BPF byte-code by default. Compile BPF byte-code in
npfctl(8) and generate separate marks to describe the filter criteria.
- Rewrite 'npfctl show' functionality and fix some of the bugs.
- npftest: add a test for BPF COP.
- Bump NPF_VERSION.
 1.13 02-Jun-2013  rmind branches: 1.13.2;
- NPF connection tracking: rework synchronisation on tracking disable/enable
points and document it. Split the worker thread into a separate module
with an interface, so it could be re-used for other tasks.
- Replace ALG list with arrays and thus hit fewer cache lines.
- Misc bug fixes.
 1.12 12-Mar-2013  christos normali{s,z}e
 1.11 10-Mar-2013  christos Split the npflog cloner and auto-load the extensions.
 1.10 09-Feb-2013  rmind NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
 1.9 10-Dec-2012  rmind Add NPF "rndblock" extension to randomly drop packets (using a random function
with a percentage or modulo operation). This is a demo module, although it can
be used for packet loss simulation. Example of a procedure in npf.conf:

procedure "somedrop" {
# Drop 1.9% of the traffic
rndblock: percentage 1.9
}
 1.8 16-Sep-2012  rmind Implement dynamic NPF extensions interface. An extension consists of
dynamically loaded module (.so) supplementing npfctl(8) and a kernel
module. Move normalisation and logging functionality into their own
extensions. More improvements to come.
 1.7 15-Jul-2012  rmind branches: 1.7.2;
- Rework NPF tables and fix support for IPv6. Implement tree table type
using radix / Patricia tree. Universal IPv4/IPv6 comparator for ptree(3)
was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.
 1.6 06-Feb-2012  rmind branches: 1.6.2;
- Split NPF rule procedure code into a separate module (no functional changes).
- Simplify some code, add more comments, some asserts.
- G/C unused rule hook code.
 1.5 29-Nov-2011  rmind branches: 1.5.2;
- Rework and improve TCP state tracking.
- Fix regressions after IPv6 patch merge.

Note: npfctl(8) rework will come soon.
 1.4 18-Dec-2010  rmind branches: 1.4.6; 1.4.10;
NPF checkpoint:
- Add support for session saving/restoring.
- Add packet logging support (can tcpdump a pseudo-interface).
- Support reload without flushing of sessions; rework some locking.
- Revisit session mangement, replace linking with npf_sentry_t entries.
- Add some counters for statistics, using percpu(9).
- Add IP_DF flag cleansing.
- Fix various bugs; misc clean-up.
 1.3 11-Nov-2010  rmind NPF checkpoint:
- Add proper TCP state tracking as described in Guido van Rooij paper,
plus handle TCP Window Scaling option.
- Completely rework npf_cache_t, reduce granularity, simplify code.
- Add npf_addr_t as an abstraction, amend session handling code, as well
as NAT code et al, to use it. Now design is prepared for IPv6 support.
- Handle IPv4 fragments i.e. perform packet reassembly.
- Add support for IPv4 ID randomization and minimum TTL enforcement.
- Add support for TCP MSS "clamping".
- Random bits for IPv6. Various fixes and clean-up.
 1.2 16-Sep-2010  rmind branches: 1.2.2; 1.2.4;
NPF checkpoint:
- Add support for bi-directional NAT and redirection / port forwarding.
- Finish filtering on ICMP type/code and add filtering on TCP flags.
- Add support for TCP reset (RST) or ICMP destination unreachable on block.
- Fix a bunch of bugs; misc cleanup.
 1.1 22-Aug-2010  rmind Import NPF - a packet filter. Some features:

- Designed to be fully MP-safe and highly efficient.

- Tables/IP sets (hash or red-black tree) for high performance lookups.

- Stateful filtering and Network Address Port Translation (NAPT).
Framework for application level gateways (ALGs).

- Packet inspection engine called n-code processor - inspired by BPF -
supporting generic RISC-like and specific CISC-like instructions for
common patterns (e.g. IPv4 address matching). See npf_ncode(9) manual.

- Convenient userland utility npfctl(8) with npf.conf(8).

NOTE: This is not yet a fully capable alternative to PF or IPFilter.
Further work (support for binat/rdr, return-rst/return-icmp, common ALGs,
state saving/restoring, logging, etc) is in progress.

Thanks a lot to Matt Thomas for various useful comments and code review.
Aye by: board@
 1.2.4.2 22-Oct-2010  uebayasi Sync with HEAD (-D20101022).
 1.2.4.1 16-Sep-2010  uebayasi file files.npf was added on branch uebayasi-xip on 2010-10-22 09:23:14 +0000
 1.2.2.2 09-Oct-2010  yamt sync with head
 1.2.2.1 16-Sep-2010  yamt file files.npf was added on branch yamt-nfs-mp on 2010-10-09 03:32:37 +0000
 1.4.10.4 22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.4.10.3 16-Jan-2013  yamt sync with (a bit old) head
 1.4.10.2 30-Oct-2012  yamt sync with head
 1.4.10.1 17-Apr-2012  yamt sync with head
 1.4.6.2 05-Mar-2011  rmind sync with head
 1.4.6.1 18-Dec-2010  rmind file files.npf was added on branch rmind-uvmplock on 2011-03-05 20:55:54 +0000
 1.5.2.1 18-Feb-2012  mrg merge to -current.
 1.6.2.4 11-Feb-2013  riz Pull up following revision(s) (requested by rmind in ticket #817):
usr.sbin/npf/npfctl/npfctl.8: revision 1.12
usr.sbin/npf/npfctl/npf.conf.5: revision 1.27
usr.sbin/npf/npfctl/npf_parse.y: revision 1.18
usr.sbin/npf/npfctl/npf_build.c: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.28
lib/libnpf/npf.c: revision 1.16
usr.sbin/npf/npfctl/npfctl.c: revision 1.29
lib/libnpf/npf.c: revision 1.17
sys/modules/npf/Makefile: revision 1.12
sys/net/npf/npf_rproc.c: revision 1.6
usr.sbin/npf/npftest/README: revision 1.4
sys/net/npf/npf_tableset.c: revision 1.17
sys/net/npf/npf_ctl.c: revision 1.21
sys/net/npf/npf_ctl.c: revision 1.22
usr.sbin/npf/npfctl/npfctl.h: revision 1.25
lib/libnpf/npf.h: revision 1.13
usr.sbin/npf/npftest/npftest.conf: revision 1.2
usr.sbin/npf/npfctl/npfctl.h: revision 1.26
sys/net/npf/npf_ruleset.c: revision 1.17
lib/libnpf/npf.h: revision 1.14
sys/net/npf/npf_ruleset.c: revision 1.18
sys/net/npf/npf_conf.c: revision 1.1
usr.sbin/npf/npfctl/npf_scan.l: revision 1.10
sys/net/npf/npf_conf.c: revision 1.2
sys/net/npf/npf_instr.c: revision 1.16
sys/net/npf/npf_handler.c: revision 1.26
sys/net/npf/npf_impl.h: revision 1.26
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.14
sys/net/npf/npf_processor.c: revision 1.15
sys/net/npf/npf_impl.h: revision 1.27
sys/net/npf/npf_alg_icmp.c: revision 1.15
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.15
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.16
sys/net/npf/npf_ncode.h: revision 1.11
sys/net/npf/files.npf: revision 1.10
usr.sbin/npf/npftest/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.c: revision 1.30
lib/libnpf/npf.3: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.4
sys/net/npf/npf_session.c: revision 1.21
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.5
usr.sbin/npf/npfctl/npf_build.c: revision 1.18
usr.sbin/npf/npfctl/npf_build.c: revision 1.19
sys/net/npf/npf_alg.c: revision 1.7
usr.sbin/npf/npfctl/Makefile: revision 1.10
sys/net/npf/npf_inet.c: revision 1.21
sys/net/npf/npf.h: revision 1.26
sys/net/npf/npf.h: revision 1.27
usr.sbin/pf/ftp-proxy/Makefile: revision 1.8
sys/net/npf/npf_nat.c: revision 1.19
sys/net/npf/npf.c: revision 1.15
sys/net/npf/npf_state.c: revision 1.14
sys/net/npf/npf_sendpkt.c: revision 1.14
sys/rump/net/lib/libnpf/Makefile: revision 1.4
IPv6 linklocal address printing cosmetics
NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
Disable -DWITH_NPF for now; will be converted to BPF mechanism.
- Fix NPF config reload with dynamic rules present.
- Implement list and flush commands on a dynamic ruleset.
Allow filtering on IP addresses even if the L4 protocol is unknown.
Patch from spz@.
npftest: adjust for recent change.
 1.6.2.3 15-Dec-2012  riz Pull up following revision(s) (requested by rmind in ticket #745):
distrib/sets/lists/comp/shl.mi: revision 1.241
distrib/sets/lists/modules/mi: revision 1.49
distrib/sets/lists/base/md.sparc64: revision 1.171
lib/npf/ext_rndblock/npfext_rndblock.c: revision 1.1
distrib/sets/lists/base/ad.mips64eb: revision 1.106
distrib/sets/lists/modules/md.evbppc: revision 1.29
sys/net/npf/npf_ext_rndblock.c: revision 1.1
lib/npf/Makefile: revision 1.2
sys/modules/npf_ext_rndblock/Makefile: revision 1.1
lib/npf/ext_rndblock/Makefile: revision 1.1
distrib/sets/lists/base/ad.mips64el: revision 1.106
lib/npf/ext_rndblock/shlib_version: revision 1.1
distrib/sets/lists/base/md.amd64: revision 1.182
distrib/sets/lists/base/shl.mi: revision 1.643
sys/net/npf/files.npf: revision 1.9
sys/modules/Makefile: revision 1.117
Add NPF "rndblock" extension to randomly drop packets (using a random function
with a percentage or modulo operation). This is a demo module, although it can
be used for packet loss simulation. Example of a procedure in npf.conf:
procedure "somedrop" {
# Drop 1.9% of the traffic
rndblock: percentage 1.9
}
 1.6.2.2 18-Nov-2012  riz Pull up following revision(s) (requested by rmind in ticket #693):
lib/npf/ext_normalise/shlib_version: revision 1.1
lib/libnpf/npf.c: revision 1.13
distrib/sets/lists/modules/mi: revision 1.48
sys/net/npf/npf_rproc.c: revision 1.3
sys/net/npf/npf_rproc.c: revision 1.4
sys/modules/npf/Makefile: revision 1.11
usr.sbin/npf/npfctl/npfctl.h: revision 1.20
lib/npf/ext_log/npfext_log.c: revision 1.1
lib/libnpf/npf.h: revision 1.11
sys/net/npf/npf_inet.c: revision 1.17
sys/net/npf/npf_log.c: file removal
sys/net/npf/npf_handler.c: revision 1.22
distrib/sets/lists/base/shl.mi: revision 1.636
sys/net/npf/npf_impl.h: revision 1.23
usr.sbin/npf/npfctl/Makefile: revision 1.8
lib/npf/Makefile: revision 1.1
lib/npf/ext_log/shlib_version: revision 1.1
lib/Makefile: revision 1.189
distrib/sets/lists/comp/shl.mi: revision 1.236
usr.sbin/npf/npfctl/npf_build.c: revision 1.14
distrib/sets/lists/base/mi: revision 1.1007
usr.sbin/npf/npfctl/npf_scan.l: revision 1.6
distrib/sets/lists/base/mi: revision 1.1009
sys/net/npf/npf.h: revision 1.21
lib/npf/ext_normalise/npfext_normalise.c: revision 1.1
etc/mtree/NetBSD.dist.base: revision 1.105
lib/libnpf/Makefile: revision 1.3
etc/mtree/NetBSD.dist.base: revision 1.106
usr.sbin/npf/npfctl/npf_extmod.c: revision 1.1
sys/net/npf/npf_ctl.c: revision 1.18
lib/npf/ext_log/Makefile: revision 1.1
distrib/sets/lists/comp/mi: revision 1.1781
usr.sbin/npf/npfctl/npf_var.h: revision 1.4
sys/net/npf/npf.c: revision 1.13
sys/modules/Makefile: revision 1.111
sys/net/npf/npf_ext_log.c: revision 1.1
lib/npf/Makefile.inc: revision 1.1
sys/net/npf/npf_ext_normalise.c: revision 1.1
sys/net/npf/files.npf: revision 1.8
sys/rump/net/lib/libnpf/Makefile: revision 1.2
sys/modules/npf_ext_log/Makefile: revision 1.1
lib/npf/ext_normalise/Makefile: revision 1.1
usr.sbin/npf/npfctl/npfctl.c: revision 1.20
usr.sbin/npf/npfctl/npf_parse.y: revision 1.13
sys/modules/npf_ext_normalise/Makefile: revision 1.1
Implement dynamic NPF extensions interface. An extension consists of
dynamically loaded module (.so) supplementing npfctl(8) and a kernel
module. Move normalisation and logging functionality into their own
extensions. More improvements to come.
Add /usr/lib/npf.
Add ./usr/libdata/debug/usr/lib/npf for rmind
Fix MKDEBUG set lists
ext_ops does not change during the life cycle and can be fetched without
the mutex held. This avoids confusion in the compiler about an uninitialized
variable ext_ops.
ok rmind@
 1.6.2.1 16-Jul-2012  riz Pull up following revision(s) (requested by rmind in ticket #421):
lib/libnpf/npf.c: revision 1.10
sys/net/npf/npf_session.c: revision 1.15
sys/net/npf/npf_tableset.c: revision 1.13
sys/net/npf/npf_state_tcp.c: revision 1.9
usr.sbin/npf/npfctl/npf_data.c: revision 1.15
sys/net/npf/npf_inet.c: revision 1.14
sys/net/npf/npf_ruleset.c: revision 1.13
sys/net/npf/npf.h: revision 1.19
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.12
sys/net/npf/npf_instr.c: revision 1.13
sys/net/npf/npf_handler.c: revision 1.20
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.4
sys/net/npf/npf_alg_icmp.c: revision 1.10
usr.sbin/npf/npfctl/npfctl.c: revision 1.15
usr.sbin/npf/npfctl/npf_build.c: revision 1.11
lib/libnpf/npf.h: revision 1.9
sys/net/npf/npf_alg.c: revision 1.5
sys/rump/dev/lib/libnpf/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.h: revision 1.17
sys/net/npf/npf_ctl.c: revision 1.16
sys/net/npf/npf_nat.c: revision 1.15
sys/net/npf/npf_tableset_ptree.c: revision 1.1
sys/net/npf/npf.c: revision 1.12
sys/net/npf/npf_sendpkt.c: revision 1.12
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.7
sys/net/npf/npf_impl.h: revision 1.18
sys/net/npf/files.npf: revision 1.7
usr.sbin/npf/npfctl/npf_parse.y: revision 1.10
- Rework NPF tables and fix support for IPv6. Implement tree table type
using radix / Patricia tree. Universal IPv4/IPv6 comparator for ptree(3)
was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.
 1.7.2.5 03-Dec-2017  jdolecek update from HEAD
 1.7.2.4 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.7.2.3 23-Jun-2013  tls resync from head
 1.7.2.2 25-Feb-2013  tls resync with head
 1.7.2.1 20-Nov-2012  tls Resync to 2012-11-19 00:00:00 UTC
 1.13.2.1 18-May-2014  rmind sync with head
 1.16.2.1 10-Aug-2014  tls Rebase.
 1.17.10.1 18-Jan-2017  skrll Sync with netbsd-5
 1.17.8.1 07-Jan-2017  pgoyette Sync with HEAD. (Note that most of these changes are simply $NetBSD$
tag issues.)
 1.17.4.1 05-Feb-2017  skrll Sync with HEAD
 1.17.2.1 18-Dec-2016  snj Pull up following revision(s) (requested by rmind in ticket #1319):
sys/modules/npf/Makefile: revision 1.19
sys/net/npf/files.npf: revision 1.18
sys/net/npf/lpm.c: revision 1.1
sys/net/npf/lpm.h: revision 1.1
sys/net/npf/npf_impl.h: revision 1.62
sys/net/npf/npf_tableset.c: revision 1.24
sys/net/npf/npf_tableset_ptree.c: file removal
sys/rump/net/lib/libnpf/Makefile: revision 1.18
This patches ditches the ptree(3) library, because it is broken (you
can get missing entries!). Instead, as a temporary solution, we switch
to a simple linear scan of the hash tables for the longest-prefix-match
(lpm.c lpm.h) algorithm. In fact, with few unique prefixes in the set,
on modern hardware this simple algorithm is pretty fast anyway!
--
ditch ptree and use lpm
--
remove ptree add lpm
 1.20.16.2 13-Apr-2020  martin Mostly merge changes from HEAD upto 20200411
 1.20.16.1 10-Jun-2019  christos Sync with HEAD
 1.20.14.1 30-Sep-2018  pgoyette Ssync with HEAD
 1.22.2.1 20-Jun-2020  martin Pull up following revision(s) (requested by rmind in ticket #956):

usr.sbin/npf/npf-params.7: revision 1.4
sys/net/npf/npf_worker.c: revision 1.9
usr.sbin/npf/npftest/npftest.h: revision 1.17
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.16
usr.sbin/npf/npf-params.7: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.21
usr.sbin/npf/npfctl/npf_build.c: revision 1.55
usr.sbin/npf/npf-params.7: revision 1.6
sys/net/npf/npfkern.h: revision 1.5
lib/libnpf/npf.c: revision 1.49
usr.sbin/npf/npf-params.7: revision 1.7
sys/net/npf/npf_impl.h: revision 1.81
sys/net/npf/npf_ext_log.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.h: revision 1.53
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.50
sys/net/npf/npf_mbuf.c: revision 1.24
sys/net/npf/npf_alg.c: revision 1.22
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: file removal
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.10
sys/net/npf/npf.h: revision 1.63
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.21
usr.sbin/npf/npfctl/npf_var.c: revision 1.13
sys/net/npf/files.npf: revision 1.23
usr.sbin/npf/npfctl/npf_show.c: revision 1.32
usr.sbin/npf/npfctl/npf.conf.5: revision 1.91
sys/net/npf/npf_os.c: revision 1.18
sys/net/npf/npf_connkey.c: revision 1.2
sys/net/npf/npf_conf.c: revision 1.17
lib/libnpf/libnpf.3: revision 1.12
usr.sbin/npf/npftest/npftest.c: revision 1.25
usr.sbin/npf/npftest/libnpftest/npf_gc_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.51
sys/net/npf/npf_tableset.c: revision 1.35
usr.sbin/npf/npftest/npftest.conf: revision 1.9
sys/net/npf/npf_sendpkt.c: revision 1.22
usr.sbin/npf/npfctl/npf_var.h: revision 1.10
sys/net/npf/npf_state.c: revision 1.23
sys/net/npf/npf_conn.h: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.64
usr.sbin/npf/npfctl/npf_cmd.c: revision 1.1
sys/net/npf/npf_portmap.c: revision 1.5
sys/net/npf/npf_params.c: revision 1.3
usr.sbin/npf/npfctl/npf_scan.l: revision 1.32
tests/net/npf/t_npf.sh: revision 1.4
sys/net/npf/npf_ext_rndblock.c: revision 1.9
lib/libnpf/npf.h: revision 1.39
sys/net/npf/npf_ruleset.c: revision 1.51
sys/net/npf/npf_alg_icmp.c: revision 1.33
sys/net/npf/npf.c: revision 1.43
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.8: revision 1.25
sys/net/npf/npf_ctl.c: revision 1.60
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.11
sys/net/npf/npf_handler.c: revision 1.49
sys/net/npf/npf_inet.c: revision 1.57
sys/net/npf/npf_ifaddr.c: revision 1.7
sys/net/npf/npf_conndb.c: revision 1.9
sys/net/npf/npf_if.c: revision 1.13
usr.sbin/npf/npfctl/Makefile: revision 1.15
sys/net/npf/npf_conn.c: revision 1.32
sys/net/npf/npf_ext_normalize.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.20
sys/net/npf/npf_worker.c: revision 1.8

Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.

npf_worker_sys{init,fini}: initialize/destroy the exit_cv condvar.

npftest -- npf_test_init(): add a workaround for NetBSD.

npf-params(7): fix the state.key defaults.

npf-params.7: s/filer/filter/

Adjust to "npfctl debug" command line changes, from rmind@.

Use more markup.
 1.23.26.1 02-Aug-2025  perseant Sync with HEAD
 1.6 29-Sep-2018  rmind NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.
 1.5 29-Jan-2017  christos branches: 1.5.12; 1.5.14;
- Increase copyin buffer size to 4M
- Change log output format to be like the OpenBSD's pf including in
the header the matching rule etc, and fill in the matching info.
 1.4 26-Dec-2016  christos branches: 1.4.2;
Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)
 1.3 13-Mar-2013  christos branches: 1.3.6; 1.3.14; 1.3.18; 1.3.22;
add missing argument
 1.2 13-Mar-2013  christos don't auto-unload
 1.1 10-Mar-2013  christos Split the npflog cloner and auto-load the extensions.
 1.3.22.2 20-Mar-2017  pgoyette Sync with HEAD
 1.3.22.1 07-Jan-2017  pgoyette Sync with HEAD. (Note that most of these changes are simply $NetBSD$
tag issues.)
 1.3.18.1 05-Feb-2017  skrll Sync with HEAD
 1.3.14.2 22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.3.14.1 13-Mar-2013  yamt file if_npflog.c was added on branch yamt-pagecache on 2014-05-22 11:41:09 +0000
 1.3.6.3 03-Dec-2017  jdolecek update from HEAD
 1.3.6.2 23-Jun-2013  tls resync from head
 1.3.6.1 13-Mar-2013  tls file if_npflog.c was added on branch tls-maxphys on 2013-06-23 06:20:25 +0000
 1.4.2.1 21-Apr-2017  bouyer Sync with HEAD
 1.5.14.1 10-Jun-2019  christos Sync with HEAD
 1.5.12.1 30-Sep-2018  pgoyette Ssync with HEAD
 1.2 29-Sep-2018  rmind NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.
 1.1 29-Jan-2017  christos branches: 1.1.2; 1.1.4; 1.1.8; 1.1.18; 1.1.20; 1.1.22;
- Increase copyin buffer size to 4M
- Change log output format to be like the OpenBSD's pf including in
the header the matching rule etc, and fill in the matching info.
 1.1.22.1 10-Jun-2019  christos Sync with HEAD
 1.1.20.1 30-Sep-2018  pgoyette Ssync with HEAD
 1.1.18.2 03-Dec-2017  jdolecek update from HEAD
 1.1.18.1 29-Jan-2017  jdolecek file if_npflog.h was added on branch tls-maxphys on 2017-12-03 11:39:03 +0000
 1.1.8.2 21-Apr-2017  bouyer Sync with HEAD
 1.1.8.1 29-Jan-2017  bouyer file if_npflog.h was added on branch bouyer-socketcan on 2017-04-21 16:54:05 +0000
 1.1.4.2 20-Mar-2017  pgoyette Sync with HEAD
 1.1.4.1 29-Jan-2017  pgoyette file if_npflog.h was added on branch pgoyette-localcount on 2017-03-20 06:57:50 +0000
 1.1.2.2 05-Feb-2017  skrll Sync with HEAD
 1.1.2.1 29-Jan-2017  skrll file if_npflog.h was added on branch nick-nhusb on 2017-02-05 13:40:58 +0000
 1.6 12-Jun-2019  christos Avoid LOCKDEBUG pserialize panic by implementing suggestion #1 from

http://mail-index.netbsd.org/current-users/2019/02/24/msg035220.html:

Convert the mutex to spin-lock at IPL_NET (but it is excessive) and
convert the memory allocations in that code path to KM_NOSLEEP.
 1.5 29-Sep-2018  rmind NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.
 1.4 01-Jun-2017  chs branches: 1.4.8; 1.4.10; 1.4.12;
remove checks for failure after memory allocation calls that cannot fail:

kmem_alloc() with KM_SLEEP
kmem_zalloc() with KM_SLEEP
percpu_alloc()
pserialize_create()
psref_class_create()

all of these paths include an assertion that the allocation has not failed,
so callers should not assert that again.
 1.3 26-Dec-2016  rmind branches: 1.3.2; 1.3.6; 1.3.8;
Fix kmem_free() in hashmap_remove().
 1.2 26-Dec-2016  rmind Fix kmem_free() sizes in hashmap_rehash() and lpm_clear().
 1.1 09-Dec-2016  christos branches: 1.1.2;
This patches ditches the ptree(3) library, because it is broken (you
can get missing entries!). Instead, as a temporary solution, we switch
to a simple linear scan of the hash tables for the longest-prefix-match
(lpm.c lpm.h) algorithm. In fact, with few unique prefixes in the set,
on modern hardware this simple algorithm is pretty fast anyway!
 1.1.2.4 27-Dec-2016  snj Pull up following revision(s) (requested by rmind in ticket #1340):
sys/net/npf/lpm.c: revision 1.3
Fix kmem_free() in hashmap_remove().
 1.1.2.3 26-Dec-2016  snj Pull up following revision(s) (requested by rmind in ticket #1339):
sys/net/npf/lpm.c: revision 1.2
Fix kmem_free() sizes in hashmap_rehash() and lpm_clear().
 1.1.2.2 18-Dec-2016  snj Pull up following revision(s) (requested by rmind in ticket #1319):
sys/modules/npf/Makefile: revision 1.19
sys/net/npf/files.npf: revision 1.18
sys/net/npf/lpm.c: revision 1.1
sys/net/npf/lpm.h: revision 1.1
sys/net/npf/npf_impl.h: revision 1.62
sys/net/npf/npf_tableset.c: revision 1.24
sys/net/npf/npf_tableset_ptree.c: file removal
sys/rump/net/lib/libnpf/Makefile: revision 1.18
This patches ditches the ptree(3) library, because it is broken (you
can get missing entries!). Instead, as a temporary solution, we switch
to a simple linear scan of the hash tables for the longest-prefix-match
(lpm.c lpm.h) algorithm. In fact, with few unique prefixes in the set,
on modern hardware this simple algorithm is pretty fast anyway!
--
ditch ptree and use lpm
--
remove ptree add lpm
 1.1.2.1 09-Dec-2016  snj file lpm.c was added on branch netbsd-7 on 2016-12-18 07:40:50 +0000
 1.3.8.3 28-Aug-2017  skrll Sync with HEAD
 1.3.8.2 05-Feb-2017  skrll Sync with HEAD
 1.3.8.1 26-Dec-2016  skrll file lpm.c was added on branch nick-nhusb on 2017-02-05 13:40:58 +0000
 1.3.6.2 18-Jan-2017  skrll Sync with netbsd-5
 1.3.6.1 26-Dec-2016  skrll file lpm.c was added on branch netbsd-7-nhusb on 2017-01-18 08:46:46 +0000
 1.3.2.2 07-Jan-2017  pgoyette Sync with HEAD. (Note that most of these changes are simply $NetBSD$
tag issues.)
 1.3.2.1 26-Dec-2016  pgoyette file lpm.c was added on branch pgoyette-localcount on 2017-01-07 08:56:50 +0000
 1.4.12.2 13-Apr-2020  martin Mostly merge changes from HEAD upto 20200411
 1.4.12.1 10-Jun-2019  christos Sync with HEAD
 1.4.10.1 30-Sep-2018  pgoyette Ssync with HEAD
 1.4.8.2 03-Dec-2017  jdolecek update from HEAD
 1.4.8.1 01-Jun-2017  jdolecek file lpm.c was added on branch tls-maxphys on 2017-12-03 11:39:03 +0000
 1.3 12-Jun-2019  christos Avoid LOCKDEBUG pserialize panic by implementing suggestion #1 from

http://mail-index.netbsd.org/current-users/2019/02/24/msg035220.html:

Convert the mutex to spin-lock at IPL_NET (but it is excessive) and
convert the memory allocations in that code path to KM_NOSLEEP.
 1.2 29-Sep-2018  rmind NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.
 1.1 09-Dec-2016  christos branches: 1.1.2; 1.1.4; 1.1.8; 1.1.10; 1.1.22; 1.1.24; 1.1.26;
This patches ditches the ptree(3) library, because it is broken (you
can get missing entries!). Instead, as a temporary solution, we switch
to a simple linear scan of the hash tables for the longest-prefix-match
(lpm.c lpm.h) algorithm. In fact, with few unique prefixes in the set,
on modern hardware this simple algorithm is pretty fast anyway!
 1.1.26.2 13-Apr-2020  martin Mostly merge changes from HEAD upto 20200411
 1.1.26.1 10-Jun-2019  christos Sync with HEAD
 1.1.24.1 30-Sep-2018  pgoyette Ssync with HEAD
 1.1.22.2 03-Dec-2017  jdolecek update from HEAD
 1.1.22.1 09-Dec-2016  jdolecek file lpm.h was added on branch tls-maxphys on 2017-12-03 11:39:03 +0000
 1.1.10.2 05-Feb-2017  skrll Sync with HEAD
 1.1.10.1 09-Dec-2016  skrll file lpm.h was added on branch nick-nhusb on 2017-02-05 13:40:58 +0000
 1.1.8.2 18-Jan-2017  skrll Sync with netbsd-5
 1.1.8.1 09-Dec-2016  skrll file lpm.h was added on branch netbsd-7-nhusb on 2017-01-18 08:46:46 +0000
 1.1.4.2 07-Jan-2017  pgoyette Sync with HEAD. (Note that most of these changes are simply $NetBSD$
tag issues.)
 1.1.4.1 09-Dec-2016  pgoyette file lpm.h was added on branch pgoyette-localcount on 2017-01-07 08:56:50 +0000
 1.1.2.2 18-Dec-2016  snj Pull up following revision(s) (requested by rmind in ticket #1319):
sys/modules/npf/Makefile: revision 1.19
sys/net/npf/files.npf: revision 1.18
sys/net/npf/lpm.c: revision 1.1
sys/net/npf/lpm.h: revision 1.1
sys/net/npf/npf_impl.h: revision 1.62
sys/net/npf/npf_tableset.c: revision 1.24
sys/net/npf/npf_tableset_ptree.c: file removal
sys/rump/net/lib/libnpf/Makefile: revision 1.18
This patches ditches the ptree(3) library, because it is broken (you
can get missing entries!). Instead, as a temporary solution, we switch
to a simple linear scan of the hash tables for the longest-prefix-match
(lpm.c lpm.h) algorithm. In fact, with few unique prefixes in the set,
on modern hardware this simple algorithm is pretty fast anyway!
--
ditch ptree and use lpm
--
remove ptree add lpm
 1.1.2.1 09-Dec-2016  snj file lpm.h was added on branch netbsd-7 on 2016-12-18 07:40:50 +0000
 1.44 27-Aug-2020  riastradh npf: Make sure to initialize portmap_lock only once.

PR kern/55586
 1.43 30-May-2020  rmind Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.

- Amend and improve the manual pages.
 1.42 07-Feb-2020  thorpej Use percpu_foreach_xcall() to gather volatile per-cpu counters. These
must be serialized against the interrupts / soft-interrupts in which
they're manipulated, as well as protected from non-atomic 64-bit memory
loads on 32-bit platforms.
 1.41 25-Aug-2019  rmind branches: 1.41.2;
- npfctl_load_nvlist: simplify the config loading logic.
- Fix a small race condition in npf_nat_getaddr().
- Rework pserialize/EBR wrappers, make it easier to maintain.
 1.40 11-Aug-2019  rmind Adjust some internal NPF APIs:
* npfkern: use the npfk_ prefix.
* NPF portmap: amend the API so it could be used elsewhere.
* Make npf_connkey_t public.
 1.39 06-Aug-2019  christos - npf_conn_init(): fix a race when initialising the G/C thread.
- Fix a bug when partially initialised connection is destroyed on error.
(from rmind@)
 1.38 23-Jul-2019  rmind branches: 1.38.2;
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.
 1.37 19-Jan-2019  rmind Major NPF improvements:
- Convert NPF connection table to thmap. State lookup is now lock-free.
- Improve connection state G/C: it is now incremental and tunable.
- Add support for dynamic NAT address. Translation addresses can now be
selected from a pool of addresses. There are two selection algorithms,
"ip-hash" and "round-robin" (see the man page).
- Translation address can be specified as e.g. ifaddrs(wm0) in npf.conf
to dynamically choose an IP from the interface address(es).
- Add support for the NETMAP algorithm with static NAT for net-to-net
translation (it is equivalent to iptables NETMAP logic).
- Convert 'ipset' tables to use thmap; the table lookup is now lock-free.
- Misc improvements, bug fixes and more unit tests.
- Bump NPF_VERSION (will also bump libnpf).
 1.36 29-Sep-2018  rmind NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.
 1.35 12-Sep-2018  christos Fix lockdebug diagnostic error of trying to acquire an rw_lock from a
pserialized active context. From riastradh@
 1.34 01-Jun-2017  chs branches: 1.34.8; 1.34.10;
remove checks for failure after memory allocation calls that cannot fail:

kmem_alloc() with KM_SLEEP
kmem_zalloc() with KM_SLEEP
percpu_alloc()
pserialize_create()
psref_class_create()

all of these paths include an assertion that the allocation has not failed,
so callers should not assert that again.
 1.33 26-Dec-2016  christos branches: 1.33.6;
Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)
 1.32 10-Dec-2016  christos add functionality to lookup a nat entry from the connection list.
 1.31 29-Oct-2015  christos branches: 1.31.2;
Simplify even further and fix non-modular kernels:
We cannot use the init at attach() trick, because other npf ext modules
will load before the attach function is called on non modular kernels.
 1.30 27-Oct-2015  christos modules don't define MODULAR.
 1.29 27-Oct-2015  christos simplify (and fix) logic.
 1.28 19-Oct-2015  martin Ifdef npf_init() the same way as all it's callers are protected.
 1.27 19-Oct-2015  christos Fix the code so that it works in all 3 cases: non-modular, modular/builtin,
modular/filesystem. In the non-modular case we initialize through attach.
In the modular/builtin case we define the module to be class misc so it
attaches late (after percpu is initialized) since driver modules attach
too early. In the modular/filesystem case we define it to be a driver
module since we autoload it via /dev/npf open.
 1.26 18-Oct-2015  jmcneill Defer initialization of built-in npf module until other pseudo-devices
are initialized. MODULE_CLASS_DRIVER modules are now initialized before
autoconfiguration starts, but npf_init has a dependency on percpu(9) which
doesn't work until CPUs have attached (at least on ARM).
 1.25 18-Oct-2015  christos needs to be driver, otherwise it will not load!
 1.24 17-Oct-2015  jmcneill mark this MODULE_CLASS_MISC as npf_init cannot run when builtin driver modules are initialized
 1.23 20-Aug-2015  christos include "ioconf.h" to get the 'void <driver>attach(int count);' prototype.
 1.22 25-Jul-2014  dholland branches: 1.22.4;
Add d_discard to all struct cdevsw instances I could find.

All have been set to "nodiscard"; some should get a real implementation.
 1.21 23-Jul-2014  rmind NPF: rework of the connection saving and restoring:
- Add support for saving a snapshot of the current connections together
with a full configuration. Support a reverse load operation. Eliminate
the old 'sess-save' and 'sess-load' in favour of the new mechanism.
- Share code between load and reload operations: the latter performs
load from npf.conf without affecting the connections.
- Simplify and fix races with connection loading.
- Bump NPF_VERSION.
 1.20 19-Jul-2014  rmind NPF: partially rewrite the connection tracking mechanism:
- Separate the tracking interface from the storage (state table)
and thus prepare to use a new data structure for the storage.
- Fix some race conditions in NAT association logic.
 1.19 16-Mar-2014  dholland branches: 1.19.2;
Change (mostly mechanically) every cdevsw/bdevsw I can find to use
designated initializers.

I have not built every extant kernel so I have probably broken at
least one build; however I've also found and fixed some wrong
cdevsw/bdevsw entries so even if so I think we come out ahead.
 1.18 08-Nov-2013  rmind NPF: add support for specifying the interfaces before they are attached.
If an interface is or gets detached, all associated rules and connections
will be deactivated (it might be useful to have an option to invalidate
the associated connections). Once the interface is reattached they will
become active.

Bump NPF_VERSION.
 1.17 19-Sep-2013  rmind - Convert NPF to use BPF byte-code by default. Compile BPF byte-code in
npfctl(8) and generate separate marks to describe the filter criteria.
- Rewrite 'npfctl show' functionality and fix some of the bugs.
- npftest: add a test for BPF COP.
- Bump NPF_VERSION.
 1.16 02-Jun-2013  rmind branches: 1.16.2;
- NPF connection tracking: rework synchronisation on tracking disable/enable
points and document it. Split the worker thread into a separate module
with an interface, so it could be re-used for other tasks.
- Replace ALG list with arrays and thus hit fewer cache lines.
- Misc bug fixes.
 1.15 09-Feb-2013  rmind NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
 1.14 29-Oct-2012  rmind Implement NPF table listing and preservation of entries on reload.
Bump the version.
 1.13 16-Sep-2012  rmind Implement dynamic NPF extensions interface. An extension consists of
dynamically loaded module (.so) supplementing npfctl(8) and a kernel
module. Move normalisation and logging functionality into their own
extensions. More improvements to come.
 1.12 15-Jul-2012  rmind branches: 1.12.2;
- Rework NPF tables and fix support for IPv6. Implement tree table type
using radix / Patricia tree. Universal IPv4/IPv6 comparator for ptree(3)
was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.
 1.11 22-Jun-2012  rmind NPF:
- Rename some functions for consistency and de-inline them.
- Fix few invalid asserts (add regressoin test).
- Use pserialize(9) for ALG interface.
- Minor fixes, sprinkle many comments.
 1.10 13-Mar-2012  elad Replace the remaining KAUTH_GENERIC_ISSUSER authorization calls with
something meaningful. All relevant documentation has been updated or
written.

Most of these changes were brought up in the following messages:

http://mail-index.netbsd.org/tech-kern/2012/01/18/msg012490.html
http://mail-index.netbsd.org/tech-kern/2012/01/19/msg012502.html
http://mail-index.netbsd.org/tech-kern/2012/02/17/msg012728.html

Thanks to christos, manu, njoly, and jmmv for input.

Huge thanks to pgoyette for spinning these changes through some build
cycles and ATF.
 1.9 11-Mar-2012  rmind - Save active config in proplib dictionary; add GETCONF ioctl to retrieve.
- Few fixes. Improve some comments.
 1.8 20-Feb-2012  rmind - Add NPF_DECISION_BLOCK and NPF_DECISION_PASS. Be more defensive in the
packet handler. Change the default policy to block when the config is
loaded and set it to pass when flush operation is performed.
- Use kmem_zalloc(9) instead of kmem_alloc(9) in few places.
- npf_rproc_{create,release}: use kmem_intr_{alloc,free} as the destruction
of rule procedure might happen in the interrupt handler (under a very rare
condition, if config reload races with the handler).
- npf_session_establish: check whether layer 3 and 4 are cached.
- npfctl_build_group: do not make groups as passing rules.
- Remove some unecessary header inclusion.
 1.7 15-Jan-2012  rmind branches: 1.7.2;
- Expire all sessions on flush.
- Enable checking for zero mask in IP{4,6}MATCH after npfctl changes.
- Make locking symmetric for npf_ruleset_inspect().
- Sync function prototypes in npf(3) man page with reality.
- Rename NPF_TABLE_RBTREE to NPF_TABLE_TREE.
 1.6 06-Nov-2011  tron branches: 1.6.4;
Change module class to driver as npf(4) is a pseudo device.
 1.5 25-Apr-2011  yamt branches: 1.5.4;
fix module build
 1.4 02-Feb-2011  rmind branches: 1.4.2;
NPF checkpoint:
- Add libnpf(3) - a library to control NPF (configuration, ruleset, etc).
- Add NPF support for ftp-proxy(8).
- Add rc.d script for NPF.
- Convert npfctl(8) to use libnpf(3) and thus make it less depressive.
Note: next clean-up step should be a parser, once dholland@ will finish it.
- Add more documentation.
- Various fixes.
 1.3 18-Jan-2011  rmind branches: 1.3.2;
NPF checkpoint:
- Add the concept of rule procedure: separate normalization, logging and
potentially other functions from the rule structure. Rule procedure can be
shared amongst the rules. Separation is both at kernel level (npf_rproc_t)
and configuration ("procedure" + "apply").
- Fix portmap sharing for NAT policy.
- Update TCP state tracking logic. Use TCP FSM definitions.
- Add if_byindex(), OK by matt@. Use in logging for the lookup.
- Fix traceroute ALG and many other bugs; misc clean-up.
 1.2 18-Dec-2010  rmind branches: 1.2.2;
NPF checkpoint:
- Add support for session saving/restoring.
- Add packet logging support (can tcpdump a pseudo-interface).
- Support reload without flushing of sessions; rework some locking.
- Revisit session mangement, replace linking with npf_sentry_t entries.
- Add some counters for statistics, using percpu(9).
- Add IP_DF flag cleansing.
- Fix various bugs; misc clean-up.
 1.1 22-Aug-2010  rmind branches: 1.1.2; 1.1.4;
Import NPF - a packet filter. Some features:

- Designed to be fully MP-safe and highly efficient.

- Tables/IP sets (hash or red-black tree) for high performance lookups.

- Stateful filtering and Network Address Port Translation (NAPT).
Framework for application level gateways (ALGs).

- Packet inspection engine called n-code processor - inspired by BPF -
supporting generic RISC-like and specific CISC-like instructions for
common patterns (e.g. IPv4 address matching). See npf_ncode(9) manual.

- Convenient userland utility npfctl(8) with npf.conf(8).

NOTE: This is not yet a fully capable alternative to PF or IPFilter.
Further work (support for binat/rdr, return-rst/return-icmp, common ALGs,
state saving/restoring, logging, etc) is in progress.

Thanks a lot to Matt Thomas for various useful comments and code review.
Aye by: board@
 1.1.4.2 22-Oct-2010  uebayasi Sync with HEAD (-D20101022).
 1.1.4.1 22-Aug-2010  uebayasi file npf.c was added on branch uebayasi-xip on 2010-10-22 09:23:14 +0000
 1.1.2.2 09-Oct-2010  yamt sync with head
 1.1.2.1 22-Aug-2010  yamt file npf.c was added on branch yamt-nfs-mp on 2010-10-09 03:32:37 +0000
 1.2.2.1 06-Jun-2011  jruoho Sync with HEAD.
 1.3.2.1 08-Feb-2011  bouyer Sync with HEAD
 1.4.2.3 31-May-2011  rmind sync with head
 1.4.2.2 05-Mar-2011  rmind sync with head
 1.4.2.1 02-Feb-2011  rmind file npf.c was added on branch rmind-uvmplock on 2011-03-05 20:55:54 +0000
 1.5.4.4 22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.5.4.3 30-Oct-2012  yamt sync with head
 1.5.4.2 17-Apr-2012  yamt sync with head
 1.5.4.1 10-Nov-2011  yamt sync with head
 1.6.4.3 05-Apr-2012  mrg sync to latest -current.
 1.6.4.2 24-Feb-2012  mrg sync to -current.
 1.6.4.1 18-Feb-2012  mrg merge to -current.
 1.7.2.7 11-Feb-2013  riz Pull up following revision(s) (requested by rmind in ticket #817):
usr.sbin/npf/npfctl/npfctl.8: revision 1.12
usr.sbin/npf/npfctl/npf.conf.5: revision 1.27
usr.sbin/npf/npfctl/npf_parse.y: revision 1.18
usr.sbin/npf/npfctl/npf_build.c: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.28
lib/libnpf/npf.c: revision 1.16
usr.sbin/npf/npfctl/npfctl.c: revision 1.29
lib/libnpf/npf.c: revision 1.17
sys/modules/npf/Makefile: revision 1.12
sys/net/npf/npf_rproc.c: revision 1.6
usr.sbin/npf/npftest/README: revision 1.4
sys/net/npf/npf_tableset.c: revision 1.17
sys/net/npf/npf_ctl.c: revision 1.21
sys/net/npf/npf_ctl.c: revision 1.22
usr.sbin/npf/npfctl/npfctl.h: revision 1.25
lib/libnpf/npf.h: revision 1.13
usr.sbin/npf/npftest/npftest.conf: revision 1.2
usr.sbin/npf/npfctl/npfctl.h: revision 1.26
sys/net/npf/npf_ruleset.c: revision 1.17
lib/libnpf/npf.h: revision 1.14
sys/net/npf/npf_ruleset.c: revision 1.18
sys/net/npf/npf_conf.c: revision 1.1
usr.sbin/npf/npfctl/npf_scan.l: revision 1.10
sys/net/npf/npf_conf.c: revision 1.2
sys/net/npf/npf_instr.c: revision 1.16
sys/net/npf/npf_handler.c: revision 1.26
sys/net/npf/npf_impl.h: revision 1.26
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.14
sys/net/npf/npf_processor.c: revision 1.15
sys/net/npf/npf_impl.h: revision 1.27
sys/net/npf/npf_alg_icmp.c: revision 1.15
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.15
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.16
sys/net/npf/npf_ncode.h: revision 1.11
sys/net/npf/files.npf: revision 1.10
usr.sbin/npf/npftest/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.c: revision 1.30
lib/libnpf/npf.3: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.4
sys/net/npf/npf_session.c: revision 1.21
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.5
usr.sbin/npf/npfctl/npf_build.c: revision 1.18
usr.sbin/npf/npfctl/npf_build.c: revision 1.19
sys/net/npf/npf_alg.c: revision 1.7
usr.sbin/npf/npfctl/Makefile: revision 1.10
sys/net/npf/npf_inet.c: revision 1.21
sys/net/npf/npf.h: revision 1.26
sys/net/npf/npf.h: revision 1.27
usr.sbin/pf/ftp-proxy/Makefile: revision 1.8
sys/net/npf/npf_nat.c: revision 1.19
sys/net/npf/npf.c: revision 1.15
sys/net/npf/npf_state.c: revision 1.14
sys/net/npf/npf_sendpkt.c: revision 1.14
sys/rump/net/lib/libnpf/Makefile: revision 1.4
IPv6 linklocal address printing cosmetics
NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
Disable -DWITH_NPF for now; will be converted to BPF mechanism.
- Fix NPF config reload with dynamic rules present.
- Implement list and flush commands on a dynamic ruleset.
Allow filtering on IP addresses even if the L4 protocol is unknown.
Patch from spz@.
npftest: adjust for recent change.
 1.7.2.6 24-Nov-2012  riz Pull up following revision(s) (requested by rmind in ticket #702):
sys/net/npf/npf_tableset.c: revision 1.15
usr.sbin/npf/npfctl/npfctl.h: revision 1.21
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.6
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.10
sys/net/npf/npf_state_tcp.c: revision 1.11
sys/net/npf/npf_impl.h: revision 1.24
sys/net/npf/npf.h: revision 1.22
sys/net/npf/npf_ctl.c: revision 1.19
sys/net/npf/npf.c: revision 1.14
usr.sbin/npf/npfctl/npfctl.8: revision 1.10
usr.sbin/npf/npfctl/npfctl.c: revision 1.21
npf_tcp_inwindow: inspect the sequence numbers even if the packet contains no
data, fixing up only the RST to the initial SYN. This makes off-path attacks
more difficult. For the reference, see &quot;Reflection Scan: an Off-Path Attack
on TCP&quot; by Jan Wrobel.
Implement NPF table listing and preservation of entries on reload.
Bump the version.
npfctl(8): mention table listing.
 1.7.2.5 19-Nov-2012  msaitoh Fix a bug that the patch was incorrectly applied with last commit.
 1.7.2.4 18-Nov-2012  riz Pull up following revision(s) (requested by rmind in ticket #693):
lib/npf/ext_normalise/shlib_version: revision 1.1
lib/libnpf/npf.c: revision 1.13
distrib/sets/lists/modules/mi: revision 1.48
sys/net/npf/npf_rproc.c: revision 1.3
sys/net/npf/npf_rproc.c: revision 1.4
sys/modules/npf/Makefile: revision 1.11
usr.sbin/npf/npfctl/npfctl.h: revision 1.20
lib/npf/ext_log/npfext_log.c: revision 1.1
lib/libnpf/npf.h: revision 1.11
sys/net/npf/npf_inet.c: revision 1.17
sys/net/npf/npf_log.c: file removal
sys/net/npf/npf_handler.c: revision 1.22
distrib/sets/lists/base/shl.mi: revision 1.636
sys/net/npf/npf_impl.h: revision 1.23
usr.sbin/npf/npfctl/Makefile: revision 1.8
lib/npf/Makefile: revision 1.1
lib/npf/ext_log/shlib_version: revision 1.1
lib/Makefile: revision 1.189
distrib/sets/lists/comp/shl.mi: revision 1.236
usr.sbin/npf/npfctl/npf_build.c: revision 1.14
distrib/sets/lists/base/mi: revision 1.1007
usr.sbin/npf/npfctl/npf_scan.l: revision 1.6
distrib/sets/lists/base/mi: revision 1.1009
sys/net/npf/npf.h: revision 1.21
lib/npf/ext_normalise/npfext_normalise.c: revision 1.1
etc/mtree/NetBSD.dist.base: revision 1.105
lib/libnpf/Makefile: revision 1.3
etc/mtree/NetBSD.dist.base: revision 1.106
usr.sbin/npf/npfctl/npf_extmod.c: revision 1.1
sys/net/npf/npf_ctl.c: revision 1.18
lib/npf/ext_log/Makefile: revision 1.1
distrib/sets/lists/comp/mi: revision 1.1781
usr.sbin/npf/npfctl/npf_var.h: revision 1.4
sys/net/npf/npf.c: revision 1.13
sys/modules/Makefile: revision 1.111
sys/net/npf/npf_ext_log.c: revision 1.1
lib/npf/Makefile.inc: revision 1.1
sys/net/npf/npf_ext_normalise.c: revision 1.1
sys/net/npf/files.npf: revision 1.8
sys/rump/net/lib/libnpf/Makefile: revision 1.2
sys/modules/npf_ext_log/Makefile: revision 1.1
lib/npf/ext_normalise/Makefile: revision 1.1
usr.sbin/npf/npfctl/npfctl.c: revision 1.20
usr.sbin/npf/npfctl/npf_parse.y: revision 1.13
sys/modules/npf_ext_normalise/Makefile: revision 1.1
Implement dynamic NPF extensions interface. An extension consists of
dynamically loaded module (.so) supplementing npfctl(8) and a kernel
module. Move normalisation and logging functionality into their own
extensions. More improvements to come.
Add /usr/lib/npf.
Add ./usr/libdata/debug/usr/lib/npf for rmind
Fix MKDEBUG set lists
ext_ops does not change during the life cycle and can be fetched without
the mutex held. This avoids confusion in the compiler about an uninitialized
variable ext_ops.
ok rmind@
 1.7.2.3 16-Jul-2012  riz Pull up following revision(s) (requested by rmind in ticket #421):
lib/libnpf/npf.c: revision 1.10
sys/net/npf/npf_session.c: revision 1.15
sys/net/npf/npf_tableset.c: revision 1.13
sys/net/npf/npf_state_tcp.c: revision 1.9
usr.sbin/npf/npfctl/npf_data.c: revision 1.15
sys/net/npf/npf_inet.c: revision 1.14
sys/net/npf/npf_ruleset.c: revision 1.13
sys/net/npf/npf.h: revision 1.19
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.12
sys/net/npf/npf_instr.c: revision 1.13
sys/net/npf/npf_handler.c: revision 1.20
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.4
sys/net/npf/npf_alg_icmp.c: revision 1.10
usr.sbin/npf/npfctl/npfctl.c: revision 1.15
usr.sbin/npf/npfctl/npf_build.c: revision 1.11
lib/libnpf/npf.h: revision 1.9
sys/net/npf/npf_alg.c: revision 1.5
sys/rump/dev/lib/libnpf/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.h: revision 1.17
sys/net/npf/npf_ctl.c: revision 1.16
sys/net/npf/npf_nat.c: revision 1.15
sys/net/npf/npf_tableset_ptree.c: revision 1.1
sys/net/npf/npf.c: revision 1.12
sys/net/npf/npf_sendpkt.c: revision 1.12
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.7
sys/net/npf/npf_impl.h: revision 1.18
sys/net/npf/files.npf: revision 1.7
usr.sbin/npf/npfctl/npf_parse.y: revision 1.10
- Rework NPF tables and fix support for IPv6. Implement tree table type
using radix / Patricia tree. Universal IPv4/IPv6 comparator for ptree(3)
was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.
 1.7.2.2 26-Jun-2012  riz Pull up following revision(s) (requested by rmind in ticket #365):
sys/rump/librump/rumpkern/rumpcpu_generic.c: revision 1.4
sys/net/npf/npf_session.c: revision 1.13
sys/net/npf/npf_tableset.c: revision 1.11
sys/net/npf/npf_state_tcp.c: revision 1.7
sys/net/npf/npf_inet.c: revision 1.12
sys/net/npf/npf.h: revision 1.17
sys/net/npf/npf_instr.c: revision 1.11
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.2
sys/net/npf/npf_state.c: revision 1.8
sys/net/npf/npf_log.c: revision 1.4
sys/net/npf/npf_alg.c: revision 1.4
sys/rump/librump/rumpkern/Makefile.rumpkern: revision 1.118
sys/net/npf/npf_nat.c: revision 1.13
sys/net/npf/npf.c: revision 1.11
sys/net/npf/npf_sendpkt.c: revision 1.11
sys/net/npf/npf_impl.h: revision 1.16
sys/rump/librump/rumpkern/scheduler.c: revision 1.28
rumpkern:
- Add subr_kcpuset.c and subr_pserialize.c modules.
- Add kcpuset_{running,attached} for RUMP env.
NPF:
- Rename some functions for consistency and de-inline them.
- Fix few invalid asserts (add regressoin test).
- Use pserialize(9) for ALG interface.
- Minor fixes, sprinkle many comments.
 1.7.2.1 03-Apr-2012  riz Pull up following revision(s) (requested by rmind in ticket #158):
sys/net/npf/npf_session.c: revision 1.12
sys/net/npf/npf_tableset.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.2
usr.sbin/npf/npfctl/npf_parse.y: revision 1.4
sys/net/npf/npf_inet.c: revision 1.11
sys/net/npf/npf.h: revision 1.15
usr.sbin/npf/npfctl/npf_build.c: revision 1.5
sys/net/npf/npf_ruleset.c: revision 1.11
sys/net/npf/npf_instr.c: revision 1.10
usr.sbin/npf/npfctl/Makefile: revision 1.6
sys/net/npf/npf_processor.c: revision 1.10
sys/net/npf/npf_log.c: revision 1.3
lib/libnpf/npf.h: revision 1.7
sys/net/npf/npf_alg.c: revision 1.3
sys/net/npf/npf_sendpkt.c: revision 1.9
lib/libnpf/npf.c: revision 1.8
usr.sbin/npf/npfctl/npfctl.h: revision 1.13
sys/net/npf/npf_ctl.c: revision 1.13
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.8
sys/net/npf/npf_ctl.c: revision 1.14
sys/net/npf/npf_nat.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.12
sys/net/npf/npf_impl.h: revision 1.11
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.1
sys/net/npf/npf_impl.h: revision 1.12
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.2
sys/net/npf/npf_handler.c: revision 1.14
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.3
sys/net/npf/npf_handler.c: revision 1.15
sys/net/npf/npf_ncode.h: revision 1.6
sys/net/npf/npf.c: revision 1.8
sys/net/npf/npf.c: revision 1.9
sys/net/npf/npf_alg_icmp.c: revision 1.9
sys/net/npf/npf_session.c: revision 1.11
- Add NPF_DECISION_BLOCK and NPF_DECISION_PASS. Be more defensive in the
packet handler. Change the default policy to block when the config is
loaded and set it to pass when flush operation is performed.
- Use kmem_zalloc(9) instead of kmem_alloc(9) in few places.
- npf_rproc_{create,release}: use kmem_intr_{alloc,free} as the destruction
of rule procedure might happen in the interrupt handler (under a very rare
condition, if config reload races with the handler).
- npf_session_establish: check whether layer 3 and 4 are cached.
- npfctl_build_group: do not make groups as passing rules.
- Remove some unecessary header inclusion.
Simplify slightly: merge iface into addr_or_iface, use it in filt_addr.
Add a small disassembler.
definitions used by the disassembler.
- better printing of type/code flags/mask
- pass the instruction start pointer, instead of subtracting 1 to account for it
- Save active config in proplib dictionary; add GETCONF ioctl to retrieve.
- Few fixes. Improve some comments.
don't leak the branch target array.
Add NPF config retrieval routines.
 1.12.2.5 03-Dec-2017  jdolecek update from HEAD
 1.12.2.4 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.12.2.3 23-Jun-2013  tls resync from head
 1.12.2.2 25-Feb-2013  tls resync with head
 1.12.2.1 20-Nov-2012  tls Resync to 2012-11-19 00:00:00 UTC
 1.16.2.1 18-May-2014  rmind sync with head
 1.19.2.1 10-Aug-2014  tls Rebase.
 1.22.4.4 28-Aug-2017  skrll Sync with HEAD
 1.22.4.3 05-Feb-2017  skrll Sync with HEAD
 1.22.4.2 27-Dec-2015  skrll Sync with HEAD (as of 26th Dec)
 1.22.4.1 22-Sep-2015  skrll Sync with HEAD
 1.31.2.4 07-Jan-2017  pgoyette Sync with HEAD. (Note that most of these changes are simply $NetBSD$
tag issues.)
 1.31.2.3 26-Jul-2016  pgoyette Rename LOCALCOUNT_INITIALIZER to DEVSW_MODULE_INIT. This better describes
what we're doing, and why.
 1.31.2.2 19-Jul-2016  pgoyette Instead of repeatedly typing the conditional initialization of the
.d_localcount members in the various {b,c}devsw, define an initializer
macro and use it. This also removes the need for defining new symbols
for each 'struct localcount'.

As suggested by riastradh@
 1.31.2.1 18-Jul-2016  pgoyette Rump drivers are always installed via devsw_attach() so we need to
always allocate a 'struct localcount' for these drivers whenever they
are built as modules.
 1.33.6.2 29-Apr-2017  pgoyette Remove more unnecessary #include for sys/localcount.h
 1.33.6.1 27-Apr-2017  pgoyette Restore all work from the former pgoyette-localcount branch (which is
now abandoned doe to cvs merge botch).

The branch now builds, and installs via anita. There are still some
problems (cgd is non-functional and all atf tests time-out) but they
will get resolved soon.
 1.34.10.2 13-Apr-2020  martin Mostly merge changes from HEAD upto 20200411
 1.34.10.1 10-Jun-2019  christos Sync with HEAD
 1.34.8.2 26-Jan-2019  pgoyette Sync with HEAD
 1.34.8.1 30-Sep-2018  pgoyette Ssync with HEAD
 1.38.2.4 20-Jun-2020  martin Pull up following revision(s) (requested by rmind in ticket #956):

usr.sbin/npf/npf-params.7: revision 1.4
sys/net/npf/npf_worker.c: revision 1.9
usr.sbin/npf/npftest/npftest.h: revision 1.17
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.16
usr.sbin/npf/npf-params.7: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.21
usr.sbin/npf/npfctl/npf_build.c: revision 1.55
usr.sbin/npf/npf-params.7: revision 1.6
sys/net/npf/npfkern.h: revision 1.5
lib/libnpf/npf.c: revision 1.49
usr.sbin/npf/npf-params.7: revision 1.7
sys/net/npf/npf_impl.h: revision 1.81
sys/net/npf/npf_ext_log.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.h: revision 1.53
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.50
sys/net/npf/npf_mbuf.c: revision 1.24
sys/net/npf/npf_alg.c: revision 1.22
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: file removal
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.10
sys/net/npf/npf.h: revision 1.63
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.21
usr.sbin/npf/npfctl/npf_var.c: revision 1.13
sys/net/npf/files.npf: revision 1.23
usr.sbin/npf/npfctl/npf_show.c: revision 1.32
usr.sbin/npf/npfctl/npf.conf.5: revision 1.91
sys/net/npf/npf_os.c: revision 1.18
sys/net/npf/npf_connkey.c: revision 1.2
sys/net/npf/npf_conf.c: revision 1.17
lib/libnpf/libnpf.3: revision 1.12
usr.sbin/npf/npftest/npftest.c: revision 1.25
usr.sbin/npf/npftest/libnpftest/npf_gc_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.51
sys/net/npf/npf_tableset.c: revision 1.35
usr.sbin/npf/npftest/npftest.conf: revision 1.9
sys/net/npf/npf_sendpkt.c: revision 1.22
usr.sbin/npf/npfctl/npf_var.h: revision 1.10
sys/net/npf/npf_state.c: revision 1.23
sys/net/npf/npf_conn.h: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.64
usr.sbin/npf/npfctl/npf_cmd.c: revision 1.1
sys/net/npf/npf_portmap.c: revision 1.5
sys/net/npf/npf_params.c: revision 1.3
usr.sbin/npf/npfctl/npf_scan.l: revision 1.32
tests/net/npf/t_npf.sh: revision 1.4
sys/net/npf/npf_ext_rndblock.c: revision 1.9
lib/libnpf/npf.h: revision 1.39
sys/net/npf/npf_ruleset.c: revision 1.51
sys/net/npf/npf_alg_icmp.c: revision 1.33
sys/net/npf/npf.c: revision 1.43
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.8: revision 1.25
sys/net/npf/npf_ctl.c: revision 1.60
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.11
sys/net/npf/npf_handler.c: revision 1.49
sys/net/npf/npf_inet.c: revision 1.57
sys/net/npf/npf_ifaddr.c: revision 1.7
sys/net/npf/npf_conndb.c: revision 1.9
sys/net/npf/npf_if.c: revision 1.13
usr.sbin/npf/npfctl/Makefile: revision 1.15
sys/net/npf/npf_conn.c: revision 1.32
sys/net/npf/npf_ext_normalize.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.20
sys/net/npf/npf_worker.c: revision 1.8

Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.

npf_worker_sys{init,fini}: initialize/destroy the exit_cv condvar.

npftest -- npf_test_init(): add a workaround for NetBSD.

npf-params(7): fix the state.key defaults.

npf-params.7: s/filer/filter/

Adjust to "npfctl debug" command line changes, from rmind@.

Use more markup.
 1.38.2.3 01-Sep-2019  martin Pull up following revision(s) (requested by rmind in ticket #141):

usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.15
sys/net/npf/npf_alg.c: revision 1.21
sys/net/npf/npf.h: revision 1.62
sys/net/npf/npf_ctl.c: revision 1.57
sys/net/npf/npf_ctl.c: revision 1.58
sys/net/npf/npf_os.c: revision 1.16
sys/net/npf/npf_os.c: revision 1.17
sys/net/npf/npf_conf.c: revision 1.15
sys/net/npf/npf_impl.h: revision 1.78
sys/sys/mbuf.h: revision 1.220
sys/net/npf/npf_impl.h: revision 1.79
sys/net/npf/npf.c: revision 1.41
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.19
sys/net/npf/npf_nat.c: revision 1.48
sys/net/npf/npf_handler.c: revision 1.48
sys/net/npf/npf_ifaddr.c: revision 1.6

- npfctl_load_nvlist: simplify the config loading logic.
- Fix a small race condition in npf_nat_getaddr().
- Rework pserialize/EBR wrappers, make it easier to maintain.
Move PACKET_TAG_NPF where it belongs to.
Make npfctl_switch() and pfil private to OS-specific module.
 1.38.2.2 13-Aug-2019  martin Pull up following revision(s) (requested by rmind in ticket #49):

usr.sbin/npf/npf.7: revision 1.7
sys/net/npf/npfkern.h: revision 1.4
sys/net/npf/npf_conn.h: revision 1.18
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.13
sys/net/npf/npf_ctl.c: revision 1.55
sys/net/npf/npf_os.c: revision 1.14
sys/net/npf/npf_conf.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/npf_perf_test.c: revision 1.9
sys/net/npf/npf_impl.h: revision 1.76
sys/net/npf/npf_portmap.c: revision 1.4
sys/net/npf/npf_params.c: revision 1.2
sys/net/npf/npf.c: revision 1.40
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.18
sys/net/npf/npf_nat.c: revision 1.47
sys/net/npf/npf_handler.c: revision 1.47
sys/net/npf/npf_inet.c: revision 1.55
sys/net/npf/npf_if.c: revision 1.10
sys/net/npf/npf_worker.c: revision 1.7
usr.sbin/npf/npf-params.7: revision 1.3

npf-params(7): add more bpf.jit details.
From David H. Gutteridge.

Adjust some internal NPF APIs:
* npfkern: use the npfk_ prefix.
* NPF portmap: amend the API so it could be used elsewhere.
* Make npf_connkey_t public.

npf.7: add xref to npf-params.7
(Adding directly here since this particular file isn't included in
rmind@'s upstream GitHub repo at present.)
 1.38.2.1 07-Aug-2019  martin Pull up following revision(s) (requested by rmind in ticket #25):

sys/net/npf/npf_conn.h: revision 1.17
sys/net/npf/npf.c: revision 1.39
sys/net/npf/npf_conn.c: revision 1.28
sys/net/npf/npf_conn.c: revision 1.29

Introduce an npf_conn_destroy_idx() that can handle partially constructed
conn structures.

- npf_conn_init(): fix a race when initialising the G/C thread.
- Fix a bug when partially initialised connection is destroyed on error.
(from rmind@)
 1.41.2.1 29-Feb-2020  ad Sync with head.
 1.68 09-Oct-2025  joe PR kern/59615 introduce layer checks for 10 userland 11 kernel
 1.67 01-Jul-2025  joe branches: 1.67.2;
kernel code for layer 2 filtering in NPF

reviewed by christos@
 1.66 01-Jun-2025  joe NPF copyright 2025
 1.65 31-May-2025  joe Userland: npf rule parser for user and group id
 1.64 12-Feb-2023  kardel branches: 1.64.6;
PR kern/56052:
allow block-return packets passed through without rule matching.
Included up-stream as https://github.com/rmind/npf/pull/115
 1.63 30-May-2020  rmind branches: 1.63.20;
Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.

- Amend and improve the manual pages.
 1.62 25-Aug-2019  rmind Move PACKET_TAG_NPF where it belongs to.
 1.61 21-Aug-2019  rmind npfkern/libnpf: Add support for the table replace/swap operation.
Contributed by Timshel Knoll-Miller.
 1.60 23-Jul-2019  rmind branches: 1.60.2;
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.
 1.59 19-Jan-2019  rmind Major NPF improvements:
- Convert NPF connection table to thmap. State lookup is now lock-free.
- Improve connection state G/C: it is now incremental and tunable.
- Add support for dynamic NAT address. Translation addresses can now be
selected from a pool of addresses. There are two selection algorithms,
"ip-hash" and "round-robin" (see the man page).
- Translation address can be specified as e.g. ifaddrs(wm0) in npf.conf
to dynamically choose an IP from the interface address(es).
- Add support for the NETMAP algorithm with static NAT for net-to-net
translation (it is equivalent to iptables NETMAP logic).
- Convert 'ipset' tables to use thmap; the table lookup is now lock-free.
- Misc improvements, bug fixes and more unit tests.
- Bump NPF_VERSION (will also bump libnpf).
 1.58 29-Sep-2018  rmind NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.
 1.57 19-Apr-2018  christos branches: 1.57.2;
s/static inline/static __inline/g for consistency.
 1.56 08-Mar-2018  maxv Declare NPC_FMTERR, and use it to kick malformed packets. Several sanity
checks are added in IPv6; after we see the first IPPROTO_FRAGMENT header,
we are allowed to fail to advance, otherwise we kick the packet.

Sent on tech-net@ a few days ago, no response, but I'm committing it now
anyway.
 1.55 15-Dec-2017  maxv branches: 1.55.2;
Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to
bypass a certain number of filtering rules.

Basically there is an integer overflow in npf_cache_ip: npc_hlen is a
8bit unsigned int, and can wrap to zero if the IPv6 packet being processed
has large extensions.

As a result of an overflow, (mbuf + npc_hlen) won't point at the real
protocol header, but instead at some garbage within the packet. That
garbage, is what NPF applies its rules on.

If these filtering rules allow the packet to enter, that packet is given
to the main IPv6 entry point. This entry point, however, is not subject to
an integer overflow, so it will actually parse the correct protocol header.

The result is: NPF read a wrong header, allowed the packet to enter, the
kernel read the correct header, and delivered the packet depending on this
correct header. So the offending packet was supposed to be kicked, but
still went through the firewall.

Simple example, a packet with:
packet + 0 = IP6 Header
packet + 40 = IP6 Routing header (ip6r_len = 31)
packet + 48 = Crafted UDP header (uh_dport = 7777)
packet + 296 = IP6 Dest header (ip6e_len = 0)
packet + 304 = Real UDP header (uh_dport = 6666)
Will bypass a rule of the kind "block port 6666". Here NPF reads the
crafted UDP header, sees 7777, lets the packet in; later the kernel reads
the real UDP header, and delivers it on port 6666.

Fix this by using uint32_t. While here, it seems to me there is also a
memory overflow: still in npf_cache_ip, npc_hlen may be incremented with
a value that goes beyond the mbuf.
 1.54 29-Jan-2017  christos branches: 1.54.6;
- Increase copyin buffer size to 4M
- Change log output format to be like the OpenBSD's pf including in
the header the matching rule etc, and fill in the matching info.
 1.53 26-Dec-2016  rmind branches: 1.53.2;
Bump NPF_VERSION to 19.
 1.52 26-Dec-2016  christos Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)
 1.51 10-Dec-2016  christos Welcome to version 18:
- Connection state keys are not stored and loaded using the logical key
contents.
- connection finder key is stored in a map that contains the key and the
direction.
 1.50 10-Dec-2016  christos add functionality to lookup a nat entry from the connection list.
 1.49 09-Dec-2016  christos make this compile again
 1.48 08-Dec-2016  rmind NPF: adjust the 'stateful-ends' mechanism to tag the packets and thus
pass-through them on other interfaces. Per discussion with christos@.
 1.47 10-Aug-2014  rmind branches: 1.47.2; 1.47.4; 1.47.6; 1.47.8; 1.47.12;
- Add npf_ruleset_export(), npf_rule_export() and npf_nat_policyexport().
- Split off npf_conn_export(). Add npf_ifmap_getname() and use it to save
the interface name; pick it up on npf_conn_import().
- Misc fixes. Bump NPF_VERSION.
 1.46 23-Jul-2014  rmind npf_iscached: add an assert.
 1.45 23-Jul-2014  rmind NPF: rework of the connection saving and restoring:
- Add support for saving a snapshot of the current connections together
with a full configuration. Support a reverse load operation. Eliminate
the old 'sess-save' and 'sess-load' in favour of the new mechanism.
- Share code between load and reload operations: the latter performs
load from npf.conf without affecting the connections.
- Simplify and fix races with connection loading.
- Bump NPF_VERSION.
 1.44 20-Jul-2014  rmind NPF: add nbuf_t * into npf_cache_t and remove unnecessary carrying by argument.
 1.43 19-Jul-2014  rmind NPF: partially rewrite the connection tracking mechanism:
- Separate the tracking interface from the storage (state table)
and thus prepare to use a new data structure for the storage.
- Fix some race conditions in NAT association logic.
 1.42 29-Jun-2014  rmind NPF:
- Populate the BPF external memory store with L3 information.
- Eliminate NPF_COP_L3 call and just use the data in the memstore.
- Bump NPF_VERSION.
 1.41 25-Jun-2014  rmind Adjust NPF to the recent BPF / BPF JIT changes and make it work again.
All regression tests are happy now (hi alnsn!).
 1.40 30-May-2014  rmind - npf_nat_freepolicy: handle a race condition when a new connection might
be associated with a NAT policy which is going away and npfctl reload
would wait for its natural expiration (potentially long time).
- Remove npf_ruleset_natreload() by merging into npf_ruleset_reload().
- npf_ruleset_reload: eliminate a small time period when a valid NAT
policy might be inactive during the reload operation.
 1.39 19-May-2014  jakllsch Add ability to have mbufs disappear (to another interface) during
npf_rproc_run(). For upcoming npf_ext_route extension.

Guidance and ok by rmind@.
 1.38 14-Mar-2014  rmind branches: 1.38.2;
NPF: add support for "stateful-ends".
 1.37 13-Feb-2014  rmind NPF: add support for IPv6-to-IPv6 Network Prefix Translation (NPTv6),
as per RFC 6296. Add a unit test. Also, bump NPF_VERSION.

Thanks to S.P.Zeidler for the help with NPTv6 work!
 1.36 07-Feb-2014  rmind NPF: add support for static (stateless) NAT.
 1.35 06-Feb-2014  rmind Add support for CDB based NPF tables.
 1.34 06-Dec-2013  rmind NPF:
- Adjust NAT to not assume flow direction in some cases and thus support
less usual setups which are possible when using 'map' with a custom
filter criteria.
- Introduce NPF_SRC/NPF_DST and replace npc_src/npc_dst with npc_ips[2]
for more convenient handling.
- ICMP ALG: restrict matching only to the outgoing traffic, but be more
direction-agnostic elsewhere.
 1.33 12-Nov-2013  rmind NPF: add support for table naming and remove NPF_TABLE_SLOTS (there is
just an arbitrary sanity limit of NPF_MAX_TABLES currently set to 128).

Few misc fixes. Bump NPF_VERSION.
 1.32 08-Nov-2013  rmind NPF: add support for specifying the interfaces before they are attached.
If an interface is or gets detached, all associated rules and connections
will be deactivated (it might be useful to have an option to invalidate
the associated connections). Once the interface is reattached they will
become active.

Bump NPF_VERSION.
 1.31 19-Sep-2013  rmind - Convert NPF to use BPF byte-code by default. Compile BPF byte-code in
npfctl(8) and generate separate marks to describe the filter criteria.
- Rewrite 'npfctl show' functionality and fix some of the bugs.
- npftest: add a test for BPF COP.
- Bump NPF_VERSION.
 1.30 11-Mar-2013  christos branches: 1.30.6;
use sizeof(req) to find if it was empty or not (from uwe)
 1.29 11-Mar-2013  christos *"" is not constant according to gcc. So we move the responsibility for adding
a , to the users of the macro.
 1.28 11-Mar-2013  christos - avoid trailing , in dependencies when there are none other the npf module
itself.
- remove if_npflog dependency from npf_ext_log.
 1.27 10-Feb-2013  rmind - Fix NPF config reload with dynamic rules present.
- Implement list and flush commands on a dynamic ruleset.
 1.26 09-Feb-2013  rmind NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
 1.25 24-Dec-2012  rmind - Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.
 1.24 23-Dec-2012  rmind - Add NPF version check in proplist as well, not only ioctl. Bump the version.
- Fix a bug in table entry lookup.
- Updates/fixes to the man pages. Misc.
 1.23 10-Dec-2012  rmind npf_rwrcksum: handle delayed checksums in the network stack; also fix
non-NPF_NAT_PORTS case and add some comments. PR/47235.
 1.22 29-Oct-2012  rmind Implement NPF table listing and preservation of entries on reload.
Bump the version.
 1.21 16-Sep-2012  rmind Implement dynamic NPF extensions interface. An extension consists of
dynamically loaded module (.so) supplementing npfctl(8) and a kernel
module. Move normalisation and logging functionality into their own
extensions. More improvements to come.
 1.20 19-Jul-2012  spz branches: 1.20.2;
teach npf ipv6-icmp
reviewed by rmind@
 1.19 15-Jul-2012  rmind - Rework NPF tables and fix support for IPv6. Implement tree table type
using radix / Patricia tree. Universal IPv4/IPv6 comparator for ptree(3)
was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.
 1.18 01-Jul-2012  rmind NPF improvements:
- Add NPF_OPCODE_PROTO to match the address and/or protocol only.
- Update parser to support arbitrary "pass proto <name/number>".
- Fix IPv6 address and protocol handling (add a regression test).
- Fix few theorethical races in session handling module.
- Misc fixes, simplifications and some clean up.
 1.17 22-Jun-2012  rmind NPF:
- Rename some functions for consistency and de-inline them.
- Fix few invalid asserts (add regressoin test).
- Use pserialize(9) for ALG interface.
- Minor fixes, sprinkle many comments.
 1.16 14-Apr-2012  rmind Update rumpdev_npf; use WARNS=4.
 1.15 11-Mar-2012  rmind - Save active config in proplib dictionary; add GETCONF ioctl to retrieve.
- Few fixes. Improve some comments.
 1.14 06-Feb-2012  rmind branches: 1.14.2;
- Split NPF rule procedure code into a separate module (no functional changes).
- Simplify some code, add more comments, some asserts.
- G/C unused rule hook code.
 1.13 05-Feb-2012  rmind Multiple NPF fixes, add better error reporting from kernel side, add some
asserts, bump the version.
 1.12 15-Jan-2012  rmind - Expire all sessions on flush.
- Enable checking for zero mask in IP{4,6}MATCH after npfctl changes.
- Make locking symmetric for npf_ruleset_inspect().
- Sync function prototypes in npf(3) man page with reality.
- Rename NPF_TABLE_RBTREE to NPF_TABLE_TREE.
 1.11 29-Nov-2011  rmind branches: 1.11.2;
- Rework and improve TCP state tracking.
- Fix regressions after IPv6 patch merge.

Note: npfctl(8) rework will come soon.
 1.10 06-Nov-2011  rmind Few fixes, KNF/style, bump the NPF version.
 1.9 04-Nov-2011  zoltan Add IPv6 support for NPF.
 1.8 02-Feb-2011  rmind branches: 1.8.2; 1.8.6;
Bump NPF_VERSION.
 1.7 02-Feb-2011  rmind NPF checkpoint:
- Add libnpf(3) - a library to control NPF (configuration, ruleset, etc).
- Add NPF support for ftp-proxy(8).
- Add rc.d script for NPF.
- Convert npfctl(8) to use libnpf(3) and thus make it less depressive.
Note: next clean-up step should be a parser, once dholland@ will finish it.
- Add more documentation.
- Various fixes.
 1.6 18-Jan-2011  rmind branches: 1.6.2;
NPF checkpoint:
- Add the concept of rule procedure: separate normalization, logging and
potentially other functions from the rule structure. Rule procedure can be
shared amongst the rules. Separation is both at kernel level (npf_rproc_t)
and configuration ("procedure" + "apply").
- Fix portmap sharing for NAT policy.
- Update TCP state tracking logic. Use TCP FSM definitions.
- Add if_byindex(), OK by matt@. Use in logging for the lookup.
- Fix traceroute ALG and many other bugs; misc clean-up.
 1.5 18-Dec-2010  rmind branches: 1.5.2;
NPF checkpoint:
- Add support for session saving/restoring.
- Add packet logging support (can tcpdump a pseudo-interface).
- Support reload without flushing of sessions; rework some locking.
- Revisit session mangement, replace linking with npf_sentry_t entries.
- Add some counters for statistics, using percpu(9).
- Add IP_DF flag cleansing.
- Fix various bugs; misc clean-up.
 1.4 11-Nov-2010  rmind NPF checkpoint:
- Add proper TCP state tracking as described in Guido van Rooij paper,
plus handle TCP Window Scaling option.
- Completely rework npf_cache_t, reduce granularity, simplify code.
- Add npf_addr_t as an abstraction, amend session handling code, as well
as NAT code et al, to use it. Now design is prepared for IPv6 support.
- Handle IPv4 fragments i.e. perform packet reassembly.
- Add support for IPv4 ID randomization and minimum TTL enforcement.
- Add support for TCP MSS "clamping".
- Random bits for IPv6. Various fixes and clean-up.
 1.3 25-Sep-2010  rmind branches: 1.3.2; 1.3.4;
Add nbuf_advfetch() and simplify some code slightly.
 1.2 16-Sep-2010  rmind NPF checkpoint:
- Add support for bi-directional NAT and redirection / port forwarding.
- Finish filtering on ICMP type/code and add filtering on TCP flags.
- Add support for TCP reset (RST) or ICMP destination unreachable on block.
- Fix a bunch of bugs; misc cleanup.
 1.1 22-Aug-2010  rmind Import NPF - a packet filter. Some features:

- Designed to be fully MP-safe and highly efficient.

- Tables/IP sets (hash or red-black tree) for high performance lookups.

- Stateful filtering and Network Address Port Translation (NAPT).
Framework for application level gateways (ALGs).

- Packet inspection engine called n-code processor - inspired by BPF -
supporting generic RISC-like and specific CISC-like instructions for
common patterns (e.g. IPv4 address matching). See npf_ncode(9) manual.

- Convenient userland utility npfctl(8) with npf.conf(8).

NOTE: This is not yet a fully capable alternative to PF or IPFilter.
Further work (support for binat/rdr, return-rst/return-icmp, common ALGs,
state saving/restoring, logging, etc) is in progress.

Thanks a lot to Matt Thomas for various useful comments and code review.
Aye by: board@
 1.3.4.2 22-Oct-2010  uebayasi Sync with HEAD (-D20101022).
 1.3.4.1 25-Sep-2010  uebayasi file npf.h was added on branch uebayasi-xip on 2010-10-22 09:23:14 +0000
 1.3.2.2 09-Oct-2010  yamt sync with head
 1.3.2.1 25-Sep-2010  yamt file npf.h was added on branch yamt-nfs-mp on 2010-10-09 03:32:37 +0000
 1.5.2.1 06-Jun-2011  jruoho Sync with HEAD.
 1.6.2.1 08-Feb-2011  bouyer Sync with HEAD
 1.8.6.6 22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.8.6.5 23-Jan-2013  yamt sync with head
 1.8.6.4 16-Jan-2013  yamt sync with (a bit old) head
 1.8.6.3 30-Oct-2012  yamt sync with head
 1.8.6.2 17-Apr-2012  yamt sync with head
 1.8.6.1 10-Nov-2011  yamt sync with head
 1.8.2.2 05-Mar-2011  rmind sync with head
 1.8.2.1 02-Feb-2011  rmind file npf.h was added on branch rmind-uvmplock on 2011-03-05 20:55:54 +0000
 1.11.2.3 29-Apr-2012  mrg sync to latest -current.
 1.11.2.2 05-Apr-2012  mrg sync to latest -current.
 1.11.2.1 18-Feb-2012  mrg merge to -current.
 1.14.2.13 05-Apr-2018  martin Pullup the following revision, requested by maxv in ticket #1542:

sys/net/npf/npf.h 1.55

Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to
bypass a certain number of filtering rules.

Basically there is an integer overflow in npf_cache_ip: npc_hlen is a
8bit unsigned int, and can wrap to zero if the IPv6 packet being processed
has large extensions.

As a result of an overflow, (mbuf + npc_hlen) won't point at the real
protocol header, but instead at some garbage within the packet. That
garbage, is what NPF applies its rules on.

If these filtering rules allow the packet to enter, that packet is given
to the main IPv6 entry point. This entry point, however, is not subject to
an integer overflow, so it will actually parse the correct protocol header.

The result is: NPF read a wrong header, allowed the packet to enter, the
kernel read the correct header, and delivered the packet depending on this
correct header. So the offending packet was supposed to be kicked, but
still went through the firewall.

Simple example, a packet with:
packet + 0 = IP6 Header
packet + 40 = IP6 Routing header (ip6r_len = 31)
packet + 48 = Crafted UDP header (uh_dport = 7777)
packet + 296 = IP6 Dest header (ip6e_len = 0)
packet + 304 = Real UDP header (uh_dport = 6666)
Will bypass a rule of the kind "block port 6666". Here NPF reads the
crafted UDP header, sees 7777, lets the packet in; later the kernel reads
the real UDP header, and delivers it on port 6666.

Fix this by using uint32_t. While here, it seems to me there is also a
memory overflow: still in npf_cache_ip, npc_hlen may be incremented with
a value that goes beyond the mbuf.
 1.14.2.12 11-Feb-2013  riz branches: 1.14.2.12.2;
Pull up following revision(s) (requested by rmind in ticket #817):
usr.sbin/npf/npfctl/npfctl.8: revision 1.12
usr.sbin/npf/npfctl/npf.conf.5: revision 1.27
usr.sbin/npf/npfctl/npf_parse.y: revision 1.18
usr.sbin/npf/npfctl/npf_build.c: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.28
lib/libnpf/npf.c: revision 1.16
usr.sbin/npf/npfctl/npfctl.c: revision 1.29
lib/libnpf/npf.c: revision 1.17
sys/modules/npf/Makefile: revision 1.12
sys/net/npf/npf_rproc.c: revision 1.6
usr.sbin/npf/npftest/README: revision 1.4
sys/net/npf/npf_tableset.c: revision 1.17
sys/net/npf/npf_ctl.c: revision 1.21
sys/net/npf/npf_ctl.c: revision 1.22
usr.sbin/npf/npfctl/npfctl.h: revision 1.25
lib/libnpf/npf.h: revision 1.13
usr.sbin/npf/npftest/npftest.conf: revision 1.2
usr.sbin/npf/npfctl/npfctl.h: revision 1.26
sys/net/npf/npf_ruleset.c: revision 1.17
lib/libnpf/npf.h: revision 1.14
sys/net/npf/npf_ruleset.c: revision 1.18
sys/net/npf/npf_conf.c: revision 1.1
usr.sbin/npf/npfctl/npf_scan.l: revision 1.10
sys/net/npf/npf_conf.c: revision 1.2
sys/net/npf/npf_instr.c: revision 1.16
sys/net/npf/npf_handler.c: revision 1.26
sys/net/npf/npf_impl.h: revision 1.26
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.14
sys/net/npf/npf_processor.c: revision 1.15
sys/net/npf/npf_impl.h: revision 1.27
sys/net/npf/npf_alg_icmp.c: revision 1.15
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.15
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.16
sys/net/npf/npf_ncode.h: revision 1.11
sys/net/npf/files.npf: revision 1.10
usr.sbin/npf/npftest/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.c: revision 1.30
lib/libnpf/npf.3: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.4
sys/net/npf/npf_session.c: revision 1.21
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.5
usr.sbin/npf/npfctl/npf_build.c: revision 1.18
usr.sbin/npf/npfctl/npf_build.c: revision 1.19
sys/net/npf/npf_alg.c: revision 1.7
usr.sbin/npf/npfctl/Makefile: revision 1.10
sys/net/npf/npf_inet.c: revision 1.21
sys/net/npf/npf.h: revision 1.26
sys/net/npf/npf.h: revision 1.27
usr.sbin/pf/ftp-proxy/Makefile: revision 1.8
sys/net/npf/npf_nat.c: revision 1.19
sys/net/npf/npf.c: revision 1.15
sys/net/npf/npf_state.c: revision 1.14
sys/net/npf/npf_sendpkt.c: revision 1.14
sys/rump/net/lib/libnpf/Makefile: revision 1.4
IPv6 linklocal address printing cosmetics
NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
Disable -DWITH_NPF for now; will be converted to BPF mechanism.
- Fix NPF config reload with dynamic rules present.
- Implement list and flush commands on a dynamic ruleset.
Allow filtering on IP addresses even if the L4 protocol is unknown.
Patch from spz@.
npftest: adjust for recent change.
 1.14.2.11 08-Feb-2013  riz Pull up following revision(s) (requested by rmind in ticket #777):
usr.sbin/npf/npfctl/npfctl.c: revision 1.27
sys/net/npf/npf_session.c: revision 1.19
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.4
sys/net/npf/npf_rproc.c: revision 1.5
usr.sbin/npf/npftest/README: revision 1.3
sys/sys/mbuf.h: revision 1.151
sys/net/npf/npf_ruleset.c: revision 1.15
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.3
sys/net/npf/npf_ruleset.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.4
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.4
sys/net/npf/npf_inet.c: revision 1.19
sys/net/npf/npf_instr.c: revision 1.15
sys/net/npf/npf_handler.c: revision 1.24
sys/net/npf/npf_handler.c: revision 1.25
sys/net/npf/npf_state_tcp.c: revision 1.12
sys/net/npf/npf_processor.c: revision 1.13
sys/net/npf/npf_impl.h: revision 1.25
sys/net/npf/npf_processor.c: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.10
sys/net/npf/npf_alg_icmp.c: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.9
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.3
sys/net/npf/npf_session.c: revision 1.20
sys/net/npf/npf_alg.c: revision 1.6
sys/kern/uipc_mbuf.c: revision 1.148
sys/net/npf/npf_inet.c: revision 1.20
sys/net/npf/npf.h: revision 1.25
sys/net/npf/npf_nat.c: revision 1.18
sys/net/npf/npf_state.c: revision 1.13
sys/net/npf/npf_sendpkt.c: revision 1.13
sys/net/npf/npf_ext_log.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.4
sys/net/npf/npf_ext_normalise.c: revision 1.2
- Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.
Silence gcc in npf_recache().
Add m_ensure_contig() routine, which is equivalent to m_pullup, but does not
destroy the mbuf chain on failure (it is kept valid).
- nbuf_ensure_contig: rework to use m_ensure_contig(9), which will not free
the mbuf chain on failure. Fixes some corner cases. Improve regression
test and sprinkle some asserts.
- npf_reassembly: clear nbuf on IPv6 reassembly failure path (partial fix).
The problem was found and fix provided by Anthony Mallet.
 1.14.2.10 07-Jan-2013  riz Pull up following revision(s) (requested by rmind in ticket #776):
usr.sbin/npf/npfctl/npf.conf.5: revision 1.26
usr.sbin/npf/npfctl/npfctl.c: revision 1.26
dist/pf/usr.sbin/ftp-proxy/npf.c: revision 1.2
lib/libnpf/npf.c: revision 1.15
sys/net/npf/npf_ctl.c: revision 1.20
lib/libnpf/npf.h: revision 1.12
lib/libnpf/npf.3: revision 1.6
lib/libnpf/npf.3: revision 1.7
usr.sbin/npf/npfctl/npf_build.c: revision 1.17
sys/net/npf/npf.h: revision 1.24
- Add NPF version check in proplist as well, not only ioctl. Bump the version.
- Fix a bug in table entry lookup.
- Updates/fixes to the man pages. Misc.
Remove a superfluous quote and fix a recurring typo.
ftp-proxy: disable NPF bits for now; it will be re-done.
 1.14.2.9 16-Dec-2012  riz Pull up following revision(s) (requested by rmind in ticket #746):
sys/net/npf/npf_inet.c: revision 1.18
sys/net/npf/npf_mbuf.c: revision 1.8
sys/net/npf/npf.h: revision 1.23
npf_rwrcksum: handle delayed checksums in the network stack; also fix
non-NPF_NAT_PORTS case and add some comments. PR/47235.
 1.14.2.8 24-Nov-2012  riz Pull up following revision(s) (requested by rmind in ticket #702):
sys/net/npf/npf_tableset.c: revision 1.15
usr.sbin/npf/npfctl/npfctl.h: revision 1.21
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.6
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.10
sys/net/npf/npf_state_tcp.c: revision 1.11
sys/net/npf/npf_impl.h: revision 1.24
sys/net/npf/npf.h: revision 1.22
sys/net/npf/npf_ctl.c: revision 1.19
sys/net/npf/npf.c: revision 1.14
usr.sbin/npf/npfctl/npfctl.8: revision 1.10
usr.sbin/npf/npfctl/npfctl.c: revision 1.21
npf_tcp_inwindow: inspect the sequence numbers even if the packet contains no
data, fixing up only the RST to the initial SYN. This makes off-path attacks
more difficult. For the reference, see &quot;Reflection Scan: an Off-Path Attack
on TCP&quot; by Jan Wrobel.
Implement NPF table listing and preservation of entries on reload.
Bump the version.
npfctl(8): mention table listing.
 1.14.2.7 18-Nov-2012  riz Pull up following revision(s) (requested by rmind in ticket #693):
lib/npf/ext_normalise/shlib_version: revision 1.1
lib/libnpf/npf.c: revision 1.13
distrib/sets/lists/modules/mi: revision 1.48
sys/net/npf/npf_rproc.c: revision 1.3
sys/net/npf/npf_rproc.c: revision 1.4
sys/modules/npf/Makefile: revision 1.11
usr.sbin/npf/npfctl/npfctl.h: revision 1.20
lib/npf/ext_log/npfext_log.c: revision 1.1
lib/libnpf/npf.h: revision 1.11
sys/net/npf/npf_inet.c: revision 1.17
sys/net/npf/npf_log.c: file removal
sys/net/npf/npf_handler.c: revision 1.22
distrib/sets/lists/base/shl.mi: revision 1.636
sys/net/npf/npf_impl.h: revision 1.23
usr.sbin/npf/npfctl/Makefile: revision 1.8
lib/npf/Makefile: revision 1.1
lib/npf/ext_log/shlib_version: revision 1.1
lib/Makefile: revision 1.189
distrib/sets/lists/comp/shl.mi: revision 1.236
usr.sbin/npf/npfctl/npf_build.c: revision 1.14
distrib/sets/lists/base/mi: revision 1.1007
usr.sbin/npf/npfctl/npf_scan.l: revision 1.6
distrib/sets/lists/base/mi: revision 1.1009
sys/net/npf/npf.h: revision 1.21
lib/npf/ext_normalise/npfext_normalise.c: revision 1.1
etc/mtree/NetBSD.dist.base: revision 1.105
lib/libnpf/Makefile: revision 1.3
etc/mtree/NetBSD.dist.base: revision 1.106
usr.sbin/npf/npfctl/npf_extmod.c: revision 1.1
sys/net/npf/npf_ctl.c: revision 1.18
lib/npf/ext_log/Makefile: revision 1.1
distrib/sets/lists/comp/mi: revision 1.1781
usr.sbin/npf/npfctl/npf_var.h: revision 1.4
sys/net/npf/npf.c: revision 1.13
sys/modules/Makefile: revision 1.111
sys/net/npf/npf_ext_log.c: revision 1.1
lib/npf/Makefile.inc: revision 1.1
sys/net/npf/npf_ext_normalise.c: revision 1.1
sys/net/npf/files.npf: revision 1.8
sys/rump/net/lib/libnpf/Makefile: revision 1.2
sys/modules/npf_ext_log/Makefile: revision 1.1
lib/npf/ext_normalise/Makefile: revision 1.1
usr.sbin/npf/npfctl/npfctl.c: revision 1.20
usr.sbin/npf/npfctl/npf_parse.y: revision 1.13
sys/modules/npf_ext_normalise/Makefile: revision 1.1
Implement dynamic NPF extensions interface. An extension consists of
dynamically loaded module (.so) supplementing npfctl(8) and a kernel
module. Move normalisation and logging functionality into their own
extensions. More improvements to come.
Add /usr/lib/npf.
Add ./usr/libdata/debug/usr/lib/npf for rmind
Fix MKDEBUG set lists
ext_ops does not change during the life cycle and can be fetched without
the mutex held. This avoids confusion in the compiler about an uninitialized
variable ext_ops.
ok rmind@
 1.14.2.6 25-Jul-2012  jdc branches: 1.14.2.6.4;
Pull up revisions:
src/usr.sbin/npf/npfctl/npfctl.c revisions 1.16,1.17
src/sys/net/npf/npf.h revision 1.20
src/sys/net/npf/npf_alg_icmp.c revision 1.11
src/sys/net/npf/npf_impl.h revision 1.19
src/sys/net/npf/npf_inet.c revisions 1.15,1.16
src/sys/net/npf/npf_instr.c revision 1.14
src/sys/net/npf/npf_ncode.h revision 1.10
src/sys/net/npf/npf_processor.c revision 1.12
src/sys/net/npf/npf_session.c revision 1.16
src/usr.sbin/npf/npfctl/npf_build.c revision 1.12
src/usr.sbin/npf/npfctl/npf_data.c revisions 1.16,1.17
src/usr.sbin/npf/npfctl/npf_disassemble.c revision 1.8
src/usr.sbin/npf/npfctl/npf_ncgen.c revision 1.13
src/usr.sbin/npf/npfctl/npf_parse.y revision 1.11
src/usr.sbin/npf/npfctl/npf_scan.l revision 1.5
src/usr.sbin/npf/npfctl/npf_var.h revision 1.3
src/usr.sbin/npf/npfctl/npfctl.h revision 1.18
src/sys/net/npf/npf_state.c revision 1.10
src/sys/net/npf/npf_state_tcp.c revision 1.10
src/usr.sbin/npf/npftest/npfstream.c revision 1.2
src/usr.sbin/npf/npftest/libnpftest/npf_test_subr.c revision 1.2
(requested by rmind in ticket #435).

Add missing __dead.

teach npf ipv6-icmp
reviewed by rmind@

- npfctl_print_stats: beautification a la French style.
- npfctl_icmpcode: fix the build break.

- npf_fetch_tcpopts: fix off-by-one when validating TCP option length
against the maximum allowed.
- npf_tcp_inwindow: be more liberal with npf_fetch_tcpopts().
- Few minor improvements to npftest.
 1.14.2.5 16-Jul-2012  riz Pull up following revision(s) (requested by rmind in ticket #421):
lib/libnpf/npf.c: revision 1.10
sys/net/npf/npf_session.c: revision 1.15
sys/net/npf/npf_tableset.c: revision 1.13
sys/net/npf/npf_state_tcp.c: revision 1.9
usr.sbin/npf/npfctl/npf_data.c: revision 1.15
sys/net/npf/npf_inet.c: revision 1.14
sys/net/npf/npf_ruleset.c: revision 1.13
sys/net/npf/npf.h: revision 1.19
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.12
sys/net/npf/npf_instr.c: revision 1.13
sys/net/npf/npf_handler.c: revision 1.20
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.4
sys/net/npf/npf_alg_icmp.c: revision 1.10
usr.sbin/npf/npfctl/npfctl.c: revision 1.15
usr.sbin/npf/npfctl/npf_build.c: revision 1.11
lib/libnpf/npf.h: revision 1.9
sys/net/npf/npf_alg.c: revision 1.5
sys/rump/dev/lib/libnpf/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.h: revision 1.17
sys/net/npf/npf_ctl.c: revision 1.16
sys/net/npf/npf_nat.c: revision 1.15
sys/net/npf/npf_tableset_ptree.c: revision 1.1
sys/net/npf/npf.c: revision 1.12
sys/net/npf/npf_sendpkt.c: revision 1.12
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.7
sys/net/npf/npf_impl.h: revision 1.18
sys/net/npf/files.npf: revision 1.7
usr.sbin/npf/npfctl/npf_parse.y: revision 1.10
- Rework NPF tables and fix support for IPv6. Implement tree table type
using radix / Patricia tree. Universal IPv4/IPv6 comparator for ptree(3)
was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.
 1.14.2.4 05-Jul-2012  riz Pull up following revision(s) (requested by rmind in ticket #399):
sys/net/npf/npf_session.c: revision 1.14
sys/net/npf/npf_tableset.c: revision 1.12
sys/net/npf/npf_state_tcp.c: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.3
usr.sbin/npf/npfctl/npf_data.c: revision 1.14
sys/net/npf/npf_inet.c: revision 1.13
sys/net/npf/npf_ruleset.c: revision 1.12
sys/net/npf/npf.h: revision 1.18
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.8: revision 1.7
usr.sbin/npf/npfctl/npf_parse.y: revision 1.9
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.2
usr.sbin/npf/npfctl/npfctl.8: revision 1.8
sys/net/npf/npf_instr.c: revision 1.12
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.3
usr.sbin/npf/npfctl/npf.conf.5: revision 1.13
usr.sbin/npf/npfctl/npf.conf.5: revision 1.14
sys/net/npf/npf_state.c: revision 1.9
sys/net/npf/npf_processor.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.c: revision 1.13
usr.sbin/npf/npfctl/npfctl.c: revision 1.14
usr.sbin/npf/npfctl/npf_build.c: revision 1.10
lib/libnpf/npf.3: revision 1.5
lib/libnpf/npf.h: revision 1.8
share/man/man9/npf_ncode.9: revision 1.9
usr.sbin/npf/npfctl/npf_scan.l: revision 1.4
lib/libnpf/npf.c: revision 1.9
usr.sbin/npf/npfctl/npfctl.h: revision 1.16
sys/net/npf/npf_nat.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.2
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.6
sys/net/npf/npf_impl.h: revision 1.17
sys/net/npf/npf_handler.c: revision 1.18
sys/net/npf/npf_handler.c: revision 1.19
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.4
sys/net/npf/npf_ncode.h: revision 1.9
Fix and update npf.conf(5), npfctl(8) and its usage message.
npf_state_tcp: fix for FIN retransmission and out-of-order ACK case.
NPF improvements:
- Add NPF_OPCODE_PROTO to match the address and/or protocol only.
- Update parser to support arbitrary &quot;pass proto &lt;name/number&gt;&quot;.
- Fix IPv6 address and protocol handling (add a regression test).
- Fix few theorethical races in session handling module.
- Misc fixes, simplifications and some clean up.
npf_packet_handler: fix gcc unused warning.
 1.14.2.3 26-Jun-2012  riz Pull up following revision(s) (requested by rmind in ticket #365):
sys/rump/librump/rumpkern/rumpcpu_generic.c: revision 1.4
sys/net/npf/npf_session.c: revision 1.13
sys/net/npf/npf_tableset.c: revision 1.11
sys/net/npf/npf_state_tcp.c: revision 1.7
sys/net/npf/npf_inet.c: revision 1.12
sys/net/npf/npf.h: revision 1.17
sys/net/npf/npf_instr.c: revision 1.11
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.2
sys/net/npf/npf_state.c: revision 1.8
sys/net/npf/npf_log.c: revision 1.4
sys/net/npf/npf_alg.c: revision 1.4
sys/rump/librump/rumpkern/Makefile.rumpkern: revision 1.118
sys/net/npf/npf_nat.c: revision 1.13
sys/net/npf/npf.c: revision 1.11
sys/net/npf/npf_sendpkt.c: revision 1.11
sys/net/npf/npf_impl.h: revision 1.16
sys/rump/librump/rumpkern/scheduler.c: revision 1.28
rumpkern:
- Add subr_kcpuset.c and subr_pserialize.c modules.
- Add kcpuset_{running,attached} for RUMP env.
NPF:
- Rename some functions for consistency and de-inline them.
- Fix few invalid asserts (add regressoin test).
- Use pserialize(9) for ALG interface.
- Minor fixes, sprinkle many comments.
 1.14.2.2 26-Jun-2012  riz Pull up following revision(s) (requested by rmind in ticket #354):
sys/net/npf/npf_state_tcp.c: revision 1.4
sys/net/npf/npf_state_tcp.c: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.6
usr.sbin/npf/npftest/npftest.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.1
usr.sbin/npf/npftest/npftest.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.2
usr.sbin/npf/npfctl/npf_data.c: revision 1.11
usr.sbin/npf/npftest/npftest.c: revision 1.3
usr.sbin/npf/npfctl/npf_data.c: revision 1.12
usr.sbin/npf/npftest/npftest.h: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.5
usr.sbin/npf/npfctl/npf_data.c: revision 1.13
sys/net/npf/npf.h: revision 1.16
usr.sbin/npf/npftest/npftest.h: revision 1.2
usr.sbin/npf/npfctl/npf_parse.y: revision 1.6
usr.sbin/npf/npftest/npftest.h: revision 1.3
usr.sbin/npf/npfctl/npf_parse.y: revision 1.7
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.10
usr.sbin/npf/npfctl/npf_build.c: revision 1.6
usr.sbin/npf/npfctl/npf_parse.y: revision 1.8
usr.sbin/npf/npfctl/npf_build.c: revision 1.7
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_build.c: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_build.c: revision 1.9
usr.sbin/npf/npfctl/npf.conf.5: revision 1.10
usr.sbin/npf/npfctl/npf.conf.5: revision 1.11
usr.sbin/npf/npfctl/npf.conf.5: revision 1.12
sys/net/npf/npf_state.c: revision 1.7
usr.sbin/npf/npfctl/npfctl.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.c: revision 1.12
usr.sbin/npf/npfctl/Makefile: revision 1.7
sys/rump/net/lib/libnet/Makefile: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.7
usr.sbin/npf/npftest/Makefile: revision 1.1
usr.sbin/npf/npftest/Makefile: revision 1.2
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.1
usr.sbin/npf/npfctl/npf_scan.l: revision 1.2
usr.sbin/npf/npftest/npfstream.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.2
usr.sbin/npf/npfctl/npf_scan.l: revision 1.3
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.3
usr.sbin/npf/npfctl/npfctl.h: revision 1.12
sys/rump/dev/lib/libnpf/Makefile: revision 1.2
usr.sbin/npf/npfctl/npfctl.h: revision 1.14
sys/rump/dev/lib/libnpf/Makefile: revision 1.3
usr.sbin/npf/npfctl/npfctl.h: revision 1.15
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.9
sys/net/npf/npf_ctl.c: revision 1.15
usr.sbin/npf/npfctl/npf_var.c: revision 1.4
usr.sbin/npf/npfctl/npf_var.h: revision 1.2
usr.sbin/npf/npfctl/npf_var.c: revision 1.5
sys/net/npf/npf_impl.h: revision 1.13
sys/net/npf/npf_sendpkt.c: revision 1.10
sys/net/npf/npf_impl.h: revision 1.14
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.4
sys/net/npf/npf_impl.h: revision 1.15
sys/net/npf/npf_handler.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.5
sys/net/npf/npf_handler.c: revision 1.17
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.2
sys/net/npf/npf_ncode.h: revision 1.7
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.3
sys/net/npf/npf_ncode.h: revision 1.8
npf_tcp_inwindow: in a case of negative skew, bump the maximum seen value of
SEQ+LEN in the receiver's side correctly (using ACK from the sender's side).
PR/46265 from Changli Gao.
rumpnet_net: add pfil.c
Update rumpdev_npf; use WARNS=4.
Add initial NPF regression tests integrated with RUMP framework (running the
kernel part of NPF in userland). Other tests will be added once converted to
RUMP framework. All tests are in the public domain.
Some Makefile fixes from christos@.
- Fix double-free case on ICMP return case.
- npf_pfil_register: handle kernels without INET6 option correctly.
- Reduce some #ifdefs.
npfctl(8): add show-config command. Also, update syntax.
npftest: add a stream processor, which prints out the TCP state information.
A tool for debugging connection tracking from tcpdump -w captured data.
npftest: add a module for TCP state tracking and add few test cases.
npf_state_tcp: add an assert; fix some comments while here.
- Rework NPF NAT syntax to be more structured and support future additions
of different types and configurations of NAT.
- npfctl: improve disassemble and show-config command functionality.
- Fix custom ICMP code and type filtering.
make this compile again.
remove error(1) output
Remove superfluous Pp
- make each element of a variable hold a type
- change get_type to take an index, so we can get the individual types of
each element (since primitive elements can be in lists)
- make port_range primitive
- add a routine to convert a variable of primitives to a variable containing
- only port ranges.
remove extra rule that got merged...
 1.14.2.1 03-Apr-2012  riz Pull up following revision(s) (requested by rmind in ticket #158):
sys/net/npf/npf_session.c: revision 1.12
sys/net/npf/npf_tableset.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.2
usr.sbin/npf/npfctl/npf_parse.y: revision 1.4
sys/net/npf/npf_inet.c: revision 1.11
sys/net/npf/npf.h: revision 1.15
usr.sbin/npf/npfctl/npf_build.c: revision 1.5
sys/net/npf/npf_ruleset.c: revision 1.11
sys/net/npf/npf_instr.c: revision 1.10
usr.sbin/npf/npfctl/Makefile: revision 1.6
sys/net/npf/npf_processor.c: revision 1.10
sys/net/npf/npf_log.c: revision 1.3
lib/libnpf/npf.h: revision 1.7
sys/net/npf/npf_alg.c: revision 1.3
sys/net/npf/npf_sendpkt.c: revision 1.9
lib/libnpf/npf.c: revision 1.8
usr.sbin/npf/npfctl/npfctl.h: revision 1.13
sys/net/npf/npf_ctl.c: revision 1.13
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.8
sys/net/npf/npf_ctl.c: revision 1.14
sys/net/npf/npf_nat.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.12
sys/net/npf/npf_impl.h: revision 1.11
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.1
sys/net/npf/npf_impl.h: revision 1.12
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.2
sys/net/npf/npf_handler.c: revision 1.14
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.3
sys/net/npf/npf_handler.c: revision 1.15
sys/net/npf/npf_ncode.h: revision 1.6
sys/net/npf/npf.c: revision 1.8
sys/net/npf/npf.c: revision 1.9
sys/net/npf/npf_alg_icmp.c: revision 1.9
sys/net/npf/npf_session.c: revision 1.11
- Add NPF_DECISION_BLOCK and NPF_DECISION_PASS. Be more defensive in the
packet handler. Change the default policy to block when the config is
loaded and set it to pass when flush operation is performed.
- Use kmem_zalloc(9) instead of kmem_alloc(9) in few places.
- npf_rproc_{create,release}: use kmem_intr_{alloc,free} as the destruction
of rule procedure might happen in the interrupt handler (under a very rare
condition, if config reload races with the handler).
- npf_session_establish: check whether layer 3 and 4 are cached.
- npfctl_build_group: do not make groups as passing rules.
- Remove some unecessary header inclusion.
Simplify slightly: merge iface into addr_or_iface, use it in filt_addr.
Add a small disassembler.
definitions used by the disassembler.
- better printing of type/code flags/mask
- pass the instruction start pointer, instead of subtracting 1 to account for it
- Save active config in proplib dictionary; add GETCONF ioctl to retrieve.
- Few fixes. Improve some comments.
don't leak the branch target array.
Add NPF config retrieval routines.
 1.14.2.12.2.1 05-Apr-2018  martin Pullup the following revision, requested by maxv in ticket #1542:

sys/net/npf/npf.h 1.55

Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to
bypass a certain number of filtering rules.

Basically there is an integer overflow in npf_cache_ip: npc_hlen is a
8bit unsigned int, and can wrap to zero if the IPv6 packet being processed
has large extensions.

As a result of an overflow, (mbuf + npc_hlen) won't point at the real
protocol header, but instead at some garbage within the packet. That
garbage, is what NPF applies its rules on.

If these filtering rules allow the packet to enter, that packet is given
to the main IPv6 entry point. This entry point, however, is not subject to
an integer overflow, so it will actually parse the correct protocol header.

The result is: NPF read a wrong header, allowed the packet to enter, the
kernel read the correct header, and delivered the packet depending on this
correct header. So the offending packet was supposed to be kicked, but
still went through the firewall.

Simple example, a packet with:
packet + 0 = IP6 Header
packet + 40 = IP6 Routing header (ip6r_len = 31)
packet + 48 = Crafted UDP header (uh_dport = 7777)
packet + 296 = IP6 Dest header (ip6e_len = 0)
packet + 304 = Real UDP header (uh_dport = 6666)
Will bypass a rule of the kind "block port 6666". Here NPF reads the
crafted UDP header, sees 7777, lets the packet in; later the kernel reads
the real UDP header, and delivers it on port 6666.

Fix this by using uint32_t. While here, it seems to me there is also a
memory overflow: still in npf_cache_ip, npc_hlen may be incremented with
a value that goes beyond the mbuf.
 1.14.2.6.4.2 05-Apr-2018  martin Pullup the following revision, requested by maxv in ticket #1542:

sys/net/npf/npf.h 1.55

Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to
bypass a certain number of filtering rules.

Basically there is an integer overflow in npf_cache_ip: npc_hlen is a
8bit unsigned int, and can wrap to zero if the IPv6 packet being processed
has large extensions.

As a result of an overflow, (mbuf + npc_hlen) won't point at the real
protocol header, but instead at some garbage within the packet. That
garbage, is what NPF applies its rules on.

If these filtering rules allow the packet to enter, that packet is given
to the main IPv6 entry point. This entry point, however, is not subject to
an integer overflow, so it will actually parse the correct protocol header.

The result is: NPF read a wrong header, allowed the packet to enter, the
kernel read the correct header, and delivered the packet depending on this
correct header. So the offending packet was supposed to be kicked, but
still went through the firewall.

Simple example, a packet with:
packet + 0 = IP6 Header
packet + 40 = IP6 Routing header (ip6r_len = 31)
packet + 48 = Crafted UDP header (uh_dport = 7777)
packet + 296 = IP6 Dest header (ip6e_len = 0)
packet + 304 = Real UDP header (uh_dport = 6666)
Will bypass a rule of the kind "block port 6666". Here NPF reads the
crafted UDP header, sees 7777, lets the packet in; later the kernel reads
the real UDP header, and delivers it on port 6666.

Fix this by using uint32_t. While here, it seems to me there is also a
memory overflow: still in npf_cache_ip, npc_hlen may be incremented with
a value that goes beyond the mbuf.
 1.14.2.6.4.1 16-Dec-2012  riz Pull up following revision(s) (requested by rmind in ticket #746):
sys/net/npf/npf_inet.c: revision 1.18
sys/net/npf/npf_mbuf.c: revision 1.8
sys/net/npf/npf.h: revision 1.23
npf_rwrcksum: handle delayed checksums in the network stack; also fix
non-NPF_NAT_PORTS case and add some comments. PR/47235.
 1.20.2.5 03-Dec-2017  jdolecek update from HEAD
 1.20.2.4 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.20.2.3 23-Jun-2013  tls resync from head
 1.20.2.2 25-Feb-2013  tls resync with head
 1.20.2.1 20-Nov-2012  tls Resync to 2012-11-19 00:00:00 UTC
 1.30.6.1 18-May-2014  rmind sync with head
 1.38.2.1 10-Aug-2014  tls Rebase.
 1.47.12.1 05-Apr-2018  martin Pullup the following revision, requested by maxv in ticket #1593:

sys/net/npf/npf.h 1.55

Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to
bypass a certain number of filtering rules.

Basically there is an integer overflow in npf_cache_ip: npc_hlen is a
8bit unsigned int, and can wrap to zero if the IPv6 packet being processed
has large extensions.

As a result of an overflow, (mbuf + npc_hlen) won't point at the real
protocol header, but instead at some garbage within the packet. That
garbage, is what NPF applies its rules on.

If these filtering rules allow the packet to enter, that packet is given
to the main IPv6 entry point. This entry point, however, is not subject to
an integer overflow, so it will actually parse the correct protocol header.

The result is: NPF read a wrong header, allowed the packet to enter, the
kernel read the correct header, and delivered the packet depending on this
correct header. So the offending packet was supposed to be kicked, but
still went through the firewall.

Simple example, a packet with:
packet + 0 = IP6 Header
packet + 40 = IP6 Routing header (ip6r_len = 31)
packet + 48 = Crafted UDP header (uh_dport = 7777)
packet + 296 = IP6 Dest header (ip6e_len = 0)
packet + 304 = Real UDP header (uh_dport = 6666)
Will bypass a rule of the kind "block port 6666". Here NPF reads the
crafted UDP header, sees 7777, lets the packet in; later the kernel reads
the real UDP header, and delivers it on port 6666.

Fix this by using uint32_t. While here, it seems to me there is also a
memory overflow: still in npf_cache_ip, npc_hlen may be incremented with
a value that goes beyond the mbuf.
 1.47.8.2 20-Mar-2017  pgoyette Sync with HEAD
 1.47.8.1 07-Jan-2017  pgoyette Sync with HEAD. (Note that most of these changes are simply $NetBSD$
tag issues.)
 1.47.6.1 05-Apr-2018  martin Pullup the following revision, requested by maxv in ticket #1593:

sys/net/npf/npf.h 1.55

Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to
bypass a certain number of filtering rules.

Basically there is an integer overflow in npf_cache_ip: npc_hlen is a
8bit unsigned int, and can wrap to zero if the IPv6 packet being processed
has large extensions.

As a result of an overflow, (mbuf + npc_hlen) won't point at the real
protocol header, but instead at some garbage within the packet. That
garbage, is what NPF applies its rules on.

If these filtering rules allow the packet to enter, that packet is given
to the main IPv6 entry point. This entry point, however, is not subject to
an integer overflow, so it will actually parse the correct protocol header.

The result is: NPF read a wrong header, allowed the packet to enter, the
kernel read the correct header, and delivered the packet depending on this
correct header. So the offending packet was supposed to be kicked, but
still went through the firewall.

Simple example, a packet with:
packet + 0 = IP6 Header
packet + 40 = IP6 Routing header (ip6r_len = 31)
packet + 48 = Crafted UDP header (uh_dport = 7777)
packet + 296 = IP6 Dest header (ip6e_len = 0)
packet + 304 = Real UDP header (uh_dport = 6666)
Will bypass a rule of the kind "block port 6666". Here NPF reads the
crafted UDP header, sees 7777, lets the packet in; later the kernel reads
the real UDP header, and delivers it on port 6666.

Fix this by using uint32_t. While here, it seems to me there is also a
memory overflow: still in npf_cache_ip, npc_hlen may be incremented with
a value that goes beyond the mbuf.
 1.47.4.1 05-Feb-2017  skrll Sync with HEAD
 1.47.2.1 05-Apr-2018  martin Pullup the following revision, requested by maxv in ticket #1593:

sys/net/npf/npf.h 1.55

Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to
bypass a certain number of filtering rules.

Basically there is an integer overflow in npf_cache_ip: npc_hlen is a
8bit unsigned int, and can wrap to zero if the IPv6 packet being processed
has large extensions.

As a result of an overflow, (mbuf + npc_hlen) won't point at the real
protocol header, but instead at some garbage within the packet. That
garbage, is what NPF applies its rules on.

If these filtering rules allow the packet to enter, that packet is given
to the main IPv6 entry point. This entry point, however, is not subject to
an integer overflow, so it will actually parse the correct protocol header.

The result is: NPF read a wrong header, allowed the packet to enter, the
kernel read the correct header, and delivered the packet depending on this
correct header. So the offending packet was supposed to be kicked, but
still went through the firewall.

Simple example, a packet with:
packet + 0 = IP6 Header
packet + 40 = IP6 Routing header (ip6r_len = 31)
packet + 48 = Crafted UDP header (uh_dport = 7777)
packet + 296 = IP6 Dest header (ip6e_len = 0)
packet + 304 = Real UDP header (uh_dport = 6666)
Will bypass a rule of the kind "block port 6666". Here NPF reads the
crafted UDP header, sees 7777, lets the packet in; later the kernel reads
the real UDP header, and delivers it on port 6666.

Fix this by using uint32_t. While here, it seems to me there is also a
memory overflow: still in npf_cache_ip, npc_hlen may be incremented with
a value that goes beyond the mbuf.
 1.53.2.1 21-Apr-2017  bouyer Sync with HEAD
 1.54.6.2 09-May-2018  martin Pull up following revision(s) (requested by maxv in ticket #817):

sys/net/npf/npf_inet.c: revision 1.38-1.44
sys/net/npf/npf_handler.c: revision 1.38-1.39
sys/net/npf/npf_alg_icmp.c: revision 1.26
sys/net/npf/npf.h: revision 1.56
sys/net/npf/npf_sendpkt.c: revision 1.17-1.18

Declare NPC_FMTERR, and use it to kick malformed packets. Several sanity
checks are added in IPv6; after we see the first IPPROTO_FRAGMENT header,
we are allowed to fail to advance, otherwise we kick the packet.
Sent on tech-net@ a few days ago, no response, but I'm committing it now
anyway.

Switch nptr to uint8_t, and use nbuf_ensure_contig. Makes us use fewer
magic values.

Remove dead branches, 'npc' can't be NULL (and it is dereferenced
earlier).

Fix two consecutive mistakes.

The first mistake was npf_inet.c rev1.37:
"Don't reassemble ipv6 fragments, instead treat the first fragment
as a regular packet (subject to filtering rules), and pass
subsequent fragments in the same group unconditionally."

Doing this was entirely wrong, because then a packet just had to push
the L4 payload in a secondary fragment, and NPF wouldn't apply rules on
it - meaning any IPv6 packet could bypass >=L4 filtering. This mistake
was supposed to be a fix for the second mistake.

The second mistake was that ip6_reass_packet (in npf_reassembly) was
getting called with npc->npc_hlen. But npc_hlen pointed to the last
encountered header in the IPv6 chain, which was not necessarily the
fragment header. So ip6_reass_packet was given garbage, and would fail,
resulting in the packet getting kicked. So basically IPv6 was broken by
NPF.

The first mistake is reverted, and the second one is fixed by doing:
- hlen = sizeof(struct ip6_frag);
+ hlen = 0;

Now the iteration stops on the fragment header, and the call to
ip6_reass_packet is valid.

My npf_inet.c rev1.38 is partially reverted: we don't need to worry
about failing properly to advance; once the packet is reassembled
npf_cache_ip gets called again, and this time the whole chain should be
there.

Tested with a simple UDPv6 server - send a 3000-byte-sized buffer, the
packet gets correctly reassembled by NPF now.

Mmh, put back the RFC6946 check (about dummy fragments), otherwise NPF
is not happy in npf_reassembly, because NPC_IPFRAG is again returned after
the packet was reassembled.

I'm wondering whether it would not be better to just remove the fragment
header in frag6_input directly.

Fix the "return-rst" rule on IPv6 packets.
The scopes needed to be set on the addresses before invoking ip6_output,
because ip6_output needs them. The reason they are not here already is
because pfil_run_hooks (in ip6_input) is called _before_ the kernel
initializes the scopes.

Until now ip6_output was always failing, and the IPv6-TCP-RST packet was
never actually sent.

Perhaps it would be better to have the kernel initialize the scopes
before invoking pfil_run_hooks, but several things will need to be fixed
in several places.

Tested with a simple TCPv6 server. Until now the client would block
waiting for an answer that never came; now it receives an RST right away
and closes the connection, as expected.
I believe that the same problem exists in the "return-icmp" rules, but I
can't investigate this right now (some problems with wireshark).

Fix the IPv6 payload computation in npf_tcpsaw. It was incorrect, and this
caused the "return-rst" rules to send back an RST with the wrong ACK when
the received SYN had an IPv6 option.

Set the scopes before calling icmp6_error(). This fixes a bug similar to
the one I fixed in rev1.17: since the scopes were not set the packet was
never actually sent.

Tested with wireshark, now the ICMPv6 reply is correctly sent, as
expected.

Don't read the L4 payload after IPPROTO_AH when handling IPv6 packets.
AH must be considered as the payload, otherwise a

block all
pass in proto ah from any
pass out proto ah from any

configuration will actually block everything, because NPF checks the
protocol against the one found after AH, and not AH itself.

In addition it may have been a problem for stateful connections; an AH
packet sent by an attacker with an incorrect authentication and a correct
TCP/UDP/whatever payload from an active connection could manage to change
NPF's FSM state, which would perhaps have altered the legitimate
connection with the authenticated remote IPsec host.

Note that IPv4 already doesn't go beyond AH, which is the correct
behavior.

Add XXX (we don't handle IPv6 Jumbograms), and whitespace.
 1.54.6.1 04-Apr-2018  martin Pull up following revision(s) (requested by maxv in ticket #693):

sys/net/npf/npf.h: revision 1.55

Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to
bypass a certain number of filtering rules.

Basically there is an integer overflow in npf_cache_ip: npc_hlen is a
8bit unsigned int, and can wrap to zero if the IPv6 packet being processed
has large extensions.

As a result of an overflow, (mbuf + npc_hlen) won't point at the real
protocol header, but instead at some garbage within the packet. That
garbage, is what NPF applies its rules on.

If these filtering rules allow the packet to enter, that packet is given
to the main IPv6 entry point. This entry point, however, is not subject to
an integer overflow, so it will actually parse the correct protocol header.

The result is: NPF read a wrong header, allowed the packet to enter, the
kernel read the correct header, and delivered the packet depending on this
correct header. So the offending packet was supposed to be kicked, but
still went through the firewall.

Simple example, a packet with:

packet + 0 = IP6 Header
packet + 40 = IP6 Routing header (ip6r_len = 31)
packet + 48 = Crafted UDP header (uh_dport = 7777)
packet + 296 = IP6 Dest header (ip6e_len = 0)
packet + 304 = Real UDP header (uh_dport = 6666)

Will bypass a rule of the kind "block port 6666". Here NPF reads the
crafted UDP header, sees 7777, lets the packet in; later the kernel reads
the real UDP header, and delivers it on port 6666.

Fix this by using uint32_t. While here, it seems to me there is also a
memory overflow: still in npf_cache_ip, npc_hlen may be incremented with
a value that goes beyond the mbuf.
 1.55.2.4 26-Jan-2019  pgoyette Sync with HEAD
 1.55.2.3 30-Sep-2018  pgoyette Ssync with HEAD
 1.55.2.2 22-Apr-2018  pgoyette Sync with HEAD
 1.55.2.1 15-Mar-2018  pgoyette Synch with HEAD
 1.57.2.2 13-Apr-2020  martin Mostly merge changes from HEAD upto 20200411
 1.57.2.1 10-Jun-2019  christos Sync with HEAD
 1.60.2.4 14-Mar-2023  martin Pull up following revision(s) (requested by kardel in ticket #119):

sys/net/npf/npf_mbuf.c: revision 1.25
sys/net/npf/npf.h: revision 1.64
sys/net/npf/npf_sendpkt.c: revision 1.23

PR kern/56052:
allow block-return packets passed through without rule matching.
Included up-stream ashttps://github.com/rmind/npf/pull/115
 1.60.2.3 20-Jun-2020  martin Pull up following revision(s) (requested by rmind in ticket #956):

usr.sbin/npf/npf-params.7: revision 1.4
sys/net/npf/npf_worker.c: revision 1.9
usr.sbin/npf/npftest/npftest.h: revision 1.17
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.16
usr.sbin/npf/npf-params.7: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.21
usr.sbin/npf/npfctl/npf_build.c: revision 1.55
usr.sbin/npf/npf-params.7: revision 1.6
sys/net/npf/npfkern.h: revision 1.5
lib/libnpf/npf.c: revision 1.49
usr.sbin/npf/npf-params.7: revision 1.7
sys/net/npf/npf_impl.h: revision 1.81
sys/net/npf/npf_ext_log.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.h: revision 1.53
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.50
sys/net/npf/npf_mbuf.c: revision 1.24
sys/net/npf/npf_alg.c: revision 1.22
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: file removal
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.10
sys/net/npf/npf.h: revision 1.63
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.21
usr.sbin/npf/npfctl/npf_var.c: revision 1.13
sys/net/npf/files.npf: revision 1.23
usr.sbin/npf/npfctl/npf_show.c: revision 1.32
usr.sbin/npf/npfctl/npf.conf.5: revision 1.91
sys/net/npf/npf_os.c: revision 1.18
sys/net/npf/npf_connkey.c: revision 1.2
sys/net/npf/npf_conf.c: revision 1.17
lib/libnpf/libnpf.3: revision 1.12
usr.sbin/npf/npftest/npftest.c: revision 1.25
usr.sbin/npf/npftest/libnpftest/npf_gc_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.51
sys/net/npf/npf_tableset.c: revision 1.35
usr.sbin/npf/npftest/npftest.conf: revision 1.9
sys/net/npf/npf_sendpkt.c: revision 1.22
usr.sbin/npf/npfctl/npf_var.h: revision 1.10
sys/net/npf/npf_state.c: revision 1.23
sys/net/npf/npf_conn.h: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.64
usr.sbin/npf/npfctl/npf_cmd.c: revision 1.1
sys/net/npf/npf_portmap.c: revision 1.5
sys/net/npf/npf_params.c: revision 1.3
usr.sbin/npf/npfctl/npf_scan.l: revision 1.32
tests/net/npf/t_npf.sh: revision 1.4
sys/net/npf/npf_ext_rndblock.c: revision 1.9
lib/libnpf/npf.h: revision 1.39
sys/net/npf/npf_ruleset.c: revision 1.51
sys/net/npf/npf_alg_icmp.c: revision 1.33
sys/net/npf/npf.c: revision 1.43
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.8: revision 1.25
sys/net/npf/npf_ctl.c: revision 1.60
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.11
sys/net/npf/npf_handler.c: revision 1.49
sys/net/npf/npf_inet.c: revision 1.57
sys/net/npf/npf_ifaddr.c: revision 1.7
sys/net/npf/npf_conndb.c: revision 1.9
sys/net/npf/npf_if.c: revision 1.13
usr.sbin/npf/npfctl/Makefile: revision 1.15
sys/net/npf/npf_conn.c: revision 1.32
sys/net/npf/npf_ext_normalize.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.20
sys/net/npf/npf_worker.c: revision 1.8

Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.

npf_worker_sys{init,fini}: initialize/destroy the exit_cv condvar.

npftest -- npf_test_init(): add a workaround for NetBSD.

npf-params(7): fix the state.key defaults.

npf-params.7: s/filer/filter/

Adjust to "npfctl debug" command line changes, from rmind@.

Use more markup.
 1.60.2.2 01-Sep-2019  martin Pull up following revision(s) (requested by rmind in ticket #141):

usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.15
sys/net/npf/npf_alg.c: revision 1.21
sys/net/npf/npf.h: revision 1.62
sys/net/npf/npf_ctl.c: revision 1.57
sys/net/npf/npf_ctl.c: revision 1.58
sys/net/npf/npf_os.c: revision 1.16
sys/net/npf/npf_os.c: revision 1.17
sys/net/npf/npf_conf.c: revision 1.15
sys/net/npf/npf_impl.h: revision 1.78
sys/sys/mbuf.h: revision 1.220
sys/net/npf/npf_impl.h: revision 1.79
sys/net/npf/npf.c: revision 1.41
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.19
sys/net/npf/npf_nat.c: revision 1.48
sys/net/npf/npf_handler.c: revision 1.48
sys/net/npf/npf_ifaddr.c: revision 1.6

- npfctl_load_nvlist: simplify the config loading logic.
- Fix a small race condition in npf_nat_getaddr().
- Rework pserialize/EBR wrappers, make it easier to maintain.
Move PACKET_TAG_NPF where it belongs to.
Make npfctl_switch() and pfil private to OS-specific module.
 1.60.2.1 01-Sep-2019  martin Pull up following revision(s) (requested by rmind in ticket #139):

lib/libnpf/npf.c: revision 1.47
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.10
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.10
sys/net/npf/npf.h: revision 1.61
sys/net/npf/npf_ctl.c: revision 1.56
sys/net/npf/npf_os.c: revision 1.15
lib/libnpf/libnpf.3: revision 1.10
sys/net/npf/npf_tableset.c: revision 1.34
usr.sbin/npf/npfctl/npfctl.c: revision 1.61
sys/net/npf/npf_impl.h: revision 1.77
lib/libnpf/npf.h: revision 1.37

- npftest: fix a memleak in a unit test (standalone path only).
- Minor style fixes. No functional change.
npfkern/libnpf: Add support for the table replace/swap operation.
Contributed by Timshel Knoll-Miller.
 1.63.20.1 14-Mar-2023  martin Pull up following revision(s) (requested by kardel in ticket #119):

sys/net/npf/npf_mbuf.c: revision 1.25
sys/net/npf/npf.h: revision 1.64
sys/net/npf/npf_sendpkt.c: revision 1.23

PR kern/56052:
allow block-return packets passed through without rule matching.
Included up-stream ashttps://github.com/rmind/npf/pull/115
 1.64.6.1 02-Aug-2025  perseant Sync with HEAD
 1.67.2.1 13-Oct-2025  martin Pull up following revision(s) (requested by joe in ticket #53):

sys/net/npf/npf.h: revision 1.68
sys/net/npf/npf_ruleset.c: revision 1.57

PR kern/59615 introduce layer checks for 10 userland 11 kernel
 1.22 30-May-2020  rmind Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.

- Amend and improve the manual pages.
 1.21 25-Aug-2019  rmind - npfctl_load_nvlist: simplify the config loading logic.
- Fix a small race condition in npf_nat_getaddr().
- Rework pserialize/EBR wrappers, make it easier to maintain.
 1.20 23-Jul-2019  rmind branches: 1.20.2;
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.
 1.19 19-Jan-2019  rmind Major NPF improvements:
- Convert NPF connection table to thmap. State lookup is now lock-free.
- Improve connection state G/C: it is now incremental and tunable.
- Add support for dynamic NAT address. Translation addresses can now be
selected from a pool of addresses. There are two selection algorithms,
"ip-hash" and "round-robin" (see the man page).
- Translation address can be specified as e.g. ifaddrs(wm0) in npf.conf
to dynamically choose an IP from the interface address(es).
- Add support for the NETMAP algorithm with static NAT for net-to-net
translation (it is equivalent to iptables NETMAP logic).
- Convert 'ipset' tables to use thmap; the table lookup is now lock-free.
- Misc improvements, bug fixes and more unit tests.
- Bump NPF_VERSION (will also bump libnpf).
 1.18 29-Sep-2018  rmind NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.
 1.17 12-Sep-2018  christos Fix lockdebug diagnostic error of trying to acquire an rw_lock from a
pserialized active context. From riastradh@
 1.16 26-Dec-2016  christos branches: 1.16.14; 1.16.16;
Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)
 1.15 11-Aug-2014  rmind branches: 1.15.2; 1.15.4;
- Add and use npf_alg_export().
- npf_conn_import: handle NAT metadata correctly.
- npf_nat_newpolicy: restore the policy ID.
- npfctl_load: fix error code handling for the limit cases.
- npf_config_import: fix the inverted logic.
- npfctl_load: improve error handling.
 1.14 20-Jul-2014  rmind branches: 1.14.2;
NPF: add nbuf_t * into npf_cache_t and remove unnecessary carrying by argument.
 1.13 19-Jul-2014  rmind NPF: partially rewrite the connection tracking mechanism:
- Separate the tracking interface from the storage (state table)
and thus prepare to use a new data structure for the storage.
- Fix some race conditions in NAT association logic.
 1.12 17-Feb-2014  rmind branches: 1.12.2;
npf_alg_session: fix inverted logic in the previous commit.
 1.11 16-Feb-2014  rmind NPF: pass ALG functions via npfa_funcs_t structure.
 1.10 06-Dec-2013  rmind NPF:
- Adjust NAT to not assume flow direction in some cases and thus support
less usual setups which are possible when using 'map' with a custom
filter criteria.
- Introduce NPF_SRC/NPF_DST and replace npc_src/npc_dst with npc_ips[2]
for more convenient handling.
- ICMP ALG: restrict matching only to the outgoing traffic, but be more
direction-agnostic elsewhere.
 1.9 02-Jun-2013  rmind branches: 1.9.2;
- NPF connection tracking: rework synchronisation on tracking disable/enable
points and document it. Split the worker thread into a separate module
with an interface, so it could be re-used for other tasks.
- Replace ALG list with arrays and thus hit fewer cache lines.
- Misc bug fixes.
 1.8 20-Mar-2013  christos Make ALG's autoloadable by providing in the config file:
alg "algname"
 1.7 09-Feb-2013  rmind NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
 1.6 24-Dec-2012  rmind - Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.
 1.5 15-Jul-2012  rmind branches: 1.5.2;
- Rework NPF tables and fix support for IPv6. Implement tree table type
using radix / Patricia tree. Universal IPv4/IPv6 comparator for ptree(3)
was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.
 1.4 22-Jun-2012  rmind NPF:
- Rename some functions for consistency and de-inline them.
- Fix few invalid asserts (add regressoin test).
- Use pserialize(9) for ALG interface.
- Minor fixes, sprinkle many comments.
 1.3 20-Feb-2012  rmind - Add NPF_DECISION_BLOCK and NPF_DECISION_PASS. Be more defensive in the
packet handler. Change the default policy to block when the config is
loaded and set it to pass when flush operation is performed.
- Use kmem_zalloc(9) instead of kmem_alloc(9) in few places.
- npf_rproc_{create,release}: use kmem_intr_{alloc,free} as the destruction
of rule procedure might happen in the interrupt handler (under a very rare
condition, if config reload races with the handler).
- npf_session_establish: check whether layer 3 and 4 are cached.
- npfctl_build_group: do not make groups as passing rules.
- Remove some unecessary header inclusion.
 1.2 11-Nov-2010  rmind branches: 1.2.6; 1.2.10; 1.2.14; 1.2.16;
NPF checkpoint:
- Add proper TCP state tracking as described in Guido van Rooij paper,
plus handle TCP Window Scaling option.
- Completely rework npf_cache_t, reduce granularity, simplify code.
- Add npf_addr_t as an abstraction, amend session handling code, as well
as NAT code et al, to use it. Now design is prepared for IPv6 support.
- Handle IPv4 fragments i.e. perform packet reassembly.
- Add support for IPv4 ID randomization and minimum TTL enforcement.
- Add support for TCP MSS "clamping".
- Random bits for IPv6. Various fixes and clean-up.
 1.1 22-Aug-2010  rmind branches: 1.1.2; 1.1.4;
Import NPF - a packet filter. Some features:

- Designed to be fully MP-safe and highly efficient.

- Tables/IP sets (hash or red-black tree) for high performance lookups.

- Stateful filtering and Network Address Port Translation (NAPT).
Framework for application level gateways (ALGs).

- Packet inspection engine called n-code processor - inspired by BPF -
supporting generic RISC-like and specific CISC-like instructions for
common patterns (e.g. IPv4 address matching). See npf_ncode(9) manual.

- Convenient userland utility npfctl(8) with npf.conf(8).

NOTE: This is not yet a fully capable alternative to PF or IPFilter.
Further work (support for binat/rdr, return-rst/return-icmp, common ALGs,
state saving/restoring, logging, etc) is in progress.

Thanks a lot to Matt Thomas for various useful comments and code review.
Aye by: board@
 1.1.4.2 22-Oct-2010  uebayasi Sync with HEAD (-D20101022).
 1.1.4.1 22-Aug-2010  uebayasi file npf_alg.c was added on branch uebayasi-xip on 2010-10-22 09:23:14 +0000
 1.1.2.2 09-Oct-2010  yamt sync with head
 1.1.2.1 22-Aug-2010  yamt file npf_alg.c was added on branch yamt-nfs-mp on 2010-10-09 03:32:37 +0000
 1.2.16.5 11-Feb-2013  riz Pull up following revision(s) (requested by rmind in ticket #817):
usr.sbin/npf/npfctl/npfctl.8: revision 1.12
usr.sbin/npf/npfctl/npf.conf.5: revision 1.27
usr.sbin/npf/npfctl/npf_parse.y: revision 1.18
usr.sbin/npf/npfctl/npf_build.c: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.28
lib/libnpf/npf.c: revision 1.16
usr.sbin/npf/npfctl/npfctl.c: revision 1.29
lib/libnpf/npf.c: revision 1.17
sys/modules/npf/Makefile: revision 1.12
sys/net/npf/npf_rproc.c: revision 1.6
usr.sbin/npf/npftest/README: revision 1.4
sys/net/npf/npf_tableset.c: revision 1.17
sys/net/npf/npf_ctl.c: revision 1.21
sys/net/npf/npf_ctl.c: revision 1.22
usr.sbin/npf/npfctl/npfctl.h: revision 1.25
lib/libnpf/npf.h: revision 1.13
usr.sbin/npf/npftest/npftest.conf: revision 1.2
usr.sbin/npf/npfctl/npfctl.h: revision 1.26
sys/net/npf/npf_ruleset.c: revision 1.17
lib/libnpf/npf.h: revision 1.14
sys/net/npf/npf_ruleset.c: revision 1.18
sys/net/npf/npf_conf.c: revision 1.1
usr.sbin/npf/npfctl/npf_scan.l: revision 1.10
sys/net/npf/npf_conf.c: revision 1.2
sys/net/npf/npf_instr.c: revision 1.16
sys/net/npf/npf_handler.c: revision 1.26
sys/net/npf/npf_impl.h: revision 1.26
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.14
sys/net/npf/npf_processor.c: revision 1.15
sys/net/npf/npf_impl.h: revision 1.27
sys/net/npf/npf_alg_icmp.c: revision 1.15
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.15
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.16
sys/net/npf/npf_ncode.h: revision 1.11
sys/net/npf/files.npf: revision 1.10
usr.sbin/npf/npftest/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.c: revision 1.30
lib/libnpf/npf.3: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.4
sys/net/npf/npf_session.c: revision 1.21
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.5
usr.sbin/npf/npfctl/npf_build.c: revision 1.18
usr.sbin/npf/npfctl/npf_build.c: revision 1.19
sys/net/npf/npf_alg.c: revision 1.7
usr.sbin/npf/npfctl/Makefile: revision 1.10
sys/net/npf/npf_inet.c: revision 1.21
sys/net/npf/npf.h: revision 1.26
sys/net/npf/npf.h: revision 1.27
usr.sbin/pf/ftp-proxy/Makefile: revision 1.8
sys/net/npf/npf_nat.c: revision 1.19
sys/net/npf/npf.c: revision 1.15
sys/net/npf/npf_state.c: revision 1.14
sys/net/npf/npf_sendpkt.c: revision 1.14
sys/rump/net/lib/libnpf/Makefile: revision 1.4
IPv6 linklocal address printing cosmetics
NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
Disable -DWITH_NPF for now; will be converted to BPF mechanism.
- Fix NPF config reload with dynamic rules present.
- Implement list and flush commands on a dynamic ruleset.
Allow filtering on IP addresses even if the L4 protocol is unknown.
Patch from spz@.
npftest: adjust for recent change.
 1.2.16.4 08-Feb-2013  riz Pull up following revision(s) (requested by rmind in ticket #777):
usr.sbin/npf/npfctl/npfctl.c: revision 1.27
sys/net/npf/npf_session.c: revision 1.19
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.4
sys/net/npf/npf_rproc.c: revision 1.5
usr.sbin/npf/npftest/README: revision 1.3
sys/sys/mbuf.h: revision 1.151
sys/net/npf/npf_ruleset.c: revision 1.15
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.3
sys/net/npf/npf_ruleset.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.4
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.4
sys/net/npf/npf_inet.c: revision 1.19
sys/net/npf/npf_instr.c: revision 1.15
sys/net/npf/npf_handler.c: revision 1.24
sys/net/npf/npf_handler.c: revision 1.25
sys/net/npf/npf_state_tcp.c: revision 1.12
sys/net/npf/npf_processor.c: revision 1.13
sys/net/npf/npf_impl.h: revision 1.25
sys/net/npf/npf_processor.c: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.10
sys/net/npf/npf_alg_icmp.c: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.9
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.3
sys/net/npf/npf_session.c: revision 1.20
sys/net/npf/npf_alg.c: revision 1.6
sys/kern/uipc_mbuf.c: revision 1.148
sys/net/npf/npf_inet.c: revision 1.20
sys/net/npf/npf.h: revision 1.25
sys/net/npf/npf_nat.c: revision 1.18
sys/net/npf/npf_state.c: revision 1.13
sys/net/npf/npf_sendpkt.c: revision 1.13
sys/net/npf/npf_ext_log.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.4
sys/net/npf/npf_ext_normalise.c: revision 1.2
- Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.
Silence gcc in npf_recache().
Add m_ensure_contig() routine, which is equivalent to m_pullup, but does not
destroy the mbuf chain on failure (it is kept valid).
- nbuf_ensure_contig: rework to use m_ensure_contig(9), which will not free
the mbuf chain on failure. Fixes some corner cases. Improve regression
test and sprinkle some asserts.
- npf_reassembly: clear nbuf on IPv6 reassembly failure path (partial fix).
The problem was found and fix provided by Anthony Mallet.
 1.2.16.3 16-Jul-2012  riz Pull up following revision(s) (requested by rmind in ticket #421):
lib/libnpf/npf.c: revision 1.10
sys/net/npf/npf_session.c: revision 1.15
sys/net/npf/npf_tableset.c: revision 1.13
sys/net/npf/npf_state_tcp.c: revision 1.9
usr.sbin/npf/npfctl/npf_data.c: revision 1.15
sys/net/npf/npf_inet.c: revision 1.14
sys/net/npf/npf_ruleset.c: revision 1.13
sys/net/npf/npf.h: revision 1.19
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.12
sys/net/npf/npf_instr.c: revision 1.13
sys/net/npf/npf_handler.c: revision 1.20
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.4
sys/net/npf/npf_alg_icmp.c: revision 1.10
usr.sbin/npf/npfctl/npfctl.c: revision 1.15
usr.sbin/npf/npfctl/npf_build.c: revision 1.11
lib/libnpf/npf.h: revision 1.9
sys/net/npf/npf_alg.c: revision 1.5
sys/rump/dev/lib/libnpf/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.h: revision 1.17
sys/net/npf/npf_ctl.c: revision 1.16
sys/net/npf/npf_nat.c: revision 1.15
sys/net/npf/npf_tableset_ptree.c: revision 1.1
sys/net/npf/npf.c: revision 1.12
sys/net/npf/npf_sendpkt.c: revision 1.12
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.7
sys/net/npf/npf_impl.h: revision 1.18
sys/net/npf/files.npf: revision 1.7
usr.sbin/npf/npfctl/npf_parse.y: revision 1.10
- Rework NPF tables and fix support for IPv6. Implement tree table type
using radix / Patricia tree. Universal IPv4/IPv6 comparator for ptree(3)
was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.
 1.2.16.2 26-Jun-2012  riz Pull up following revision(s) (requested by rmind in ticket #365):
sys/rump/librump/rumpkern/rumpcpu_generic.c: revision 1.4
sys/net/npf/npf_session.c: revision 1.13
sys/net/npf/npf_tableset.c: revision 1.11
sys/net/npf/npf_state_tcp.c: revision 1.7
sys/net/npf/npf_inet.c: revision 1.12
sys/net/npf/npf.h: revision 1.17
sys/net/npf/npf_instr.c: revision 1.11
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.2
sys/net/npf/npf_state.c: revision 1.8
sys/net/npf/npf_log.c: revision 1.4
sys/net/npf/npf_alg.c: revision 1.4
sys/rump/librump/rumpkern/Makefile.rumpkern: revision 1.118
sys/net/npf/npf_nat.c: revision 1.13
sys/net/npf/npf.c: revision 1.11
sys/net/npf/npf_sendpkt.c: revision 1.11
sys/net/npf/npf_impl.h: revision 1.16
sys/rump/librump/rumpkern/scheduler.c: revision 1.28
rumpkern:
- Add subr_kcpuset.c and subr_pserialize.c modules.
- Add kcpuset_{running,attached} for RUMP env.
NPF:
- Rename some functions for consistency and de-inline them.
- Fix few invalid asserts (add regressoin test).
- Use pserialize(9) for ALG interface.
- Minor fixes, sprinkle many comments.
 1.2.16.1 03-Apr-2012  riz Pull up following revision(s) (requested by rmind in ticket #158):
sys/net/npf/npf_session.c: revision 1.12
sys/net/npf/npf_tableset.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.2
usr.sbin/npf/npfctl/npf_parse.y: revision 1.4
sys/net/npf/npf_inet.c: revision 1.11
sys/net/npf/npf.h: revision 1.15
usr.sbin/npf/npfctl/npf_build.c: revision 1.5
sys/net/npf/npf_ruleset.c: revision 1.11
sys/net/npf/npf_instr.c: revision 1.10
usr.sbin/npf/npfctl/Makefile: revision 1.6
sys/net/npf/npf_processor.c: revision 1.10
sys/net/npf/npf_log.c: revision 1.3
lib/libnpf/npf.h: revision 1.7
sys/net/npf/npf_alg.c: revision 1.3
sys/net/npf/npf_sendpkt.c: revision 1.9
lib/libnpf/npf.c: revision 1.8
usr.sbin/npf/npfctl/npfctl.h: revision 1.13
sys/net/npf/npf_ctl.c: revision 1.13
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.8
sys/net/npf/npf_ctl.c: revision 1.14
sys/net/npf/npf_nat.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.12
sys/net/npf/npf_impl.h: revision 1.11
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.1
sys/net/npf/npf_impl.h: revision 1.12
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.2
sys/net/npf/npf_handler.c: revision 1.14
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.3
sys/net/npf/npf_handler.c: revision 1.15
sys/net/npf/npf_ncode.h: revision 1.6
sys/net/npf/npf.c: revision 1.8
sys/net/npf/npf.c: revision 1.9
sys/net/npf/npf_alg_icmp.c: revision 1.9
sys/net/npf/npf_session.c: revision 1.11
- Add NPF_DECISION_BLOCK and NPF_DECISION_PASS. Be more defensive in the
packet handler. Change the default policy to block when the config is
loaded and set it to pass when flush operation is performed.
- Use kmem_zalloc(9) instead of kmem_alloc(9) in few places.
- npf_rproc_{create,release}: use kmem_intr_{alloc,free} as the destruction
of rule procedure might happen in the interrupt handler (under a very rare
condition, if config reload races with the handler).
- npf_session_establish: check whether layer 3 and 4 are cached.
- npfctl_build_group: do not make groups as passing rules.
- Remove some unecessary header inclusion.
Simplify slightly: merge iface into addr_or_iface, use it in filt_addr.
Add a small disassembler.
definitions used by the disassembler.
- better printing of type/code flags/mask
- pass the instruction start pointer, instead of subtracting 1 to account for it
- Save active config in proplib dictionary; add GETCONF ioctl to retrieve.
- Few fixes. Improve some comments.
don't leak the branch target array.
Add NPF config retrieval routines.
 1.2.14.1 24-Feb-2012  mrg sync to -current.
 1.2.10.4 22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.2.10.3 23-Jan-2013  yamt sync with head
 1.2.10.2 30-Oct-2012  yamt sync with head
 1.2.10.1 17-Apr-2012  yamt sync with head
 1.2.6.2 05-Mar-2011  rmind sync with head
 1.2.6.1 11-Nov-2010  rmind file npf_alg.c was added on branch rmind-uvmplock on 2011-03-05 20:55:54 +0000
 1.5.2.4 03-Dec-2017  jdolecek update from HEAD
 1.5.2.3 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.5.2.2 23-Jun-2013  tls resync from head
 1.5.2.1 25-Feb-2013  tls resync with head
 1.9.2.1 18-May-2014  rmind sync with head
 1.12.2.1 10-Aug-2014  tls Rebase.
 1.14.2.1 29-Aug-2014  martin Pull up following revision(s) (requested by rmind in ticket #56):
sys/net/npf/npf_ctl.c: revision 1.39
usr.sbin/npf/npfctl/npfctl.c: revision 1.43
lib/libnpf/npf.c: revision 1.33
lib/libnpf/npf.c: revision 1.34
sys/net/npf/npf_impl.h: revision 1.59
sys/net/npf/npf_ctl.c: revision 1.40
sys/net/npf/npf_conn.c: revision 1.11
sys/net/npf/npf_alg.c: revision 1.15
sys/net/npf/npf_conn.c: revision 1.12
sys/net/npf/npf_nat.c: revision 1.33
sys/net/npf/npf_nat.c: revision 1.34
Add and use npf_alg_export().
npf_conn_import: handle NAT metadata correctly.
npf_nat_newpolicy: restore the policy ID.
npfctl_load: fix error code handling for the limit cases.
npf_config_import: fix the inverted logic.
npfctl_load: improve error handling.
npf_conn_import: add a missing stat counter increment.
npf_nat_import: add a missing reference and make a comment.
npf_config_submit: finally, include the saved connections.
 1.15.4.1 07-Jan-2017  pgoyette Sync with HEAD. (Note that most of these changes are simply $NetBSD$
tag issues.)
 1.15.2.1 05-Feb-2017  skrll Sync with HEAD
 1.16.16.2 13-Apr-2020  martin Mostly merge changes from HEAD upto 20200411
 1.16.16.1 10-Jun-2019  christos Sync with HEAD
 1.16.14.2 26-Jan-2019  pgoyette Sync with HEAD
 1.16.14.1 30-Sep-2018  pgoyette Ssync with HEAD
 1.20.2.2 20-Jun-2020  martin Pull up following revision(s) (requested by rmind in ticket #956):

usr.sbin/npf/npf-params.7: revision 1.4
sys/net/npf/npf_worker.c: revision 1.9
usr.sbin/npf/npftest/npftest.h: revision 1.17
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.16
usr.sbin/npf/npf-params.7: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.21
usr.sbin/npf/npfctl/npf_build.c: revision 1.55
usr.sbin/npf/npf-params.7: revision 1.6
sys/net/npf/npfkern.h: revision 1.5
lib/libnpf/npf.c: revision 1.49
usr.sbin/npf/npf-params.7: revision 1.7
sys/net/npf/npf_impl.h: revision 1.81
sys/net/npf/npf_ext_log.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.h: revision 1.53
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.50
sys/net/npf/npf_mbuf.c: revision 1.24
sys/net/npf/npf_alg.c: revision 1.22
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: file removal
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.10
sys/net/npf/npf.h: revision 1.63
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.21
usr.sbin/npf/npfctl/npf_var.c: revision 1.13
sys/net/npf/files.npf: revision 1.23
usr.sbin/npf/npfctl/npf_show.c: revision 1.32
usr.sbin/npf/npfctl/npf.conf.5: revision 1.91
sys/net/npf/npf_os.c: revision 1.18
sys/net/npf/npf_connkey.c: revision 1.2
sys/net/npf/npf_conf.c: revision 1.17
lib/libnpf/libnpf.3: revision 1.12
usr.sbin/npf/npftest/npftest.c: revision 1.25
usr.sbin/npf/npftest/libnpftest/npf_gc_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.51
sys/net/npf/npf_tableset.c: revision 1.35
usr.sbin/npf/npftest/npftest.conf: revision 1.9
sys/net/npf/npf_sendpkt.c: revision 1.22
usr.sbin/npf/npfctl/npf_var.h: revision 1.10
sys/net/npf/npf_state.c: revision 1.23
sys/net/npf/npf_conn.h: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.64
usr.sbin/npf/npfctl/npf_cmd.c: revision 1.1
sys/net/npf/npf_portmap.c: revision 1.5
sys/net/npf/npf_params.c: revision 1.3
usr.sbin/npf/npfctl/npf_scan.l: revision 1.32
tests/net/npf/t_npf.sh: revision 1.4
sys/net/npf/npf_ext_rndblock.c: revision 1.9
lib/libnpf/npf.h: revision 1.39
sys/net/npf/npf_ruleset.c: revision 1.51
sys/net/npf/npf_alg_icmp.c: revision 1.33
sys/net/npf/npf.c: revision 1.43
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.8: revision 1.25
sys/net/npf/npf_ctl.c: revision 1.60
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.11
sys/net/npf/npf_handler.c: revision 1.49
sys/net/npf/npf_inet.c: revision 1.57
sys/net/npf/npf_ifaddr.c: revision 1.7
sys/net/npf/npf_conndb.c: revision 1.9
sys/net/npf/npf_if.c: revision 1.13
usr.sbin/npf/npfctl/Makefile: revision 1.15
sys/net/npf/npf_conn.c: revision 1.32
sys/net/npf/npf_ext_normalize.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.20
sys/net/npf/npf_worker.c: revision 1.8

Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.

npf_worker_sys{init,fini}: initialize/destroy the exit_cv condvar.

npftest -- npf_test_init(): add a workaround for NetBSD.

npf-params(7): fix the state.key defaults.

npf-params.7: s/filer/filter/

Adjust to "npfctl debug" command line changes, from rmind@.

Use more markup.
 1.20.2.1 01-Sep-2019  martin Pull up following revision(s) (requested by rmind in ticket #141):

usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.15
sys/net/npf/npf_alg.c: revision 1.21
sys/net/npf/npf.h: revision 1.62
sys/net/npf/npf_ctl.c: revision 1.57
sys/net/npf/npf_ctl.c: revision 1.58
sys/net/npf/npf_os.c: revision 1.16
sys/net/npf/npf_os.c: revision 1.17
sys/net/npf/npf_conf.c: revision 1.15
sys/net/npf/npf_impl.h: revision 1.78
sys/sys/mbuf.h: revision 1.220
sys/net/npf/npf_impl.h: revision 1.79
sys/net/npf/npf.c: revision 1.41
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.19
sys/net/npf/npf_nat.c: revision 1.48
sys/net/npf/npf_handler.c: revision 1.48
sys/net/npf/npf_ifaddr.c: revision 1.6

- npfctl_load_nvlist: simplify the config loading logic.
- Fix a small race condition in npf_nat_getaddr().
- Rework pserialize/EBR wrappers, make it easier to maintain.
Move PACKET_TAG_NPF where it belongs to.
Make npfctl_switch() and pfil private to OS-specific module.
 1.33 30-May-2020  rmind Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.

- Amend and improve the manual pages.
 1.32 23-Jul-2019  rmind branches: 1.32.2;
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.
 1.31 29-Sep-2018  rmind NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.
 1.30 23-Mar-2018  maxv branches: 1.30.2;
In addition to checking L4 in the cache, here we also need to check the
protocol. The NPF entry point does not ensure that

ICMPv6 can be set only in IPv6
ICMPv4 can be set only in IPv4

So we could have ICMPv6 in IPv4.
 1.29 22-Mar-2018  maxv Ah, fix compilation. I tested my previous change by loading the kernel
module from the filesystem, but the Makefile didn't have DIAGNOSTIC
enabled, and the two KASSERTs I added did not compile properly.
 1.28 22-Mar-2018  maxv Change npf_cache_all so that it ensures the potential ICMP Query Id is in
the nbuf. In such a way that we don't need to ensure that later.

Change npfa_icmp4_inspect and npfa_icmp6_inspect so that they touch neither
the nbuf nor npc. Adapt their callers accordingly.

In the end, if a packet has a Query Id, we set NPC_ICMP_ID in npc and leave
right away, without recaching npc (not needed since we didn't touch the
nbuf).

This fixes the handling of Query Id packets (that I broke in my previous
commit), and also fixes another possible use-after-free.
 1.27 22-Mar-2018  maxv Fix use-after-free.

The nbuf can be reallocated as a result of caching 'enpc', so it is
necessary to recache 'npc', otherwise it contains pointers to the freed
mbuf - pointers which are then used in the ruleset machinery.

We recache 'npc' when we are sure we won't use 'enpc' anymore, because
'enpc' can be clobbered as a result of caching 'npc' (in other words,
only one of the two can be cached at the same time).

Also, we recache 'npc' unconditionally, because there is no way to know
whether the nbuf got clobbered relatively to it. We can't use the
NBUF_DATAREF_RESET flag, because it is stored in the nbuf and not in the
cache.

Discussed with rmind@.
 1.26 12-Mar-2018  maxv Remove dead branches, 'npc' can't be NULL (and it is dereferenced
earlier).
 1.25 10-Dec-2017  rmind branches: 1.25.2;
- npf_cop_table: handle non-IP packets in the ether (fixes PR/52290).
- npfa_icmp_nat: do not recompute the checksum if no port translation.
- npf_normalize (MSS clamping): fix the checksum handling on PFIL_OUT.
- npflog: report the packet direction correctly.
 1.24 26-Dec-2016  christos branches: 1.24.8;
Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)
 1.23 20-Jul-2014  rmind branches: 1.23.2; 1.23.4; 1.23.6; 1.23.8; 1.23.12;
NPF: add nbuf_t * into npf_cache_t and remove unnecessary carrying by argument.
 1.22 19-Jul-2014  rmind NPF: partially rewrite the connection tracking mechanism:
- Separate the tracking interface from the storage (state table)
and thus prepare to use a new data structure for the storage.
- Fix some race conditions in NAT association logic.
 1.21 08-Jun-2014  spz fix typo in comment
 1.20 19-Feb-2014  rmind branches: 1.20.2;
NPF: fix the recent breakage of the traceroute ALG. Also, simplify and
refactor a little bit.
 1.19 16-Feb-2014  rmind NPF: pass ALG functions via npfa_funcs_t structure.
 1.18 06-Dec-2013  rmind NPF:
- Adjust NAT to not assume flow direction in some cases and thus support
less usual setups which are possible when using 'map' with a custom
filter criteria.
- Introduce NPF_SRC/NPF_DST and replace npc_src/npc_dst with npc_ips[2]
for more convenient handling.
- ICMP ALG: restrict matching only to the outgoing traffic, but be more
direction-agnostic elsewhere.
 1.17 02-Jun-2013  rmind branches: 1.17.2;
- NPF connection tracking: rework synchronisation on tracking disable/enable
points and document it. Split the worker thread into a separate module
with an interface, so it could be re-used for other tasks.
- Replace ALG list with arrays and thus hit fewer cache lines.
- Misc bug fixes.
 1.16 20-Mar-2013  christos Make ALG's autoloadable by providing in the config file:
alg "algname"
 1.15 09-Feb-2013  rmind NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
 1.14 24-Dec-2012  rmind - Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.
 1.13 16-Sep-2012  rmind npf_icmp_uniqid: split into npf_icmp_uniqid4() and npf_icmp_uniqid6() parts.
 1.12 10-Sep-2012  rmind branches: 1.12.2;
npf_icmp_uniqid: inspect the correct npc_info for IPv4/v6.
 1.11 19-Jul-2012  spz teach npf ipv6-icmp
reviewed by rmind@
 1.10 15-Jul-2012  rmind - Rework NPF tables and fix support for IPv6. Implement tree table type
using radix / Patricia tree. Universal IPv4/IPv6 comparator for ptree(3)
was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.
 1.9 20-Feb-2012  rmind - Add NPF_DECISION_BLOCK and NPF_DECISION_PASS. Be more defensive in the
packet handler. Change the default policy to block when the config is
loaded and set it to pass when flush operation is performed.
- Use kmem_zalloc(9) instead of kmem_alloc(9) in few places.
- npf_rproc_{create,release}: use kmem_intr_{alloc,free} as the destruction
of rule procedure might happen in the interrupt handler (under a very rare
condition, if config reload races with the handler).
- npf_session_establish: check whether layer 3 and 4 are cached.
- npfctl_build_group: do not make groups as passing rules.
- Remove some unecessary header inclusion.
 1.8 29-Nov-2011  rmind branches: 1.8.2; 1.8.4;
- Rework and improve TCP state tracking.
- Fix regressions after IPv6 patch merge.

Note: npfctl(8) rework will come soon.
 1.7 04-Nov-2011  zoltan Add IPv6 support for NPF.
 1.6 18-Jan-2011  rmind branches: 1.6.4; 1.6.8;
NPF checkpoint:
- Add the concept of rule procedure: separate normalization, logging and
potentially other functions from the rule structure. Rule procedure can be
shared amongst the rules. Separation is both at kernel level (npf_rproc_t)
and configuration ("procedure" + "apply").
- Fix portmap sharing for NAT policy.
- Update TCP state tracking logic. Use TCP FSM definitions.
- Add if_byindex(), OK by matt@. Use in logging for the lookup.
- Fix traceroute ALG and many other bugs; misc clean-up.
 1.5 18-Dec-2010  rmind branches: 1.5.2;
NPF checkpoint:
- Add support for session saving/restoring.
- Add packet logging support (can tcpdump a pseudo-interface).
- Support reload without flushing of sessions; rework some locking.
- Revisit session mangement, replace linking with npf_sentry_t entries.
- Add some counters for statistics, using percpu(9).
- Add IP_DF flag cleansing.
- Fix various bugs; misc clean-up.
 1.4 11-Nov-2010  rmind NPF checkpoint:
- Add proper TCP state tracking as described in Guido van Rooij paper,
plus handle TCP Window Scaling option.
- Completely rework npf_cache_t, reduce granularity, simplify code.
- Add npf_addr_t as an abstraction, amend session handling code, as well
as NAT code et al, to use it. Now design is prepared for IPv6 support.
- Handle IPv4 fragments i.e. perform packet reassembly.
- Add support for IPv4 ID randomization and minimum TTL enforcement.
- Add support for TCP MSS "clamping".
- Random bits for IPv6. Various fixes and clean-up.
 1.3 25-Sep-2010  rmind branches: 1.3.2; 1.3.4;
Add nbuf_advfetch() and simplify some code slightly.
 1.2 16-Sep-2010  rmind NPF checkpoint:
- Add support for bi-directional NAT and redirection / port forwarding.
- Finish filtering on ICMP type/code and add filtering on TCP flags.
- Add support for TCP reset (RST) or ICMP destination unreachable on block.
- Fix a bunch of bugs; misc cleanup.
 1.1 22-Aug-2010  rmind Import NPF - a packet filter. Some features:

- Designed to be fully MP-safe and highly efficient.

- Tables/IP sets (hash or red-black tree) for high performance lookups.

- Stateful filtering and Network Address Port Translation (NAPT).
Framework for application level gateways (ALGs).

- Packet inspection engine called n-code processor - inspired by BPF -
supporting generic RISC-like and specific CISC-like instructions for
common patterns (e.g. IPv4 address matching). See npf_ncode(9) manual.

- Convenient userland utility npfctl(8) with npf.conf(8).

NOTE: This is not yet a fully capable alternative to PF or IPFilter.
Further work (support for binat/rdr, return-rst/return-icmp, common ALGs,
state saving/restoring, logging, etc) is in progress.

Thanks a lot to Matt Thomas for various useful comments and code review.
Aye by: board@
 1.3.4.2 22-Oct-2010  uebayasi Sync with HEAD (-D20101022).
 1.3.4.1 25-Sep-2010  uebayasi file npf_alg_icmp.c was added on branch uebayasi-xip on 2010-10-22 09:23:14 +0000
 1.3.2.2 09-Oct-2010  yamt sync with head
 1.3.2.1 25-Sep-2010  yamt file npf_alg_icmp.c was added on branch yamt-nfs-mp on 2010-10-09 03:32:37 +0000
 1.5.2.1 06-Jun-2011  jruoho Sync with HEAD.
 1.6.8.5 22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.6.8.4 23-Jan-2013  yamt sync with head
 1.6.8.3 30-Oct-2012  yamt sync with head
 1.6.8.2 17-Apr-2012  yamt sync with head
 1.6.8.1 10-Nov-2011  yamt sync with head
 1.6.4.2 05-Mar-2011  rmind sync with head
 1.6.4.1 18-Jan-2011  rmind file npf_alg_icmp.c was added on branch rmind-uvmplock on 2011-03-05 20:55:54 +0000
 1.8.4.8 17-May-2018  martin Pull up following revision(s) via patch (requested by maxv in ticket #1549):

sys/net/npf/npf_inet.c: revision 1.45
sys/net/npf/npf_alg_icmp.c: revision 1.27,1.28

Fix use-after-free.

The nbuf can be reallocated as a result of caching 'enpc', so it is
necessary to recache 'npc', otherwise it contains pointers to the freed
mbuf - pointers which are then used in the ruleset machinery.

We recache 'npc' when we are sure we won't use 'enpc' anymore, because
'enpc' can be clobbered as a result of caching 'npc' (in other words,
only one of the two can be cached at the same time).

Also, we recache 'npc' unconditionally, because there is no way to know
whether the nbuf got clobbered relatively to it. We can't use the
NBUF_DATAREF_RESET flag, because it is stored in the nbuf and not in the
cache.

Discussed with rmind@.

Change npf_cache_all so that it ensures the potential ICMP Query Id is in
the nbuf. In such a way that we don't need to ensure that later.
Change npfa_icmp4_inspect and npfa_icmp6_inspect so that they touch neither
the nbuf nor npc. Adapt their callers accordingly.

In the end, if a packet has a Query Id, we set NPC_ICMP_ID in npc and leave
right away, without recaching npc (not needed since we didn't touch the
nbuf).

This fixes the handling of Query Id packets (that I broke in my previous
commit), and also fixes another possible use-after-free.
 1.8.4.7 11-Feb-2013  riz branches: 1.8.4.7.2;
Pull up following revision(s) (requested by rmind in ticket #817):
usr.sbin/npf/npfctl/npfctl.8: revision 1.12
usr.sbin/npf/npfctl/npf.conf.5: revision 1.27
usr.sbin/npf/npfctl/npf_parse.y: revision 1.18
usr.sbin/npf/npfctl/npf_build.c: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.28
lib/libnpf/npf.c: revision 1.16
usr.sbin/npf/npfctl/npfctl.c: revision 1.29
lib/libnpf/npf.c: revision 1.17
sys/modules/npf/Makefile: revision 1.12
sys/net/npf/npf_rproc.c: revision 1.6
usr.sbin/npf/npftest/README: revision 1.4
sys/net/npf/npf_tableset.c: revision 1.17
sys/net/npf/npf_ctl.c: revision 1.21
sys/net/npf/npf_ctl.c: revision 1.22
usr.sbin/npf/npfctl/npfctl.h: revision 1.25
lib/libnpf/npf.h: revision 1.13
usr.sbin/npf/npftest/npftest.conf: revision 1.2
usr.sbin/npf/npfctl/npfctl.h: revision 1.26
sys/net/npf/npf_ruleset.c: revision 1.17
lib/libnpf/npf.h: revision 1.14
sys/net/npf/npf_ruleset.c: revision 1.18
sys/net/npf/npf_conf.c: revision 1.1
usr.sbin/npf/npfctl/npf_scan.l: revision 1.10
sys/net/npf/npf_conf.c: revision 1.2
sys/net/npf/npf_instr.c: revision 1.16
sys/net/npf/npf_handler.c: revision 1.26
sys/net/npf/npf_impl.h: revision 1.26
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.14
sys/net/npf/npf_processor.c: revision 1.15
sys/net/npf/npf_impl.h: revision 1.27
sys/net/npf/npf_alg_icmp.c: revision 1.15
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.15
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.16
sys/net/npf/npf_ncode.h: revision 1.11
sys/net/npf/files.npf: revision 1.10
usr.sbin/npf/npftest/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.c: revision 1.30
lib/libnpf/npf.3: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.4
sys/net/npf/npf_session.c: revision 1.21
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.5
usr.sbin/npf/npfctl/npf_build.c: revision 1.18
usr.sbin/npf/npfctl/npf_build.c: revision 1.19
sys/net/npf/npf_alg.c: revision 1.7
usr.sbin/npf/npfctl/Makefile: revision 1.10
sys/net/npf/npf_inet.c: revision 1.21
sys/net/npf/npf.h: revision 1.26
sys/net/npf/npf.h: revision 1.27
usr.sbin/pf/ftp-proxy/Makefile: revision 1.8
sys/net/npf/npf_nat.c: revision 1.19
sys/net/npf/npf.c: revision 1.15
sys/net/npf/npf_state.c: revision 1.14
sys/net/npf/npf_sendpkt.c: revision 1.14
sys/rump/net/lib/libnpf/Makefile: revision 1.4
IPv6 linklocal address printing cosmetics
NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
Disable -DWITH_NPF for now; will be converted to BPF mechanism.
- Fix NPF config reload with dynamic rules present.
- Implement list and flush commands on a dynamic ruleset.
Allow filtering on IP addresses even if the L4 protocol is unknown.
Patch from spz@.
npftest: adjust for recent change.
 1.8.4.6 08-Feb-2013  riz Pull up following revision(s) (requested by rmind in ticket #777):
usr.sbin/npf/npfctl/npfctl.c: revision 1.27
sys/net/npf/npf_session.c: revision 1.19
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.4
sys/net/npf/npf_rproc.c: revision 1.5
usr.sbin/npf/npftest/README: revision 1.3
sys/sys/mbuf.h: revision 1.151
sys/net/npf/npf_ruleset.c: revision 1.15
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.3
sys/net/npf/npf_ruleset.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.4
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.4
sys/net/npf/npf_inet.c: revision 1.19
sys/net/npf/npf_instr.c: revision 1.15
sys/net/npf/npf_handler.c: revision 1.24
sys/net/npf/npf_handler.c: revision 1.25
sys/net/npf/npf_state_tcp.c: revision 1.12
sys/net/npf/npf_processor.c: revision 1.13
sys/net/npf/npf_impl.h: revision 1.25
sys/net/npf/npf_processor.c: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.10
sys/net/npf/npf_alg_icmp.c: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.9
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.3
sys/net/npf/npf_session.c: revision 1.20
sys/net/npf/npf_alg.c: revision 1.6
sys/kern/uipc_mbuf.c: revision 1.148
sys/net/npf/npf_inet.c: revision 1.20
sys/net/npf/npf.h: revision 1.25
sys/net/npf/npf_nat.c: revision 1.18
sys/net/npf/npf_state.c: revision 1.13
sys/net/npf/npf_sendpkt.c: revision 1.13
sys/net/npf/npf_ext_log.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.4
sys/net/npf/npf_ext_normalise.c: revision 1.2
- Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.
Silence gcc in npf_recache().
Add m_ensure_contig() routine, which is equivalent to m_pullup, but does not
destroy the mbuf chain on failure (it is kept valid).
- nbuf_ensure_contig: rework to use m_ensure_contig(9), which will not free
the mbuf chain on failure. Fixes some corner cases. Improve regression
test and sprinkle some asserts.
- npf_reassembly: clear nbuf on IPv6 reassembly failure path (partial fix).
The problem was found and fix provided by Anthony Mallet.
 1.8.4.5 18-Nov-2012  riz Pull up following revision(s) (requested by rmind in ticket #679):
sys/net/npf/npf_session.c: revision 1.18
usr.sbin/npf/npftest/npftest.c: revision 1.6
usr.sbin/npf/npftest/npftest.c: revision 1.7
usr.sbin/npf/npftest/npftest.c: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.5
sys/net/npf/npf_alg_icmp.c: revision 1.13
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.2
usr.sbin/npf/npftest/npfstream.c: revision 1.4
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.3
npftest:
- Do not stop running other tests, if some tests fail.
- Fix some endianness bugs in the test cases.
Tested on sparc64 by martin@, all tests pass.
Add two new command line options to help integration into ATF:
-L lists the available test cases, -T executes a single named test.
Fix printf format
Mark npf_session_worker as __dead.
More __dead
npf_icmp_uniqid: split into npf_icmp_uniqid4() and npf_icmp_uniqid6() parts.
 1.8.4.4 13-Sep-2012  riz Pull up following revision(s) (requested by rmind in ticket #555):
sys/net/npf/npf_alg_icmp.c: revision 1.12
npf_icmp_uniqid: inspect the correct npc_info for IPv4/v6.
 1.8.4.3 25-Jul-2012  jdc branches: 1.8.4.3.2;
Pull up revisions:
src/usr.sbin/npf/npfctl/npfctl.c revisions 1.16,1.17
src/sys/net/npf/npf.h revision 1.20
src/sys/net/npf/npf_alg_icmp.c revision 1.11
src/sys/net/npf/npf_impl.h revision 1.19
src/sys/net/npf/npf_inet.c revisions 1.15,1.16
src/sys/net/npf/npf_instr.c revision 1.14
src/sys/net/npf/npf_ncode.h revision 1.10
src/sys/net/npf/npf_processor.c revision 1.12
src/sys/net/npf/npf_session.c revision 1.16
src/usr.sbin/npf/npfctl/npf_build.c revision 1.12
src/usr.sbin/npf/npfctl/npf_data.c revisions 1.16,1.17
src/usr.sbin/npf/npfctl/npf_disassemble.c revision 1.8
src/usr.sbin/npf/npfctl/npf_ncgen.c revision 1.13
src/usr.sbin/npf/npfctl/npf_parse.y revision 1.11
src/usr.sbin/npf/npfctl/npf_scan.l revision 1.5
src/usr.sbin/npf/npfctl/npf_var.h revision 1.3
src/usr.sbin/npf/npfctl/npfctl.h revision 1.18
src/sys/net/npf/npf_state.c revision 1.10
src/sys/net/npf/npf_state_tcp.c revision 1.10
src/usr.sbin/npf/npftest/npfstream.c revision 1.2
src/usr.sbin/npf/npftest/libnpftest/npf_test_subr.c revision 1.2
(requested by rmind in ticket #435).

Add missing __dead.

teach npf ipv6-icmp
reviewed by rmind@

- npfctl_print_stats: beautification a la French style.
- npfctl_icmpcode: fix the build break.

- npf_fetch_tcpopts: fix off-by-one when validating TCP option length
against the maximum allowed.
- npf_tcp_inwindow: be more liberal with npf_fetch_tcpopts().
- Few minor improvements to npftest.
 1.8.4.2 16-Jul-2012  riz Pull up following revision(s) (requested by rmind in ticket #421):
lib/libnpf/npf.c: revision 1.10
sys/net/npf/npf_session.c: revision 1.15
sys/net/npf/npf_tableset.c: revision 1.13
sys/net/npf/npf_state_tcp.c: revision 1.9
usr.sbin/npf/npfctl/npf_data.c: revision 1.15
sys/net/npf/npf_inet.c: revision 1.14
sys/net/npf/npf_ruleset.c: revision 1.13
sys/net/npf/npf.h: revision 1.19
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.12
sys/net/npf/npf_instr.c: revision 1.13
sys/net/npf/npf_handler.c: revision 1.20
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.4
sys/net/npf/npf_alg_icmp.c: revision 1.10
usr.sbin/npf/npfctl/npfctl.c: revision 1.15
usr.sbin/npf/npfctl/npf_build.c: revision 1.11
lib/libnpf/npf.h: revision 1.9
sys/net/npf/npf_alg.c: revision 1.5
sys/rump/dev/lib/libnpf/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.h: revision 1.17
sys/net/npf/npf_ctl.c: revision 1.16
sys/net/npf/npf_nat.c: revision 1.15
sys/net/npf/npf_tableset_ptree.c: revision 1.1
sys/net/npf/npf.c: revision 1.12
sys/net/npf/npf_sendpkt.c: revision 1.12
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.7
sys/net/npf/npf_impl.h: revision 1.18
sys/net/npf/files.npf: revision 1.7
usr.sbin/npf/npfctl/npf_parse.y: revision 1.10
- Rework NPF tables and fix support for IPv6. Implement tree table type
using radix / Patricia tree. Universal IPv4/IPv6 comparator for ptree(3)
was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.
 1.8.4.1 03-Apr-2012  riz Pull up following revision(s) (requested by rmind in ticket #158):
sys/net/npf/npf_session.c: revision 1.12
sys/net/npf/npf_tableset.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.2
usr.sbin/npf/npfctl/npf_parse.y: revision 1.4
sys/net/npf/npf_inet.c: revision 1.11
sys/net/npf/npf.h: revision 1.15
usr.sbin/npf/npfctl/npf_build.c: revision 1.5
sys/net/npf/npf_ruleset.c: revision 1.11
sys/net/npf/npf_instr.c: revision 1.10
usr.sbin/npf/npfctl/Makefile: revision 1.6
sys/net/npf/npf_processor.c: revision 1.10
sys/net/npf/npf_log.c: revision 1.3
lib/libnpf/npf.h: revision 1.7
sys/net/npf/npf_alg.c: revision 1.3
sys/net/npf/npf_sendpkt.c: revision 1.9
lib/libnpf/npf.c: revision 1.8
usr.sbin/npf/npfctl/npfctl.h: revision 1.13
sys/net/npf/npf_ctl.c: revision 1.13
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.8
sys/net/npf/npf_ctl.c: revision 1.14
sys/net/npf/npf_nat.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.12
sys/net/npf/npf_impl.h: revision 1.11
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.1
sys/net/npf/npf_impl.h: revision 1.12
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.2
sys/net/npf/npf_handler.c: revision 1.14
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.3
sys/net/npf/npf_handler.c: revision 1.15
sys/net/npf/npf_ncode.h: revision 1.6
sys/net/npf/npf.c: revision 1.8
sys/net/npf/npf.c: revision 1.9
sys/net/npf/npf_alg_icmp.c: revision 1.9
sys/net/npf/npf_session.c: revision 1.11
- Add NPF_DECISION_BLOCK and NPF_DECISION_PASS. Be more defensive in the
packet handler. Change the default policy to block when the config is
loaded and set it to pass when flush operation is performed.
- Use kmem_zalloc(9) instead of kmem_alloc(9) in few places.
- npf_rproc_{create,release}: use kmem_intr_{alloc,free} as the destruction
of rule procedure might happen in the interrupt handler (under a very rare
condition, if config reload races with the handler).
- npf_session_establish: check whether layer 3 and 4 are cached.
- npfctl_build_group: do not make groups as passing rules.
- Remove some unecessary header inclusion.
Simplify slightly: merge iface into addr_or_iface, use it in filt_addr.
Add a small disassembler.
definitions used by the disassembler.
- better printing of type/code flags/mask
- pass the instruction start pointer, instead of subtracting 1 to account for it
- Save active config in proplib dictionary; add GETCONF ioctl to retrieve.
- Few fixes. Improve some comments.
don't leak the branch target array.
Add NPF config retrieval routines.
 1.8.4.7.2.1 17-May-2018  martin Pull up following revision(s) via patch (requested by maxv in ticket #1549):

sys/net/npf/npf_inet.c: revision 1.45
sys/net/npf/npf_alg_icmp.c: revision 1.27,1.28

Fix use-after-free.

The nbuf can be reallocated as a result of caching 'enpc', so it is
necessary to recache 'npc', otherwise it contains pointers to the freed
mbuf - pointers which are then used in the ruleset machinery.

We recache 'npc' when we are sure we won't use 'enpc' anymore, because
'enpc' can be clobbered as a result of caching 'npc' (in other words,
only one of the two can be cached at the same time).

Also, we recache 'npc' unconditionally, because there is no way to know
whether the nbuf got clobbered relatively to it. We can't use the
NBUF_DATAREF_RESET flag, because it is stored in the nbuf and not in the
cache.

Discussed with rmind@.

Change npf_cache_all so that it ensures the potential ICMP Query Id is in
the nbuf. In such a way that we don't need to ensure that later.
Change npfa_icmp4_inspect and npfa_icmp6_inspect so that they touch neither
the nbuf nor npc. Adapt their callers accordingly.

In the end, if a packet has a Query Id, we set NPC_ICMP_ID in npc and leave
right away, without recaching npc (not needed since we didn't touch the
nbuf).

This fixes the handling of Query Id packets (that I broke in my previous
commit), and also fixes another possible use-after-free.
 1.8.4.3.2.1 01-Nov-2012  matt sync with netbsd-6-0-RELEASE.
 1.8.2.1 24-Feb-2012  mrg sync to -current.
 1.12.2.5 03-Dec-2017  jdolecek update from HEAD
 1.12.2.4 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.12.2.3 23-Jun-2013  tls resync from head
 1.12.2.2 25-Feb-2013  tls resync with head
 1.12.2.1 20-Nov-2012  tls Resync to 2012-11-19 00:00:00 UTC
 1.17.2.1 18-May-2014  rmind sync with head
 1.20.2.1 10-Aug-2014  tls Rebase.
 1.23.12.1 14-May-2018  martin Pull up following revision(s) (requested by maxv in ticket #1605):

sys/net/npf/npf_inet.c: revision 1.45
sys/net/npf/npf_alg_icmp.c: revision 1.27-1.29

Fix use-after-free.

The nbuf can be reallocated as a result of caching 'enpc', so it is
necessary to recache 'npc', otherwise it contains pointers to the freed
mbuf - pointers which are then used in the ruleset machinery.
We recache 'npc' when we are sure we won't use 'enpc' anymore, because
'enpc' can be clobbered as a result of caching 'npc' (in other words,
only one of the two can be cached at the same time).
Also, we recache 'npc' unconditionally, because there is no way to know
whether the nbuf got clobbered relatively to it. We can't use the
NBUF_DATAREF_RESET flag, because it is stored in the nbuf and not in the
cache.
Discussed with rmind@.

Change npf_cache_all so that it ensures the potential ICMP Query Id is in
the nbuf. In such a way that we don't need to ensure that later.
Change npfa_icmp4_inspect and npfa_icmp6_inspect so that they touch neither
the nbuf nor npc. Adapt their callers accordingly.
In the end, if a packet has a Query Id, we set NPC_ICMP_ID in npc and leave
right away, without recaching npc (not needed since we didn't touch the
nbuf).
This fixes the handling of Query Id packets (that I broke in my previous
commit), and also fixes another possible use-after-free.

Ah, fix compilation. I tested my previous change by loading the kernel
module from the filesystem, but the Makefile didn't have DIAGNOSTIC
enabled, and the two KASSERTs I added did not compile properly.
 1.23.8.1 07-Jan-2017  pgoyette Sync with HEAD. (Note that most of these changes are simply $NetBSD$
tag issues.)
 1.23.6.1 14-May-2018  martin Pull up following revision(s) (requested by maxv in ticket #1605):

sys/net/npf/npf_inet.c: revision 1.45
sys/net/npf/npf_alg_icmp.c: revision 1.27-1.29

Fix use-after-free.

The nbuf can be reallocated as a result of caching 'enpc', so it is
necessary to recache 'npc', otherwise it contains pointers to the freed
mbuf - pointers which are then used in the ruleset machinery.
We recache 'npc' when we are sure we won't use 'enpc' anymore, because
'enpc' can be clobbered as a result of caching 'npc' (in other words,
only one of the two can be cached at the same time).
Also, we recache 'npc' unconditionally, because there is no way to know
whether the nbuf got clobbered relatively to it. We can't use the
NBUF_DATAREF_RESET flag, because it is stored in the nbuf and not in the
cache.
Discussed with rmind@.

Change npf_cache_all so that it ensures the potential ICMP Query Id is in
the nbuf. In such a way that we don't need to ensure that later.
Change npfa_icmp4_inspect and npfa_icmp6_inspect so that they touch neither
the nbuf nor npc. Adapt their callers accordingly.
In the end, if a packet has a Query Id, we set NPC_ICMP_ID in npc and leave
right away, without recaching npc (not needed since we didn't touch the
nbuf).
This fixes the handling of Query Id packets (that I broke in my previous
commit), and also fixes another possible use-after-free.

Ah, fix compilation. I tested my previous change by loading the kernel
module from the filesystem, but the Makefile didn't have DIAGNOSTIC
enabled, and the two KASSERTs I added did not compile properly.
 1.23.4.1 05-Feb-2017  skrll Sync with HEAD
 1.23.2.1 14-May-2018  martin Pull up following revision(s) (requested by maxv in ticket #1605):

sys/net/npf/npf_inet.c: revision 1.45
sys/net/npf/npf_alg_icmp.c: revision 1.27-1.29

Fix use-after-free.

The nbuf can be reallocated as a result of caching 'enpc', so it is
necessary to recache 'npc', otherwise it contains pointers to the freed
mbuf - pointers which are then used in the ruleset machinery.
We recache 'npc' when we are sure we won't use 'enpc' anymore, because
'enpc' can be clobbered as a result of caching 'npc' (in other words,
only one of the two can be cached at the same time).
Also, we recache 'npc' unconditionally, because there is no way to know
whether the nbuf got clobbered relatively to it. We can't use the
NBUF_DATAREF_RESET flag, because it is stored in the nbuf and not in the
cache.
Discussed with rmind@.

Change npf_cache_all so that it ensures the potential ICMP Query Id is in
the nbuf. In such a way that we don't need to ensure that later.
Change npfa_icmp4_inspect and npfa_icmp6_inspect so that they touch neither
the nbuf nor npc. Adapt their callers accordingly.
In the end, if a packet has a Query Id, we set NPC_ICMP_ID in npc and leave
right away, without recaching npc (not needed since we didn't touch the
nbuf).
This fixes the handling of Query Id packets (that I broke in my previous
commit), and also fixes another possible use-after-free.

Ah, fix compilation. I tested my previous change by loading the kernel
module from the filesystem, but the Makefile didn't have DIAGNOSTIC
enabled, and the two KASSERTs I added did not compile properly.
 1.24.8.2 14-May-2018  martin Pull up following revision(s) (requested by maxv in ticket #823):

sys/net/npf/npf_inet.c: revision 1.45-1.47
sys/net/npf/npf_alg_icmp.c: revision 1.27-1.30
sys/net/npf/npf_sendpkt.c: revision 1.19

Fix use-after-free.

The nbuf can be reallocated as a result of caching 'enpc', so it is
necessary to recache 'npc', otherwise it contains pointers to the freed
mbuf - pointers which are then used in the ruleset machinery.

We recache 'npc' when we are sure we won't use 'enpc' anymore, because
'enpc' can be clobbered as a result of caching 'npc' (in other words,
only one of the two can be cached at the same time).
Also, we recache 'npc' unconditionally, because there is no way to know
whether the nbuf got clobbered relatively to it. We can't use the
NBUF_DATAREF_RESET flag, because it is stored in the nbuf and not in the
cache.

Discussed with rmind@.

Change npf_cache_all so that it ensures the potential ICMP Query Id is in
the nbuf. In such a way that we don't need to ensure that later.
Change npfa_icmp4_inspect and npfa_icmp6_inspect so that they touch neither
the nbuf nor npc. Adapt their callers accordingly.

In the end, if a packet has a Query Id, we set NPC_ICMP_ID in npc and leave
right away, without recaching npc (not needed since we didn't touch the
nbuf).

This fixes the handling of Query Id packets (that I broke in my previous
commit), and also fixes another possible use-after-free.

Retrieve the complete IPv4 header right away, and make sure we did retrieve
the IPv6 option header we were iterating on.

Ah, fix compilation. I tested my previous change by loading the kernel
module from the filesystem, but the Makefile didn't have DIAGNOSTIC
enabled, and the two KASSERTs I added did not compile properly.

If we fail to advance inside TCP/UDP/ICMPv4/ICMPv6, stop pretending L4
is unknown, and error out right away.

This prevents bugs in machinery, if a place looks for L4 in 'npc_proto'
without checking the cache too. I've seen a ~similar problem already.

In addition to checking L4 in the cache, here we also need to check the
protocol. The NPF entry point does not ensure that
ICMPv6 can be set only in IPv6
ICMPv4 can be set only in IPv4
So we could have ICMPv6 in IPv4.

apply some INET6 so this compiles in INET6-less kernels again.
 1.24.8.1 09-May-2018  martin Pull up following revision(s) (requested by maxv in ticket #817):

sys/net/npf/npf_inet.c: revision 1.38-1.44
sys/net/npf/npf_handler.c: revision 1.38-1.39
sys/net/npf/npf_alg_icmp.c: revision 1.26
sys/net/npf/npf.h: revision 1.56
sys/net/npf/npf_sendpkt.c: revision 1.17-1.18

Declare NPC_FMTERR, and use it to kick malformed packets. Several sanity
checks are added in IPv6; after we see the first IPPROTO_FRAGMENT header,
we are allowed to fail to advance, otherwise we kick the packet.
Sent on tech-net@ a few days ago, no response, but I'm committing it now
anyway.

Switch nptr to uint8_t, and use nbuf_ensure_contig. Makes us use fewer
magic values.

Remove dead branches, 'npc' can't be NULL (and it is dereferenced
earlier).

Fix two consecutive mistakes.

The first mistake was npf_inet.c rev1.37:
"Don't reassemble ipv6 fragments, instead treat the first fragment
as a regular packet (subject to filtering rules), and pass
subsequent fragments in the same group unconditionally."

Doing this was entirely wrong, because then a packet just had to push
the L4 payload in a secondary fragment, and NPF wouldn't apply rules on
it - meaning any IPv6 packet could bypass >=L4 filtering. This mistake
was supposed to be a fix for the second mistake.

The second mistake was that ip6_reass_packet (in npf_reassembly) was
getting called with npc->npc_hlen. But npc_hlen pointed to the last
encountered header in the IPv6 chain, which was not necessarily the
fragment header. So ip6_reass_packet was given garbage, and would fail,
resulting in the packet getting kicked. So basically IPv6 was broken by
NPF.

The first mistake is reverted, and the second one is fixed by doing:
- hlen = sizeof(struct ip6_frag);
+ hlen = 0;

Now the iteration stops on the fragment header, and the call to
ip6_reass_packet is valid.

My npf_inet.c rev1.38 is partially reverted: we don't need to worry
about failing properly to advance; once the packet is reassembled
npf_cache_ip gets called again, and this time the whole chain should be
there.

Tested with a simple UDPv6 server - send a 3000-byte-sized buffer, the
packet gets correctly reassembled by NPF now.

Mmh, put back the RFC6946 check (about dummy fragments), otherwise NPF
is not happy in npf_reassembly, because NPC_IPFRAG is again returned after
the packet was reassembled.

I'm wondering whether it would not be better to just remove the fragment
header in frag6_input directly.

Fix the "return-rst" rule on IPv6 packets.
The scopes needed to be set on the addresses before invoking ip6_output,
because ip6_output needs them. The reason they are not here already is
because pfil_run_hooks (in ip6_input) is called _before_ the kernel
initializes the scopes.

Until now ip6_output was always failing, and the IPv6-TCP-RST packet was
never actually sent.

Perhaps it would be better to have the kernel initialize the scopes
before invoking pfil_run_hooks, but several things will need to be fixed
in several places.

Tested with a simple TCPv6 server. Until now the client would block
waiting for an answer that never came; now it receives an RST right away
and closes the connection, as expected.
I believe that the same problem exists in the "return-icmp" rules, but I
can't investigate this right now (some problems with wireshark).

Fix the IPv6 payload computation in npf_tcpsaw. It was incorrect, and this
caused the "return-rst" rules to send back an RST with the wrong ACK when
the received SYN had an IPv6 option.

Set the scopes before calling icmp6_error(). This fixes a bug similar to
the one I fixed in rev1.17: since the scopes were not set the packet was
never actually sent.

Tested with wireshark, now the ICMPv6 reply is correctly sent, as
expected.

Don't read the L4 payload after IPPROTO_AH when handling IPv6 packets.
AH must be considered as the payload, otherwise a

block all
pass in proto ah from any
pass out proto ah from any

configuration will actually block everything, because NPF checks the
protocol against the one found after AH, and not AH itself.

In addition it may have been a problem for stateful connections; an AH
packet sent by an attacker with an incorrect authentication and a correct
TCP/UDP/whatever payload from an active connection could manage to change
NPF's FSM state, which would perhaps have altered the legitimate
connection with the authenticated remote IPsec host.

Note that IPv4 already doesn't go beyond AH, which is the correct
behavior.

Add XXX (we don't handle IPv6 Jumbograms), and whitespace.
 1.25.2.3 30-Sep-2018  pgoyette Ssync with HEAD
 1.25.2.2 30-Mar-2018  pgoyette Resolve conflicts between branch and HEAD
 1.25.2.1 15-Mar-2018  pgoyette Synch with HEAD
 1.30.2.2 13-Apr-2020  martin Mostly merge changes from HEAD upto 20200411
 1.30.2.1 10-Jun-2019  christos Sync with HEAD
 1.32.2.1 20-Jun-2020  martin Pull up following revision(s) (requested by rmind in ticket #956):

usr.sbin/npf/npf-params.7: revision 1.4
sys/net/npf/npf_worker.c: revision 1.9
usr.sbin/npf/npftest/npftest.h: revision 1.17
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.16
usr.sbin/npf/npf-params.7: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.21
usr.sbin/npf/npfctl/npf_build.c: revision 1.55
usr.sbin/npf/npf-params.7: revision 1.6
sys/net/npf/npfkern.h: revision 1.5
lib/libnpf/npf.c: revision 1.49
usr.sbin/npf/npf-params.7: revision 1.7
sys/net/npf/npf_impl.h: revision 1.81
sys/net/npf/npf_ext_log.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.h: revision 1.53
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.50
sys/net/npf/npf_mbuf.c: revision 1.24
sys/net/npf/npf_alg.c: revision 1.22
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: file removal
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.10
sys/net/npf/npf.h: revision 1.63
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.21
usr.sbin/npf/npfctl/npf_var.c: revision 1.13
sys/net/npf/files.npf: revision 1.23
usr.sbin/npf/npfctl/npf_show.c: revision 1.32
usr.sbin/npf/npfctl/npf.conf.5: revision 1.91
sys/net/npf/npf_os.c: revision 1.18
sys/net/npf/npf_connkey.c: revision 1.2
sys/net/npf/npf_conf.c: revision 1.17
lib/libnpf/libnpf.3: revision 1.12
usr.sbin/npf/npftest/npftest.c: revision 1.25
usr.sbin/npf/npftest/libnpftest/npf_gc_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.51
sys/net/npf/npf_tableset.c: revision 1.35
usr.sbin/npf/npftest/npftest.conf: revision 1.9
sys/net/npf/npf_sendpkt.c: revision 1.22
usr.sbin/npf/npfctl/npf_var.h: revision 1.10
sys/net/npf/npf_state.c: revision 1.23
sys/net/npf/npf_conn.h: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.64
usr.sbin/npf/npfctl/npf_cmd.c: revision 1.1
sys/net/npf/npf_portmap.c: revision 1.5
sys/net/npf/npf_params.c: revision 1.3
usr.sbin/npf/npfctl/npf_scan.l: revision 1.32
tests/net/npf/t_npf.sh: revision 1.4
sys/net/npf/npf_ext_rndblock.c: revision 1.9
lib/libnpf/npf.h: revision 1.39
sys/net/npf/npf_ruleset.c: revision 1.51
sys/net/npf/npf_alg_icmp.c: revision 1.33
sys/net/npf/npf.c: revision 1.43
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.8: revision 1.25
sys/net/npf/npf_ctl.c: revision 1.60
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.11
sys/net/npf/npf_handler.c: revision 1.49
sys/net/npf/npf_inet.c: revision 1.57
sys/net/npf/npf_ifaddr.c: revision 1.7
sys/net/npf/npf_conndb.c: revision 1.9
sys/net/npf/npf_if.c: revision 1.13
usr.sbin/npf/npfctl/Makefile: revision 1.15
sys/net/npf/npf_conn.c: revision 1.32
sys/net/npf/npf_ext_normalize.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.20
sys/net/npf/npf_worker.c: revision 1.8

Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.

npf_worker_sys{init,fini}: initialize/destroy the exit_cv condvar.

npftest -- npf_test_init(): add a workaround for NetBSD.

npf-params(7): fix the state.key defaults.

npf-params.7: s/filer/filter/

Adjust to "npfctl debug" command line changes, from rmind@.

Use more markup.
 1.14 29-Sep-2018  rmind NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.
 1.13 10-Dec-2017  rmind branches: 1.13.2; 1.13.4;
- npf_cop_table: handle non-IP packets in the ether (fixes PR/52290).
- npfa_icmp_nat: do not recompute the checksum if no port translation.
- npf_normalize (MSS clamping): fix the checksum handling on PFIL_OUT.
- npflog: report the packet direction correctly.
 1.12 26-Dec-2016  christos Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)
 1.11 20-Jul-2014  rmind branches: 1.11.4; 1.11.6; 1.11.10;
NPF: add nbuf_t * into npf_cache_t and remove unnecessary carrying by argument.
 1.10 30-Jun-2014  rmind NPF: use BPF JIT by default.
 1.9 29-Jun-2014  rmind NPF:
- Populate the BPF external memory store with L3 information.
- Eliminate NPF_COP_L3 call and just use the data in the memstore.
- Bump NPF_VERSION.
 1.8 25-Jun-2014  rmind Adjust NPF to the recent BPF / BPF JIT changes and make it work again.
All regression tests are happy now (hi alnsn!).
 1.7 24-Jun-2014  alnsn Fix signatures of copfuncs.
 1.6 06-Dec-2013  rmind branches: 1.6.2; 1.6.4; 1.6.6;
NPF:
- Adjust NAT to not assume flow direction in some cases and thus support
less usual setups which are possible when using 'map' with a custom
filter criteria.
- Introduce NPF_SRC/NPF_DST and replace npc_src/npc_dst with npc_ips[2]
for more convenient handling.
- ICMP ALG: restrict matching only to the outgoing traffic, but be more
direction-agnostic elsewhere.
 1.5 23-Nov-2013  rmind Move initialisation of bpf_args_t into the npf_ruleset_inspect().
This allows us to reuse the BPF memory store as a cache.
 1.4 16-Nov-2013  rmind NPF: convert to bpf_jit_generate()/bpf_jit_freecode().
 1.3 15-Nov-2013  rmind - Add bpf_args_t and convert bpf_filter_ext() to use it. This allows the
caller to initialise (and re-use) the memory store.
- Add bpf_jit_generate() and bpf_jit_freecode() wrappers.
 1.2 12-Nov-2013  rmind NPF: add support for table naming and remove NPF_TABLE_SLOTS (there is
just an arbitrary sanity limit of NPF_MAX_TABLES currently set to 128).

Few misc fixes. Bump NPF_VERSION.
 1.1 19-Sep-2013  rmind - Convert NPF to use BPF byte-code by default. Compile BPF byte-code in
npfctl(8) and generate separate marks to describe the filter criteria.
- Rewrite 'npfctl show' functionality and fix some of the bugs.
- npftest: add a test for BPF COP.
- Bump NPF_VERSION.
 1.6.6.2 22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.6.6.1 06-Dec-2013  yamt file npf_bpf.c was added on branch yamt-pagecache on 2014-05-22 11:41:09 +0000
 1.6.4.2 18-May-2014  rmind sync with head
 1.6.4.1 06-Dec-2013  rmind file npf_bpf.c was added on branch rmind-smpnet on 2014-05-18 17:46:13 +0000
 1.6.2.1 10-Aug-2014  tls Rebase.
 1.11.10.1 07-Jan-2017  pgoyette Sync with HEAD. (Note that most of these changes are simply $NetBSD$
tag issues.)
 1.11.6.1 05-Feb-2017  skrll Sync with HEAD
 1.11.4.3 03-Dec-2017  jdolecek update from HEAD
 1.11.4.2 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.11.4.1 20-Jul-2014  tls file npf_bpf.c was added on branch tls-maxphys on 2014-08-20 00:04:35 +0000
 1.13.4.1 10-Jun-2019  christos Sync with HEAD
 1.13.2.1 30-Sep-2018  pgoyette Ssync with HEAD
 1.18 13-Feb-2022  riastradh npf(4): Use atomic_store_release and atomic_load_consume for config.

...or atomic_load_relaxed, when the config is locked. (Not necessary
to use atomic_* at all in NetBSD, but in C11 it will be cheaper to
say atomic_load_relaxed explicitly so an _Atomic-qualified object
doesn't cause the load to be surrounded by unnecessary membars.)

No need for store-before-load ordering here, so no need to
membar_sync.
 1.17 30-May-2020  rmind Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.

- Amend and improve the manual pages.
 1.16 23-May-2020  rmind Backport selected NPF fixes from the upstream (to be pulled up):

- npf_conndb_lookup: protect the connection lookup with pserialize(9),
instead of incorrectly assuming that the handler always runs at IPL_SOFNET.
Should fix crashes reported on high load (PR/55182).

- npf_config_destroy: handle partially initialized config; fixes crashes
with some invalid configurations.

- NAT policy creation / destruction: set the initial reference and do not
wait for reference draining on destruction; destroy the policy on the
last reference drop instead. Fixes a lockup with the dynamic NAT rules.

- npf_nat_{export,import}: fix a regression since dynamic NAT rules.

- npfctl: fix a regression and restore the default group behaviour.

- Add npf_cache_tcp() and validate the TCP data offset (from maxv@).
 1.15 25-Aug-2019  rmind - npfctl_load_nvlist: simplify the config loading logic.
- Fix a small race condition in npf_nat_getaddr().
- Rework pserialize/EBR wrappers, make it easier to maintain.
 1.14 11-Aug-2019  rmind Adjust some internal NPF APIs:
* npfkern: use the npfk_ prefix.
* NPF portmap: amend the API so it could be used elsewhere.
* Make npf_connkey_t public.
 1.13 23-Jul-2019  rmind branches: 1.13.2;
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.
 1.12 29-Sep-2018  rmind NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.
 1.11 03-Jan-2017  rmind branches: 1.11.14; 1.11.16;
NPF: fix the interface table initialisation on load.
 1.10 26-Dec-2016  christos Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)
 1.9 30-Nov-2014  rmind branches: 1.9.2;
- npf_config_load: if loading the connections, do not perform any actice
NAT policy take over or or portmap sharing - just replace them all.
- npf_config_fini: flush with the empty connection database.
- npf_nat_import: fix the stat counter.
 1.8 11-Aug-2014  rmind branches: 1.8.2; 1.8.4;
NPF: finish up the rework of npfctl_save() mechanism.
 1.7 23-Jul-2014  rmind NPF: rework of the connection saving and restoring:
- Add support for saving a snapshot of the current connections together
with a full configuration. Support a reverse load operation. Eliminate
the old 'sess-save' and 'sess-load' in favour of the new mechanism.
- Share code between load and reload operations: the latter performs
load from npf.conf without affecting the connections.
- Simplify and fix races with connection loading.
- Bump NPF_VERSION.
 1.6 30-May-2014  rmind - npf_nat_freepolicy: handle a race condition when a new connection might
be associated with a NAT policy which is going away and npfctl reload
would wait for its natural expiration (potentially long time).
- Remove npf_ruleset_natreload() by merging into npf_ruleset_reload().
- npf_ruleset_reload: eliminate a small time period when a valid NAT
policy might be inactive during the reload operation.
 1.5 22-Nov-2013  rmind branches: 1.5.2; 1.5.4;
Add npf_tableset_syncdict() to sync the table IDs in the proplib dictionary,
as they can change on reload now. Also, fix table name checking in npfctl.
 1.4 12-Nov-2013  rmind NPF: add support for table naming and remove NPF_TABLE_SLOTS (there is
just an arbitrary sanity limit of NPF_MAX_TABLES currently set to 128).

Few misc fixes. Bump NPF_VERSION.
 1.3 08-Nov-2013  rmind NPF: add support for specifying the interfaces before they are attached.
If an interface is or gets detached, all associated rules and connections
will be deactivated (it might be useful to have an option to invalidate
the associated connections). Once the interface is reattached they will
become active.

Bump NPF_VERSION.
 1.2 10-Feb-2013  rmind branches: 1.2.2; 1.2.4; 1.2.6;
- Fix NPF config reload with dynamic rules present.
- Implement list and flush commands on a dynamic ruleset.
 1.1 09-Feb-2013  rmind NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
 1.2.6.4 03-Dec-2017  jdolecek update from HEAD
 1.2.6.3 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.2.6.2 25-Feb-2013  tls resync with head
 1.2.6.1 10-Feb-2013  tls file npf_conf.c was added on branch tls-maxphys on 2013-02-25 00:30:02 +0000
 1.2.4.1 18-May-2014  rmind sync with head
 1.2.2.2 11-Feb-2013  riz Pull up following revision(s) (requested by rmind in ticket #817):
usr.sbin/npf/npfctl/npfctl.8: revision 1.12
usr.sbin/npf/npfctl/npf.conf.5: revision 1.27
usr.sbin/npf/npfctl/npf_parse.y: revision 1.18
usr.sbin/npf/npfctl/npf_build.c: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.28
lib/libnpf/npf.c: revision 1.16
usr.sbin/npf/npfctl/npfctl.c: revision 1.29
lib/libnpf/npf.c: revision 1.17
sys/modules/npf/Makefile: revision 1.12
sys/net/npf/npf_rproc.c: revision 1.6
usr.sbin/npf/npftest/README: revision 1.4
sys/net/npf/npf_tableset.c: revision 1.17
sys/net/npf/npf_ctl.c: revision 1.21
sys/net/npf/npf_ctl.c: revision 1.22
usr.sbin/npf/npfctl/npfctl.h: revision 1.25
lib/libnpf/npf.h: revision 1.13
usr.sbin/npf/npftest/npftest.conf: revision 1.2
usr.sbin/npf/npfctl/npfctl.h: revision 1.26
sys/net/npf/npf_ruleset.c: revision 1.17
lib/libnpf/npf.h: revision 1.14
sys/net/npf/npf_ruleset.c: revision 1.18
sys/net/npf/npf_conf.c: revision 1.1
usr.sbin/npf/npfctl/npf_scan.l: revision 1.10
sys/net/npf/npf_conf.c: revision 1.2
sys/net/npf/npf_instr.c: revision 1.16
sys/net/npf/npf_handler.c: revision 1.26
sys/net/npf/npf_impl.h: revision 1.26
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.14
sys/net/npf/npf_processor.c: revision 1.15
sys/net/npf/npf_impl.h: revision 1.27
sys/net/npf/npf_alg_icmp.c: revision 1.15
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.15
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.16
sys/net/npf/npf_ncode.h: revision 1.11
sys/net/npf/files.npf: revision 1.10
usr.sbin/npf/npftest/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.c: revision 1.30
lib/libnpf/npf.3: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.4
sys/net/npf/npf_session.c: revision 1.21
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.5
usr.sbin/npf/npfctl/npf_build.c: revision 1.18
usr.sbin/npf/npfctl/npf_build.c: revision 1.19
sys/net/npf/npf_alg.c: revision 1.7
usr.sbin/npf/npfctl/Makefile: revision 1.10
sys/net/npf/npf_inet.c: revision 1.21
sys/net/npf/npf.h: revision 1.26
sys/net/npf/npf.h: revision 1.27
usr.sbin/pf/ftp-proxy/Makefile: revision 1.8
sys/net/npf/npf_nat.c: revision 1.19
sys/net/npf/npf.c: revision 1.15
sys/net/npf/npf_state.c: revision 1.14
sys/net/npf/npf_sendpkt.c: revision 1.14
sys/rump/net/lib/libnpf/Makefile: revision 1.4
IPv6 linklocal address printing cosmetics
NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
Disable -DWITH_NPF for now; will be converted to BPF mechanism.
- Fix NPF config reload with dynamic rules present.
- Implement list and flush commands on a dynamic ruleset.
Allow filtering on IP addresses even if the L4 protocol is unknown.
Patch from spz@.
npftest: adjust for recent change.
 1.2.2.1 10-Feb-2013  riz file npf_conf.c was added on branch netbsd-6 on 2013-02-11 21:49:48 +0000
 1.5.4.2 22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.5.4.1 22-Nov-2013  yamt file npf_conf.c was added on branch yamt-pagecache on 2014-05-22 11:41:09 +0000
 1.5.2.1 10-Aug-2014  tls Rebase.
 1.8.4.2 05-Feb-2017  skrll Sync with HEAD
 1.8.4.1 06-Apr-2015  skrll Sync with HEAD
 1.8.2.1 01-Dec-2014  martin Pull up following revision(s) (requested by rmind in ticket #280):
sys/net/npf/npf_ruleset.c: revision 1.40
sys/net/npf/npf_nat.c: revision 1.36
sys/net/npf/npf_nat.c: revision 1.37
sys/net/npf/npf_conn.h: revision 1.7
sys/net/npf/npf_conf.c: revision 1.9
sys/net/npf/npf_ruleset.c: revision 1.39
sys/net/npf/npf_conn.c: revision 1.13
sys/net/npf/npf_impl.h: revision 1.60
NPF:
- npf_nat_import: take the port only if using the portmap.
- Sprinkle some comments and asserts.
- npf_config_load: if loading the connections, do not perform any actice
NAT policy take over or or portmap sharing - just replace them all.
- npf_config_fini: flush with the empty connection database.
- npf_nat_import: fix the stat counter.
 1.9.2.1 07-Jan-2017  pgoyette Sync with HEAD. (Note that most of these changes are simply $NetBSD$
tag issues.)
 1.11.16.2 13-Apr-2020  martin Mostly merge changes from HEAD upto 20200411
 1.11.16.1 10-Jun-2019  christos Sync with HEAD
 1.11.14.1 30-Sep-2018  pgoyette Ssync with HEAD
 1.13.2.4 20-Jun-2020  martin Pull up following revision(s) (requested by rmind in ticket #956):

usr.sbin/npf/npf-params.7: revision 1.4
sys/net/npf/npf_worker.c: revision 1.9
usr.sbin/npf/npftest/npftest.h: revision 1.17
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.16
usr.sbin/npf/npf-params.7: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.21
usr.sbin/npf/npfctl/npf_build.c: revision 1.55
usr.sbin/npf/npf-params.7: revision 1.6
sys/net/npf/npfkern.h: revision 1.5
lib/libnpf/npf.c: revision 1.49
usr.sbin/npf/npf-params.7: revision 1.7
sys/net/npf/npf_impl.h: revision 1.81
sys/net/npf/npf_ext_log.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.h: revision 1.53
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.50
sys/net/npf/npf_mbuf.c: revision 1.24
sys/net/npf/npf_alg.c: revision 1.22
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: file removal
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.10
sys/net/npf/npf.h: revision 1.63
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.21
usr.sbin/npf/npfctl/npf_var.c: revision 1.13
sys/net/npf/files.npf: revision 1.23
usr.sbin/npf/npfctl/npf_show.c: revision 1.32
usr.sbin/npf/npfctl/npf.conf.5: revision 1.91
sys/net/npf/npf_os.c: revision 1.18
sys/net/npf/npf_connkey.c: revision 1.2
sys/net/npf/npf_conf.c: revision 1.17
lib/libnpf/libnpf.3: revision 1.12
usr.sbin/npf/npftest/npftest.c: revision 1.25
usr.sbin/npf/npftest/libnpftest/npf_gc_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.51
sys/net/npf/npf_tableset.c: revision 1.35
usr.sbin/npf/npftest/npftest.conf: revision 1.9
sys/net/npf/npf_sendpkt.c: revision 1.22
usr.sbin/npf/npfctl/npf_var.h: revision 1.10
sys/net/npf/npf_state.c: revision 1.23
sys/net/npf/npf_conn.h: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.64
usr.sbin/npf/npfctl/npf_cmd.c: revision 1.1
sys/net/npf/npf_portmap.c: revision 1.5
sys/net/npf/npf_params.c: revision 1.3
usr.sbin/npf/npfctl/npf_scan.l: revision 1.32
tests/net/npf/t_npf.sh: revision 1.4
sys/net/npf/npf_ext_rndblock.c: revision 1.9
lib/libnpf/npf.h: revision 1.39
sys/net/npf/npf_ruleset.c: revision 1.51
sys/net/npf/npf_alg_icmp.c: revision 1.33
sys/net/npf/npf.c: revision 1.43
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.8: revision 1.25
sys/net/npf/npf_ctl.c: revision 1.60
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.11
sys/net/npf/npf_handler.c: revision 1.49
sys/net/npf/npf_inet.c: revision 1.57
sys/net/npf/npf_ifaddr.c: revision 1.7
sys/net/npf/npf_conndb.c: revision 1.9
sys/net/npf/npf_if.c: revision 1.13
usr.sbin/npf/npfctl/Makefile: revision 1.15
sys/net/npf/npf_conn.c: revision 1.32
sys/net/npf/npf_ext_normalize.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.20
sys/net/npf/npf_worker.c: revision 1.8

Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.

npf_worker_sys{init,fini}: initialize/destroy the exit_cv condvar.

npftest -- npf_test_init(): add a workaround for NetBSD.

npf-params(7): fix the state.key defaults.

npf-params.7: s/filer/filter/

Adjust to "npfctl debug" command line changes, from rmind@.

Use more markup.
 1.13.2.3 25-May-2020  martin Pull up following revision(s) (requested by rmind in ticket #930):

usr.sbin/npf/npfctl/npf_build.c: revision 1.54
sys/net/npf/npf_conn.h: revision 1.19
usr.sbin/npf/npfctl/npfctl.h: revision 1.52
usr.sbin/npf/npfctl/npf_show.c: revision 1.31
sys/net/npf/npf_conf.c: revision 1.16
sys/net/npf/npf_nat.c: revision 1.49
sys/net/npf/npf_inet.c: revision 1.56
sys/net/npf/npf_conndb.c: revision 1.8
sys/net/npf/npf_conn.c: revision 1.31

Backport selected NPF fixes from the upstream (to be pulled up):

- npf_conndb_lookup: protect the connection lookup with pserialize(9),
instead of incorrectly assuming that the handler always runs at IPL_SOFNET.
Should fix crashes reported on high load (PR/55182).

- npf_config_destroy: handle partially initialized config; fixes crashes
with some invalid configurations.

- NAT policy creation / destruction: set the initial reference and do not
wait for reference draining on destruction; destroy the policy on the
last reference drop instead. Fixes a lockup with the dynamic NAT rules.

- npf_nat_{export,import}: fix a regression since dynamic NAT rules.

- npfctl: fix a regression and restore the default group behaviour.

- Add npf_cache_tcp() and validate the TCP data offset (from maxv@).
 1.13.2.2 01-Sep-2019  martin Pull up following revision(s) (requested by rmind in ticket #141):

usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.15
sys/net/npf/npf_alg.c: revision 1.21
sys/net/npf/npf.h: revision 1.62
sys/net/npf/npf_ctl.c: revision 1.57
sys/net/npf/npf_ctl.c: revision 1.58
sys/net/npf/npf_os.c: revision 1.16
sys/net/npf/npf_os.c: revision 1.17
sys/net/npf/npf_conf.c: revision 1.15
sys/net/npf/npf_impl.h: revision 1.78
sys/sys/mbuf.h: revision 1.220
sys/net/npf/npf_impl.h: revision 1.79
sys/net/npf/npf.c: revision 1.41
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.19
sys/net/npf/npf_nat.c: revision 1.48
sys/net/npf/npf_handler.c: revision 1.48
sys/net/npf/npf_ifaddr.c: revision 1.6

- npfctl_load_nvlist: simplify the config loading logic.
- Fix a small race condition in npf_nat_getaddr().
- Rework pserialize/EBR wrappers, make it easier to maintain.
Move PACKET_TAG_NPF where it belongs to.
Make npfctl_switch() and pfil private to OS-specific module.
 1.13.2.1 13-Aug-2019  martin Pull up following revision(s) (requested by rmind in ticket #49):

usr.sbin/npf/npf.7: revision 1.7
sys/net/npf/npfkern.h: revision 1.4
sys/net/npf/npf_conn.h: revision 1.18
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.13
sys/net/npf/npf_ctl.c: revision 1.55
sys/net/npf/npf_os.c: revision 1.14
sys/net/npf/npf_conf.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/npf_perf_test.c: revision 1.9
sys/net/npf/npf_impl.h: revision 1.76
sys/net/npf/npf_portmap.c: revision 1.4
sys/net/npf/npf_params.c: revision 1.2
sys/net/npf/npf.c: revision 1.40
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.18
sys/net/npf/npf_nat.c: revision 1.47
sys/net/npf/npf_handler.c: revision 1.47
sys/net/npf/npf_inet.c: revision 1.55
sys/net/npf/npf_if.c: revision 1.10
sys/net/npf/npf_worker.c: revision 1.7
usr.sbin/npf/npf-params.7: revision 1.3

npf-params(7): add more bpf.jit details.
From David H. Gutteridge.

Adjust some internal NPF APIs:
* npfkern: use the npfk_ prefix.
* NPF portmap: amend the API so it could be used elsewhere.
* Make npf_connkey_t public.

npf.7: add xref to npf-params.7
(Adding directly here since this particular file isn't included in
rmind@'s upstream GitHub repo at present.)
 1.35 22-Jan-2023  riastradh npf(9): Update comment to reduce diff from upstream.

No functional change.
 1.34 13-Feb-2022  riastradh npf(4): Use atomic_store_release and atomic_load_consume for conn_db.

...or atomic_load_relaxed, when npf->conn_lock is held, for the sake
of C11.

No need for store-before-load implied by membar_sync.
 1.33 25-Jan-2021  christos s/npf_config_lock/npf->config_lock/ in the comments
 1.32 30-May-2020  rmind branches: 1.32.2;
Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.

- Amend and improve the manual pages.
 1.31 23-May-2020  rmind Backport selected NPF fixes from the upstream (to be pulled up):

- npf_conndb_lookup: protect the connection lookup with pserialize(9),
instead of incorrectly assuming that the handler always runs at IPL_SOFNET.
Should fix crashes reported on high load (PR/55182).

- npf_config_destroy: handle partially initialized config; fixes crashes
with some invalid configurations.

- NAT policy creation / destruction: set the initial reference and do not
wait for reference draining on destruction; destroy the policy on the
last reference drop instead. Fixes a lockup with the dynamic NAT rules.

- npf_nat_{export,import}: fix a regression since dynamic NAT rules.

- npfctl: fix a regression and restore the default group behaviour.

- Add npf_cache_tcp() and validate the TCP data offset (from maxv@).
 1.30 29-Sep-2019  rmind NPF ifmap: rework and fix a few small bugs.
 1.29 06-Aug-2019  christos - npf_conn_init(): fix a race when initialising the G/C thread.
- Fix a bug when partially initialised connection is destroyed on error.
(from rmind@)
 1.28 06-Aug-2019  christos Introduce an npf_conn_destroy_idx() that can handle partially constructed
conn structures.
 1.27 23-Jul-2019  rmind branches: 1.27.2;
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.
 1.26 19-Jan-2019  rmind Major NPF improvements:
- Convert NPF connection table to thmap. State lookup is now lock-free.
- Improve connection state G/C: it is now incremental and tunable.
- Add support for dynamic NAT address. Translation addresses can now be
selected from a pool of addresses. There are two selection algorithms,
"ip-hash" and "round-robin" (see the man page).
- Translation address can be specified as e.g. ifaddrs(wm0) in npf.conf
to dynamically choose an IP from the interface address(es).
- Add support for the NETMAP algorithm with static NAT for net-to-net
translation (it is equivalent to iptables NETMAP logic).
- Convert 'ipset' tables to use thmap; the table lookup is now lock-free.
- Misc improvements, bug fixes and more unit tests.
- Bump NPF_VERSION (will also bump libnpf).
 1.25 29-Sep-2018  rmind NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.
 1.24 10-Dec-2017  rmind branches: 1.24.2; 1.24.4;
- npf_cop_table: handle non-IP packets in the ether (fixes PR/52290).
- npfa_icmp_nat: do not recompute the checksum if no port translation.
- npf_normalize (MSS clamping): fix the checksum handling on PFIL_OUT.
- npflog: report the packet direction correctly.
 1.23 29-Jan-2017  christos - Increase copyin buffer size to 4M
- Change log output format to be like the OpenBSD's pf including in
the header the matching rule etc, and fill in the matching info.
 1.22 26-Dec-2016  christos branches: 1.22.2;
Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)
 1.21 10-Dec-2016  christos revert dir hack.
 1.20 10-Dec-2016  christos Welcome to version 18:
- Connection state keys are not stored and loaded using the logical key
contents.
- connection finder key is stored in a map that contains the key and the
direction.
 1.19 10-Dec-2016  kre Remove what looks like remnant (partly removed already) debug code,
which could not possibly compile as it was.
 1.18 10-Dec-2016  christos add functionality to lookup a nat entry from the connection list.
 1.17 08-Dec-2016  rmind NPF: adjust the 'stateful-ends' mechanism to tag the packets and thus
pass-through them on other interfaces. Per discussion with christos@.
 1.16 05-Feb-2015  rmind branches: 1.16.2;
npf_conn_establish: fix the previous change - drop the reference on error.
 1.15 01-Feb-2015  rmind - npf_conn_establish: remove a rare race condition when we might destroy a
connection when it is still referenced by another thread.
- npf_conn_destroy: remove the backwards entry using the saved key, PR/49488.
- Sprinkle some asserts.
 1.14 20-Dec-2014  rmind NPF: set the connection flags atomically in the post-creation logic and
fix a tiny race condition window. Might fix PR/49488.
 1.13 30-Nov-2014  rmind NPF:
- npf_nat_import: take the port only if using the portmap.
- Sprinkle some comments and asserts.
 1.12 24-Aug-2014  rmind branches: 1.12.2;
- npf_conn_import: add a missing stat counter increment.
- npf_nat_import: add a missing reference and make a comment.
 1.11 11-Aug-2014  rmind branches: 1.11.2;
- Add and use npf_alg_export().
- npf_conn_import: handle NAT metadata correctly.
- npf_nat_newpolicy: restore the policy ID.
- npfctl_load: fix error code handling for the limit cases.
- npf_config_import: fix the inverted logic.
- npfctl_load: improve error handling.
 1.10 10-Aug-2014  rmind branches: 1.10.2;
- Add npf_ruleset_export(), npf_rule_export() and npf_nat_policyexport().
- Split off npf_conn_export(). Add npf_ifmap_getname() and use it to save
the interface name; pick it up on npf_conn_import().
- Misc fixes. Bump NPF_VERSION.
 1.9 26-Jul-2014  rmind branches: 1.9.2;
npf_conn_conkey: fix a comment.
 1.8 25-Jul-2014  rmind npf_conn_conkey: adjust to return the key length and add a comment
describing the key layout.
 1.7 25-Jul-2014  rmind npf_mk_connlist: destroy the connections on error path.
 1.6 23-Jul-2014  rmind NPF: rework of the connection saving and restoring:
- Add support for saving a snapshot of the current connections together
with a full configuration. Support a reverse load operation. Eliminate
the old 'sess-save' and 'sess-load' in favour of the new mechanism.
- Share code between load and reload operations: the latter performs
load from npf.conf without affecting the connections.
- Simplify and fix races with connection loading.
- Bump NPF_VERSION.
 1.5 20-Jul-2014  joerg Drop variable only used in return.
 1.4 20-Jul-2014  rmind NPF: add nbuf_t * into npf_cache_t and remove unnecessary carrying by argument.
 1.3 19-Jul-2014  christos gcc-4.8 complains about not being able to inline
 1.2 19-Jul-2014  rmind Fix gcc warnings.
 1.1 19-Jul-2014  rmind NPF: partially rewrite the connection tracking mechanism:
- Separate the tracking interface from the storage (state table)
and thus prepare to use a new data structure for the storage.
- Fix some race conditions in NAT association logic.
 1.9.2.2 10-Aug-2014  tls Rebase.
 1.9.2.1 26-Jul-2014  tls file npf_conn.c was added on branch tls-earlyentropy on 2014-08-10 06:56:16 +0000
 1.10.2.5 15-Mar-2015  snj Pull up following revision(s) (requested by rmind in ticket #586):
sys/net/npf/npf_conn.c: revision 1.16
npf_conn_establish: fix the previous change - drop the reference on error.
 1.10.2.4 04-Feb-2015  snj Pull up following revision(s) (requested by rmind in ticket #479):
lib/libnpf/npf.c: revision 1.35
lib/libnpf/npf.h: revision 1.28
sys/net/npf/npf_conn.c: revision 1.15
sys/net/npf/npf_impl.h: revision 1.61
sys/net/npf/npf_ruleset.c: revision 1.41
usr.sbin/npf/npfctl/npf.conf.5: revision 1.44
usr.sbin/npf/npfctl/npf_parse.y: revision 1.37
usr.sbin/npf/npfctl/npf_show.c: revisions 1.16, 1.17
usr.sbin/npf/npfctl/npfctl.c: revision 1.46
load the config file before bpfjit so that we can disable the warning.
--
Don't depend on yacc to include stdlib.h or string.h.
--
- npf_conn_establish: remove a rare race condition when we might destroy a
connection when it is still referenced by another thread.
- npf_conn_destroy: remove the backwards entry using the saved key, PR/49488.
- Sprinkle some asserts.
--
npf.conf(5): mention alg, include in the example, minor fix.
--
npfctl(8): report dynamic rule ID in a comment, print the case when libpcap
is used correctly. Also, add npf_ruleset_dump() helper in the kernel.
--
libnpf: add npf_rule_getid() and npf_rule_getcode().
Missed in the previous commit.
--
npfctl_print_rule: print the ID in hex, not decimal.
 1.10.2.3 22-Dec-2014  msaitoh Pull up following revision(s) (requested by rmind in ticket #347):
sys/net/npf/npf_nat.c: revision 1.38
sys/net/npf/npf_conn.h: revision 1.8
sys/net/npf/npf_conn.c: revision 1.14
NPF: set the connection flags atomically in the post-creation logic and
fix a tiny race condition window. Might fix PR/49488.
 1.10.2.2 01-Dec-2014  martin Pull up following revision(s) (requested by rmind in ticket #280):
sys/net/npf/npf_ruleset.c: revision 1.40
sys/net/npf/npf_nat.c: revision 1.36
sys/net/npf/npf_nat.c: revision 1.37
sys/net/npf/npf_conn.h: revision 1.7
sys/net/npf/npf_conf.c: revision 1.9
sys/net/npf/npf_ruleset.c: revision 1.39
sys/net/npf/npf_conn.c: revision 1.13
sys/net/npf/npf_impl.h: revision 1.60
NPF:
- npf_nat_import: take the port only if using the portmap.
- Sprinkle some comments and asserts.
- npf_config_load: if loading the connections, do not perform any actice
NAT policy take over or or portmap sharing - just replace them all.
- npf_config_fini: flush with the empty connection database.
- npf_nat_import: fix the stat counter.
 1.10.2.1 29-Aug-2014  martin Pull up following revision(s) (requested by rmind in ticket #56):
sys/net/npf/npf_ctl.c: revision 1.39
usr.sbin/npf/npfctl/npfctl.c: revision 1.43
lib/libnpf/npf.c: revision 1.33
lib/libnpf/npf.c: revision 1.34
sys/net/npf/npf_impl.h: revision 1.59
sys/net/npf/npf_ctl.c: revision 1.40
sys/net/npf/npf_conn.c: revision 1.11
sys/net/npf/npf_alg.c: revision 1.15
sys/net/npf/npf_conn.c: revision 1.12
sys/net/npf/npf_nat.c: revision 1.33
sys/net/npf/npf_nat.c: revision 1.34
Add and use npf_alg_export().
npf_conn_import: handle NAT metadata correctly.
npf_nat_newpolicy: restore the policy ID.
npfctl_load: fix error code handling for the limit cases.
npf_config_import: fix the inverted logic.
npfctl_load: improve error handling.
npf_conn_import: add a missing stat counter increment.
npf_nat_import: add a missing reference and make a comment.
npf_config_submit: finally, include the saved connections.
 1.11.2.3 03-Dec-2017  jdolecek update from HEAD
 1.11.2.2 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.11.2.1 11-Aug-2014  tls file npf_conn.c was added on branch tls-maxphys on 2014-08-20 00:04:35 +0000
 1.12.2.2 05-Feb-2017  skrll Sync with HEAD
 1.12.2.1 06-Apr-2015  skrll Sync with HEAD
 1.16.2.2 20-Mar-2017  pgoyette Sync with HEAD
 1.16.2.1 07-Jan-2017  pgoyette Sync with HEAD. (Note that most of these changes are simply $NetBSD$
tag issues.)
 1.22.2.1 21-Apr-2017  bouyer Sync with HEAD
 1.24.4.2 13-Apr-2020  martin Mostly merge changes from HEAD upto 20200411
 1.24.4.1 10-Jun-2019  christos Sync with HEAD
 1.24.2.2 26-Jan-2019  pgoyette Sync with HEAD
 1.24.2.1 30-Sep-2018  pgoyette Ssync with HEAD
 1.27.2.4 20-Jun-2020  martin Pull up following revision(s) (requested by rmind in ticket #956):

usr.sbin/npf/npf-params.7: revision 1.4
sys/net/npf/npf_worker.c: revision 1.9
usr.sbin/npf/npftest/npftest.h: revision 1.17
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.16
usr.sbin/npf/npf-params.7: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.21
usr.sbin/npf/npfctl/npf_build.c: revision 1.55
usr.sbin/npf/npf-params.7: revision 1.6
sys/net/npf/npfkern.h: revision 1.5
lib/libnpf/npf.c: revision 1.49
usr.sbin/npf/npf-params.7: revision 1.7
sys/net/npf/npf_impl.h: revision 1.81
sys/net/npf/npf_ext_log.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.h: revision 1.53
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.50
sys/net/npf/npf_mbuf.c: revision 1.24
sys/net/npf/npf_alg.c: revision 1.22
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: file removal
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.10
sys/net/npf/npf.h: revision 1.63
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.21
usr.sbin/npf/npfctl/npf_var.c: revision 1.13
sys/net/npf/files.npf: revision 1.23
usr.sbin/npf/npfctl/npf_show.c: revision 1.32
usr.sbin/npf/npfctl/npf.conf.5: revision 1.91
sys/net/npf/npf_os.c: revision 1.18
sys/net/npf/npf_connkey.c: revision 1.2
sys/net/npf/npf_conf.c: revision 1.17
lib/libnpf/libnpf.3: revision 1.12
usr.sbin/npf/npftest/npftest.c: revision 1.25
usr.sbin/npf/npftest/libnpftest/npf_gc_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.51
sys/net/npf/npf_tableset.c: revision 1.35
usr.sbin/npf/npftest/npftest.conf: revision 1.9
sys/net/npf/npf_sendpkt.c: revision 1.22
usr.sbin/npf/npfctl/npf_var.h: revision 1.10
sys/net/npf/npf_state.c: revision 1.23
sys/net/npf/npf_conn.h: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.64
usr.sbin/npf/npfctl/npf_cmd.c: revision 1.1
sys/net/npf/npf_portmap.c: revision 1.5
sys/net/npf/npf_params.c: revision 1.3
usr.sbin/npf/npfctl/npf_scan.l: revision 1.32
tests/net/npf/t_npf.sh: revision 1.4
sys/net/npf/npf_ext_rndblock.c: revision 1.9
lib/libnpf/npf.h: revision 1.39
sys/net/npf/npf_ruleset.c: revision 1.51
sys/net/npf/npf_alg_icmp.c: revision 1.33
sys/net/npf/npf.c: revision 1.43
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.8: revision 1.25
sys/net/npf/npf_ctl.c: revision 1.60
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.11
sys/net/npf/npf_handler.c: revision 1.49
sys/net/npf/npf_inet.c: revision 1.57
sys/net/npf/npf_ifaddr.c: revision 1.7
sys/net/npf/npf_conndb.c: revision 1.9
sys/net/npf/npf_if.c: revision 1.13
usr.sbin/npf/npfctl/Makefile: revision 1.15
sys/net/npf/npf_conn.c: revision 1.32
sys/net/npf/npf_ext_normalize.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.20
sys/net/npf/npf_worker.c: revision 1.8

Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.

npf_worker_sys{init,fini}: initialize/destroy the exit_cv condvar.

npftest -- npf_test_init(): add a workaround for NetBSD.

npf-params(7): fix the state.key defaults.

npf-params.7: s/filer/filter/

Adjust to "npfctl debug" command line changes, from rmind@.

Use more markup.
 1.27.2.3 25-May-2020  martin Pull up following revision(s) (requested by rmind in ticket #930):

usr.sbin/npf/npfctl/npf_build.c: revision 1.54
sys/net/npf/npf_conn.h: revision 1.19
usr.sbin/npf/npfctl/npfctl.h: revision 1.52
usr.sbin/npf/npfctl/npf_show.c: revision 1.31
sys/net/npf/npf_conf.c: revision 1.16
sys/net/npf/npf_nat.c: revision 1.49
sys/net/npf/npf_inet.c: revision 1.56
sys/net/npf/npf_conndb.c: revision 1.8
sys/net/npf/npf_conn.c: revision 1.31

Backport selected NPF fixes from the upstream (to be pulled up):

- npf_conndb_lookup: protect the connection lookup with pserialize(9),
instead of incorrectly assuming that the handler always runs at IPL_SOFNET.
Should fix crashes reported on high load (PR/55182).

- npf_config_destroy: handle partially initialized config; fixes crashes
with some invalid configurations.

- NAT policy creation / destruction: set the initial reference and do not
wait for reference draining on destruction; destroy the policy on the
last reference drop instead. Fixes a lockup with the dynamic NAT rules.

- npf_nat_{export,import}: fix a regression since dynamic NAT rules.

- npfctl: fix a regression and restore the default group behaviour.

- Add npf_cache_tcp() and validate the TCP data offset (from maxv@).
 1.27.2.2 04-Oct-2019  martin Pull up following revision(s) (requested by rmind in ticket #282):

usr.sbin/npf/npfctl/npf_build.c: revision 1.53
lib/libnpf/npf.c: revision 1.48
usr.sbin/npf/npfctl/npfctl.h: revision 1.50
sys/net/npf/npf_impl.h: revision 1.80
usr.sbin/npf/npfctl/npfctl.h: revision 1.51
sys/net/npf/npf_ruleset.c: revision 1.49
usr.sbin/npf/npfctl/npf.conf.5: revision 1.90
sys/net/npf/npf_ctl.c: revision 1.59
lib/libnpf/libnpf.3: revision 1.11
usr.sbin/npf/npfctl/npf_parse.y: revision 1.50
usr.sbin/npf/npftest/npftest.conf: revision 1.8
usr.sbin/npf/npfctl/npfctl.c: revision 1.62
usr.sbin/npf/npfctl/npfctl.c: revision 1.63
usr.sbin/npf/npfctl/npf_scan.l: revision 1.30
usr.sbin/npf/npfctl/npfctl.8: revision 1.22
lib/libnpf/npf.h: revision 1.38
usr.sbin/npf/npfctl/npfctl.8: revision 1.23
usr.sbin/npf/npfctl/npfctl.8: revision 1.24
sys/net/npf/npf_if.c: revision 1.11
sys/net/npf/npf_if.c: revision 1.12
usr.sbin/npf/npfctl/npf.conf.5: revision 1.89
sys/net/npf/npf_conn.c: revision 1.30
usr.sbin/npf/npfctl/npf_build.c: revision 1.52

npfctl: implement table replace subcommand.
Contributed by Timshel Knoll-Miller.

NPF ifmap: rework and fix a few small bugs.

npfctl: implement table replace subcommand.
Contributed by Timshel Knoll-Miller.
(missed a file in previous commit; cvs is so helpful..)

libnpf/npfctl: support dynamic NAT rulesets using a name prefix.

Use -width Pa for FILES.

Fix pasto in table replace -t type

Use -width Pa for FILES.

npf_ifmap_copylogname: be more defensive.
 1.27.2.1 07-Aug-2019  martin Pull up following revision(s) (requested by rmind in ticket #25):

sys/net/npf/npf_conn.h: revision 1.17
sys/net/npf/npf.c: revision 1.39
sys/net/npf/npf_conn.c: revision 1.28
sys/net/npf/npf_conn.c: revision 1.29

Introduce an npf_conn_destroy_idx() that can handle partially constructed
conn structures.

- npf_conn_init(): fix a race when initialising the G/C thread.
- Fix a bug when partially initialised connection is destroyed on error.
(from rmind@)
 1.32.2.1 03-Apr-2021  thorpej Sync with HEAD.
 1.20 30-May-2020  rmind Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.

- Amend and improve the manual pages.
 1.19 23-May-2020  rmind Backport selected NPF fixes from the upstream (to be pulled up):

- npf_conndb_lookup: protect the connection lookup with pserialize(9),
instead of incorrectly assuming that the handler always runs at IPL_SOFNET.
Should fix crashes reported on high load (PR/55182).

- npf_config_destroy: handle partially initialized config; fixes crashes
with some invalid configurations.

- NAT policy creation / destruction: set the initial reference and do not
wait for reference draining on destruction; destroy the policy on the
last reference drop instead. Fixes a lockup with the dynamic NAT rules.

- npf_nat_{export,import}: fix a regression since dynamic NAT rules.

- npfctl: fix a regression and restore the default group behaviour.

- Add npf_cache_tcp() and validate the TCP data offset (from maxv@).
 1.18 11-Aug-2019  rmind Adjust some internal NPF APIs:
* npfkern: use the npfk_ prefix.
* NPF portmap: amend the API so it could be used elsewhere.
* Make npf_connkey_t public.
 1.17 06-Aug-2019  christos - npf_conn_init(): fix a race when initialising the G/C thread.
- Fix a bug when partially initialised connection is destroyed on error.
(from rmind@)
 1.16 23-Jul-2019  rmind branches: 1.16.2;
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.
 1.15 19-Jan-2019  rmind Major NPF improvements:
- Convert NPF connection table to thmap. State lookup is now lock-free.
- Improve connection state G/C: it is now incremental and tunable.
- Add support for dynamic NAT address. Translation addresses can now be
selected from a pool of addresses. There are two selection algorithms,
"ip-hash" and "round-robin" (see the man page).
- Translation address can be specified as e.g. ifaddrs(wm0) in npf.conf
to dynamically choose an IP from the interface address(es).
- Add support for the NETMAP algorithm with static NAT for net-to-net
translation (it is equivalent to iptables NETMAP logic).
- Convert 'ipset' tables to use thmap; the table lookup is now lock-free.
- Misc improvements, bug fixes and more unit tests.
- Bump NPF_VERSION (will also bump libnpf).
 1.14 29-Sep-2018  rmind NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.
 1.13 10-Dec-2017  rmind branches: 1.13.2; 1.13.4;
- npf_cop_table: handle non-IP packets in the ether (fixes PR/52290).
- npfa_icmp_nat: do not recompute the checksum if no port translation.
- npf_normalize (MSS clamping): fix the checksum handling on PFIL_OUT.
- npflog: report the packet direction correctly.
 1.12 29-Jan-2017  christos - Increase copyin buffer size to 4M
- Change log output format to be like the OpenBSD's pf including in
the header the matching rule etc, and fill in the matching info.
 1.11 26-Dec-2016  christos branches: 1.11.2;
Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)
 1.10 10-Dec-2016  christos Welcome to version 18:
- Connection state keys are not stored and loaded using the logical key
contents.
- connection finder key is stored in a map that contains the key and the
direction.
 1.9 10-Dec-2016  christos add functionality to lookup a nat entry from the connection list.
 1.8 20-Dec-2014  rmind branches: 1.8.2;
NPF: set the connection flags atomically in the post-creation logic and
fix a tiny race condition window. Might fix PR/49488.
 1.7 30-Nov-2014  rmind NPF:
- npf_nat_import: take the port only if using the portmap.
- Sprinkle some comments and asserts.
 1.6 10-Aug-2014  rmind branches: 1.6.2; 1.6.4; 1.6.6;
- Add npf_ruleset_export(), npf_rule_export() and npf_nat_policyexport().
- Split off npf_conn_export(). Add npf_ifmap_getname() and use it to save
the interface name; pick it up on npf_conn_import().
- Misc fixes. Bump NPF_VERSION.
 1.5 25-Jul-2014  rmind branches: 1.5.2;
npf_conn_conkey: adjust to return the key length and add a comment
describing the key layout.
 1.4 25-Jul-2014  rmind npf_mk_connlist: destroy the connections on error path.
 1.3 23-Jul-2014  rmind NPF: rework of the connection saving and restoring:
- Add support for saving a snapshot of the current connections together
with a full configuration. Support a reverse load operation. Eliminate
the old 'sess-save' and 'sess-load' in favour of the new mechanism.
- Share code between load and reload operations: the latter performs
load from npf.conf without affecting the connections.
- Simplify and fix races with connection loading.
- Bump NPF_VERSION.
 1.2 20-Jul-2014  rmind NPF: add nbuf_t * into npf_cache_t and remove unnecessary carrying by argument.
 1.1 19-Jul-2014  rmind Add npf_conn.h missed in the previous commit.
 1.5.2.2 10-Aug-2014  tls Rebase.
 1.5.2.1 25-Jul-2014  tls file npf_conn.h was added on branch tls-earlyentropy on 2014-08-10 06:56:16 +0000
 1.6.6.2 05-Feb-2017  skrll Sync with HEAD
 1.6.6.1 06-Apr-2015  skrll Sync with HEAD
 1.6.4.3 03-Dec-2017  jdolecek update from HEAD
 1.6.4.2 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.6.4.1 10-Aug-2014  tls file npf_conn.h was added on branch tls-maxphys on 2014-08-20 00:04:35 +0000
 1.6.2.2 22-Dec-2014  msaitoh Pull up following revision(s) (requested by rmind in ticket #347):
sys/net/npf/npf_nat.c: revision 1.38
sys/net/npf/npf_conn.h: revision 1.8
sys/net/npf/npf_conn.c: revision 1.14
NPF: set the connection flags atomically in the post-creation logic and
fix a tiny race condition window. Might fix PR/49488.
 1.6.2.1 01-Dec-2014  martin Pull up following revision(s) (requested by rmind in ticket #280):
sys/net/npf/npf_ruleset.c: revision 1.40
sys/net/npf/npf_nat.c: revision 1.36
sys/net/npf/npf_nat.c: revision 1.37
sys/net/npf/npf_conn.h: revision 1.7
sys/net/npf/npf_conf.c: revision 1.9
sys/net/npf/npf_ruleset.c: revision 1.39
sys/net/npf/npf_conn.c: revision 1.13
sys/net/npf/npf_impl.h: revision 1.60
NPF:
- npf_nat_import: take the port only if using the portmap.
- Sprinkle some comments and asserts.
- npf_config_load: if loading the connections, do not perform any actice
NAT policy take over or or portmap sharing - just replace them all.
- npf_config_fini: flush with the empty connection database.
- npf_nat_import: fix the stat counter.
 1.8.2.2 20-Mar-2017  pgoyette Sync with HEAD
 1.8.2.1 07-Jan-2017  pgoyette Sync with HEAD. (Note that most of these changes are simply $NetBSD$
tag issues.)
 1.11.2.1 21-Apr-2017  bouyer Sync with HEAD
 1.13.4.2 13-Apr-2020  martin Mostly merge changes from HEAD upto 20200411
 1.13.4.1 10-Jun-2019  christos Sync with HEAD
 1.13.2.2 26-Jan-2019  pgoyette Sync with HEAD
 1.13.2.1 30-Sep-2018  pgoyette Ssync with HEAD
 1.16.2.4 20-Jun-2020  martin Pull up following revision(s) (requested by rmind in ticket #956):

usr.sbin/npf/npf-params.7: revision 1.4
sys/net/npf/npf_worker.c: revision 1.9
usr.sbin/npf/npftest/npftest.h: revision 1.17
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.16
usr.sbin/npf/npf-params.7: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.21
usr.sbin/npf/npfctl/npf_build.c: revision 1.55
usr.sbin/npf/npf-params.7: revision 1.6
sys/net/npf/npfkern.h: revision 1.5
lib/libnpf/npf.c: revision 1.49
usr.sbin/npf/npf-params.7: revision 1.7
sys/net/npf/npf_impl.h: revision 1.81
sys/net/npf/npf_ext_log.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.h: revision 1.53
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.50
sys/net/npf/npf_mbuf.c: revision 1.24
sys/net/npf/npf_alg.c: revision 1.22
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: file removal
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.10
sys/net/npf/npf.h: revision 1.63
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.21
usr.sbin/npf/npfctl/npf_var.c: revision 1.13
sys/net/npf/files.npf: revision 1.23
usr.sbin/npf/npfctl/npf_show.c: revision 1.32
usr.sbin/npf/npfctl/npf.conf.5: revision 1.91
sys/net/npf/npf_os.c: revision 1.18
sys/net/npf/npf_connkey.c: revision 1.2
sys/net/npf/npf_conf.c: revision 1.17
lib/libnpf/libnpf.3: revision 1.12
usr.sbin/npf/npftest/npftest.c: revision 1.25
usr.sbin/npf/npftest/libnpftest/npf_gc_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.51
sys/net/npf/npf_tableset.c: revision 1.35
usr.sbin/npf/npftest/npftest.conf: revision 1.9
sys/net/npf/npf_sendpkt.c: revision 1.22
usr.sbin/npf/npfctl/npf_var.h: revision 1.10
sys/net/npf/npf_state.c: revision 1.23
sys/net/npf/npf_conn.h: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.64
usr.sbin/npf/npfctl/npf_cmd.c: revision 1.1
sys/net/npf/npf_portmap.c: revision 1.5
sys/net/npf/npf_params.c: revision 1.3
usr.sbin/npf/npfctl/npf_scan.l: revision 1.32
tests/net/npf/t_npf.sh: revision 1.4
sys/net/npf/npf_ext_rndblock.c: revision 1.9
lib/libnpf/npf.h: revision 1.39
sys/net/npf/npf_ruleset.c: revision 1.51
sys/net/npf/npf_alg_icmp.c: revision 1.33
sys/net/npf/npf.c: revision 1.43
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.8: revision 1.25
sys/net/npf/npf_ctl.c: revision 1.60
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.11
sys/net/npf/npf_handler.c: revision 1.49
sys/net/npf/npf_inet.c: revision 1.57
sys/net/npf/npf_ifaddr.c: revision 1.7
sys/net/npf/npf_conndb.c: revision 1.9
sys/net/npf/npf_if.c: revision 1.13
usr.sbin/npf/npfctl/Makefile: revision 1.15
sys/net/npf/npf_conn.c: revision 1.32
sys/net/npf/npf_ext_normalize.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.20
sys/net/npf/npf_worker.c: revision 1.8

Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.

npf_worker_sys{init,fini}: initialize/destroy the exit_cv condvar.

npftest -- npf_test_init(): add a workaround for NetBSD.

npf-params(7): fix the state.key defaults.

npf-params.7: s/filer/filter/

Adjust to "npfctl debug" command line changes, from rmind@.

Use more markup.
 1.16.2.3 25-May-2020  martin Pull up following revision(s) (requested by rmind in ticket #930):

usr.sbin/npf/npfctl/npf_build.c: revision 1.54
sys/net/npf/npf_conn.h: revision 1.19
usr.sbin/npf/npfctl/npfctl.h: revision 1.52
usr.sbin/npf/npfctl/npf_show.c: revision 1.31
sys/net/npf/npf_conf.c: revision 1.16
sys/net/npf/npf_nat.c: revision 1.49
sys/net/npf/npf_inet.c: revision 1.56
sys/net/npf/npf_conndb.c: revision 1.8
sys/net/npf/npf_conn.c: revision 1.31

Backport selected NPF fixes from the upstream (to be pulled up):

- npf_conndb_lookup: protect the connection lookup with pserialize(9),
instead of incorrectly assuming that the handler always runs at IPL_SOFNET.
Should fix crashes reported on high load (PR/55182).

- npf_config_destroy: handle partially initialized config; fixes crashes
with some invalid configurations.

- NAT policy creation / destruction: set the initial reference and do not
wait for reference draining on destruction; destroy the policy on the
last reference drop instead. Fixes a lockup with the dynamic NAT rules.

- npf_nat_{export,import}: fix a regression since dynamic NAT rules.

- npfctl: fix a regression and restore the default group behaviour.

- Add npf_cache_tcp() and validate the TCP data offset (from maxv@).
 1.16.2.2 13-Aug-2019  martin Pull up following revision(s) (requested by rmind in ticket #49):

usr.sbin/npf/npf.7: revision 1.7
sys/net/npf/npfkern.h: revision 1.4
sys/net/npf/npf_conn.h: revision 1.18
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.13
sys/net/npf/npf_ctl.c: revision 1.55
sys/net/npf/npf_os.c: revision 1.14
sys/net/npf/npf_conf.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/npf_perf_test.c: revision 1.9
sys/net/npf/npf_impl.h: revision 1.76
sys/net/npf/npf_portmap.c: revision 1.4
sys/net/npf/npf_params.c: revision 1.2
sys/net/npf/npf.c: revision 1.40
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.18
sys/net/npf/npf_nat.c: revision 1.47
sys/net/npf/npf_handler.c: revision 1.47
sys/net/npf/npf_inet.c: revision 1.55
sys/net/npf/npf_if.c: revision 1.10
sys/net/npf/npf_worker.c: revision 1.7
usr.sbin/npf/npf-params.7: revision 1.3

npf-params(7): add more bpf.jit details.
From David H. Gutteridge.

Adjust some internal NPF APIs:
* npfkern: use the npfk_ prefix.
* NPF portmap: amend the API so it could be used elsewhere.
* Make npf_connkey_t public.

npf.7: add xref to npf-params.7
(Adding directly here since this particular file isn't included in
rmind@'s upstream GitHub repo at present.)
 1.16.2.1 07-Aug-2019  martin Pull up following revision(s) (requested by rmind in ticket #25):

sys/net/npf/npf_conn.h: revision 1.17
sys/net/npf/npf.c: revision 1.39
sys/net/npf/npf_conn.c: revision 1.28
sys/net/npf/npf_conn.c: revision 1.29

Introduce an npf_conn_destroy_idx() that can handle partially constructed
conn structures.

- npf_conn_init(): fix a race when initialising the G/C thread.
- Fix a bug when partially initialised connection is destroyed on error.
(from rmind@)
 1.9 30-May-2020  rmind Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.

- Amend and improve the manual pages.
 1.8 23-May-2020  rmind Backport selected NPF fixes from the upstream (to be pulled up):

- npf_conndb_lookup: protect the connection lookup with pserialize(9),
instead of incorrectly assuming that the handler always runs at IPL_SOFNET.
Should fix crashes reported on high load (PR/55182).

- npf_config_destroy: handle partially initialized config; fixes crashes
with some invalid configurations.

- NAT policy creation / destruction: set the initial reference and do not
wait for reference draining on destruction; destroy the policy on the
last reference drop instead. Fixes a lockup with the dynamic NAT rules.

- npf_nat_{export,import}: fix a regression since dynamic NAT rules.

- npfctl: fix a regression and restore the default group behaviour.

- Add npf_cache_tcp() and validate the TCP data offset (from maxv@).
 1.7 14-Dec-2019  riastradh Skip npf_config_sync if nothing to do.

Saves an unnecessary pserialize_perform every second.
 1.6 23-Jul-2019  rmind branches: 1.6.2;
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.
 1.5 19-Jan-2019  rmind Major NPF improvements:
- Convert NPF connection table to thmap. State lookup is now lock-free.
- Improve connection state G/C: it is now incremental and tunable.
- Add support for dynamic NAT address. Translation addresses can now be
selected from a pool of addresses. There are two selection algorithms,
"ip-hash" and "round-robin" (see the man page).
- Translation address can be specified as e.g. ifaddrs(wm0) in npf.conf
to dynamically choose an IP from the interface address(es).
- Add support for the NETMAP algorithm with static NAT for net-to-net
translation (it is equivalent to iptables NETMAP logic).
- Convert 'ipset' tables to use thmap; the table lookup is now lock-free.
- Misc improvements, bug fixes and more unit tests.
- Bump NPF_VERSION (will also bump libnpf).
 1.4 29-Sep-2018  rmind NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.
 1.3 26-Dec-2016  christos branches: 1.3.14; 1.3.16;
Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)
 1.2 23-Jul-2014  rmind branches: 1.2.2; 1.2.6; 1.2.8; 1.2.12;
NPF: rework of the connection saving and restoring:
- Add support for saving a snapshot of the current connections together
with a full configuration. Support a reverse load operation. Eliminate
the old 'sess-save' and 'sess-load' in favour of the new mechanism.
- Share code between load and reload operations: the latter performs
load from npf.conf without affecting the connections.
- Simplify and fix races with connection loading.
- Bump NPF_VERSION.
 1.1 19-Jul-2014  rmind NPF: partially rewrite the connection tracking mechanism:
- Separate the tracking interface from the storage (state table)
and thus prepare to use a new data structure for the storage.
- Fix some race conditions in NAT association logic.
 1.2.12.1 07-Jan-2017  pgoyette Sync with HEAD. (Note that most of these changes are simply $NetBSD$
tag issues.)
 1.2.8.1 05-Feb-2017  skrll Sync with HEAD
 1.2.6.3 03-Dec-2017  jdolecek update from HEAD
 1.2.6.2 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.2.6.1 23-Jul-2014  tls file npf_conndb.c was added on branch tls-maxphys on 2014-08-20 00:04:35 +0000
 1.2.2.2 10-Aug-2014  tls Rebase.
 1.2.2.1 23-Jul-2014  tls file npf_conndb.c was added on branch tls-earlyentropy on 2014-08-10 06:56:16 +0000
 1.3.16.3 13-Apr-2020  martin Mostly merge changes from HEAD upto 20200411
 1.3.16.2 08-Apr-2020  martin Merge changes from current as of 20200406
 1.3.16.1 10-Jun-2019  christos Sync with HEAD
 1.3.14.2 26-Jan-2019  pgoyette Sync with HEAD
 1.3.14.1 30-Sep-2018  pgoyette Ssync with HEAD
 1.6.2.2 20-Jun-2020  martin Pull up following revision(s) (requested by rmind in ticket #956):

usr.sbin/npf/npf-params.7: revision 1.4
sys/net/npf/npf_worker.c: revision 1.9
usr.sbin/npf/npftest/npftest.h: revision 1.17
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.16
usr.sbin/npf/npf-params.7: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.21
usr.sbin/npf/npfctl/npf_build.c: revision 1.55
usr.sbin/npf/npf-params.7: revision 1.6
sys/net/npf/npfkern.h: revision 1.5
lib/libnpf/npf.c: revision 1.49
usr.sbin/npf/npf-params.7: revision 1.7
sys/net/npf/npf_impl.h: revision 1.81
sys/net/npf/npf_ext_log.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.h: revision 1.53
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.50
sys/net/npf/npf_mbuf.c: revision 1.24
sys/net/npf/npf_alg.c: revision 1.22
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: file removal
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.10
sys/net/npf/npf.h: revision 1.63
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.21
usr.sbin/npf/npfctl/npf_var.c: revision 1.13
sys/net/npf/files.npf: revision 1.23
usr.sbin/npf/npfctl/npf_show.c: revision 1.32
usr.sbin/npf/npfctl/npf.conf.5: revision 1.91
sys/net/npf/npf_os.c: revision 1.18
sys/net/npf/npf_connkey.c: revision 1.2
sys/net/npf/npf_conf.c: revision 1.17
lib/libnpf/libnpf.3: revision 1.12
usr.sbin/npf/npftest/npftest.c: revision 1.25
usr.sbin/npf/npftest/libnpftest/npf_gc_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.51
sys/net/npf/npf_tableset.c: revision 1.35
usr.sbin/npf/npftest/npftest.conf: revision 1.9
sys/net/npf/npf_sendpkt.c: revision 1.22
usr.sbin/npf/npfctl/npf_var.h: revision 1.10
sys/net/npf/npf_state.c: revision 1.23
sys/net/npf/npf_conn.h: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.64
usr.sbin/npf/npfctl/npf_cmd.c: revision 1.1
sys/net/npf/npf_portmap.c: revision 1.5
sys/net/npf/npf_params.c: revision 1.3
usr.sbin/npf/npfctl/npf_scan.l: revision 1.32
tests/net/npf/t_npf.sh: revision 1.4
sys/net/npf/npf_ext_rndblock.c: revision 1.9
lib/libnpf/npf.h: revision 1.39
sys/net/npf/npf_ruleset.c: revision 1.51
sys/net/npf/npf_alg_icmp.c: revision 1.33
sys/net/npf/npf.c: revision 1.43
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.8: revision 1.25
sys/net/npf/npf_ctl.c: revision 1.60
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.11
sys/net/npf/npf_handler.c: revision 1.49
sys/net/npf/npf_inet.c: revision 1.57
sys/net/npf/npf_ifaddr.c: revision 1.7
sys/net/npf/npf_conndb.c: revision 1.9
sys/net/npf/npf_if.c: revision 1.13
usr.sbin/npf/npfctl/Makefile: revision 1.15
sys/net/npf/npf_conn.c: revision 1.32
sys/net/npf/npf_ext_normalize.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.20
sys/net/npf/npf_worker.c: revision 1.8

Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.

npf_worker_sys{init,fini}: initialize/destroy the exit_cv condvar.

npftest -- npf_test_init(): add a workaround for NetBSD.

npf-params(7): fix the state.key defaults.

npf-params.7: s/filer/filter/

Adjust to "npfctl debug" command line changes, from rmind@.

Use more markup.
 1.6.2.1 25-May-2020  martin Pull up following revision(s) (requested by rmind in ticket #930):

usr.sbin/npf/npfctl/npf_build.c: revision 1.54
sys/net/npf/npf_conn.h: revision 1.19
usr.sbin/npf/npfctl/npfctl.h: revision 1.52
usr.sbin/npf/npfctl/npf_show.c: revision 1.31
sys/net/npf/npf_conf.c: revision 1.16
sys/net/npf/npf_nat.c: revision 1.49
sys/net/npf/npf_inet.c: revision 1.56
sys/net/npf/npf_conndb.c: revision 1.8
sys/net/npf/npf_conn.c: revision 1.31

Backport selected NPF fixes from the upstream (to be pulled up):

- npf_conndb_lookup: protect the connection lookup with pserialize(9),
instead of incorrectly assuming that the handler always runs at IPL_SOFNET.
Should fix crashes reported on high load (PR/55182).

- npf_config_destroy: handle partially initialized config; fixes crashes
with some invalid configurations.

- NAT policy creation / destruction: set the initial reference and do not
wait for reference draining on destruction; destroy the policy on the
last reference drop instead. Fixes a lockup with the dynamic NAT rules.

- npf_nat_{export,import}: fix a regression since dynamic NAT rules.

- npfctl: fix a regression and restore the default group behaviour.

- Add npf_cache_tcp() and validate the TCP data offset (from maxv@).
 1.2 30-May-2020  rmind Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.

- Amend and improve the manual pages.
 1.1 23-Jul-2019  rmind branches: 1.1.2; 1.1.10;
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.
 1.1.10.2 13-Apr-2020  martin Mostly merge changes from HEAD upto 20200411
 1.1.10.1 23-Jul-2019  martin file npf_connkey.c was added on branch phil-wifi on 2020-04-13 08:05:15 +0000
 1.1.2.1 20-Jun-2020  martin Pull up following revision(s) (requested by rmind in ticket #956):

usr.sbin/npf/npf-params.7: revision 1.4
sys/net/npf/npf_worker.c: revision 1.9
usr.sbin/npf/npftest/npftest.h: revision 1.17
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.16
usr.sbin/npf/npf-params.7: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.21
usr.sbin/npf/npfctl/npf_build.c: revision 1.55
usr.sbin/npf/npf-params.7: revision 1.6
sys/net/npf/npfkern.h: revision 1.5
lib/libnpf/npf.c: revision 1.49
usr.sbin/npf/npf-params.7: revision 1.7
sys/net/npf/npf_impl.h: revision 1.81
sys/net/npf/npf_ext_log.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.h: revision 1.53
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.50
sys/net/npf/npf_mbuf.c: revision 1.24
sys/net/npf/npf_alg.c: revision 1.22
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: file removal
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.10
sys/net/npf/npf.h: revision 1.63
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.21
usr.sbin/npf/npfctl/npf_var.c: revision 1.13
sys/net/npf/files.npf: revision 1.23
usr.sbin/npf/npfctl/npf_show.c: revision 1.32
usr.sbin/npf/npfctl/npf.conf.5: revision 1.91
sys/net/npf/npf_os.c: revision 1.18
sys/net/npf/npf_connkey.c: revision 1.2
sys/net/npf/npf_conf.c: revision 1.17
lib/libnpf/libnpf.3: revision 1.12
usr.sbin/npf/npftest/npftest.c: revision 1.25
usr.sbin/npf/npftest/libnpftest/npf_gc_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.51
sys/net/npf/npf_tableset.c: revision 1.35
usr.sbin/npf/npftest/npftest.conf: revision 1.9
sys/net/npf/npf_sendpkt.c: revision 1.22
usr.sbin/npf/npfctl/npf_var.h: revision 1.10
sys/net/npf/npf_state.c: revision 1.23
sys/net/npf/npf_conn.h: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.64
usr.sbin/npf/npfctl/npf_cmd.c: revision 1.1
sys/net/npf/npf_portmap.c: revision 1.5
sys/net/npf/npf_params.c: revision 1.3
usr.sbin/npf/npfctl/npf_scan.l: revision 1.32
tests/net/npf/t_npf.sh: revision 1.4
sys/net/npf/npf_ext_rndblock.c: revision 1.9
lib/libnpf/npf.h: revision 1.39
sys/net/npf/npf_ruleset.c: revision 1.51
sys/net/npf/npf_alg_icmp.c: revision 1.33
sys/net/npf/npf.c: revision 1.43
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.8: revision 1.25
sys/net/npf/npf_ctl.c: revision 1.60
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.11
sys/net/npf/npf_handler.c: revision 1.49
sys/net/npf/npf_inet.c: revision 1.57
sys/net/npf/npf_ifaddr.c: revision 1.7
sys/net/npf/npf_conndb.c: revision 1.9
sys/net/npf/npf_if.c: revision 1.13
usr.sbin/npf/npfctl/Makefile: revision 1.15
sys/net/npf/npf_conn.c: revision 1.32
sys/net/npf/npf_ext_normalize.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.20
sys/net/npf/npf_worker.c: revision 1.8

Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.

npf_worker_sys{init,fini}: initialize/destroy the exit_cv condvar.

npftest -- npf_test_init(): add a workaround for NetBSD.

npf-params(7): fix the state.key defaults.

npf-params.7: s/filer/filter/

Adjust to "npfctl debug" command line changes, from rmind@.

Use more markup.
 1.62 01-Jun-2025  joe NPF copyright 2025
 1.61 01-Jun-2025  joe kernel: extract rules, lookup socket, process filtering, reviews by christos@
 1.60 30-May-2020  rmind branches: 1.60.26;
Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.

- Amend and improve the manual pages.
 1.59 30-Sep-2019  rmind libnpf/npfctl: support dynamic NAT rulesets using a name prefix.
 1.58 25-Aug-2019  rmind ake npfctl_switch() and pfil private to OS-specific module.
 1.57 25-Aug-2019  rmind - npfctl_load_nvlist: simplify the config loading logic.
- Fix a small race condition in npf_nat_getaddr().
- Rework pserialize/EBR wrappers, make it easier to maintain.
 1.56 21-Aug-2019  rmind npfkern/libnpf: Add support for the table replace/swap operation.
Contributed by Timshel Knoll-Miller.
 1.55 11-Aug-2019  rmind Adjust some internal NPF APIs:
* npfkern: use the npfk_ prefix.
* NPF portmap: amend the API so it could be used elsewhere.
* Make npf_connkey_t public.
 1.54 23-Jul-2019  rmind branches: 1.54.2;
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.
 1.53 19-Jan-2019  rmind Major NPF improvements:
- Convert NPF connection table to thmap. State lookup is now lock-free.
- Improve connection state G/C: it is now incremental and tunable.
- Add support for dynamic NAT address. Translation addresses can now be
selected from a pool of addresses. There are two selection algorithms,
"ip-hash" and "round-robin" (see the man page).
- Translation address can be specified as e.g. ifaddrs(wm0) in npf.conf
to dynamically choose an IP from the interface address(es).
- Add support for the NETMAP algorithm with static NAT for net-to-net
translation (it is equivalent to iptables NETMAP logic).
- Convert 'ipset' tables to use thmap; the table lookup is now lock-free.
- Misc improvements, bug fixes and more unit tests.
- Bump NPF_VERSION (will also bump libnpf).
 1.52 29-Oct-2018  christos We need to have rump tests work in two modes:

1. npf unit tests. In this case only the npf subsystem is created
and dictionaries are passed directly.
2. kernel system tests (like the ipsec natt test). In this case, npf is
instantiated regularly as part of the kernel and dictionaries are
passed via ioctl.

We differentiate between the two cases by checking the "mbufops" member
which is NULL, regularly and non-NULL in the npf unit tests. Previously
this was done using an ifdef which obviously can't work for both cases.
 1.51 29-Sep-2018  rmind NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.
 1.50 10-Dec-2017  rmind branches: 1.50.2; 1.50.4;
- npf_mk_rules: enforce unique names for the dynamic rulesets.
- npf_worker_unregister: merge fix for the standalone NPF.
 1.49 30-Oct-2017  ozaki-r Fix npfclt reload on rump kernels

It fails because npfctl cannot get an errno when it calls ioctl to the (rump)
kernel; npfctl (libnpf) expects that an errno is returned via proplib,
however, the rump library of npf doesn't so. It happens because of mishandlings
of complicate npf kernel options.

PR kern/52643
 1.48 17-May-2017  christos branches: 1.48.2;
Allow npf to be used "normally" from a rump kernel, not just from the
test harness (problem reported by Frank Kardel)
 1.47 29-Jan-2017  christos branches: 1.47.4;
- Increase copyin buffer size to 4M
- Change log output format to be like the OpenBSD's pf including in
the header the matching rule etc, and fill in the matching info.
 1.46 02-Jan-2017  rmind branches: 1.46.2;
NPF: implement dynamic handling of interface addresses (the kernel part).
 1.45 26-Dec-2016  christos Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)
 1.44 10-Dec-2016  christos add functionality to lookup a nat entry from the connection list.
 1.43 28-Oct-2015  christos branches: 1.43.2;
remove bogus KASSERT, there are error paths that don't satisfy this.
XXX: should improve error reporting to userland.
 1.42 08-Jun-2015  rmind - npfctl: fix the confusion in the parser (0/0 case with no other filter).
- Always populate the error dictionary, not only for DEBUG/DIAGNOSTIC.
 1.41 20-Mar-2015  rmind NPF: replace the TAILQ of the dynamic rules with a linked list and fix the
inheriting of the active dynamic rules during the reload; also, fix a bug
in the insert path by putting a memory barrier in the right place.
 1.40 24-Aug-2014  rmind branches: 1.40.2;
- npf_conn_import: add a missing stat counter increment.
- npf_nat_import: add a missing reference and make a comment.
 1.39 11-Aug-2014  rmind - Add and use npf_alg_export().
- npf_conn_import: handle NAT metadata correctly.
- npf_nat_newpolicy: restore the policy ID.
- npfctl_load: fix error code handling for the limit cases.
- npf_config_import: fix the inverted logic.
- npfctl_load: improve error handling.
 1.38 11-Aug-2014  rmind branches: 1.38.2;
NPF: finish up the rework of npfctl_save() mechanism.
 1.37 10-Aug-2014  rmind - Add npf_ruleset_export(), npf_rule_export() and npf_nat_policyexport().
- Split off npf_conn_export(). Add npf_ifmap_getname() and use it to save
the interface name; pick it up on npf_conn_import().
- Misc fixes. Bump NPF_VERSION.
 1.36 25-Jul-2014  rmind npf_mk_connlist: destroy the connections on error path.
 1.35 23-Jul-2014  rmind NPF: rework of the connection saving and restoring:
- Add support for saving a snapshot of the current connections together
with a full configuration. Support a reverse load operation. Eliminate
the old 'sess-save' and 'sess-load' in favour of the new mechanism.
- Share code between load and reload operations: the latter performs
load from npf.conf without affecting the connections.
- Simplify and fix races with connection loading.
- Bump NPF_VERSION.
 1.34 19-Jul-2014  rmind NPF: partially rewrite the connection tracking mechanism:
- Separate the tracking interface from the storage (state table)
and thus prepare to use a new data structure for the storage.
- Fix some race conditions in NAT association logic.
 1.33 06-Feb-2014  rmind branches: 1.33.2;
Add support for CDB based NPF tables.
 1.32 12-Nov-2013  rmind NPF: add support for table naming and remove NPF_TABLE_SLOTS (there is
just an arbitrary sanity limit of NPF_MAX_TABLES currently set to 128).

Few misc fixes. Bump NPF_VERSION.
 1.31 08-Nov-2013  rmind NPF: add support for specifying the interfaces before they are attached.
If an interface is or gets detached, all associated rules and connections
will be deactivated (it might be useful to have an option to invalidate
the associated connections). Once the interface is reattached they will
become active.

Bump NPF_VERSION.
 1.30 27-Oct-2013  rmind Add NPF_MAX_RULES, an artificial limit (set it to 1M).
 1.29 19-Sep-2013  rmind NPF: G/C n-code in favour of BPF byte-code. Delete lots of code, mmm!
 1.28 19-Sep-2013  rmind - Convert NPF to use BPF byte-code by default. Compile BPF byte-code in
npfctl(8) and generate separate marks to describe the filter criteria.
- Rewrite 'npfctl show' functionality and fix some of the bugs.
- npftest: add a test for BPF COP.
- Bump NPF_VERSION.
 1.27 19-Sep-2013  rmind npfctl_rule: fixes for the dynamic rules.
 1.26 02-Jun-2013  rmind branches: 1.26.2;
- NPF connection tracking: rework synchronisation on tracking disable/enable
points and document it. Split the worker thread into a separate module
with an interface, so it could be re-used for other tasks.
- Replace ALG list with arrays and thus hit fewer cache lines.
- Misc bug fixes.
 1.25 19-May-2013  rmind - Add NPF table flushing functionality.
- Fix line numbering for npfctl debug command.
 1.24 20-Mar-2013  christos Make ALG's autoloadable by providing in the config file:
alg "algname"
 1.23 16-Feb-2013  rmind - Convert NPF dynamic rule ID to just incremented 64-bit counter.
- Fix multiple bugs. Also, update the man page.
 1.22 10-Feb-2013  rmind - Fix NPF config reload with dynamic rules present.
- Implement list and flush commands on a dynamic ruleset.
 1.21 09-Feb-2013  rmind NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
 1.20 23-Dec-2012  rmind - Add NPF version check in proplist as well, not only ioctl. Bump the version.
- Fix a bug in table entry lookup.
- Updates/fixes to the man pages. Misc.
 1.19 29-Oct-2012  rmind Implement NPF table listing and preservation of entries on reload.
Bump the version.
 1.18 16-Sep-2012  rmind Implement dynamic NPF extensions interface. An extension consists of
dynamically loaded module (.so) supplementing npfctl(8) and a kernel
module. Move normalisation and logging functionality into their own
extensions. More improvements to come.
 1.17 15-Aug-2012  rmind branches: 1.17.2;
- {npf_mk_rproc,npf_nat_save}: fix the fetching of {rproc-ptr,id_ptr}.
- npf_rproc_setlog: initialise variables to 0, as keys may not exist.

Bugs found by mlelstv@ while testing on Amiga.
 1.16 15-Jul-2012  rmind - Rework NPF tables and fix support for IPv6. Implement tree table type
using radix / Patricia tree. Universal IPv4/IPv6 comparator for ptree(3)
was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.
 1.15 30-May-2012  rmind npftest: add a stream processor, which prints out the TCP state information.
A tool for debugging connection tracking from tcpdump -w captured data.
 1.14 11-Mar-2012  rmind - Save active config in proplib dictionary; add GETCONF ioctl to retrieve.
- Few fixes. Improve some comments.
 1.13 20-Feb-2012  rmind - Add NPF_DECISION_BLOCK and NPF_DECISION_PASS. Be more defensive in the
packet handler. Change the default policy to block when the config is
loaded and set it to pass when flush operation is performed.
- Use kmem_zalloc(9) instead of kmem_alloc(9) in few places.
- npf_rproc_{create,release}: use kmem_intr_{alloc,free} as the destruction
of rule procedure might happen in the interrupt handler (under a very rare
condition, if config reload races with the handler).
- npf_session_establish: check whether layer 3 and 4 are cached.
- npfctl_build_group: do not make groups as passing rules.
- Remove some unecessary header inclusion.
 1.12 05-Feb-2012  rmind branches: 1.12.2;
Multiple NPF fixes, add better error reporting from kernel side, add some
asserts, bump the version.
 1.11 15-Jan-2012  rmind - Expire all sessions on flush.
- Enable checking for zero mask in IP{4,6}MATCH after npfctl changes.
- Make locking symmetric for npf_ruleset_inspect().
- Sync function prototypes in npf(3) man page with reality.
- Rename NPF_TABLE_RBTREE to NPF_TABLE_TREE.
 1.10 29-Nov-2011  rmind branches: 1.10.2;
- Rework and improve TCP state tracking.
- Fix regressions after IPv6 patch merge.

Note: npfctl(8) rework will come soon.
 1.9 06-Nov-2011  rmind Few fixes, KNF/style, bump the NPF version.
 1.8 04-Nov-2011  jakllsch Use uint8_t instead of npf_netmask_t, as npf_netmask_t is a uint_fast8_t,
which is in many places is actually a uint32_t and thus incompatible with
prop_dictionary_get_uint8(). The correct type is noted in a comment.
 1.7 04-Nov-2011  zoltan Add IPv6 support for NPF.
 1.6 02-Feb-2011  rmind branches: 1.6.2; 1.6.6;
NPF checkpoint:
- Add libnpf(3) - a library to control NPF (configuration, ruleset, etc).
- Add NPF support for ftp-proxy(8).
- Add rc.d script for NPF.
- Convert npfctl(8) to use libnpf(3) and thus make it less depressive.
Note: next clean-up step should be a parser, once dholland@ will finish it.
- Add more documentation.
- Various fixes.
 1.5 18-Jan-2011  rmind branches: 1.5.2;
NPF checkpoint:
- Add the concept of rule procedure: separate normalization, logging and
potentially other functions from the rule structure. Rule procedure can be
shared amongst the rules. Separation is both at kernel level (npf_rproc_t)
and configuration ("procedure" + "apply").
- Fix portmap sharing for NAT policy.
- Update TCP state tracking logic. Use TCP FSM definitions.
- Add if_byindex(), OK by matt@. Use in logging for the lookup.
- Fix traceroute ALG and many other bugs; misc clean-up.
 1.4 18-Dec-2010  rmind branches: 1.4.2;
NPF checkpoint:
- Add support for session saving/restoring.
- Add packet logging support (can tcpdump a pseudo-interface).
- Support reload without flushing of sessions; rework some locking.
- Revisit session mangement, replace linking with npf_sentry_t entries.
- Add some counters for statistics, using percpu(9).
- Add IP_DF flag cleansing.
- Fix various bugs; misc clean-up.
 1.3 11-Nov-2010  rmind NPF checkpoint:
- Add proper TCP state tracking as described in Guido van Rooij paper,
plus handle TCP Window Scaling option.
- Completely rework npf_cache_t, reduce granularity, simplify code.
- Add npf_addr_t as an abstraction, amend session handling code, as well
as NAT code et al, to use it. Now design is prepared for IPv6 support.
- Handle IPv4 fragments i.e. perform packet reassembly.
- Add support for IPv4 ID randomization and minimum TTL enforcement.
- Add support for TCP MSS "clamping".
- Random bits for IPv6. Various fixes and clean-up.
 1.2 16-Sep-2010  rmind branches: 1.2.2; 1.2.4;
NPF checkpoint:
- Add support for bi-directional NAT and redirection / port forwarding.
- Finish filtering on ICMP type/code and add filtering on TCP flags.
- Add support for TCP reset (RST) or ICMP destination unreachable on block.
- Fix a bunch of bugs; misc cleanup.
 1.1 22-Aug-2010  rmind Import NPF - a packet filter. Some features:

- Designed to be fully MP-safe and highly efficient.

- Tables/IP sets (hash or red-black tree) for high performance lookups.

- Stateful filtering and Network Address Port Translation (NAPT).
Framework for application level gateways (ALGs).

- Packet inspection engine called n-code processor - inspired by BPF -
supporting generic RISC-like and specific CISC-like instructions for
common patterns (e.g. IPv4 address matching). See npf_ncode(9) manual.

- Convenient userland utility npfctl(8) with npf.conf(8).

NOTE: This is not yet a fully capable alternative to PF or IPFilter.
Further work (support for binat/rdr, return-rst/return-icmp, common ALGs,
state saving/restoring, logging, etc) is in progress.

Thanks a lot to Matt Thomas for various useful comments and code review.
Aye by: board@
 1.2.4.2 22-Oct-2010  uebayasi Sync with HEAD (-D20101022).
 1.2.4.1 16-Sep-2010  uebayasi file npf_ctl.c was added on branch uebayasi-xip on 2010-10-22 09:23:14 +0000
 1.2.2.2 09-Oct-2010  yamt sync with head
 1.2.2.1 16-Sep-2010  yamt file npf_ctl.c was added on branch yamt-nfs-mp on 2010-10-09 03:32:37 +0000
 1.4.2.1 06-Jun-2011  jruoho Sync with HEAD.
 1.5.2.1 08-Feb-2011  bouyer Sync with HEAD
 1.6.6.5 22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.6.6.4 23-Jan-2013  yamt sync with head
 1.6.6.3 30-Oct-2012  yamt sync with head
 1.6.6.2 17-Apr-2012  yamt sync with head
 1.6.6.1 10-Nov-2011  yamt sync with head
 1.6.2.2 05-Mar-2011  rmind sync with head
 1.6.2.1 02-Feb-2011  rmind file npf_ctl.c was added on branch rmind-uvmplock on 2011-03-05 20:55:55 +0000
 1.10.2.4 02-Jun-2012  mrg sync to latest -current.
 1.10.2.3 05-Apr-2012  mrg sync to latest -current.
 1.10.2.2 24-Feb-2012  mrg sync to -current.
 1.10.2.1 18-Feb-2012  mrg merge to -current.
 1.12.2.10 22-Sep-2013  riz Pull up following revision(s) (requested by rmind in ticket #952):
sys/net/npf/npf_ctl.c: revision 1.27
npfctl_rule: fixes for the dynamic rules.
 1.12.2.9 18-Feb-2013  riz branches: 1.12.2.9.2;
Pull up following revision(s) (requested by rmind in ticket #829):
usr.sbin/npf/npfctl/npfctl.8: revision 1.13
usr.sbin/npf/npfctl/npf_build.c: revision 1.21
lib/libnpf/npf.c: revision 1.18
sys/net/npf/npf_ctl.c: revision 1.23
usr.sbin/npf/npfctl/npfctl.h: revision 1.27
lib/libnpf/npf.h: revision 1.15
sys/net/npf/npf_ruleset.c: revision 1.19
sys/net/npf/npf_impl.h: revision 1.28
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.c: revision 1.31
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.6
- Convert NPF dynamic rule ID to just incremented 64-bit counter.
- Fix multiple bugs. Also, update the man page.
 1.12.2.8 11-Feb-2013  riz Pull up following revision(s) (requested by rmind in ticket #817):
usr.sbin/npf/npfctl/npfctl.8: revision 1.12
usr.sbin/npf/npfctl/npf.conf.5: revision 1.27
usr.sbin/npf/npfctl/npf_parse.y: revision 1.18
usr.sbin/npf/npfctl/npf_build.c: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.28
lib/libnpf/npf.c: revision 1.16
usr.sbin/npf/npfctl/npfctl.c: revision 1.29
lib/libnpf/npf.c: revision 1.17
sys/modules/npf/Makefile: revision 1.12
sys/net/npf/npf_rproc.c: revision 1.6
usr.sbin/npf/npftest/README: revision 1.4
sys/net/npf/npf_tableset.c: revision 1.17
sys/net/npf/npf_ctl.c: revision 1.21
sys/net/npf/npf_ctl.c: revision 1.22
usr.sbin/npf/npfctl/npfctl.h: revision 1.25
lib/libnpf/npf.h: revision 1.13
usr.sbin/npf/npftest/npftest.conf: revision 1.2
usr.sbin/npf/npfctl/npfctl.h: revision 1.26
sys/net/npf/npf_ruleset.c: revision 1.17
lib/libnpf/npf.h: revision 1.14
sys/net/npf/npf_ruleset.c: revision 1.18
sys/net/npf/npf_conf.c: revision 1.1
usr.sbin/npf/npfctl/npf_scan.l: revision 1.10
sys/net/npf/npf_conf.c: revision 1.2
sys/net/npf/npf_instr.c: revision 1.16
sys/net/npf/npf_handler.c: revision 1.26
sys/net/npf/npf_impl.h: revision 1.26
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.14
sys/net/npf/npf_processor.c: revision 1.15
sys/net/npf/npf_impl.h: revision 1.27
sys/net/npf/npf_alg_icmp.c: revision 1.15
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.15
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.16
sys/net/npf/npf_ncode.h: revision 1.11
sys/net/npf/files.npf: revision 1.10
usr.sbin/npf/npftest/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.c: revision 1.30
lib/libnpf/npf.3: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.4
sys/net/npf/npf_session.c: revision 1.21
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.5
usr.sbin/npf/npfctl/npf_build.c: revision 1.18
usr.sbin/npf/npfctl/npf_build.c: revision 1.19
sys/net/npf/npf_alg.c: revision 1.7
usr.sbin/npf/npfctl/Makefile: revision 1.10
sys/net/npf/npf_inet.c: revision 1.21
sys/net/npf/npf.h: revision 1.26
sys/net/npf/npf.h: revision 1.27
usr.sbin/pf/ftp-proxy/Makefile: revision 1.8
sys/net/npf/npf_nat.c: revision 1.19
sys/net/npf/npf.c: revision 1.15
sys/net/npf/npf_state.c: revision 1.14
sys/net/npf/npf_sendpkt.c: revision 1.14
sys/rump/net/lib/libnpf/Makefile: revision 1.4
IPv6 linklocal address printing cosmetics
NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
Disable -DWITH_NPF for now; will be converted to BPF mechanism.
- Fix NPF config reload with dynamic rules present.
- Implement list and flush commands on a dynamic ruleset.
Allow filtering on IP addresses even if the L4 protocol is unknown.
Patch from spz@.
npftest: adjust for recent change.
 1.12.2.7 07-Jan-2013  riz Pull up following revision(s) (requested by rmind in ticket #776):
usr.sbin/npf/npfctl/npf.conf.5: revision 1.26
usr.sbin/npf/npfctl/npfctl.c: revision 1.26
dist/pf/usr.sbin/ftp-proxy/npf.c: revision 1.2
lib/libnpf/npf.c: revision 1.15
sys/net/npf/npf_ctl.c: revision 1.20
lib/libnpf/npf.h: revision 1.12
lib/libnpf/npf.3: revision 1.6
lib/libnpf/npf.3: revision 1.7
usr.sbin/npf/npfctl/npf_build.c: revision 1.17
sys/net/npf/npf.h: revision 1.24
- Add NPF version check in proplist as well, not only ioctl. Bump the version.
- Fix a bug in table entry lookup.
- Updates/fixes to the man pages. Misc.
Remove a superfluous quote and fix a recurring typo.
ftp-proxy: disable NPF bits for now; it will be re-done.
 1.12.2.6 24-Nov-2012  riz Pull up following revision(s) (requested by rmind in ticket #702):
sys/net/npf/npf_tableset.c: revision 1.15
usr.sbin/npf/npfctl/npfctl.h: revision 1.21
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.6
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.10
sys/net/npf/npf_state_tcp.c: revision 1.11
sys/net/npf/npf_impl.h: revision 1.24
sys/net/npf/npf.h: revision 1.22
sys/net/npf/npf_ctl.c: revision 1.19
sys/net/npf/npf.c: revision 1.14
usr.sbin/npf/npfctl/npfctl.8: revision 1.10
usr.sbin/npf/npfctl/npfctl.c: revision 1.21
npf_tcp_inwindow: inspect the sequence numbers even if the packet contains no
data, fixing up only the RST to the initial SYN. This makes off-path attacks
more difficult. For the reference, see &quot;Reflection Scan: an Off-Path Attack
on TCP&quot; by Jan Wrobel.
Implement NPF table listing and preservation of entries on reload.
Bump the version.
npfctl(8): mention table listing.
 1.12.2.5 18-Nov-2012  riz Pull up following revision(s) (requested by rmind in ticket #693):
lib/npf/ext_normalise/shlib_version: revision 1.1
lib/libnpf/npf.c: revision 1.13
distrib/sets/lists/modules/mi: revision 1.48
sys/net/npf/npf_rproc.c: revision 1.3
sys/net/npf/npf_rproc.c: revision 1.4
sys/modules/npf/Makefile: revision 1.11
usr.sbin/npf/npfctl/npfctl.h: revision 1.20
lib/npf/ext_log/npfext_log.c: revision 1.1
lib/libnpf/npf.h: revision 1.11
sys/net/npf/npf_inet.c: revision 1.17
sys/net/npf/npf_log.c: file removal
sys/net/npf/npf_handler.c: revision 1.22
distrib/sets/lists/base/shl.mi: revision 1.636
sys/net/npf/npf_impl.h: revision 1.23
usr.sbin/npf/npfctl/Makefile: revision 1.8
lib/npf/Makefile: revision 1.1
lib/npf/ext_log/shlib_version: revision 1.1
lib/Makefile: revision 1.189
distrib/sets/lists/comp/shl.mi: revision 1.236
usr.sbin/npf/npfctl/npf_build.c: revision 1.14
distrib/sets/lists/base/mi: revision 1.1007
usr.sbin/npf/npfctl/npf_scan.l: revision 1.6
distrib/sets/lists/base/mi: revision 1.1009
sys/net/npf/npf.h: revision 1.21
lib/npf/ext_normalise/npfext_normalise.c: revision 1.1
etc/mtree/NetBSD.dist.base: revision 1.105
lib/libnpf/Makefile: revision 1.3
etc/mtree/NetBSD.dist.base: revision 1.106
usr.sbin/npf/npfctl/npf_extmod.c: revision 1.1
sys/net/npf/npf_ctl.c: revision 1.18
lib/npf/ext_log/Makefile: revision 1.1
distrib/sets/lists/comp/mi: revision 1.1781
usr.sbin/npf/npfctl/npf_var.h: revision 1.4
sys/net/npf/npf.c: revision 1.13
sys/modules/Makefile: revision 1.111
sys/net/npf/npf_ext_log.c: revision 1.1
lib/npf/Makefile.inc: revision 1.1
sys/net/npf/npf_ext_normalise.c: revision 1.1
sys/net/npf/files.npf: revision 1.8
sys/rump/net/lib/libnpf/Makefile: revision 1.2
sys/modules/npf_ext_log/Makefile: revision 1.1
lib/npf/ext_normalise/Makefile: revision 1.1
usr.sbin/npf/npfctl/npfctl.c: revision 1.20
usr.sbin/npf/npfctl/npf_parse.y: revision 1.13
sys/modules/npf_ext_normalise/Makefile: revision 1.1
Implement dynamic NPF extensions interface. An extension consists of
dynamically loaded module (.so) supplementing npfctl(8) and a kernel
module. Move normalisation and logging functionality into their own
extensions. More improvements to come.
Add /usr/lib/npf.
Add ./usr/libdata/debug/usr/lib/npf for rmind
Fix MKDEBUG set lists
ext_ops does not change during the life cycle and can be fetched without
the mutex held. This avoids confusion in the compiler about an uninitialized
variable ext_ops.
ok rmind@
 1.12.2.4 19-Aug-2012  riz Pull up following revision(s) (requested by rmind in ticket #511):
lib/libnpf/npf.c: revision 1.12
sys/net/npf/npf_ctl.c: revision 1.17
sys/net/npf/npf_nat.c: revision 1.17
- {npf_mk_rproc,npf_nat_save}: fix the fetching of {rproc-ptr,id_ptr}.
- npf_rproc_setlog: initialise variables to 0, as keys may not exist.
Bugs found by mlelstv@ while testing on Amiga.
 1.12.2.3 16-Jul-2012  riz Pull up following revision(s) (requested by rmind in ticket #421):
lib/libnpf/npf.c: revision 1.10
sys/net/npf/npf_session.c: revision 1.15
sys/net/npf/npf_tableset.c: revision 1.13
sys/net/npf/npf_state_tcp.c: revision 1.9
usr.sbin/npf/npfctl/npf_data.c: revision 1.15
sys/net/npf/npf_inet.c: revision 1.14
sys/net/npf/npf_ruleset.c: revision 1.13
sys/net/npf/npf.h: revision 1.19
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.12
sys/net/npf/npf_instr.c: revision 1.13
sys/net/npf/npf_handler.c: revision 1.20
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.4
sys/net/npf/npf_alg_icmp.c: revision 1.10
usr.sbin/npf/npfctl/npfctl.c: revision 1.15
usr.sbin/npf/npfctl/npf_build.c: revision 1.11
lib/libnpf/npf.h: revision 1.9
sys/net/npf/npf_alg.c: revision 1.5
sys/rump/dev/lib/libnpf/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.h: revision 1.17
sys/net/npf/npf_ctl.c: revision 1.16
sys/net/npf/npf_nat.c: revision 1.15
sys/net/npf/npf_tableset_ptree.c: revision 1.1
sys/net/npf/npf.c: revision 1.12
sys/net/npf/npf_sendpkt.c: revision 1.12
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.7
sys/net/npf/npf_impl.h: revision 1.18
sys/net/npf/files.npf: revision 1.7
usr.sbin/npf/npfctl/npf_parse.y: revision 1.10
- Rework NPF tables and fix support for IPv6. Implement tree table type
using radix / Patricia tree. Universal IPv4/IPv6 comparator for ptree(3)
was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.
 1.12.2.2 26-Jun-2012  riz Pull up following revision(s) (requested by rmind in ticket #354):
sys/net/npf/npf_state_tcp.c: revision 1.4
sys/net/npf/npf_state_tcp.c: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.6
usr.sbin/npf/npftest/npftest.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.1
usr.sbin/npf/npftest/npftest.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.2
usr.sbin/npf/npfctl/npf_data.c: revision 1.11
usr.sbin/npf/npftest/npftest.c: revision 1.3
usr.sbin/npf/npfctl/npf_data.c: revision 1.12
usr.sbin/npf/npftest/npftest.h: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.5
usr.sbin/npf/npfctl/npf_data.c: revision 1.13
sys/net/npf/npf.h: revision 1.16
usr.sbin/npf/npftest/npftest.h: revision 1.2
usr.sbin/npf/npfctl/npf_parse.y: revision 1.6
usr.sbin/npf/npftest/npftest.h: revision 1.3
usr.sbin/npf/npfctl/npf_parse.y: revision 1.7
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.10
usr.sbin/npf/npfctl/npf_build.c: revision 1.6
usr.sbin/npf/npfctl/npf_parse.y: revision 1.8
usr.sbin/npf/npfctl/npf_build.c: revision 1.7
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_build.c: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_build.c: revision 1.9
usr.sbin/npf/npfctl/npf.conf.5: revision 1.10
usr.sbin/npf/npfctl/npf.conf.5: revision 1.11
usr.sbin/npf/npfctl/npf.conf.5: revision 1.12
sys/net/npf/npf_state.c: revision 1.7
usr.sbin/npf/npfctl/npfctl.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.c: revision 1.12
usr.sbin/npf/npfctl/Makefile: revision 1.7
sys/rump/net/lib/libnet/Makefile: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.7
usr.sbin/npf/npftest/Makefile: revision 1.1
usr.sbin/npf/npftest/Makefile: revision 1.2
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.1
usr.sbin/npf/npfctl/npf_scan.l: revision 1.2
usr.sbin/npf/npftest/npfstream.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.2
usr.sbin/npf/npfctl/npf_scan.l: revision 1.3
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.3
usr.sbin/npf/npfctl/npfctl.h: revision 1.12
sys/rump/dev/lib/libnpf/Makefile: revision 1.2
usr.sbin/npf/npfctl/npfctl.h: revision 1.14
sys/rump/dev/lib/libnpf/Makefile: revision 1.3
usr.sbin/npf/npfctl/npfctl.h: revision 1.15
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.9
sys/net/npf/npf_ctl.c: revision 1.15
usr.sbin/npf/npfctl/npf_var.c: revision 1.4
usr.sbin/npf/npfctl/npf_var.h: revision 1.2
usr.sbin/npf/npfctl/npf_var.c: revision 1.5
sys/net/npf/npf_impl.h: revision 1.13
sys/net/npf/npf_sendpkt.c: revision 1.10
sys/net/npf/npf_impl.h: revision 1.14
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.4
sys/net/npf/npf_impl.h: revision 1.15
sys/net/npf/npf_handler.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.5
sys/net/npf/npf_handler.c: revision 1.17
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.2
sys/net/npf/npf_ncode.h: revision 1.7
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.3
sys/net/npf/npf_ncode.h: revision 1.8
npf_tcp_inwindow: in a case of negative skew, bump the maximum seen value of
SEQ+LEN in the receiver's side correctly (using ACK from the sender's side).
PR/46265 from Changli Gao.
rumpnet_net: add pfil.c
Update rumpdev_npf; use WARNS=4.
Add initial NPF regression tests integrated with RUMP framework (running the
kernel part of NPF in userland). Other tests will be added once converted to
RUMP framework. All tests are in the public domain.
Some Makefile fixes from christos@.
- Fix double-free case on ICMP return case.
- npf_pfil_register: handle kernels without INET6 option correctly.
- Reduce some #ifdefs.
npfctl(8): add show-config command. Also, update syntax.
npftest: add a stream processor, which prints out the TCP state information.
A tool for debugging connection tracking from tcpdump -w captured data.
npftest: add a module for TCP state tracking and add few test cases.
npf_state_tcp: add an assert; fix some comments while here.
- Rework NPF NAT syntax to be more structured and support future additions
of different types and configurations of NAT.
- npfctl: improve disassemble and show-config command functionality.
- Fix custom ICMP code and type filtering.
make this compile again.
remove error(1) output
Remove superfluous Pp
- make each element of a variable hold a type
- change get_type to take an index, so we can get the individual types of
each element (since primitive elements can be in lists)
- make port_range primitive
- add a routine to convert a variable of primitives to a variable containing
- only port ranges.
remove extra rule that got merged...
 1.12.2.1 03-Apr-2012  riz Pull up following revision(s) (requested by rmind in ticket #158):
sys/net/npf/npf_session.c: revision 1.12
sys/net/npf/npf_tableset.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.2
usr.sbin/npf/npfctl/npf_parse.y: revision 1.4
sys/net/npf/npf_inet.c: revision 1.11
sys/net/npf/npf.h: revision 1.15
usr.sbin/npf/npfctl/npf_build.c: revision 1.5
sys/net/npf/npf_ruleset.c: revision 1.11
sys/net/npf/npf_instr.c: revision 1.10
usr.sbin/npf/npfctl/Makefile: revision 1.6
sys/net/npf/npf_processor.c: revision 1.10
sys/net/npf/npf_log.c: revision 1.3
lib/libnpf/npf.h: revision 1.7
sys/net/npf/npf_alg.c: revision 1.3
sys/net/npf/npf_sendpkt.c: revision 1.9
lib/libnpf/npf.c: revision 1.8
usr.sbin/npf/npfctl/npfctl.h: revision 1.13
sys/net/npf/npf_ctl.c: revision 1.13
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.8
sys/net/npf/npf_ctl.c: revision 1.14
sys/net/npf/npf_nat.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.12
sys/net/npf/npf_impl.h: revision 1.11
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.1
sys/net/npf/npf_impl.h: revision 1.12
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.2
sys/net/npf/npf_handler.c: revision 1.14
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.3
sys/net/npf/npf_handler.c: revision 1.15
sys/net/npf/npf_ncode.h: revision 1.6
sys/net/npf/npf.c: revision 1.8
sys/net/npf/npf.c: revision 1.9
sys/net/npf/npf_alg_icmp.c: revision 1.9
sys/net/npf/npf_session.c: revision 1.11
- Add NPF_DECISION_BLOCK and NPF_DECISION_PASS. Be more defensive in the
packet handler. Change the default policy to block when the config is
loaded and set it to pass when flush operation is performed.
- Use kmem_zalloc(9) instead of kmem_alloc(9) in few places.
- npf_rproc_{create,release}: use kmem_intr_{alloc,free} as the destruction
of rule procedure might happen in the interrupt handler (under a very rare
condition, if config reload races with the handler).
- npf_session_establish: check whether layer 3 and 4 are cached.
- npfctl_build_group: do not make groups as passing rules.
- Remove some unecessary header inclusion.
Simplify slightly: merge iface into addr_or_iface, use it in filt_addr.
Add a small disassembler.
definitions used by the disassembler.
- better printing of type/code flags/mask
- pass the instruction start pointer, instead of subtracting 1 to account for it
- Save active config in proplib dictionary; add GETCONF ioctl to retrieve.
- Few fixes. Improve some comments.
don't leak the branch target array.
Add NPF config retrieval routines.
 1.12.2.9.2.1 22-Sep-2013  riz Pull up following revision(s) (requested by rmind in ticket #952):
sys/net/npf/npf_ctl.c: revision 1.27
npfctl_rule: fixes for the dynamic rules.
 1.17.2.5 03-Dec-2017  jdolecek update from HEAD
 1.17.2.4 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.17.2.3 23-Jun-2013  tls resync from head
 1.17.2.2 25-Feb-2013  tls resync with head
 1.17.2.1 20-Nov-2012  tls Resync to 2012-11-19 00:00:00 UTC
 1.26.2.1 18-May-2014  rmind sync with head
 1.33.2.1 10-Aug-2014  tls Rebase.
 1.38.2.4 30-Oct-2018  martin Pull up following revision(s) (requested by sborrill in ticket #1646):

sys/net/npf/npf_ctl.c: revision 1.47 (partial, via patch)

- Increase copyin buffer size to 4M
 1.38.2.3 10-Jun-2015  snj Pull up following revision(s) (requested by rmind in ticket #835):
sys/net/npf/npf_ctl.c: revision 1.42
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.8
usr.sbin/npf/npfctl/npf_build.c: revision 1.40
- npfctl: fix the confusion in the parser (0/0 case with no other filter).
- Always populate the error dictionary, not only for DEBUG/DIAGNOSTIC.
 1.38.2.2 21-Mar-2015  snj Pull up following revision(s) (requested by rmind in ticket #630):
sys/net/npf/npf_ctl.c: revision 1.41
sys/net/npf/npf_ruleset.c: revision 1.42
usr.sbin/npf/npfctl/npf_build.c: revision 1.39
usr.sbin/npf/npfctl/npf_show.c: revision 1.18
NPF: replace the TAILQ of the dynamic rules with a linked list and fix the
inheriting of the active dynamic rules during the reload; also, fix a bug
in the insert path by putting a memory barrier in the right place.
--
npfctl:
- Fix the filter criteria when to/from is omitted but port used.
- Print more user-friendly error if an NPF table has a duplicate entry.
 1.38.2.1 29-Aug-2014  martin Pull up following revision(s) (requested by rmind in ticket #56):
sys/net/npf/npf_ctl.c: revision 1.39
usr.sbin/npf/npfctl/npfctl.c: revision 1.43
lib/libnpf/npf.c: revision 1.33
lib/libnpf/npf.c: revision 1.34
sys/net/npf/npf_impl.h: revision 1.59
sys/net/npf/npf_ctl.c: revision 1.40
sys/net/npf/npf_conn.c: revision 1.11
sys/net/npf/npf_alg.c: revision 1.15
sys/net/npf/npf_conn.c: revision 1.12
sys/net/npf/npf_nat.c: revision 1.33
sys/net/npf/npf_nat.c: revision 1.34
Add and use npf_alg_export().
npf_conn_import: handle NAT metadata correctly.
npf_nat_newpolicy: restore the policy ID.
npfctl_load: fix error code handling for the limit cases.
npf_config_import: fix the inverted logic.
npfctl_load: improve error handling.
npf_conn_import: add a missing stat counter increment.
npf_nat_import: add a missing reference and make a comment.
npf_config_submit: finally, include the saved connections.
 1.40.2.5 28-Aug-2017  skrll Sync with HEAD
 1.40.2.4 05-Feb-2017  skrll Sync with HEAD
 1.40.2.3 27-Dec-2015  skrll Sync with HEAD (as of 26th Dec)
 1.40.2.2 22-Sep-2015  skrll Sync with HEAD
 1.40.2.1 06-Apr-2015  skrll Sync with HEAD
 1.43.2.2 20-Mar-2017  pgoyette Sync with HEAD
 1.43.2.1 07-Jan-2017  pgoyette Sync with HEAD. (Note that most of these changes are simply $NetBSD$
tag issues.)
 1.46.2.1 21-Apr-2017  bouyer Sync with HEAD
 1.47.4.1 19-May-2017  pgoyette Resolve conflicts from previous merge (all resulting from $NetBSD
keywork expansion)
 1.48.2.1 17-Nov-2017  snj Pull up following revision(s) (requested by ozaki-r in ticket #357):
distrib/sets/lists/debug/mi: 1.228
distrib/sets/lists/tests/mi: 1.765-1.766
etc/mtree/NetBSD.dist.tests: 1.149
sys/net/npf/npf_ctl.c: 1.49
tests/net/ipsec/Makefile: 1.10
tests/net/ipsec/algorithms.sh: 1.6
tests/net/ipsec/natt_terminator.c: 1.1
tests/net/ipsec/t_ipsec_natt.sh: 1.1
tests/net/net_common.sh: 1.23-1.24
usr.sbin/npf/npfctl/npfctl.c: 1.54
Handle esp-udp for NAT-T
--
Fix npfclt reload on rump kernels
It fails because npfctl cannot get an errno when it calls ioctl to the (rump)
kernel; npfctl (libnpf) expects that an errno is returned via proplib,
however, the rump library of npf doesn't so. It happens because of mishandlings
of complicate npf kernel options.
PR kern/52643
--
Fix showing translated port (ntohs-ed twice wrongly)
--
Add test cases of NAT-T (transport mode)
A small C program is added to make a special socket (UDP_ENCAP_ESPINUDP)
and keep it to handle UDP-encapsulated ESP packets.
--
Add net/ipsec debug lib directory
--
Add ./usr/libdata/debug/usr/tests/net/ipsec
--
Stop using bpfjit
Because most architectures don't support it and npf still works without it.
 1.50.4.2 13-Apr-2020  martin Mostly merge changes from HEAD upto 20200411
 1.50.4.1 10-Jun-2019  christos Sync with HEAD
 1.50.2.3 26-Jan-2019  pgoyette Sync with HEAD
 1.50.2.2 26-Nov-2018  pgoyette Sync with HEAD, resolve a couple of conflicts
 1.50.2.1 30-Sep-2018  pgoyette Ssync with HEAD
 1.54.2.5 20-Jun-2020  martin Pull up following revision(s) (requested by rmind in ticket #956):

usr.sbin/npf/npf-params.7: revision 1.4
sys/net/npf/npf_worker.c: revision 1.9
usr.sbin/npf/npftest/npftest.h: revision 1.17
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.16
usr.sbin/npf/npf-params.7: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.21
usr.sbin/npf/npfctl/npf_build.c: revision 1.55
usr.sbin/npf/npf-params.7: revision 1.6
sys/net/npf/npfkern.h: revision 1.5
lib/libnpf/npf.c: revision 1.49
usr.sbin/npf/npf-params.7: revision 1.7
sys/net/npf/npf_impl.h: revision 1.81
sys/net/npf/npf_ext_log.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.h: revision 1.53
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.50
sys/net/npf/npf_mbuf.c: revision 1.24
sys/net/npf/npf_alg.c: revision 1.22
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: file removal
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.10
sys/net/npf/npf.h: revision 1.63
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.21
usr.sbin/npf/npfctl/npf_var.c: revision 1.13
sys/net/npf/files.npf: revision 1.23
usr.sbin/npf/npfctl/npf_show.c: revision 1.32
usr.sbin/npf/npfctl/npf.conf.5: revision 1.91
sys/net/npf/npf_os.c: revision 1.18
sys/net/npf/npf_connkey.c: revision 1.2
sys/net/npf/npf_conf.c: revision 1.17
lib/libnpf/libnpf.3: revision 1.12
usr.sbin/npf/npftest/npftest.c: revision 1.25
usr.sbin/npf/npftest/libnpftest/npf_gc_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.51
sys/net/npf/npf_tableset.c: revision 1.35
usr.sbin/npf/npftest/npftest.conf: revision 1.9
sys/net/npf/npf_sendpkt.c: revision 1.22
usr.sbin/npf/npfctl/npf_var.h: revision 1.10
sys/net/npf/npf_state.c: revision 1.23
sys/net/npf/npf_conn.h: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.64
usr.sbin/npf/npfctl/npf_cmd.c: revision 1.1
sys/net/npf/npf_portmap.c: revision 1.5
sys/net/npf/npf_params.c: revision 1.3
usr.sbin/npf/npfctl/npf_scan.l: revision 1.32
tests/net/npf/t_npf.sh: revision 1.4
sys/net/npf/npf_ext_rndblock.c: revision 1.9
lib/libnpf/npf.h: revision 1.39
sys/net/npf/npf_ruleset.c: revision 1.51
sys/net/npf/npf_alg_icmp.c: revision 1.33
sys/net/npf/npf.c: revision 1.43
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.8: revision 1.25
sys/net/npf/npf_ctl.c: revision 1.60
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.11
sys/net/npf/npf_handler.c: revision 1.49
sys/net/npf/npf_inet.c: revision 1.57
sys/net/npf/npf_ifaddr.c: revision 1.7
sys/net/npf/npf_conndb.c: revision 1.9
sys/net/npf/npf_if.c: revision 1.13
usr.sbin/npf/npfctl/Makefile: revision 1.15
sys/net/npf/npf_conn.c: revision 1.32
sys/net/npf/npf_ext_normalize.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.20
sys/net/npf/npf_worker.c: revision 1.8

Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.

npf_worker_sys{init,fini}: initialize/destroy the exit_cv condvar.

npftest -- npf_test_init(): add a workaround for NetBSD.

npf-params(7): fix the state.key defaults.

npf-params.7: s/filer/filter/

Adjust to "npfctl debug" command line changes, from rmind@.

Use more markup.
 1.54.2.4 04-Oct-2019  martin Pull up following revision(s) (requested by rmind in ticket #282):

usr.sbin/npf/npfctl/npf_build.c: revision 1.53
lib/libnpf/npf.c: revision 1.48
usr.sbin/npf/npfctl/npfctl.h: revision 1.50
sys/net/npf/npf_impl.h: revision 1.80
usr.sbin/npf/npfctl/npfctl.h: revision 1.51
sys/net/npf/npf_ruleset.c: revision 1.49
usr.sbin/npf/npfctl/npf.conf.5: revision 1.90
sys/net/npf/npf_ctl.c: revision 1.59
lib/libnpf/libnpf.3: revision 1.11
usr.sbin/npf/npfctl/npf_parse.y: revision 1.50
usr.sbin/npf/npftest/npftest.conf: revision 1.8
usr.sbin/npf/npfctl/npfctl.c: revision 1.62
usr.sbin/npf/npfctl/npfctl.c: revision 1.63
usr.sbin/npf/npfctl/npf_scan.l: revision 1.30
usr.sbin/npf/npfctl/npfctl.8: revision 1.22
lib/libnpf/npf.h: revision 1.38
usr.sbin/npf/npfctl/npfctl.8: revision 1.23
usr.sbin/npf/npfctl/npfctl.8: revision 1.24
sys/net/npf/npf_if.c: revision 1.11
sys/net/npf/npf_if.c: revision 1.12
usr.sbin/npf/npfctl/npf.conf.5: revision 1.89
sys/net/npf/npf_conn.c: revision 1.30
usr.sbin/npf/npfctl/npf_build.c: revision 1.52

npfctl: implement table replace subcommand.
Contributed by Timshel Knoll-Miller.

NPF ifmap: rework and fix a few small bugs.

npfctl: implement table replace subcommand.
Contributed by Timshel Knoll-Miller.
(missed a file in previous commit; cvs is so helpful..)

libnpf/npfctl: support dynamic NAT rulesets using a name prefix.

Use -width Pa for FILES.

Fix pasto in table replace -t type

Use -width Pa for FILES.

npf_ifmap_copylogname: be more defensive.
 1.54.2.3 01-Sep-2019  martin Pull up following revision(s) (requested by rmind in ticket #141):

usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.15
sys/net/npf/npf_alg.c: revision 1.21
sys/net/npf/npf.h: revision 1.62
sys/net/npf/npf_ctl.c: revision 1.57
sys/net/npf/npf_ctl.c: revision 1.58
sys/net/npf/npf_os.c: revision 1.16
sys/net/npf/npf_os.c: revision 1.17
sys/net/npf/npf_conf.c: revision 1.15
sys/net/npf/npf_impl.h: revision 1.78
sys/sys/mbuf.h: revision 1.220
sys/net/npf/npf_impl.h: revision 1.79
sys/net/npf/npf.c: revision 1.41
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.19
sys/net/npf/npf_nat.c: revision 1.48
sys/net/npf/npf_handler.c: revision 1.48
sys/net/npf/npf_ifaddr.c: revision 1.6

- npfctl_load_nvlist: simplify the config loading logic.
- Fix a small race condition in npf_nat_getaddr().
- Rework pserialize/EBR wrappers, make it easier to maintain.
Move PACKET_TAG_NPF where it belongs to.
Make npfctl_switch() and pfil private to OS-specific module.
 1.54.2.2 01-Sep-2019  martin Pull up following revision(s) (requested by rmind in ticket #139):

lib/libnpf/npf.c: revision 1.47
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.10
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.10
sys/net/npf/npf.h: revision 1.61
sys/net/npf/npf_ctl.c: revision 1.56
sys/net/npf/npf_os.c: revision 1.15
lib/libnpf/libnpf.3: revision 1.10
sys/net/npf/npf_tableset.c: revision 1.34
usr.sbin/npf/npfctl/npfctl.c: revision 1.61
sys/net/npf/npf_impl.h: revision 1.77
lib/libnpf/npf.h: revision 1.37

- npftest: fix a memleak in a unit test (standalone path only).
- Minor style fixes. No functional change.
npfkern/libnpf: Add support for the table replace/swap operation.
Contributed by Timshel Knoll-Miller.
 1.54.2.1 13-Aug-2019  martin Pull up following revision(s) (requested by rmind in ticket #49):

usr.sbin/npf/npf.7: revision 1.7
sys/net/npf/npfkern.h: revision 1.4
sys/net/npf/npf_conn.h: revision 1.18
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.13
sys/net/npf/npf_ctl.c: revision 1.55
sys/net/npf/npf_os.c: revision 1.14
sys/net/npf/npf_conf.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/npf_perf_test.c: revision 1.9
sys/net/npf/npf_impl.h: revision 1.76
sys/net/npf/npf_portmap.c: revision 1.4
sys/net/npf/npf_params.c: revision 1.2
sys/net/npf/npf.c: revision 1.40
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.18
sys/net/npf/npf_nat.c: revision 1.47
sys/net/npf/npf_handler.c: revision 1.47
sys/net/npf/npf_inet.c: revision 1.55
sys/net/npf/npf_if.c: revision 1.10
sys/net/npf/npf_worker.c: revision 1.7
usr.sbin/npf/npf-params.7: revision 1.3

npf-params(7): add more bpf.jit details.
From David H. Gutteridge.

Adjust some internal NPF APIs:
* npfkern: use the npfk_ prefix.
* NPF portmap: amend the API so it could be used elsewhere.
* Make npf_connkey_t public.

npf.7: add xref to npf-params.7
(Adding directly here since this particular file isn't included in
rmind@'s upstream GitHub repo at present.)
 1.60.26.1 02-Aug-2025  perseant Sync with HEAD
 1.17 30-May-2020  rmind Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.

- Amend and improve the manual pages.
 1.16 29-Jan-2020  thorpej Adopt <net/if_stats.h>.
 1.15 29-Sep-2018  rmind branches: 1.15.4; 1.15.6;
NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.
 1.14 26-Jun-2018  msaitoh branches: 1.14.2;
Implement the BPF direction filter (BIOC[GS]DIRECTION). It provides backward
compatibility with BIOC[GS]SEESENT ioctl. The userland interface is the same
as FreeBSD.

This change also fixes a bug that the direction is misunderstand on some
environment by passing the direction to bpf_mtap*() instead of checking
m->m_pkthdr.rcvif.
 1.13 18-Feb-2017  christos branches: 1.13.12;
provide a copy function used for logging that does not lock, but can return
trash.
 1.12 18-Feb-2017  mlelstv npf_ifmap_getname requires the config to be locked. For now, just prevent the
crash.
 1.11 29-Jan-2017  christos - Increase copyin buffer size to 4M
- Change log output format to be like the OpenBSD's pf including in
the header the matching rule etc, and fill in the matching info.
 1.10 26-Dec-2016  christos branches: 1.10.2;
Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)
 1.9 16-Jun-2016  ozaki-r branches: 1.9.2;
Use if_get_byindex instead of if_byindex for MP-safe
 1.8 20-Jul-2014  rmind branches: 1.8.4;
NPF: add nbuf_t * into npf_cache_t and remove unnecessary carrying by argument.
 1.7 19-May-2014  jakllsch Add ability to have mbufs disappear (to another interface) during
npf_rproc_run(). For upcoming npf_ext_route extension.

Guidance and ok by rmind@.
 1.6 11-Mar-2013  christos branches: 1.6.10;
*"" is not constant according to gcc. So we move the responsibility for adding
a , to the users of the macro.
 1.5 11-Mar-2013  christos - avoid trailing , in dependencies when there are none other the npf module
itself.
- remove if_npflog dependency from npf_ext_log.
 1.4 11-Mar-2013  christos remove the detach that does not belong here anymore.
 1.3 10-Mar-2013  christos Split the npflog cloner and auto-load the extensions.
 1.2 24-Dec-2012  rmind - Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.
 1.1 16-Sep-2012  rmind branches: 1.1.2; 1.1.4; 1.1.6;
Implement dynamic NPF extensions interface. An extension consists of
dynamically loaded module (.so) supplementing npfctl(8) and a kernel
module. Move normalisation and logging functionality into their own
extensions. More improvements to come.
 1.1.6.6 03-Dec-2017  jdolecek update from HEAD
 1.1.6.5 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.1.6.4 23-Jun-2013  tls resync from head
 1.1.6.3 25-Feb-2013  tls resync with head
 1.1.6.2 20-Nov-2012  tls Resync to 2012-11-19 00:00:00 UTC
 1.1.6.1 16-Sep-2012  tls file npf_ext_log.c was added on branch tls-maxphys on 2012-11-20 03:02:47 +0000
 1.1.4.3 08-Feb-2013  riz Pull up following revision(s) (requested by rmind in ticket #777):
usr.sbin/npf/npfctl/npfctl.c: revision 1.27
sys/net/npf/npf_session.c: revision 1.19
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.4
sys/net/npf/npf_rproc.c: revision 1.5
usr.sbin/npf/npftest/README: revision 1.3
sys/sys/mbuf.h: revision 1.151
sys/net/npf/npf_ruleset.c: revision 1.15
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.3
sys/net/npf/npf_ruleset.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.4
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.4
sys/net/npf/npf_inet.c: revision 1.19
sys/net/npf/npf_instr.c: revision 1.15
sys/net/npf/npf_handler.c: revision 1.24
sys/net/npf/npf_handler.c: revision 1.25
sys/net/npf/npf_state_tcp.c: revision 1.12
sys/net/npf/npf_processor.c: revision 1.13
sys/net/npf/npf_impl.h: revision 1.25
sys/net/npf/npf_processor.c: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.10
sys/net/npf/npf_alg_icmp.c: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.9
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.3
sys/net/npf/npf_session.c: revision 1.20
sys/net/npf/npf_alg.c: revision 1.6
sys/kern/uipc_mbuf.c: revision 1.148
sys/net/npf/npf_inet.c: revision 1.20
sys/net/npf/npf.h: revision 1.25
sys/net/npf/npf_nat.c: revision 1.18
sys/net/npf/npf_state.c: revision 1.13
sys/net/npf/npf_sendpkt.c: revision 1.13
sys/net/npf/npf_ext_log.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.4
sys/net/npf/npf_ext_normalise.c: revision 1.2
- Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.
Silence gcc in npf_recache().
Add m_ensure_contig() routine, which is equivalent to m_pullup, but does not
destroy the mbuf chain on failure (it is kept valid).
- nbuf_ensure_contig: rework to use m_ensure_contig(9), which will not free
the mbuf chain on failure. Fixes some corner cases. Improve regression
test and sprinkle some asserts.
- npf_reassembly: clear nbuf on IPv6 reassembly failure path (partial fix).
The problem was found and fix provided by Anthony Mallet.
 1.1.4.2 18-Nov-2012  riz Pull up following revision(s) (requested by rmind in ticket #693):
lib/npf/ext_normalise/shlib_version: revision 1.1
lib/libnpf/npf.c: revision 1.13
distrib/sets/lists/modules/mi: revision 1.48
sys/net/npf/npf_rproc.c: revision 1.3
sys/net/npf/npf_rproc.c: revision 1.4
sys/modules/npf/Makefile: revision 1.11
usr.sbin/npf/npfctl/npfctl.h: revision 1.20
lib/npf/ext_log/npfext_log.c: revision 1.1
lib/libnpf/npf.h: revision 1.11
sys/net/npf/npf_inet.c: revision 1.17
sys/net/npf/npf_log.c: file removal
sys/net/npf/npf_handler.c: revision 1.22
distrib/sets/lists/base/shl.mi: revision 1.636
sys/net/npf/npf_impl.h: revision 1.23
usr.sbin/npf/npfctl/Makefile: revision 1.8
lib/npf/Makefile: revision 1.1
lib/npf/ext_log/shlib_version: revision 1.1
lib/Makefile: revision 1.189
distrib/sets/lists/comp/shl.mi: revision 1.236
usr.sbin/npf/npfctl/npf_build.c: revision 1.14
distrib/sets/lists/base/mi: revision 1.1007
usr.sbin/npf/npfctl/npf_scan.l: revision 1.6
distrib/sets/lists/base/mi: revision 1.1009
sys/net/npf/npf.h: revision 1.21
lib/npf/ext_normalise/npfext_normalise.c: revision 1.1
etc/mtree/NetBSD.dist.base: revision 1.105
lib/libnpf/Makefile: revision 1.3
etc/mtree/NetBSD.dist.base: revision 1.106
usr.sbin/npf/npfctl/npf_extmod.c: revision 1.1
sys/net/npf/npf_ctl.c: revision 1.18
lib/npf/ext_log/Makefile: revision 1.1
distrib/sets/lists/comp/mi: revision 1.1781
usr.sbin/npf/npfctl/npf_var.h: revision 1.4
sys/net/npf/npf.c: revision 1.13
sys/modules/Makefile: revision 1.111
sys/net/npf/npf_ext_log.c: revision 1.1
lib/npf/Makefile.inc: revision 1.1
sys/net/npf/npf_ext_normalise.c: revision 1.1
sys/net/npf/files.npf: revision 1.8
sys/rump/net/lib/libnpf/Makefile: revision 1.2
sys/modules/npf_ext_log/Makefile: revision 1.1
lib/npf/ext_normalise/Makefile: revision 1.1
usr.sbin/npf/npfctl/npfctl.c: revision 1.20
usr.sbin/npf/npfctl/npf_parse.y: revision 1.13
sys/modules/npf_ext_normalise/Makefile: revision 1.1
Implement dynamic NPF extensions interface. An extension consists of
dynamically loaded module (.so) supplementing npfctl(8) and a kernel
module. Move normalisation and logging functionality into their own
extensions. More improvements to come.
Add /usr/lib/npf.
Add ./usr/libdata/debug/usr/lib/npf for rmind
Fix MKDEBUG set lists
ext_ops does not change during the life cycle and can be fetched without
the mutex held. This avoids confusion in the compiler about an uninitialized
variable ext_ops.
ok rmind@
 1.1.4.1 16-Sep-2012  riz file npf_ext_log.c was added on branch netbsd-6 on 2012-11-18 22:38:26 +0000
 1.1.2.4 22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.1.2.3 23-Jan-2013  yamt sync with head
 1.1.2.2 30-Oct-2012  yamt sync with head
 1.1.2.1 16-Sep-2012  yamt file npf_ext_log.c was added on branch yamt-pagecache on 2012-10-30 17:22:44 +0000
 1.6.10.1 10-Aug-2014  tls Rebase.
 1.8.4.3 28-Aug-2017  skrll Sync with HEAD
 1.8.4.2 05-Feb-2017  skrll Sync with HEAD
 1.8.4.1 09-Jul-2016  skrll Sync with HEAD
 1.9.2.2 20-Mar-2017  pgoyette Sync with HEAD
 1.9.2.1 07-Jan-2017  pgoyette Sync with HEAD. (Note that most of these changes are simply $NetBSD$
tag issues.)
 1.10.2.1 21-Apr-2017  bouyer Sync with HEAD
 1.13.12.2 30-Sep-2018  pgoyette Ssync with HEAD
 1.13.12.1 28-Jul-2018  pgoyette Sync with HEAD
 1.14.2.2 08-Apr-2020  martin Merge changes from current as of 20200406
 1.14.2.1 10-Jun-2019  christos Sync with HEAD
 1.15.6.1 29-Feb-2020  ad Sync with head.
 1.15.4.1 20-Jun-2020  martin Pull up following revision(s) (requested by rmind in ticket #956):

usr.sbin/npf/npf-params.7: revision 1.4
sys/net/npf/npf_worker.c: revision 1.9
usr.sbin/npf/npftest/npftest.h: revision 1.17
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.16
usr.sbin/npf/npf-params.7: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.21
usr.sbin/npf/npfctl/npf_build.c: revision 1.55
usr.sbin/npf/npf-params.7: revision 1.6
sys/net/npf/npfkern.h: revision 1.5
lib/libnpf/npf.c: revision 1.49
usr.sbin/npf/npf-params.7: revision 1.7
sys/net/npf/npf_impl.h: revision 1.81
sys/net/npf/npf_ext_log.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.h: revision 1.53
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.50
sys/net/npf/npf_mbuf.c: revision 1.24
sys/net/npf/npf_alg.c: revision 1.22
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: file removal
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.10
sys/net/npf/npf.h: revision 1.63
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.21
usr.sbin/npf/npfctl/npf_var.c: revision 1.13
sys/net/npf/files.npf: revision 1.23
usr.sbin/npf/npfctl/npf_show.c: revision 1.32
usr.sbin/npf/npfctl/npf.conf.5: revision 1.91
sys/net/npf/npf_os.c: revision 1.18
sys/net/npf/npf_connkey.c: revision 1.2
sys/net/npf/npf_conf.c: revision 1.17
lib/libnpf/libnpf.3: revision 1.12
usr.sbin/npf/npftest/npftest.c: revision 1.25
usr.sbin/npf/npftest/libnpftest/npf_gc_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.51
sys/net/npf/npf_tableset.c: revision 1.35
usr.sbin/npf/npftest/npftest.conf: revision 1.9
sys/net/npf/npf_sendpkt.c: revision 1.22
usr.sbin/npf/npfctl/npf_var.h: revision 1.10
sys/net/npf/npf_state.c: revision 1.23
sys/net/npf/npf_conn.h: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.64
usr.sbin/npf/npfctl/npf_cmd.c: revision 1.1
sys/net/npf/npf_portmap.c: revision 1.5
sys/net/npf/npf_params.c: revision 1.3
usr.sbin/npf/npfctl/npf_scan.l: revision 1.32
tests/net/npf/t_npf.sh: revision 1.4
sys/net/npf/npf_ext_rndblock.c: revision 1.9
lib/libnpf/npf.h: revision 1.39
sys/net/npf/npf_ruleset.c: revision 1.51
sys/net/npf/npf_alg_icmp.c: revision 1.33
sys/net/npf/npf.c: revision 1.43
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.8: revision 1.25
sys/net/npf/npf_ctl.c: revision 1.60
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.11
sys/net/npf/npf_handler.c: revision 1.49
sys/net/npf/npf_inet.c: revision 1.57
sys/net/npf/npf_ifaddr.c: revision 1.7
sys/net/npf/npf_conndb.c: revision 1.9
sys/net/npf/npf_if.c: revision 1.13
usr.sbin/npf/npfctl/Makefile: revision 1.15
sys/net/npf/npf_conn.c: revision 1.32
sys/net/npf/npf_ext_normalize.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.20
sys/net/npf/npf_worker.c: revision 1.8

Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.

npf_worker_sys{init,fini}: initialize/destroy the exit_cv condvar.

npftest -- npf_test_init(): add a workaround for NetBSD.

npf-params(7): fix the state.key defaults.

npf-params.7: s/filer/filter/

Adjust to "npfctl debug" command line changes, from rmind@.

Use more markup.
 1.5 12-Mar-2013  christos normali{s,z}e
 1.4 11-Mar-2013  christos *"" is not constant according to gcc. So we move the responsibility for adding
a , to the users of the macro.
 1.3 11-Mar-2013  christos - avoid trailing , in dependencies when there are none other the npf module
itself.
- remove if_npflog dependency from npf_ext_log.
 1.2 24-Dec-2012  rmind - Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.
 1.1 16-Sep-2012  rmind branches: 1.1.2; 1.1.4; 1.1.6;
Implement dynamic NPF extensions interface. An extension consists of
dynamically loaded module (.so) supplementing npfctl(8) and a kernel
module. Move normalisation and logging functionality into their own
extensions. More improvements to come.
 1.1.6.4 23-Jun-2013  tls resync from head
 1.1.6.3 25-Feb-2013  tls resync with head
 1.1.6.2 20-Nov-2012  tls Resync to 2012-11-19 00:00:00 UTC
 1.1.6.1 16-Sep-2012  tls file npf_ext_normalise.c was added on branch tls-maxphys on 2012-11-20 03:02:47 +0000
 1.1.4.3 08-Feb-2013  riz Pull up following revision(s) (requested by rmind in ticket #777):
usr.sbin/npf/npfctl/npfctl.c: revision 1.27
sys/net/npf/npf_session.c: revision 1.19
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.4
sys/net/npf/npf_rproc.c: revision 1.5
usr.sbin/npf/npftest/README: revision 1.3
sys/sys/mbuf.h: revision 1.151
sys/net/npf/npf_ruleset.c: revision 1.15
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.3
sys/net/npf/npf_ruleset.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.4
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.4
sys/net/npf/npf_inet.c: revision 1.19
sys/net/npf/npf_instr.c: revision 1.15
sys/net/npf/npf_handler.c: revision 1.24
sys/net/npf/npf_handler.c: revision 1.25
sys/net/npf/npf_state_tcp.c: revision 1.12
sys/net/npf/npf_processor.c: revision 1.13
sys/net/npf/npf_impl.h: revision 1.25
sys/net/npf/npf_processor.c: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.10
sys/net/npf/npf_alg_icmp.c: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.9
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.3
sys/net/npf/npf_session.c: revision 1.20
sys/net/npf/npf_alg.c: revision 1.6
sys/kern/uipc_mbuf.c: revision 1.148
sys/net/npf/npf_inet.c: revision 1.20
sys/net/npf/npf.h: revision 1.25
sys/net/npf/npf_nat.c: revision 1.18
sys/net/npf/npf_state.c: revision 1.13
sys/net/npf/npf_sendpkt.c: revision 1.13
sys/net/npf/npf_ext_log.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.4
sys/net/npf/npf_ext_normalise.c: revision 1.2
- Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.
Silence gcc in npf_recache().
Add m_ensure_contig() routine, which is equivalent to m_pullup, but does not
destroy the mbuf chain on failure (it is kept valid).
- nbuf_ensure_contig: rework to use m_ensure_contig(9), which will not free
the mbuf chain on failure. Fixes some corner cases. Improve regression
test and sprinkle some asserts.
- npf_reassembly: clear nbuf on IPv6 reassembly failure path (partial fix).
The problem was found and fix provided by Anthony Mallet.
 1.1.4.2 18-Nov-2012  riz Pull up following revision(s) (requested by rmind in ticket #693):
lib/npf/ext_normalise/shlib_version: revision 1.1
lib/libnpf/npf.c: revision 1.13
distrib/sets/lists/modules/mi: revision 1.48
sys/net/npf/npf_rproc.c: revision 1.3
sys/net/npf/npf_rproc.c: revision 1.4
sys/modules/npf/Makefile: revision 1.11
usr.sbin/npf/npfctl/npfctl.h: revision 1.20
lib/npf/ext_log/npfext_log.c: revision 1.1
lib/libnpf/npf.h: revision 1.11
sys/net/npf/npf_inet.c: revision 1.17
sys/net/npf/npf_log.c: file removal
sys/net/npf/npf_handler.c: revision 1.22
distrib/sets/lists/base/shl.mi: revision 1.636
sys/net/npf/npf_impl.h: revision 1.23
usr.sbin/npf/npfctl/Makefile: revision 1.8
lib/npf/Makefile: revision 1.1
lib/npf/ext_log/shlib_version: revision 1.1
lib/Makefile: revision 1.189
distrib/sets/lists/comp/shl.mi: revision 1.236
usr.sbin/npf/npfctl/npf_build.c: revision 1.14
distrib/sets/lists/base/mi: revision 1.1007
usr.sbin/npf/npfctl/npf_scan.l: revision 1.6
distrib/sets/lists/base/mi: revision 1.1009
sys/net/npf/npf.h: revision 1.21
lib/npf/ext_normalise/npfext_normalise.c: revision 1.1
etc/mtree/NetBSD.dist.base: revision 1.105
lib/libnpf/Makefile: revision 1.3
etc/mtree/NetBSD.dist.base: revision 1.106
usr.sbin/npf/npfctl/npf_extmod.c: revision 1.1
sys/net/npf/npf_ctl.c: revision 1.18
lib/npf/ext_log/Makefile: revision 1.1
distrib/sets/lists/comp/mi: revision 1.1781
usr.sbin/npf/npfctl/npf_var.h: revision 1.4
sys/net/npf/npf.c: revision 1.13
sys/modules/Makefile: revision 1.111
sys/net/npf/npf_ext_log.c: revision 1.1
lib/npf/Makefile.inc: revision 1.1
sys/net/npf/npf_ext_normalise.c: revision 1.1
sys/net/npf/files.npf: revision 1.8
sys/rump/net/lib/libnpf/Makefile: revision 1.2
sys/modules/npf_ext_log/Makefile: revision 1.1
lib/npf/ext_normalise/Makefile: revision 1.1
usr.sbin/npf/npfctl/npfctl.c: revision 1.20
usr.sbin/npf/npfctl/npf_parse.y: revision 1.13
sys/modules/npf_ext_normalise/Makefile: revision 1.1
Implement dynamic NPF extensions interface. An extension consists of
dynamically loaded module (.so) supplementing npfctl(8) and a kernel
module. Move normalisation and logging functionality into their own
extensions. More improvements to come.
Add /usr/lib/npf.
Add ./usr/libdata/debug/usr/lib/npf for rmind
Fix MKDEBUG set lists
ext_ops does not change during the life cycle and can be fetched without
the mutex held. This avoids confusion in the compiler about an uninitialized
variable ext_ops.
ok rmind@
 1.1.4.1 16-Sep-2012  riz file npf_ext_normalise.c was added on branch netbsd-6 on 2012-11-18 22:38:27 +0000
 1.1.2.4 22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.1.2.3 23-Jan-2013  yamt sync with head
 1.1.2.2 30-Oct-2012  yamt sync with head
 1.1.2.1 16-Sep-2012  yamt file npf_ext_normalise.c was added on branch yamt-pagecache on 2012-10-30 17:22:44 +0000
 1.11 08-Mar-2021  christos reinstate a simple version of ip_randomid()
 1.10 30-May-2020  rmind branches: 1.10.2;
Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.

- Amend and improve the manual pages.
 1.9 29-Sep-2018  rmind branches: 1.9.4;
NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.
 1.8 31-Aug-2018  maxv Introduce npf_set_mss(). When the MSS is not 16bit-aligned, it sets:

0 8 16 24 32
+------+-----------+-----------+------+
| data | MSS (low) | MSS (hig) | data |
+------+-----------+-----------+------+
^ ^
old[0] old[1]

And sets new[0,1] accordingly with the new value. The MSS-clamping code
then adjusts twice the checksum on a 16bit boundary:

from old[0] to new[0]
from old[1] to new[1]

Fixes PR/53479, opened by myself. Tested with wireshark and kASan.
 1.7 07-Apr-2018  maxv branches: 1.7.2;
Fix an inverted logic.

nbuf_cksum_barrier returns true when the direction is PFIL_OUT and TSO is
active; that is to say, it returns true when the checksum was already
recomputed by the function.

The check should be !nbuf_cksum_barrier, because otherwise we're wrongfully
checksumming twice, and it causes the packet to be kicked later in
tcp_input.

This can be seen with a configuration of the type:

procedure "norm" {
normalize: "max-mss" 15000
}
group default {
pass all apply "norm"
}

The packets systematically get dropped because the checksum validation in
tcp_input fails. With this patch in place, it works.
 1.6 10-Dec-2017  rmind branches: 1.6.2;
- npf_cop_table: handle non-IP packets in the ether (fixes PR/52290).
- npfa_icmp_nat: do not recompute the checksum if no port translation.
- npf_normalize (MSS clamping): fix the checksum handling on PFIL_OUT.
- npflog: report the packet direction correctly.
 1.5 29-Jan-2017  christos - Increase copyin buffer size to 4M
- Change log output format to be like the OpenBSD's pf including in
the header the matching rule etc, and fill in the matching info.
 1.4 26-Dec-2016  christos branches: 1.4.2;
Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)
 1.3 20-Jul-2014  rmind branches: 1.3.4; 1.3.8;
NPF: add nbuf_t * into npf_cache_t and remove unnecessary carrying by argument.
 1.2 19-May-2014  jakllsch branches: 1.2.2;
Add ability to have mbufs disappear (to another interface) during
npf_rproc_run(). For upcoming npf_ext_route extension.

Guidance and ok by rmind@.
 1.1 12-Mar-2013  christos branches: 1.1.6; 1.1.12;
normali{s,z}e
 1.1.12.1 10-Aug-2014  tls Rebase.
 1.1.6.4 03-Dec-2017  jdolecek update from HEAD
 1.1.6.3 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.1.6.2 23-Jun-2013  tls resync from head
 1.1.6.1 12-Mar-2013  tls file npf_ext_normalize.c was added on branch tls-maxphys on 2013-06-23 06:20:25 +0000
 1.2.2.2 22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.2.2.1 19-May-2014  yamt file npf_ext_normalize.c was added on branch yamt-pagecache on 2014-05-22 11:41:09 +0000
 1.3.8.2 20-Mar-2017  pgoyette Sync with HEAD
 1.3.8.1 07-Jan-2017  pgoyette Sync with HEAD. (Note that most of these changes are simply $NetBSD$
tag issues.)
 1.3.4.1 05-Feb-2017  skrll Sync with HEAD
 1.4.2.1 21-Apr-2017  bouyer Sync with HEAD
 1.6.2.3 30-Sep-2018  pgoyette Ssync with HEAD
 1.6.2.2 06-Sep-2018  pgoyette Sync with HEAD

Resolve a couple of conflicts (result of the uimin/uimax changes)
 1.6.2.1 16-Apr-2018  pgoyette Sync with HEAD, resolve some conflicts
 1.7.2.1 10-Jun-2019  christos Sync with HEAD
 1.9.4.1 20-Jun-2020  martin Pull up following revision(s) (requested by rmind in ticket #956):

usr.sbin/npf/npf-params.7: revision 1.4
sys/net/npf/npf_worker.c: revision 1.9
usr.sbin/npf/npftest/npftest.h: revision 1.17
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.16
usr.sbin/npf/npf-params.7: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.21
usr.sbin/npf/npfctl/npf_build.c: revision 1.55
usr.sbin/npf/npf-params.7: revision 1.6
sys/net/npf/npfkern.h: revision 1.5
lib/libnpf/npf.c: revision 1.49
usr.sbin/npf/npf-params.7: revision 1.7
sys/net/npf/npf_impl.h: revision 1.81
sys/net/npf/npf_ext_log.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.h: revision 1.53
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.50
sys/net/npf/npf_mbuf.c: revision 1.24
sys/net/npf/npf_alg.c: revision 1.22
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: file removal
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.10
sys/net/npf/npf.h: revision 1.63
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.21
usr.sbin/npf/npfctl/npf_var.c: revision 1.13
sys/net/npf/files.npf: revision 1.23
usr.sbin/npf/npfctl/npf_show.c: revision 1.32
usr.sbin/npf/npfctl/npf.conf.5: revision 1.91
sys/net/npf/npf_os.c: revision 1.18
sys/net/npf/npf_connkey.c: revision 1.2
sys/net/npf/npf_conf.c: revision 1.17
lib/libnpf/libnpf.3: revision 1.12
usr.sbin/npf/npftest/npftest.c: revision 1.25
usr.sbin/npf/npftest/libnpftest/npf_gc_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.51
sys/net/npf/npf_tableset.c: revision 1.35
usr.sbin/npf/npftest/npftest.conf: revision 1.9
sys/net/npf/npf_sendpkt.c: revision 1.22
usr.sbin/npf/npfctl/npf_var.h: revision 1.10
sys/net/npf/npf_state.c: revision 1.23
sys/net/npf/npf_conn.h: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.64
usr.sbin/npf/npfctl/npf_cmd.c: revision 1.1
sys/net/npf/npf_portmap.c: revision 1.5
sys/net/npf/npf_params.c: revision 1.3
usr.sbin/npf/npfctl/npf_scan.l: revision 1.32
tests/net/npf/t_npf.sh: revision 1.4
sys/net/npf/npf_ext_rndblock.c: revision 1.9
lib/libnpf/npf.h: revision 1.39
sys/net/npf/npf_ruleset.c: revision 1.51
sys/net/npf/npf_alg_icmp.c: revision 1.33
sys/net/npf/npf.c: revision 1.43
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.8: revision 1.25
sys/net/npf/npf_ctl.c: revision 1.60
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.11
sys/net/npf/npf_handler.c: revision 1.49
sys/net/npf/npf_inet.c: revision 1.57
sys/net/npf/npf_ifaddr.c: revision 1.7
sys/net/npf/npf_conndb.c: revision 1.9
sys/net/npf/npf_if.c: revision 1.13
usr.sbin/npf/npfctl/Makefile: revision 1.15
sys/net/npf/npf_conn.c: revision 1.32
sys/net/npf/npf_ext_normalize.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.20
sys/net/npf/npf_worker.c: revision 1.8

Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.

npf_worker_sys{init,fini}: initialize/destroy the exit_cv condvar.

npftest -- npf_test_init(): add a workaround for NetBSD.

npf-params(7): fix the state.key defaults.

npf-params.7: s/filer/filter/

Adjust to "npfctl debug" command line changes, from rmind@.

Use more markup.
 1.10.2.1 03-Apr-2021  thorpej Sync with HEAD.
 1.9 30-May-2020  rmind Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.

- Amend and improve the manual pages.
 1.8 29-Sep-2018  rmind branches: 1.8.4;
NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.
 1.7 29-Jan-2017  christos branches: 1.7.12; 1.7.14;
- Increase copyin buffer size to 4M
- Change log output format to be like the OpenBSD's pf including in
the header the matching rule etc, and fill in the matching info.
 1.6 26-Dec-2016  christos branches: 1.6.2;
Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)
 1.5 20-Jul-2014  rmind branches: 1.5.4; 1.5.8;
NPF: add nbuf_t * into npf_cache_t and remove unnecessary carrying by argument.
 1.4 19-May-2014  jakllsch Add ability to have mbufs disappear (to another interface) during
npf_rproc_run(). For upcoming npf_ext_route extension.

Guidance and ok by rmind@.
 1.3 11-Mar-2013  christos branches: 1.3.10;
*"" is not constant according to gcc. So we move the responsibility for adding
a , to the users of the macro.
 1.2 11-Mar-2013  christos - avoid trailing , in dependencies when there are none other the npf module
itself.
- remove if_npflog dependency from npf_ext_log.
 1.1 10-Dec-2012  rmind branches: 1.1.2; 1.1.4; 1.1.8;
Add NPF "rndblock" extension to randomly drop packets (using a random function
with a percentage or modulo operation). This is a demo module, although it can
be used for packet loss simulation. Example of a procedure in npf.conf:

procedure "somedrop" {
# Drop 1.9% of the traffic
rndblock: percentage 1.9
}
 1.1.8.4 03-Dec-2017  jdolecek update from HEAD
 1.1.8.3 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.1.8.2 25-Feb-2013  tls resync with head
 1.1.8.1 10-Dec-2012  tls file npf_ext_rndblock.c was added on branch tls-maxphys on 2013-02-25 00:30:02 +0000
 1.1.4.2 16-Jan-2013  yamt sync with (a bit old) head
 1.1.4.1 10-Dec-2012  yamt file npf_ext_rndblock.c was added on branch yamt-pagecache on 2013-01-16 05:33:49 +0000
 1.1.2.2 15-Dec-2012  riz Pull up following revision(s) (requested by rmind in ticket #745):
distrib/sets/lists/comp/shl.mi: revision 1.241
distrib/sets/lists/modules/mi: revision 1.49
distrib/sets/lists/base/md.sparc64: revision 1.171
lib/npf/ext_rndblock/npfext_rndblock.c: revision 1.1
distrib/sets/lists/base/ad.mips64eb: revision 1.106
distrib/sets/lists/modules/md.evbppc: revision 1.29
sys/net/npf/npf_ext_rndblock.c: revision 1.1
lib/npf/Makefile: revision 1.2
sys/modules/npf_ext_rndblock/Makefile: revision 1.1
lib/npf/ext_rndblock/Makefile: revision 1.1
distrib/sets/lists/base/ad.mips64el: revision 1.106
lib/npf/ext_rndblock/shlib_version: revision 1.1
distrib/sets/lists/base/md.amd64: revision 1.182
distrib/sets/lists/base/shl.mi: revision 1.643
sys/net/npf/files.npf: revision 1.9
sys/modules/Makefile: revision 1.117
Add NPF &quot;rndblock&quot; extension to randomly drop packets (using a random function
with a percentage or modulo operation). This is a demo module, although it can
be used for packet loss simulation. Example of a procedure in npf.conf:
procedure &quot;somedrop&quot; {
# Drop 1.9% of the traffic
rndblock: percentage 1.9
}
 1.1.2.1 10-Dec-2012  riz file npf_ext_rndblock.c was added on branch netbsd-6 on 2012-12-15 23:45:58 +0000
 1.3.10.1 10-Aug-2014  tls Rebase.
 1.5.8.2 20-Mar-2017  pgoyette Sync with HEAD
 1.5.8.1 07-Jan-2017  pgoyette Sync with HEAD. (Note that most of these changes are simply $NetBSD$
tag issues.)
 1.5.4.1 05-Feb-2017  skrll Sync with HEAD
 1.6.2.1 21-Apr-2017  bouyer Sync with HEAD
 1.7.14.1 10-Jun-2019  christos Sync with HEAD
 1.7.12.1 30-Sep-2018  pgoyette Ssync with HEAD
 1.8.4.1 20-Jun-2020  martin Pull up following revision(s) (requested by rmind in ticket #956):

usr.sbin/npf/npf-params.7: revision 1.4
sys/net/npf/npf_worker.c: revision 1.9
usr.sbin/npf/npftest/npftest.h: revision 1.17
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.16
usr.sbin/npf/npf-params.7: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.21
usr.sbin/npf/npfctl/npf_build.c: revision 1.55
usr.sbin/npf/npf-params.7: revision 1.6
sys/net/npf/npfkern.h: revision 1.5
lib/libnpf/npf.c: revision 1.49
usr.sbin/npf/npf-params.7: revision 1.7
sys/net/npf/npf_impl.h: revision 1.81
sys/net/npf/npf_ext_log.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.h: revision 1.53
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.50
sys/net/npf/npf_mbuf.c: revision 1.24
sys/net/npf/npf_alg.c: revision 1.22
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: file removal
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.10
sys/net/npf/npf.h: revision 1.63
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.21
usr.sbin/npf/npfctl/npf_var.c: revision 1.13
sys/net/npf/files.npf: revision 1.23
usr.sbin/npf/npfctl/npf_show.c: revision 1.32
usr.sbin/npf/npfctl/npf.conf.5: revision 1.91
sys/net/npf/npf_os.c: revision 1.18
sys/net/npf/npf_connkey.c: revision 1.2
sys/net/npf/npf_conf.c: revision 1.17
lib/libnpf/libnpf.3: revision 1.12
usr.sbin/npf/npftest/npftest.c: revision 1.25
usr.sbin/npf/npftest/libnpftest/npf_gc_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.51
sys/net/npf/npf_tableset.c: revision 1.35
usr.sbin/npf/npftest/npftest.conf: revision 1.9
sys/net/npf/npf_sendpkt.c: revision 1.22
usr.sbin/npf/npfctl/npf_var.h: revision 1.10
sys/net/npf/npf_state.c: revision 1.23
sys/net/npf/npf_conn.h: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.64
usr.sbin/npf/npfctl/npf_cmd.c: revision 1.1
sys/net/npf/npf_portmap.c: revision 1.5
sys/net/npf/npf_params.c: revision 1.3
usr.sbin/npf/npfctl/npf_scan.l: revision 1.32
tests/net/npf/t_npf.sh: revision 1.4
sys/net/npf/npf_ext_rndblock.c: revision 1.9
lib/libnpf/npf.h: revision 1.39
sys/net/npf/npf_ruleset.c: revision 1.51
sys/net/npf/npf_alg_icmp.c: revision 1.33
sys/net/npf/npf.c: revision 1.43
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.8: revision 1.25
sys/net/npf/npf_ctl.c: revision 1.60
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.11
sys/net/npf/npf_handler.c: revision 1.49
sys/net/npf/npf_inet.c: revision 1.57
sys/net/npf/npf_ifaddr.c: revision 1.7
sys/net/npf/npf_conndb.c: revision 1.9
sys/net/npf/npf_if.c: revision 1.13
usr.sbin/npf/npfctl/Makefile: revision 1.15
sys/net/npf/npf_conn.c: revision 1.32
sys/net/npf/npf_ext_normalize.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.20
sys/net/npf/npf_worker.c: revision 1.8

Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.

npf_worker_sys{init,fini}: initialize/destroy the exit_cv condvar.

npftest -- npf_test_init(): add a workaround for NetBSD.

npf-params(7): fix the state.key defaults.

npf-params.7: s/filer/filter/

Adjust to "npfctl debug" command line changes, from rmind@.

Use more markup.
 1.54 08-Jul-2025  joe Pass frames directly when no layer 2 rules are set

NPF's original implementation of default pass is to block. i.e if the packet matches absolutely
no rule even the default group. we cannot use that in layer 2 as well since all frames will be
blocked when no rules are set for layer 2 and that would not be good. since NPF is primarily
a layer 3 filter.

Greg@ Markus@
 1.53 01-Jul-2025  joe kernel code for layer 2 filtering in NPF

reviewed by christos@
 1.52 01-Jun-2025  joe NPF copyright 2025
 1.51 01-Jun-2025  joe kernel: extract rules, lookup socket, process filtering, reviews by christos@
 1.50 05-Jul-2024  rin npf: Drop redundant NULL check before m_freem(9)

XXX
Their standalone version of m_freem() does not work for NULL input.
I will send pullreq to upstream soon.
 1.49 30-May-2020  rmind branches: 1.49.26;
Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.

- Amend and improve the manual pages.
 1.48 25-Aug-2019  rmind - npfctl_load_nvlist: simplify the config loading logic.
- Fix a small race condition in npf_nat_getaddr().
- Rework pserialize/EBR wrappers, make it easier to maintain.
 1.47 11-Aug-2019  rmind Adjust some internal NPF APIs:
* npfkern: use the npfk_ prefix.
* NPF portmap: amend the API so it could be used elsewhere.
* Make npf_connkey_t public.
 1.46 23-Jul-2019  rmind branches: 1.46.2;
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.
 1.45 29-Sep-2018  rmind NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.
 1.44 10-Jul-2018  maxv Modify the logic in npf_reassembly. Don't call nbuf_reset, we don't need
it since we don't read the IPv4 header anymore.

If ip{6}_reass_packet fails, always free 'm', and always clear the nbuf.

We want to avoid the case where

'm' was reallocated
the nbuf pointer was not updated accordingly
the caller tried to use the nbuf pointer

This case doesn't happen right now, but the code is fragile, so strengthen
it.
 1.43 10-Jul-2018  maxv Remove the second argument from ip_reass_packet(). We want the IP header
on the mbuf, not elsewhere. Simplifies the NPF reassembly code a little.
No real functional change.
 1.42 10-Jul-2018  maxv Simplify the pointer handling. Set *mp = NULL at the beginning of the
function. In npf_reassembly, pass a simple boolean instead of a ** mbuf
pointer. Add a KASSERT for IPv4, we don't want (error && !m). Remove
the 'fastout' label, use 'out'.
 1.41 10-Jul-2018  maxv Update the pointer when fast-kicking, because it may have been freed.
Before my changes the nonsensical pointer ininitialization held, but
when I started introducing sanity checks the whole thing collapsed.

Need pullup-8.
 1.40 10-Jul-2018  maxv Set con = NULL just once, instead of doing it in each branch.
 1.39 13-Mar-2018  maxv branches: 1.39.2;
Fix two consecutive mistakes.

The first mistake was npf_inet.c rev1.37:

"Don't reassemble ipv6 fragments, instead treat the first fragment
as a regular packet (subject to filtering rules), and pass
subsequent fragments in the same group unconditionally."

Doing this was entirely wrong, because then a packet just had to push
the L4 payload in a secondary fragment, and NPF wouldn't apply rules on
it - meaning any IPv6 packet could bypass >=L4 filtering. This mistake
was supposed to be a fix for the second mistake.

The second mistake was that ip6_reass_packet (in npf_reassembly) was
getting called with npc->npc_hlen. But npc_hlen pointed to the last
encountered header in the IPv6 chain, which was not necessarily the
fragment header. So ip6_reass_packet was given garbage, and would fail,
resulting in the packet getting kicked. So basically IPv6 was broken by
NPF.

The first mistake is reverted, and the second one is fixed by doing:

- hlen = sizeof(struct ip6_frag);
+ hlen = 0;

Now the iteration stops on the fragment header, and the call to
ip6_reass_packet is valid.

My npf_inet.c rev1.38 is partially reverted: we don't need to worry
about failing properly to advance; once the packet is reassembled
npf_cache_ip gets called again, and this time the whole chain should be
there.

Tested with a simple UDPv6 server - send a 3000-byte-sized buffer, the
packet gets correctly reassembled by NPF now.
 1.38 08-Mar-2018  maxv Declare NPC_FMTERR, and use it to kick malformed packets. Several sanity
checks are added in IPv6; after we see the first IPPROTO_FRAGMENT header,
we are allowed to fail to advance, otherwise we kick the packet.

Sent on tech-net@ a few days ago, no response, but I'm committing it now
anyway.
 1.37 19-Feb-2017  christos branches: 1.37.6; 1.37.12;
Don't reassemble ipv6 fragments, instead treat the first fragment as a regular
packet (subject to filtering rules), and pass subsequent fragments in the
same group unconditionally.
 1.36 29-Jan-2017  christos - Increase copyin buffer size to 4M
- Change log output format to be like the OpenBSD's pf including in
the header the matching rule etc, and fill in the matching info.
 1.35 26-Dec-2016  christos branches: 1.35.2;
Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)
 1.34 08-Dec-2016  rmind NPF: adjust the 'stateful-ends' mechanism to tag the packets and thus
pass-through them on other interfaces. Per discussion with christos@.
 1.33 23-Jul-2014  rmind branches: 1.33.4; 1.33.8;
NPF: rework of the connection saving and restoring:
- Add support for saving a snapshot of the current connections together
with a full configuration. Support a reverse load operation. Eliminate
the old 'sess-save' and 'sess-load' in favour of the new mechanism.
- Share code between load and reload operations: the latter performs
load from npf.conf without affecting the connections.
- Simplify and fix races with connection loading.
- Bump NPF_VERSION.
 1.32 20-Jul-2014  rmind NPF: add nbuf_t * into npf_cache_t and remove unnecessary carrying by argument.
 1.31 19-Jul-2014  rmind NPF: partially rewrite the connection tracking mechanism:
- Separate the tracking interface from the storage (state table)
and thus prepare to use a new data structure for the storage.
- Fix some race conditions in NAT association logic.
 1.30 19-May-2014  jakllsch Add ability to have mbufs disappear (to another interface) during
npf_rproc_run(). For upcoming npf_ext_route extension.

Guidance and ok by rmind@.
 1.29 14-Mar-2014  rmind branches: 1.29.2;
NPF: add support for "stateful-ends".
 1.28 08-Nov-2013  rmind NPF: add support for specifying the interfaces before they are attached.
If an interface is or gets detached, all associated rules and connections
will be deactivated (it might be useful to have an option to invalidate
the associated connections). Once the interface is reattached they will
become active.

Bump NPF_VERSION.
 1.27 29-Jun-2013  rmind - Rewrite parts of pfil(9): use array to store hooks and thus be more cache
friendly (there are only few hooks in the system). Make the structures
opaque and the interface more strict.
- Remove PFIL_HOOKS option by making pfil(9) mandatory.
 1.26 09-Feb-2013  rmind branches: 1.26.2;
NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
 1.25 20-Jan-2013  rmind - nbuf_ensure_contig: rework to use m_ensure_contig(9), which will not free
the mbuf chain on failure. Fixes some corner cases. Improve regression
test and sprinkle some asserts.
- npf_reassembly: clear nbuf on IPv6 reassembly failure path (partial fix).
The problem was found and fix provided by Anthony Mallet.
 1.24 24-Dec-2012  rmind - Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.
 1.23 06-Oct-2012  rmind npf_packet_handler: drop the packet if IPv6 reassembly did not work.
 1.22 16-Sep-2012  rmind Implement dynamic NPF extensions interface. An extension consists of
dynamically loaded module (.so) supplementing npfctl(8) and a kernel
module. Move normalisation and logging functionality into their own
extensions. More improvements to come.
 1.21 12-Aug-2012  rmind branches: 1.21.2;
- Extend npftest: add ruleset inspection testing from the config generated
by npfctl debug functionality. Auto-create npftest interfaces for this.
- NPF sessions: combine protocol and interface into a separate substructure,
share between the entries and thus fix the handling of them. Constify.
- npftest: add regression tests for NAT policies.
- npf_build_nat: simplify and fix bi-NAT regression.
- Bump yacc stack size for npfctl.
 1.20 15-Jul-2012  rmind - Rework NPF tables and fix support for IPv6. Implement tree table type
using radix / Patricia tree. Universal IPv4/IPv6 comparator for ptree(3)
was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.
 1.19 02-Jul-2012  rmind npf_packet_handler: fix gcc unused warning.
 1.18 01-Jul-2012  rmind NPF improvements:
- Add NPF_OPCODE_PROTO to match the address and/or protocol only.
- Update parser to support arbitrary "pass proto <name/number>".
- Fix IPv6 address and protocol handling (add a regression test).
- Fix few theorethical races in session handling module.
- Misc fixes, simplifications and some clean up.
 1.17 30-May-2012  rmind npftest: add a stream processor, which prints out the TCP state information.
A tool for debugging connection tracking from tcpdump -w captured data.
 1.16 06-May-2012  rmind - Fix double-free case on ICMP return case.
- npf_pfil_register: handle kernels without INET6 option correctly.
- Reduce some #ifdefs.
 1.15 11-Mar-2012  rmind - Save active config in proplib dictionary; add GETCONF ioctl to retrieve.
- Few fixes. Improve some comments.
 1.14 20-Feb-2012  rmind - Add NPF_DECISION_BLOCK and NPF_DECISION_PASS. Be more defensive in the
packet handler. Change the default policy to block when the config is
loaded and set it to pass when flush operation is performed.
- Use kmem_zalloc(9) instead of kmem_alloc(9) in few places.
- npf_rproc_{create,release}: use kmem_intr_{alloc,free} as the destruction
of rule procedure might happen in the interrupt handler (under a very rare
condition, if config reload races with the handler).
- npf_session_establish: check whether layer 3 and 4 are cached.
- npfctl_build_group: do not make groups as passing rules.
- Remove some unecessary header inclusion.
 1.13 06-Feb-2012  rmind branches: 1.13.2;
- Split NPF rule procedure code into a separate module (no functional changes).
- Simplify some code, add more comments, some asserts.
- G/C unused rule hook code.
 1.12 15-Jan-2012  rmind - Expire all sessions on flush.
- Enable checking for zero mask in IP{4,6}MATCH after npfctl changes.
- Make locking symmetric for npf_ruleset_inspect().
- Sync function prototypes in npf(3) man page with reality.
- Rename NPF_TABLE_RBTREE to NPF_TABLE_TREE.
 1.11 29-Nov-2011  rmind branches: 1.11.2;
- Rework and improve TCP state tracking.
- Fix regressions after IPv6 patch merge.

Note: npfctl(8) rework will come soon.
 1.10 06-Nov-2011  rmind Few fixes, KNF/style, bump the NPF version.
 1.9 05-Nov-2011  zoltan When building the kernel without IPv6 support, compilation failed.
Fix that.
 1.8 04-Nov-2011  zoltan Add IPv6 support for NPF.
 1.7 02-Feb-2011  rmind branches: 1.7.2; 1.7.6;
NPF checkpoint:
- Add libnpf(3) - a library to control NPF (configuration, ruleset, etc).
- Add NPF support for ftp-proxy(8).
- Add rc.d script for NPF.
- Convert npfctl(8) to use libnpf(3) and thus make it less depressive.
Note: next clean-up step should be a parser, once dholland@ will finish it.
- Add more documentation.
- Various fixes.
 1.6 18-Jan-2011  rmind branches: 1.6.2;
NPF checkpoint:
- Add the concept of rule procedure: separate normalization, logging and
potentially other functions from the rule structure. Rule procedure can be
shared amongst the rules. Separation is both at kernel level (npf_rproc_t)
and configuration ("procedure" + "apply").
- Fix portmap sharing for NAT policy.
- Update TCP state tracking logic. Use TCP FSM definitions.
- Add if_byindex(), OK by matt@. Use in logging for the lookup.
- Fix traceroute ALG and many other bugs; misc clean-up.
 1.5 18-Dec-2010  rmind branches: 1.5.2;
NPF checkpoint:
- Add support for session saving/restoring.
- Add packet logging support (can tcpdump a pseudo-interface).
- Support reload without flushing of sessions; rework some locking.
- Revisit session mangement, replace linking with npf_sentry_t entries.
- Add some counters for statistics, using percpu(9).
- Add IP_DF flag cleansing.
- Fix various bugs; misc clean-up.
 1.4 11-Nov-2010  rmind NPF checkpoint:
- Add proper TCP state tracking as described in Guido van Rooij paper,
plus handle TCP Window Scaling option.
- Completely rework npf_cache_t, reduce granularity, simplify code.
- Add npf_addr_t as an abstraction, amend session handling code, as well
as NAT code et al, to use it. Now design is prepared for IPv6 support.
- Handle IPv4 fragments i.e. perform packet reassembly.
- Add support for IPv4 ID randomization and minimum TTL enforcement.
- Add support for TCP MSS "clamping".
- Random bits for IPv6. Various fixes and clean-up.
 1.3 10-Oct-2010  rmind branches: 1.3.2;
npf_packet_handler: clear M_CANFASTFWD flag, so inspection would work when
fast forwarding is enabled (e.g. with GATEWAY kernel option). Thanks matt@
for the tip.
 1.2 16-Sep-2010  rmind branches: 1.2.2;
NPF checkpoint:
- Add support for bi-directional NAT and redirection / port forwarding.
- Finish filtering on ICMP type/code and add filtering on TCP flags.
- Add support for TCP reset (RST) or ICMP destination unreachable on block.
- Fix a bunch of bugs; misc cleanup.
 1.1 22-Aug-2010  rmind Import NPF - a packet filter. Some features:

- Designed to be fully MP-safe and highly efficient.

- Tables/IP sets (hash or red-black tree) for high performance lookups.

- Stateful filtering and Network Address Port Translation (NAPT).
Framework for application level gateways (ALGs).

- Packet inspection engine called n-code processor - inspired by BPF -
supporting generic RISC-like and specific CISC-like instructions for
common patterns (e.g. IPv4 address matching). See npf_ncode(9) manual.

- Convenient userland utility npfctl(8) with npf.conf(8).

NOTE: This is not yet a fully capable alternative to PF or IPFilter.
Further work (support for binat/rdr, return-rst/return-icmp, common ALGs,
state saving/restoring, logging, etc) is in progress.

Thanks a lot to Matt Thomas for various useful comments and code review.
Aye by: board@
 1.2.2.2 09-Oct-2010  yamt sync with head
 1.2.2.1 16-Sep-2010  yamt file npf_handler.c was added on branch yamt-nfs-mp on 2010-10-09 03:32:37 +0000
 1.3.2.2 22-Oct-2010  uebayasi Sync with HEAD (-D20101022).
 1.3.2.1 10-Oct-2010  uebayasi file npf_handler.c was added on branch uebayasi-xip on 2010-10-22 09:23:14 +0000
 1.5.2.1 06-Jun-2011  jruoho Sync with HEAD.
 1.6.2.1 08-Feb-2011  bouyer Sync with HEAD
 1.7.6.6 22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.7.6.5 23-Jan-2013  yamt sync with head
 1.7.6.4 30-Oct-2012  yamt sync with head
 1.7.6.3 23-May-2012  yamt sync with head.
 1.7.6.2 17-Apr-2012  yamt sync with head
 1.7.6.1 10-Nov-2011  yamt sync with head
 1.7.2.2 05-Mar-2011  rmind sync with head
 1.7.2.1 02-Feb-2011  rmind file npf_handler.c was added on branch rmind-uvmplock on 2011-03-05 20:55:55 +0000
 1.11.2.4 02-Jun-2012  mrg sync to latest -current.
 1.11.2.3 05-Apr-2012  mrg sync to latest -current.
 1.11.2.2 24-Feb-2012  mrg sync to -current.
 1.11.2.1 18-Feb-2012  mrg merge to -current.
 1.13.2.9 11-Feb-2013  riz Pull up following revision(s) (requested by rmind in ticket #817):
usr.sbin/npf/npfctl/npfctl.8: revision 1.12
usr.sbin/npf/npfctl/npf.conf.5: revision 1.27
usr.sbin/npf/npfctl/npf_parse.y: revision 1.18
usr.sbin/npf/npfctl/npf_build.c: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.28
lib/libnpf/npf.c: revision 1.16
usr.sbin/npf/npfctl/npfctl.c: revision 1.29
lib/libnpf/npf.c: revision 1.17
sys/modules/npf/Makefile: revision 1.12
sys/net/npf/npf_rproc.c: revision 1.6
usr.sbin/npf/npftest/README: revision 1.4
sys/net/npf/npf_tableset.c: revision 1.17
sys/net/npf/npf_ctl.c: revision 1.21
sys/net/npf/npf_ctl.c: revision 1.22
usr.sbin/npf/npfctl/npfctl.h: revision 1.25
lib/libnpf/npf.h: revision 1.13
usr.sbin/npf/npftest/npftest.conf: revision 1.2
usr.sbin/npf/npfctl/npfctl.h: revision 1.26
sys/net/npf/npf_ruleset.c: revision 1.17
lib/libnpf/npf.h: revision 1.14
sys/net/npf/npf_ruleset.c: revision 1.18
sys/net/npf/npf_conf.c: revision 1.1
usr.sbin/npf/npfctl/npf_scan.l: revision 1.10
sys/net/npf/npf_conf.c: revision 1.2
sys/net/npf/npf_instr.c: revision 1.16
sys/net/npf/npf_handler.c: revision 1.26
sys/net/npf/npf_impl.h: revision 1.26
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.14
sys/net/npf/npf_processor.c: revision 1.15
sys/net/npf/npf_impl.h: revision 1.27
sys/net/npf/npf_alg_icmp.c: revision 1.15
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.15
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.16
sys/net/npf/npf_ncode.h: revision 1.11
sys/net/npf/files.npf: revision 1.10
usr.sbin/npf/npftest/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.c: revision 1.30
lib/libnpf/npf.3: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.4
sys/net/npf/npf_session.c: revision 1.21
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.5
usr.sbin/npf/npfctl/npf_build.c: revision 1.18
usr.sbin/npf/npfctl/npf_build.c: revision 1.19
sys/net/npf/npf_alg.c: revision 1.7
usr.sbin/npf/npfctl/Makefile: revision 1.10
sys/net/npf/npf_inet.c: revision 1.21
sys/net/npf/npf.h: revision 1.26
sys/net/npf/npf.h: revision 1.27
usr.sbin/pf/ftp-proxy/Makefile: revision 1.8
sys/net/npf/npf_nat.c: revision 1.19
sys/net/npf/npf.c: revision 1.15
sys/net/npf/npf_state.c: revision 1.14
sys/net/npf/npf_sendpkt.c: revision 1.14
sys/rump/net/lib/libnpf/Makefile: revision 1.4
IPv6 linklocal address printing cosmetics
NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
Disable -DWITH_NPF for now; will be converted to BPF mechanism.
- Fix NPF config reload with dynamic rules present.
- Implement list and flush commands on a dynamic ruleset.
Allow filtering on IP addresses even if the L4 protocol is unknown.
Patch from spz@.
npftest: adjust for recent change.
 1.13.2.8 08-Feb-2013  riz Pull up following revision(s) (requested by rmind in ticket #777):
usr.sbin/npf/npfctl/npfctl.c: revision 1.27
sys/net/npf/npf_session.c: revision 1.19
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.4
sys/net/npf/npf_rproc.c: revision 1.5
usr.sbin/npf/npftest/README: revision 1.3
sys/sys/mbuf.h: revision 1.151
sys/net/npf/npf_ruleset.c: revision 1.15
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.3
sys/net/npf/npf_ruleset.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.4
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.4
sys/net/npf/npf_inet.c: revision 1.19
sys/net/npf/npf_instr.c: revision 1.15
sys/net/npf/npf_handler.c: revision 1.24
sys/net/npf/npf_handler.c: revision 1.25
sys/net/npf/npf_state_tcp.c: revision 1.12
sys/net/npf/npf_processor.c: revision 1.13
sys/net/npf/npf_impl.h: revision 1.25
sys/net/npf/npf_processor.c: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.10
sys/net/npf/npf_alg_icmp.c: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.9
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.3
sys/net/npf/npf_session.c: revision 1.20
sys/net/npf/npf_alg.c: revision 1.6
sys/kern/uipc_mbuf.c: revision 1.148
sys/net/npf/npf_inet.c: revision 1.20
sys/net/npf/npf.h: revision 1.25
sys/net/npf/npf_nat.c: revision 1.18
sys/net/npf/npf_state.c: revision 1.13
sys/net/npf/npf_sendpkt.c: revision 1.13
sys/net/npf/npf_ext_log.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.4
sys/net/npf/npf_ext_normalise.c: revision 1.2
- Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.
Silence gcc in npf_recache().
Add m_ensure_contig() routine, which is equivalent to m_pullup, but does not
destroy the mbuf chain on failure (it is kept valid).
- nbuf_ensure_contig: rework to use m_ensure_contig(9), which will not free
the mbuf chain on failure. Fixes some corner cases. Improve regression
test and sprinkle some asserts.
- npf_reassembly: clear nbuf on IPv6 reassembly failure path (partial fix).
The problem was found and fix provided by Anthony Mallet.
 1.13.2.7 18-Nov-2012  riz Pull up following revision(s) (requested by rmind in ticket #693):
lib/npf/ext_normalise/shlib_version: revision 1.1
lib/libnpf/npf.c: revision 1.13
distrib/sets/lists/modules/mi: revision 1.48
sys/net/npf/npf_rproc.c: revision 1.3
sys/net/npf/npf_rproc.c: revision 1.4
sys/modules/npf/Makefile: revision 1.11
usr.sbin/npf/npfctl/npfctl.h: revision 1.20
lib/npf/ext_log/npfext_log.c: revision 1.1
lib/libnpf/npf.h: revision 1.11
sys/net/npf/npf_inet.c: revision 1.17
sys/net/npf/npf_log.c: file removal
sys/net/npf/npf_handler.c: revision 1.22
distrib/sets/lists/base/shl.mi: revision 1.636
sys/net/npf/npf_impl.h: revision 1.23
usr.sbin/npf/npfctl/Makefile: revision 1.8
lib/npf/Makefile: revision 1.1
lib/npf/ext_log/shlib_version: revision 1.1
lib/Makefile: revision 1.189
distrib/sets/lists/comp/shl.mi: revision 1.236
usr.sbin/npf/npfctl/npf_build.c: revision 1.14
distrib/sets/lists/base/mi: revision 1.1007
usr.sbin/npf/npfctl/npf_scan.l: revision 1.6
distrib/sets/lists/base/mi: revision 1.1009
sys/net/npf/npf.h: revision 1.21
lib/npf/ext_normalise/npfext_normalise.c: revision 1.1
etc/mtree/NetBSD.dist.base: revision 1.105
lib/libnpf/Makefile: revision 1.3
etc/mtree/NetBSD.dist.base: revision 1.106
usr.sbin/npf/npfctl/npf_extmod.c: revision 1.1
sys/net/npf/npf_ctl.c: revision 1.18
lib/npf/ext_log/Makefile: revision 1.1
distrib/sets/lists/comp/mi: revision 1.1781
usr.sbin/npf/npfctl/npf_var.h: revision 1.4
sys/net/npf/npf.c: revision 1.13
sys/modules/Makefile: revision 1.111
sys/net/npf/npf_ext_log.c: revision 1.1
lib/npf/Makefile.inc: revision 1.1
sys/net/npf/npf_ext_normalise.c: revision 1.1
sys/net/npf/files.npf: revision 1.8
sys/rump/net/lib/libnpf/Makefile: revision 1.2
sys/modules/npf_ext_log/Makefile: revision 1.1
lib/npf/ext_normalise/Makefile: revision 1.1
usr.sbin/npf/npfctl/npfctl.c: revision 1.20
usr.sbin/npf/npfctl/npf_parse.y: revision 1.13
sys/modules/npf_ext_normalise/Makefile: revision 1.1
Implement dynamic NPF extensions interface. An extension consists of
dynamically loaded module (.so) supplementing npfctl(8) and a kernel
module. Move normalisation and logging functionality into their own
extensions. More improvements to come.
Add /usr/lib/npf.
Add ./usr/libdata/debug/usr/lib/npf for rmind
Fix MKDEBUG set lists
ext_ops does not change during the life cycle and can be fetched without
the mutex held. This avoids confusion in the compiler about an uninitialized
variable ext_ops.
ok rmind@
 1.13.2.6 09-Oct-2012  riz Pull up following revision(s) (requested by rmind in ticket #594):
sys/net/npf/npf_handler.c: revision 1.23
npf_packet_handler: drop the packet if IPv6 reassembly did not work.
 1.13.2.5 13-Aug-2012  riz branches: 1.13.2.5.2;
Pull up following revision(s) (requested by rmind in ticket #485):
lib/libnpf/npf.c: revision 1.11
sys/net/npf/npf_session.c: revision 1.17
sys/modules/npf/Makefile: revision 1.10
usr.sbin/npf/npftest/npftest.c: revision 1.4
usr.sbin/npf/npftest/README: revision 1.1
sys/net/npf/npf_tableset.c: revision 1.14
usr.sbin/npf/npftest/npftest.h: revision 1.4
lib/libnpf/npf.h: revision 1.10
sys/net/npf/npf_ruleset.c: revision 1.14
usr.sbin/npf/npfctl/npf_data.c: revision 1.18
usr.sbin/npf/npftest/npftest.conf: revision 1.1
sys/net/npf/npf_handler.c: revision 1.21
sys/net/npf/npf_impl.h: revision 1.21
usr.sbin/npf/npfctl/npfctl.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_build.c: revision 1.13
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.1
usr.sbin/npf/npftest/npfstream.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.h: revision 1.19
sys/net/npf/npf_nat.c: revision 1.16
sys/net/npf/npf_state.c: revision 1.11
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.5
usr.sbin/npf/npfctl/npf_parse.y: revision 1.12
- Extend npftest: add ruleset inspection testing from the config generated
by npfctl debug functionality. Auto-create npftest interfaces for this.
- NPF sessions: combine protocol and interface into a separate substructure,
share between the entries and thus fix the handling of them. Constify.
- npftest: add regression tests for NAT policies.
- npf_build_nat: simplify and fix bi-NAT regression.
- Bump yacc stack size for npfctl.
 1.13.2.4 16-Jul-2012  riz Pull up following revision(s) (requested by rmind in ticket #421):
lib/libnpf/npf.c: revision 1.10
sys/net/npf/npf_session.c: revision 1.15
sys/net/npf/npf_tableset.c: revision 1.13
sys/net/npf/npf_state_tcp.c: revision 1.9
usr.sbin/npf/npfctl/npf_data.c: revision 1.15
sys/net/npf/npf_inet.c: revision 1.14
sys/net/npf/npf_ruleset.c: revision 1.13
sys/net/npf/npf.h: revision 1.19
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.12
sys/net/npf/npf_instr.c: revision 1.13
sys/net/npf/npf_handler.c: revision 1.20
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.4
sys/net/npf/npf_alg_icmp.c: revision 1.10
usr.sbin/npf/npfctl/npfctl.c: revision 1.15
usr.sbin/npf/npfctl/npf_build.c: revision 1.11
lib/libnpf/npf.h: revision 1.9
sys/net/npf/npf_alg.c: revision 1.5
sys/rump/dev/lib/libnpf/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.h: revision 1.17
sys/net/npf/npf_ctl.c: revision 1.16
sys/net/npf/npf_nat.c: revision 1.15
sys/net/npf/npf_tableset_ptree.c: revision 1.1
sys/net/npf/npf.c: revision 1.12
sys/net/npf/npf_sendpkt.c: revision 1.12
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.7
sys/net/npf/npf_impl.h: revision 1.18
sys/net/npf/files.npf: revision 1.7
usr.sbin/npf/npfctl/npf_parse.y: revision 1.10
- Rework NPF tables and fix support for IPv6. Implement tree table type
using radix / Patricia tree. Universal IPv4/IPv6 comparator for ptree(3)
was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.
 1.13.2.3 05-Jul-2012  riz Pull up following revision(s) (requested by rmind in ticket #399):
sys/net/npf/npf_session.c: revision 1.14
sys/net/npf/npf_tableset.c: revision 1.12
sys/net/npf/npf_state_tcp.c: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.3
usr.sbin/npf/npfctl/npf_data.c: revision 1.14
sys/net/npf/npf_inet.c: revision 1.13
sys/net/npf/npf_ruleset.c: revision 1.12
sys/net/npf/npf.h: revision 1.18
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.8: revision 1.7
usr.sbin/npf/npfctl/npf_parse.y: revision 1.9
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.2
usr.sbin/npf/npfctl/npfctl.8: revision 1.8
sys/net/npf/npf_instr.c: revision 1.12
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.3
usr.sbin/npf/npfctl/npf.conf.5: revision 1.13
usr.sbin/npf/npfctl/npf.conf.5: revision 1.14
sys/net/npf/npf_state.c: revision 1.9
sys/net/npf/npf_processor.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.c: revision 1.13
usr.sbin/npf/npfctl/npfctl.c: revision 1.14
usr.sbin/npf/npfctl/npf_build.c: revision 1.10
lib/libnpf/npf.3: revision 1.5
lib/libnpf/npf.h: revision 1.8
share/man/man9/npf_ncode.9: revision 1.9
usr.sbin/npf/npfctl/npf_scan.l: revision 1.4
lib/libnpf/npf.c: revision 1.9
usr.sbin/npf/npfctl/npfctl.h: revision 1.16
sys/net/npf/npf_nat.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.2
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.6
sys/net/npf/npf_impl.h: revision 1.17
sys/net/npf/npf_handler.c: revision 1.18
sys/net/npf/npf_handler.c: revision 1.19
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.4
sys/net/npf/npf_ncode.h: revision 1.9
Fix and update npf.conf(5), npfctl(8) and its usage message.
npf_state_tcp: fix for FIN retransmission and out-of-order ACK case.
NPF improvements:
- Add NPF_OPCODE_PROTO to match the address and/or protocol only.
- Update parser to support arbitrary &quot;pass proto &lt;name/number&gt;&quot;.
- Fix IPv6 address and protocol handling (add a regression test).
- Fix few theorethical races in session handling module.
- Misc fixes, simplifications and some clean up.
npf_packet_handler: fix gcc unused warning.
 1.13.2.2 26-Jun-2012  riz Pull up following revision(s) (requested by rmind in ticket #354):
sys/net/npf/npf_state_tcp.c: revision 1.4
sys/net/npf/npf_state_tcp.c: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.6
usr.sbin/npf/npftest/npftest.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.1
usr.sbin/npf/npftest/npftest.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.2
usr.sbin/npf/npfctl/npf_data.c: revision 1.11
usr.sbin/npf/npftest/npftest.c: revision 1.3
usr.sbin/npf/npfctl/npf_data.c: revision 1.12
usr.sbin/npf/npftest/npftest.h: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.5
usr.sbin/npf/npfctl/npf_data.c: revision 1.13
sys/net/npf/npf.h: revision 1.16
usr.sbin/npf/npftest/npftest.h: revision 1.2
usr.sbin/npf/npfctl/npf_parse.y: revision 1.6
usr.sbin/npf/npftest/npftest.h: revision 1.3
usr.sbin/npf/npfctl/npf_parse.y: revision 1.7
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.10
usr.sbin/npf/npfctl/npf_build.c: revision 1.6
usr.sbin/npf/npfctl/npf_parse.y: revision 1.8
usr.sbin/npf/npfctl/npf_build.c: revision 1.7
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_build.c: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_build.c: revision 1.9
usr.sbin/npf/npfctl/npf.conf.5: revision 1.10
usr.sbin/npf/npfctl/npf.conf.5: revision 1.11
usr.sbin/npf/npfctl/npf.conf.5: revision 1.12
sys/net/npf/npf_state.c: revision 1.7
usr.sbin/npf/npfctl/npfctl.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.c: revision 1.12
usr.sbin/npf/npfctl/Makefile: revision 1.7
sys/rump/net/lib/libnet/Makefile: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.7
usr.sbin/npf/npftest/Makefile: revision 1.1
usr.sbin/npf/npftest/Makefile: revision 1.2
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.1
usr.sbin/npf/npfctl/npf_scan.l: revision 1.2
usr.sbin/npf/npftest/npfstream.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.2
usr.sbin/npf/npfctl/npf_scan.l: revision 1.3
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.3
usr.sbin/npf/npfctl/npfctl.h: revision 1.12
sys/rump/dev/lib/libnpf/Makefile: revision 1.2
usr.sbin/npf/npfctl/npfctl.h: revision 1.14
sys/rump/dev/lib/libnpf/Makefile: revision 1.3
usr.sbin/npf/npfctl/npfctl.h: revision 1.15
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.9
sys/net/npf/npf_ctl.c: revision 1.15
usr.sbin/npf/npfctl/npf_var.c: revision 1.4
usr.sbin/npf/npfctl/npf_var.h: revision 1.2
usr.sbin/npf/npfctl/npf_var.c: revision 1.5
sys/net/npf/npf_impl.h: revision 1.13
sys/net/npf/npf_sendpkt.c: revision 1.10
sys/net/npf/npf_impl.h: revision 1.14
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.4
sys/net/npf/npf_impl.h: revision 1.15
sys/net/npf/npf_handler.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.5
sys/net/npf/npf_handler.c: revision 1.17
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.2
sys/net/npf/npf_ncode.h: revision 1.7
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.3
sys/net/npf/npf_ncode.h: revision 1.8
npf_tcp_inwindow: in a case of negative skew, bump the maximum seen value of
SEQ+LEN in the receiver's side correctly (using ACK from the sender's side).
PR/46265 from Changli Gao.
rumpnet_net: add pfil.c
Update rumpdev_npf; use WARNS=4.
Add initial NPF regression tests integrated with RUMP framework (running the
kernel part of NPF in userland). Other tests will be added once converted to
RUMP framework. All tests are in the public domain.
Some Makefile fixes from christos@.
- Fix double-free case on ICMP return case.
- npf_pfil_register: handle kernels without INET6 option correctly.
- Reduce some #ifdefs.
npfctl(8): add show-config command. Also, update syntax.
npftest: add a stream processor, which prints out the TCP state information.
A tool for debugging connection tracking from tcpdump -w captured data.
npftest: add a module for TCP state tracking and add few test cases.
npf_state_tcp: add an assert; fix some comments while here.
- Rework NPF NAT syntax to be more structured and support future additions
of different types and configurations of NAT.
- npfctl: improve disassemble and show-config command functionality.
- Fix custom ICMP code and type filtering.
make this compile again.
remove error(1) output
Remove superfluous Pp
- make each element of a variable hold a type
- change get_type to take an index, so we can get the individual types of
each element (since primitive elements can be in lists)
- make port_range primitive
- add a routine to convert a variable of primitives to a variable containing
- only port ranges.
remove extra rule that got merged...
 1.13.2.1 03-Apr-2012  riz Pull up following revision(s) (requested by rmind in ticket #158):
sys/net/npf/npf_session.c: revision 1.12
sys/net/npf/npf_tableset.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.2
usr.sbin/npf/npfctl/npf_parse.y: revision 1.4
sys/net/npf/npf_inet.c: revision 1.11
sys/net/npf/npf.h: revision 1.15
usr.sbin/npf/npfctl/npf_build.c: revision 1.5
sys/net/npf/npf_ruleset.c: revision 1.11
sys/net/npf/npf_instr.c: revision 1.10
usr.sbin/npf/npfctl/Makefile: revision 1.6
sys/net/npf/npf_processor.c: revision 1.10
sys/net/npf/npf_log.c: revision 1.3
lib/libnpf/npf.h: revision 1.7
sys/net/npf/npf_alg.c: revision 1.3
sys/net/npf/npf_sendpkt.c: revision 1.9
lib/libnpf/npf.c: revision 1.8
usr.sbin/npf/npfctl/npfctl.h: revision 1.13
sys/net/npf/npf_ctl.c: revision 1.13
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.8
sys/net/npf/npf_ctl.c: revision 1.14
sys/net/npf/npf_nat.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.12
sys/net/npf/npf_impl.h: revision 1.11
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.1
sys/net/npf/npf_impl.h: revision 1.12
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.2
sys/net/npf/npf_handler.c: revision 1.14
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.3
sys/net/npf/npf_handler.c: revision 1.15
sys/net/npf/npf_ncode.h: revision 1.6
sys/net/npf/npf.c: revision 1.8
sys/net/npf/npf.c: revision 1.9
sys/net/npf/npf_alg_icmp.c: revision 1.9
sys/net/npf/npf_session.c: revision 1.11
- Add NPF_DECISION_BLOCK and NPF_DECISION_PASS. Be more defensive in the
packet handler. Change the default policy to block when the config is
loaded and set it to pass when flush operation is performed.
- Use kmem_zalloc(9) instead of kmem_alloc(9) in few places.
- npf_rproc_{create,release}: use kmem_intr_{alloc,free} as the destruction
of rule procedure might happen in the interrupt handler (under a very rare
condition, if config reload races with the handler).
- npf_session_establish: check whether layer 3 and 4 are cached.
- npfctl_build_group: do not make groups as passing rules.
- Remove some unecessary header inclusion.
Simplify slightly: merge iface into addr_or_iface, use it in filt_addr.
Add a small disassembler.
definitions used by the disassembler.
- better printing of type/code flags/mask
- pass the instruction start pointer, instead of subtracting 1 to account for it
- Save active config in proplib dictionary; add GETCONF ioctl to retrieve.
- Few fixes. Improve some comments.
don't leak the branch target array.
Add NPF config retrieval routines.
 1.13.2.5.2.1 01-Nov-2012  matt sync with netbsd-6-0-RELEASE.
 1.21.2.4 03-Dec-2017  jdolecek update from HEAD
 1.21.2.3 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.21.2.2 25-Feb-2013  tls resync with head
 1.21.2.1 20-Nov-2012  tls Resync to 2012-11-19 00:00:00 UTC
 1.26.2.2 18-May-2014  rmind sync with head
 1.26.2.1 28-Aug-2013  rmind sync with head
 1.29.2.1 10-Aug-2014  tls Rebase.
 1.33.8.2 20-Mar-2017  pgoyette Sync with HEAD
 1.33.8.1 07-Jan-2017  pgoyette Sync with HEAD. (Note that most of these changes are simply $NetBSD$
tag issues.)
 1.33.4.2 28-Aug-2017  skrll Sync with HEAD
 1.33.4.1 05-Feb-2017  skrll Sync with HEAD
 1.35.2.1 21-Apr-2017  bouyer Sync with HEAD
 1.37.12.3 30-Sep-2018  pgoyette Ssync with HEAD
 1.37.12.2 28-Jul-2018  pgoyette Sync with HEAD
 1.37.12.1 15-Mar-2018  pgoyette Synch with HEAD
 1.37.6.2 10-Jul-2018  martin Pull up following revision(s) (requested by maxv in ticket #919):

sys/net/npf/npf_handler.c: revision 1.41

Update the pointer when fast-kicking, because it may have been freed.

Before my changes the nonsensical pointer ininitialization held, but
when I started introducing sanity checks the whole thing collapsed.

Need pullup-8.
 1.37.6.1 09-May-2018  martin Pull up following revision(s) (requested by maxv in ticket #817):

sys/net/npf/npf_inet.c: revision 1.38-1.44
sys/net/npf/npf_handler.c: revision 1.38-1.39
sys/net/npf/npf_alg_icmp.c: revision 1.26
sys/net/npf/npf.h: revision 1.56
sys/net/npf/npf_sendpkt.c: revision 1.17-1.18

Declare NPC_FMTERR, and use it to kick malformed packets. Several sanity
checks are added in IPv6; after we see the first IPPROTO_FRAGMENT header,
we are allowed to fail to advance, otherwise we kick the packet.
Sent on tech-net@ a few days ago, no response, but I'm committing it now
anyway.

Switch nptr to uint8_t, and use nbuf_ensure_contig. Makes us use fewer
magic values.

Remove dead branches, 'npc' can't be NULL (and it is dereferenced
earlier).

Fix two consecutive mistakes.

The first mistake was npf_inet.c rev1.37:
"Don't reassemble ipv6 fragments, instead treat the first fragment
as a regular packet (subject to filtering rules), and pass
subsequent fragments in the same group unconditionally."

Doing this was entirely wrong, because then a packet just had to push
the L4 payload in a secondary fragment, and NPF wouldn't apply rules on
it - meaning any IPv6 packet could bypass >=L4 filtering. This mistake
was supposed to be a fix for the second mistake.

The second mistake was that ip6_reass_packet (in npf_reassembly) was
getting called with npc->npc_hlen. But npc_hlen pointed to the last
encountered header in the IPv6 chain, which was not necessarily the
fragment header. So ip6_reass_packet was given garbage, and would fail,
resulting in the packet getting kicked. So basically IPv6 was broken by
NPF.

The first mistake is reverted, and the second one is fixed by doing:
- hlen = sizeof(struct ip6_frag);
+ hlen = 0;

Now the iteration stops on the fragment header, and the call to
ip6_reass_packet is valid.

My npf_inet.c rev1.38 is partially reverted: we don't need to worry
about failing properly to advance; once the packet is reassembled
npf_cache_ip gets called again, and this time the whole chain should be
there.

Tested with a simple UDPv6 server - send a 3000-byte-sized buffer, the
packet gets correctly reassembled by NPF now.

Mmh, put back the RFC6946 check (about dummy fragments), otherwise NPF
is not happy in npf_reassembly, because NPC_IPFRAG is again returned after
the packet was reassembled.

I'm wondering whether it would not be better to just remove the fragment
header in frag6_input directly.

Fix the "return-rst" rule on IPv6 packets.
The scopes needed to be set on the addresses before invoking ip6_output,
because ip6_output needs them. The reason they are not here already is
because pfil_run_hooks (in ip6_input) is called _before_ the kernel
initializes the scopes.

Until now ip6_output was always failing, and the IPv6-TCP-RST packet was
never actually sent.

Perhaps it would be better to have the kernel initialize the scopes
before invoking pfil_run_hooks, but several things will need to be fixed
in several places.

Tested with a simple TCPv6 server. Until now the client would block
waiting for an answer that never came; now it receives an RST right away
and closes the connection, as expected.
I believe that the same problem exists in the "return-icmp" rules, but I
can't investigate this right now (some problems with wireshark).

Fix the IPv6 payload computation in npf_tcpsaw. It was incorrect, and this
caused the "return-rst" rules to send back an RST with the wrong ACK when
the received SYN had an IPv6 option.

Set the scopes before calling icmp6_error(). This fixes a bug similar to
the one I fixed in rev1.17: since the scopes were not set the packet was
never actually sent.

Tested with wireshark, now the ICMPv6 reply is correctly sent, as
expected.

Don't read the L4 payload after IPPROTO_AH when handling IPv6 packets.
AH must be considered as the payload, otherwise a

block all
pass in proto ah from any
pass out proto ah from any

configuration will actually block everything, because NPF checks the
protocol against the one found after AH, and not AH itself.

In addition it may have been a problem for stateful connections; an AH
packet sent by an attacker with an incorrect authentication and a correct
TCP/UDP/whatever payload from an active connection could manage to change
NPF's FSM state, which would perhaps have altered the legitimate
connection with the authenticated remote IPsec host.

Note that IPv4 already doesn't go beyond AH, which is the correct
behavior.

Add XXX (we don't handle IPv6 Jumbograms), and whitespace.
 1.39.2.2 13-Apr-2020  martin Mostly merge changes from HEAD upto 20200411
 1.39.2.1 10-Jun-2019  christos Sync with HEAD
 1.46.2.3 20-Jun-2020  martin Pull up following revision(s) (requested by rmind in ticket #956):

usr.sbin/npf/npf-params.7: revision 1.4
sys/net/npf/npf_worker.c: revision 1.9
usr.sbin/npf/npftest/npftest.h: revision 1.17
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.16
usr.sbin/npf/npf-params.7: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.21
usr.sbin/npf/npfctl/npf_build.c: revision 1.55
usr.sbin/npf/npf-params.7: revision 1.6
sys/net/npf/npfkern.h: revision 1.5
lib/libnpf/npf.c: revision 1.49
usr.sbin/npf/npf-params.7: revision 1.7
sys/net/npf/npf_impl.h: revision 1.81
sys/net/npf/npf_ext_log.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.h: revision 1.53
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.50
sys/net/npf/npf_mbuf.c: revision 1.24
sys/net/npf/npf_alg.c: revision 1.22
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: file removal
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.10
sys/net/npf/npf.h: revision 1.63
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.21
usr.sbin/npf/npfctl/npf_var.c: revision 1.13
sys/net/npf/files.npf: revision 1.23
usr.sbin/npf/npfctl/npf_show.c: revision 1.32
usr.sbin/npf/npfctl/npf.conf.5: revision 1.91
sys/net/npf/npf_os.c: revision 1.18
sys/net/npf/npf_connkey.c: revision 1.2
sys/net/npf/npf_conf.c: revision 1.17
lib/libnpf/libnpf.3: revision 1.12
usr.sbin/npf/npftest/npftest.c: revision 1.25
usr.sbin/npf/npftest/libnpftest/npf_gc_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.51
sys/net/npf/npf_tableset.c: revision 1.35
usr.sbin/npf/npftest/npftest.conf: revision 1.9
sys/net/npf/npf_sendpkt.c: revision 1.22
usr.sbin/npf/npfctl/npf_var.h: revision 1.10
sys/net/npf/npf_state.c: revision 1.23
sys/net/npf/npf_conn.h: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.64
usr.sbin/npf/npfctl/npf_cmd.c: revision 1.1
sys/net/npf/npf_portmap.c: revision 1.5
sys/net/npf/npf_params.c: revision 1.3
usr.sbin/npf/npfctl/npf_scan.l: revision 1.32
tests/net/npf/t_npf.sh: revision 1.4
sys/net/npf/npf_ext_rndblock.c: revision 1.9
lib/libnpf/npf.h: revision 1.39
sys/net/npf/npf_ruleset.c: revision 1.51
sys/net/npf/npf_alg_icmp.c: revision 1.33
sys/net/npf/npf.c: revision 1.43
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.8: revision 1.25
sys/net/npf/npf_ctl.c: revision 1.60
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.11
sys/net/npf/npf_handler.c: revision 1.49
sys/net/npf/npf_inet.c: revision 1.57
sys/net/npf/npf_ifaddr.c: revision 1.7
sys/net/npf/npf_conndb.c: revision 1.9
sys/net/npf/npf_if.c: revision 1.13
usr.sbin/npf/npfctl/Makefile: revision 1.15
sys/net/npf/npf_conn.c: revision 1.32
sys/net/npf/npf_ext_normalize.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.20
sys/net/npf/npf_worker.c: revision 1.8

Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.

npf_worker_sys{init,fini}: initialize/destroy the exit_cv condvar.

npftest -- npf_test_init(): add a workaround for NetBSD.

npf-params(7): fix the state.key defaults.

npf-params.7: s/filer/filter/

Adjust to "npfctl debug" command line changes, from rmind@.

Use more markup.
 1.46.2.2 01-Sep-2019  martin Pull up following revision(s) (requested by rmind in ticket #141):

usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.15
sys/net/npf/npf_alg.c: revision 1.21
sys/net/npf/npf.h: revision 1.62
sys/net/npf/npf_ctl.c: revision 1.57
sys/net/npf/npf_ctl.c: revision 1.58
sys/net/npf/npf_os.c: revision 1.16
sys/net/npf/npf_os.c: revision 1.17
sys/net/npf/npf_conf.c: revision 1.15
sys/net/npf/npf_impl.h: revision 1.78
sys/sys/mbuf.h: revision 1.220
sys/net/npf/npf_impl.h: revision 1.79
sys/net/npf/npf.c: revision 1.41
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.19
sys/net/npf/npf_nat.c: revision 1.48
sys/net/npf/npf_handler.c: revision 1.48
sys/net/npf/npf_ifaddr.c: revision 1.6

- npfctl_load_nvlist: simplify the config loading logic.
- Fix a small race condition in npf_nat_getaddr().
- Rework pserialize/EBR wrappers, make it easier to maintain.
Move PACKET_TAG_NPF where it belongs to.
Make npfctl_switch() and pfil private to OS-specific module.
 1.46.2.1 13-Aug-2019  martin Pull up following revision(s) (requested by rmind in ticket #49):

usr.sbin/npf/npf.7: revision 1.7
sys/net/npf/npfkern.h: revision 1.4
sys/net/npf/npf_conn.h: revision 1.18
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.13
sys/net/npf/npf_ctl.c: revision 1.55
sys/net/npf/npf_os.c: revision 1.14
sys/net/npf/npf_conf.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/npf_perf_test.c: revision 1.9
sys/net/npf/npf_impl.h: revision 1.76
sys/net/npf/npf_portmap.c: revision 1.4
sys/net/npf/npf_params.c: revision 1.2
sys/net/npf/npf.c: revision 1.40
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.18
sys/net/npf/npf_nat.c: revision 1.47
sys/net/npf/npf_handler.c: revision 1.47
sys/net/npf/npf_inet.c: revision 1.55
sys/net/npf/npf_if.c: revision 1.10
sys/net/npf/npf_worker.c: revision 1.7
usr.sbin/npf/npf-params.7: revision 1.3

npf-params(7): add more bpf.jit details.
From David H. Gutteridge.

Adjust some internal NPF APIs:
* npfkern: use the npfk_ prefix.
* NPF portmap: amend the API so it could be used elsewhere.
* Make npf_connkey_t public.

npf.7: add xref to npf-params.7
(Adding directly here since this particular file isn't included in
rmind@'s upstream GitHub repo at present.)
 1.49.26.1 02-Aug-2025  perseant Sync with HEAD
 1.13 30-May-2020  rmind Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.

- Amend and improve the manual pages.
 1.12 30-Sep-2019  rmind npf_ifmap_copylogname: be more defensive.
 1.11 29-Sep-2019  rmind NPF ifmap: rework and fix a few small bugs.
 1.10 11-Aug-2019  rmind Adjust some internal NPF APIs:
* npfkern: use the npfk_ prefix.
* NPF portmap: amend the API so it could be used elsewhere.
* Make npf_connkey_t public.
 1.9 29-Sep-2018  rmind branches: 1.9.4;
NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.
 1.8 18-Feb-2017  christos branches: 1.8.12; 1.8.14;
provide a copy function used for logging that does not lock, but can return
trash.
 1.7 26-Dec-2016  christos branches: 1.7.2;
Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)
 1.6 12-May-2016  ozaki-r branches: 1.6.2;
Protect ifnet list with psz and psref

The change ensures that ifnet objects in the ifnet list aren't freed during
list iterations by using pserialize(9) and psref(9).

Note that the change adds a pslist(9) for ifnet but doesn't remove the
original ifnet list (ifnet_list) to avoid breaking kvm(3) users. We
shouldn't use the original list in the kernel anymore.
 1.5 12-Jul-2015  rmind npfkern: eliminate INACTIVE_ID and use 0 for unregistered interfaces.
 1.4 10-Aug-2014  rmind branches: 1.4.2; 1.4.4; 1.4.6;
- Add npf_ruleset_export(), npf_rule_export() and npf_nat_policyexport().
- Split off npf_conn_export(). Add npf_ifmap_getname() and use it to save
the interface name; pick it up on npf_conn_import().
- Misc fixes. Bump NPF_VERSION.
 1.3 19-Jul-2014  rmind NPF: partially rewrite the connection tracking mechanism:
- Separate the tracking interface from the storage (state table)
and thus prepare to use a new data structure for the storage.
- Fix some race conditions in NAT association logic.
 1.2 11-Nov-2013  martin branches: 1.2.2; 1.2.4; 1.2.6;
Add missing [0] (check for unused entries) when matching interface
names.
 1.1 08-Nov-2013  rmind NPF: add support for specifying the interfaces before they are attached.
If an interface is or gets detached, all associated rules and connections
will be deactivated (it might be useful to have an option to invalidate
the associated connections). Once the interface is reattached they will
become active.

Bump NPF_VERSION.
 1.2.6.2 22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.2.6.1 11-Nov-2013  yamt file npf_if.c was added on branch yamt-pagecache on 2014-05-22 11:41:09 +0000
 1.2.4.2 18-May-2014  rmind sync with head
 1.2.4.1 11-Nov-2013  rmind file npf_if.c was added on branch rmind-smpnet on 2014-05-18 17:46:13 +0000
 1.2.2.1 10-Aug-2014  tls Rebase.
 1.4.6.4 28-Aug-2017  skrll Sync with HEAD
 1.4.6.3 05-Feb-2017  skrll Sync with HEAD
 1.4.6.2 29-May-2016  skrll Sync with HEAD
 1.4.6.1 22-Sep-2015  skrll Sync with HEAD
 1.4.4.3 03-Dec-2017  jdolecek update from HEAD
 1.4.4.2 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.4.4.1 10-Aug-2014  tls file npf_if.c was added on branch tls-maxphys on 2014-08-20 00:04:35 +0000
 1.4.2.1 17-Jul-2015  snj Pull up following revision(s) (requested by rmind in ticket #880):
sys/net/npf/npf_if.c: revision 1.5
sys/net/npf/npf_mbuf.c: revision 1.14
usr.sbin/npf/npf.7: revision 1.3
usr.sbin/npf/npfctl/npf_var.c: revision 1.9
npfkern: eliminate INACTIVE_ID and use 0 for unregistered interfaces.
--
- npfvar_get_type1: check for NULL first.
- Minor fix for the npf(7) man page.
 1.6.2.2 20-Mar-2017  pgoyette Sync with HEAD
 1.6.2.1 07-Jan-2017  pgoyette Sync with HEAD. (Note that most of these changes are simply $NetBSD$
tag issues.)
 1.7.2.1 21-Apr-2017  bouyer Sync with HEAD
 1.8.14.2 13-Apr-2020  martin Mostly merge changes from HEAD upto 20200411
 1.8.14.1 10-Jun-2019  christos Sync with HEAD
 1.8.12.1 30-Sep-2018  pgoyette Ssync with HEAD
 1.9.4.3 20-Jun-2020  martin Pull up following revision(s) (requested by rmind in ticket #956):

usr.sbin/npf/npf-params.7: revision 1.4
sys/net/npf/npf_worker.c: revision 1.9
usr.sbin/npf/npftest/npftest.h: revision 1.17
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.16
usr.sbin/npf/npf-params.7: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.21
usr.sbin/npf/npfctl/npf_build.c: revision 1.55
usr.sbin/npf/npf-params.7: revision 1.6
sys/net/npf/npfkern.h: revision 1.5
lib/libnpf/npf.c: revision 1.49
usr.sbin/npf/npf-params.7: revision 1.7
sys/net/npf/npf_impl.h: revision 1.81
sys/net/npf/npf_ext_log.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.h: revision 1.53
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.50
sys/net/npf/npf_mbuf.c: revision 1.24
sys/net/npf/npf_alg.c: revision 1.22
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: file removal
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.10
sys/net/npf/npf.h: revision 1.63
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.21
usr.sbin/npf/npfctl/npf_var.c: revision 1.13
sys/net/npf/files.npf: revision 1.23
usr.sbin/npf/npfctl/npf_show.c: revision 1.32
usr.sbin/npf/npfctl/npf.conf.5: revision 1.91
sys/net/npf/npf_os.c: revision 1.18
sys/net/npf/npf_connkey.c: revision 1.2
sys/net/npf/npf_conf.c: revision 1.17
lib/libnpf/libnpf.3: revision 1.12
usr.sbin/npf/npftest/npftest.c: revision 1.25
usr.sbin/npf/npftest/libnpftest/npf_gc_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.51
sys/net/npf/npf_tableset.c: revision 1.35
usr.sbin/npf/npftest/npftest.conf: revision 1.9
sys/net/npf/npf_sendpkt.c: revision 1.22
usr.sbin/npf/npfctl/npf_var.h: revision 1.10
sys/net/npf/npf_state.c: revision 1.23
sys/net/npf/npf_conn.h: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.64
usr.sbin/npf/npfctl/npf_cmd.c: revision 1.1
sys/net/npf/npf_portmap.c: revision 1.5
sys/net/npf/npf_params.c: revision 1.3
usr.sbin/npf/npfctl/npf_scan.l: revision 1.32
tests/net/npf/t_npf.sh: revision 1.4
sys/net/npf/npf_ext_rndblock.c: revision 1.9
lib/libnpf/npf.h: revision 1.39
sys/net/npf/npf_ruleset.c: revision 1.51
sys/net/npf/npf_alg_icmp.c: revision 1.33
sys/net/npf/npf.c: revision 1.43
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.8: revision 1.25
sys/net/npf/npf_ctl.c: revision 1.60
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.11
sys/net/npf/npf_handler.c: revision 1.49
sys/net/npf/npf_inet.c: revision 1.57
sys/net/npf/npf_ifaddr.c: revision 1.7
sys/net/npf/npf_conndb.c: revision 1.9
sys/net/npf/npf_if.c: revision 1.13
usr.sbin/npf/npfctl/Makefile: revision 1.15
sys/net/npf/npf_conn.c: revision 1.32
sys/net/npf/npf_ext_normalize.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.20
sys/net/npf/npf_worker.c: revision 1.8

Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.

npf_worker_sys{init,fini}: initialize/destroy the exit_cv condvar.

npftest -- npf_test_init(): add a workaround for NetBSD.

npf-params(7): fix the state.key defaults.

npf-params.7: s/filer/filter/

Adjust to "npfctl debug" command line changes, from rmind@.

Use more markup.
 1.9.4.2 04-Oct-2019  martin Pull up following revision(s) (requested by rmind in ticket #282):

usr.sbin/npf/npfctl/npf_build.c: revision 1.53
lib/libnpf/npf.c: revision 1.48
usr.sbin/npf/npfctl/npfctl.h: revision 1.50
sys/net/npf/npf_impl.h: revision 1.80
usr.sbin/npf/npfctl/npfctl.h: revision 1.51
sys/net/npf/npf_ruleset.c: revision 1.49
usr.sbin/npf/npfctl/npf.conf.5: revision 1.90
sys/net/npf/npf_ctl.c: revision 1.59
lib/libnpf/libnpf.3: revision 1.11
usr.sbin/npf/npfctl/npf_parse.y: revision 1.50
usr.sbin/npf/npftest/npftest.conf: revision 1.8
usr.sbin/npf/npfctl/npfctl.c: revision 1.62
usr.sbin/npf/npfctl/npfctl.c: revision 1.63
usr.sbin/npf/npfctl/npf_scan.l: revision 1.30
usr.sbin/npf/npfctl/npfctl.8: revision 1.22
lib/libnpf/npf.h: revision 1.38
usr.sbin/npf/npfctl/npfctl.8: revision 1.23
usr.sbin/npf/npfctl/npfctl.8: revision 1.24
sys/net/npf/npf_if.c: revision 1.11
sys/net/npf/npf_if.c: revision 1.12
usr.sbin/npf/npfctl/npf.conf.5: revision 1.89
sys/net/npf/npf_conn.c: revision 1.30
usr.sbin/npf/npfctl/npf_build.c: revision 1.52

npfctl: implement table replace subcommand.
Contributed by Timshel Knoll-Miller.

NPF ifmap: rework and fix a few small bugs.

npfctl: implement table replace subcommand.
Contributed by Timshel Knoll-Miller.
(missed a file in previous commit; cvs is so helpful..)

libnpf/npfctl: support dynamic NAT rulesets using a name prefix.

Use -width Pa for FILES.

Fix pasto in table replace -t type

Use -width Pa for FILES.

npf_ifmap_copylogname: be more defensive.
 1.9.4.1 13-Aug-2019  martin Pull up following revision(s) (requested by rmind in ticket #49):

usr.sbin/npf/npf.7: revision 1.7
sys/net/npf/npfkern.h: revision 1.4
sys/net/npf/npf_conn.h: revision 1.18
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.13
sys/net/npf/npf_ctl.c: revision 1.55
sys/net/npf/npf_os.c: revision 1.14
sys/net/npf/npf_conf.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/npf_perf_test.c: revision 1.9
sys/net/npf/npf_impl.h: revision 1.76
sys/net/npf/npf_portmap.c: revision 1.4
sys/net/npf/npf_params.c: revision 1.2
sys/net/npf/npf.c: revision 1.40
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.18
sys/net/npf/npf_nat.c: revision 1.47
sys/net/npf/npf_handler.c: revision 1.47
sys/net/npf/npf_inet.c: revision 1.55
sys/net/npf/npf_if.c: revision 1.10
sys/net/npf/npf_worker.c: revision 1.7
usr.sbin/npf/npf-params.7: revision 1.3

npf-params(7): add more bpf.jit details.
From David H. Gutteridge.

Adjust some internal NPF APIs:
* npfkern: use the npfk_ prefix.
* NPF portmap: amend the API so it could be used elsewhere.
* Make npf_connkey_t public.

npf.7: add xref to npf-params.7
(Adding directly here since this particular file isn't included in
rmind@'s upstream GitHub repo at present.)
 1.8 13-Feb-2022  riastradh npf(4): Use atomic_store_release and atomic_load_consume for config.

...or atomic_load_relaxed, when the config is locked. (Not necessary
to use atomic_* at all in NetBSD, but in C11 it will be cheaper to
say atomic_load_relaxed explicitly so an _Atomic-qualified object
doesn't cause the load to be surrounded by unnecessary membars.)

No need for store-before-load ordering here, so no need to
membar_sync.
 1.7 30-May-2020  rmind Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.

- Amend and improve the manual pages.
 1.6 25-Aug-2019  rmind - npfctl_load_nvlist: simplify the config loading logic.
- Fix a small race condition in npf_nat_getaddr().
- Rework pserialize/EBR wrappers, make it easier to maintain.
 1.5 19-Jan-2019  rmind branches: 1.5.4;
Major NPF improvements:
- Convert NPF connection table to thmap. State lookup is now lock-free.
- Improve connection state G/C: it is now incremental and tunable.
- Add support for dynamic NAT address. Translation addresses can now be
selected from a pool of addresses. There are two selection algorithms,
"ip-hash" and "round-robin" (see the man page).
- Translation address can be specified as e.g. ifaddrs(wm0) in npf.conf
to dynamically choose an IP from the interface address(es).
- Add support for the NETMAP algorithm with static NAT for net-to-net
translation (it is equivalent to iptables NETMAP logic).
- Convert 'ipset' tables to use thmap; the table lookup is now lock-free.
- Misc improvements, bug fixes and more unit tests.
- Bump NPF_VERSION (will also bump libnpf).
 1.4 29-Sep-2018  rmind NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.
 1.3 11-Dec-2017  ozaki-r branches: 1.3.2; 1.3.4;
Rename IFNET_LOCK to IFNET_GLOBAL_LOCK

IFNET_LOCK will be used in another lock, if_ioctl_lock (might be renamed then).
 1.2 03-Jan-2017  rmind branches: 1.2.2; 1.2.6; 1.2.12; 1.2.18;
NPF: fix the interface table initialisation on load.
 1.1 02-Jan-2017  rmind NPF: implement dynamic handling of interface addresses (the kernel part).
 1.2.18.2 03-Dec-2017  jdolecek update from HEAD
 1.2.18.1 03-Jan-2017  jdolecek file npf_ifaddr.c was added on branch tls-maxphys on 2017-12-03 11:39:03 +0000
 1.2.12.1 02-Jan-2018  snj Pull up following revision(s) (requested by ozaki-r in ticket #456):
sys/arch/arm/sunxi/sunxi_emac.c: 1.9
sys/dev/ic/dwc_gmac.c: 1.43-1.44
sys/dev/pci/if_iwm.c: 1.75
sys/dev/pci/if_wm.c: 1.543
sys/dev/pci/ixgbe/ixgbe.c: 1.112
sys/dev/pci/ixgbe/ixv.c: 1.74
sys/kern/sys_socket.c: 1.75
sys/net/agr/if_agr.c: 1.43
sys/net/bpf.c: 1.219
sys/net/if.c: 1.397, 1.399, 1.401-1.403, 1.406-1.410, 1.412-1.416
sys/net/if.h: 1.242-1.247, 1.250, 1.252-1.257
sys/net/if_bridge.c: 1.140 via patch, 1.142-1.146
sys/net/if_etherip.c: 1.40
sys/net/if_ethersubr.c: 1.243, 1.246
sys/net/if_faith.c: 1.57
sys/net/if_gif.c: 1.132
sys/net/if_l2tp.c: 1.15, 1.17
sys/net/if_loop.c: 1.98-1.101
sys/net/if_media.c: 1.35
sys/net/if_pppoe.c: 1.131-1.132
sys/net/if_spppsubr.c: 1.176-1.177
sys/net/if_tun.c: 1.142
sys/net/if_vlan.c: 1.107, 1.109, 1.114-1.121
sys/net/npf/npf_ifaddr.c: 1.3
sys/net/npf/npf_os.c: 1.8-1.9
sys/net/rtsock.c: 1.230
sys/netcan/if_canloop.c: 1.3-1.5
sys/netinet/if_arp.c: 1.255
sys/netinet/igmp.c: 1.65
sys/netinet/in.c: 1.210-1.211
sys/netinet/in_pcb.c: 1.180
sys/netinet/ip_carp.c: 1.92, 1.94
sys/netinet/ip_flow.c: 1.81
sys/netinet/ip_input.c: 1.362
sys/netinet/ip_mroute.c: 1.147
sys/netinet/ip_output.c: 1.283, 1.285, 1.287
sys/netinet6/frag6.c: 1.61
sys/netinet6/in6.c: 1.251, 1.255
sys/netinet6/in6_pcb.c: 1.162
sys/netinet6/ip6_flow.c: 1.35
sys/netinet6/ip6_input.c: 1.183
sys/netinet6/ip6_output.c: 1.196
sys/netinet6/mld6.c: 1.90
sys/netinet6/nd6.c: 1.239-1.240
sys/netinet6/nd6_nbr.c: 1.139
sys/netinet6/nd6_rtr.c: 1.136
sys/netipsec/ipsec_output.c: 1.65
sys/rump/net/lib/libnetinet/netinet_component.c: 1.9-1.10
kmem_intr_free kmem_intr_[z]alloced memory
the underlying pools are the same but api-wise those should match
Unify IFEF_*_MPSAFE into IFEF_MPSAFE
There are already two flags for if_output and if_start, however, it seems such
MPSAFE flags are eventually needed for all if_XXX operations. Having discrete
flags for each operation is wasteful of if_extflags bits. So let's unify
the flags into one: IFEF_MPSAFE.
Fortunately IFEF_*_MPSAFE flags have never been included in any releases, so
we can change them without breaking backward compatibility of the releases
(though the kernel version of -current should be bumped).
Note that if an interface have both MP-safe and non-MP-safe operations at a
time, we have to set the IFEF_MPSAFE flag and let callees of non-MP-safe
opeartions take the kernel lock.
Proposed on tech-kern@ and tech-net@
Provide macros for softnet_lock and KERNEL_LOCK hiding NET_MPSAFE switch
It reduces C&P codes such as "#ifndef NET_MPSAFE KERNEL_LOCK(1, NULL); ..."
scattered all over the source code and makes it easy to identify remaining
KERNEL_LOCK and/or softnet_lock that are held even if NET_MPSAFE.
No functional change
Hold KERNEL_LOCK on if_ioctl selectively based on IFEF_MPSAFE
If IFEF_MPSAFE is set, hold the lock and otherwise don't hold.
This change requires additions of KERNEL_LOCK to subsequence functions from
if_ioctl such as ifmedia_ioctl and ifioctl_common to protect non-MP-safe
components.
Proposed on tech-kern@ and tech-net@
Ensure to hold if_ioctl_lock when calling if_flags_set
Fix locking against myself on ifpromisc
vlan_unconfig_locked could be called with holding if_ioctl_lock.
Ensure to not turn on IFF_RUNNING of an interface until its initialization completes
And ensure to turn off it before destruction as per IFF_RUNNING's description
"resource allocated". (The description is a bit doubtful though, I believe the
change is still proper.)
Ensure to hold if_ioctl_lock on if_up and if_down
One exception for if_down is if_detach; in the case the lock isn't needed
because it's guaranteed that no other one can access ifp at that point.
Make if_link_queue MP-safe if IFEF_MPSAFE
if_link_queue is a queue to store events of link state changes, which is
used to pass events from (typically) an interrupt handler to
if_link_state_change softint. The queue was protected by KERNEL_LOCK so far,
but if IFEF_MPSAFE is enabled, it becomes unsafe because (perhaps) an interrupt
handler of an interface with IFEF_MPSAFE doesn't take KERNEL_LOCK. Protect it
by a spin mutex.
Additionally with this change KERNEL_LOCK of if_link_state_change softint is
omitted if NET_MPSAFE is enabled.
Note that the spin mutex is now ifp->if_snd.ifq_lock as well as the case of
if_timer (see the comment).
Use IFADDR_WRITER_FOREACH instead of IFADDR_READER_FOREACH
At that point no other one modifies the list so IFADDR_READER_FOREACH
is unnecessary. Use of IFADDR_READER_FOREACH is harmless in general though,
if we try to detect contract violations of pserialize, using it violates
the contract. So avoid using it makes life easy.
Ensure to call if_addr_init with holding if_ioctl_lock
Get rid of outdated comments
Fix build of kernels without ether
By throwing out if_enable_vlan_mtu and if_disable_vlan_mtu that
created a unnecessary dependency from if.c to if_ethersubr.c.
PR kern/52790
Rename IFNET_LOCK to IFNET_GLOBAL_LOCK
IFNET_LOCK will be used in another lock, if_ioctl_lock (might be renamed then).
Wrap if_ioctl_lock with IFNET_* macros (NFC)
Also if_ioctl_lock perhaps needs to be renamed to something because it's now
not just for ioctl...
Reorder some destruction routines in if_detach
- Destroy if_ioctl_lock at the end of the if_detach because it's used in various
destruction routines
- Move psref_target_destroy after pr_purgeif because we want to use psref in
pr_purgeif (otherwise destruction procedures can be tricky)
Ensure to call if_mcast_op with holding IFNET_LOCK
Note that CARP doesn't deal with IFNET_LOCK yet.
Remove IFNET_GLOBAL_LOCK where it's unnecessary because IFNET_LOCK is held
Describe which lock is used to protect each member variable of struct ifnet
Requested by skrll@
Write a guideline for converting an interface to IFEF_MPSAFE
Requested by skrll@
Note that IFNET_LOCK must not be held in softint
Don't set IFEF_MPSAFE unless NET_MPSAFE at this point
Because recent investigations show that interfaces with IFEF_MPSAFE need to
follow additional restrictions to work with the flag safely. We should enable it
on an interface by default only if the interface surely satisfies the
restrictions, which are described in if.h.
Note that enabling IFEF_MPSAFE solely gains a few benefit on performance because
the network stack is still serialized by the big kernel locks by default.
 1.2.6.2 05-Feb-2017  skrll Sync with HEAD
 1.2.6.1 03-Jan-2017  skrll file npf_ifaddr.c was added on branch nick-nhusb on 2017-02-05 13:40:58 +0000
 1.2.2.2 07-Jan-2017  pgoyette Sync with HEAD. (Note that most of these changes are simply $NetBSD$
tag issues.)
 1.2.2.1 03-Jan-2017  pgoyette file npf_ifaddr.c was added on branch pgoyette-localcount on 2017-01-07 08:56:50 +0000
 1.3.4.2 13-Apr-2020  martin Mostly merge changes from HEAD upto 20200411
 1.3.4.1 10-Jun-2019  christos Sync with HEAD
 1.3.2.2 26-Jan-2019  pgoyette Sync with HEAD
 1.3.2.1 30-Sep-2018  pgoyette Ssync with HEAD
 1.5.4.2 20-Jun-2020  martin Pull up following revision(s) (requested by rmind in ticket #956):

usr.sbin/npf/npf-params.7: revision 1.4
sys/net/npf/npf_worker.c: revision 1.9
usr.sbin/npf/npftest/npftest.h: revision 1.17
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.16
usr.sbin/npf/npf-params.7: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.21
usr.sbin/npf/npfctl/npf_build.c: revision 1.55
usr.sbin/npf/npf-params.7: revision 1.6
sys/net/npf/npfkern.h: revision 1.5
lib/libnpf/npf.c: revision 1.49
usr.sbin/npf/npf-params.7: revision 1.7
sys/net/npf/npf_impl.h: revision 1.81
sys/net/npf/npf_ext_log.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.h: revision 1.53
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.50
sys/net/npf/npf_mbuf.c: revision 1.24
sys/net/npf/npf_alg.c: revision 1.22
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: file removal
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.10
sys/net/npf/npf.h: revision 1.63
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.21
usr.sbin/npf/npfctl/npf_var.c: revision 1.13
sys/net/npf/files.npf: revision 1.23
usr.sbin/npf/npfctl/npf_show.c: revision 1.32
usr.sbin/npf/npfctl/npf.conf.5: revision 1.91
sys/net/npf/npf_os.c: revision 1.18
sys/net/npf/npf_connkey.c: revision 1.2
sys/net/npf/npf_conf.c: revision 1.17
lib/libnpf/libnpf.3: revision 1.12
usr.sbin/npf/npftest/npftest.c: revision 1.25
usr.sbin/npf/npftest/libnpftest/npf_gc_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.51
sys/net/npf/npf_tableset.c: revision 1.35
usr.sbin/npf/npftest/npftest.conf: revision 1.9
sys/net/npf/npf_sendpkt.c: revision 1.22
usr.sbin/npf/npfctl/npf_var.h: revision 1.10
sys/net/npf/npf_state.c: revision 1.23
sys/net/npf/npf_conn.h: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.64
usr.sbin/npf/npfctl/npf_cmd.c: revision 1.1
sys/net/npf/npf_portmap.c: revision 1.5
sys/net/npf/npf_params.c: revision 1.3
usr.sbin/npf/npfctl/npf_scan.l: revision 1.32
tests/net/npf/t_npf.sh: revision 1.4
sys/net/npf/npf_ext_rndblock.c: revision 1.9
lib/libnpf/npf.h: revision 1.39
sys/net/npf/npf_ruleset.c: revision 1.51
sys/net/npf/npf_alg_icmp.c: revision 1.33
sys/net/npf/npf.c: revision 1.43
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.8: revision 1.25
sys/net/npf/npf_ctl.c: revision 1.60
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.11
sys/net/npf/npf_handler.c: revision 1.49
sys/net/npf/npf_inet.c: revision 1.57
sys/net/npf/npf_ifaddr.c: revision 1.7
sys/net/npf/npf_conndb.c: revision 1.9
sys/net/npf/npf_if.c: revision 1.13
usr.sbin/npf/npfctl/Makefile: revision 1.15
sys/net/npf/npf_conn.c: revision 1.32
sys/net/npf/npf_ext_normalize.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.20
sys/net/npf/npf_worker.c: revision 1.8

Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.

npf_worker_sys{init,fini}: initialize/destroy the exit_cv condvar.

npftest -- npf_test_init(): add a workaround for NetBSD.

npf-params(7): fix the state.key defaults.

npf-params.7: s/filer/filter/

Adjust to "npfctl debug" command line changes, from rmind@.

Use more markup.
 1.5.4.1 01-Sep-2019  martin Pull up following revision(s) (requested by rmind in ticket #141):

usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.15
sys/net/npf/npf_alg.c: revision 1.21
sys/net/npf/npf.h: revision 1.62
sys/net/npf/npf_ctl.c: revision 1.57
sys/net/npf/npf_ctl.c: revision 1.58
sys/net/npf/npf_os.c: revision 1.16
sys/net/npf/npf_os.c: revision 1.17
sys/net/npf/npf_conf.c: revision 1.15
sys/net/npf/npf_impl.h: revision 1.78
sys/sys/mbuf.h: revision 1.220
sys/net/npf/npf_impl.h: revision 1.79
sys/net/npf/npf.c: revision 1.41
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.19
sys/net/npf/npf_nat.c: revision 1.48
sys/net/npf/npf_handler.c: revision 1.48
sys/net/npf/npf_ifaddr.c: revision 1.6

- npfctl_load_nvlist: simplify the config loading logic.
- Fix a small race condition in npf_nat_getaddr().
- Rework pserialize/EBR wrappers, make it easier to maintain.
Move PACKET_TAG_NPF where it belongs to.
Make npfctl_switch() and pfil private to OS-specific module.
 1.85 01-Jul-2025  joe kernel code for layer 2 filtering in NPF

reviewed by christos@
 1.84 01-Jun-2025  joe NPF copyright 2025
 1.83 01-Jun-2025  joe kernel: extract rules, lookup socket, process filtering, reviews by christos@
 1.82 27-Aug-2020  riastradh branches: 1.82.26;
npf: Make sure to initialize portmap_lock only once.

PR kern/55586
 1.81 30-May-2020  rmind Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.

- Amend and improve the manual pages.
 1.80 29-Sep-2019  rmind NPF ifmap: rework and fix a few small bugs.
 1.79 25-Aug-2019  rmind ake npfctl_switch() and pfil private to OS-specific module.
 1.78 25-Aug-2019  rmind - npfctl_load_nvlist: simplify the config loading logic.
- Fix a small race condition in npf_nat_getaddr().
- Rework pserialize/EBR wrappers, make it easier to maintain.
 1.77 21-Aug-2019  rmind npfkern/libnpf: Add support for the table replace/swap operation.
Contributed by Timshel Knoll-Miller.
 1.76 11-Aug-2019  rmind Adjust some internal NPF APIs:
* npfkern: use the npfk_ prefix.
* NPF portmap: amend the API so it could be used elsewhere.
* Make npf_connkey_t public.
 1.75 23-Jul-2019  rmind branches: 1.75.2;
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.
 1.74 19-Jan-2019  rmind Major NPF improvements:
- Convert NPF connection table to thmap. State lookup is now lock-free.
- Improve connection state G/C: it is now incremental and tunable.
- Add support for dynamic NAT address. Translation addresses can now be
selected from a pool of addresses. There are two selection algorithms,
"ip-hash" and "round-robin" (see the man page).
- Translation address can be specified as e.g. ifaddrs(wm0) in npf.conf
to dynamically choose an IP from the interface address(es).
- Add support for the NETMAP algorithm with static NAT for net-to-net
translation (it is equivalent to iptables NETMAP logic).
- Convert 'ipset' tables to use thmap; the table lookup is now lock-free.
- Misc improvements, bug fixes and more unit tests.
- Bump NPF_VERSION (will also bump libnpf).
 1.73 29-Sep-2018  rmind NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.
 1.72 12-Sep-2018  christos Fix lockdebug diagnostic error of trying to acquire an rw_lock from a
pserialized active context. From riastradh@
 1.71 31-Aug-2018  maxv Introduce npf_set_mss(). When the MSS is not 16bit-aligned, it sets:

0 8 16 24 32
+------+-----------+-----------+------+
| data | MSS (low) | MSS (hig) | data |
+------+-----------+-----------+------+
^ ^
old[0] old[1]

And sets new[0,1] accordingly with the new value. The MSS-clamping code
then adjusts twice the checksum on a 16bit boundary:

from old[0] to new[0]
from old[1] to new[1]

Fixes PR/53479, opened by myself. Tested with wireshark and kASan.
 1.70 10-Dec-2017  rmind branches: 1.70.2; 1.70.4;
- npf_mk_rules: enforce unique names for the dynamic rulesets.
- npf_worker_unregister: merge fix for the standalone NPF.
 1.69 19-Feb-2017  christos forgot to commit this (new prototype)
 1.68 29-Jan-2017  christos - Increase copyin buffer size to 4M
- Change log output format to be like the OpenBSD's pf including in
the header the matching rule etc, and fill in the matching info.
 1.67 03-Jan-2017  rmind branches: 1.67.2;
NPF: fix the interface table initialisation on load.
 1.66 02-Jan-2017  rmind NPF: implement dynamic handling of interface addresses (the kernel part).
 1.65 28-Dec-2016  christos export rprocs too so we don't lose them.
 1.64 26-Dec-2016  christos Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)
 1.63 10-Dec-2016  christos add functionality to lookup a nat entry from the connection list.
 1.62 09-Dec-2016  christos This patches ditches the ptree(3) library, because it is broken (you
can get missing entries!). Instead, as a temporary solution, we switch
to a simple linear scan of the hash tables for the longest-prefix-match
(lpm.c lpm.h) algorithm. In fact, with few unique prefixes in the set,
on modern hardware this simple algorithm is pretty fast anyway!
 1.61 02-Feb-2015  rmind branches: 1.61.2;
npfctl(8): report dynamic rule ID in a comment, print the case when libpcap
is used correctly. Also, add npf_ruleset_dump() helper in the kernel.
 1.60 30-Nov-2014  rmind - npf_config_load: if loading the connections, do not perform any actice
NAT policy take over or or portmap sharing - just replace them all.
- npf_config_fini: flush with the empty connection database.
- npf_nat_import: fix the stat counter.
 1.59 11-Aug-2014  rmind branches: 1.59.2;
- Add and use npf_alg_export().
- npf_conn_import: handle NAT metadata correctly.
- npf_nat_newpolicy: restore the policy ID.
- npfctl_load: fix error code handling for the limit cases.
- npf_config_import: fix the inverted logic.
- npfctl_load: improve error handling.
 1.58 11-Aug-2014  rmind branches: 1.58.2;
NPF: finish up the rework of npfctl_save() mechanism.
 1.57 10-Aug-2014  rmind - Add npf_ruleset_export(), npf_rule_export() and npf_nat_policyexport().
- Split off npf_conn_export(). Add npf_ifmap_getname() and use it to save
the interface name; pick it up on npf_conn_import().
- Misc fixes. Bump NPF_VERSION.
 1.56 23-Jul-2014  rmind NPF: rework of the connection saving and restoring:
- Add support for saving a snapshot of the current connections together
with a full configuration. Support a reverse load operation. Eliminate
the old 'sess-save' and 'sess-load' in favour of the new mechanism.
- Share code between load and reload operations: the latter performs
load from npf.conf without affecting the connections.
- Simplify and fix races with connection loading.
- Bump NPF_VERSION.
 1.55 20-Jul-2014  rmind NPF: add nbuf_t * into npf_cache_t and remove unnecessary carrying by argument.
 1.54 19-Jul-2014  rmind NPF: partially rewrite the connection tracking mechanism:
- Separate the tracking interface from the storage (state table)
and thus prepare to use a new data structure for the storage.
- Fix some race conditions in NAT association logic.
 1.53 25-Jun-2014  rmind Adjust NPF to the recent BPF / BPF JIT changes and make it work again.
All regression tests are happy now (hi alnsn!).
 1.52 30-May-2014  rmind - npf_nat_freepolicy: handle a race condition when a new connection might
be associated with a NAT policy which is going away and npfctl reload
would wait for its natural expiration (potentially long time).
- Remove npf_ruleset_natreload() by merging into npf_ruleset_reload().
- npf_ruleset_reload: eliminate a small time period when a valid NAT
policy might be inactive during the reload operation.
 1.51 19-May-2014  jakllsch Add ability to have mbufs disappear (to another interface) during
npf_rproc_run(). For upcoming npf_ext_route extension.

Guidance and ok by rmind@.
 1.50 14-Mar-2014  rmind branches: 1.50.2;
NPF: add support for "stateful-ends".
 1.49 19-Feb-2014  rmind NPF: fix the recent breakage of the traceroute ALG. Also, simplify and
refactor a little bit.
 1.48 16-Feb-2014  rmind NPF: pass ALG functions via npfa_funcs_t structure.
 1.47 13-Feb-2014  rmind NPF: add support for IPv6-to-IPv6 Network Prefix Translation (NPTv6),
as per RFC 6296. Add a unit test. Also, bump NPF_VERSION.

Thanks to S.P.Zeidler for the help with NPTv6 work!
 1.46 06-Feb-2014  rmind Add support for CDB based NPF tables.
 1.45 06-Dec-2013  rmind NPF:
- Adjust NAT to not assume flow direction in some cases and thus support
less usual setups which are possible when using 'map' with a custom
filter criteria.
- Introduce NPF_SRC/NPF_DST and replace npc_src/npc_dst with npc_ips[2]
for more convenient handling.
- ICMP ALG: restrict matching only to the outgoing traffic, but be more
direction-agnostic elsewhere.
 1.44 04-Dec-2013  rmind - npf_do_nat: fix a race condition and simplify the logic.
- npf_session_setnat: clear the NAT association on failure.
 1.43 23-Nov-2013  rmind Move initialisation of bpf_args_t into the npf_ruleset_inspect().
This allows us to reuse the BPF memory store as a cache.
 1.42 22-Nov-2013  rmind npf_addr_mix: use xor rather than sum.
 1.41 22-Nov-2013  rmind Add npf_tableset_syncdict() to sync the table IDs in the proplib dictionary,
as they can change on reload now. Also, fix table name checking in npfctl.
 1.40 16-Nov-2013  rmind NPF: convert to bpf_jit_generate()/bpf_jit_freecode().
 1.39 15-Nov-2013  rmind - Add bpf_args_t and convert bpf_filter_ext() to use it. This allows the
caller to initialise (and re-use) the memory store.
- Add bpf_jit_generate() and bpf_jit_freecode() wrappers.
 1.38 12-Nov-2013  rmind NPF: add support for table naming and remove NPF_TABLE_SLOTS (there is
just an arbitrary sanity limit of NPF_MAX_TABLES currently set to 128).

Few misc fixes. Bump NPF_VERSION.
 1.37 08-Nov-2013  rmind NPF: add support for specifying the interfaces before they are attached.
If an interface is or gets detached, all associated rules and connections
will be deactivated (it might be useful to have an option to invalidate
the associated connections). Once the interface is reattached they will
become active.

Bump NPF_VERSION.
 1.36 04-Nov-2013  rmind npf_generic_fsm and npf_tcp_fsm: use uint8_t and make the arrays more dense.
 1.35 29-Oct-2013  rmind npf_session_setnat: fix the race condition when the old connection is still
being expired while a new/duplicate is being created.
 1.34 27-Oct-2013  rmind Add NPF_MAX_RULES, an artificial limit (set it to 1M).
 1.33 19-Sep-2013  rmind NPF: G/C n-code in favour of BPF byte-code. Delete lots of code, mmm!
 1.32 19-Sep-2013  rmind - Convert NPF to use BPF byte-code by default. Compile BPF byte-code in
npfctl(8) and generate separate marks to describe the filter criteria.
- Rewrite 'npfctl show' functionality and fix some of the bugs.
- npftest: add a test for BPF COP.
- Bump NPF_VERSION.
 1.31 02-Jun-2013  rmind branches: 1.31.2;
- NPF connection tracking: rework synchronisation on tracking disable/enable
points and document it. Split the worker thread into a separate module
with an interface, so it could be re-used for other tasks.
- Replace ALG list with arrays and thus hit fewer cache lines.
- Misc bug fixes.
 1.30 19-May-2013  rmind - Add NPF table flushing functionality.
- Fix line numbering for npfctl debug command.
 1.29 20-Mar-2013  christos Make ALG's autoloadable by providing in the config file:
alg "algname"
 1.28 16-Feb-2013  rmind - Convert NPF dynamic rule ID to just incremented 64-bit counter.
- Fix multiple bugs. Also, update the man page.
 1.27 10-Feb-2013  rmind - Fix NPF config reload with dynamic rules present.
- Implement list and flush commands on a dynamic ruleset.
 1.26 09-Feb-2013  rmind NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
 1.25 24-Dec-2012  rmind - Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.
 1.24 29-Oct-2012  rmind Implement NPF table listing and preservation of entries on reload.
Bump the version.
 1.23 16-Sep-2012  rmind Implement dynamic NPF extensions interface. An extension consists of
dynamically loaded module (.so) supplementing npfctl(8) and a kernel
module. Move normalisation and logging functionality into their own
extensions. More improvements to come.
 1.22 15-Aug-2012  rmind branches: 1.22.2;
Add npf_state_setsampler() for _NPF_TESTING case. This also fixes the build.
 1.21 12-Aug-2012  rmind - Extend npftest: add ruleset inspection testing from the config generated
by npfctl debug functionality. Auto-create npftest interfaces for this.
- NPF sessions: combine protocol and interface into a separate substructure,
share between the entries and thus fix the handling of them. Constify.
- npftest: add regression tests for NAT policies.
- npf_build_nat: simplify and fix bi-NAT regression.
- Bump yacc stack size for npfctl.
 1.20 28-Jul-2012  matt Fix -fno-common found by building i386/conf/ALL
 1.19 19-Jul-2012  spz teach npf ipv6-icmp
reviewed by rmind@
 1.18 15-Jul-2012  rmind - Rework NPF tables and fix support for IPv6. Implement tree table type
using radix / Patricia tree. Universal IPv4/IPv6 comparator for ptree(3)
was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.
 1.17 01-Jul-2012  rmind NPF improvements:
- Add NPF_OPCODE_PROTO to match the address and/or protocol only.
- Update parser to support arbitrary "pass proto <name/number>".
- Fix IPv6 address and protocol handling (add a regression test).
- Fix few theorethical races in session handling module.
- Misc fixes, simplifications and some clean up.
 1.16 22-Jun-2012  rmind NPF:
- Rename some functions for consistency and de-inline them.
- Fix few invalid asserts (add regressoin test).
- Use pserialize(9) for ALG interface.
- Minor fixes, sprinkle many comments.
 1.15 30-May-2012  rmind npftest: add a stream processor, which prints out the TCP state information.
A tool for debugging connection tracking from tcpdump -w captured data.
 1.14 06-May-2012  rmind - Fix double-free case on ICMP return case.
- npf_pfil_register: handle kernels without INET6 option correctly.
- Reduce some #ifdefs.
 1.13 14-Apr-2012  rmind Update rumpdev_npf; use WARNS=4.
 1.12 11-Mar-2012  rmind - Save active config in proplib dictionary; add GETCONF ioctl to retrieve.
- Few fixes. Improve some comments.
 1.11 20-Feb-2012  rmind - Add NPF_DECISION_BLOCK and NPF_DECISION_PASS. Be more defensive in the
packet handler. Change the default policy to block when the config is
loaded and set it to pass when flush operation is performed.
- Use kmem_zalloc(9) instead of kmem_alloc(9) in few places.
- npf_rproc_{create,release}: use kmem_intr_{alloc,free} as the destruction
of rule procedure might happen in the interrupt handler (under a very rare
condition, if config reload races with the handler).
- npf_session_establish: check whether layer 3 and 4 are cached.
- npfctl_build_group: do not make groups as passing rules.
- Remove some unecessary header inclusion.
 1.10 06-Feb-2012  rmind branches: 1.10.2;
- Split NPF rule procedure code into a separate module (no functional changes).
- Simplify some code, add more comments, some asserts.
- G/C unused rule hook code.
 1.9 29-Nov-2011  rmind branches: 1.9.2;
- Rework and improve TCP state tracking.
- Fix regressions after IPv6 patch merge.

Note: npfctl(8) rework will come soon.
 1.8 04-Nov-2011  zoltan Add IPv6 support for NPF.
 1.7 02-Feb-2011  rmind branches: 1.7.2; 1.7.6;
NPF checkpoint:
- Add libnpf(3) - a library to control NPF (configuration, ruleset, etc).
- Add NPF support for ftp-proxy(8).
- Add rc.d script for NPF.
- Convert npfctl(8) to use libnpf(3) and thus make it less depressive.
Note: next clean-up step should be a parser, once dholland@ will finish it.
- Add more documentation.
- Various fixes.
 1.6 18-Jan-2011  rmind branches: 1.6.2;
NPF checkpoint:
- Add the concept of rule procedure: separate normalization, logging and
potentially other functions from the rule structure. Rule procedure can be
shared amongst the rules. Separation is both at kernel level (npf_rproc_t)
and configuration ("procedure" + "apply").
- Fix portmap sharing for NAT policy.
- Update TCP state tracking logic. Use TCP FSM definitions.
- Add if_byindex(), OK by matt@. Use in logging for the lookup.
- Fix traceroute ALG and many other bugs; misc clean-up.
 1.5 18-Dec-2010  rmind branches: 1.5.2;
NPF checkpoint:
- Add support for session saving/restoring.
- Add packet logging support (can tcpdump a pseudo-interface).
- Support reload without flushing of sessions; rework some locking.
- Revisit session mangement, replace linking with npf_sentry_t entries.
- Add some counters for statistics, using percpu(9).
- Add IP_DF flag cleansing.
- Fix various bugs; misc clean-up.
 1.4 11-Nov-2010  rmind NPF checkpoint:
- Add proper TCP state tracking as described in Guido van Rooij paper,
plus handle TCP Window Scaling option.
- Completely rework npf_cache_t, reduce granularity, simplify code.
- Add npf_addr_t as an abstraction, amend session handling code, as well
as NAT code et al, to use it. Now design is prepared for IPv6 support.
- Handle IPv4 fragments i.e. perform packet reassembly.
- Add support for IPv4 ID randomization and minimum TTL enforcement.
- Add support for TCP MSS "clamping".
- Random bits for IPv6. Various fixes and clean-up.
 1.3 25-Sep-2010  matt branches: 1.3.2; 1.3.4;
Rename rb.h to rbtree.h, as it is more appropriate (c.f. ptree.h). Also
helps find code that hasn't been updated to use the new rbtree API.
 1.2 16-Sep-2010  rmind NPF checkpoint:
- Add support for bi-directional NAT and redirection / port forwarding.
- Finish filtering on ICMP type/code and add filtering on TCP flags.
- Add support for TCP reset (RST) or ICMP destination unreachable on block.
- Fix a bunch of bugs; misc cleanup.
 1.1 22-Aug-2010  rmind Import NPF - a packet filter. Some features:

- Designed to be fully MP-safe and highly efficient.

- Tables/IP sets (hash or red-black tree) for high performance lookups.

- Stateful filtering and Network Address Port Translation (NAPT).
Framework for application level gateways (ALGs).

- Packet inspection engine called n-code processor - inspired by BPF -
supporting generic RISC-like and specific CISC-like instructions for
common patterns (e.g. IPv4 address matching). See npf_ncode(9) manual.

- Convenient userland utility npfctl(8) with npf.conf(8).

NOTE: This is not yet a fully capable alternative to PF or IPFilter.
Further work (support for binat/rdr, return-rst/return-icmp, common ALGs,
state saving/restoring, logging, etc) is in progress.

Thanks a lot to Matt Thomas for various useful comments and code review.
Aye by: board@
 1.3.4.2 22-Oct-2010  uebayasi Sync with HEAD (-D20101022).
 1.3.4.1 25-Sep-2010  uebayasi file npf_impl.h was added on branch uebayasi-xip on 2010-10-22 09:23:14 +0000
 1.3.2.2 09-Oct-2010  yamt sync with head
 1.3.2.1 25-Sep-2010  yamt file npf_impl.h was added on branch yamt-nfs-mp on 2010-10-09 03:32:37 +0000
 1.5.2.1 06-Jun-2011  jruoho Sync with HEAD.
 1.6.2.1 08-Feb-2011  bouyer Sync with HEAD
 1.7.6.6 22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.7.6.5 23-Jan-2013  yamt sync with head
 1.7.6.4 30-Oct-2012  yamt sync with head
 1.7.6.3 23-May-2012  yamt sync with head.
 1.7.6.2 17-Apr-2012  yamt sync with head
 1.7.6.1 10-Nov-2011  yamt sync with head
 1.7.2.2 05-Mar-2011  rmind sync with head
 1.7.2.1 02-Feb-2011  rmind file npf_impl.h was added on branch rmind-uvmplock on 2011-03-05 20:55:55 +0000
 1.9.2.5 02-Jun-2012  mrg sync to latest -current.
 1.9.2.4 29-Apr-2012  mrg sync to latest -current.
 1.9.2.3 05-Apr-2012  mrg sync to latest -current.
 1.9.2.2 24-Feb-2012  mrg sync to -current.
 1.9.2.1 18-Feb-2012  mrg merge to -current.
 1.10.2.15 17-Nov-2013  bouyer Pull up following revision(s) (requested by rmind in ticket #985):
sys/net/npf/npf_impl.h: revision 1.35
sys/net/npf/npf_nat.c: revision 1.21
sys/net/npf/npf_session.c: revision 1.26
npf_session_setnat: fix the race condition when the old connection is still
being expired while a new/duplicate is being created.
 1.10.2.14 18-Feb-2013  riz branches: 1.10.2.14.2;
Pull up following revision(s) (requested by rmind in ticket #829):
usr.sbin/npf/npfctl/npfctl.8: revision 1.13
usr.sbin/npf/npfctl/npf_build.c: revision 1.21
lib/libnpf/npf.c: revision 1.18
sys/net/npf/npf_ctl.c: revision 1.23
usr.sbin/npf/npfctl/npfctl.h: revision 1.27
lib/libnpf/npf.h: revision 1.15
sys/net/npf/npf_ruleset.c: revision 1.19
sys/net/npf/npf_impl.h: revision 1.28
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.c: revision 1.31
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.6
- Convert NPF dynamic rule ID to just incremented 64-bit counter.
- Fix multiple bugs. Also, update the man page.
 1.10.2.13 11-Feb-2013  riz Pull up following revision(s) (requested by rmind in ticket #817):
usr.sbin/npf/npfctl/npfctl.8: revision 1.12
usr.sbin/npf/npfctl/npf.conf.5: revision 1.27
usr.sbin/npf/npfctl/npf_parse.y: revision 1.18
usr.sbin/npf/npfctl/npf_build.c: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.28
lib/libnpf/npf.c: revision 1.16
usr.sbin/npf/npfctl/npfctl.c: revision 1.29
lib/libnpf/npf.c: revision 1.17
sys/modules/npf/Makefile: revision 1.12
sys/net/npf/npf_rproc.c: revision 1.6
usr.sbin/npf/npftest/README: revision 1.4
sys/net/npf/npf_tableset.c: revision 1.17
sys/net/npf/npf_ctl.c: revision 1.21
sys/net/npf/npf_ctl.c: revision 1.22
usr.sbin/npf/npfctl/npfctl.h: revision 1.25
lib/libnpf/npf.h: revision 1.13
usr.sbin/npf/npftest/npftest.conf: revision 1.2
usr.sbin/npf/npfctl/npfctl.h: revision 1.26
sys/net/npf/npf_ruleset.c: revision 1.17
lib/libnpf/npf.h: revision 1.14
sys/net/npf/npf_ruleset.c: revision 1.18
sys/net/npf/npf_conf.c: revision 1.1
usr.sbin/npf/npfctl/npf_scan.l: revision 1.10
sys/net/npf/npf_conf.c: revision 1.2
sys/net/npf/npf_instr.c: revision 1.16
sys/net/npf/npf_handler.c: revision 1.26
sys/net/npf/npf_impl.h: revision 1.26
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.14
sys/net/npf/npf_processor.c: revision 1.15
sys/net/npf/npf_impl.h: revision 1.27
sys/net/npf/npf_alg_icmp.c: revision 1.15
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.15
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.16
sys/net/npf/npf_ncode.h: revision 1.11
sys/net/npf/files.npf: revision 1.10
usr.sbin/npf/npftest/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.c: revision 1.30
lib/libnpf/npf.3: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.4
sys/net/npf/npf_session.c: revision 1.21
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.5
usr.sbin/npf/npfctl/npf_build.c: revision 1.18
usr.sbin/npf/npfctl/npf_build.c: revision 1.19
sys/net/npf/npf_alg.c: revision 1.7
usr.sbin/npf/npfctl/Makefile: revision 1.10
sys/net/npf/npf_inet.c: revision 1.21
sys/net/npf/npf.h: revision 1.26
sys/net/npf/npf.h: revision 1.27
usr.sbin/pf/ftp-proxy/Makefile: revision 1.8
sys/net/npf/npf_nat.c: revision 1.19
sys/net/npf/npf.c: revision 1.15
sys/net/npf/npf_state.c: revision 1.14
sys/net/npf/npf_sendpkt.c: revision 1.14
sys/rump/net/lib/libnpf/Makefile: revision 1.4
IPv6 linklocal address printing cosmetics
NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
Disable -DWITH_NPF for now; will be converted to BPF mechanism.
- Fix NPF config reload with dynamic rules present.
- Implement list and flush commands on a dynamic ruleset.
Allow filtering on IP addresses even if the L4 protocol is unknown.
Patch from spz@.
npftest: adjust for recent change.
 1.10.2.12 08-Feb-2013  riz Pull up following revision(s) (requested by rmind in ticket #777):
usr.sbin/npf/npfctl/npfctl.c: revision 1.27
sys/net/npf/npf_session.c: revision 1.19
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.4
sys/net/npf/npf_rproc.c: revision 1.5
usr.sbin/npf/npftest/README: revision 1.3
sys/sys/mbuf.h: revision 1.151
sys/net/npf/npf_ruleset.c: revision 1.15
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.3
sys/net/npf/npf_ruleset.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.4
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.4
sys/net/npf/npf_inet.c: revision 1.19
sys/net/npf/npf_instr.c: revision 1.15
sys/net/npf/npf_handler.c: revision 1.24
sys/net/npf/npf_handler.c: revision 1.25
sys/net/npf/npf_state_tcp.c: revision 1.12
sys/net/npf/npf_processor.c: revision 1.13
sys/net/npf/npf_impl.h: revision 1.25
sys/net/npf/npf_processor.c: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.10
sys/net/npf/npf_alg_icmp.c: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.9
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.3
sys/net/npf/npf_session.c: revision 1.20
sys/net/npf/npf_alg.c: revision 1.6
sys/kern/uipc_mbuf.c: revision 1.148
sys/net/npf/npf_inet.c: revision 1.20
sys/net/npf/npf.h: revision 1.25
sys/net/npf/npf_nat.c: revision 1.18
sys/net/npf/npf_state.c: revision 1.13
sys/net/npf/npf_sendpkt.c: revision 1.13
sys/net/npf/npf_ext_log.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.4
sys/net/npf/npf_ext_normalise.c: revision 1.2
- Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.
Silence gcc in npf_recache().
Add m_ensure_contig() routine, which is equivalent to m_pullup, but does not
destroy the mbuf chain on failure (it is kept valid).
- nbuf_ensure_contig: rework to use m_ensure_contig(9), which will not free
the mbuf chain on failure. Fixes some corner cases. Improve regression
test and sprinkle some asserts.
- npf_reassembly: clear nbuf on IPv6 reassembly failure path (partial fix).
The problem was found and fix provided by Anthony Mallet.
 1.10.2.11 26-Nov-2012  riz Pull up following revision(s) (requested by rmind in ticket #718):
usr.sbin/npf/npfctl/npfctl.c: revision 1.22
usr.sbin/npf/npfctl/npfctl.c: revision 1.23
usr.sbin/npf/npfctl/npf_parse.y: revision 1.15
usr.sbin/npf/npfctl/npfctl.c: revision 1.24
usr.sbin/npf/npfctl/npf_parse.y: revision 1.16
usr.sbin/npf/npfctl/npfctl.h: revision 1.22
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.14
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.15
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.11
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.12
usr.sbin/npf/npfctl/npf_scan.l: revision 1.7
usr.sbin/npf/npfctl/npf_scan.l: revision 1.8
usr.sbin/npf/npfctl/npf_extmod.c: revision 1.2
usr.sbin/npf/npfctl/npf_extmod.c: revision 1.3
usr.sbin/npf/npfctl/npf_var.c: revision 1.6
usr.sbin/npf/npfctl/npf_var.c: revision 1.7
gcc 4.1 is not smart enough to notice &quot;arg&quot; is only used when initialized
correctly and produces a &quot;might be used unintialized&quot; warning.
npfctl: switch to efun(3) routines.
npfctl: switch to ecalloc(3).
 1.10.2.10 24-Nov-2012  riz Pull up following revision(s) (requested by rmind in ticket #702):
sys/net/npf/npf_tableset.c: revision 1.15
usr.sbin/npf/npfctl/npfctl.h: revision 1.21
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.6
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.10
sys/net/npf/npf_state_tcp.c: revision 1.11
sys/net/npf/npf_impl.h: revision 1.24
sys/net/npf/npf.h: revision 1.22
sys/net/npf/npf_ctl.c: revision 1.19
sys/net/npf/npf.c: revision 1.14
usr.sbin/npf/npfctl/npfctl.8: revision 1.10
usr.sbin/npf/npfctl/npfctl.c: revision 1.21
npf_tcp_inwindow: inspect the sequence numbers even if the packet contains no
data, fixing up only the RST to the initial SYN. This makes off-path attacks
more difficult. For the reference, see &quot;Reflection Scan: an Off-Path Attack
on TCP&quot; by Jan Wrobel.
Implement NPF table listing and preservation of entries on reload.
Bump the version.
npfctl(8): mention table listing.
 1.10.2.9 18-Nov-2012  riz Pull up following revision(s) (requested by rmind in ticket #693):
lib/npf/ext_normalise/shlib_version: revision 1.1
lib/libnpf/npf.c: revision 1.13
distrib/sets/lists/modules/mi: revision 1.48
sys/net/npf/npf_rproc.c: revision 1.3
sys/net/npf/npf_rproc.c: revision 1.4
sys/modules/npf/Makefile: revision 1.11
usr.sbin/npf/npfctl/npfctl.h: revision 1.20
lib/npf/ext_log/npfext_log.c: revision 1.1
lib/libnpf/npf.h: revision 1.11
sys/net/npf/npf_inet.c: revision 1.17
sys/net/npf/npf_log.c: file removal
sys/net/npf/npf_handler.c: revision 1.22
distrib/sets/lists/base/shl.mi: revision 1.636
sys/net/npf/npf_impl.h: revision 1.23
usr.sbin/npf/npfctl/Makefile: revision 1.8
lib/npf/Makefile: revision 1.1
lib/npf/ext_log/shlib_version: revision 1.1
lib/Makefile: revision 1.189
distrib/sets/lists/comp/shl.mi: revision 1.236
usr.sbin/npf/npfctl/npf_build.c: revision 1.14
distrib/sets/lists/base/mi: revision 1.1007
usr.sbin/npf/npfctl/npf_scan.l: revision 1.6
distrib/sets/lists/base/mi: revision 1.1009
sys/net/npf/npf.h: revision 1.21
lib/npf/ext_normalise/npfext_normalise.c: revision 1.1
etc/mtree/NetBSD.dist.base: revision 1.105
lib/libnpf/Makefile: revision 1.3
etc/mtree/NetBSD.dist.base: revision 1.106
usr.sbin/npf/npfctl/npf_extmod.c: revision 1.1
sys/net/npf/npf_ctl.c: revision 1.18
lib/npf/ext_log/Makefile: revision 1.1
distrib/sets/lists/comp/mi: revision 1.1781
usr.sbin/npf/npfctl/npf_var.h: revision 1.4
sys/net/npf/npf.c: revision 1.13
sys/modules/Makefile: revision 1.111
sys/net/npf/npf_ext_log.c: revision 1.1
lib/npf/Makefile.inc: revision 1.1
sys/net/npf/npf_ext_normalise.c: revision 1.1
sys/net/npf/files.npf: revision 1.8
sys/rump/net/lib/libnpf/Makefile: revision 1.2
sys/modules/npf_ext_log/Makefile: revision 1.1
lib/npf/ext_normalise/Makefile: revision 1.1
usr.sbin/npf/npfctl/npfctl.c: revision 1.20
usr.sbin/npf/npfctl/npf_parse.y: revision 1.13
sys/modules/npf_ext_normalise/Makefile: revision 1.1
Implement dynamic NPF extensions interface. An extension consists of
dynamically loaded module (.so) supplementing npfctl(8) and a kernel
module. Move normalisation and logging functionality into their own
extensions. More improvements to come.
Add /usr/lib/npf.
Add ./usr/libdata/debug/usr/lib/npf for rmind
Fix MKDEBUG set lists
ext_ops does not change during the life cycle and can be fetched without
the mutex held. This avoids confusion in the compiler about an uninitialized
variable ext_ops.
ok rmind@
 1.10.2.8 18-Nov-2012  riz Pull up following revision(s) (requested by rmind in ticket #678):
sys/rump/librump/rumpkern/rump.c: revision 1.243
sys/rump/librump/rumpkern/rump.c: revision 1.244
sys/rump/librump/rumpkern/rump.c: revision 1.245
sys/rump/librump/rumpkern/rump.c: revision 1.246
usr.sbin/npf/npftest/npftest.c: revision 1.5
usr.sbin/npf/npftest/README: revision 1.2
usr.sbin/npf/npftest/npftest.h: revision 1.5
sys/rump/net/Makefile.rumpnetcomp: revision 1.5
sys/rump/net/lib/libnpf/shlib_version: revision 1.1
sys/net/npf/npf_impl.h: revision 1.22
sys/rump/dev/lib/libnpf/Makefile: file removal
usr.sbin/npf/npftest/Makefile: revision 1.3
sys/rump/dev/lib/libnpf/component.c: file removal
sys/rump/dev/lib/libnpf/shlib_version: file removal
sys/net/npf/npf_state.c: revision 1.12
sys/rump/net/lib/libnpf/component.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.4
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.6
sys/rump/net/lib/libnpf/Makefile: revision 1.1
Move and rename librumpdev_npf to librumpnet_npf.
Enable the build of librumpnet_npf.
Add npf_state_setsampler() for _NPF_TESTING case. This also fixes the build.
Call pserialize_init() during rump start-up, since librump/net/npf
uses it.
It helps to include the declaration of the routine being called.
We also need kcpuset_init() now.
Use correct routine name - kcpuset_sysinit() vs kcpuset_init()
 1.10.2.7 13-Aug-2012  riz Pull up following revision(s) (requested by rmind in ticket #485):
lib/libnpf/npf.c: revision 1.11
sys/net/npf/npf_session.c: revision 1.17
sys/modules/npf/Makefile: revision 1.10
usr.sbin/npf/npftest/npftest.c: revision 1.4
usr.sbin/npf/npftest/README: revision 1.1
sys/net/npf/npf_tableset.c: revision 1.14
usr.sbin/npf/npftest/npftest.h: revision 1.4
lib/libnpf/npf.h: revision 1.10
sys/net/npf/npf_ruleset.c: revision 1.14
usr.sbin/npf/npfctl/npf_data.c: revision 1.18
usr.sbin/npf/npftest/npftest.conf: revision 1.1
sys/net/npf/npf_handler.c: revision 1.21
sys/net/npf/npf_impl.h: revision 1.21
usr.sbin/npf/npfctl/npfctl.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_build.c: revision 1.13
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.1
usr.sbin/npf/npftest/npfstream.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.h: revision 1.19
sys/net/npf/npf_nat.c: revision 1.16
sys/net/npf/npf_state.c: revision 1.11
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.5
usr.sbin/npf/npfctl/npf_parse.y: revision 1.12
- Extend npftest: add ruleset inspection testing from the config generated
by npfctl debug functionality. Auto-create npftest interfaces for this.
- NPF sessions: combine protocol and interface into a separate substructure,
share between the entries and thus fix the handling of them. Constify.
- npftest: add regression tests for NAT policies.
- npf_build_nat: simplify and fix bi-NAT regression.
- Bump yacc stack size for npfctl.
 1.10.2.6 25-Jul-2012  jdc Pull up revisions:
src/usr.sbin/npf/npfctl/npfctl.c revisions 1.16,1.17
src/sys/net/npf/npf.h revision 1.20
src/sys/net/npf/npf_alg_icmp.c revision 1.11
src/sys/net/npf/npf_impl.h revision 1.19
src/sys/net/npf/npf_inet.c revisions 1.15,1.16
src/sys/net/npf/npf_instr.c revision 1.14
src/sys/net/npf/npf_ncode.h revision 1.10
src/sys/net/npf/npf_processor.c revision 1.12
src/sys/net/npf/npf_session.c revision 1.16
src/usr.sbin/npf/npfctl/npf_build.c revision 1.12
src/usr.sbin/npf/npfctl/npf_data.c revisions 1.16,1.17
src/usr.sbin/npf/npfctl/npf_disassemble.c revision 1.8
src/usr.sbin/npf/npfctl/npf_ncgen.c revision 1.13
src/usr.sbin/npf/npfctl/npf_parse.y revision 1.11
src/usr.sbin/npf/npfctl/npf_scan.l revision 1.5
src/usr.sbin/npf/npfctl/npf_var.h revision 1.3
src/usr.sbin/npf/npfctl/npfctl.h revision 1.18
src/sys/net/npf/npf_state.c revision 1.10
src/sys/net/npf/npf_state_tcp.c revision 1.10
src/usr.sbin/npf/npftest/npfstream.c revision 1.2
src/usr.sbin/npf/npftest/libnpftest/npf_test_subr.c revision 1.2
(requested by rmind in ticket #435).

Add missing __dead.

teach npf ipv6-icmp
reviewed by rmind@

- npfctl_print_stats: beautification a la French style.
- npfctl_icmpcode: fix the build break.

- npf_fetch_tcpopts: fix off-by-one when validating TCP option length
against the maximum allowed.
- npf_tcp_inwindow: be more liberal with npf_fetch_tcpopts().
- Few minor improvements to npftest.
 1.10.2.5 16-Jul-2012  riz Pull up following revision(s) (requested by rmind in ticket #421):
lib/libnpf/npf.c: revision 1.10
sys/net/npf/npf_session.c: revision 1.15
sys/net/npf/npf_tableset.c: revision 1.13
sys/net/npf/npf_state_tcp.c: revision 1.9
usr.sbin/npf/npfctl/npf_data.c: revision 1.15
sys/net/npf/npf_inet.c: revision 1.14
sys/net/npf/npf_ruleset.c: revision 1.13
sys/net/npf/npf.h: revision 1.19
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.12
sys/net/npf/npf_instr.c: revision 1.13
sys/net/npf/npf_handler.c: revision 1.20
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.4
sys/net/npf/npf_alg_icmp.c: revision 1.10
usr.sbin/npf/npfctl/npfctl.c: revision 1.15
usr.sbin/npf/npfctl/npf_build.c: revision 1.11
lib/libnpf/npf.h: revision 1.9
sys/net/npf/npf_alg.c: revision 1.5
sys/rump/dev/lib/libnpf/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.h: revision 1.17
sys/net/npf/npf_ctl.c: revision 1.16
sys/net/npf/npf_nat.c: revision 1.15
sys/net/npf/npf_tableset_ptree.c: revision 1.1
sys/net/npf/npf.c: revision 1.12
sys/net/npf/npf_sendpkt.c: revision 1.12
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.7
sys/net/npf/npf_impl.h: revision 1.18
sys/net/npf/files.npf: revision 1.7
usr.sbin/npf/npfctl/npf_parse.y: revision 1.10
- Rework NPF tables and fix support for IPv6. Implement tree table type
using radix / Patricia tree. Universal IPv4/IPv6 comparator for ptree(3)
was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.
 1.10.2.4 05-Jul-2012  riz Pull up following revision(s) (requested by rmind in ticket #399):
sys/net/npf/npf_session.c: revision 1.14
sys/net/npf/npf_tableset.c: revision 1.12
sys/net/npf/npf_state_tcp.c: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.3
usr.sbin/npf/npfctl/npf_data.c: revision 1.14
sys/net/npf/npf_inet.c: revision 1.13
sys/net/npf/npf_ruleset.c: revision 1.12
sys/net/npf/npf.h: revision 1.18
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.8: revision 1.7
usr.sbin/npf/npfctl/npf_parse.y: revision 1.9
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.2
usr.sbin/npf/npfctl/npfctl.8: revision 1.8
sys/net/npf/npf_instr.c: revision 1.12
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.3
usr.sbin/npf/npfctl/npf.conf.5: revision 1.13
usr.sbin/npf/npfctl/npf.conf.5: revision 1.14
sys/net/npf/npf_state.c: revision 1.9
sys/net/npf/npf_processor.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.c: revision 1.13
usr.sbin/npf/npfctl/npfctl.c: revision 1.14
usr.sbin/npf/npfctl/npf_build.c: revision 1.10
lib/libnpf/npf.3: revision 1.5
lib/libnpf/npf.h: revision 1.8
share/man/man9/npf_ncode.9: revision 1.9
usr.sbin/npf/npfctl/npf_scan.l: revision 1.4
lib/libnpf/npf.c: revision 1.9
usr.sbin/npf/npfctl/npfctl.h: revision 1.16
sys/net/npf/npf_nat.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.2
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.6
sys/net/npf/npf_impl.h: revision 1.17
sys/net/npf/npf_handler.c: revision 1.18
sys/net/npf/npf_handler.c: revision 1.19
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.4
sys/net/npf/npf_ncode.h: revision 1.9
Fix and update npf.conf(5), npfctl(8) and its usage message.
npf_state_tcp: fix for FIN retransmission and out-of-order ACK case.
NPF improvements:
- Add NPF_OPCODE_PROTO to match the address and/or protocol only.
- Update parser to support arbitrary &quot;pass proto &lt;name/number&gt;&quot;.
- Fix IPv6 address and protocol handling (add a regression test).
- Fix few theorethical races in session handling module.
- Misc fixes, simplifications and some clean up.
npf_packet_handler: fix gcc unused warning.
 1.10.2.3 26-Jun-2012  riz Pull up following revision(s) (requested by rmind in ticket #365):
sys/rump/librump/rumpkern/rumpcpu_generic.c: revision 1.4
sys/net/npf/npf_session.c: revision 1.13
sys/net/npf/npf_tableset.c: revision 1.11
sys/net/npf/npf_state_tcp.c: revision 1.7
sys/net/npf/npf_inet.c: revision 1.12
sys/net/npf/npf.h: revision 1.17
sys/net/npf/npf_instr.c: revision 1.11
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.2
sys/net/npf/npf_state.c: revision 1.8
sys/net/npf/npf_log.c: revision 1.4
sys/net/npf/npf_alg.c: revision 1.4
sys/rump/librump/rumpkern/Makefile.rumpkern: revision 1.118
sys/net/npf/npf_nat.c: revision 1.13
sys/net/npf/npf.c: revision 1.11
sys/net/npf/npf_sendpkt.c: revision 1.11
sys/net/npf/npf_impl.h: revision 1.16
sys/rump/librump/rumpkern/scheduler.c: revision 1.28
rumpkern:
- Add subr_kcpuset.c and subr_pserialize.c modules.
- Add kcpuset_{running,attached} for RUMP env.
NPF:
- Rename some functions for consistency and de-inline them.
- Fix few invalid asserts (add regressoin test).
- Use pserialize(9) for ALG interface.
- Minor fixes, sprinkle many comments.
 1.10.2.2 26-Jun-2012  riz Pull up following revision(s) (requested by rmind in ticket #354):
sys/net/npf/npf_state_tcp.c: revision 1.4
sys/net/npf/npf_state_tcp.c: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.6
usr.sbin/npf/npftest/npftest.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.1
usr.sbin/npf/npftest/npftest.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.2
usr.sbin/npf/npfctl/npf_data.c: revision 1.11
usr.sbin/npf/npftest/npftest.c: revision 1.3
usr.sbin/npf/npfctl/npf_data.c: revision 1.12
usr.sbin/npf/npftest/npftest.h: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.5
usr.sbin/npf/npfctl/npf_data.c: revision 1.13
sys/net/npf/npf.h: revision 1.16
usr.sbin/npf/npftest/npftest.h: revision 1.2
usr.sbin/npf/npfctl/npf_parse.y: revision 1.6
usr.sbin/npf/npftest/npftest.h: revision 1.3
usr.sbin/npf/npfctl/npf_parse.y: revision 1.7
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.10
usr.sbin/npf/npfctl/npf_build.c: revision 1.6
usr.sbin/npf/npfctl/npf_parse.y: revision 1.8
usr.sbin/npf/npfctl/npf_build.c: revision 1.7
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_build.c: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_build.c: revision 1.9
usr.sbin/npf/npfctl/npf.conf.5: revision 1.10
usr.sbin/npf/npfctl/npf.conf.5: revision 1.11
usr.sbin/npf/npfctl/npf.conf.5: revision 1.12
sys/net/npf/npf_state.c: revision 1.7
usr.sbin/npf/npfctl/npfctl.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.c: revision 1.12
usr.sbin/npf/npfctl/Makefile: revision 1.7
sys/rump/net/lib/libnet/Makefile: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.7
usr.sbin/npf/npftest/Makefile: revision 1.1
usr.sbin/npf/npftest/Makefile: revision 1.2
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.1
usr.sbin/npf/npfctl/npf_scan.l: revision 1.2
usr.sbin/npf/npftest/npfstream.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.2
usr.sbin/npf/npfctl/npf_scan.l: revision 1.3
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.3
usr.sbin/npf/npfctl/npfctl.h: revision 1.12
sys/rump/dev/lib/libnpf/Makefile: revision 1.2
usr.sbin/npf/npfctl/npfctl.h: revision 1.14
sys/rump/dev/lib/libnpf/Makefile: revision 1.3
usr.sbin/npf/npfctl/npfctl.h: revision 1.15
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.9
sys/net/npf/npf_ctl.c: revision 1.15
usr.sbin/npf/npfctl/npf_var.c: revision 1.4
usr.sbin/npf/npfctl/npf_var.h: revision 1.2
usr.sbin/npf/npfctl/npf_var.c: revision 1.5
sys/net/npf/npf_impl.h: revision 1.13
sys/net/npf/npf_sendpkt.c: revision 1.10
sys/net/npf/npf_impl.h: revision 1.14
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.4
sys/net/npf/npf_impl.h: revision 1.15
sys/net/npf/npf_handler.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.5
sys/net/npf/npf_handler.c: revision 1.17
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.2
sys/net/npf/npf_ncode.h: revision 1.7
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.3
sys/net/npf/npf_ncode.h: revision 1.8
npf_tcp_inwindow: in a case of negative skew, bump the maximum seen value of
SEQ+LEN in the receiver's side correctly (using ACK from the sender's side).
PR/46265 from Changli Gao.
rumpnet_net: add pfil.c
Update rumpdev_npf; use WARNS=4.
Add initial NPF regression tests integrated with RUMP framework (running the
kernel part of NPF in userland). Other tests will be added once converted to
RUMP framework. All tests are in the public domain.
Some Makefile fixes from christos@.
- Fix double-free case on ICMP return case.
- npf_pfil_register: handle kernels without INET6 option correctly.
- Reduce some #ifdefs.
npfctl(8): add show-config command. Also, update syntax.
npftest: add a stream processor, which prints out the TCP state information.
A tool for debugging connection tracking from tcpdump -w captured data.
npftest: add a module for TCP state tracking and add few test cases.
npf_state_tcp: add an assert; fix some comments while here.
- Rework NPF NAT syntax to be more structured and support future additions
of different types and configurations of NAT.
- npfctl: improve disassemble and show-config command functionality.
- Fix custom ICMP code and type filtering.
make this compile again.
remove error(1) output
Remove superfluous Pp
- make each element of a variable hold a type
- change get_type to take an index, so we can get the individual types of
each element (since primitive elements can be in lists)
- make port_range primitive
- add a routine to convert a variable of primitives to a variable containing
- only port ranges.
remove extra rule that got merged...
 1.10.2.1 03-Apr-2012  riz Pull up following revision(s) (requested by rmind in ticket #158):
sys/net/npf/npf_session.c: revision 1.12
sys/net/npf/npf_tableset.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.2
usr.sbin/npf/npfctl/npf_parse.y: revision 1.4
sys/net/npf/npf_inet.c: revision 1.11
sys/net/npf/npf.h: revision 1.15
usr.sbin/npf/npfctl/npf_build.c: revision 1.5
sys/net/npf/npf_ruleset.c: revision 1.11
sys/net/npf/npf_instr.c: revision 1.10
usr.sbin/npf/npfctl/Makefile: revision 1.6
sys/net/npf/npf_processor.c: revision 1.10
sys/net/npf/npf_log.c: revision 1.3
lib/libnpf/npf.h: revision 1.7
sys/net/npf/npf_alg.c: revision 1.3
sys/net/npf/npf_sendpkt.c: revision 1.9
lib/libnpf/npf.c: revision 1.8
usr.sbin/npf/npfctl/npfctl.h: revision 1.13
sys/net/npf/npf_ctl.c: revision 1.13
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.8
sys/net/npf/npf_ctl.c: revision 1.14
sys/net/npf/npf_nat.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.12
sys/net/npf/npf_impl.h: revision 1.11
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.1
sys/net/npf/npf_impl.h: revision 1.12
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.2
sys/net/npf/npf_handler.c: revision 1.14
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.3
sys/net/npf/npf_handler.c: revision 1.15
sys/net/npf/npf_ncode.h: revision 1.6
sys/net/npf/npf.c: revision 1.8
sys/net/npf/npf.c: revision 1.9
sys/net/npf/npf_alg_icmp.c: revision 1.9
sys/net/npf/npf_session.c: revision 1.11
- Add NPF_DECISION_BLOCK and NPF_DECISION_PASS. Be more defensive in the
packet handler. Change the default policy to block when the config is
loaded and set it to pass when flush operation is performed.
- Use kmem_zalloc(9) instead of kmem_alloc(9) in few places.
- npf_rproc_{create,release}: use kmem_intr_{alloc,free} as the destruction
of rule procedure might happen in the interrupt handler (under a very rare
condition, if config reload races with the handler).
- npf_session_establish: check whether layer 3 and 4 are cached.
- npfctl_build_group: do not make groups as passing rules.
- Remove some unecessary header inclusion.
Simplify slightly: merge iface into addr_or_iface, use it in filt_addr.
Add a small disassembler.
definitions used by the disassembler.
- better printing of type/code flags/mask
- pass the instruction start pointer, instead of subtracting 1 to account for it
- Save active config in proplib dictionary; add GETCONF ioctl to retrieve.
- Few fixes. Improve some comments.
don't leak the branch target array.
Add NPF config retrieval routines.
 1.10.2.14.2.1 17-Nov-2013  bouyer Pull up following revision(s) (requested by rmind in ticket #985):
sys/net/npf/npf_impl.h: revision 1.35
sys/net/npf/npf_nat.c: revision 1.21
sys/net/npf/npf_session.c: revision 1.26
npf_session_setnat: fix the race condition when the old connection is still
being expired while a new/duplicate is being created.
 1.22.2.5 03-Dec-2017  jdolecek update from HEAD
 1.22.2.4 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.22.2.3 23-Jun-2013  tls resync from head
 1.22.2.2 25-Feb-2013  tls resync with head
 1.22.2.1 20-Nov-2012  tls Resync to 2012-11-19 00:00:00 UTC
 1.31.2.1 18-May-2014  rmind sync with head
 1.50.2.1 10-Aug-2014  tls Rebase.
 1.58.2.4 18-Dec-2016  snj Pull up following revision(s) (requested by rmind in ticket #1319):
sys/modules/npf/Makefile: revision 1.19
sys/net/npf/files.npf: revision 1.18
sys/net/npf/lpm.c: revision 1.1
sys/net/npf/lpm.h: revision 1.1
sys/net/npf/npf_impl.h: revision 1.62
sys/net/npf/npf_tableset.c: revision 1.24
sys/net/npf/npf_tableset_ptree.c: file removal
sys/rump/net/lib/libnpf/Makefile: revision 1.18
This patches ditches the ptree(3) library, because it is broken (you
can get missing entries!). Instead, as a temporary solution, we switch
to a simple linear scan of the hash tables for the longest-prefix-match
(lpm.c lpm.h) algorithm. In fact, with few unique prefixes in the set,
on modern hardware this simple algorithm is pretty fast anyway!
--
ditch ptree and use lpm
--
remove ptree add lpm
 1.58.2.3 04-Feb-2015  snj branches: 1.58.2.3.4;
Pull up following revision(s) (requested by rmind in ticket #479):
lib/libnpf/npf.c: revision 1.35
lib/libnpf/npf.h: revision 1.28
sys/net/npf/npf_conn.c: revision 1.15
sys/net/npf/npf_impl.h: revision 1.61
sys/net/npf/npf_ruleset.c: revision 1.41
usr.sbin/npf/npfctl/npf.conf.5: revision 1.44
usr.sbin/npf/npfctl/npf_parse.y: revision 1.37
usr.sbin/npf/npfctl/npf_show.c: revisions 1.16, 1.17
usr.sbin/npf/npfctl/npfctl.c: revision 1.46
load the config file before bpfjit so that we can disable the warning.
--
Don't depend on yacc to include stdlib.h or string.h.
--
- npf_conn_establish: remove a rare race condition when we might destroy a
connection when it is still referenced by another thread.
- npf_conn_destroy: remove the backwards entry using the saved key, PR/49488.
- Sprinkle some asserts.
--
npf.conf(5): mention alg, include in the example, minor fix.
--
npfctl(8): report dynamic rule ID in a comment, print the case when libpcap
is used correctly. Also, add npf_ruleset_dump() helper in the kernel.
--
libnpf: add npf_rule_getid() and npf_rule_getcode().
Missed in the previous commit.
--
npfctl_print_rule: print the ID in hex, not decimal.
 1.58.2.2 01-Dec-2014  martin Pull up following revision(s) (requested by rmind in ticket #280):
sys/net/npf/npf_ruleset.c: revision 1.40
sys/net/npf/npf_nat.c: revision 1.36
sys/net/npf/npf_nat.c: revision 1.37
sys/net/npf/npf_conn.h: revision 1.7
sys/net/npf/npf_conf.c: revision 1.9
sys/net/npf/npf_ruleset.c: revision 1.39
sys/net/npf/npf_conn.c: revision 1.13
sys/net/npf/npf_impl.h: revision 1.60
NPF:
- npf_nat_import: take the port only if using the portmap.
- Sprinkle some comments and asserts.
- npf_config_load: if loading the connections, do not perform any actice
NAT policy take over or or portmap sharing - just replace them all.
- npf_config_fini: flush with the empty connection database.
- npf_nat_import: fix the stat counter.
 1.58.2.1 29-Aug-2014  martin Pull up following revision(s) (requested by rmind in ticket #56):
sys/net/npf/npf_ctl.c: revision 1.39
usr.sbin/npf/npfctl/npfctl.c: revision 1.43
lib/libnpf/npf.c: revision 1.33
lib/libnpf/npf.c: revision 1.34
sys/net/npf/npf_impl.h: revision 1.59
sys/net/npf/npf_ctl.c: revision 1.40
sys/net/npf/npf_conn.c: revision 1.11
sys/net/npf/npf_alg.c: revision 1.15
sys/net/npf/npf_conn.c: revision 1.12
sys/net/npf/npf_nat.c: revision 1.33
sys/net/npf/npf_nat.c: revision 1.34
Add and use npf_alg_export().
npf_conn_import: handle NAT metadata correctly.
npf_nat_newpolicy: restore the policy ID.
npfctl_load: fix error code handling for the limit cases.
npf_config_import: fix the inverted logic.
npfctl_load: improve error handling.
npf_conn_import: add a missing stat counter increment.
npf_nat_import: add a missing reference and make a comment.
npf_config_submit: finally, include the saved connections.
 1.58.2.3.4.1 18-Jan-2017  skrll Sync with netbsd-5
 1.59.2.3 28-Aug-2017  skrll Sync with HEAD
 1.59.2.2 05-Feb-2017  skrll Sync with HEAD
 1.59.2.1 06-Apr-2015  skrll Sync with HEAD
 1.61.2.2 20-Mar-2017  pgoyette Sync with HEAD
 1.61.2.1 07-Jan-2017  pgoyette Sync with HEAD. (Note that most of these changes are simply $NetBSD$
tag issues.)
 1.67.2.1 21-Apr-2017  bouyer Sync with HEAD
 1.70.4.2 13-Apr-2020  martin Mostly merge changes from HEAD upto 20200411
 1.70.4.1 10-Jun-2019  christos Sync with HEAD
 1.70.2.3 26-Jan-2019  pgoyette Sync with HEAD
 1.70.2.2 30-Sep-2018  pgoyette Ssync with HEAD
 1.70.2.1 06-Sep-2018  pgoyette Sync with HEAD

Resolve a couple of conflicts (result of the uimin/uimax changes)
 1.75.2.5 20-Jun-2020  martin Pull up following revision(s) (requested by rmind in ticket #956):

usr.sbin/npf/npf-params.7: revision 1.4
sys/net/npf/npf_worker.c: revision 1.9
usr.sbin/npf/npftest/npftest.h: revision 1.17
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.16
usr.sbin/npf/npf-params.7: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.21
usr.sbin/npf/npfctl/npf_build.c: revision 1.55
usr.sbin/npf/npf-params.7: revision 1.6
sys/net/npf/npfkern.h: revision 1.5
lib/libnpf/npf.c: revision 1.49
usr.sbin/npf/npf-params.7: revision 1.7
sys/net/npf/npf_impl.h: revision 1.81
sys/net/npf/npf_ext_log.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.h: revision 1.53
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.50
sys/net/npf/npf_mbuf.c: revision 1.24
sys/net/npf/npf_alg.c: revision 1.22
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: file removal
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.10
sys/net/npf/npf.h: revision 1.63
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.21
usr.sbin/npf/npfctl/npf_var.c: revision 1.13
sys/net/npf/files.npf: revision 1.23
usr.sbin/npf/npfctl/npf_show.c: revision 1.32
usr.sbin/npf/npfctl/npf.conf.5: revision 1.91
sys/net/npf/npf_os.c: revision 1.18
sys/net/npf/npf_connkey.c: revision 1.2
sys/net/npf/npf_conf.c: revision 1.17
lib/libnpf/libnpf.3: revision 1.12
usr.sbin/npf/npftest/npftest.c: revision 1.25
usr.sbin/npf/npftest/libnpftest/npf_gc_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.51
sys/net/npf/npf_tableset.c: revision 1.35
usr.sbin/npf/npftest/npftest.conf: revision 1.9
sys/net/npf/npf_sendpkt.c: revision 1.22
usr.sbin/npf/npfctl/npf_var.h: revision 1.10
sys/net/npf/npf_state.c: revision 1.23
sys/net/npf/npf_conn.h: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.64
usr.sbin/npf/npfctl/npf_cmd.c: revision 1.1
sys/net/npf/npf_portmap.c: revision 1.5
sys/net/npf/npf_params.c: revision 1.3
usr.sbin/npf/npfctl/npf_scan.l: revision 1.32
tests/net/npf/t_npf.sh: revision 1.4
sys/net/npf/npf_ext_rndblock.c: revision 1.9
lib/libnpf/npf.h: revision 1.39
sys/net/npf/npf_ruleset.c: revision 1.51
sys/net/npf/npf_alg_icmp.c: revision 1.33
sys/net/npf/npf.c: revision 1.43
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.8: revision 1.25
sys/net/npf/npf_ctl.c: revision 1.60
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.11
sys/net/npf/npf_handler.c: revision 1.49
sys/net/npf/npf_inet.c: revision 1.57
sys/net/npf/npf_ifaddr.c: revision 1.7
sys/net/npf/npf_conndb.c: revision 1.9
sys/net/npf/npf_if.c: revision 1.13
usr.sbin/npf/npfctl/Makefile: revision 1.15
sys/net/npf/npf_conn.c: revision 1.32
sys/net/npf/npf_ext_normalize.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.20
sys/net/npf/npf_worker.c: revision 1.8

Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.

npf_worker_sys{init,fini}: initialize/destroy the exit_cv condvar.

npftest -- npf_test_init(): add a workaround for NetBSD.

npf-params(7): fix the state.key defaults.

npf-params.7: s/filer/filter/

Adjust to "npfctl debug" command line changes, from rmind@.

Use more markup.
 1.75.2.4 04-Oct-2019  martin Pull up following revision(s) (requested by rmind in ticket #282):

usr.sbin/npf/npfctl/npf_build.c: revision 1.53
lib/libnpf/npf.c: revision 1.48
usr.sbin/npf/npfctl/npfctl.h: revision 1.50
sys/net/npf/npf_impl.h: revision 1.80
usr.sbin/npf/npfctl/npfctl.h: revision 1.51
sys/net/npf/npf_ruleset.c: revision 1.49
usr.sbin/npf/npfctl/npf.conf.5: revision 1.90
sys/net/npf/npf_ctl.c: revision 1.59
lib/libnpf/libnpf.3: revision 1.11
usr.sbin/npf/npfctl/npf_parse.y: revision 1.50
usr.sbin/npf/npftest/npftest.conf: revision 1.8
usr.sbin/npf/npfctl/npfctl.c: revision 1.62
usr.sbin/npf/npfctl/npfctl.c: revision 1.63
usr.sbin/npf/npfctl/npf_scan.l: revision 1.30
usr.sbin/npf/npfctl/npfctl.8: revision 1.22
lib/libnpf/npf.h: revision 1.38
usr.sbin/npf/npfctl/npfctl.8: revision 1.23
usr.sbin/npf/npfctl/npfctl.8: revision 1.24
sys/net/npf/npf_if.c: revision 1.11
sys/net/npf/npf_if.c: revision 1.12
usr.sbin/npf/npfctl/npf.conf.5: revision 1.89
sys/net/npf/npf_conn.c: revision 1.30
usr.sbin/npf/npfctl/npf_build.c: revision 1.52

npfctl: implement table replace subcommand.
Contributed by Timshel Knoll-Miller.

NPF ifmap: rework and fix a few small bugs.

npfctl: implement table replace subcommand.
Contributed by Timshel Knoll-Miller.
(missed a file in previous commit; cvs is so helpful..)

libnpf/npfctl: support dynamic NAT rulesets using a name prefix.

Use -width Pa for FILES.

Fix pasto in table replace -t type

Use -width Pa for FILES.

npf_ifmap_copylogname: be more defensive.
 1.75.2.3 01-Sep-2019  martin Pull up following revision(s) (requested by rmind in ticket #141):

usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.15
sys/net/npf/npf_alg.c: revision 1.21
sys/net/npf/npf.h: revision 1.62
sys/net/npf/npf_ctl.c: revision 1.57
sys/net/npf/npf_ctl.c: revision 1.58
sys/net/npf/npf_os.c: revision 1.16
sys/net/npf/npf_os.c: revision 1.17
sys/net/npf/npf_conf.c: revision 1.15
sys/net/npf/npf_impl.h: revision 1.78
sys/sys/mbuf.h: revision 1.220
sys/net/npf/npf_impl.h: revision 1.79
sys/net/npf/npf.c: revision 1.41
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.19
sys/net/npf/npf_nat.c: revision 1.48
sys/net/npf/npf_handler.c: revision 1.48
sys/net/npf/npf_ifaddr.c: revision 1.6

- npfctl_load_nvlist: simplify the config loading logic.
- Fix a small race condition in npf_nat_getaddr().
- Rework pserialize/EBR wrappers, make it easier to maintain.
Move PACKET_TAG_NPF where it belongs to.
Make npfctl_switch() and pfil private to OS-specific module.
 1.75.2.2 01-Sep-2019  martin Pull up following revision(s) (requested by rmind in ticket #139):

lib/libnpf/npf.c: revision 1.47
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.10
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.10
sys/net/npf/npf.h: revision 1.61
sys/net/npf/npf_ctl.c: revision 1.56
sys/net/npf/npf_os.c: revision 1.15
lib/libnpf/libnpf.3: revision 1.10
sys/net/npf/npf_tableset.c: revision 1.34
usr.sbin/npf/npfctl/npfctl.c: revision 1.61
sys/net/npf/npf_impl.h: revision 1.77
lib/libnpf/npf.h: revision 1.37

- npftest: fix a memleak in a unit test (standalone path only).
- Minor style fixes. No functional change.
npfkern/libnpf: Add support for the table replace/swap operation.
Contributed by Timshel Knoll-Miller.
 1.75.2.1 13-Aug-2019  martin Pull up following revision(s) (requested by rmind in ticket #49):

usr.sbin/npf/npf.7: revision 1.7
sys/net/npf/npfkern.h: revision 1.4
sys/net/npf/npf_conn.h: revision 1.18
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.13
sys/net/npf/npf_ctl.c: revision 1.55
sys/net/npf/npf_os.c: revision 1.14
sys/net/npf/npf_conf.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/npf_perf_test.c: revision 1.9
sys/net/npf/npf_impl.h: revision 1.76
sys/net/npf/npf_portmap.c: revision 1.4
sys/net/npf/npf_params.c: revision 1.2
sys/net/npf/npf.c: revision 1.40
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.18
sys/net/npf/npf_nat.c: revision 1.47
sys/net/npf/npf_handler.c: revision 1.47
sys/net/npf/npf_inet.c: revision 1.55
sys/net/npf/npf_if.c: revision 1.10
sys/net/npf/npf_worker.c: revision 1.7
usr.sbin/npf/npf-params.7: revision 1.3

npf-params(7): add more bpf.jit details.
From David H. Gutteridge.

Adjust some internal NPF APIs:
* npfkern: use the npfk_ prefix.
* NPF portmap: amend the API so it could be used elsewhere.
* Make npf_connkey_t public.

npf.7: add xref to npf-params.7
(Adding directly here since this particular file isn't included in
rmind@'s upstream GitHub repo at present.)
 1.82.26.1 02-Aug-2025  perseant Sync with HEAD
 1.58 01-Jul-2025  joe kernel code for layer 2 filtering in NPF

reviewed by christos@
 1.57 30-May-2020  rmind branches: 1.57.26;
Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.

- Amend and improve the manual pages.
 1.56 23-May-2020  rmind Backport selected NPF fixes from the upstream (to be pulled up):

- npf_conndb_lookup: protect the connection lookup with pserialize(9),
instead of incorrectly assuming that the handler always runs at IPL_SOFNET.
Should fix crashes reported on high load (PR/55182).

- npf_config_destroy: handle partially initialized config; fixes crashes
with some invalid configurations.

- NAT policy creation / destruction: set the initial reference and do not
wait for reference draining on destruction; destroy the policy on the
last reference drop instead. Fixes a lockup with the dynamic NAT rules.

- npf_nat_{export,import}: fix a regression since dynamic NAT rules.

- npfctl: fix a regression and restore the default group behaviour.

- Add npf_cache_tcp() and validate the TCP data offset (from maxv@).
 1.55 11-Aug-2019  rmind Adjust some internal NPF APIs:
* npfkern: use the npfk_ prefix.
* NPF portmap: amend the API so it could be used elsewhere.
* Make npf_connkey_t public.
 1.54 23-Jul-2019  rmind branches: 1.54.2;
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.
 1.53 19-Jan-2019  rmind Major NPF improvements:
- Convert NPF connection table to thmap. State lookup is now lock-free.
- Improve connection state G/C: it is now incremental and tunable.
- Add support for dynamic NAT address. Translation addresses can now be
selected from a pool of addresses. There are two selection algorithms,
"ip-hash" and "round-robin" (see the man page).
- Translation address can be specified as e.g. ifaddrs(wm0) in npf.conf
to dynamically choose an IP from the interface address(es).
- Add support for the NETMAP algorithm with static NAT for net-to-net
translation (it is equivalent to iptables NETMAP logic).
- Convert 'ipset' tables to use thmap; the table lookup is now lock-free.
- Misc improvements, bug fixes and more unit tests.
- Bump NPF_VERSION (will also bump libnpf).
 1.52 29-Sep-2018  rmind NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.
 1.51 31-Aug-2018  maxv Introduce npf_set_mss(). When the MSS is not 16bit-aligned, it sets:

0 8 16 24 32
+------+-----------+-----------+------+
| data | MSS (low) | MSS (hig) | data |
+------+-----------+-----------+------+
^ ^
old[0] old[1]

And sets new[0,1] accordingly with the new value. The MSS-clamping code
then adjusts twice the checksum on a 16bit boundary:

from old[0] to new[0]
from old[1] to new[1]

Fixes PR/53479, opened by myself. Tested with wireshark and kASan.
 1.50 08-Apr-2018  maxv branches: 1.50.2;
Fix bug I introduced in previous commit.
 1.49 07-Apr-2018  maxv Rewrite npf_fetch_tcpopts:

* Instead of doing several nbuf_advance/nbuf_ensure_contig and
playing with gotos, fetch the TCP options only once, and iterate over
the (safe) area. The code is similar to tcp_dooptions.

* When handling TCPOPT_MAXSEG and TCPOPT_WINDOW, ensure the length is
the one we're expecting. If it isn't, then skip the option. This
wasn't done before, and not doing it allowed a packet to bypass the
max-mss clamping procedure. Discussed on tech-net@.
 1.48 06-Apr-2018  maxv If we're trying to read the mss on a packet that for some reason has two
MAXSEG options, we find ourselves patching the second option with the
value of the first one.

Fix that by using a local variable.
 1.47 23-Mar-2018  maxv If we fail to advance inside TCP/UDP/ICMPv4/ICMPv6, stop pretending L4
is unknown, and error out right away.

This prevents bugs in machinery, if a place looks for L4 in 'npc_proto'
without checking the cache too. I've seen a ~similar problem already.
 1.46 22-Mar-2018  maxv Retrieve the complete IPv4 header right away, and make sure we did retrieve
the IPv6 option header we were iterating on.
 1.45 22-Mar-2018  maxv Change npf_cache_all so that it ensures the potential ICMP Query Id is in
the nbuf. In such a way that we don't need to ensure that later.

Change npfa_icmp4_inspect and npfa_icmp6_inspect so that they touch neither
the nbuf nor npc. Adapt their callers accordingly.

In the end, if a packet has a Query Id, we set NPC_ICMP_ID in npc and leave
right away, without recaching npc (not needed since we didn't touch the
nbuf).

This fixes the handling of Query Id packets (that I broke in my previous
commit), and also fixes another possible use-after-free.
 1.44 21-Mar-2018  maxv Add XXX (we don't handle IPv6 Jumbograms), and whitespace.
 1.43 21-Mar-2018  maxv Don't read the L4 payload after IPPROTO_AH when handling IPv6 packets.

AH must be considered as the payload, otherwise a

block all
pass in proto ah from any
pass out proto ah from any

configuration will actually block everything, because NPF checks the
protocol against the one found after AH, and not AH itself.

In addition it may have been a problem for stateful connections; an AH
packet sent by an attacker with an incorrect authentication and a correct
TCP/UDP/whatever payload from an active connection could manage to change
NPF's FSM state, which would perhaps have altered the legitimate
connection with the authenticated remote IPsec host.

Note that IPv4 already doesn't go beyond AH, which is the correct
behavior.
 1.42 17-Mar-2018  maxv Fix the IPv6 payload computation in npf_tcpsaw. It was incorrect, and this
caused the "return-rst" rules to send back an RST with the wrong ACK when
the received SYN had an IPv6 option.
 1.41 13-Mar-2018  maxv Mmh, put back the RFC6946 check (about dummy fragments), otherwise NPF
is not happy in npf_reassembly, because NPC_IPFRAG is again returned after
the packet was reassembled.

I'm wondering whether it would not be better to just remove the fragment
header in frag6_input directly.
 1.40 13-Mar-2018  maxv Fix two consecutive mistakes.

The first mistake was npf_inet.c rev1.37:

"Don't reassemble ipv6 fragments, instead treat the first fragment
as a regular packet (subject to filtering rules), and pass
subsequent fragments in the same group unconditionally."

Doing this was entirely wrong, because then a packet just had to push
the L4 payload in a secondary fragment, and NPF wouldn't apply rules on
it - meaning any IPv6 packet could bypass >=L4 filtering. This mistake
was supposed to be a fix for the second mistake.

The second mistake was that ip6_reass_packet (in npf_reassembly) was
getting called with npc->npc_hlen. But npc_hlen pointed to the last
encountered header in the IPv6 chain, which was not necessarily the
fragment header. So ip6_reass_packet was given garbage, and would fail,
resulting in the packet getting kicked. So basically IPv6 was broken by
NPF.

The first mistake is reverted, and the second one is fixed by doing:

- hlen = sizeof(struct ip6_frag);
+ hlen = 0;

Now the iteration stops on the fragment header, and the call to
ip6_reass_packet is valid.

My npf_inet.c rev1.38 is partially reverted: we don't need to worry
about failing properly to advance; once the packet is reassembled
npf_cache_ip gets called again, and this time the whole chain should be
there.

Tested with a simple UDPv6 server - send a 3000-byte-sized buffer, the
packet gets correctly reassembled by NPF now.
 1.39 08-Mar-2018  maxv Switch nptr to uint8_t, and use nbuf_ensure_contig. Makes us use fewer
magic values.
 1.38 08-Mar-2018  maxv Declare NPC_FMTERR, and use it to kick malformed packets. Several sanity
checks are added in IPv6; after we see the first IPPROTO_FRAGMENT header,
we are allowed to fail to advance, otherwise we kick the packet.

Sent on tech-net@ a few days ago, no response, but I'm committing it now
anyway.
 1.37 19-Feb-2017  christos branches: 1.37.6; 1.37.12;
Don't reassemble ipv6 fragments, instead treat the first fragment as a regular
packet (subject to filtering rules), and pass subsequent fragments in the
same group unconditionally.
 1.36 26-Dec-2016  christos branches: 1.36.2;
Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)
 1.35 07-Nov-2016  jnemeth fixup misplaced #endif
 1.34 18-Mar-2016  mrg branches: 1.34.2;
minimal changes necessary to link into an INET6-less kernel.
 1.33 17-Dec-2015  mlelstv make DDB print ipv6 addresses too
 1.32 20-Jul-2014  rmind branches: 1.32.2; 1.32.4; 1.32.6; 1.32.10;
NPF: add nbuf_t * into npf_cache_t and remove unnecessary carrying by argument.
 1.31 19-Jul-2014  rmind NPF: partially rewrite the connection tracking mechanism:
- Separate the tracking interface from the storage (state table)
and thus prepare to use a new data structure for the storage.
- Fix some race conditions in NAT association logic.
 1.30 19-Feb-2014  rmind branches: 1.30.2;
NPF: fix the recent breakage of the traceroute ALG. Also, simplify and
refactor a little bit.
 1.29 13-Feb-2014  rmind NPF: add support for IPv6-to-IPv6 Network Prefix Translation (NPTv6),
as per RFC 6296. Add a unit test. Also, bump NPF_VERSION.

Thanks to S.P.Zeidler for the help with NPTv6 work!
 1.28 06-Dec-2013  rmind NPF:
- Adjust NAT to not assume flow direction in some cases and thus support
less usual setups which are possible when using 'map' with a custom
filter criteria.
- Introduce NPF_SRC/NPF_DST and replace npc_src/npc_dst with npc_ips[2]
for more convenient handling.
- ICMP ALG: restrict matching only to the outgoing traffic, but be more
direction-agnostic elsewhere.
 1.27 22-Nov-2013  rmind Optimise checksum fixup routines:
- npf_fixup16_cksum: 1's complement sum is endian-independent.
- npf_fixup32_cksum: the first 32->16 bit reduction is not needed.

Pointed out by Valery Ushakov.
 1.26 22-Nov-2013  rmind npf_addr_mix: use xor rather than sum.
 1.25 30-Oct-2013  mrg used __diagused where appropriate.
 1.24 25-Oct-2013  martin Turn a few __unused into __diagused
 1.23 23-Aug-2013  rmind - npf_cache_ip: re-fetch IPv6 header since nbufs might have been reallocated.
- npf_cache_all: clear NBUF_DATAREF_RESET since npf_cache_ip() handles it.
 1.22 02-Jun-2013  rmind branches: 1.22.2;
- NPF connection tracking: rework synchronisation on tracking disable/enable
points and document it. Split the worker thread into a separate module
with an interface, so it could be re-used for other tasks.
- Replace ALG list with arrays and thus hit fewer cache lines.
- Misc bug fixes.
 1.21 09-Feb-2013  rmind NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
 1.20 24-Dec-2012  rmind Silence gcc in npf_recache().
 1.19 24-Dec-2012  rmind - Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.
 1.18 10-Dec-2012  rmind npf_rwrcksum: handle delayed checksums in the network stack; also fix
non-NPF_NAT_PORTS case and add some comments. PR/47235.
 1.17 16-Sep-2012  rmind Implement dynamic NPF extensions interface. An extension consists of
dynamically loaded module (.so) supplementing npfctl(8) and a kernel
module. Move normalisation and logging functionality into their own
extensions. More improvements to come.
 1.16 21-Jul-2012  rmind branches: 1.16.2;
- npf_fetch_tcpopts: fix off-by-one when validating TCP option length
against the maximum allowed.
- npf_tcp_inwindow: be more liberal with npf_fetch_tcpopts().
- Few minor improvements to npftest.
 1.15 19-Jul-2012  spz teach npf ipv6-icmp
reviewed by rmind@
 1.14 15-Jul-2012  rmind - Rework NPF tables and fix support for IPv6. Implement tree table type
using radix / Patricia tree. Universal IPv4/IPv6 comparator for ptree(3)
was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.
 1.13 01-Jul-2012  rmind NPF improvements:
- Add NPF_OPCODE_PROTO to match the address and/or protocol only.
- Update parser to support arbitrary "pass proto <name/number>".
- Fix IPv6 address and protocol handling (add a regression test).
- Fix few theorethical races in session handling module.
- Misc fixes, simplifications and some clean up.
 1.12 22-Jun-2012  rmind NPF:
- Rename some functions for consistency and de-inline them.
- Fix few invalid asserts (add regressoin test).
- Use pserialize(9) for ALG interface.
- Minor fixes, sprinkle many comments.
 1.11 20-Feb-2012  rmind - Add NPF_DECISION_BLOCK and NPF_DECISION_PASS. Be more defensive in the
packet handler. Change the default policy to block when the config is
loaded and set it to pass when flush operation is performed.
- Use kmem_zalloc(9) instead of kmem_alloc(9) in few places.
- npf_rproc_{create,release}: use kmem_intr_{alloc,free} as the destruction
of rule procedure might happen in the interrupt handler (under a very rare
condition, if config reload races with the handler).
- npf_session_establish: check whether layer 3 and 4 are cached.
- npfctl_build_group: do not make groups as passing rules.
- Remove some unecessary header inclusion.
 1.10 29-Nov-2011  rmind branches: 1.10.2; 1.10.4;
- Rework and improve TCP state tracking.
- Fix regressions after IPv6 patch merge.

Note: npfctl(8) rework will come soon.
 1.9 12-Nov-2011  jakllsch Make a comment consistent with the code.
 1.8 06-Nov-2011  rmind Few fixes, KNF/style, bump the NPF version.
 1.7 04-Nov-2011  zoltan Add IPv6 support for NPF.
 1.6 18-Jan-2011  rmind branches: 1.6.4; 1.6.8;
NPF checkpoint:
- Add the concept of rule procedure: separate normalization, logging and
potentially other functions from the rule structure. Rule procedure can be
shared amongst the rules. Separation is both at kernel level (npf_rproc_t)
and configuration ("procedure" + "apply").
- Fix portmap sharing for NAT policy.
- Update TCP state tracking logic. Use TCP FSM definitions.
- Add if_byindex(), OK by matt@. Use in logging for the lookup.
- Fix traceroute ALG and many other bugs; misc clean-up.
 1.5 18-Dec-2010  rmind branches: 1.5.2;
NPF checkpoint:
- Add support for session saving/restoring.
- Add packet logging support (can tcpdump a pseudo-interface).
- Support reload without flushing of sessions; rework some locking.
- Revisit session mangement, replace linking with npf_sentry_t entries.
- Add some counters for statistics, using percpu(9).
- Add IP_DF flag cleansing.
- Fix various bugs; misc clean-up.
 1.4 11-Nov-2010  rmind NPF checkpoint:
- Add proper TCP state tracking as described in Guido van Rooij paper,
plus handle TCP Window Scaling option.
- Completely rework npf_cache_t, reduce granularity, simplify code.
- Add npf_addr_t as an abstraction, amend session handling code, as well
as NAT code et al, to use it. Now design is prepared for IPv6 support.
- Handle IPv4 fragments i.e. perform packet reassembly.
- Add support for IPv4 ID randomization and minimum TTL enforcement.
- Add support for TCP MSS "clamping".
- Random bits for IPv6. Various fixes and clean-up.
 1.3 25-Sep-2010  rmind branches: 1.3.2; 1.3.4;
Add nbuf_advfetch() and simplify some code slightly.
 1.2 16-Sep-2010  rmind NPF checkpoint:
- Add support for bi-directional NAT and redirection / port forwarding.
- Finish filtering on ICMP type/code and add filtering on TCP flags.
- Add support for TCP reset (RST) or ICMP destination unreachable on block.
- Fix a bunch of bugs; misc cleanup.
 1.1 22-Aug-2010  rmind Import NPF - a packet filter. Some features:

- Designed to be fully MP-safe and highly efficient.

- Tables/IP sets (hash or red-black tree) for high performance lookups.

- Stateful filtering and Network Address Port Translation (NAPT).
Framework for application level gateways (ALGs).

- Packet inspection engine called n-code processor - inspired by BPF -
supporting generic RISC-like and specific CISC-like instructions for
common patterns (e.g. IPv4 address matching). See npf_ncode(9) manual.

- Convenient userland utility npfctl(8) with npf.conf(8).

NOTE: This is not yet a fully capable alternative to PF or IPFilter.
Further work (support for binat/rdr, return-rst/return-icmp, common ALGs,
state saving/restoring, logging, etc) is in progress.

Thanks a lot to Matt Thomas for various useful comments and code review.
Aye by: board@
 1.3.4.2 22-Oct-2010  uebayasi Sync with HEAD (-D20101022).
 1.3.4.1 25-Sep-2010  uebayasi file npf_inet.c was added on branch uebayasi-xip on 2010-10-22 09:23:15 +0000
 1.3.2.2 09-Oct-2010  yamt sync with head
 1.3.2.1 25-Sep-2010  yamt file npf_inet.c was added on branch yamt-nfs-mp on 2010-10-09 03:32:37 +0000
 1.5.2.1 06-Jun-2011  jruoho Sync with HEAD.
 1.6.8.6 22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.6.8.5 23-Jan-2013  yamt sync with head
 1.6.8.4 16-Jan-2013  yamt sync with (a bit old) head
 1.6.8.3 30-Oct-2012  yamt sync with head
 1.6.8.2 17-Apr-2012  yamt sync with head
 1.6.8.1 10-Nov-2011  yamt sync with head
 1.6.4.2 05-Mar-2011  rmind sync with head
 1.6.4.1 18-Jan-2011  rmind file npf_inet.c was added on branch rmind-uvmplock on 2011-03-05 20:55:55 +0000
 1.10.4.11 17-May-2018  martin Pull up following revision(s) via patch (requested by maxv in ticket #1549):

sys/net/npf/npf_inet.c: revision 1.45
sys/net/npf/npf_alg_icmp.c: revision 1.27,1.28

Fix use-after-free.

The nbuf can be reallocated as a result of caching 'enpc', so it is
necessary to recache 'npc', otherwise it contains pointers to the freed
mbuf - pointers which are then used in the ruleset machinery.

We recache 'npc' when we are sure we won't use 'enpc' anymore, because
'enpc' can be clobbered as a result of caching 'npc' (in other words,
only one of the two can be cached at the same time).

Also, we recache 'npc' unconditionally, because there is no way to know
whether the nbuf got clobbered relatively to it. We can't use the
NBUF_DATAREF_RESET flag, because it is stored in the nbuf and not in the
cache.

Discussed with rmind@.

Change npf_cache_all so that it ensures the potential ICMP Query Id is in
the nbuf. In such a way that we don't need to ensure that later.
Change npfa_icmp4_inspect and npfa_icmp6_inspect so that they touch neither
the nbuf nor npc. Adapt their callers accordingly.

In the end, if a packet has a Query Id, we set NPC_ICMP_ID in npc and leave
right away, without recaching npc (not needed since we didn't touch the
nbuf).

This fixes the handling of Query Id packets (that I broke in my previous
commit), and also fixes another possible use-after-free.
 1.10.4.10 13-Sep-2013  msaitoh Pull up following revision (requested by riz in ticket #942):
/sys/net/npf/npf_inet.c revision 1.23
Fix bugs to prevent panic:
- npf_cache_ip: re-fetch IPv6 header since nbufs might have been reallocated.
- npf_cache_all: clear NBUF_DATAREF_RESET since npf_cache_ip() handles it.
 1.10.4.9 11-Feb-2013  riz branches: 1.10.4.9.2;
Pull up following revision(s) (requested by rmind in ticket #817):
usr.sbin/npf/npfctl/npfctl.8: revision 1.12
usr.sbin/npf/npfctl/npf.conf.5: revision 1.27
usr.sbin/npf/npfctl/npf_parse.y: revision 1.18
usr.sbin/npf/npfctl/npf_build.c: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.28
lib/libnpf/npf.c: revision 1.16
usr.sbin/npf/npfctl/npfctl.c: revision 1.29
lib/libnpf/npf.c: revision 1.17
sys/modules/npf/Makefile: revision 1.12
sys/net/npf/npf_rproc.c: revision 1.6
usr.sbin/npf/npftest/README: revision 1.4
sys/net/npf/npf_tableset.c: revision 1.17
sys/net/npf/npf_ctl.c: revision 1.21
sys/net/npf/npf_ctl.c: revision 1.22
usr.sbin/npf/npfctl/npfctl.h: revision 1.25
lib/libnpf/npf.h: revision 1.13
usr.sbin/npf/npftest/npftest.conf: revision 1.2
usr.sbin/npf/npfctl/npfctl.h: revision 1.26
sys/net/npf/npf_ruleset.c: revision 1.17
lib/libnpf/npf.h: revision 1.14
sys/net/npf/npf_ruleset.c: revision 1.18
sys/net/npf/npf_conf.c: revision 1.1
usr.sbin/npf/npfctl/npf_scan.l: revision 1.10
sys/net/npf/npf_conf.c: revision 1.2
sys/net/npf/npf_instr.c: revision 1.16
sys/net/npf/npf_handler.c: revision 1.26
sys/net/npf/npf_impl.h: revision 1.26
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.14
sys/net/npf/npf_processor.c: revision 1.15
sys/net/npf/npf_impl.h: revision 1.27
sys/net/npf/npf_alg_icmp.c: revision 1.15
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.15
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.16
sys/net/npf/npf_ncode.h: revision 1.11
sys/net/npf/files.npf: revision 1.10
usr.sbin/npf/npftest/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.c: revision 1.30
lib/libnpf/npf.3: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.4
sys/net/npf/npf_session.c: revision 1.21
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.5
usr.sbin/npf/npfctl/npf_build.c: revision 1.18
usr.sbin/npf/npfctl/npf_build.c: revision 1.19
sys/net/npf/npf_alg.c: revision 1.7
usr.sbin/npf/npfctl/Makefile: revision 1.10
sys/net/npf/npf_inet.c: revision 1.21
sys/net/npf/npf.h: revision 1.26
sys/net/npf/npf.h: revision 1.27
usr.sbin/pf/ftp-proxy/Makefile: revision 1.8
sys/net/npf/npf_nat.c: revision 1.19
sys/net/npf/npf.c: revision 1.15
sys/net/npf/npf_state.c: revision 1.14
sys/net/npf/npf_sendpkt.c: revision 1.14
sys/rump/net/lib/libnpf/Makefile: revision 1.4
IPv6 linklocal address printing cosmetics
NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
Disable -DWITH_NPF for now; will be converted to BPF mechanism.
- Fix NPF config reload with dynamic rules present.
- Implement list and flush commands on a dynamic ruleset.
Allow filtering on IP addresses even if the L4 protocol is unknown.
Patch from spz@.
npftest: adjust for recent change.
 1.10.4.8 08-Feb-2013  riz Pull up following revision(s) (requested by rmind in ticket #777):
usr.sbin/npf/npfctl/npfctl.c: revision 1.27
sys/net/npf/npf_session.c: revision 1.19
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.4
sys/net/npf/npf_rproc.c: revision 1.5
usr.sbin/npf/npftest/README: revision 1.3
sys/sys/mbuf.h: revision 1.151
sys/net/npf/npf_ruleset.c: revision 1.15
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.3
sys/net/npf/npf_ruleset.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.4
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.4
sys/net/npf/npf_inet.c: revision 1.19
sys/net/npf/npf_instr.c: revision 1.15
sys/net/npf/npf_handler.c: revision 1.24
sys/net/npf/npf_handler.c: revision 1.25
sys/net/npf/npf_state_tcp.c: revision 1.12
sys/net/npf/npf_processor.c: revision 1.13
sys/net/npf/npf_impl.h: revision 1.25
sys/net/npf/npf_processor.c: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.10
sys/net/npf/npf_alg_icmp.c: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.9
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.3
sys/net/npf/npf_session.c: revision 1.20
sys/net/npf/npf_alg.c: revision 1.6
sys/kern/uipc_mbuf.c: revision 1.148
sys/net/npf/npf_inet.c: revision 1.20
sys/net/npf/npf.h: revision 1.25
sys/net/npf/npf_nat.c: revision 1.18
sys/net/npf/npf_state.c: revision 1.13
sys/net/npf/npf_sendpkt.c: revision 1.13
sys/net/npf/npf_ext_log.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.4
sys/net/npf/npf_ext_normalise.c: revision 1.2
- Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.
Silence gcc in npf_recache().
Add m_ensure_contig() routine, which is equivalent to m_pullup, but does not
destroy the mbuf chain on failure (it is kept valid).
- nbuf_ensure_contig: rework to use m_ensure_contig(9), which will not free
the mbuf chain on failure. Fixes some corner cases. Improve regression
test and sprinkle some asserts.
- npf_reassembly: clear nbuf on IPv6 reassembly failure path (partial fix).
The problem was found and fix provided by Anthony Mallet.
 1.10.4.7 16-Dec-2012  riz Pull up following revision(s) (requested by rmind in ticket #746):
sys/net/npf/npf_inet.c: revision 1.18
sys/net/npf/npf_mbuf.c: revision 1.8
sys/net/npf/npf.h: revision 1.23
npf_rwrcksum: handle delayed checksums in the network stack; also fix
non-NPF_NAT_PORTS case and add some comments. PR/47235.
 1.10.4.6 18-Nov-2012  riz Pull up following revision(s) (requested by rmind in ticket #693):
lib/npf/ext_normalise/shlib_version: revision 1.1
lib/libnpf/npf.c: revision 1.13
distrib/sets/lists/modules/mi: revision 1.48
sys/net/npf/npf_rproc.c: revision 1.3
sys/net/npf/npf_rproc.c: revision 1.4
sys/modules/npf/Makefile: revision 1.11
usr.sbin/npf/npfctl/npfctl.h: revision 1.20
lib/npf/ext_log/npfext_log.c: revision 1.1
lib/libnpf/npf.h: revision 1.11
sys/net/npf/npf_inet.c: revision 1.17
sys/net/npf/npf_log.c: file removal
sys/net/npf/npf_handler.c: revision 1.22
distrib/sets/lists/base/shl.mi: revision 1.636
sys/net/npf/npf_impl.h: revision 1.23
usr.sbin/npf/npfctl/Makefile: revision 1.8
lib/npf/Makefile: revision 1.1
lib/npf/ext_log/shlib_version: revision 1.1
lib/Makefile: revision 1.189
distrib/sets/lists/comp/shl.mi: revision 1.236
usr.sbin/npf/npfctl/npf_build.c: revision 1.14
distrib/sets/lists/base/mi: revision 1.1007
usr.sbin/npf/npfctl/npf_scan.l: revision 1.6
distrib/sets/lists/base/mi: revision 1.1009
sys/net/npf/npf.h: revision 1.21
lib/npf/ext_normalise/npfext_normalise.c: revision 1.1
etc/mtree/NetBSD.dist.base: revision 1.105
lib/libnpf/Makefile: revision 1.3
etc/mtree/NetBSD.dist.base: revision 1.106
usr.sbin/npf/npfctl/npf_extmod.c: revision 1.1
sys/net/npf/npf_ctl.c: revision 1.18
lib/npf/ext_log/Makefile: revision 1.1
distrib/sets/lists/comp/mi: revision 1.1781
usr.sbin/npf/npfctl/npf_var.h: revision 1.4
sys/net/npf/npf.c: revision 1.13
sys/modules/Makefile: revision 1.111
sys/net/npf/npf_ext_log.c: revision 1.1
lib/npf/Makefile.inc: revision 1.1
sys/net/npf/npf_ext_normalise.c: revision 1.1
sys/net/npf/files.npf: revision 1.8
sys/rump/net/lib/libnpf/Makefile: revision 1.2
sys/modules/npf_ext_log/Makefile: revision 1.1
lib/npf/ext_normalise/Makefile: revision 1.1
usr.sbin/npf/npfctl/npfctl.c: revision 1.20
usr.sbin/npf/npfctl/npf_parse.y: revision 1.13
sys/modules/npf_ext_normalise/Makefile: revision 1.1
Implement dynamic NPF extensions interface. An extension consists of
dynamically loaded module (.so) supplementing npfctl(8) and a kernel
module. Move normalisation and logging functionality into their own
extensions. More improvements to come.
Add /usr/lib/npf.
Add ./usr/libdata/debug/usr/lib/npf for rmind
Fix MKDEBUG set lists
ext_ops does not change during the life cycle and can be fetched without
the mutex held. This avoids confusion in the compiler about an uninitialized
variable ext_ops.
ok rmind@
 1.10.4.5 25-Jul-2012  jdc branches: 1.10.4.5.4;
Pull up revisions:
src/usr.sbin/npf/npfctl/npfctl.c revisions 1.16,1.17
src/sys/net/npf/npf.h revision 1.20
src/sys/net/npf/npf_alg_icmp.c revision 1.11
src/sys/net/npf/npf_impl.h revision 1.19
src/sys/net/npf/npf_inet.c revisions 1.15,1.16
src/sys/net/npf/npf_instr.c revision 1.14
src/sys/net/npf/npf_ncode.h revision 1.10
src/sys/net/npf/npf_processor.c revision 1.12
src/sys/net/npf/npf_session.c revision 1.16
src/usr.sbin/npf/npfctl/npf_build.c revision 1.12
src/usr.sbin/npf/npfctl/npf_data.c revisions 1.16,1.17
src/usr.sbin/npf/npfctl/npf_disassemble.c revision 1.8
src/usr.sbin/npf/npfctl/npf_ncgen.c revision 1.13
src/usr.sbin/npf/npfctl/npf_parse.y revision 1.11
src/usr.sbin/npf/npfctl/npf_scan.l revision 1.5
src/usr.sbin/npf/npfctl/npf_var.h revision 1.3
src/usr.sbin/npf/npfctl/npfctl.h revision 1.18
src/sys/net/npf/npf_state.c revision 1.10
src/sys/net/npf/npf_state_tcp.c revision 1.10
src/usr.sbin/npf/npftest/npfstream.c revision 1.2
src/usr.sbin/npf/npftest/libnpftest/npf_test_subr.c revision 1.2
(requested by rmind in ticket #435).

Add missing __dead.

teach npf ipv6-icmp
reviewed by rmind@

- npfctl_print_stats: beautification a la French style.
- npfctl_icmpcode: fix the build break.

- npf_fetch_tcpopts: fix off-by-one when validating TCP option length
against the maximum allowed.
- npf_tcp_inwindow: be more liberal with npf_fetch_tcpopts().
- Few minor improvements to npftest.
 1.10.4.4 16-Jul-2012  riz Pull up following revision(s) (requested by rmind in ticket #421):
lib/libnpf/npf.c: revision 1.10
sys/net/npf/npf_session.c: revision 1.15
sys/net/npf/npf_tableset.c: revision 1.13
sys/net/npf/npf_state_tcp.c: revision 1.9
usr.sbin/npf/npfctl/npf_data.c: revision 1.15
sys/net/npf/npf_inet.c: revision 1.14
sys/net/npf/npf_ruleset.c: revision 1.13
sys/net/npf/npf.h: revision 1.19
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.12
sys/net/npf/npf_instr.c: revision 1.13
sys/net/npf/npf_handler.c: revision 1.20
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.4
sys/net/npf/npf_alg_icmp.c: revision 1.10
usr.sbin/npf/npfctl/npfctl.c: revision 1.15
usr.sbin/npf/npfctl/npf_build.c: revision 1.11
lib/libnpf/npf.h: revision 1.9
sys/net/npf/npf_alg.c: revision 1.5
sys/rump/dev/lib/libnpf/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.h: revision 1.17
sys/net/npf/npf_ctl.c: revision 1.16
sys/net/npf/npf_nat.c: revision 1.15
sys/net/npf/npf_tableset_ptree.c: revision 1.1
sys/net/npf/npf.c: revision 1.12
sys/net/npf/npf_sendpkt.c: revision 1.12
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.7
sys/net/npf/npf_impl.h: revision 1.18
sys/net/npf/files.npf: revision 1.7
usr.sbin/npf/npfctl/npf_parse.y: revision 1.10
- Rework NPF tables and fix support for IPv6. Implement tree table type
using radix / Patricia tree. Universal IPv4/IPv6 comparator for ptree(3)
was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.
 1.10.4.3 05-Jul-2012  riz Pull up following revision(s) (requested by rmind in ticket #399):
sys/net/npf/npf_session.c: revision 1.14
sys/net/npf/npf_tableset.c: revision 1.12
sys/net/npf/npf_state_tcp.c: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.3
usr.sbin/npf/npfctl/npf_data.c: revision 1.14
sys/net/npf/npf_inet.c: revision 1.13
sys/net/npf/npf_ruleset.c: revision 1.12
sys/net/npf/npf.h: revision 1.18
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.8: revision 1.7
usr.sbin/npf/npfctl/npf_parse.y: revision 1.9
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.2
usr.sbin/npf/npfctl/npfctl.8: revision 1.8
sys/net/npf/npf_instr.c: revision 1.12
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.3
usr.sbin/npf/npfctl/npf.conf.5: revision 1.13
usr.sbin/npf/npfctl/npf.conf.5: revision 1.14
sys/net/npf/npf_state.c: revision 1.9
sys/net/npf/npf_processor.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.c: revision 1.13
usr.sbin/npf/npfctl/npfctl.c: revision 1.14
usr.sbin/npf/npfctl/npf_build.c: revision 1.10
lib/libnpf/npf.3: revision 1.5
lib/libnpf/npf.h: revision 1.8
share/man/man9/npf_ncode.9: revision 1.9
usr.sbin/npf/npfctl/npf_scan.l: revision 1.4
lib/libnpf/npf.c: revision 1.9
usr.sbin/npf/npfctl/npfctl.h: revision 1.16
sys/net/npf/npf_nat.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.2
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.6
sys/net/npf/npf_impl.h: revision 1.17
sys/net/npf/npf_handler.c: revision 1.18
sys/net/npf/npf_handler.c: revision 1.19
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.4
sys/net/npf/npf_ncode.h: revision 1.9
Fix and update npf.conf(5), npfctl(8) and its usage message.
npf_state_tcp: fix for FIN retransmission and out-of-order ACK case.
NPF improvements:
- Add NPF_OPCODE_PROTO to match the address and/or protocol only.
- Update parser to support arbitrary &quot;pass proto &lt;name/number&gt;&quot;.
- Fix IPv6 address and protocol handling (add a regression test).
- Fix few theorethical races in session handling module.
- Misc fixes, simplifications and some clean up.
npf_packet_handler: fix gcc unused warning.
 1.10.4.2 26-Jun-2012  riz Pull up following revision(s) (requested by rmind in ticket #365):
sys/rump/librump/rumpkern/rumpcpu_generic.c: revision 1.4
sys/net/npf/npf_session.c: revision 1.13
sys/net/npf/npf_tableset.c: revision 1.11
sys/net/npf/npf_state_tcp.c: revision 1.7
sys/net/npf/npf_inet.c: revision 1.12
sys/net/npf/npf.h: revision 1.17
sys/net/npf/npf_instr.c: revision 1.11
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.2
sys/net/npf/npf_state.c: revision 1.8
sys/net/npf/npf_log.c: revision 1.4
sys/net/npf/npf_alg.c: revision 1.4
sys/rump/librump/rumpkern/Makefile.rumpkern: revision 1.118
sys/net/npf/npf_nat.c: revision 1.13
sys/net/npf/npf.c: revision 1.11
sys/net/npf/npf_sendpkt.c: revision 1.11
sys/net/npf/npf_impl.h: revision 1.16
sys/rump/librump/rumpkern/scheduler.c: revision 1.28
rumpkern:
- Add subr_kcpuset.c and subr_pserialize.c modules.
- Add kcpuset_{running,attached} for RUMP env.
NPF:
- Rename some functions for consistency and de-inline them.
- Fix few invalid asserts (add regressoin test).
- Use pserialize(9) for ALG interface.
- Minor fixes, sprinkle many comments.
 1.10.4.1 03-Apr-2012  riz Pull up following revision(s) (requested by rmind in ticket #158):
sys/net/npf/npf_session.c: revision 1.12
sys/net/npf/npf_tableset.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.2
usr.sbin/npf/npfctl/npf_parse.y: revision 1.4
sys/net/npf/npf_inet.c: revision 1.11
sys/net/npf/npf.h: revision 1.15
usr.sbin/npf/npfctl/npf_build.c: revision 1.5
sys/net/npf/npf_ruleset.c: revision 1.11
sys/net/npf/npf_instr.c: revision 1.10
usr.sbin/npf/npfctl/Makefile: revision 1.6
sys/net/npf/npf_processor.c: revision 1.10
sys/net/npf/npf_log.c: revision 1.3
lib/libnpf/npf.h: revision 1.7
sys/net/npf/npf_alg.c: revision 1.3
sys/net/npf/npf_sendpkt.c: revision 1.9
lib/libnpf/npf.c: revision 1.8
usr.sbin/npf/npfctl/npfctl.h: revision 1.13
sys/net/npf/npf_ctl.c: revision 1.13
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.8
sys/net/npf/npf_ctl.c: revision 1.14
sys/net/npf/npf_nat.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.12
sys/net/npf/npf_impl.h: revision 1.11
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.1
sys/net/npf/npf_impl.h: revision 1.12
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.2
sys/net/npf/npf_handler.c: revision 1.14
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.3
sys/net/npf/npf_handler.c: revision 1.15
sys/net/npf/npf_ncode.h: revision 1.6
sys/net/npf/npf.c: revision 1.8
sys/net/npf/npf.c: revision 1.9
sys/net/npf/npf_alg_icmp.c: revision 1.9
sys/net/npf/npf_session.c: revision 1.11
- Add NPF_DECISION_BLOCK and NPF_DECISION_PASS. Be more defensive in the
packet handler. Change the default policy to block when the config is
loaded and set it to pass when flush operation is performed.
- Use kmem_zalloc(9) instead of kmem_alloc(9) in few places.
- npf_rproc_{create,release}: use kmem_intr_{alloc,free} as the destruction
of rule procedure might happen in the interrupt handler (under a very rare
condition, if config reload races with the handler).
- npf_session_establish: check whether layer 3 and 4 are cached.
- npfctl_build_group: do not make groups as passing rules.
- Remove some unecessary header inclusion.
Simplify slightly: merge iface into addr_or_iface, use it in filt_addr.
Add a small disassembler.
definitions used by the disassembler.
- better printing of type/code flags/mask
- pass the instruction start pointer, instead of subtracting 1 to account for it
- Save active config in proplib dictionary; add GETCONF ioctl to retrieve.
- Few fixes. Improve some comments.
don't leak the branch target array.
Add NPF config retrieval routines.
 1.10.4.9.2.2 17-May-2018  martin Pull up following revision(s) via patch (requested by maxv in ticket #1549):

sys/net/npf/npf_inet.c: revision 1.45
sys/net/npf/npf_alg_icmp.c: revision 1.27,1.28

Fix use-after-free.

The nbuf can be reallocated as a result of caching 'enpc', so it is
necessary to recache 'npc', otherwise it contains pointers to the freed
mbuf - pointers which are then used in the ruleset machinery.

We recache 'npc' when we are sure we won't use 'enpc' anymore, because
'enpc' can be clobbered as a result of caching 'npc' (in other words,
only one of the two can be cached at the same time).

Also, we recache 'npc' unconditionally, because there is no way to know
whether the nbuf got clobbered relatively to it. We can't use the
NBUF_DATAREF_RESET flag, because it is stored in the nbuf and not in the
cache.

Discussed with rmind@.

Change npf_cache_all so that it ensures the potential ICMP Query Id is in
the nbuf. In such a way that we don't need to ensure that later.
Change npfa_icmp4_inspect and npfa_icmp6_inspect so that they touch neither
the nbuf nor npc. Adapt their callers accordingly.

In the end, if a packet has a Query Id, we set NPC_ICMP_ID in npc and leave
right away, without recaching npc (not needed since we didn't touch the
nbuf).

This fixes the handling of Query Id packets (that I broke in my previous
commit), and also fixes another possible use-after-free.
 1.10.4.9.2.1 13-Sep-2013  msaitoh Pull up following revision (requested by riz in ticket #942):
/sys/net/npf/npf_inet.c revision 1.23
Fix bugs to prevent panic:
- npf_cache_ip: re-fetch IPv6 header since nbufs might have been reallocated.
- npf_cache_all: clear NBUF_DATAREF_RESET since npf_cache_ip() handles it.
 1.10.4.5.4.1 16-Dec-2012  riz Pull up following revision(s) (requested by rmind in ticket #746):
sys/net/npf/npf_inet.c: revision 1.18
sys/net/npf/npf_mbuf.c: revision 1.8
sys/net/npf/npf.h: revision 1.23
npf_rwrcksum: handle delayed checksums in the network stack; also fix
non-NPF_NAT_PORTS case and add some comments. PR/47235.
 1.10.2.1 24-Feb-2012  mrg sync to -current.
 1.16.2.5 03-Dec-2017  jdolecek update from HEAD
 1.16.2.4 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.16.2.3 23-Jun-2013  tls resync from head
 1.16.2.2 25-Feb-2013  tls resync with head
 1.16.2.1 20-Nov-2012  tls Resync to 2012-11-19 00:00:00 UTC
 1.22.2.2 18-May-2014  rmind sync with head
 1.22.2.1 28-Aug-2013  rmind sync with head
 1.30.2.1 10-Aug-2014  tls Rebase.
 1.32.10.1 14-May-2018  martin Pull up following revision(s) (requested by maxv in ticket #1605):

sys/net/npf/npf_inet.c: revision 1.45
sys/net/npf/npf_alg_icmp.c: revision 1.27-1.29

Fix use-after-free.

The nbuf can be reallocated as a result of caching 'enpc', so it is
necessary to recache 'npc', otherwise it contains pointers to the freed
mbuf - pointers which are then used in the ruleset machinery.
We recache 'npc' when we are sure we won't use 'enpc' anymore, because
'enpc' can be clobbered as a result of caching 'npc' (in other words,
only one of the two can be cached at the same time).
Also, we recache 'npc' unconditionally, because there is no way to know
whether the nbuf got clobbered relatively to it. We can't use the
NBUF_DATAREF_RESET flag, because it is stored in the nbuf and not in the
cache.
Discussed with rmind@.

Change npf_cache_all so that it ensures the potential ICMP Query Id is in
the nbuf. In such a way that we don't need to ensure that later.
Change npfa_icmp4_inspect and npfa_icmp6_inspect so that they touch neither
the nbuf nor npc. Adapt their callers accordingly.
In the end, if a packet has a Query Id, we set NPC_ICMP_ID in npc and leave
right away, without recaching npc (not needed since we didn't touch the
nbuf).
This fixes the handling of Query Id packets (that I broke in my previous
commit), and also fixes another possible use-after-free.

Ah, fix compilation. I tested my previous change by loading the kernel
module from the filesystem, but the Makefile didn't have DIAGNOSTIC
enabled, and the two KASSERTs I added did not compile properly.
 1.32.6.1 14-May-2018  martin Pull up following revision(s) (requested by maxv in ticket #1605):

sys/net/npf/npf_inet.c: revision 1.45
sys/net/npf/npf_alg_icmp.c: revision 1.27-1.29

Fix use-after-free.

The nbuf can be reallocated as a result of caching 'enpc', so it is
necessary to recache 'npc', otherwise it contains pointers to the freed
mbuf - pointers which are then used in the ruleset machinery.
We recache 'npc' when we are sure we won't use 'enpc' anymore, because
'enpc' can be clobbered as a result of caching 'npc' (in other words,
only one of the two can be cached at the same time).
Also, we recache 'npc' unconditionally, because there is no way to know
whether the nbuf got clobbered relatively to it. We can't use the
NBUF_DATAREF_RESET flag, because it is stored in the nbuf and not in the
cache.
Discussed with rmind@.

Change npf_cache_all so that it ensures the potential ICMP Query Id is in
the nbuf. In such a way that we don't need to ensure that later.
Change npfa_icmp4_inspect and npfa_icmp6_inspect so that they touch neither
the nbuf nor npc. Adapt their callers accordingly.
In the end, if a packet has a Query Id, we set NPC_ICMP_ID in npc and leave
right away, without recaching npc (not needed since we didn't touch the
nbuf).
This fixes the handling of Query Id packets (that I broke in my previous
commit), and also fixes another possible use-after-free.

Ah, fix compilation. I tested my previous change by loading the kernel
module from the filesystem, but the Makefile didn't have DIAGNOSTIC
enabled, and the two KASSERTs I added did not compile properly.
 1.32.4.5 28-Aug-2017  skrll Sync with HEAD
 1.32.4.4 05-Feb-2017  skrll Sync with HEAD
 1.32.4.3 05-Dec-2016  skrll Sync with HEAD
 1.32.4.2 19-Mar-2016  skrll Sync with HEAD
 1.32.4.1 27-Dec-2015  skrll Sync with HEAD (as of 26th Dec)
 1.32.2.3 14-May-2018  martin Pull up following revision(s) (requested by maxv in ticket #1605):

sys/net/npf/npf_inet.c: revision 1.45
sys/net/npf/npf_alg_icmp.c: revision 1.27-1.29

Fix use-after-free.

The nbuf can be reallocated as a result of caching 'enpc', so it is
necessary to recache 'npc', otherwise it contains pointers to the freed
mbuf - pointers which are then used in the ruleset machinery.
We recache 'npc' when we are sure we won't use 'enpc' anymore, because
'enpc' can be clobbered as a result of caching 'npc' (in other words,
only one of the two can be cached at the same time).
Also, we recache 'npc' unconditionally, because there is no way to know
whether the nbuf got clobbered relatively to it. We can't use the
NBUF_DATAREF_RESET flag, because it is stored in the nbuf and not in the
cache.
Discussed with rmind@.

Change npf_cache_all so that it ensures the potential ICMP Query Id is in
the nbuf. In such a way that we don't need to ensure that later.
Change npfa_icmp4_inspect and npfa_icmp6_inspect so that they touch neither
the nbuf nor npc. Adapt their callers accordingly.
In the end, if a packet has a Query Id, we set NPC_ICMP_ID in npc and leave
right away, without recaching npc (not needed since we didn't touch the
nbuf).
This fixes the handling of Query Id packets (that I broke in my previous
commit), and also fixes another possible use-after-free.

Ah, fix compilation. I tested my previous change by loading the kernel
module from the filesystem, but the Makefile didn't have DIAGNOSTIC
enabled, and the two KASSERTs I added did not compile properly.
 1.32.2.2 22-May-2017  martin Pull up missing part of rev 1.33, partly pulled up in ticket #1394:
make DDB print ipv6 addresses too
 1.32.2.1 12-May-2017  snj Pull up following revision(s) (requested by jnemeth in ticket #1394):
sys/net/npf/npf_inet.c: revisions 1.34, 1.35 via patch
sys/net/npf/npf_mbuf.c: revision 1.16
sys/net/npf/npf_nat.c: revision 1.40
minimal changes necessary to link into an INET6-less kernel.
--
fixup misplaced #endif
 1.34.2.2 20-Mar-2017  pgoyette Sync with HEAD
 1.34.2.1 07-Jan-2017  pgoyette Sync with HEAD. (Note that most of these changes are simply $NetBSD$
tag issues.)
 1.36.2.1 21-Apr-2017  bouyer Sync with HEAD
 1.37.12.8 26-Jan-2019  pgoyette Sync with HEAD
 1.37.12.7 30-Sep-2018  pgoyette Ssync with HEAD
 1.37.12.6 06-Sep-2018  pgoyette Sync with HEAD

Resolve a couple of conflicts (result of the uimin/uimax changes)
 1.37.12.5 16-Apr-2018  pgoyette Sync with HEAD, resolve some conflicts
 1.37.12.4 07-Apr-2018  pgoyette Sync with HEAD. 77 conflicts resolved - all of them $NetBSD$
 1.37.12.3 30-Mar-2018  pgoyette Resolve conflicts between branch and HEAD
 1.37.12.2 22-Mar-2018  pgoyette Synch with HEAD, resolve conflicts
 1.37.12.1 15-Mar-2018  pgoyette Synch with HEAD
 1.37.6.2 14-May-2018  martin Pull up following revision(s) (requested by maxv in ticket #823):

sys/net/npf/npf_inet.c: revision 1.45-1.47
sys/net/npf/npf_alg_icmp.c: revision 1.27-1.30
sys/net/npf/npf_sendpkt.c: revision 1.19

Fix use-after-free.

The nbuf can be reallocated as a result of caching 'enpc', so it is
necessary to recache 'npc', otherwise it contains pointers to the freed
mbuf - pointers which are then used in the ruleset machinery.

We recache 'npc' when we are sure we won't use 'enpc' anymore, because
'enpc' can be clobbered as a result of caching 'npc' (in other words,
only one of the two can be cached at the same time).
Also, we recache 'npc' unconditionally, because there is no way to know
whether the nbuf got clobbered relatively to it. We can't use the
NBUF_DATAREF_RESET flag, because it is stored in the nbuf and not in the
cache.

Discussed with rmind@.

Change npf_cache_all so that it ensures the potential ICMP Query Id is in
the nbuf. In such a way that we don't need to ensure that later.
Change npfa_icmp4_inspect and npfa_icmp6_inspect so that they touch neither
the nbuf nor npc. Adapt their callers accordingly.

In the end, if a packet has a Query Id, we set NPC_ICMP_ID in npc and leave
right away, without recaching npc (not needed since we didn't touch the
nbuf).

This fixes the handling of Query Id packets (that I broke in my previous
commit), and also fixes another possible use-after-free.

Retrieve the complete IPv4 header right away, and make sure we did retrieve
the IPv6 option header we were iterating on.

Ah, fix compilation. I tested my previous change by loading the kernel
module from the filesystem, but the Makefile didn't have DIAGNOSTIC
enabled, and the two KASSERTs I added did not compile properly.

If we fail to advance inside TCP/UDP/ICMPv4/ICMPv6, stop pretending L4
is unknown, and error out right away.

This prevents bugs in machinery, if a place looks for L4 in 'npc_proto'
without checking the cache too. I've seen a ~similar problem already.

In addition to checking L4 in the cache, here we also need to check the
protocol. The NPF entry point does not ensure that
ICMPv6 can be set only in IPv6
ICMPv4 can be set only in IPv4
So we could have ICMPv6 in IPv4.

apply some INET6 so this compiles in INET6-less kernels again.
 1.37.6.1 09-May-2018  martin Pull up following revision(s) (requested by maxv in ticket #817):

sys/net/npf/npf_inet.c: revision 1.38-1.44
sys/net/npf/npf_handler.c: revision 1.38-1.39
sys/net/npf/npf_alg_icmp.c: revision 1.26
sys/net/npf/npf.h: revision 1.56
sys/net/npf/npf_sendpkt.c: revision 1.17-1.18

Declare NPC_FMTERR, and use it to kick malformed packets. Several sanity
checks are added in IPv6; after we see the first IPPROTO_FRAGMENT header,
we are allowed to fail to advance, otherwise we kick the packet.
Sent on tech-net@ a few days ago, no response, but I'm committing it now
anyway.

Switch nptr to uint8_t, and use nbuf_ensure_contig. Makes us use fewer
magic values.

Remove dead branches, 'npc' can't be NULL (and it is dereferenced
earlier).

Fix two consecutive mistakes.

The first mistake was npf_inet.c rev1.37:
"Don't reassemble ipv6 fragments, instead treat the first fragment
as a regular packet (subject to filtering rules), and pass
subsequent fragments in the same group unconditionally."

Doing this was entirely wrong, because then a packet just had to push
the L4 payload in a secondary fragment, and NPF wouldn't apply rules on
it - meaning any IPv6 packet could bypass >=L4 filtering. This mistake
was supposed to be a fix for the second mistake.

The second mistake was that ip6_reass_packet (in npf_reassembly) was
getting called with npc->npc_hlen. But npc_hlen pointed to the last
encountered header in the IPv6 chain, which was not necessarily the
fragment header. So ip6_reass_packet was given garbage, and would fail,
resulting in the packet getting kicked. So basically IPv6 was broken by
NPF.

The first mistake is reverted, and the second one is fixed by doing:
- hlen = sizeof(struct ip6_frag);
+ hlen = 0;

Now the iteration stops on the fragment header, and the call to
ip6_reass_packet is valid.

My npf_inet.c rev1.38 is partially reverted: we don't need to worry
about failing properly to advance; once the packet is reassembled
npf_cache_ip gets called again, and this time the whole chain should be
there.

Tested with a simple UDPv6 server - send a 3000-byte-sized buffer, the
packet gets correctly reassembled by NPF now.

Mmh, put back the RFC6946 check (about dummy fragments), otherwise NPF
is not happy in npf_reassembly, because NPC_IPFRAG is again returned after
the packet was reassembled.

I'm wondering whether it would not be better to just remove the fragment
header in frag6_input directly.

Fix the "return-rst" rule on IPv6 packets.
The scopes needed to be set on the addresses before invoking ip6_output,
because ip6_output needs them. The reason they are not here already is
because pfil_run_hooks (in ip6_input) is called _before_ the kernel
initializes the scopes.

Until now ip6_output was always failing, and the IPv6-TCP-RST packet was
never actually sent.

Perhaps it would be better to have the kernel initialize the scopes
before invoking pfil_run_hooks, but several things will need to be fixed
in several places.

Tested with a simple TCPv6 server. Until now the client would block
waiting for an answer that never came; now it receives an RST right away
and closes the connection, as expected.
I believe that the same problem exists in the "return-icmp" rules, but I
can't investigate this right now (some problems with wireshark).

Fix the IPv6 payload computation in npf_tcpsaw. It was incorrect, and this
caused the "return-rst" rules to send back an RST with the wrong ACK when
the received SYN had an IPv6 option.

Set the scopes before calling icmp6_error(). This fixes a bug similar to
the one I fixed in rev1.17: since the scopes were not set the packet was
never actually sent.

Tested with wireshark, now the ICMPv6 reply is correctly sent, as
expected.

Don't read the L4 payload after IPPROTO_AH when handling IPv6 packets.
AH must be considered as the payload, otherwise a

block all
pass in proto ah from any
pass out proto ah from any

configuration will actually block everything, because NPF checks the
protocol against the one found after AH, and not AH itself.

In addition it may have been a problem for stateful connections; an AH
packet sent by an attacker with an incorrect authentication and a correct
TCP/UDP/whatever payload from an active connection could manage to change
NPF's FSM state, which would perhaps have altered the legitimate
connection with the authenticated remote IPsec host.

Note that IPv4 already doesn't go beyond AH, which is the correct
behavior.

Add XXX (we don't handle IPv6 Jumbograms), and whitespace.
 1.50.2.2 13-Apr-2020  martin Mostly merge changes from HEAD upto 20200411
 1.50.2.1 10-Jun-2019  christos Sync with HEAD
 1.54.2.3 20-Jun-2020  martin Pull up following revision(s) (requested by rmind in ticket #956):

usr.sbin/npf/npf-params.7: revision 1.4
sys/net/npf/npf_worker.c: revision 1.9
usr.sbin/npf/npftest/npftest.h: revision 1.17
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.16
usr.sbin/npf/npf-params.7: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.21
usr.sbin/npf/npfctl/npf_build.c: revision 1.55
usr.sbin/npf/npf-params.7: revision 1.6
sys/net/npf/npfkern.h: revision 1.5
lib/libnpf/npf.c: revision 1.49
usr.sbin/npf/npf-params.7: revision 1.7
sys/net/npf/npf_impl.h: revision 1.81
sys/net/npf/npf_ext_log.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.h: revision 1.53
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.50
sys/net/npf/npf_mbuf.c: revision 1.24
sys/net/npf/npf_alg.c: revision 1.22
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: file removal
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.10
sys/net/npf/npf.h: revision 1.63
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.21
usr.sbin/npf/npfctl/npf_var.c: revision 1.13
sys/net/npf/files.npf: revision 1.23
usr.sbin/npf/npfctl/npf_show.c: revision 1.32
usr.sbin/npf/npfctl/npf.conf.5: revision 1.91
sys/net/npf/npf_os.c: revision 1.18
sys/net/npf/npf_connkey.c: revision 1.2
sys/net/npf/npf_conf.c: revision 1.17
lib/libnpf/libnpf.3: revision 1.12
usr.sbin/npf/npftest/npftest.c: revision 1.25
usr.sbin/npf/npftest/libnpftest/npf_gc_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.51
sys/net/npf/npf_tableset.c: revision 1.35
usr.sbin/npf/npftest/npftest.conf: revision 1.9
sys/net/npf/npf_sendpkt.c: revision 1.22
usr.sbin/npf/npfctl/npf_var.h: revision 1.10
sys/net/npf/npf_state.c: revision 1.23
sys/net/npf/npf_conn.h: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.64
usr.sbin/npf/npfctl/npf_cmd.c: revision 1.1
sys/net/npf/npf_portmap.c: revision 1.5
sys/net/npf/npf_params.c: revision 1.3
usr.sbin/npf/npfctl/npf_scan.l: revision 1.32
tests/net/npf/t_npf.sh: revision 1.4
sys/net/npf/npf_ext_rndblock.c: revision 1.9
lib/libnpf/npf.h: revision 1.39
sys/net/npf/npf_ruleset.c: revision 1.51
sys/net/npf/npf_alg_icmp.c: revision 1.33
sys/net/npf/npf.c: revision 1.43
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.8: revision 1.25
sys/net/npf/npf_ctl.c: revision 1.60
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.11
sys/net/npf/npf_handler.c: revision 1.49
sys/net/npf/npf_inet.c: revision 1.57
sys/net/npf/npf_ifaddr.c: revision 1.7
sys/net/npf/npf_conndb.c: revision 1.9
sys/net/npf/npf_if.c: revision 1.13
usr.sbin/npf/npfctl/Makefile: revision 1.15
sys/net/npf/npf_conn.c: revision 1.32
sys/net/npf/npf_ext_normalize.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.20
sys/net/npf/npf_worker.c: revision 1.8

Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.

npf_worker_sys{init,fini}: initialize/destroy the exit_cv condvar.

npftest -- npf_test_init(): add a workaround for NetBSD.

npf-params(7): fix the state.key defaults.

npf-params.7: s/filer/filter/

Adjust to "npfctl debug" command line changes, from rmind@.

Use more markup.
 1.54.2.2 25-May-2020  martin Pull up following revision(s) (requested by rmind in ticket #930):

usr.sbin/npf/npfctl/npf_build.c: revision 1.54
sys/net/npf/npf_conn.h: revision 1.19
usr.sbin/npf/npfctl/npfctl.h: revision 1.52
usr.sbin/npf/npfctl/npf_show.c: revision 1.31
sys/net/npf/npf_conf.c: revision 1.16
sys/net/npf/npf_nat.c: revision 1.49
sys/net/npf/npf_inet.c: revision 1.56
sys/net/npf/npf_conndb.c: revision 1.8
sys/net/npf/npf_conn.c: revision 1.31

Backport selected NPF fixes from the upstream (to be pulled up):

- npf_conndb_lookup: protect the connection lookup with pserialize(9),
instead of incorrectly assuming that the handler always runs at IPL_SOFNET.
Should fix crashes reported on high load (PR/55182).

- npf_config_destroy: handle partially initialized config; fixes crashes
with some invalid configurations.

- NAT policy creation / destruction: set the initial reference and do not
wait for reference draining on destruction; destroy the policy on the
last reference drop instead. Fixes a lockup with the dynamic NAT rules.

- npf_nat_{export,import}: fix a regression since dynamic NAT rules.

- npfctl: fix a regression and restore the default group behaviour.

- Add npf_cache_tcp() and validate the TCP data offset (from maxv@).
 1.54.2.1 13-Aug-2019  martin Pull up following revision(s) (requested by rmind in ticket #49):

usr.sbin/npf/npf.7: revision 1.7
sys/net/npf/npfkern.h: revision 1.4
sys/net/npf/npf_conn.h: revision 1.18
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.13
sys/net/npf/npf_ctl.c: revision 1.55
sys/net/npf/npf_os.c: revision 1.14
sys/net/npf/npf_conf.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/npf_perf_test.c: revision 1.9
sys/net/npf/npf_impl.h: revision 1.76
sys/net/npf/npf_portmap.c: revision 1.4
sys/net/npf/npf_params.c: revision 1.2
sys/net/npf/npf.c: revision 1.40
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.18
sys/net/npf/npf_nat.c: revision 1.47
sys/net/npf/npf_handler.c: revision 1.47
sys/net/npf/npf_inet.c: revision 1.55
sys/net/npf/npf_if.c: revision 1.10
sys/net/npf/npf_worker.c: revision 1.7
usr.sbin/npf/npf-params.7: revision 1.3

npf-params(7): add more bpf.jit details.
From David H. Gutteridge.

Adjust some internal NPF APIs:
* npfkern: use the npfk_ prefix.
* NPF portmap: amend the API so it could be used elsewhere.
* Make npf_connkey_t public.

npf.7: add xref to npf-params.7
(Adding directly here since this particular file isn't included in
rmind@'s upstream GitHub repo at present.)
 1.57.26.1 02-Aug-2025  perseant Sync with HEAD
 1.17 19-Sep-2013  rmind NPF: G/C n-code in favour of BPF byte-code. Delete lots of code, mmm!
 1.16 09-Feb-2013  rmind branches: 1.16.2;
NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
 1.15 24-Dec-2012  rmind - Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.
 1.14 19-Jul-2012  spz branches: 1.14.2;
teach npf ipv6-icmp
reviewed by rmind@
 1.13 15-Jul-2012  rmind - Rework NPF tables and fix support for IPv6. Implement tree table type
using radix / Patricia tree. Universal IPv4/IPv6 comparator for ptree(3)
was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.
 1.12 01-Jul-2012  rmind NPF improvements:
- Add NPF_OPCODE_PROTO to match the address and/or protocol only.
- Update parser to support arbitrary "pass proto <name/number>".
- Fix IPv6 address and protocol handling (add a regression test).
- Fix few theorethical races in session handling module.
- Misc fixes, simplifications and some clean up.
 1.11 22-Jun-2012  rmind NPF:
- Rename some functions for consistency and de-inline them.
- Fix few invalid asserts (add regressoin test).
- Use pserialize(9) for ALG interface.
- Minor fixes, sprinkle many comments.
 1.10 20-Feb-2012  rmind - Add NPF_DECISION_BLOCK and NPF_DECISION_PASS. Be more defensive in the
packet handler. Change the default policy to block when the config is
loaded and set it to pass when flush operation is performed.
- Use kmem_zalloc(9) instead of kmem_alloc(9) in few places.
- npf_rproc_{create,release}: use kmem_intr_{alloc,free} as the destruction
of rule procedure might happen in the interrupt handler (under a very rare
condition, if config reload races with the handler).
- npf_session_establish: check whether layer 3 and 4 are cached.
- npfctl_build_group: do not make groups as passing rules.
- Remove some unecessary header inclusion.
 1.9 15-Jan-2012  rmind branches: 1.9.2;
- Expire all sessions on flush.
- Enable checking for zero mask in IP{4,6}MATCH after npfctl changes.
- Make locking symmetric for npf_ruleset_inspect().
- Sync function prototypes in npf(3) man page with reality.
- Rename NPF_TABLE_RBTREE to NPF_TABLE_TREE.
 1.8 29-Nov-2011  rmind branches: 1.8.2;
- Rework and improve TCP state tracking.
- Fix regressions after IPv6 patch merge.

Note: npfctl(8) rework will come soon.
 1.7 06-Nov-2011  rmind Few fixes, KNF/style, bump the NPF version.
 1.6 04-Nov-2011  zoltan Add IPv6 support for NPF.
 1.5 18-Jan-2011  rmind branches: 1.5.4; 1.5.8;
NPF checkpoint:
- Add the concept of rule procedure: separate normalization, logging and
potentially other functions from the rule structure. Rule procedure can be
shared amongst the rules. Separation is both at kernel level (npf_rproc_t)
and configuration ("procedure" + "apply").
- Fix portmap sharing for NAT policy.
- Update TCP state tracking logic. Use TCP FSM definitions.
- Add if_byindex(), OK by matt@. Use in logging for the lookup.
- Fix traceroute ALG and many other bugs; misc clean-up.
 1.4 11-Nov-2010  rmind branches: 1.4.2;
NPF checkpoint:
- Add proper TCP state tracking as described in Guido van Rooij paper,
plus handle TCP Window Scaling option.
- Completely rework npf_cache_t, reduce granularity, simplify code.
- Add npf_addr_t as an abstraction, amend session handling code, as well
as NAT code et al, to use it. Now design is prepared for IPv6 support.
- Handle IPv4 fragments i.e. perform packet reassembly.
- Add support for IPv4 ID randomization and minimum TTL enforcement.
- Add support for TCP MSS "clamping".
- Random bits for IPv6. Various fixes and clean-up.
 1.3 25-Sep-2010  rmind branches: 1.3.2; 1.3.4;
Add nbuf_advfetch() and simplify some code slightly.
 1.2 16-Sep-2010  rmind NPF checkpoint:
- Add support for bi-directional NAT and redirection / port forwarding.
- Finish filtering on ICMP type/code and add filtering on TCP flags.
- Add support for TCP reset (RST) or ICMP destination unreachable on block.
- Fix a bunch of bugs; misc cleanup.
 1.1 22-Aug-2010  rmind Import NPF - a packet filter. Some features:

- Designed to be fully MP-safe and highly efficient.

- Tables/IP sets (hash or red-black tree) for high performance lookups.

- Stateful filtering and Network Address Port Translation (NAPT).
Framework for application level gateways (ALGs).

- Packet inspection engine called n-code processor - inspired by BPF -
supporting generic RISC-like and specific CISC-like instructions for
common patterns (e.g. IPv4 address matching). See npf_ncode(9) manual.

- Convenient userland utility npfctl(8) with npf.conf(8).

NOTE: This is not yet a fully capable alternative to PF or IPFilter.
Further work (support for binat/rdr, return-rst/return-icmp, common ALGs,
state saving/restoring, logging, etc) is in progress.

Thanks a lot to Matt Thomas for various useful comments and code review.
Aye by: board@
 1.3.4.2 22-Oct-2010  uebayasi Sync with HEAD (-D20101022).
 1.3.4.1 25-Sep-2010  uebayasi file npf_instr.c was added on branch uebayasi-xip on 2010-10-22 09:23:15 +0000
 1.3.2.2 09-Oct-2010  yamt sync with head
 1.3.2.1 25-Sep-2010  yamt file npf_instr.c was added on branch yamt-nfs-mp on 2010-10-09 03:32:37 +0000
 1.4.2.1 06-Jun-2011  jruoho Sync with HEAD.
 1.5.8.5 22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.5.8.4 23-Jan-2013  yamt sync with head
 1.5.8.3 30-Oct-2012  yamt sync with head
 1.5.8.2 17-Apr-2012  yamt sync with head
 1.5.8.1 10-Nov-2011  yamt sync with head
 1.5.4.2 05-Mar-2011  rmind sync with head
 1.5.4.1 18-Jan-2011  rmind file npf_instr.c was added on branch rmind-uvmplock on 2011-03-05 20:55:55 +0000
 1.8.2.2 24-Feb-2012  mrg sync to -current.
 1.8.2.1 18-Feb-2012  mrg merge to -current.
 1.9.2.8 17-Nov-2013  bouyer Apply patch, requested by rmind in ticket 986:
usr.sbin/npf/npfctl/npf_ncgen.c patch
sys/net/npf/npf_instr.c patch
fix the byteorder for port range comparison
 1.9.2.7 11-Feb-2013  riz branches: 1.9.2.7.2;
Pull up following revision(s) (requested by rmind in ticket #817):
usr.sbin/npf/npfctl/npfctl.8: revision 1.12
usr.sbin/npf/npfctl/npf.conf.5: revision 1.27
usr.sbin/npf/npfctl/npf_parse.y: revision 1.18
usr.sbin/npf/npfctl/npf_build.c: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.28
lib/libnpf/npf.c: revision 1.16
usr.sbin/npf/npfctl/npfctl.c: revision 1.29
lib/libnpf/npf.c: revision 1.17
sys/modules/npf/Makefile: revision 1.12
sys/net/npf/npf_rproc.c: revision 1.6
usr.sbin/npf/npftest/README: revision 1.4
sys/net/npf/npf_tableset.c: revision 1.17
sys/net/npf/npf_ctl.c: revision 1.21
sys/net/npf/npf_ctl.c: revision 1.22
usr.sbin/npf/npfctl/npfctl.h: revision 1.25
lib/libnpf/npf.h: revision 1.13
usr.sbin/npf/npftest/npftest.conf: revision 1.2
usr.sbin/npf/npfctl/npfctl.h: revision 1.26
sys/net/npf/npf_ruleset.c: revision 1.17
lib/libnpf/npf.h: revision 1.14
sys/net/npf/npf_ruleset.c: revision 1.18
sys/net/npf/npf_conf.c: revision 1.1
usr.sbin/npf/npfctl/npf_scan.l: revision 1.10
sys/net/npf/npf_conf.c: revision 1.2
sys/net/npf/npf_instr.c: revision 1.16
sys/net/npf/npf_handler.c: revision 1.26
sys/net/npf/npf_impl.h: revision 1.26
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.14
sys/net/npf/npf_processor.c: revision 1.15
sys/net/npf/npf_impl.h: revision 1.27
sys/net/npf/npf_alg_icmp.c: revision 1.15
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.15
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.16
sys/net/npf/npf_ncode.h: revision 1.11
sys/net/npf/files.npf: revision 1.10
usr.sbin/npf/npftest/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.c: revision 1.30
lib/libnpf/npf.3: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.4
sys/net/npf/npf_session.c: revision 1.21
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.5
usr.sbin/npf/npfctl/npf_build.c: revision 1.18
usr.sbin/npf/npfctl/npf_build.c: revision 1.19
sys/net/npf/npf_alg.c: revision 1.7
usr.sbin/npf/npfctl/Makefile: revision 1.10
sys/net/npf/npf_inet.c: revision 1.21
sys/net/npf/npf.h: revision 1.26
sys/net/npf/npf.h: revision 1.27
usr.sbin/pf/ftp-proxy/Makefile: revision 1.8
sys/net/npf/npf_nat.c: revision 1.19
sys/net/npf/npf.c: revision 1.15
sys/net/npf/npf_state.c: revision 1.14
sys/net/npf/npf_sendpkt.c: revision 1.14
sys/rump/net/lib/libnpf/Makefile: revision 1.4
IPv6 linklocal address printing cosmetics
NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
Disable -DWITH_NPF for now; will be converted to BPF mechanism.
- Fix NPF config reload with dynamic rules present.
- Implement list and flush commands on a dynamic ruleset.
Allow filtering on IP addresses even if the L4 protocol is unknown.
Patch from spz@.
npftest: adjust for recent change.
 1.9.2.6 08-Feb-2013  riz Pull up following revision(s) (requested by rmind in ticket #777):
usr.sbin/npf/npfctl/npfctl.c: revision 1.27
sys/net/npf/npf_session.c: revision 1.19
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.4
sys/net/npf/npf_rproc.c: revision 1.5
usr.sbin/npf/npftest/README: revision 1.3
sys/sys/mbuf.h: revision 1.151
sys/net/npf/npf_ruleset.c: revision 1.15
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.3
sys/net/npf/npf_ruleset.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.4
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.4
sys/net/npf/npf_inet.c: revision 1.19
sys/net/npf/npf_instr.c: revision 1.15
sys/net/npf/npf_handler.c: revision 1.24
sys/net/npf/npf_handler.c: revision 1.25
sys/net/npf/npf_state_tcp.c: revision 1.12
sys/net/npf/npf_processor.c: revision 1.13
sys/net/npf/npf_impl.h: revision 1.25
sys/net/npf/npf_processor.c: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.10
sys/net/npf/npf_alg_icmp.c: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.9
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.3
sys/net/npf/npf_session.c: revision 1.20
sys/net/npf/npf_alg.c: revision 1.6
sys/kern/uipc_mbuf.c: revision 1.148
sys/net/npf/npf_inet.c: revision 1.20
sys/net/npf/npf.h: revision 1.25
sys/net/npf/npf_nat.c: revision 1.18
sys/net/npf/npf_state.c: revision 1.13
sys/net/npf/npf_sendpkt.c: revision 1.13
sys/net/npf/npf_ext_log.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.4
sys/net/npf/npf_ext_normalise.c: revision 1.2
- Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.
Silence gcc in npf_recache().
Add m_ensure_contig() routine, which is equivalent to m_pullup, but does not
destroy the mbuf chain on failure (it is kept valid).
- nbuf_ensure_contig: rework to use m_ensure_contig(9), which will not free
the mbuf chain on failure. Fixes some corner cases. Improve regression
test and sprinkle some asserts.
- npf_reassembly: clear nbuf on IPv6 reassembly failure path (partial fix).
The problem was found and fix provided by Anthony Mallet.
 1.9.2.5 25-Jul-2012  jdc branches: 1.9.2.5.4;
Pull up revisions:
src/usr.sbin/npf/npfctl/npfctl.c revisions 1.16,1.17
src/sys/net/npf/npf.h revision 1.20
src/sys/net/npf/npf_alg_icmp.c revision 1.11
src/sys/net/npf/npf_impl.h revision 1.19
src/sys/net/npf/npf_inet.c revisions 1.15,1.16
src/sys/net/npf/npf_instr.c revision 1.14
src/sys/net/npf/npf_ncode.h revision 1.10
src/sys/net/npf/npf_processor.c revision 1.12
src/sys/net/npf/npf_session.c revision 1.16
src/usr.sbin/npf/npfctl/npf_build.c revision 1.12
src/usr.sbin/npf/npfctl/npf_data.c revisions 1.16,1.17
src/usr.sbin/npf/npfctl/npf_disassemble.c revision 1.8
src/usr.sbin/npf/npfctl/npf_ncgen.c revision 1.13
src/usr.sbin/npf/npfctl/npf_parse.y revision 1.11
src/usr.sbin/npf/npfctl/npf_scan.l revision 1.5
src/usr.sbin/npf/npfctl/npf_var.h revision 1.3
src/usr.sbin/npf/npfctl/npfctl.h revision 1.18
src/sys/net/npf/npf_state.c revision 1.10
src/sys/net/npf/npf_state_tcp.c revision 1.10
src/usr.sbin/npf/npftest/npfstream.c revision 1.2
src/usr.sbin/npf/npftest/libnpftest/npf_test_subr.c revision 1.2
(requested by rmind in ticket #435).

Add missing __dead.

teach npf ipv6-icmp
reviewed by rmind@

- npfctl_print_stats: beautification a la French style.
- npfctl_icmpcode: fix the build break.

- npf_fetch_tcpopts: fix off-by-one when validating TCP option length
against the maximum allowed.
- npf_tcp_inwindow: be more liberal with npf_fetch_tcpopts().
- Few minor improvements to npftest.
 1.9.2.4 16-Jul-2012  riz Pull up following revision(s) (requested by rmind in ticket #421):
lib/libnpf/npf.c: revision 1.10
sys/net/npf/npf_session.c: revision 1.15
sys/net/npf/npf_tableset.c: revision 1.13
sys/net/npf/npf_state_tcp.c: revision 1.9
usr.sbin/npf/npfctl/npf_data.c: revision 1.15
sys/net/npf/npf_inet.c: revision 1.14
sys/net/npf/npf_ruleset.c: revision 1.13
sys/net/npf/npf.h: revision 1.19
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.12
sys/net/npf/npf_instr.c: revision 1.13
sys/net/npf/npf_handler.c: revision 1.20
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.4
sys/net/npf/npf_alg_icmp.c: revision 1.10
usr.sbin/npf/npfctl/npfctl.c: revision 1.15
usr.sbin/npf/npfctl/npf_build.c: revision 1.11
lib/libnpf/npf.h: revision 1.9
sys/net/npf/npf_alg.c: revision 1.5
sys/rump/dev/lib/libnpf/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.h: revision 1.17
sys/net/npf/npf_ctl.c: revision 1.16
sys/net/npf/npf_nat.c: revision 1.15
sys/net/npf/npf_tableset_ptree.c: revision 1.1
sys/net/npf/npf.c: revision 1.12
sys/net/npf/npf_sendpkt.c: revision 1.12
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.7
sys/net/npf/npf_impl.h: revision 1.18
sys/net/npf/files.npf: revision 1.7
usr.sbin/npf/npfctl/npf_parse.y: revision 1.10
- Rework NPF tables and fix support for IPv6. Implement tree table type
using radix / Patricia tree. Universal IPv4/IPv6 comparator for ptree(3)
was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.
 1.9.2.3 05-Jul-2012  riz Pull up following revision(s) (requested by rmind in ticket #399):
sys/net/npf/npf_session.c: revision 1.14
sys/net/npf/npf_tableset.c: revision 1.12
sys/net/npf/npf_state_tcp.c: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.3
usr.sbin/npf/npfctl/npf_data.c: revision 1.14
sys/net/npf/npf_inet.c: revision 1.13
sys/net/npf/npf_ruleset.c: revision 1.12
sys/net/npf/npf.h: revision 1.18
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.8: revision 1.7
usr.sbin/npf/npfctl/npf_parse.y: revision 1.9
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.2
usr.sbin/npf/npfctl/npfctl.8: revision 1.8
sys/net/npf/npf_instr.c: revision 1.12
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.3
usr.sbin/npf/npfctl/npf.conf.5: revision 1.13
usr.sbin/npf/npfctl/npf.conf.5: revision 1.14
sys/net/npf/npf_state.c: revision 1.9
sys/net/npf/npf_processor.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.c: revision 1.13
usr.sbin/npf/npfctl/npfctl.c: revision 1.14
usr.sbin/npf/npfctl/npf_build.c: revision 1.10
lib/libnpf/npf.3: revision 1.5
lib/libnpf/npf.h: revision 1.8
share/man/man9/npf_ncode.9: revision 1.9
usr.sbin/npf/npfctl/npf_scan.l: revision 1.4
lib/libnpf/npf.c: revision 1.9
usr.sbin/npf/npfctl/npfctl.h: revision 1.16
sys/net/npf/npf_nat.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.2
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.6
sys/net/npf/npf_impl.h: revision 1.17
sys/net/npf/npf_handler.c: revision 1.18
sys/net/npf/npf_handler.c: revision 1.19
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.4
sys/net/npf/npf_ncode.h: revision 1.9
Fix and update npf.conf(5), npfctl(8) and its usage message.
npf_state_tcp: fix for FIN retransmission and out-of-order ACK case.
NPF improvements:
- Add NPF_OPCODE_PROTO to match the address and/or protocol only.
- Update parser to support arbitrary &quot;pass proto &lt;name/number&gt;&quot;.
- Fix IPv6 address and protocol handling (add a regression test).
- Fix few theorethical races in session handling module.
- Misc fixes, simplifications and some clean up.
npf_packet_handler: fix gcc unused warning.
 1.9.2.2 26-Jun-2012  riz Pull up following revision(s) (requested by rmind in ticket #365):
sys/rump/librump/rumpkern/rumpcpu_generic.c: revision 1.4
sys/net/npf/npf_session.c: revision 1.13
sys/net/npf/npf_tableset.c: revision 1.11
sys/net/npf/npf_state_tcp.c: revision 1.7
sys/net/npf/npf_inet.c: revision 1.12
sys/net/npf/npf.h: revision 1.17
sys/net/npf/npf_instr.c: revision 1.11
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.2
sys/net/npf/npf_state.c: revision 1.8
sys/net/npf/npf_log.c: revision 1.4
sys/net/npf/npf_alg.c: revision 1.4
sys/rump/librump/rumpkern/Makefile.rumpkern: revision 1.118
sys/net/npf/npf_nat.c: revision 1.13
sys/net/npf/npf.c: revision 1.11
sys/net/npf/npf_sendpkt.c: revision 1.11
sys/net/npf/npf_impl.h: revision 1.16
sys/rump/librump/rumpkern/scheduler.c: revision 1.28
rumpkern:
- Add subr_kcpuset.c and subr_pserialize.c modules.
- Add kcpuset_{running,attached} for RUMP env.
NPF:
- Rename some functions for consistency and de-inline them.
- Fix few invalid asserts (add regressoin test).
- Use pserialize(9) for ALG interface.
- Minor fixes, sprinkle many comments.
 1.9.2.1 03-Apr-2012  riz Pull up following revision(s) (requested by rmind in ticket #158):
sys/net/npf/npf_session.c: revision 1.12
sys/net/npf/npf_tableset.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.2
usr.sbin/npf/npfctl/npf_parse.y: revision 1.4
sys/net/npf/npf_inet.c: revision 1.11
sys/net/npf/npf.h: revision 1.15
usr.sbin/npf/npfctl/npf_build.c: revision 1.5
sys/net/npf/npf_ruleset.c: revision 1.11
sys/net/npf/npf_instr.c: revision 1.10
usr.sbin/npf/npfctl/Makefile: revision 1.6
sys/net/npf/npf_processor.c: revision 1.10
sys/net/npf/npf_log.c: revision 1.3
lib/libnpf/npf.h: revision 1.7
sys/net/npf/npf_alg.c: revision 1.3
sys/net/npf/npf_sendpkt.c: revision 1.9
lib/libnpf/npf.c: revision 1.8
usr.sbin/npf/npfctl/npfctl.h: revision 1.13
sys/net/npf/npf_ctl.c: revision 1.13
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.8
sys/net/npf/npf_ctl.c: revision 1.14
sys/net/npf/npf_nat.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.12
sys/net/npf/npf_impl.h: revision 1.11
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.1
sys/net/npf/npf_impl.h: revision 1.12
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.2
sys/net/npf/npf_handler.c: revision 1.14
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.3
sys/net/npf/npf_handler.c: revision 1.15
sys/net/npf/npf_ncode.h: revision 1.6
sys/net/npf/npf.c: revision 1.8
sys/net/npf/npf.c: revision 1.9
sys/net/npf/npf_alg_icmp.c: revision 1.9
sys/net/npf/npf_session.c: revision 1.11
- Add NPF_DECISION_BLOCK and NPF_DECISION_PASS. Be more defensive in the
packet handler. Change the default policy to block when the config is
loaded and set it to pass when flush operation is performed.
- Use kmem_zalloc(9) instead of kmem_alloc(9) in few places.
- npf_rproc_{create,release}: use kmem_intr_{alloc,free} as the destruction
of rule procedure might happen in the interrupt handler (under a very rare
condition, if config reload races with the handler).
- npf_session_establish: check whether layer 3 and 4 are cached.
- npfctl_build_group: do not make groups as passing rules.
- Remove some unecessary header inclusion.
Simplify slightly: merge iface into addr_or_iface, use it in filt_addr.
Add a small disassembler.
definitions used by the disassembler.
- better printing of type/code flags/mask
- pass the instruction start pointer, instead of subtracting 1 to account for it
- Save active config in proplib dictionary; add GETCONF ioctl to retrieve.
- Few fixes. Improve some comments.
don't leak the branch target array.
Add NPF config retrieval routines.
 1.9.2.7.2.1 17-Nov-2013  bouyer Apply patch, requested by rmind in ticket 986:
usr.sbin/npf/npfctl/npf_ncgen.c patch
sys/net/npf/npf_instr.c patch
fix the byteorder for port range comparison
 1.9.2.5.4.1 17-Nov-2013  bouyer Apply patch, requested by rmind in ticket 986:
usr.sbin/npf/npfctl/npf_ncgen.c patch
sys/net/npf/npf_instr.c patch
fix the byteorder for port range comparison
 1.14.2.2 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.14.2.1 25-Feb-2013  tls resync with head
 1.16.2.1 18-May-2014  rmind sync with head
 1.5 16-Sep-2012  rmind Implement dynamic NPF extensions interface. An extension consists of
dynamically loaded module (.so) supplementing npfctl(8) and a kernel
module. Move normalisation and logging functionality into their own
extensions. More improvements to come.
 1.4 22-Jun-2012  rmind branches: 1.4.2;
NPF:
- Rename some functions for consistency and de-inline them.
- Fix few invalid asserts (add regressoin test).
- Use pserialize(9) for ALG interface.
- Minor fixes, sprinkle many comments.
 1.3 20-Feb-2012  rmind - Add NPF_DECISION_BLOCK and NPF_DECISION_PASS. Be more defensive in the
packet handler. Change the default policy to block when the config is
loaded and set it to pass when flush operation is performed.
- Use kmem_zalloc(9) instead of kmem_alloc(9) in few places.
- npf_rproc_{create,release}: use kmem_intr_{alloc,free} as the destruction
of rule procedure might happen in the interrupt handler (under a very rare
condition, if config reload races with the handler).
- npf_session_establish: check whether layer 3 and 4 are cached.
- npfctl_build_group: do not make groups as passing rules.
- Remove some unecessary header inclusion.
 1.2 18-Jan-2011  rmind branches: 1.2.4; 1.2.8; 1.2.12; 1.2.14;
NPF checkpoint:
- Add the concept of rule procedure: separate normalization, logging and
potentially other functions from the rule structure. Rule procedure can be
shared amongst the rules. Separation is both at kernel level (npf_rproc_t)
and configuration ("procedure" + "apply").
- Fix portmap sharing for NAT policy.
- Update TCP state tracking logic. Use TCP FSM definitions.
- Add if_byindex(), OK by matt@. Use in logging for the lookup.
- Fix traceroute ALG and many other bugs; misc clean-up.
 1.1 18-Dec-2010  rmind branches: 1.1.2;
NPF checkpoint:
- Add support for session saving/restoring.
- Add packet logging support (can tcpdump a pseudo-interface).
- Support reload without flushing of sessions; rework some locking.
- Revisit session mangement, replace linking with npf_sentry_t entries.
- Add some counters for statistics, using percpu(9).
- Add IP_DF flag cleansing.
- Fix various bugs; misc clean-up.
 1.1.2.1 06-Jun-2011  jruoho Sync with HEAD.
 1.2.14.3 18-Nov-2012  riz Pull up following revision(s) (requested by rmind in ticket #693):
lib/npf/ext_normalise/shlib_version: revision 1.1
lib/libnpf/npf.c: revision 1.13
distrib/sets/lists/modules/mi: revision 1.48
sys/net/npf/npf_rproc.c: revision 1.3
sys/net/npf/npf_rproc.c: revision 1.4
sys/modules/npf/Makefile: revision 1.11
usr.sbin/npf/npfctl/npfctl.h: revision 1.20
lib/npf/ext_log/npfext_log.c: revision 1.1
lib/libnpf/npf.h: revision 1.11
sys/net/npf/npf_inet.c: revision 1.17
sys/net/npf/npf_log.c: file removal
sys/net/npf/npf_handler.c: revision 1.22
distrib/sets/lists/base/shl.mi: revision 1.636
sys/net/npf/npf_impl.h: revision 1.23
usr.sbin/npf/npfctl/Makefile: revision 1.8
lib/npf/Makefile: revision 1.1
lib/npf/ext_log/shlib_version: revision 1.1
lib/Makefile: revision 1.189
distrib/sets/lists/comp/shl.mi: revision 1.236
usr.sbin/npf/npfctl/npf_build.c: revision 1.14
distrib/sets/lists/base/mi: revision 1.1007
usr.sbin/npf/npfctl/npf_scan.l: revision 1.6
distrib/sets/lists/base/mi: revision 1.1009
sys/net/npf/npf.h: revision 1.21
lib/npf/ext_normalise/npfext_normalise.c: revision 1.1
etc/mtree/NetBSD.dist.base: revision 1.105
lib/libnpf/Makefile: revision 1.3
etc/mtree/NetBSD.dist.base: revision 1.106
usr.sbin/npf/npfctl/npf_extmod.c: revision 1.1
sys/net/npf/npf_ctl.c: revision 1.18
lib/npf/ext_log/Makefile: revision 1.1
distrib/sets/lists/comp/mi: revision 1.1781
usr.sbin/npf/npfctl/npf_var.h: revision 1.4
sys/net/npf/npf.c: revision 1.13
sys/modules/Makefile: revision 1.111
sys/net/npf/npf_ext_log.c: revision 1.1
lib/npf/Makefile.inc: revision 1.1
sys/net/npf/npf_ext_normalise.c: revision 1.1
sys/net/npf/files.npf: revision 1.8
sys/rump/net/lib/libnpf/Makefile: revision 1.2
sys/modules/npf_ext_log/Makefile: revision 1.1
lib/npf/ext_normalise/Makefile: revision 1.1
usr.sbin/npf/npfctl/npfctl.c: revision 1.20
usr.sbin/npf/npfctl/npf_parse.y: revision 1.13
sys/modules/npf_ext_normalise/Makefile: revision 1.1
Implement dynamic NPF extensions interface. An extension consists of
dynamically loaded module (.so) supplementing npfctl(8) and a kernel
module. Move normalisation and logging functionality into their own
extensions. More improvements to come.
Add /usr/lib/npf.
Add ./usr/libdata/debug/usr/lib/npf for rmind
Fix MKDEBUG set lists
ext_ops does not change during the life cycle and can be fetched without
the mutex held. This avoids confusion in the compiler about an uninitialized
variable ext_ops.
ok rmind@
 1.2.14.2 26-Jun-2012  riz Pull up following revision(s) (requested by rmind in ticket #365):
sys/rump/librump/rumpkern/rumpcpu_generic.c: revision 1.4
sys/net/npf/npf_session.c: revision 1.13
sys/net/npf/npf_tableset.c: revision 1.11
sys/net/npf/npf_state_tcp.c: revision 1.7
sys/net/npf/npf_inet.c: revision 1.12
sys/net/npf/npf.h: revision 1.17
sys/net/npf/npf_instr.c: revision 1.11
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.2
sys/net/npf/npf_state.c: revision 1.8
sys/net/npf/npf_log.c: revision 1.4
sys/net/npf/npf_alg.c: revision 1.4
sys/rump/librump/rumpkern/Makefile.rumpkern: revision 1.118
sys/net/npf/npf_nat.c: revision 1.13
sys/net/npf/npf.c: revision 1.11
sys/net/npf/npf_sendpkt.c: revision 1.11
sys/net/npf/npf_impl.h: revision 1.16
sys/rump/librump/rumpkern/scheduler.c: revision 1.28
rumpkern:
- Add subr_kcpuset.c and subr_pserialize.c modules.
- Add kcpuset_{running,attached} for RUMP env.
NPF:
- Rename some functions for consistency and de-inline them.
- Fix few invalid asserts (add regressoin test).
- Use pserialize(9) for ALG interface.
- Minor fixes, sprinkle many comments.
 1.2.14.1 03-Apr-2012  riz Pull up following revision(s) (requested by rmind in ticket #158):
sys/net/npf/npf_session.c: revision 1.12
sys/net/npf/npf_tableset.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.2
usr.sbin/npf/npfctl/npf_parse.y: revision 1.4
sys/net/npf/npf_inet.c: revision 1.11
sys/net/npf/npf.h: revision 1.15
usr.sbin/npf/npfctl/npf_build.c: revision 1.5
sys/net/npf/npf_ruleset.c: revision 1.11
sys/net/npf/npf_instr.c: revision 1.10
usr.sbin/npf/npfctl/Makefile: revision 1.6
sys/net/npf/npf_processor.c: revision 1.10
sys/net/npf/npf_log.c: revision 1.3
lib/libnpf/npf.h: revision 1.7
sys/net/npf/npf_alg.c: revision 1.3
sys/net/npf/npf_sendpkt.c: revision 1.9
lib/libnpf/npf.c: revision 1.8
usr.sbin/npf/npfctl/npfctl.h: revision 1.13
sys/net/npf/npf_ctl.c: revision 1.13
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.8
sys/net/npf/npf_ctl.c: revision 1.14
sys/net/npf/npf_nat.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.12
sys/net/npf/npf_impl.h: revision 1.11
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.1
sys/net/npf/npf_impl.h: revision 1.12
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.2
sys/net/npf/npf_handler.c: revision 1.14
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.3
sys/net/npf/npf_handler.c: revision 1.15
sys/net/npf/npf_ncode.h: revision 1.6
sys/net/npf/npf.c: revision 1.8
sys/net/npf/npf.c: revision 1.9
sys/net/npf/npf_alg_icmp.c: revision 1.9
sys/net/npf/npf_session.c: revision 1.11
- Add NPF_DECISION_BLOCK and NPF_DECISION_PASS. Be more defensive in the
packet handler. Change the default policy to block when the config is
loaded and set it to pass when flush operation is performed.
- Use kmem_zalloc(9) instead of kmem_alloc(9) in few places.
- npf_rproc_{create,release}: use kmem_intr_{alloc,free} as the destruction
of rule procedure might happen in the interrupt handler (under a very rare
condition, if config reload races with the handler).
- npf_session_establish: check whether layer 3 and 4 are cached.
- npfctl_build_group: do not make groups as passing rules.
- Remove some unecessary header inclusion.
Simplify slightly: merge iface into addr_or_iface, use it in filt_addr.
Add a small disassembler.
definitions used by the disassembler.
- better printing of type/code flags/mask
- pass the instruction start pointer, instead of subtracting 1 to account for it
- Save active config in proplib dictionary; add GETCONF ioctl to retrieve.
- Few fixes. Improve some comments.
don't leak the branch target array.
Add NPF config retrieval routines.
 1.2.12.1 24-Feb-2012  mrg sync to -current.
 1.2.8.2 30-Oct-2012  yamt sync with head
 1.2.8.1 17-Apr-2012  yamt sync with head
 1.2.4.2 05-Mar-2011  rmind sync with head
 1.2.4.1 18-Jan-2011  rmind file npf_log.c was added on branch rmind-uvmplock on 2011-03-05 20:55:55 +0000
 1.4.2.1 20-Nov-2012  tls Resync to 2012-11-19 00:00:00 UTC
 1.25 12-Feb-2023  kardel PR kern/56052:
allow block-return packets passed through without rule matching.
Included up-stream as https://github.com/rmind/npf/pull/115
 1.24 30-May-2020  rmind branches: 1.24.20;
Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.

- Amend and improve the manual pages.
 1.23 26-Sep-2019  christos Cast m_mbuflen() result to "size_t". It could also be "u_int" since it is
assigned to "u_int", but all the other "standalone" equivalent functions return
"size_t".
 1.22 15-Nov-2018  maxv branches: 1.22.4;
Remove the 't' argument from m_tag_find().
 1.21 29-Sep-2018  rmind NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.
 1.20 10-Aug-2018  maxv Rename

ip6_undefer_csum -> in6_undefer_cksum
in6_delayed_cksum -> in6_undefer_cksum_tcpudp

The two previous names were inconsistent and misleading.

Put the two functions into in6_offload.c. Add comments to explain what
we're doing.

Same as IPv4.
 1.19 11-Jul-2018  maxv Rename

ip_undefer_csum -> in_undefer_cksum
in_delayed_cksum -> in_undefer_cksum_tcpudp

The two previous names were inconsistent and misleading.

Put the two functions into in_offload.c. Add comments to explain what
we're doing.

The same could be done for IPv6.
 1.18 26-Dec-2016  christos branches: 1.18.14; 1.18.16;
Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)
 1.17 08-Dec-2016  rmind NPF: adjust the 'stateful-ends' mechanism to tag the packets and thus
pass-through them on other interfaces. Per discussion with christos@.
 1.16 18-Mar-2016  mrg branches: 1.16.2;
minimal changes necessary to link into an INET6-less kernel.
 1.15 17-Dec-2015  mlelstv handle delayed cksums also for ipv6
 1.14 12-Jul-2015  rmind npfkern: eliminate INACTIVE_ID and use 0 for unregistered interfaces.
 1.13 10-Aug-2014  rmind branches: 1.13.2; 1.13.4;
- Add npf_ruleset_export(), npf_rule_export() and npf_nat_policyexport().
- Split off npf_conn_export(). Add npf_ifmap_getname() and use it to save
the interface name; pick it up on npf_conn_import().
- Misc fixes. Bump NPF_VERSION.
 1.12 08-Nov-2013  rmind NPF: add support for specifying the interfaces before they are attached.
If an interface is or gets detached, all associated rules and connections
will be deactivated (it might be useful to have an option to invalidate
the associated connections). Once the interface is reattached they will
become active.

Bump NPF_VERSION.
 1.11 19-Feb-2013  rmind branches: 1.11.2;
nbuf_ensure_contig: fix assert (can be equal if there is zero-length mbuf).
Found by npftest on sparc64.
 1.10 20-Jan-2013  rmind - nbuf_ensure_contig: rework to use m_ensure_contig(9), which will not free
the mbuf chain on failure. Fixes some corner cases. Improve regression
test and sprinkle some asserts.
- npf_reassembly: clear nbuf on IPv6 reassembly failure path (partial fix).
The problem was found and fix provided by Anthony Mallet.
 1.9 24-Dec-2012  rmind - Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.
 1.8 10-Dec-2012  rmind npf_rwrcksum: handle delayed checksums in the network stack; also fix
non-NPF_NAT_PORTS case and add some comments. PR/47235.
 1.7 14-Apr-2012  rmind branches: 1.7.2;
Update rumpdev_npf; use WARNS=4.
 1.6 18-Jan-2011  rmind branches: 1.6.4; 1.6.8; 1.6.12; 1.6.14;
NPF checkpoint:
- Add the concept of rule procedure: separate normalization, logging and
potentially other functions from the rule structure. Rule procedure can be
shared amongst the rules. Separation is both at kernel level (npf_rproc_t)
and configuration ("procedure" + "apply").
- Fix portmap sharing for NAT policy.
- Update TCP state tracking logic. Use TCP FSM definitions.
- Add if_byindex(), OK by matt@. Use in logging for the lookup.
- Fix traceroute ALG and many other bugs; misc clean-up.
 1.5 11-Nov-2010  rmind branches: 1.5.2;
NPF checkpoint:
- Add proper TCP state tracking as described in Guido van Rooij paper,
plus handle TCP Window Scaling option.
- Completely rework npf_cache_t, reduce granularity, simplify code.
- Add npf_addr_t as an abstraction, amend session handling code, as well
as NAT code et al, to use it. Now design is prepared for IPv6 support.
- Handle IPv4 fragments i.e. perform packet reassembly.
- Add support for IPv4 ID randomization and minimum TTL enforcement.
- Add support for TCP MSS "clamping".
- Random bits for IPv6. Various fixes and clean-up.
 1.4 03-Oct-2010  rmind branches: 1.4.2; 1.4.4;
nbuf_advfetch: fix bug and change behaviour on error case.
 1.3 25-Sep-2010  rmind Add nbuf_advfetch() and simplify some code slightly.
 1.2 16-Sep-2010  rmind NPF checkpoint:
- Add support for bi-directional NAT and redirection / port forwarding.
- Finish filtering on ICMP type/code and add filtering on TCP flags.
- Add support for TCP reset (RST) or ICMP destination unreachable on block.
- Fix a bunch of bugs; misc cleanup.
 1.1 22-Aug-2010  rmind Import NPF - a packet filter. Some features:

- Designed to be fully MP-safe and highly efficient.

- Tables/IP sets (hash or red-black tree) for high performance lookups.

- Stateful filtering and Network Address Port Translation (NAPT).
Framework for application level gateways (ALGs).

- Packet inspection engine called n-code processor - inspired by BPF -
supporting generic RISC-like and specific CISC-like instructions for
common patterns (e.g. IPv4 address matching). See npf_ncode(9) manual.

- Convenient userland utility npfctl(8) with npf.conf(8).

NOTE: This is not yet a fully capable alternative to PF or IPFilter.
Further work (support for binat/rdr, return-rst/return-icmp, common ALGs,
state saving/restoring, logging, etc) is in progress.

Thanks a lot to Matt Thomas for various useful comments and code review.
Aye by: board@
 1.4.4.2 22-Oct-2010  uebayasi Sync with HEAD (-D20101022).
 1.4.4.1 03-Oct-2010  uebayasi file npf_mbuf.c was added on branch uebayasi-xip on 2010-10-22 09:23:15 +0000
 1.4.2.2 09-Oct-2010  yamt sync with head
 1.4.2.1 03-Oct-2010  yamt file npf_mbuf.c was added on branch yamt-nfs-mp on 2010-10-09 03:32:37 +0000
 1.5.2.1 06-Jun-2011  jruoho Sync with HEAD.
 1.6.14.3 08-Feb-2013  riz Pull up following revision(s) (requested by rmind in ticket #777):
usr.sbin/npf/npfctl/npfctl.c: revision 1.27
sys/net/npf/npf_session.c: revision 1.19
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.4
sys/net/npf/npf_rproc.c: revision 1.5
usr.sbin/npf/npftest/README: revision 1.3
sys/sys/mbuf.h: revision 1.151
sys/net/npf/npf_ruleset.c: revision 1.15
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.3
sys/net/npf/npf_ruleset.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.4
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.4
sys/net/npf/npf_inet.c: revision 1.19
sys/net/npf/npf_instr.c: revision 1.15
sys/net/npf/npf_handler.c: revision 1.24
sys/net/npf/npf_handler.c: revision 1.25
sys/net/npf/npf_state_tcp.c: revision 1.12
sys/net/npf/npf_processor.c: revision 1.13
sys/net/npf/npf_impl.h: revision 1.25
sys/net/npf/npf_processor.c: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.10
sys/net/npf/npf_alg_icmp.c: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.9
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.3
sys/net/npf/npf_session.c: revision 1.20
sys/net/npf/npf_alg.c: revision 1.6
sys/kern/uipc_mbuf.c: revision 1.148
sys/net/npf/npf_inet.c: revision 1.20
sys/net/npf/npf.h: revision 1.25
sys/net/npf/npf_nat.c: revision 1.18
sys/net/npf/npf_state.c: revision 1.13
sys/net/npf/npf_sendpkt.c: revision 1.13
sys/net/npf/npf_ext_log.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.4
sys/net/npf/npf_ext_normalise.c: revision 1.2
- Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.
Silence gcc in npf_recache().
Add m_ensure_contig() routine, which is equivalent to m_pullup, but does not
destroy the mbuf chain on failure (it is kept valid).
- nbuf_ensure_contig: rework to use m_ensure_contig(9), which will not free
the mbuf chain on failure. Fixes some corner cases. Improve regression
test and sprinkle some asserts.
- npf_reassembly: clear nbuf on IPv6 reassembly failure path (partial fix).
The problem was found and fix provided by Anthony Mallet.
 1.6.14.2 16-Dec-2012  riz Pull up following revision(s) (requested by rmind in ticket #746):
sys/net/npf/npf_inet.c: revision 1.18
sys/net/npf/npf_mbuf.c: revision 1.8
sys/net/npf/npf.h: revision 1.23
npf_rwrcksum: handle delayed checksums in the network stack; also fix
non-NPF_NAT_PORTS case and add some comments. PR/47235.
 1.6.14.1 26-Jun-2012  riz branches: 1.6.14.1.4;
Pull up following revision(s) (requested by rmind in ticket #354):
sys/net/npf/npf_state_tcp.c: revision 1.4
sys/net/npf/npf_state_tcp.c: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.6
usr.sbin/npf/npftest/npftest.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.1
usr.sbin/npf/npftest/npftest.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.2
usr.sbin/npf/npfctl/npf_data.c: revision 1.11
usr.sbin/npf/npftest/npftest.c: revision 1.3
usr.sbin/npf/npfctl/npf_data.c: revision 1.12
usr.sbin/npf/npftest/npftest.h: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.5
usr.sbin/npf/npfctl/npf_data.c: revision 1.13
sys/net/npf/npf.h: revision 1.16
usr.sbin/npf/npftest/npftest.h: revision 1.2
usr.sbin/npf/npfctl/npf_parse.y: revision 1.6
usr.sbin/npf/npftest/npftest.h: revision 1.3
usr.sbin/npf/npfctl/npf_parse.y: revision 1.7
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.10
usr.sbin/npf/npfctl/npf_build.c: revision 1.6
usr.sbin/npf/npfctl/npf_parse.y: revision 1.8
usr.sbin/npf/npfctl/npf_build.c: revision 1.7
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_build.c: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_build.c: revision 1.9
usr.sbin/npf/npfctl/npf.conf.5: revision 1.10
usr.sbin/npf/npfctl/npf.conf.5: revision 1.11
usr.sbin/npf/npfctl/npf.conf.5: revision 1.12
sys/net/npf/npf_state.c: revision 1.7
usr.sbin/npf/npfctl/npfctl.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.c: revision 1.12
usr.sbin/npf/npfctl/Makefile: revision 1.7
sys/rump/net/lib/libnet/Makefile: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.7
usr.sbin/npf/npftest/Makefile: revision 1.1
usr.sbin/npf/npftest/Makefile: revision 1.2
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.1
usr.sbin/npf/npfctl/npf_scan.l: revision 1.2
usr.sbin/npf/npftest/npfstream.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.2
usr.sbin/npf/npfctl/npf_scan.l: revision 1.3
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.3
usr.sbin/npf/npfctl/npfctl.h: revision 1.12
sys/rump/dev/lib/libnpf/Makefile: revision 1.2
usr.sbin/npf/npfctl/npfctl.h: revision 1.14
sys/rump/dev/lib/libnpf/Makefile: revision 1.3
usr.sbin/npf/npfctl/npfctl.h: revision 1.15
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.9
sys/net/npf/npf_ctl.c: revision 1.15
usr.sbin/npf/npfctl/npf_var.c: revision 1.4
usr.sbin/npf/npfctl/npf_var.h: revision 1.2
usr.sbin/npf/npfctl/npf_var.c: revision 1.5
sys/net/npf/npf_impl.h: revision 1.13
sys/net/npf/npf_sendpkt.c: revision 1.10
sys/net/npf/npf_impl.h: revision 1.14
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.4
sys/net/npf/npf_impl.h: revision 1.15
sys/net/npf/npf_handler.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.5
sys/net/npf/npf_handler.c: revision 1.17
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.2
sys/net/npf/npf_ncode.h: revision 1.7
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.3
sys/net/npf/npf_ncode.h: revision 1.8
npf_tcp_inwindow: in a case of negative skew, bump the maximum seen value of
SEQ+LEN in the receiver's side correctly (using ACK from the sender's side).
PR/46265 from Changli Gao.
rumpnet_net: add pfil.c
Update rumpdev_npf; use WARNS=4.
Add initial NPF regression tests integrated with RUMP framework (running the
kernel part of NPF in userland). Other tests will be added once converted to
RUMP framework. All tests are in the public domain.
Some Makefile fixes from christos@.
- Fix double-free case on ICMP return case.
- npf_pfil_register: handle kernels without INET6 option correctly.
- Reduce some #ifdefs.
npfctl(8): add show-config command. Also, update syntax.
npftest: add a stream processor, which prints out the TCP state information.
A tool for debugging connection tracking from tcpdump -w captured data.
npftest: add a module for TCP state tracking and add few test cases.
npf_state_tcp: add an assert; fix some comments while here.
- Rework NPF NAT syntax to be more structured and support future additions
of different types and configurations of NAT.
- npfctl: improve disassemble and show-config command functionality.
- Fix custom ICMP code and type filtering.
make this compile again.
remove error(1) output
Remove superfluous Pp
- make each element of a variable hold a type
- change get_type to take an index, so we can get the individual types of
each element (since primitive elements can be in lists)
- make port_range primitive
- add a routine to convert a variable of primitives to a variable containing
- only port ranges.
remove extra rule that got merged...
 1.6.14.1.4.1 16-Dec-2012  riz Pull up following revision(s) (requested by rmind in ticket #746):
sys/net/npf/npf_inet.c: revision 1.18
sys/net/npf/npf_mbuf.c: revision 1.8
sys/net/npf/npf.h: revision 1.23
npf_rwrcksum: handle delayed checksums in the network stack; also fix
non-NPF_NAT_PORTS case and add some comments. PR/47235.
 1.6.12.1 29-Apr-2012  mrg sync to latest -current.
 1.6.8.4 22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.6.8.3 23-Jan-2013  yamt sync with head
 1.6.8.2 16-Jan-2013  yamt sync with (a bit old) head
 1.6.8.1 17-Apr-2012  yamt sync with head
 1.6.4.2 05-Mar-2011  rmind sync with head
 1.6.4.1 18-Jan-2011  rmind file npf_mbuf.c was added on branch rmind-uvmplock on 2011-03-05 20:55:55 +0000
 1.7.2.3 03-Dec-2017  jdolecek update from HEAD
 1.7.2.2 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.7.2.1 25-Feb-2013  tls resync with head
 1.11.2.1 18-May-2014  rmind sync with head
 1.13.4.4 05-Feb-2017  skrll Sync with HEAD
 1.13.4.3 19-Mar-2016  skrll Sync with HEAD
 1.13.4.2 27-Dec-2015  skrll Sync with HEAD (as of 26th Dec)
 1.13.4.1 22-Sep-2015  skrll Sync with HEAD
 1.13.2.3 12-May-2017  snj Pull up following revision(s) (requested by jnemeth in ticket #1394):
sys/net/npf/npf_inet.c: revisions 1.34, 1.35 via patch
sys/net/npf/npf_mbuf.c: revision 1.16
sys/net/npf/npf_nat.c: revision 1.40
minimal changes necessary to link into an INET6-less kernel.
--
fixup misplaced #endif
 1.13.2.2 26-Jan-2016  riz Pull up following revision(s) (requested by mlelstv in ticket #1065):
sys/net/npf/npf_mbuf.c: revision 1.15
handle delayed cksums also for ipv6
 1.13.2.1 17-Jul-2015  snj Pull up following revision(s) (requested by rmind in ticket #880):
sys/net/npf/npf_if.c: revision 1.5
sys/net/npf/npf_mbuf.c: revision 1.14
usr.sbin/npf/npf.7: revision 1.3
usr.sbin/npf/npfctl/npf_var.c: revision 1.9
npfkern: eliminate INACTIVE_ID and use 0 for unregistered interfaces.
--
- npfvar_get_type1: check for NULL first.
- Minor fix for the npf(7) man page.
 1.16.2.1 07-Jan-2017  pgoyette Sync with HEAD. (Note that most of these changes are simply $NetBSD$
tag issues.)
 1.18.16.2 13-Apr-2020  martin Mostly merge changes from HEAD upto 20200411
 1.18.16.1 10-Jun-2019  christos Sync with HEAD
 1.18.14.4 26-Nov-2018  pgoyette Sync with HEAD, resolve a couple of conflicts
 1.18.14.3 30-Sep-2018  pgoyette Ssync with HEAD
 1.18.14.2 06-Sep-2018  pgoyette Sync with HEAD

Resolve a couple of conflicts (result of the uimin/uimax changes)
 1.18.14.1 28-Jul-2018  pgoyette Sync with HEAD
 1.22.4.2 14-Mar-2023  martin Pull up following revision(s) (requested by kardel in ticket #119):

sys/net/npf/npf_mbuf.c: revision 1.25
sys/net/npf/npf.h: revision 1.64
sys/net/npf/npf_sendpkt.c: revision 1.23

PR kern/56052:
allow block-return packets passed through without rule matching.
Included up-stream ashttps://github.com/rmind/npf/pull/115
 1.22.4.1 20-Jun-2020  martin Pull up following revision(s) (requested by rmind in ticket #956):

usr.sbin/npf/npf-params.7: revision 1.4
sys/net/npf/npf_worker.c: revision 1.9
usr.sbin/npf/npftest/npftest.h: revision 1.17
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.16
usr.sbin/npf/npf-params.7: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.21
usr.sbin/npf/npfctl/npf_build.c: revision 1.55
usr.sbin/npf/npf-params.7: revision 1.6
sys/net/npf/npfkern.h: revision 1.5
lib/libnpf/npf.c: revision 1.49
usr.sbin/npf/npf-params.7: revision 1.7
sys/net/npf/npf_impl.h: revision 1.81
sys/net/npf/npf_ext_log.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.h: revision 1.53
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.50
sys/net/npf/npf_mbuf.c: revision 1.24
sys/net/npf/npf_alg.c: revision 1.22
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: file removal
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.10
sys/net/npf/npf.h: revision 1.63
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.21
usr.sbin/npf/npfctl/npf_var.c: revision 1.13
sys/net/npf/files.npf: revision 1.23
usr.sbin/npf/npfctl/npf_show.c: revision 1.32
usr.sbin/npf/npfctl/npf.conf.5: revision 1.91
sys/net/npf/npf_os.c: revision 1.18
sys/net/npf/npf_connkey.c: revision 1.2
sys/net/npf/npf_conf.c: revision 1.17
lib/libnpf/libnpf.3: revision 1.12
usr.sbin/npf/npftest/npftest.c: revision 1.25
usr.sbin/npf/npftest/libnpftest/npf_gc_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.51
sys/net/npf/npf_tableset.c: revision 1.35
usr.sbin/npf/npftest/npftest.conf: revision 1.9
sys/net/npf/npf_sendpkt.c: revision 1.22
usr.sbin/npf/npfctl/npf_var.h: revision 1.10
sys/net/npf/npf_state.c: revision 1.23
sys/net/npf/npf_conn.h: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.64
usr.sbin/npf/npfctl/npf_cmd.c: revision 1.1
sys/net/npf/npf_portmap.c: revision 1.5
sys/net/npf/npf_params.c: revision 1.3
usr.sbin/npf/npfctl/npf_scan.l: revision 1.32
tests/net/npf/t_npf.sh: revision 1.4
sys/net/npf/npf_ext_rndblock.c: revision 1.9
lib/libnpf/npf.h: revision 1.39
sys/net/npf/npf_ruleset.c: revision 1.51
sys/net/npf/npf_alg_icmp.c: revision 1.33
sys/net/npf/npf.c: revision 1.43
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.8: revision 1.25
sys/net/npf/npf_ctl.c: revision 1.60
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.11
sys/net/npf/npf_handler.c: revision 1.49
sys/net/npf/npf_inet.c: revision 1.57
sys/net/npf/npf_ifaddr.c: revision 1.7
sys/net/npf/npf_conndb.c: revision 1.9
sys/net/npf/npf_if.c: revision 1.13
usr.sbin/npf/npfctl/Makefile: revision 1.15
sys/net/npf/npf_conn.c: revision 1.32
sys/net/npf/npf_ext_normalize.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.20
sys/net/npf/npf_worker.c: revision 1.8

Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.

npf_worker_sys{init,fini}: initialize/destroy the exit_cv condvar.

npftest -- npf_test_init(): add a workaround for NetBSD.

npf-params(7): fix the state.key defaults.

npf-params.7: s/filer/filter/

Adjust to "npfctl debug" command line changes, from rmind@.

Use more markup.
 1.24.20.1 14-Mar-2023  martin Pull up following revision(s) (requested by kardel in ticket #119):

sys/net/npf/npf_mbuf.c: revision 1.25
sys/net/npf/npf.h: revision 1.64
sys/net/npf/npf_sendpkt.c: revision 1.23

PR kern/56052:
allow block-return packets passed through without rule matching.
Included up-stream ashttps://github.com/rmind/npf/pull/115
 1.54 01-Jul-2025  joe kernel code for layer 2 filtering in NPF

reviewed by christos@
 1.53 24-Feb-2023  riastradh branches: 1.53.6;
npf: Eliminate __HAVE_ATOMIC_AS_MEMBAR conditionals.

Discussed on tech-kern:
https://mail-index.netbsd.org/tech-kern/2023/02/23/msg028729.html

Requested by rmind@:
https://github.com/rmind/npf/pull/127#issuecomment-1399573125
 1.52 09-Apr-2022  riastradh sys: Use membar_release/acquire around reference drop.

This just goes through my recent reference count membar audit and
changes membar_exit to membar_release and membar_enter to
membar_acquire -- this should make everything cheaper on most CPUs
without hurting correctness, because membar_acquire is generally
cheaper than membar_enter.
 1.51 12-Mar-2022  riastradh sys: Membar audit around reference count releases.

If two threads are using an object that is freed when the reference
count goes to zero, we need to ensure that all memory operations
related to the object happen before freeing the object.

Using an atomic_dec_uint_nv(&refcnt) == 0 ensures that only one
thread takes responsibility for freeing, but it's not enough to
ensure that the other thread's memory operations happen before the
freeing.

Consider:

Thread A Thread B
obj->foo = 42; obj->baz = 73;
mumble(&obj->bar); grumble(&obj->quux);
/* membar_exit(); */ /* membar_exit(); */
atomic_dec -- not last atomic_dec -- last
/* membar_enter(); */
KASSERT(invariant(obj->foo,
obj->bar));
free_stuff(obj);

The memory barriers ensure that

obj->foo = 42;
mumble(&obj->bar);

in thread A happens before

KASSERT(invariant(obj->foo, obj->bar));
free_stuff(obj);

in thread B. Without them, this ordering is not guaranteed.

So in general it is necessary to do

membar_exit();
if (atomic_dec_uint_nv(&obj->refcnt) != 0)
return;
membar_enter();

to release a reference, for the `last one out hit the lights' style
of reference counting. (This is in contrast to the style where one
thread blocks new references and then waits under a lock for existing
ones to drain with a condvar -- no membar needed thanks to mutex(9).)

I searched for atomic_dec to find all these. Obviously we ought to
have a better abstraction for this because there's so much copypasta.
This is a stop-gap measure to fix actual bugs until we have that. It
would be nice if an abstraction could gracefully handle the different
styles of reference counting in use -- some years ago I drafted an
API for this, but making it cover everything got a little out of hand
(particularly with struct vnode::v_usecount) and I ended up setting
it aside to work on psref/localcount instead for better scalability.

I got bored of adding #ifdef __HAVE_ATOMIC_AS_MEMBAR everywhere, so I
only put it on things that look performance-critical on 5sec review.
We should really adopt membar_enter_preatomic/membar_exit_postatomic
or something (except they are applicable only to atomic r/m/w, not to
atomic_load/store_*, making the naming annoying) and get rid of all
the ifdefs.
 1.50 30-May-2020  rmind Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.

- Amend and improve the manual pages.
 1.49 23-May-2020  rmind Backport selected NPF fixes from the upstream (to be pulled up):

- npf_conndb_lookup: protect the connection lookup with pserialize(9),
instead of incorrectly assuming that the handler always runs at IPL_SOFNET.
Should fix crashes reported on high load (PR/55182).

- npf_config_destroy: handle partially initialized config; fixes crashes
with some invalid configurations.

- NAT policy creation / destruction: set the initial reference and do not
wait for reference draining on destruction; destroy the policy on the
last reference drop instead. Fixes a lockup with the dynamic NAT rules.

- npf_nat_{export,import}: fix a regression since dynamic NAT rules.

- npfctl: fix a regression and restore the default group behaviour.

- Add npf_cache_tcp() and validate the TCP data offset (from maxv@).
 1.48 25-Aug-2019  rmind - npfctl_load_nvlist: simplify the config loading logic.
- Fix a small race condition in npf_nat_getaddr().
- Rework pserialize/EBR wrappers, make it easier to maintain.
 1.47 11-Aug-2019  rmind Adjust some internal NPF APIs:
* npfkern: use the npfk_ prefix.
* NPF portmap: amend the API so it could be used elsewhere.
* Make npf_connkey_t public.
 1.46 23-Jul-2019  rmind branches: 1.46.2;
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.
 1.45 19-Jan-2019  rmind Major NPF improvements:
- Convert NPF connection table to thmap. State lookup is now lock-free.
- Improve connection state G/C: it is now incremental and tunable.
- Add support for dynamic NAT address. Translation addresses can now be
selected from a pool of addresses. There are two selection algorithms,
"ip-hash" and "round-robin" (see the man page).
- Translation address can be specified as e.g. ifaddrs(wm0) in npf.conf
to dynamically choose an IP from the interface address(es).
- Add support for the NETMAP algorithm with static NAT for net-to-net
translation (it is equivalent to iptables NETMAP logic).
- Convert 'ipset' tables to use thmap; the table lookup is now lock-free.
- Misc improvements, bug fixes and more unit tests.
- Bump NPF_VERSION (will also bump libnpf).
 1.44 29-Sep-2018  rmind NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.
 1.43 11-May-2018  maxv branches: 1.43.2;
Improve comment, it's not just IPv4.
 1.42 23-Apr-2018  christos PR/53207: David Binderman: Use logical and
 1.41 26-Dec-2016  christos branches: 1.41.8; 1.41.14;
Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)
 1.40 18-Mar-2016  mrg branches: 1.40.2;
minimal changes necessary to link into an INET6-less kernel.
 1.39 30-Dec-2014  christos Don't forget to destroy the mutex before freeing the nat struct on a failed
load.
XXX: pullup -7
 1.38 20-Dec-2014  rmind NPF: set the connection flags atomically in the post-creation logic and
fix a tiny race condition window. Might fix PR/49488.
 1.37 30-Nov-2014  rmind - npf_config_load: if loading the connections, do not perform any actice
NAT policy take over or or portmap sharing - just replace them all.
- npf_config_fini: flush with the empty connection database.
- npf_nat_import: fix the stat counter.
 1.36 30-Nov-2014  rmind NPF:
- npf_nat_import: take the port only if using the portmap.
- Sprinkle some comments and asserts.
 1.35 26-Nov-2014  rmind branches: 1.35.2;
NPF: fix the reference counting and share the active NAT portmap correctly
when performing the reload. Should fixes PR/49412, reported by kardel@.
 1.34 24-Aug-2014  rmind - npf_conn_import: add a missing stat counter increment.
- npf_nat_import: add a missing reference and make a comment.
 1.33 11-Aug-2014  rmind - Add and use npf_alg_export().
- npf_conn_import: handle NAT metadata correctly.
- npf_nat_newpolicy: restore the policy ID.
- npfctl_load: fix error code handling for the limit cases.
- npf_config_import: fix the inverted logic.
- npfctl_load: improve error handling.
 1.32 10-Aug-2014  rmind branches: 1.32.2;
- Add npf_ruleset_export(), npf_rule_export() and npf_nat_policyexport().
- Split off npf_conn_export(). Add npf_ifmap_getname() and use it to save
the interface name; pick it up on npf_conn_import().
- Misc fixes. Bump NPF_VERSION.
 1.31 23-Jul-2014  rmind NPF: rework of the connection saving and restoring:
- Add support for saving a snapshot of the current connections together
with a full configuration. Support a reverse load operation. Eliminate
the old 'sess-save' and 'sess-load' in favour of the new mechanism.
- Share code between load and reload operations: the latter performs
load from npf.conf without affecting the connections.
- Simplify and fix races with connection loading.
- Bump NPF_VERSION.
 1.30 20-Jul-2014  rmind NPF: add nbuf_t * into npf_cache_t and remove unnecessary carrying by argument.
 1.29 19-Jul-2014  rmind NPF: partially rewrite the connection tracking mechanism:
- Separate the tracking interface from the storage (state table)
and thus prepare to use a new data structure for the storage.
- Fix some race conditions in NAT association logic.
 1.28 30-May-2014  rmind - npf_nat_freepolicy: handle a race condition when a new connection might
be associated with a NAT policy which is going away and npfctl reload
would wait for its natural expiration (potentially long time).
- Remove npf_ruleset_natreload() by merging into npf_ruleset_reload().
- npf_ruleset_reload: eliminate a small time period when a valid NAT
policy might be inactive during the reload operation.
 1.27 14-Mar-2014  rmind branches: 1.27.2;
NPF: add support for "stateful-ends".
 1.26 19-Feb-2014  rmind NPF: fix the recent breakage of the traceroute ALG. Also, simplify and
refactor a little bit.
 1.25 13-Feb-2014  rmind NPF: add support for IPv6-to-IPv6 Network Prefix Translation (NPTv6),
as per RFC 6296. Add a unit test. Also, bump NPF_VERSION.

Thanks to S.P.Zeidler for the help with NPTv6 work!
 1.24 07-Feb-2014  rmind NPF: add support for static (stateless) NAT.
 1.23 06-Dec-2013  rmind NPF:
- Adjust NAT to not assume flow direction in some cases and thus support
less usual setups which are possible when using 'map' with a custom
filter criteria.
- Introduce NPF_SRC/NPF_DST and replace npc_src/npc_dst with npc_ips[2]
for more convenient handling.
- ICMP ALG: restrict matching only to the outgoing traffic, but be more
direction-agnostic elsewhere.
 1.22 04-Dec-2013  rmind - npf_do_nat: fix a race condition and simplify the logic.
- npf_session_setnat: clear the NAT association on failure.
 1.21 29-Oct-2013  rmind npf_session_setnat: fix the race condition when the old connection is still
being expired while a new/duplicate is being created.
 1.20 02-Jun-2013  rmind branches: 1.20.2;
- NPF connection tracking: rework synchronisation on tracking disable/enable
points and document it. Split the worker thread into a separate module
with an interface, so it could be re-used for other tasks.
- Replace ALG list with arrays and thus hit fewer cache lines.
- Misc bug fixes.
 1.19 09-Feb-2013  rmind NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
 1.18 24-Dec-2012  rmind - Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.
 1.17 15-Aug-2012  rmind branches: 1.17.2;
- {npf_mk_rproc,npf_nat_save}: fix the fetching of {rproc-ptr,id_ptr}.
- npf_rproc_setlog: initialise variables to 0, as keys may not exist.

Bugs found by mlelstv@ while testing on Amiga.
 1.16 12-Aug-2012  rmind - Extend npftest: add ruleset inspection testing from the config generated
by npfctl debug functionality. Auto-create npftest interfaces for this.
- NPF sessions: combine protocol and interface into a separate substructure,
share between the entries and thus fix the handling of them. Constify.
- npftest: add regression tests for NAT policies.
- npf_build_nat: simplify and fix bi-NAT regression.
- Bump yacc stack size for npfctl.
 1.15 15-Jul-2012  rmind - Rework NPF tables and fix support for IPv6. Implement tree table type
using radix / Patricia tree. Universal IPv4/IPv6 comparator for ptree(3)
was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.
 1.14 01-Jul-2012  rmind NPF improvements:
- Add NPF_OPCODE_PROTO to match the address and/or protocol only.
- Update parser to support arbitrary "pass proto <name/number>".
- Fix IPv6 address and protocol handling (add a regression test).
- Fix few theorethical races in session handling module.
- Misc fixes, simplifications and some clean up.
 1.13 22-Jun-2012  rmind NPF:
- Rename some functions for consistency and de-inline them.
- Fix few invalid asserts (add regressoin test).
- Use pserialize(9) for ALG interface.
- Minor fixes, sprinkle many comments.
 1.12 11-Mar-2012  rmind - Save active config in proplib dictionary; add GETCONF ioctl to retrieve.
- Few fixes. Improve some comments.
 1.11 20-Feb-2012  rmind - Add NPF_DECISION_BLOCK and NPF_DECISION_PASS. Be more defensive in the
packet handler. Change the default policy to block when the config is
loaded and set it to pass when flush operation is performed.
- Use kmem_zalloc(9) instead of kmem_alloc(9) in few places.
- npf_rproc_{create,release}: use kmem_intr_{alloc,free} as the destruction
of rule procedure might happen in the interrupt handler (under a very rare
condition, if config reload races with the handler).
- npf_session_establish: check whether layer 3 and 4 are cached.
- npfctl_build_group: do not make groups as passing rules.
- Remove some unecessary header inclusion.
 1.10 05-Feb-2012  rmind branches: 1.10.2;
Multiple NPF fixes, add better error reporting from kernel side, add some
asserts, bump the version.
 1.9 15-Jan-2012  rmind - Expire all sessions on flush.
- Enable checking for zero mask in IP{4,6}MATCH after npfctl changes.
- Make locking symmetric for npf_ruleset_inspect().
- Sync function prototypes in npf(3) man page with reality.
- Rename NPF_TABLE_RBTREE to NPF_TABLE_TREE.
 1.8 19-Nov-2011  tls branches: 1.8.2;
First step of random number subsystem rework described in
<20111022023242.BA26F14A158@mail.netbsd.org>. This change includes
the following:

An initial cleanup and minor reorganization of the entropy pool
code in sys/dev/rnd.c and sys/dev/rndpool.c. Several bugs are
fixed. Some effort is made to accumulate entropy more quickly at
boot time.

A generic interface, "rndsink", is added, for stream generators to
request that they be re-keyed with good quality entropy from the pool
as soon as it is available.

The arc4random()/arc4randbytes() implementation in libkern is
adjusted to use the rndsink interface for rekeying, which helps
address the problem of low-quality keys at boot time.

An implementation of the FIPS 140-2 statistical tests for random
number generator quality is provided (libkern/rngtest.c). This
is based on Greg Rose's implementation from Qualcomm.

A new random stream generator, nist_ctr_drbg, is provided. It is
based on an implementation of the NIST SP800-90 CTR_DRBG by
Henric Jungheim. This generator users AES in a modified counter
mode to generate a backtracking-resistant random stream.

An abstraction layer, "cprng", is provided for in-kernel consumers
of randomness. The arc4random/arc4randbytes API is deprecated for
in-kernel use. It is replaced by "cprng_strong". The current
cprng_fast implementation wraps the existing arc4random
implementation. The current cprng_strong implementation wraps the
new CTR_DRBG implementation. Both interfaces are rekeyed from
the entropy pool automatically at intervals justifiable from best
current cryptographic practice.

In some quick tests, cprng_fast() is about the same speed as
the old arc4randbytes(), and cprng_strong() is about 20% faster
than rnd_extract_data(). Performance is expected to improve.

The AES code in src/crypto/rijndael is no longer an optional
kernel component, as it is required by cprng_strong, which is
not an optional kernel component.

The entropy pool output is subjected to the rngtest tests at
startup time; if it fails, the system will reboot. There is
approximately a 3/10000 chance of a false positive from these
tests. Entropy pool _input_ from hardware random numbers is
subjected to the rngtest tests at attach time, as well as the
FIPS continuous-output test, to detect bad or stuck hardware
RNGs; if any are detected, they are detached, but the system
continues to run.

A problem with rndctl(8) is fixed -- datastructures with
pointers in arrays are no longer passed to userspace (this
was not a security problem, but rather a major issue for
compat32). A new kernel will require a new rndctl.

The sysctl kern.arandom() and kern.urandom() nodes are hooked
up to the new generators, but the /dev/*random pseudodevices
are not, yet.

Manual pages for the new kernel interfaces are forthcoming.
 1.7 04-Nov-2011  zoltan Add IPv6 support for NPF.
 1.6 02-Feb-2011  rmind branches: 1.6.2; 1.6.6;
NPF checkpoint:
- Add libnpf(3) - a library to control NPF (configuration, ruleset, etc).
- Add NPF support for ftp-proxy(8).
- Add rc.d script for NPF.
- Convert npfctl(8) to use libnpf(3) and thus make it less depressive.
Note: next clean-up step should be a parser, once dholland@ will finish it.
- Add more documentation.
- Various fixes.
 1.5 18-Jan-2011  rmind branches: 1.5.2;
NPF checkpoint:
- Add the concept of rule procedure: separate normalization, logging and
potentially other functions from the rule structure. Rule procedure can be
shared amongst the rules. Separation is both at kernel level (npf_rproc_t)
and configuration ("procedure" + "apply").
- Fix portmap sharing for NAT policy.
- Update TCP state tracking logic. Use TCP FSM definitions.
- Add if_byindex(), OK by matt@. Use in logging for the lookup.
- Fix traceroute ALG and many other bugs; misc clean-up.
 1.4 18-Dec-2010  rmind branches: 1.4.2;
NPF checkpoint:
- Add support for session saving/restoring.
- Add packet logging support (can tcpdump a pseudo-interface).
- Support reload without flushing of sessions; rework some locking.
- Revisit session mangement, replace linking with npf_sentry_t entries.
- Add some counters for statistics, using percpu(9).
- Add IP_DF flag cleansing.
- Fix various bugs; misc clean-up.
 1.3 11-Nov-2010  rmind NPF checkpoint:
- Add proper TCP state tracking as described in Guido van Rooij paper,
plus handle TCP Window Scaling option.
- Completely rework npf_cache_t, reduce granularity, simplify code.
- Add npf_addr_t as an abstraction, amend session handling code, as well
as NAT code et al, to use it. Now design is prepared for IPv6 support.
- Handle IPv4 fragments i.e. perform packet reassembly.
- Add support for IPv4 ID randomization and minimum TTL enforcement.
- Add support for TCP MSS "clamping".
- Random bits for IPv6. Various fixes and clean-up.
 1.2 16-Sep-2010  rmind branches: 1.2.2; 1.2.4;
NPF checkpoint:
- Add support for bi-directional NAT and redirection / port forwarding.
- Finish filtering on ICMP type/code and add filtering on TCP flags.
- Add support for TCP reset (RST) or ICMP destination unreachable on block.
- Fix a bunch of bugs; misc cleanup.
 1.1 22-Aug-2010  rmind Import NPF - a packet filter. Some features:

- Designed to be fully MP-safe and highly efficient.

- Tables/IP sets (hash or red-black tree) for high performance lookups.

- Stateful filtering and Network Address Port Translation (NAPT).
Framework for application level gateways (ALGs).

- Packet inspection engine called n-code processor - inspired by BPF -
supporting generic RISC-like and specific CISC-like instructions for
common patterns (e.g. IPv4 address matching). See npf_ncode(9) manual.

- Convenient userland utility npfctl(8) with npf.conf(8).

NOTE: This is not yet a fully capable alternative to PF or IPFilter.
Further work (support for binat/rdr, return-rst/return-icmp, common ALGs,
state saving/restoring, logging, etc) is in progress.

Thanks a lot to Matt Thomas for various useful comments and code review.
Aye by: board@
 1.2.4.2 22-Oct-2010  uebayasi Sync with HEAD (-D20101022).
 1.2.4.1 16-Sep-2010  uebayasi file npf_nat.c was added on branch uebayasi-xip on 2010-10-22 09:23:15 +0000
 1.2.2.2 09-Oct-2010  yamt sync with head
 1.2.2.1 16-Sep-2010  yamt file npf_nat.c was added on branch yamt-nfs-mp on 2010-10-09 03:32:37 +0000
 1.4.2.1 06-Jun-2011  jruoho Sync with HEAD.
 1.5.2.1 08-Feb-2011  bouyer Sync with HEAD
 1.6.6.5 22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.6.6.4 23-Jan-2013  yamt sync with head
 1.6.6.3 30-Oct-2012  yamt sync with head
 1.6.6.2 17-Apr-2012  yamt sync with head
 1.6.6.1 10-Nov-2011  yamt sync with head
 1.6.2.2 05-Mar-2011  rmind sync with head
 1.6.2.1 02-Feb-2011  rmind file npf_nat.c was added on branch rmind-uvmplock on 2011-03-05 20:55:55 +0000
 1.8.2.3 05-Apr-2012  mrg sync to latest -current.
 1.8.2.2 24-Feb-2012  mrg sync to -current.
 1.8.2.1 18-Feb-2012  mrg merge to -current.
 1.10.2.9 17-Nov-2013  bouyer Pull up following revision(s) (requested by rmind in ticket #985):
sys/net/npf/npf_impl.h: revision 1.35
sys/net/npf/npf_nat.c: revision 1.21
sys/net/npf/npf_session.c: revision 1.26
npf_session_setnat: fix the race condition when the old connection is still
being expired while a new/duplicate is being created.
 1.10.2.8 11-Feb-2013  riz branches: 1.10.2.8.2;
Pull up following revision(s) (requested by rmind in ticket #817):
usr.sbin/npf/npfctl/npfctl.8: revision 1.12
usr.sbin/npf/npfctl/npf.conf.5: revision 1.27
usr.sbin/npf/npfctl/npf_parse.y: revision 1.18
usr.sbin/npf/npfctl/npf_build.c: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.28
lib/libnpf/npf.c: revision 1.16
usr.sbin/npf/npfctl/npfctl.c: revision 1.29
lib/libnpf/npf.c: revision 1.17
sys/modules/npf/Makefile: revision 1.12
sys/net/npf/npf_rproc.c: revision 1.6
usr.sbin/npf/npftest/README: revision 1.4
sys/net/npf/npf_tableset.c: revision 1.17
sys/net/npf/npf_ctl.c: revision 1.21
sys/net/npf/npf_ctl.c: revision 1.22
usr.sbin/npf/npfctl/npfctl.h: revision 1.25
lib/libnpf/npf.h: revision 1.13
usr.sbin/npf/npftest/npftest.conf: revision 1.2
usr.sbin/npf/npfctl/npfctl.h: revision 1.26
sys/net/npf/npf_ruleset.c: revision 1.17
lib/libnpf/npf.h: revision 1.14
sys/net/npf/npf_ruleset.c: revision 1.18
sys/net/npf/npf_conf.c: revision 1.1
usr.sbin/npf/npfctl/npf_scan.l: revision 1.10
sys/net/npf/npf_conf.c: revision 1.2
sys/net/npf/npf_instr.c: revision 1.16
sys/net/npf/npf_handler.c: revision 1.26
sys/net/npf/npf_impl.h: revision 1.26
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.14
sys/net/npf/npf_processor.c: revision 1.15
sys/net/npf/npf_impl.h: revision 1.27
sys/net/npf/npf_alg_icmp.c: revision 1.15
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.15
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.16
sys/net/npf/npf_ncode.h: revision 1.11
sys/net/npf/files.npf: revision 1.10
usr.sbin/npf/npftest/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.c: revision 1.30
lib/libnpf/npf.3: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.4
sys/net/npf/npf_session.c: revision 1.21
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.5
usr.sbin/npf/npfctl/npf_build.c: revision 1.18
usr.sbin/npf/npfctl/npf_build.c: revision 1.19
sys/net/npf/npf_alg.c: revision 1.7
usr.sbin/npf/npfctl/Makefile: revision 1.10
sys/net/npf/npf_inet.c: revision 1.21
sys/net/npf/npf.h: revision 1.26
sys/net/npf/npf.h: revision 1.27
usr.sbin/pf/ftp-proxy/Makefile: revision 1.8
sys/net/npf/npf_nat.c: revision 1.19
sys/net/npf/npf.c: revision 1.15
sys/net/npf/npf_state.c: revision 1.14
sys/net/npf/npf_sendpkt.c: revision 1.14
sys/rump/net/lib/libnpf/Makefile: revision 1.4
IPv6 linklocal address printing cosmetics
NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
Disable -DWITH_NPF for now; will be converted to BPF mechanism.
- Fix NPF config reload with dynamic rules present.
- Implement list and flush commands on a dynamic ruleset.
Allow filtering on IP addresses even if the L4 protocol is unknown.
Patch from spz@.
npftest: adjust for recent change.
 1.10.2.7 08-Feb-2013  riz Pull up following revision(s) (requested by rmind in ticket #777):
usr.sbin/npf/npfctl/npfctl.c: revision 1.27
sys/net/npf/npf_session.c: revision 1.19
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.4
sys/net/npf/npf_rproc.c: revision 1.5
usr.sbin/npf/npftest/README: revision 1.3
sys/sys/mbuf.h: revision 1.151
sys/net/npf/npf_ruleset.c: revision 1.15
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.3
sys/net/npf/npf_ruleset.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.4
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.4
sys/net/npf/npf_inet.c: revision 1.19
sys/net/npf/npf_instr.c: revision 1.15
sys/net/npf/npf_handler.c: revision 1.24
sys/net/npf/npf_handler.c: revision 1.25
sys/net/npf/npf_state_tcp.c: revision 1.12
sys/net/npf/npf_processor.c: revision 1.13
sys/net/npf/npf_impl.h: revision 1.25
sys/net/npf/npf_processor.c: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.10
sys/net/npf/npf_alg_icmp.c: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.9
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.3
sys/net/npf/npf_session.c: revision 1.20
sys/net/npf/npf_alg.c: revision 1.6
sys/kern/uipc_mbuf.c: revision 1.148
sys/net/npf/npf_inet.c: revision 1.20
sys/net/npf/npf.h: revision 1.25
sys/net/npf/npf_nat.c: revision 1.18
sys/net/npf/npf_state.c: revision 1.13
sys/net/npf/npf_sendpkt.c: revision 1.13
sys/net/npf/npf_ext_log.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.4
sys/net/npf/npf_ext_normalise.c: revision 1.2
- Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.
Silence gcc in npf_recache().
Add m_ensure_contig() routine, which is equivalent to m_pullup, but does not
destroy the mbuf chain on failure (it is kept valid).
- nbuf_ensure_contig: rework to use m_ensure_contig(9), which will not free
the mbuf chain on failure. Fixes some corner cases. Improve regression
test and sprinkle some asserts.
- npf_reassembly: clear nbuf on IPv6 reassembly failure path (partial fix).
The problem was found and fix provided by Anthony Mallet.
 1.10.2.6 19-Aug-2012  riz Pull up following revision(s) (requested by rmind in ticket #511):
lib/libnpf/npf.c: revision 1.12
sys/net/npf/npf_ctl.c: revision 1.17
sys/net/npf/npf_nat.c: revision 1.17
- {npf_mk_rproc,npf_nat_save}: fix the fetching of {rproc-ptr,id_ptr}.
- npf_rproc_setlog: initialise variables to 0, as keys may not exist.
Bugs found by mlelstv@ while testing on Amiga.
 1.10.2.5 13-Aug-2012  riz Pull up following revision(s) (requested by rmind in ticket #485):
lib/libnpf/npf.c: revision 1.11
sys/net/npf/npf_session.c: revision 1.17
sys/modules/npf/Makefile: revision 1.10
usr.sbin/npf/npftest/npftest.c: revision 1.4
usr.sbin/npf/npftest/README: revision 1.1
sys/net/npf/npf_tableset.c: revision 1.14
usr.sbin/npf/npftest/npftest.h: revision 1.4
lib/libnpf/npf.h: revision 1.10
sys/net/npf/npf_ruleset.c: revision 1.14
usr.sbin/npf/npfctl/npf_data.c: revision 1.18
usr.sbin/npf/npftest/npftest.conf: revision 1.1
sys/net/npf/npf_handler.c: revision 1.21
sys/net/npf/npf_impl.h: revision 1.21
usr.sbin/npf/npfctl/npfctl.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_build.c: revision 1.13
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.1
usr.sbin/npf/npftest/npfstream.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.h: revision 1.19
sys/net/npf/npf_nat.c: revision 1.16
sys/net/npf/npf_state.c: revision 1.11
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.5
usr.sbin/npf/npfctl/npf_parse.y: revision 1.12
- Extend npftest: add ruleset inspection testing from the config generated
by npfctl debug functionality. Auto-create npftest interfaces for this.
- NPF sessions: combine protocol and interface into a separate substructure,
share between the entries and thus fix the handling of them. Constify.
- npftest: add regression tests for NAT policies.
- npf_build_nat: simplify and fix bi-NAT regression.
- Bump yacc stack size for npfctl.
 1.10.2.4 16-Jul-2012  riz Pull up following revision(s) (requested by rmind in ticket #421):
lib/libnpf/npf.c: revision 1.10
sys/net/npf/npf_session.c: revision 1.15
sys/net/npf/npf_tableset.c: revision 1.13
sys/net/npf/npf_state_tcp.c: revision 1.9
usr.sbin/npf/npfctl/npf_data.c: revision 1.15
sys/net/npf/npf_inet.c: revision 1.14
sys/net/npf/npf_ruleset.c: revision 1.13
sys/net/npf/npf.h: revision 1.19
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.12
sys/net/npf/npf_instr.c: revision 1.13
sys/net/npf/npf_handler.c: revision 1.20
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.4
sys/net/npf/npf_alg_icmp.c: revision 1.10
usr.sbin/npf/npfctl/npfctl.c: revision 1.15
usr.sbin/npf/npfctl/npf_build.c: revision 1.11
lib/libnpf/npf.h: revision 1.9
sys/net/npf/npf_alg.c: revision 1.5
sys/rump/dev/lib/libnpf/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.h: revision 1.17
sys/net/npf/npf_ctl.c: revision 1.16
sys/net/npf/npf_nat.c: revision 1.15
sys/net/npf/npf_tableset_ptree.c: revision 1.1
sys/net/npf/npf.c: revision 1.12
sys/net/npf/npf_sendpkt.c: revision 1.12
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.7
sys/net/npf/npf_impl.h: revision 1.18
sys/net/npf/files.npf: revision 1.7
usr.sbin/npf/npfctl/npf_parse.y: revision 1.10
- Rework NPF tables and fix support for IPv6. Implement tree table type
using radix / Patricia tree. Universal IPv4/IPv6 comparator for ptree(3)
was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.
 1.10.2.3 05-Jul-2012  riz Pull up following revision(s) (requested by rmind in ticket #399):
sys/net/npf/npf_session.c: revision 1.14
sys/net/npf/npf_tableset.c: revision 1.12
sys/net/npf/npf_state_tcp.c: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.3
usr.sbin/npf/npfctl/npf_data.c: revision 1.14
sys/net/npf/npf_inet.c: revision 1.13
sys/net/npf/npf_ruleset.c: revision 1.12
sys/net/npf/npf.h: revision 1.18
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.8: revision 1.7
usr.sbin/npf/npfctl/npf_parse.y: revision 1.9
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.2
usr.sbin/npf/npfctl/npfctl.8: revision 1.8
sys/net/npf/npf_instr.c: revision 1.12
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.3
usr.sbin/npf/npfctl/npf.conf.5: revision 1.13
usr.sbin/npf/npfctl/npf.conf.5: revision 1.14
sys/net/npf/npf_state.c: revision 1.9
sys/net/npf/npf_processor.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.c: revision 1.13
usr.sbin/npf/npfctl/npfctl.c: revision 1.14
usr.sbin/npf/npfctl/npf_build.c: revision 1.10
lib/libnpf/npf.3: revision 1.5
lib/libnpf/npf.h: revision 1.8
share/man/man9/npf_ncode.9: revision 1.9
usr.sbin/npf/npfctl/npf_scan.l: revision 1.4
lib/libnpf/npf.c: revision 1.9
usr.sbin/npf/npfctl/npfctl.h: revision 1.16
sys/net/npf/npf_nat.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.2
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.6
sys/net/npf/npf_impl.h: revision 1.17
sys/net/npf/npf_handler.c: revision 1.18
sys/net/npf/npf_handler.c: revision 1.19
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.4
sys/net/npf/npf_ncode.h: revision 1.9
Fix and update npf.conf(5), npfctl(8) and its usage message.
npf_state_tcp: fix for FIN retransmission and out-of-order ACK case.
NPF improvements:
- Add NPF_OPCODE_PROTO to match the address and/or protocol only.
- Update parser to support arbitrary &quot;pass proto &lt;name/number&gt;&quot;.
- Fix IPv6 address and protocol handling (add a regression test).
- Fix few theorethical races in session handling module.
- Misc fixes, simplifications and some clean up.
npf_packet_handler: fix gcc unused warning.
 1.10.2.2 26-Jun-2012  riz Pull up following revision(s) (requested by rmind in ticket #365):
sys/rump/librump/rumpkern/rumpcpu_generic.c: revision 1.4
sys/net/npf/npf_session.c: revision 1.13
sys/net/npf/npf_tableset.c: revision 1.11
sys/net/npf/npf_state_tcp.c: revision 1.7
sys/net/npf/npf_inet.c: revision 1.12
sys/net/npf/npf.h: revision 1.17
sys/net/npf/npf_instr.c: revision 1.11
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.2
sys/net/npf/npf_state.c: revision 1.8
sys/net/npf/npf_log.c: revision 1.4
sys/net/npf/npf_alg.c: revision 1.4
sys/rump/librump/rumpkern/Makefile.rumpkern: revision 1.118
sys/net/npf/npf_nat.c: revision 1.13
sys/net/npf/npf.c: revision 1.11
sys/net/npf/npf_sendpkt.c: revision 1.11
sys/net/npf/npf_impl.h: revision 1.16
sys/rump/librump/rumpkern/scheduler.c: revision 1.28
rumpkern:
- Add subr_kcpuset.c and subr_pserialize.c modules.
- Add kcpuset_{running,attached} for RUMP env.
NPF:
- Rename some functions for consistency and de-inline them.
- Fix few invalid asserts (add regressoin test).
- Use pserialize(9) for ALG interface.
- Minor fixes, sprinkle many comments.
 1.10.2.1 03-Apr-2012  riz Pull up following revision(s) (requested by rmind in ticket #158):
sys/net/npf/npf_session.c: revision 1.12
sys/net/npf/npf_tableset.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.2
usr.sbin/npf/npfctl/npf_parse.y: revision 1.4
sys/net/npf/npf_inet.c: revision 1.11
sys/net/npf/npf.h: revision 1.15
usr.sbin/npf/npfctl/npf_build.c: revision 1.5
sys/net/npf/npf_ruleset.c: revision 1.11
sys/net/npf/npf_instr.c: revision 1.10
usr.sbin/npf/npfctl/Makefile: revision 1.6
sys/net/npf/npf_processor.c: revision 1.10
sys/net/npf/npf_log.c: revision 1.3
lib/libnpf/npf.h: revision 1.7
sys/net/npf/npf_alg.c: revision 1.3
sys/net/npf/npf_sendpkt.c: revision 1.9
lib/libnpf/npf.c: revision 1.8
usr.sbin/npf/npfctl/npfctl.h: revision 1.13
sys/net/npf/npf_ctl.c: revision 1.13
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.8
sys/net/npf/npf_ctl.c: revision 1.14
sys/net/npf/npf_nat.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.12
sys/net/npf/npf_impl.h: revision 1.11
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.1
sys/net/npf/npf_impl.h: revision 1.12
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.2
sys/net/npf/npf_handler.c: revision 1.14
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.3
sys/net/npf/npf_handler.c: revision 1.15
sys/net/npf/npf_ncode.h: revision 1.6
sys/net/npf/npf.c: revision 1.8
sys/net/npf/npf.c: revision 1.9
sys/net/npf/npf_alg_icmp.c: revision 1.9
sys/net/npf/npf_session.c: revision 1.11
- Add NPF_DECISION_BLOCK and NPF_DECISION_PASS. Be more defensive in the
packet handler. Change the default policy to block when the config is
loaded and set it to pass when flush operation is performed.
- Use kmem_zalloc(9) instead of kmem_alloc(9) in few places.
- npf_rproc_{create,release}: use kmem_intr_{alloc,free} as the destruction
of rule procedure might happen in the interrupt handler (under a very rare
condition, if config reload races with the handler).
- npf_session_establish: check whether layer 3 and 4 are cached.
- npfctl_build_group: do not make groups as passing rules.
- Remove some unecessary header inclusion.
Simplify slightly: merge iface into addr_or_iface, use it in filt_addr.
Add a small disassembler.
definitions used by the disassembler.
- better printing of type/code flags/mask
- pass the instruction start pointer, instead of subtracting 1 to account for it
- Save active config in proplib dictionary; add GETCONF ioctl to retrieve.
- Few fixes. Improve some comments.
don't leak the branch target array.
Add NPF config retrieval routines.
 1.10.2.8.2.1 17-Nov-2013  bouyer Pull up following revision(s) (requested by rmind in ticket #985):
sys/net/npf/npf_impl.h: revision 1.35
sys/net/npf/npf_nat.c: revision 1.21
sys/net/npf/npf_session.c: revision 1.26
npf_session_setnat: fix the race condition when the old connection is still
being expired while a new/duplicate is being created.
 1.17.2.4 03-Dec-2017  jdolecek update from HEAD
 1.17.2.3 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.17.2.2 23-Jun-2013  tls resync from head
 1.17.2.1 25-Feb-2013  tls resync with head
 1.20.2.1 18-May-2014  rmind sync with head
 1.27.2.1 10-Aug-2014  tls Rebase.
 1.32.2.6 12-May-2017  snj Pull up following revision(s) (requested by jnemeth in ticket #1394):
sys/net/npf/npf_inet.c: revisions 1.34, 1.35 via patch
sys/net/npf/npf_mbuf.c: revision 1.16
sys/net/npf/npf_nat.c: revision 1.40
minimal changes necessary to link into an INET6-less kernel.
--
fixup misplaced #endif
 1.32.2.5 04-Jan-2015  martin Pull up following revision(s) (requested by rmind in ticket #374):
sys/net/npf/npf_nat.c: revision 1.39
Don't forget to destroy the mutex before freeing the nat struct on a failed
load.
 1.32.2.4 22-Dec-2014  msaitoh Pull up following revision(s) (requested by rmind in ticket #347):
sys/net/npf/npf_nat.c: revision 1.38
sys/net/npf/npf_conn.h: revision 1.8
sys/net/npf/npf_conn.c: revision 1.14
NPF: set the connection flags atomically in the post-creation logic and
fix a tiny race condition window. Might fix PR/49488.
 1.32.2.3 01-Dec-2014  martin Pull up following revision(s) (requested by rmind in ticket #280):
sys/net/npf/npf_ruleset.c: revision 1.40
sys/net/npf/npf_nat.c: revision 1.36
sys/net/npf/npf_nat.c: revision 1.37
sys/net/npf/npf_conn.h: revision 1.7
sys/net/npf/npf_conf.c: revision 1.9
sys/net/npf/npf_ruleset.c: revision 1.39
sys/net/npf/npf_conn.c: revision 1.13
sys/net/npf/npf_impl.h: revision 1.60
NPF:
- npf_nat_import: take the port only if using the portmap.
- Sprinkle some comments and asserts.
- npf_config_load: if loading the connections, do not perform any actice
NAT policy take over or or portmap sharing - just replace them all.
- npf_config_fini: flush with the empty connection database.
- npf_nat_import: fix the stat counter.
 1.32.2.2 01-Dec-2014  martin Pull up following revision(s) (requested by rmind in ticket #274):
sys/net/npf/npf_nat.c: revision 1.35
sys/net/npf/npf_ruleset.c: revision 1.38
NPF: fix the reference counting and share the active NAT portmap correctly
when performing the reload. Should fixes PR/49412, reported by kardel@.
 1.32.2.1 29-Aug-2014  martin Pull up following revision(s) (requested by rmind in ticket #56):
sys/net/npf/npf_ctl.c: revision 1.39
usr.sbin/npf/npfctl/npfctl.c: revision 1.43
lib/libnpf/npf.c: revision 1.33
lib/libnpf/npf.c: revision 1.34
sys/net/npf/npf_impl.h: revision 1.59
sys/net/npf/npf_ctl.c: revision 1.40
sys/net/npf/npf_conn.c: revision 1.11
sys/net/npf/npf_alg.c: revision 1.15
sys/net/npf/npf_conn.c: revision 1.12
sys/net/npf/npf_nat.c: revision 1.33
sys/net/npf/npf_nat.c: revision 1.34
Add and use npf_alg_export().
npf_conn_import: handle NAT metadata correctly.
npf_nat_newpolicy: restore the policy ID.
npfctl_load: fix error code handling for the limit cases.
npf_config_import: fix the inverted logic.
npfctl_load: improve error handling.
npf_conn_import: add a missing stat counter increment.
npf_nat_import: add a missing reference and make a comment.
npf_config_submit: finally, include the saved connections.
 1.35.2.3 05-Feb-2017  skrll Sync with HEAD
 1.35.2.2 19-Mar-2016  skrll Sync with HEAD
 1.35.2.1 06-Apr-2015  skrll Sync with HEAD
 1.40.2.1 07-Jan-2017  pgoyette Sync with HEAD. (Note that most of these changes are simply $NetBSD$
tag issues.)
 1.41.14.4 26-Jan-2019  pgoyette Sync with HEAD
 1.41.14.3 30-Sep-2018  pgoyette Ssync with HEAD
 1.41.14.2 21-May-2018  pgoyette Sync with HEAD
 1.41.14.1 02-May-2018  pgoyette Synch with HEAD
 1.41.8.1 05-May-2018  martin Pull up following revision(s) (requested by prlw1 in ticket #795):

sys/net/npf/npf_nat.c: revision 1.42

PR/53207: David Binderman: Use logical and
 1.43.2.2 13-Apr-2020  martin Mostly merge changes from HEAD upto 20200411
 1.43.2.1 10-Jun-2019  christos Sync with HEAD
 1.46.2.4 20-Jun-2020  martin Pull up following revision(s) (requested by rmind in ticket #956):

usr.sbin/npf/npf-params.7: revision 1.4
sys/net/npf/npf_worker.c: revision 1.9
usr.sbin/npf/npftest/npftest.h: revision 1.17
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.16
usr.sbin/npf/npf-params.7: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.21
usr.sbin/npf/npfctl/npf_build.c: revision 1.55
usr.sbin/npf/npf-params.7: revision 1.6
sys/net/npf/npfkern.h: revision 1.5
lib/libnpf/npf.c: revision 1.49
usr.sbin/npf/npf-params.7: revision 1.7
sys/net/npf/npf_impl.h: revision 1.81
sys/net/npf/npf_ext_log.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.h: revision 1.53
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.50
sys/net/npf/npf_mbuf.c: revision 1.24
sys/net/npf/npf_alg.c: revision 1.22
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: file removal
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.10
sys/net/npf/npf.h: revision 1.63
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.21
usr.sbin/npf/npfctl/npf_var.c: revision 1.13
sys/net/npf/files.npf: revision 1.23
usr.sbin/npf/npfctl/npf_show.c: revision 1.32
usr.sbin/npf/npfctl/npf.conf.5: revision 1.91
sys/net/npf/npf_os.c: revision 1.18
sys/net/npf/npf_connkey.c: revision 1.2
sys/net/npf/npf_conf.c: revision 1.17
lib/libnpf/libnpf.3: revision 1.12
usr.sbin/npf/npftest/npftest.c: revision 1.25
usr.sbin/npf/npftest/libnpftest/npf_gc_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.51
sys/net/npf/npf_tableset.c: revision 1.35
usr.sbin/npf/npftest/npftest.conf: revision 1.9
sys/net/npf/npf_sendpkt.c: revision 1.22
usr.sbin/npf/npfctl/npf_var.h: revision 1.10
sys/net/npf/npf_state.c: revision 1.23
sys/net/npf/npf_conn.h: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.64
usr.sbin/npf/npfctl/npf_cmd.c: revision 1.1
sys/net/npf/npf_portmap.c: revision 1.5
sys/net/npf/npf_params.c: revision 1.3
usr.sbin/npf/npfctl/npf_scan.l: revision 1.32
tests/net/npf/t_npf.sh: revision 1.4
sys/net/npf/npf_ext_rndblock.c: revision 1.9
lib/libnpf/npf.h: revision 1.39
sys/net/npf/npf_ruleset.c: revision 1.51
sys/net/npf/npf_alg_icmp.c: revision 1.33
sys/net/npf/npf.c: revision 1.43
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.8: revision 1.25
sys/net/npf/npf_ctl.c: revision 1.60
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.11
sys/net/npf/npf_handler.c: revision 1.49
sys/net/npf/npf_inet.c: revision 1.57
sys/net/npf/npf_ifaddr.c: revision 1.7
sys/net/npf/npf_conndb.c: revision 1.9
sys/net/npf/npf_if.c: revision 1.13
usr.sbin/npf/npfctl/Makefile: revision 1.15
sys/net/npf/npf_conn.c: revision 1.32
sys/net/npf/npf_ext_normalize.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.20
sys/net/npf/npf_worker.c: revision 1.8

Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.

npf_worker_sys{init,fini}: initialize/destroy the exit_cv condvar.

npftest -- npf_test_init(): add a workaround for NetBSD.

npf-params(7): fix the state.key defaults.

npf-params.7: s/filer/filter/

Adjust to "npfctl debug" command line changes, from rmind@.

Use more markup.
 1.46.2.3 25-May-2020  martin Pull up following revision(s) (requested by rmind in ticket #930):

usr.sbin/npf/npfctl/npf_build.c: revision 1.54
sys/net/npf/npf_conn.h: revision 1.19
usr.sbin/npf/npfctl/npfctl.h: revision 1.52
usr.sbin/npf/npfctl/npf_show.c: revision 1.31
sys/net/npf/npf_conf.c: revision 1.16
sys/net/npf/npf_nat.c: revision 1.49
sys/net/npf/npf_inet.c: revision 1.56
sys/net/npf/npf_conndb.c: revision 1.8
sys/net/npf/npf_conn.c: revision 1.31

Backport selected NPF fixes from the upstream (to be pulled up):

- npf_conndb_lookup: protect the connection lookup with pserialize(9),
instead of incorrectly assuming that the handler always runs at IPL_SOFNET.
Should fix crashes reported on high load (PR/55182).

- npf_config_destroy: handle partially initialized config; fixes crashes
with some invalid configurations.

- NAT policy creation / destruction: set the initial reference and do not
wait for reference draining on destruction; destroy the policy on the
last reference drop instead. Fixes a lockup with the dynamic NAT rules.

- npf_nat_{export,import}: fix a regression since dynamic NAT rules.

- npfctl: fix a regression and restore the default group behaviour.

- Add npf_cache_tcp() and validate the TCP data offset (from maxv@).
 1.46.2.2 01-Sep-2019  martin Pull up following revision(s) (requested by rmind in ticket #141):

usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.15
sys/net/npf/npf_alg.c: revision 1.21
sys/net/npf/npf.h: revision 1.62
sys/net/npf/npf_ctl.c: revision 1.57
sys/net/npf/npf_ctl.c: revision 1.58
sys/net/npf/npf_os.c: revision 1.16
sys/net/npf/npf_os.c: revision 1.17
sys/net/npf/npf_conf.c: revision 1.15
sys/net/npf/npf_impl.h: revision 1.78
sys/sys/mbuf.h: revision 1.220
sys/net/npf/npf_impl.h: revision 1.79
sys/net/npf/npf.c: revision 1.41
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.19
sys/net/npf/npf_nat.c: revision 1.48
sys/net/npf/npf_handler.c: revision 1.48
sys/net/npf/npf_ifaddr.c: revision 1.6

- npfctl_load_nvlist: simplify the config loading logic.
- Fix a small race condition in npf_nat_getaddr().
- Rework pserialize/EBR wrappers, make it easier to maintain.
Move PACKET_TAG_NPF where it belongs to.
Make npfctl_switch() and pfil private to OS-specific module.
 1.46.2.1 13-Aug-2019  martin Pull up following revision(s) (requested by rmind in ticket #49):

usr.sbin/npf/npf.7: revision 1.7
sys/net/npf/npfkern.h: revision 1.4
sys/net/npf/npf_conn.h: revision 1.18
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.13
sys/net/npf/npf_ctl.c: revision 1.55
sys/net/npf/npf_os.c: revision 1.14
sys/net/npf/npf_conf.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/npf_perf_test.c: revision 1.9
sys/net/npf/npf_impl.h: revision 1.76
sys/net/npf/npf_portmap.c: revision 1.4
sys/net/npf/npf_params.c: revision 1.2
sys/net/npf/npf.c: revision 1.40
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.18
sys/net/npf/npf_nat.c: revision 1.47
sys/net/npf/npf_handler.c: revision 1.47
sys/net/npf/npf_inet.c: revision 1.55
sys/net/npf/npf_if.c: revision 1.10
sys/net/npf/npf_worker.c: revision 1.7
usr.sbin/npf/npf-params.7: revision 1.3

npf-params(7): add more bpf.jit details.
From David H. Gutteridge.

Adjust some internal NPF APIs:
* npfkern: use the npfk_ prefix.
* NPF portmap: amend the API so it could be used elsewhere.
* Make npf_connkey_t public.

npf.7: add xref to npf-params.7
(Adding directly here since this particular file isn't included in
rmind@'s upstream GitHub repo at present.)
 1.53.6.1 02-Aug-2025  perseant Sync with HEAD
 1.12 19-Sep-2013  rmind NPF: G/C n-code in favour of BPF byte-code. Delete lots of code, mmm!
 1.11 09-Feb-2013  rmind branches: 1.11.2;
NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
 1.10 19-Jul-2012  spz branches: 1.10.2;
teach npf ipv6-icmp
reviewed by rmind@
 1.9 01-Jul-2012  rmind NPF improvements:
- Add NPF_OPCODE_PROTO to match the address and/or protocol only.
- Update parser to support arbitrary "pass proto <name/number>".
- Fix IPv6 address and protocol handling (add a regression test).
- Fix few theorethical races in session handling module.
- Misc fixes, simplifications and some clean up.
 1.8 15-Jun-2012  rmind - Rework NPF NAT syntax to be more structured and support future additions
of different types and configurations of NAT.
- npfctl: improve disassemble and show-config command functionality.
- Fix custom ICMP code and type filtering.
 1.7 14-Apr-2012  rmind Update rumpdev_npf; use WARNS=4.
 1.6 10-Mar-2012  christos definitions used by the disassembler.
 1.5 04-Nov-2011  zoltan branches: 1.5.4; 1.5.6;
Add IPv6 support for NPF.
 1.4 18-Dec-2010  rmind branches: 1.4.6; 1.4.10;
NPF checkpoint:
- Add support for session saving/restoring.
- Add packet logging support (can tcpdump a pseudo-interface).
- Support reload without flushing of sessions; rework some locking.
- Revisit session mangement, replace linking with npf_sentry_t entries.
- Add some counters for statistics, using percpu(9).
- Add IP_DF flag cleansing.
- Fix various bugs; misc clean-up.
 1.3 11-Nov-2010  rmind NPF checkpoint:
- Add proper TCP state tracking as described in Guido van Rooij paper,
plus handle TCP Window Scaling option.
- Completely rework npf_cache_t, reduce granularity, simplify code.
- Add npf_addr_t as an abstraction, amend session handling code, as well
as NAT code et al, to use it. Now design is prepared for IPv6 support.
- Handle IPv4 fragments i.e. perform packet reassembly.
- Add support for IPv4 ID randomization and minimum TTL enforcement.
- Add support for TCP MSS "clamping".
- Random bits for IPv6. Various fixes and clean-up.
 1.2 16-Sep-2010  rmind branches: 1.2.2; 1.2.4;
NPF checkpoint:
- Add support for bi-directional NAT and redirection / port forwarding.
- Finish filtering on ICMP type/code and add filtering on TCP flags.
- Add support for TCP reset (RST) or ICMP destination unreachable on block.
- Fix a bunch of bugs; misc cleanup.
 1.1 22-Aug-2010  rmind Import NPF - a packet filter. Some features:

- Designed to be fully MP-safe and highly efficient.

- Tables/IP sets (hash or red-black tree) for high performance lookups.

- Stateful filtering and Network Address Port Translation (NAPT).
Framework for application level gateways (ALGs).

- Packet inspection engine called n-code processor - inspired by BPF -
supporting generic RISC-like and specific CISC-like instructions for
common patterns (e.g. IPv4 address matching). See npf_ncode(9) manual.

- Convenient userland utility npfctl(8) with npf.conf(8).

NOTE: This is not yet a fully capable alternative to PF or IPFilter.
Further work (support for binat/rdr, return-rst/return-icmp, common ALGs,
state saving/restoring, logging, etc) is in progress.

Thanks a lot to Matt Thomas for various useful comments and code review.
Aye by: board@
 1.2.4.2 22-Oct-2010  uebayasi Sync with HEAD (-D20101022).
 1.2.4.1 16-Sep-2010  uebayasi file npf_ncode.h was added on branch uebayasi-xip on 2010-10-22 09:23:15 +0000
 1.2.2.2 09-Oct-2010  yamt sync with head
 1.2.2.1 16-Sep-2010  yamt file npf_ncode.h was added on branch yamt-nfs-mp on 2010-10-09 03:32:37 +0000
 1.4.10.4 22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.4.10.3 30-Oct-2012  yamt sync with head
 1.4.10.2 17-Apr-2012  yamt sync with head
 1.4.10.1 10-Nov-2011  yamt sync with head
 1.4.6.2 05-Mar-2011  rmind sync with head
 1.4.6.1 18-Dec-2010  rmind file npf_ncode.h was added on branch rmind-uvmplock on 2011-03-05 20:55:55 +0000
 1.5.6.5 11-Feb-2013  riz Pull up following revision(s) (requested by rmind in ticket #817):
usr.sbin/npf/npfctl/npfctl.8: revision 1.12
usr.sbin/npf/npfctl/npf.conf.5: revision 1.27
usr.sbin/npf/npfctl/npf_parse.y: revision 1.18
usr.sbin/npf/npfctl/npf_build.c: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.28
lib/libnpf/npf.c: revision 1.16
usr.sbin/npf/npfctl/npfctl.c: revision 1.29
lib/libnpf/npf.c: revision 1.17
sys/modules/npf/Makefile: revision 1.12
sys/net/npf/npf_rproc.c: revision 1.6
usr.sbin/npf/npftest/README: revision 1.4
sys/net/npf/npf_tableset.c: revision 1.17
sys/net/npf/npf_ctl.c: revision 1.21
sys/net/npf/npf_ctl.c: revision 1.22
usr.sbin/npf/npfctl/npfctl.h: revision 1.25
lib/libnpf/npf.h: revision 1.13
usr.sbin/npf/npftest/npftest.conf: revision 1.2
usr.sbin/npf/npfctl/npfctl.h: revision 1.26
sys/net/npf/npf_ruleset.c: revision 1.17
lib/libnpf/npf.h: revision 1.14
sys/net/npf/npf_ruleset.c: revision 1.18
sys/net/npf/npf_conf.c: revision 1.1
usr.sbin/npf/npfctl/npf_scan.l: revision 1.10
sys/net/npf/npf_conf.c: revision 1.2
sys/net/npf/npf_instr.c: revision 1.16
sys/net/npf/npf_handler.c: revision 1.26
sys/net/npf/npf_impl.h: revision 1.26
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.14
sys/net/npf/npf_processor.c: revision 1.15
sys/net/npf/npf_impl.h: revision 1.27
sys/net/npf/npf_alg_icmp.c: revision 1.15
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.15
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.16
sys/net/npf/npf_ncode.h: revision 1.11
sys/net/npf/files.npf: revision 1.10
usr.sbin/npf/npftest/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.c: revision 1.30
lib/libnpf/npf.3: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.4
sys/net/npf/npf_session.c: revision 1.21
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.5
usr.sbin/npf/npfctl/npf_build.c: revision 1.18
usr.sbin/npf/npfctl/npf_build.c: revision 1.19
sys/net/npf/npf_alg.c: revision 1.7
usr.sbin/npf/npfctl/Makefile: revision 1.10
sys/net/npf/npf_inet.c: revision 1.21
sys/net/npf/npf.h: revision 1.26
sys/net/npf/npf.h: revision 1.27
usr.sbin/pf/ftp-proxy/Makefile: revision 1.8
sys/net/npf/npf_nat.c: revision 1.19
sys/net/npf/npf.c: revision 1.15
sys/net/npf/npf_state.c: revision 1.14
sys/net/npf/npf_sendpkt.c: revision 1.14
sys/rump/net/lib/libnpf/Makefile: revision 1.4
IPv6 linklocal address printing cosmetics
NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
Disable -DWITH_NPF for now; will be converted to BPF mechanism.
- Fix NPF config reload with dynamic rules present.
- Implement list and flush commands on a dynamic ruleset.
Allow filtering on IP addresses even if the L4 protocol is unknown.
Patch from spz@.
npftest: adjust for recent change.
 1.5.6.4 25-Jul-2012  jdc Pull up revisions:
src/usr.sbin/npf/npfctl/npfctl.c revisions 1.16,1.17
src/sys/net/npf/npf.h revision 1.20
src/sys/net/npf/npf_alg_icmp.c revision 1.11
src/sys/net/npf/npf_impl.h revision 1.19
src/sys/net/npf/npf_inet.c revisions 1.15,1.16
src/sys/net/npf/npf_instr.c revision 1.14
src/sys/net/npf/npf_ncode.h revision 1.10
src/sys/net/npf/npf_processor.c revision 1.12
src/sys/net/npf/npf_session.c revision 1.16
src/usr.sbin/npf/npfctl/npf_build.c revision 1.12
src/usr.sbin/npf/npfctl/npf_data.c revisions 1.16,1.17
src/usr.sbin/npf/npfctl/npf_disassemble.c revision 1.8
src/usr.sbin/npf/npfctl/npf_ncgen.c revision 1.13
src/usr.sbin/npf/npfctl/npf_parse.y revision 1.11
src/usr.sbin/npf/npfctl/npf_scan.l revision 1.5
src/usr.sbin/npf/npfctl/npf_var.h revision 1.3
src/usr.sbin/npf/npfctl/npfctl.h revision 1.18
src/sys/net/npf/npf_state.c revision 1.10
src/sys/net/npf/npf_state_tcp.c revision 1.10
src/usr.sbin/npf/npftest/npfstream.c revision 1.2
src/usr.sbin/npf/npftest/libnpftest/npf_test_subr.c revision 1.2
(requested by rmind in ticket #435).

Add missing __dead.

teach npf ipv6-icmp
reviewed by rmind@

- npfctl_print_stats: beautification a la French style.
- npfctl_icmpcode: fix the build break.

- npf_fetch_tcpopts: fix off-by-one when validating TCP option length
against the maximum allowed.
- npf_tcp_inwindow: be more liberal with npf_fetch_tcpopts().
- Few minor improvements to npftest.
 1.5.6.3 05-Jul-2012  riz Pull up following revision(s) (requested by rmind in ticket #399):
sys/net/npf/npf_session.c: revision 1.14
sys/net/npf/npf_tableset.c: revision 1.12
sys/net/npf/npf_state_tcp.c: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.3
usr.sbin/npf/npfctl/npf_data.c: revision 1.14
sys/net/npf/npf_inet.c: revision 1.13
sys/net/npf/npf_ruleset.c: revision 1.12
sys/net/npf/npf.h: revision 1.18
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.8: revision 1.7
usr.sbin/npf/npfctl/npf_parse.y: revision 1.9
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.2
usr.sbin/npf/npfctl/npfctl.8: revision 1.8
sys/net/npf/npf_instr.c: revision 1.12
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.3
usr.sbin/npf/npfctl/npf.conf.5: revision 1.13
usr.sbin/npf/npfctl/npf.conf.5: revision 1.14
sys/net/npf/npf_state.c: revision 1.9
sys/net/npf/npf_processor.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.c: revision 1.13
usr.sbin/npf/npfctl/npfctl.c: revision 1.14
usr.sbin/npf/npfctl/npf_build.c: revision 1.10
lib/libnpf/npf.3: revision 1.5
lib/libnpf/npf.h: revision 1.8
share/man/man9/npf_ncode.9: revision 1.9
usr.sbin/npf/npfctl/npf_scan.l: revision 1.4
lib/libnpf/npf.c: revision 1.9
usr.sbin/npf/npfctl/npfctl.h: revision 1.16
sys/net/npf/npf_nat.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.2
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.6
sys/net/npf/npf_impl.h: revision 1.17
sys/net/npf/npf_handler.c: revision 1.18
sys/net/npf/npf_handler.c: revision 1.19
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.4
sys/net/npf/npf_ncode.h: revision 1.9
Fix and update npf.conf(5), npfctl(8) and its usage message.
npf_state_tcp: fix for FIN retransmission and out-of-order ACK case.
NPF improvements:
- Add NPF_OPCODE_PROTO to match the address and/or protocol only.
- Update parser to support arbitrary &quot;pass proto &lt;name/number&gt;&quot;.
- Fix IPv6 address and protocol handling (add a regression test).
- Fix few theorethical races in session handling module.
- Misc fixes, simplifications and some clean up.
npf_packet_handler: fix gcc unused warning.
 1.5.6.2 26-Jun-2012  riz Pull up following revision(s) (requested by rmind in ticket #354):
sys/net/npf/npf_state_tcp.c: revision 1.4
sys/net/npf/npf_state_tcp.c: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.6
usr.sbin/npf/npftest/npftest.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.1
usr.sbin/npf/npftest/npftest.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.2
usr.sbin/npf/npfctl/npf_data.c: revision 1.11
usr.sbin/npf/npftest/npftest.c: revision 1.3
usr.sbin/npf/npfctl/npf_data.c: revision 1.12
usr.sbin/npf/npftest/npftest.h: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.5
usr.sbin/npf/npfctl/npf_data.c: revision 1.13
sys/net/npf/npf.h: revision 1.16
usr.sbin/npf/npftest/npftest.h: revision 1.2
usr.sbin/npf/npfctl/npf_parse.y: revision 1.6
usr.sbin/npf/npftest/npftest.h: revision 1.3
usr.sbin/npf/npfctl/npf_parse.y: revision 1.7
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.10
usr.sbin/npf/npfctl/npf_build.c: revision 1.6
usr.sbin/npf/npfctl/npf_parse.y: revision 1.8
usr.sbin/npf/npfctl/npf_build.c: revision 1.7
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_build.c: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_build.c: revision 1.9
usr.sbin/npf/npfctl/npf.conf.5: revision 1.10
usr.sbin/npf/npfctl/npf.conf.5: revision 1.11
usr.sbin/npf/npfctl/npf.conf.5: revision 1.12
sys/net/npf/npf_state.c: revision 1.7
usr.sbin/npf/npfctl/npfctl.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.c: revision 1.12
usr.sbin/npf/npfctl/Makefile: revision 1.7
sys/rump/net/lib/libnet/Makefile: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.7
usr.sbin/npf/npftest/Makefile: revision 1.1
usr.sbin/npf/npftest/Makefile: revision 1.2
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.1
usr.sbin/npf/npfctl/npf_scan.l: revision 1.2
usr.sbin/npf/npftest/npfstream.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.2
usr.sbin/npf/npfctl/npf_scan.l: revision 1.3
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.3
usr.sbin/npf/npfctl/npfctl.h: revision 1.12
sys/rump/dev/lib/libnpf/Makefile: revision 1.2
usr.sbin/npf/npfctl/npfctl.h: revision 1.14
sys/rump/dev/lib/libnpf/Makefile: revision 1.3
usr.sbin/npf/npfctl/npfctl.h: revision 1.15
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.9
sys/net/npf/npf_ctl.c: revision 1.15
usr.sbin/npf/npfctl/npf_var.c: revision 1.4
usr.sbin/npf/npfctl/npf_var.h: revision 1.2
usr.sbin/npf/npfctl/npf_var.c: revision 1.5
sys/net/npf/npf_impl.h: revision 1.13
sys/net/npf/npf_sendpkt.c: revision 1.10
sys/net/npf/npf_impl.h: revision 1.14
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.4
sys/net/npf/npf_impl.h: revision 1.15
sys/net/npf/npf_handler.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.5
sys/net/npf/npf_handler.c: revision 1.17
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.2
sys/net/npf/npf_ncode.h: revision 1.7
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.3
sys/net/npf/npf_ncode.h: revision 1.8
npf_tcp_inwindow: in a case of negative skew, bump the maximum seen value of
SEQ+LEN in the receiver's side correctly (using ACK from the sender's side).
PR/46265 from Changli Gao.
rumpnet_net: add pfil.c
Update rumpdev_npf; use WARNS=4.
Add initial NPF regression tests integrated with RUMP framework (running the
kernel part of NPF in userland). Other tests will be added once converted to
RUMP framework. All tests are in the public domain.
Some Makefile fixes from christos@.
- Fix double-free case on ICMP return case.
- npf_pfil_register: handle kernels without INET6 option correctly.
- Reduce some #ifdefs.
npfctl(8): add show-config command. Also, update syntax.
npftest: add a stream processor, which prints out the TCP state information.
A tool for debugging connection tracking from tcpdump -w captured data.
npftest: add a module for TCP state tracking and add few test cases.
npf_state_tcp: add an assert; fix some comments while here.
- Rework NPF NAT syntax to be more structured and support future additions
of different types and configurations of NAT.
- npfctl: improve disassemble and show-config command functionality.
- Fix custom ICMP code and type filtering.
make this compile again.
remove error(1) output
Remove superfluous Pp
- make each element of a variable hold a type
- change get_type to take an index, so we can get the individual types of
each element (since primitive elements can be in lists)
- make port_range primitive
- add a routine to convert a variable of primitives to a variable containing
- only port ranges.
remove extra rule that got merged...
 1.5.6.1 03-Apr-2012  riz Pull up following revision(s) (requested by rmind in ticket #158):
sys/net/npf/npf_session.c: revision 1.12
sys/net/npf/npf_tableset.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.2
usr.sbin/npf/npfctl/npf_parse.y: revision 1.4
sys/net/npf/npf_inet.c: revision 1.11
sys/net/npf/npf.h: revision 1.15
usr.sbin/npf/npfctl/npf_build.c: revision 1.5
sys/net/npf/npf_ruleset.c: revision 1.11
sys/net/npf/npf_instr.c: revision 1.10
usr.sbin/npf/npfctl/Makefile: revision 1.6
sys/net/npf/npf_processor.c: revision 1.10
sys/net/npf/npf_log.c: revision 1.3
lib/libnpf/npf.h: revision 1.7
sys/net/npf/npf_alg.c: revision 1.3
sys/net/npf/npf_sendpkt.c: revision 1.9
lib/libnpf/npf.c: revision 1.8
usr.sbin/npf/npfctl/npfctl.h: revision 1.13
sys/net/npf/npf_ctl.c: revision 1.13
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.8
sys/net/npf/npf_ctl.c: revision 1.14
sys/net/npf/npf_nat.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.12
sys/net/npf/npf_impl.h: revision 1.11
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.1
sys/net/npf/npf_impl.h: revision 1.12
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.2
sys/net/npf/npf_handler.c: revision 1.14
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.3
sys/net/npf/npf_handler.c: revision 1.15
sys/net/npf/npf_ncode.h: revision 1.6
sys/net/npf/npf.c: revision 1.8
sys/net/npf/npf.c: revision 1.9
sys/net/npf/npf_alg_icmp.c: revision 1.9
sys/net/npf/npf_session.c: revision 1.11
- Add NPF_DECISION_BLOCK and NPF_DECISION_PASS. Be more defensive in the
packet handler. Change the default policy to block when the config is
loaded and set it to pass when flush operation is performed.
- Use kmem_zalloc(9) instead of kmem_alloc(9) in few places.
- npf_rproc_{create,release}: use kmem_intr_{alloc,free} as the destruction
of rule procedure might happen in the interrupt handler (under a very rare
condition, if config reload races with the handler).
- npf_session_establish: check whether layer 3 and 4 are cached.
- npfctl_build_group: do not make groups as passing rules.
- Remove some unecessary header inclusion.
Simplify slightly: merge iface into addr_or_iface, use it in filt_addr.
Add a small disassembler.
definitions used by the disassembler.
- better printing of type/code flags/mask
- pass the instruction start pointer, instead of subtracting 1 to account for it
- Save active config in proplib dictionary; add GETCONF ioctl to retrieve.
- Few fixes. Improve some comments.
don't leak the branch target array.
Add NPF config retrieval routines.
 1.5.4.2 29-Apr-2012  mrg sync to latest -current.
 1.5.4.1 11-Mar-2012  mrg sync to latest -current
 1.10.2.2 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.10.2.1 25-Feb-2013  tls resync with head
 1.11.2.1 18-May-2014  rmind sync with head
 1.23 01-Jul-2025  joe kernel code for layer 2 filtering in NPF

reviewed by christos@
 1.22 20-Mar-2025  pgoyette Disable autounload for the npf module, until we can figure out why
it's causing panic during system startup.
 1.21 27-Jan-2021  christos branches: 1.21.24;
Don't silently ignore the errors from npfctl_run_op. We end up returning
packets to userland that are missing required fields (like in rule_add the
id of the rule) and npfctl aborts.
 1.20 25-Jan-2021  christos Fix locking issue: npf_default_pass needs to be called with the config lock
held.
 1.19 18-Aug-2020  maxv branches: 1.19.2;
Add missing cases, to prevent memory corruption.

Reported-by: syzbot+f8b8a689a3560dda27f7@syzkaller.appspotmail.com
 1.18 30-May-2020  rmind Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.

- Amend and improve the manual pages.
 1.17 25-Aug-2019  rmind ake npfctl_switch() and pfil private to OS-specific module.
 1.16 25-Aug-2019  rmind - npfctl_load_nvlist: simplify the config loading logic.
- Fix a small race condition in npf_nat_getaddr().
- Rework pserialize/EBR wrappers, make it easier to maintain.
 1.15 21-Aug-2019  rmind npfkern/libnpf: Add support for the table replace/swap operation.
Contributed by Timshel Knoll-Miller.
 1.14 11-Aug-2019  rmind Adjust some internal NPF APIs:
* npfkern: use the npfk_ prefix.
* NPF portmap: amend the API so it could be used elsewhere.
* Make npf_connkey_t public.
 1.13 10-Aug-2019  rmind Add the ifnet_t::if_npf_private field. Bump the kernel version.
Fixes PR/54098.
 1.12 23-Jul-2019  rmind branches: 1.12.2;
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.
 1.11 27-Feb-2019  mrg work around a GCC 7 vs sparc (32 bit) issue i haven't figured out
the real cause of yet.

mark npf_init() as non-static. for a yet-unknown reason, when this
function is inlined by the compiler (or a human!) into the single
caller, some CPUs end up in a hung state that can't be interrupted
eventually leading to system hang. eg:

[ 8.9693040] root on hme0
[ 8.9862690] nfs_boot: trying DHCP/BOOTP
xcall(cpu2,0xf0240ac8) from 0xf0241170: couldn't ping cpus: cpu1

is the symptom though sometimes nfs_boot is actually able to
complete mountroot before it hangs.


this may be a compiler bug but the symptom and the trigger are
far removed and my so-far reading of the "broken" npf_init
inlining has shown no issues, however, i haven't completed a
full scan of this asm in the past month so i'm commiting this
workaround for now.
 1.10 29-Sep-2018  rmind NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.
 1.9 11-Dec-2017  ozaki-r branches: 1.9.2; 1.9.4;
Rename IFNET_LOCK to IFNET_GLOBAL_LOCK

IFNET_LOCK will be used in another lock, if_ioctl_lock (might be renamed then).
 1.8 17-Nov-2017  ozaki-r branches: 1.8.2;
Provide macros for softnet_lock and KERNEL_LOCK hiding NET_MPSAFE switch

It reduces C&P codes such as "#ifndef NET_MPSAFE KERNEL_LOCK(1, NULL); ..."
scattered all over the source code and makes it easy to identify remaining
KERNEL_LOCK and/or softnet_lock that are held even if NET_MPSAFE.

No functional change
 1.7 20-Jul-2017  pgoyette The nof module depends on some stuff from the bpf module, so set the
required modules list accordingly.
 1.6 27-Jan-2017  ryo branches: 1.6.2; 1.6.6; 1.6.8;
Don't hold softnet_lock if NET_MPSAFE.

Some functions lock softnet_lock while waiting in pserialize_perform() in pfil_add_hook().
(e.g. key_timehandler(), etc)
 1.5 03-Jan-2017  rmind branches: 1.5.2; 1.5.4;
NPF: fix the interface table initialisation on load.
 1.4 02-Jan-2017  christos make this compile as a module.
 1.3 02-Jan-2017  rmind NPF: implement dynamic handling of interface addresses (the kernel part).
 1.2 26-Dec-2016  rmind Convert NPF to the latest pfil(9) changes.
 1.1 26-Dec-2016  christos Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)
 1.5.4.1 21-Apr-2017  bouyer Sync with HEAD
 1.5.2.3 20-Mar-2017  pgoyette Sync with HEAD
 1.5.2.2 07-Jan-2017  pgoyette Sync with HEAD. (Note that most of these changes are simply $NetBSD$
tag issues.)
 1.5.2.1 03-Jan-2017  pgoyette file npf_os.c was added on branch pgoyette-localcount on 2017-01-07 08:56:50 +0000
 1.6.8.2 02-Jan-2018  snj Pull up following revision(s) (requested by ozaki-r in ticket #456):
sys/arch/arm/sunxi/sunxi_emac.c: 1.9
sys/dev/ic/dwc_gmac.c: 1.43-1.44
sys/dev/pci/if_iwm.c: 1.75
sys/dev/pci/if_wm.c: 1.543
sys/dev/pci/ixgbe/ixgbe.c: 1.112
sys/dev/pci/ixgbe/ixv.c: 1.74
sys/kern/sys_socket.c: 1.75
sys/net/agr/if_agr.c: 1.43
sys/net/bpf.c: 1.219
sys/net/if.c: 1.397, 1.399, 1.401-1.403, 1.406-1.410, 1.412-1.416
sys/net/if.h: 1.242-1.247, 1.250, 1.252-1.257
sys/net/if_bridge.c: 1.140 via patch, 1.142-1.146
sys/net/if_etherip.c: 1.40
sys/net/if_ethersubr.c: 1.243, 1.246
sys/net/if_faith.c: 1.57
sys/net/if_gif.c: 1.132
sys/net/if_l2tp.c: 1.15, 1.17
sys/net/if_loop.c: 1.98-1.101
sys/net/if_media.c: 1.35
sys/net/if_pppoe.c: 1.131-1.132
sys/net/if_spppsubr.c: 1.176-1.177
sys/net/if_tun.c: 1.142
sys/net/if_vlan.c: 1.107, 1.109, 1.114-1.121
sys/net/npf/npf_ifaddr.c: 1.3
sys/net/npf/npf_os.c: 1.8-1.9
sys/net/rtsock.c: 1.230
sys/netcan/if_canloop.c: 1.3-1.5
sys/netinet/if_arp.c: 1.255
sys/netinet/igmp.c: 1.65
sys/netinet/in.c: 1.210-1.211
sys/netinet/in_pcb.c: 1.180
sys/netinet/ip_carp.c: 1.92, 1.94
sys/netinet/ip_flow.c: 1.81
sys/netinet/ip_input.c: 1.362
sys/netinet/ip_mroute.c: 1.147
sys/netinet/ip_output.c: 1.283, 1.285, 1.287
sys/netinet6/frag6.c: 1.61
sys/netinet6/in6.c: 1.251, 1.255
sys/netinet6/in6_pcb.c: 1.162
sys/netinet6/ip6_flow.c: 1.35
sys/netinet6/ip6_input.c: 1.183
sys/netinet6/ip6_output.c: 1.196
sys/netinet6/mld6.c: 1.90
sys/netinet6/nd6.c: 1.239-1.240
sys/netinet6/nd6_nbr.c: 1.139
sys/netinet6/nd6_rtr.c: 1.136
sys/netipsec/ipsec_output.c: 1.65
sys/rump/net/lib/libnetinet/netinet_component.c: 1.9-1.10
kmem_intr_free kmem_intr_[z]alloced memory
the underlying pools are the same but api-wise those should match
Unify IFEF_*_MPSAFE into IFEF_MPSAFE
There are already two flags for if_output and if_start, however, it seems such
MPSAFE flags are eventually needed for all if_XXX operations. Having discrete
flags for each operation is wasteful of if_extflags bits. So let's unify
the flags into one: IFEF_MPSAFE.
Fortunately IFEF_*_MPSAFE flags have never been included in any releases, so
we can change them without breaking backward compatibility of the releases
(though the kernel version of -current should be bumped).
Note that if an interface have both MP-safe and non-MP-safe operations at a
time, we have to set the IFEF_MPSAFE flag and let callees of non-MP-safe
opeartions take the kernel lock.
Proposed on tech-kern@ and tech-net@
Provide macros for softnet_lock and KERNEL_LOCK hiding NET_MPSAFE switch
It reduces C&P codes such as "#ifndef NET_MPSAFE KERNEL_LOCK(1, NULL); ..."
scattered all over the source code and makes it easy to identify remaining
KERNEL_LOCK and/or softnet_lock that are held even if NET_MPSAFE.
No functional change
Hold KERNEL_LOCK on if_ioctl selectively based on IFEF_MPSAFE
If IFEF_MPSAFE is set, hold the lock and otherwise don't hold.
This change requires additions of KERNEL_LOCK to subsequence functions from
if_ioctl such as ifmedia_ioctl and ifioctl_common to protect non-MP-safe
components.
Proposed on tech-kern@ and tech-net@
Ensure to hold if_ioctl_lock when calling if_flags_set
Fix locking against myself on ifpromisc
vlan_unconfig_locked could be called with holding if_ioctl_lock.
Ensure to not turn on IFF_RUNNING of an interface until its initialization completes
And ensure to turn off it before destruction as per IFF_RUNNING's description
"resource allocated". (The description is a bit doubtful though, I believe the
change is still proper.)
Ensure to hold if_ioctl_lock on if_up and if_down
One exception for if_down is if_detach; in the case the lock isn't needed
because it's guaranteed that no other one can access ifp at that point.
Make if_link_queue MP-safe if IFEF_MPSAFE
if_link_queue is a queue to store events of link state changes, which is
used to pass events from (typically) an interrupt handler to
if_link_state_change softint. The queue was protected by KERNEL_LOCK so far,
but if IFEF_MPSAFE is enabled, it becomes unsafe because (perhaps) an interrupt
handler of an interface with IFEF_MPSAFE doesn't take KERNEL_LOCK. Protect it
by a spin mutex.
Additionally with this change KERNEL_LOCK of if_link_state_change softint is
omitted if NET_MPSAFE is enabled.
Note that the spin mutex is now ifp->if_snd.ifq_lock as well as the case of
if_timer (see the comment).
Use IFADDR_WRITER_FOREACH instead of IFADDR_READER_FOREACH
At that point no other one modifies the list so IFADDR_READER_FOREACH
is unnecessary. Use of IFADDR_READER_FOREACH is harmless in general though,
if we try to detect contract violations of pserialize, using it violates
the contract. So avoid using it makes life easy.
Ensure to call if_addr_init with holding if_ioctl_lock
Get rid of outdated comments
Fix build of kernels without ether
By throwing out if_enable_vlan_mtu and if_disable_vlan_mtu that
created a unnecessary dependency from if.c to if_ethersubr.c.
PR kern/52790
Rename IFNET_LOCK to IFNET_GLOBAL_LOCK
IFNET_LOCK will be used in another lock, if_ioctl_lock (might be renamed then).
Wrap if_ioctl_lock with IFNET_* macros (NFC)
Also if_ioctl_lock perhaps needs to be renamed to something because it's now
not just for ioctl...
Reorder some destruction routines in if_detach
- Destroy if_ioctl_lock at the end of the if_detach because it's used in various
destruction routines
- Move psref_target_destroy after pr_purgeif because we want to use psref in
pr_purgeif (otherwise destruction procedures can be tricky)
Ensure to call if_mcast_op with holding IFNET_LOCK
Note that CARP doesn't deal with IFNET_LOCK yet.
Remove IFNET_GLOBAL_LOCK where it's unnecessary because IFNET_LOCK is held
Describe which lock is used to protect each member variable of struct ifnet
Requested by skrll@
Write a guideline for converting an interface to IFEF_MPSAFE
Requested by skrll@
Note that IFNET_LOCK must not be held in softint
Don't set IFEF_MPSAFE unless NET_MPSAFE at this point
Because recent investigations show that interfaces with IFEF_MPSAFE need to
follow additional restrictions to work with the flag safely. We should enable it
on an interface by default only if the interface surely satisfies the
restrictions, which are described in if.h.
Note that enabling IFEF_MPSAFE solely gains a few benefit on performance because
the network stack is still serialized by the big kernel locks by default.
 1.6.8.1 25-Jul-2017  snj Pull up following revision(s) (requested by pgoyette in ticket #155):
sys/net/npf/npf_os.c: revision 1.7
The npf module depends on some stuff from the bpf module, so set the
required modules list accordingly.
 1.6.6.2 29-Apr-2017  pgoyette Remove explicit inclusion of <sys/localcount.h> since there is no
explicit usage of localcounts here. <sys/conf.h> will take care of
including as needed.
 1.6.6.1 28-Apr-2017  pgoyette The npf device may be loaded as a (rump) module, so make sure we have a
localcount in its devsw
 1.6.2.3 28-Aug-2017  skrll Sync with HEAD
 1.6.2.2 05-Feb-2017  skrll Sync with HEAD
 1.6.2.1 27-Jan-2017  skrll file npf_os.c was added on branch nick-nhusb on 2017-02-05 13:40:58 +0000
 1.8.2.2 03-Dec-2017  jdolecek update from HEAD
 1.8.2.1 17-Nov-2017  jdolecek file npf_os.c was added on branch tls-maxphys on 2017-12-03 11:39:03 +0000
 1.9.4.2 13-Apr-2020  martin Mostly merge changes from HEAD upto 20200411
 1.9.4.1 10-Jun-2019  christos Sync with HEAD
 1.9.2.1 30-Sep-2018  pgoyette Ssync with HEAD
 1.12.2.4 20-Jun-2020  martin Pull up following revision(s) (requested by rmind in ticket #956):

usr.sbin/npf/npf-params.7: revision 1.4
sys/net/npf/npf_worker.c: revision 1.9
usr.sbin/npf/npftest/npftest.h: revision 1.17
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.16
usr.sbin/npf/npf-params.7: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.21
usr.sbin/npf/npfctl/npf_build.c: revision 1.55
usr.sbin/npf/npf-params.7: revision 1.6
sys/net/npf/npfkern.h: revision 1.5
lib/libnpf/npf.c: revision 1.49
usr.sbin/npf/npf-params.7: revision 1.7
sys/net/npf/npf_impl.h: revision 1.81
sys/net/npf/npf_ext_log.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.h: revision 1.53
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.50
sys/net/npf/npf_mbuf.c: revision 1.24
sys/net/npf/npf_alg.c: revision 1.22
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: file removal
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.10
sys/net/npf/npf.h: revision 1.63
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.21
usr.sbin/npf/npfctl/npf_var.c: revision 1.13
sys/net/npf/files.npf: revision 1.23
usr.sbin/npf/npfctl/npf_show.c: revision 1.32
usr.sbin/npf/npfctl/npf.conf.5: revision 1.91
sys/net/npf/npf_os.c: revision 1.18
sys/net/npf/npf_connkey.c: revision 1.2
sys/net/npf/npf_conf.c: revision 1.17
lib/libnpf/libnpf.3: revision 1.12
usr.sbin/npf/npftest/npftest.c: revision 1.25
usr.sbin/npf/npftest/libnpftest/npf_gc_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.51
sys/net/npf/npf_tableset.c: revision 1.35
usr.sbin/npf/npftest/npftest.conf: revision 1.9
sys/net/npf/npf_sendpkt.c: revision 1.22
usr.sbin/npf/npfctl/npf_var.h: revision 1.10
sys/net/npf/npf_state.c: revision 1.23
sys/net/npf/npf_conn.h: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.64
usr.sbin/npf/npfctl/npf_cmd.c: revision 1.1
sys/net/npf/npf_portmap.c: revision 1.5
sys/net/npf/npf_params.c: revision 1.3
usr.sbin/npf/npfctl/npf_scan.l: revision 1.32
tests/net/npf/t_npf.sh: revision 1.4
sys/net/npf/npf_ext_rndblock.c: revision 1.9
lib/libnpf/npf.h: revision 1.39
sys/net/npf/npf_ruleset.c: revision 1.51
sys/net/npf/npf_alg_icmp.c: revision 1.33
sys/net/npf/npf.c: revision 1.43
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.8: revision 1.25
sys/net/npf/npf_ctl.c: revision 1.60
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.11
sys/net/npf/npf_handler.c: revision 1.49
sys/net/npf/npf_inet.c: revision 1.57
sys/net/npf/npf_ifaddr.c: revision 1.7
sys/net/npf/npf_conndb.c: revision 1.9
sys/net/npf/npf_if.c: revision 1.13
usr.sbin/npf/npfctl/Makefile: revision 1.15
sys/net/npf/npf_conn.c: revision 1.32
sys/net/npf/npf_ext_normalize.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.20
sys/net/npf/npf_worker.c: revision 1.8

Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.

npf_worker_sys{init,fini}: initialize/destroy the exit_cv condvar.

npftest -- npf_test_init(): add a workaround for NetBSD.

npf-params(7): fix the state.key defaults.

npf-params.7: s/filer/filter/

Adjust to "npfctl debug" command line changes, from rmind@.

Use more markup.
 1.12.2.3 01-Sep-2019  martin Pull up following revision(s) (requested by rmind in ticket #141):

usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.15
sys/net/npf/npf_alg.c: revision 1.21
sys/net/npf/npf.h: revision 1.62
sys/net/npf/npf_ctl.c: revision 1.57
sys/net/npf/npf_ctl.c: revision 1.58
sys/net/npf/npf_os.c: revision 1.16
sys/net/npf/npf_os.c: revision 1.17
sys/net/npf/npf_conf.c: revision 1.15
sys/net/npf/npf_impl.h: revision 1.78
sys/sys/mbuf.h: revision 1.220
sys/net/npf/npf_impl.h: revision 1.79
sys/net/npf/npf.c: revision 1.41
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.19
sys/net/npf/npf_nat.c: revision 1.48
sys/net/npf/npf_handler.c: revision 1.48
sys/net/npf/npf_ifaddr.c: revision 1.6

- npfctl_load_nvlist: simplify the config loading logic.
- Fix a small race condition in npf_nat_getaddr().
- Rework pserialize/EBR wrappers, make it easier to maintain.
Move PACKET_TAG_NPF where it belongs to.
Make npfctl_switch() and pfil private to OS-specific module.
 1.12.2.2 01-Sep-2019  martin Pull up following revision(s) (requested by rmind in ticket #139):

lib/libnpf/npf.c: revision 1.47
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.10
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.10
sys/net/npf/npf.h: revision 1.61
sys/net/npf/npf_ctl.c: revision 1.56
sys/net/npf/npf_os.c: revision 1.15
lib/libnpf/libnpf.3: revision 1.10
sys/net/npf/npf_tableset.c: revision 1.34
usr.sbin/npf/npfctl/npfctl.c: revision 1.61
sys/net/npf/npf_impl.h: revision 1.77
lib/libnpf/npf.h: revision 1.37

- npftest: fix a memleak in a unit test (standalone path only).
- Minor style fixes. No functional change.
npfkern/libnpf: Add support for the table replace/swap operation.
Contributed by Timshel Knoll-Miller.
 1.12.2.1 13-Aug-2019  martin Pull up following revision(s) (requested by rmind in ticket #49):

usr.sbin/npf/npf.7: revision 1.7
sys/net/npf/npfkern.h: revision 1.4
sys/net/npf/npf_conn.h: revision 1.18
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.13
sys/net/npf/npf_ctl.c: revision 1.55
sys/net/npf/npf_os.c: revision 1.14
sys/net/npf/npf_conf.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/npf_perf_test.c: revision 1.9
sys/net/npf/npf_impl.h: revision 1.76
sys/net/npf/npf_portmap.c: revision 1.4
sys/net/npf/npf_params.c: revision 1.2
sys/net/npf/npf.c: revision 1.40
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.18
sys/net/npf/npf_nat.c: revision 1.47
sys/net/npf/npf_handler.c: revision 1.47
sys/net/npf/npf_inet.c: revision 1.55
sys/net/npf/npf_if.c: revision 1.10
sys/net/npf/npf_worker.c: revision 1.7
usr.sbin/npf/npf-params.7: revision 1.3

npf-params(7): add more bpf.jit details.
From David H. Gutteridge.

Adjust some internal NPF APIs:
* npfkern: use the npfk_ prefix.
* NPF portmap: amend the API so it could be used elsewhere.
* Make npf_connkey_t public.

npf.7: add xref to npf-params.7
(Adding directly here since this particular file isn't included in
rmind@'s upstream GitHub repo at present.)
 1.19.2.1 03-Apr-2021  thorpej Sync with HEAD.
 1.21.24.1 02-Aug-2025  perseant Sync with HEAD
 1.6 12-Feb-2023  kardel PR kern/55654:
Switch default for parameter npf ip4.reassembly to 1.
This makes the NPF default configuration comply with host
requirements for IPv4.
 1.5 28-Apr-2022  martin branches: 1.5.4;
Make the thmap(9) used for params use sleepable allocations,
suggested by rmind@. Should fix PR 56802.
 1.4 28-Apr-2022  martin Temporary hack to make PR 56802 (when it happens) tell us for sure that
it is caused by KM_NOSLEEP memory allocation failure.
 1.3 30-May-2020  rmind Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.

- Amend and improve the manual pages.
 1.2 11-Aug-2019  rmind branches: 1.2.8;
Adjust some internal NPF APIs:
* npfkern: use the npfk_ prefix.
* NPF portmap: amend the API so it could be used elsewhere.
* Make npf_connkey_t public.
 1.1 23-Jul-2019  rmind branches: 1.1.2;
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.
 1.1.2.3 14-Mar-2023  martin Pull up following revision(s) (requested by kardel in ticket #1612):

usr.sbin/npf/npf-params.7: revision 1.9
sys/net/npf/npf_params.c: revision 1.6

PR kern/55654:

Switch default for parameter npf ip4.reassembly to 1.

This makes the NPF default configuration comply with host
requirements for IPv4.
 1.1.2.2 20-Jun-2020  martin Pull up following revision(s) (requested by rmind in ticket #956):

usr.sbin/npf/npf-params.7: revision 1.4
sys/net/npf/npf_worker.c: revision 1.9
usr.sbin/npf/npftest/npftest.h: revision 1.17
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.16
usr.sbin/npf/npf-params.7: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.21
usr.sbin/npf/npfctl/npf_build.c: revision 1.55
usr.sbin/npf/npf-params.7: revision 1.6
sys/net/npf/npfkern.h: revision 1.5
lib/libnpf/npf.c: revision 1.49
usr.sbin/npf/npf-params.7: revision 1.7
sys/net/npf/npf_impl.h: revision 1.81
sys/net/npf/npf_ext_log.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.h: revision 1.53
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.50
sys/net/npf/npf_mbuf.c: revision 1.24
sys/net/npf/npf_alg.c: revision 1.22
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: file removal
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.10
sys/net/npf/npf.h: revision 1.63
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.21
usr.sbin/npf/npfctl/npf_var.c: revision 1.13
sys/net/npf/files.npf: revision 1.23
usr.sbin/npf/npfctl/npf_show.c: revision 1.32
usr.sbin/npf/npfctl/npf.conf.5: revision 1.91
sys/net/npf/npf_os.c: revision 1.18
sys/net/npf/npf_connkey.c: revision 1.2
sys/net/npf/npf_conf.c: revision 1.17
lib/libnpf/libnpf.3: revision 1.12
usr.sbin/npf/npftest/npftest.c: revision 1.25
usr.sbin/npf/npftest/libnpftest/npf_gc_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.51
sys/net/npf/npf_tableset.c: revision 1.35
usr.sbin/npf/npftest/npftest.conf: revision 1.9
sys/net/npf/npf_sendpkt.c: revision 1.22
usr.sbin/npf/npfctl/npf_var.h: revision 1.10
sys/net/npf/npf_state.c: revision 1.23
sys/net/npf/npf_conn.h: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.64
usr.sbin/npf/npfctl/npf_cmd.c: revision 1.1
sys/net/npf/npf_portmap.c: revision 1.5
sys/net/npf/npf_params.c: revision 1.3
usr.sbin/npf/npfctl/npf_scan.l: revision 1.32
tests/net/npf/t_npf.sh: revision 1.4
sys/net/npf/npf_ext_rndblock.c: revision 1.9
lib/libnpf/npf.h: revision 1.39
sys/net/npf/npf_ruleset.c: revision 1.51
sys/net/npf/npf_alg_icmp.c: revision 1.33
sys/net/npf/npf.c: revision 1.43
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.8: revision 1.25
sys/net/npf/npf_ctl.c: revision 1.60
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.11
sys/net/npf/npf_handler.c: revision 1.49
sys/net/npf/npf_inet.c: revision 1.57
sys/net/npf/npf_ifaddr.c: revision 1.7
sys/net/npf/npf_conndb.c: revision 1.9
sys/net/npf/npf_if.c: revision 1.13
usr.sbin/npf/npfctl/Makefile: revision 1.15
sys/net/npf/npf_conn.c: revision 1.32
sys/net/npf/npf_ext_normalize.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.20
sys/net/npf/npf_worker.c: revision 1.8

Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.

npf_worker_sys{init,fini}: initialize/destroy the exit_cv condvar.

npftest -- npf_test_init(): add a workaround for NetBSD.

npf-params(7): fix the state.key defaults.

npf-params.7: s/filer/filter/

Adjust to "npfctl debug" command line changes, from rmind@.

Use more markup.
 1.1.2.1 13-Aug-2019  martin Pull up following revision(s) (requested by rmind in ticket #49):

usr.sbin/npf/npf.7: revision 1.7
sys/net/npf/npfkern.h: revision 1.4
sys/net/npf/npf_conn.h: revision 1.18
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.13
sys/net/npf/npf_ctl.c: revision 1.55
sys/net/npf/npf_os.c: revision 1.14
sys/net/npf/npf_conf.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/npf_perf_test.c: revision 1.9
sys/net/npf/npf_impl.h: revision 1.76
sys/net/npf/npf_portmap.c: revision 1.4
sys/net/npf/npf_params.c: revision 1.2
sys/net/npf/npf.c: revision 1.40
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.18
sys/net/npf/npf_nat.c: revision 1.47
sys/net/npf/npf_handler.c: revision 1.47
sys/net/npf/npf_inet.c: revision 1.55
sys/net/npf/npf_if.c: revision 1.10
sys/net/npf/npf_worker.c: revision 1.7
usr.sbin/npf/npf-params.7: revision 1.3

npf-params(7): add more bpf.jit details.
From David H. Gutteridge.

Adjust some internal NPF APIs:
* npfkern: use the npfk_ prefix.
* NPF portmap: amend the API so it could be used elsewhere.
* Make npf_connkey_t public.

npf.7: add xref to npf-params.7
(Adding directly here since this particular file isn't included in
rmind@'s upstream GitHub repo at present.)
 1.2.8.2 13-Apr-2020  martin Mostly merge changes from HEAD upto 20200411
 1.2.8.1 11-Aug-2019  martin file npf_params.c was added on branch phil-wifi on 2020-04-13 08:05:15 +0000
 1.5.4.1 14-Mar-2023  martin Pull up following revision(s) (requested by kardel in ticket #118):

usr.sbin/npf/npf-params.7: revision 1.9
sys/net/npf/npf_params.c: revision 1.6

PR kern/55654:

Switch default for parameter npf ip4.reassembly to 1.

This makes the NPF default configuration comply with host
requirements for IPv4.
 1.7 28-Aug-2020  riastradh npf: Remove harmless vestiges of debugging hacks.
 1.6 27-Aug-2020  riastradh npf: Make sure to initialize portmap_lock only once.

PR kern/55586
 1.5 30-May-2020  rmind Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.

- Amend and improve the manual pages.
 1.4 11-Aug-2019  rmind branches: 1.4.8;
Adjust some internal NPF APIs:
* npfkern: use the npfk_ prefix.
* NPF portmap: amend the API so it could be used elsewhere.
* Make npf_connkey_t public.
 1.3 25-Jul-2019  rmind branches: 1.3.2;
npf_portmap_flush: remove invalid assert (this routine can be callied via
the npf_destroy() path where the constraint is not applicable).
 1.2 23-Jul-2019  rmind NPF portmap: add a workaround for archs without 64-bit CAS.
 1.1 23-Jul-2019  rmind NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.
 1.3.2.2 20-Jun-2020  martin Pull up following revision(s) (requested by rmind in ticket #956):

usr.sbin/npf/npf-params.7: revision 1.4
sys/net/npf/npf_worker.c: revision 1.9
usr.sbin/npf/npftest/npftest.h: revision 1.17
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.16
usr.sbin/npf/npf-params.7: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.21
usr.sbin/npf/npfctl/npf_build.c: revision 1.55
usr.sbin/npf/npf-params.7: revision 1.6
sys/net/npf/npfkern.h: revision 1.5
lib/libnpf/npf.c: revision 1.49
usr.sbin/npf/npf-params.7: revision 1.7
sys/net/npf/npf_impl.h: revision 1.81
sys/net/npf/npf_ext_log.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.h: revision 1.53
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.50
sys/net/npf/npf_mbuf.c: revision 1.24
sys/net/npf/npf_alg.c: revision 1.22
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: file removal
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.10
sys/net/npf/npf.h: revision 1.63
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.21
usr.sbin/npf/npfctl/npf_var.c: revision 1.13
sys/net/npf/files.npf: revision 1.23
usr.sbin/npf/npfctl/npf_show.c: revision 1.32
usr.sbin/npf/npfctl/npf.conf.5: revision 1.91
sys/net/npf/npf_os.c: revision 1.18
sys/net/npf/npf_connkey.c: revision 1.2
sys/net/npf/npf_conf.c: revision 1.17
lib/libnpf/libnpf.3: revision 1.12
usr.sbin/npf/npftest/npftest.c: revision 1.25
usr.sbin/npf/npftest/libnpftest/npf_gc_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.51
sys/net/npf/npf_tableset.c: revision 1.35
usr.sbin/npf/npftest/npftest.conf: revision 1.9
sys/net/npf/npf_sendpkt.c: revision 1.22
usr.sbin/npf/npfctl/npf_var.h: revision 1.10
sys/net/npf/npf_state.c: revision 1.23
sys/net/npf/npf_conn.h: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.64
usr.sbin/npf/npfctl/npf_cmd.c: revision 1.1
sys/net/npf/npf_portmap.c: revision 1.5
sys/net/npf/npf_params.c: revision 1.3
usr.sbin/npf/npfctl/npf_scan.l: revision 1.32
tests/net/npf/t_npf.sh: revision 1.4
sys/net/npf/npf_ext_rndblock.c: revision 1.9
lib/libnpf/npf.h: revision 1.39
sys/net/npf/npf_ruleset.c: revision 1.51
sys/net/npf/npf_alg_icmp.c: revision 1.33
sys/net/npf/npf.c: revision 1.43
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.8: revision 1.25
sys/net/npf/npf_ctl.c: revision 1.60
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.11
sys/net/npf/npf_handler.c: revision 1.49
sys/net/npf/npf_inet.c: revision 1.57
sys/net/npf/npf_ifaddr.c: revision 1.7
sys/net/npf/npf_conndb.c: revision 1.9
sys/net/npf/npf_if.c: revision 1.13
usr.sbin/npf/npfctl/Makefile: revision 1.15
sys/net/npf/npf_conn.c: revision 1.32
sys/net/npf/npf_ext_normalize.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.20
sys/net/npf/npf_worker.c: revision 1.8

Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.

npf_worker_sys{init,fini}: initialize/destroy the exit_cv condvar.

npftest -- npf_test_init(): add a workaround for NetBSD.

npf-params(7): fix the state.key defaults.

npf-params.7: s/filer/filter/

Adjust to "npfctl debug" command line changes, from rmind@.

Use more markup.
 1.3.2.1 13-Aug-2019  martin Pull up following revision(s) (requested by rmind in ticket #49):

usr.sbin/npf/npf.7: revision 1.7
sys/net/npf/npfkern.h: revision 1.4
sys/net/npf/npf_conn.h: revision 1.18
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.13
sys/net/npf/npf_ctl.c: revision 1.55
sys/net/npf/npf_os.c: revision 1.14
sys/net/npf/npf_conf.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/npf_perf_test.c: revision 1.9
sys/net/npf/npf_impl.h: revision 1.76
sys/net/npf/npf_portmap.c: revision 1.4
sys/net/npf/npf_params.c: revision 1.2
sys/net/npf/npf.c: revision 1.40
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.18
sys/net/npf/npf_nat.c: revision 1.47
sys/net/npf/npf_handler.c: revision 1.47
sys/net/npf/npf_inet.c: revision 1.55
sys/net/npf/npf_if.c: revision 1.10
sys/net/npf/npf_worker.c: revision 1.7
usr.sbin/npf/npf-params.7: revision 1.3

npf-params(7): add more bpf.jit details.
From David H. Gutteridge.

Adjust some internal NPF APIs:
* npfkern: use the npfk_ prefix.
* NPF portmap: amend the API so it could be used elsewhere.
* Make npf_connkey_t public.

npf.7: add xref to npf-params.7
(Adding directly here since this particular file isn't included in
rmind@'s upstream GitHub repo at present.)
 1.4.8.2 13-Apr-2020  martin Mostly merge changes from HEAD upto 20200411
 1.4.8.1 11-Aug-2019  martin file npf_portmap.c was added on branch phil-wifi on 2020-04-13 08:05:15 +0000
 1.16 19-Sep-2013  rmind NPF: G/C n-code in favour of BPF byte-code. Delete lots of code, mmm!
 1.15 09-Feb-2013  rmind branches: 1.15.2;
NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
 1.14 20-Jan-2013  rmind - nbuf_ensure_contig: rework to use m_ensure_contig(9), which will not free
the mbuf chain on failure. Fixes some corner cases. Improve regression
test and sprinkle some asserts.
- npf_reassembly: clear nbuf on IPv6 reassembly failure path (partial fix).
The problem was found and fix provided by Anthony Mallet.
 1.13 24-Dec-2012  rmind - Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.
 1.12 19-Jul-2012  spz branches: 1.12.2;
teach npf ipv6-icmp
reviewed by rmind@
 1.11 01-Jul-2012  rmind NPF improvements:
- Add NPF_OPCODE_PROTO to match the address and/or protocol only.
- Update parser to support arbitrary "pass proto <name/number>".
- Fix IPv6 address and protocol handling (add a regression test).
- Fix few theorethical races in session handling module.
- Misc fixes, simplifications and some clean up.
 1.10 20-Feb-2012  rmind - Add NPF_DECISION_BLOCK and NPF_DECISION_PASS. Be more defensive in the
packet handler. Change the default policy to block when the config is
loaded and set it to pass when flush operation is performed.
- Use kmem_zalloc(9) instead of kmem_alloc(9) in few places.
- npf_rproc_{create,release}: use kmem_intr_{alloc,free} as the destruction
of rule procedure might happen in the interrupt handler (under a very rare
condition, if config reload races with the handler).
- npf_session_establish: check whether layer 3 and 4 are cached.
- npfctl_build_group: do not make groups as passing rules.
- Remove some unecessary header inclusion.
 1.9 05-Feb-2012  rmind branches: 1.9.2;
Multiple NPF fixes, add better error reporting from kernel side, add some
asserts, bump the version.
 1.8 15-Jan-2012  rmind - Expire all sessions on flush.
- Enable checking for zero mask in IP{4,6}MATCH after npfctl changes.
- Make locking symmetric for npf_ruleset_inspect().
- Sync function prototypes in npf(3) man page with reality.
- Rename NPF_TABLE_RBTREE to NPF_TABLE_TREE.
 1.7 29-Nov-2011  rmind branches: 1.7.2;
- Rework and improve TCP state tracking.
- Fix regressions after IPv6 patch merge.

Note: npfctl(8) rework will come soon.
 1.6 06-Nov-2011  rmind Few fixes, KNF/style, bump the NPF version.
 1.5 04-Nov-2011  zoltan Add IPv6 support for NPF.
 1.4 18-Dec-2010  rmind branches: 1.4.6; 1.4.10;
NPF checkpoint:
- Add support for session saving/restoring.
- Add packet logging support (can tcpdump a pseudo-interface).
- Support reload without flushing of sessions; rework some locking.
- Revisit session mangement, replace linking with npf_sentry_t entries.
- Add some counters for statistics, using percpu(9).
- Add IP_DF flag cleansing.
- Fix various bugs; misc clean-up.
 1.3 11-Nov-2010  rmind NPF checkpoint:
- Add proper TCP state tracking as described in Guido van Rooij paper,
plus handle TCP Window Scaling option.
- Completely rework npf_cache_t, reduce granularity, simplify code.
- Add npf_addr_t as an abstraction, amend session handling code, as well
as NAT code et al, to use it. Now design is prepared for IPv6 support.
- Handle IPv4 fragments i.e. perform packet reassembly.
- Add support for IPv4 ID randomization and minimum TTL enforcement.
- Add support for TCP MSS "clamping".
- Random bits for IPv6. Various fixes and clean-up.
 1.2 16-Sep-2010  rmind branches: 1.2.2; 1.2.4;
NPF checkpoint:
- Add support for bi-directional NAT and redirection / port forwarding.
- Finish filtering on ICMP type/code and add filtering on TCP flags.
- Add support for TCP reset (RST) or ICMP destination unreachable on block.
- Fix a bunch of bugs; misc cleanup.
 1.1 22-Aug-2010  rmind Import NPF - a packet filter. Some features:

- Designed to be fully MP-safe and highly efficient.

- Tables/IP sets (hash or red-black tree) for high performance lookups.

- Stateful filtering and Network Address Port Translation (NAPT).
Framework for application level gateways (ALGs).

- Packet inspection engine called n-code processor - inspired by BPF -
supporting generic RISC-like and specific CISC-like instructions for
common patterns (e.g. IPv4 address matching). See npf_ncode(9) manual.

- Convenient userland utility npfctl(8) with npf.conf(8).

NOTE: This is not yet a fully capable alternative to PF or IPFilter.
Further work (support for binat/rdr, return-rst/return-icmp, common ALGs,
state saving/restoring, logging, etc) is in progress.

Thanks a lot to Matt Thomas for various useful comments and code review.
Aye by: board@
 1.2.4.2 22-Oct-2010  uebayasi Sync with HEAD (-D20101022).
 1.2.4.1 16-Sep-2010  uebayasi file npf_processor.c was added on branch uebayasi-xip on 2010-10-22 09:23:15 +0000
 1.2.2.2 09-Oct-2010  yamt sync with head
 1.2.2.1 16-Sep-2010  yamt file npf_processor.c was added on branch yamt-nfs-mp on 2010-10-09 03:32:37 +0000
 1.4.10.5 22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.4.10.4 23-Jan-2013  yamt sync with head
 1.4.10.3 30-Oct-2012  yamt sync with head
 1.4.10.2 17-Apr-2012  yamt sync with head
 1.4.10.1 10-Nov-2011  yamt sync with head
 1.4.6.2 05-Mar-2011  rmind sync with head
 1.4.6.1 18-Dec-2010  rmind file npf_processor.c was added on branch rmind-uvmplock on 2011-03-05 20:55:55 +0000
 1.7.2.2 24-Feb-2012  mrg sync to -current.
 1.7.2.1 18-Feb-2012  mrg merge to -current.
 1.9.2.5 11-Feb-2013  riz Pull up following revision(s) (requested by rmind in ticket #817):
usr.sbin/npf/npfctl/npfctl.8: revision 1.12
usr.sbin/npf/npfctl/npf.conf.5: revision 1.27
usr.sbin/npf/npfctl/npf_parse.y: revision 1.18
usr.sbin/npf/npfctl/npf_build.c: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.28
lib/libnpf/npf.c: revision 1.16
usr.sbin/npf/npfctl/npfctl.c: revision 1.29
lib/libnpf/npf.c: revision 1.17
sys/modules/npf/Makefile: revision 1.12
sys/net/npf/npf_rproc.c: revision 1.6
usr.sbin/npf/npftest/README: revision 1.4
sys/net/npf/npf_tableset.c: revision 1.17
sys/net/npf/npf_ctl.c: revision 1.21
sys/net/npf/npf_ctl.c: revision 1.22
usr.sbin/npf/npfctl/npfctl.h: revision 1.25
lib/libnpf/npf.h: revision 1.13
usr.sbin/npf/npftest/npftest.conf: revision 1.2
usr.sbin/npf/npfctl/npfctl.h: revision 1.26
sys/net/npf/npf_ruleset.c: revision 1.17
lib/libnpf/npf.h: revision 1.14
sys/net/npf/npf_ruleset.c: revision 1.18
sys/net/npf/npf_conf.c: revision 1.1
usr.sbin/npf/npfctl/npf_scan.l: revision 1.10
sys/net/npf/npf_conf.c: revision 1.2
sys/net/npf/npf_instr.c: revision 1.16
sys/net/npf/npf_handler.c: revision 1.26
sys/net/npf/npf_impl.h: revision 1.26
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.14
sys/net/npf/npf_processor.c: revision 1.15
sys/net/npf/npf_impl.h: revision 1.27
sys/net/npf/npf_alg_icmp.c: revision 1.15
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.15
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.16
sys/net/npf/npf_ncode.h: revision 1.11
sys/net/npf/files.npf: revision 1.10
usr.sbin/npf/npftest/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.c: revision 1.30
lib/libnpf/npf.3: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.4
sys/net/npf/npf_session.c: revision 1.21
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.5
usr.sbin/npf/npfctl/npf_build.c: revision 1.18
usr.sbin/npf/npfctl/npf_build.c: revision 1.19
sys/net/npf/npf_alg.c: revision 1.7
usr.sbin/npf/npfctl/Makefile: revision 1.10
sys/net/npf/npf_inet.c: revision 1.21
sys/net/npf/npf.h: revision 1.26
sys/net/npf/npf.h: revision 1.27
usr.sbin/pf/ftp-proxy/Makefile: revision 1.8
sys/net/npf/npf_nat.c: revision 1.19
sys/net/npf/npf.c: revision 1.15
sys/net/npf/npf_state.c: revision 1.14
sys/net/npf/npf_sendpkt.c: revision 1.14
sys/rump/net/lib/libnpf/Makefile: revision 1.4
IPv6 linklocal address printing cosmetics
NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
Disable -DWITH_NPF for now; will be converted to BPF mechanism.
- Fix NPF config reload with dynamic rules present.
- Implement list and flush commands on a dynamic ruleset.
Allow filtering on IP addresses even if the L4 protocol is unknown.
Patch from spz@.
npftest: adjust for recent change.
 1.9.2.4 08-Feb-2013  riz Pull up following revision(s) (requested by rmind in ticket #777):
usr.sbin/npf/npfctl/npfctl.c: revision 1.27
sys/net/npf/npf_session.c: revision 1.19
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.4
sys/net/npf/npf_rproc.c: revision 1.5
usr.sbin/npf/npftest/README: revision 1.3
sys/sys/mbuf.h: revision 1.151
sys/net/npf/npf_ruleset.c: revision 1.15
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.3
sys/net/npf/npf_ruleset.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.4
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.4
sys/net/npf/npf_inet.c: revision 1.19
sys/net/npf/npf_instr.c: revision 1.15
sys/net/npf/npf_handler.c: revision 1.24
sys/net/npf/npf_handler.c: revision 1.25
sys/net/npf/npf_state_tcp.c: revision 1.12
sys/net/npf/npf_processor.c: revision 1.13
sys/net/npf/npf_impl.h: revision 1.25
sys/net/npf/npf_processor.c: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.10
sys/net/npf/npf_alg_icmp.c: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.9
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.3
sys/net/npf/npf_session.c: revision 1.20
sys/net/npf/npf_alg.c: revision 1.6
sys/kern/uipc_mbuf.c: revision 1.148
sys/net/npf/npf_inet.c: revision 1.20
sys/net/npf/npf.h: revision 1.25
sys/net/npf/npf_nat.c: revision 1.18
sys/net/npf/npf_state.c: revision 1.13
sys/net/npf/npf_sendpkt.c: revision 1.13
sys/net/npf/npf_ext_log.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.4
sys/net/npf/npf_ext_normalise.c: revision 1.2
- Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.
Silence gcc in npf_recache().
Add m_ensure_contig() routine, which is equivalent to m_pullup, but does not
destroy the mbuf chain on failure (it is kept valid).
- nbuf_ensure_contig: rework to use m_ensure_contig(9), which will not free
the mbuf chain on failure. Fixes some corner cases. Improve regression
test and sprinkle some asserts.
- npf_reassembly: clear nbuf on IPv6 reassembly failure path (partial fix).
The problem was found and fix provided by Anthony Mallet.
 1.9.2.3 25-Jul-2012  jdc Pull up revisions:
src/usr.sbin/npf/npfctl/npfctl.c revisions 1.16,1.17
src/sys/net/npf/npf.h revision 1.20
src/sys/net/npf/npf_alg_icmp.c revision 1.11
src/sys/net/npf/npf_impl.h revision 1.19
src/sys/net/npf/npf_inet.c revisions 1.15,1.16
src/sys/net/npf/npf_instr.c revision 1.14
src/sys/net/npf/npf_ncode.h revision 1.10
src/sys/net/npf/npf_processor.c revision 1.12
src/sys/net/npf/npf_session.c revision 1.16
src/usr.sbin/npf/npfctl/npf_build.c revision 1.12
src/usr.sbin/npf/npfctl/npf_data.c revisions 1.16,1.17
src/usr.sbin/npf/npfctl/npf_disassemble.c revision 1.8
src/usr.sbin/npf/npfctl/npf_ncgen.c revision 1.13
src/usr.sbin/npf/npfctl/npf_parse.y revision 1.11
src/usr.sbin/npf/npfctl/npf_scan.l revision 1.5
src/usr.sbin/npf/npfctl/npf_var.h revision 1.3
src/usr.sbin/npf/npfctl/npfctl.h revision 1.18
src/sys/net/npf/npf_state.c revision 1.10
src/sys/net/npf/npf_state_tcp.c revision 1.10
src/usr.sbin/npf/npftest/npfstream.c revision 1.2
src/usr.sbin/npf/npftest/libnpftest/npf_test_subr.c revision 1.2
(requested by rmind in ticket #435).

Add missing __dead.

teach npf ipv6-icmp
reviewed by rmind@

- npfctl_print_stats: beautification a la French style.
- npfctl_icmpcode: fix the build break.

- npf_fetch_tcpopts: fix off-by-one when validating TCP option length
against the maximum allowed.
- npf_tcp_inwindow: be more liberal with npf_fetch_tcpopts().
- Few minor improvements to npftest.
 1.9.2.2 05-Jul-2012  riz Pull up following revision(s) (requested by rmind in ticket #399):
sys/net/npf/npf_session.c: revision 1.14
sys/net/npf/npf_tableset.c: revision 1.12
sys/net/npf/npf_state_tcp.c: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.3
usr.sbin/npf/npfctl/npf_data.c: revision 1.14
sys/net/npf/npf_inet.c: revision 1.13
sys/net/npf/npf_ruleset.c: revision 1.12
sys/net/npf/npf.h: revision 1.18
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.8: revision 1.7
usr.sbin/npf/npfctl/npf_parse.y: revision 1.9
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.2
usr.sbin/npf/npfctl/npfctl.8: revision 1.8
sys/net/npf/npf_instr.c: revision 1.12
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.3
usr.sbin/npf/npfctl/npf.conf.5: revision 1.13
usr.sbin/npf/npfctl/npf.conf.5: revision 1.14
sys/net/npf/npf_state.c: revision 1.9
sys/net/npf/npf_processor.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.c: revision 1.13
usr.sbin/npf/npfctl/npfctl.c: revision 1.14
usr.sbin/npf/npfctl/npf_build.c: revision 1.10
lib/libnpf/npf.3: revision 1.5
lib/libnpf/npf.h: revision 1.8
share/man/man9/npf_ncode.9: revision 1.9
usr.sbin/npf/npfctl/npf_scan.l: revision 1.4
lib/libnpf/npf.c: revision 1.9
usr.sbin/npf/npfctl/npfctl.h: revision 1.16
sys/net/npf/npf_nat.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.2
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.6
sys/net/npf/npf_impl.h: revision 1.17
sys/net/npf/npf_handler.c: revision 1.18
sys/net/npf/npf_handler.c: revision 1.19
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.4
sys/net/npf/npf_ncode.h: revision 1.9
Fix and update npf.conf(5), npfctl(8) and its usage message.
npf_state_tcp: fix for FIN retransmission and out-of-order ACK case.
NPF improvements:
- Add NPF_OPCODE_PROTO to match the address and/or protocol only.
- Update parser to support arbitrary &quot;pass proto &lt;name/number&gt;&quot;.
- Fix IPv6 address and protocol handling (add a regression test).
- Fix few theorethical races in session handling module.
- Misc fixes, simplifications and some clean up.
npf_packet_handler: fix gcc unused warning.
 1.9.2.1 03-Apr-2012  riz Pull up following revision(s) (requested by rmind in ticket #158):
sys/net/npf/npf_session.c: revision 1.12
sys/net/npf/npf_tableset.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.2
usr.sbin/npf/npfctl/npf_parse.y: revision 1.4
sys/net/npf/npf_inet.c: revision 1.11
sys/net/npf/npf.h: revision 1.15
usr.sbin/npf/npfctl/npf_build.c: revision 1.5
sys/net/npf/npf_ruleset.c: revision 1.11
sys/net/npf/npf_instr.c: revision 1.10
usr.sbin/npf/npfctl/Makefile: revision 1.6
sys/net/npf/npf_processor.c: revision 1.10
sys/net/npf/npf_log.c: revision 1.3
lib/libnpf/npf.h: revision 1.7
sys/net/npf/npf_alg.c: revision 1.3
sys/net/npf/npf_sendpkt.c: revision 1.9
lib/libnpf/npf.c: revision 1.8
usr.sbin/npf/npfctl/npfctl.h: revision 1.13
sys/net/npf/npf_ctl.c: revision 1.13
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.8
sys/net/npf/npf_ctl.c: revision 1.14
sys/net/npf/npf_nat.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.12
sys/net/npf/npf_impl.h: revision 1.11
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.1
sys/net/npf/npf_impl.h: revision 1.12
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.2
sys/net/npf/npf_handler.c: revision 1.14
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.3
sys/net/npf/npf_handler.c: revision 1.15
sys/net/npf/npf_ncode.h: revision 1.6
sys/net/npf/npf.c: revision 1.8
sys/net/npf/npf.c: revision 1.9
sys/net/npf/npf_alg_icmp.c: revision 1.9
sys/net/npf/npf_session.c: revision 1.11
- Add NPF_DECISION_BLOCK and NPF_DECISION_PASS. Be more defensive in the
packet handler. Change the default policy to block when the config is
loaded and set it to pass when flush operation is performed.
- Use kmem_zalloc(9) instead of kmem_alloc(9) in few places.
- npf_rproc_{create,release}: use kmem_intr_{alloc,free} as the destruction
of rule procedure might happen in the interrupt handler (under a very rare
condition, if config reload races with the handler).
- npf_session_establish: check whether layer 3 and 4 are cached.
- npfctl_build_group: do not make groups as passing rules.
- Remove some unecessary header inclusion.
Simplify slightly: merge iface into addr_or_iface, use it in filt_addr.
Add a small disassembler.
definitions used by the disassembler.
- better printing of type/code flags/mask
- pass the instruction start pointer, instead of subtracting 1 to account for it
- Save active config in proplib dictionary; add GETCONF ioctl to retrieve.
- Few fixes. Improve some comments.
don't leak the branch target array.
Add NPF config retrieval routines.
 1.12.2.2 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.12.2.1 25-Feb-2013  tls resync with head
 1.15.2.1 18-May-2014  rmind sync with head
 1.23 24-Feb-2023  riastradh npf: Eliminate __HAVE_ATOMIC_AS_MEMBAR conditionals.

Discussed on tech-kern:
https://mail-index.netbsd.org/tech-kern/2023/02/23/msg028729.html

Requested by rmind@:
https://github.com/rmind/npf/pull/127#issuecomment-1399573125
 1.22 09-Apr-2022  riastradh sys: Use membar_release/acquire around reference drop.

This just goes through my recent reference count membar audit and
changes membar_exit to membar_release and membar_enter to
membar_acquire -- this should make everything cheaper on most CPUs
without hurting correctness, because membar_acquire is generally
cheaper than membar_enter.
 1.21 12-Mar-2022  riastradh sys: Membar audit around reference count releases.

If two threads are using an object that is freed when the reference
count goes to zero, we need to ensure that all memory operations
related to the object happen before freeing the object.

Using an atomic_dec_uint_nv(&refcnt) == 0 ensures that only one
thread takes responsibility for freeing, but it's not enough to
ensure that the other thread's memory operations happen before the
freeing.

Consider:

Thread A Thread B
obj->foo = 42; obj->baz = 73;
mumble(&obj->bar); grumble(&obj->quux);
/* membar_exit(); */ /* membar_exit(); */
atomic_dec -- not last atomic_dec -- last
/* membar_enter(); */
KASSERT(invariant(obj->foo,
obj->bar));
free_stuff(obj);

The memory barriers ensure that

obj->foo = 42;
mumble(&obj->bar);

in thread A happens before

KASSERT(invariant(obj->foo, obj->bar));
free_stuff(obj);

in thread B. Without them, this ordering is not guaranteed.

So in general it is necessary to do

membar_exit();
if (atomic_dec_uint_nv(&obj->refcnt) != 0)
return;
membar_enter();

to release a reference, for the `last one out hit the lights' style
of reference counting. (This is in contrast to the style where one
thread blocks new references and then waits under a lock for existing
ones to drain with a condvar -- no membar needed thanks to mutex(9).)

I searched for atomic_dec to find all these. Obviously we ought to
have a better abstraction for this because there's so much copypasta.
This is a stop-gap measure to fix actual bugs until we have that. It
would be nice if an abstraction could gracefully handle the different
styles of reference counting in use -- some years ago I drafted an
API for this, but making it cover everything got a little out of hand
(particularly with struct vnode::v_usecount) and I ended up setting
it aside to work on psref/localcount instead for better scalability.

I got bored of adding #ifdef __HAVE_ATOMIC_AS_MEMBAR everywhere, so I
only put it on things that look performance-critical on 5sec review.
We should really adopt membar_enter_preatomic/membar_exit_postatomic
or something (except they are applicable only to atomic r/m/w, not to
atomic_load/store_*, making the naming annoying) and get rid of all
the ifdefs.
 1.20 30-May-2020  rmind Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.

- Amend and improve the manual pages.
 1.19 23-Jul-2019  rmind branches: 1.19.2;
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.
 1.18 11-Apr-2019  kamil Fix CVS Id usage
 1.17 29-Sep-2018  rmind NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.
 1.16 29-Jan-2017  christos branches: 1.16.12; 1.16.14;
- Increase copyin buffer size to 4M
- Change log output format to be like the OpenBSD's pf including in
the header the matching rule etc, and fill in the matching info.
 1.15 28-Dec-2016  christos branches: 1.15.2;
export rprocs too so we don't lose them.
 1.14 26-Dec-2016  christos Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)
 1.13 10-Dec-2016  christos Add missing extcalls array. This is currently a no-op, but this is what
userland does too. Allows npfctl save; npfctl load to work again.
 1.12 11-Aug-2014  rmind branches: 1.12.4; 1.12.8;
NPF: finish up the rework of npfctl_save() mechanism.
 1.11 20-Jul-2014  rmind NPF: add nbuf_t * into npf_cache_t and remove unnecessary carrying by argument.
 1.10 19-May-2014  jakllsch Add ability to have mbufs disappear (to another interface) during
npf_rproc_run(). For upcoming npf_ext_route extension.

Guidance and ok by rmind@.
 1.9 11-Mar-2013  christos branches: 1.9.10;
prevent the lookup function from autoloading recursively.
 1.8 11-Mar-2013  christos move the module loading in the correct place.
 1.7 10-Mar-2013  christos Split the npflog cloner and auto-load the extensions.
 1.6 09-Feb-2013  rmind NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
 1.5 20-Jan-2013  rmind - nbuf_ensure_contig: rework to use m_ensure_contig(9), which will not free
the mbuf chain on failure. Fixes some corner cases. Improve regression
test and sprinkle some asserts.
- npf_reassembly: clear nbuf on IPv6 reassembly failure path (partial fix).
The problem was found and fix provided by Anthony Mallet.
 1.4 03-Oct-2012  mlelstv ext_ops does not change during the life cycle and can be fetched without
the mutex held. This avoids confusion in the compiler about an uninitialized
variable ext_ops.
ok rmind@
 1.3 16-Sep-2012  rmind Implement dynamic NPF extensions interface. An extension consists of
dynamically loaded module (.so) supplementing npfctl(8) and a kernel
module. Move normalisation and logging functionality into their own
extensions. More improvements to come.
 1.2 20-Feb-2012  rmind branches: 1.2.2; 1.2.4;
- Add NPF_DECISION_BLOCK and NPF_DECISION_PASS. Be more defensive in the
packet handler. Change the default policy to block when the config is
loaded and set it to pass when flush operation is performed.
- Use kmem_zalloc(9) instead of kmem_alloc(9) in few places.
- npf_rproc_{create,release}: use kmem_intr_{alloc,free} as the destruction
of rule procedure might happen in the interrupt handler (under a very rare
condition, if config reload races with the handler).
- npf_session_establish: check whether layer 3 and 4 are cached.
- npfctl_build_group: do not make groups as passing rules.
- Remove some unecessary header inclusion.
 1.1 06-Feb-2012  rmind branches: 1.1.2; 1.1.4;
- Split NPF rule procedure code into a separate module (no functional changes).
- Simplify some code, add more comments, some asserts.
- G/C unused rule hook code.
 1.1.4.3 24-Feb-2012  mrg sync to -current.
 1.1.4.2 18-Feb-2012  mrg merge to -current.
 1.1.4.1 06-Feb-2012  mrg file npf_rproc.c was added on branch jmcneill-usbmp on 2012-02-18 07:35:38 +0000
 1.1.2.4 11-Feb-2013  riz Pull up following revision(s) (requested by rmind in ticket #817):
usr.sbin/npf/npfctl/npfctl.8: revision 1.12
usr.sbin/npf/npfctl/npf.conf.5: revision 1.27
usr.sbin/npf/npfctl/npf_parse.y: revision 1.18
usr.sbin/npf/npfctl/npf_build.c: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.28
lib/libnpf/npf.c: revision 1.16
usr.sbin/npf/npfctl/npfctl.c: revision 1.29
lib/libnpf/npf.c: revision 1.17
sys/modules/npf/Makefile: revision 1.12
sys/net/npf/npf_rproc.c: revision 1.6
usr.sbin/npf/npftest/README: revision 1.4
sys/net/npf/npf_tableset.c: revision 1.17
sys/net/npf/npf_ctl.c: revision 1.21
sys/net/npf/npf_ctl.c: revision 1.22
usr.sbin/npf/npfctl/npfctl.h: revision 1.25
lib/libnpf/npf.h: revision 1.13
usr.sbin/npf/npftest/npftest.conf: revision 1.2
usr.sbin/npf/npfctl/npfctl.h: revision 1.26
sys/net/npf/npf_ruleset.c: revision 1.17
lib/libnpf/npf.h: revision 1.14
sys/net/npf/npf_ruleset.c: revision 1.18
sys/net/npf/npf_conf.c: revision 1.1
usr.sbin/npf/npfctl/npf_scan.l: revision 1.10
sys/net/npf/npf_conf.c: revision 1.2
sys/net/npf/npf_instr.c: revision 1.16
sys/net/npf/npf_handler.c: revision 1.26
sys/net/npf/npf_impl.h: revision 1.26
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.14
sys/net/npf/npf_processor.c: revision 1.15
sys/net/npf/npf_impl.h: revision 1.27
sys/net/npf/npf_alg_icmp.c: revision 1.15
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.15
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.16
sys/net/npf/npf_ncode.h: revision 1.11
sys/net/npf/files.npf: revision 1.10
usr.sbin/npf/npftest/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.c: revision 1.30
lib/libnpf/npf.3: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.4
sys/net/npf/npf_session.c: revision 1.21
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.5
usr.sbin/npf/npfctl/npf_build.c: revision 1.18
usr.sbin/npf/npfctl/npf_build.c: revision 1.19
sys/net/npf/npf_alg.c: revision 1.7
usr.sbin/npf/npfctl/Makefile: revision 1.10
sys/net/npf/npf_inet.c: revision 1.21
sys/net/npf/npf.h: revision 1.26
sys/net/npf/npf.h: revision 1.27
usr.sbin/pf/ftp-proxy/Makefile: revision 1.8
sys/net/npf/npf_nat.c: revision 1.19
sys/net/npf/npf.c: revision 1.15
sys/net/npf/npf_state.c: revision 1.14
sys/net/npf/npf_sendpkt.c: revision 1.14
sys/rump/net/lib/libnpf/Makefile: revision 1.4
IPv6 linklocal address printing cosmetics
NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
Disable -DWITH_NPF for now; will be converted to BPF mechanism.
- Fix NPF config reload with dynamic rules present.
- Implement list and flush commands on a dynamic ruleset.
Allow filtering on IP addresses even if the L4 protocol is unknown.
Patch from spz@.
npftest: adjust for recent change.
 1.1.2.3 08-Feb-2013  riz Pull up following revision(s) (requested by rmind in ticket #777):
usr.sbin/npf/npfctl/npfctl.c: revision 1.27
sys/net/npf/npf_session.c: revision 1.19
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.4
sys/net/npf/npf_rproc.c: revision 1.5
usr.sbin/npf/npftest/README: revision 1.3
sys/sys/mbuf.h: revision 1.151
sys/net/npf/npf_ruleset.c: revision 1.15
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.3
sys/net/npf/npf_ruleset.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.4
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.4
sys/net/npf/npf_inet.c: revision 1.19
sys/net/npf/npf_instr.c: revision 1.15
sys/net/npf/npf_handler.c: revision 1.24
sys/net/npf/npf_handler.c: revision 1.25
sys/net/npf/npf_state_tcp.c: revision 1.12
sys/net/npf/npf_processor.c: revision 1.13
sys/net/npf/npf_impl.h: revision 1.25
sys/net/npf/npf_processor.c: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.10
sys/net/npf/npf_alg_icmp.c: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.9
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.3
sys/net/npf/npf_session.c: revision 1.20
sys/net/npf/npf_alg.c: revision 1.6
sys/kern/uipc_mbuf.c: revision 1.148
sys/net/npf/npf_inet.c: revision 1.20
sys/net/npf/npf.h: revision 1.25
sys/net/npf/npf_nat.c: revision 1.18
sys/net/npf/npf_state.c: revision 1.13
sys/net/npf/npf_sendpkt.c: revision 1.13
sys/net/npf/npf_ext_log.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.4
sys/net/npf/npf_ext_normalise.c: revision 1.2
- Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.
Silence gcc in npf_recache().
Add m_ensure_contig() routine, which is equivalent to m_pullup, but does not
destroy the mbuf chain on failure (it is kept valid).
- nbuf_ensure_contig: rework to use m_ensure_contig(9), which will not free
the mbuf chain on failure. Fixes some corner cases. Improve regression
test and sprinkle some asserts.
- npf_reassembly: clear nbuf on IPv6 reassembly failure path (partial fix).
The problem was found and fix provided by Anthony Mallet.
 1.1.2.2 18-Nov-2012  riz Pull up following revision(s) (requested by rmind in ticket #693):
lib/npf/ext_normalise/shlib_version: revision 1.1
lib/libnpf/npf.c: revision 1.13
distrib/sets/lists/modules/mi: revision 1.48
sys/net/npf/npf_rproc.c: revision 1.3
sys/net/npf/npf_rproc.c: revision 1.4
sys/modules/npf/Makefile: revision 1.11
usr.sbin/npf/npfctl/npfctl.h: revision 1.20
lib/npf/ext_log/npfext_log.c: revision 1.1
lib/libnpf/npf.h: revision 1.11
sys/net/npf/npf_inet.c: revision 1.17
sys/net/npf/npf_log.c: file removal
sys/net/npf/npf_handler.c: revision 1.22
distrib/sets/lists/base/shl.mi: revision 1.636
sys/net/npf/npf_impl.h: revision 1.23
usr.sbin/npf/npfctl/Makefile: revision 1.8
lib/npf/Makefile: revision 1.1
lib/npf/ext_log/shlib_version: revision 1.1
lib/Makefile: revision 1.189
distrib/sets/lists/comp/shl.mi: revision 1.236
usr.sbin/npf/npfctl/npf_build.c: revision 1.14
distrib/sets/lists/base/mi: revision 1.1007
usr.sbin/npf/npfctl/npf_scan.l: revision 1.6
distrib/sets/lists/base/mi: revision 1.1009
sys/net/npf/npf.h: revision 1.21
lib/npf/ext_normalise/npfext_normalise.c: revision 1.1
etc/mtree/NetBSD.dist.base: revision 1.105
lib/libnpf/Makefile: revision 1.3
etc/mtree/NetBSD.dist.base: revision 1.106
usr.sbin/npf/npfctl/npf_extmod.c: revision 1.1
sys/net/npf/npf_ctl.c: revision 1.18
lib/npf/ext_log/Makefile: revision 1.1
distrib/sets/lists/comp/mi: revision 1.1781
usr.sbin/npf/npfctl/npf_var.h: revision 1.4
sys/net/npf/npf.c: revision 1.13
sys/modules/Makefile: revision 1.111
sys/net/npf/npf_ext_log.c: revision 1.1
lib/npf/Makefile.inc: revision 1.1
sys/net/npf/npf_ext_normalise.c: revision 1.1
sys/net/npf/files.npf: revision 1.8
sys/rump/net/lib/libnpf/Makefile: revision 1.2
sys/modules/npf_ext_log/Makefile: revision 1.1
lib/npf/ext_normalise/Makefile: revision 1.1
usr.sbin/npf/npfctl/npfctl.c: revision 1.20
usr.sbin/npf/npfctl/npf_parse.y: revision 1.13
sys/modules/npf_ext_normalise/Makefile: revision 1.1
Implement dynamic NPF extensions interface. An extension consists of
dynamically loaded module (.so) supplementing npfctl(8) and a kernel
module. Move normalisation and logging functionality into their own
extensions. More improvements to come.
Add /usr/lib/npf.
Add ./usr/libdata/debug/usr/lib/npf for rmind
Fix MKDEBUG set lists
ext_ops does not change during the life cycle and can be fetched without
the mutex held. This avoids confusion in the compiler about an uninitialized
variable ext_ops.
ok rmind@
 1.1.2.1 03-Apr-2012  riz Pull up following revision(s) (requested by rmind in ticket #158):
sys/net/npf/npf_session.c: revision 1.12
sys/net/npf/npf_tableset.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.2
usr.sbin/npf/npfctl/npf_parse.y: revision 1.4
sys/net/npf/npf_inet.c: revision 1.11
sys/net/npf/npf.h: revision 1.15
usr.sbin/npf/npfctl/npf_build.c: revision 1.5
sys/net/npf/npf_ruleset.c: revision 1.11
sys/net/npf/npf_instr.c: revision 1.10
usr.sbin/npf/npfctl/Makefile: revision 1.6
sys/net/npf/npf_processor.c: revision 1.10
sys/net/npf/npf_log.c: revision 1.3
lib/libnpf/npf.h: revision 1.7
sys/net/npf/npf_alg.c: revision 1.3
sys/net/npf/npf_sendpkt.c: revision 1.9
lib/libnpf/npf.c: revision 1.8
usr.sbin/npf/npfctl/npfctl.h: revision 1.13
sys/net/npf/npf_ctl.c: revision 1.13
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.8
sys/net/npf/npf_ctl.c: revision 1.14
sys/net/npf/npf_nat.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.12
sys/net/npf/npf_impl.h: revision 1.11
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.1
sys/net/npf/npf_impl.h: revision 1.12
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.2
sys/net/npf/npf_handler.c: revision 1.14
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.3
sys/net/npf/npf_handler.c: revision 1.15
sys/net/npf/npf_ncode.h: revision 1.6
sys/net/npf/npf.c: revision 1.8
sys/net/npf/npf.c: revision 1.9
sys/net/npf/npf_alg_icmp.c: revision 1.9
sys/net/npf/npf_session.c: revision 1.11
- Add NPF_DECISION_BLOCK and NPF_DECISION_PASS. Be more defensive in the
packet handler. Change the default policy to block when the config is
loaded and set it to pass when flush operation is performed.
- Use kmem_zalloc(9) instead of kmem_alloc(9) in few places.
- npf_rproc_{create,release}: use kmem_intr_{alloc,free} as the destruction
of rule procedure might happen in the interrupt handler (under a very rare
condition, if config reload races with the handler).
- npf_session_establish: check whether layer 3 and 4 are cached.
- npfctl_build_group: do not make groups as passing rules.
- Remove some unecessary header inclusion.
Simplify slightly: merge iface into addr_or_iface, use it in filt_addr.
Add a small disassembler.
definitions used by the disassembler.
- better printing of type/code flags/mask
- pass the instruction start pointer, instead of subtracting 1 to account for it
- Save active config in proplib dictionary; add GETCONF ioctl to retrieve.
- Few fixes. Improve some comments.
don't leak the branch target array.
Add NPF config retrieval routines.
 1.2.4.5 03-Dec-2017  jdolecek update from HEAD
 1.2.4.4 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.2.4.3 23-Jun-2013  tls resync from head
 1.2.4.2 25-Feb-2013  tls resync with head
 1.2.4.1 20-Nov-2012  tls Resync to 2012-11-19 00:00:00 UTC
 1.2.2.5 22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.2.2.4 23-Jan-2013  yamt sync with head
 1.2.2.3 30-Oct-2012  yamt sync with head
 1.2.2.2 17-Apr-2012  yamt sync with head
 1.2.2.1 20-Feb-2012  yamt file npf_rproc.c was added on branch yamt-pagecache on 2012-04-17 00:08:39 +0000
 1.9.10.1 10-Aug-2014  tls Rebase.
 1.12.8.2 20-Mar-2017  pgoyette Sync with HEAD
 1.12.8.1 07-Jan-2017  pgoyette Sync with HEAD. (Note that most of these changes are simply $NetBSD$
tag issues.)
 1.12.4.1 05-Feb-2017  skrll Sync with HEAD
 1.15.2.1 21-Apr-2017  bouyer Sync with HEAD
 1.16.14.1 10-Jun-2019  christos Sync with HEAD
 1.16.12.1 30-Sep-2018  pgoyette Ssync with HEAD
 1.19.2.1 20-Jun-2020  martin Pull up following revision(s) (requested by rmind in ticket #956):

usr.sbin/npf/npf-params.7: revision 1.4
sys/net/npf/npf_worker.c: revision 1.9
usr.sbin/npf/npftest/npftest.h: revision 1.17
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.16
usr.sbin/npf/npf-params.7: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.21
usr.sbin/npf/npfctl/npf_build.c: revision 1.55
usr.sbin/npf/npf-params.7: revision 1.6
sys/net/npf/npfkern.h: revision 1.5
lib/libnpf/npf.c: revision 1.49
usr.sbin/npf/npf-params.7: revision 1.7
sys/net/npf/npf_impl.h: revision 1.81
sys/net/npf/npf_ext_log.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.h: revision 1.53
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.50
sys/net/npf/npf_mbuf.c: revision 1.24
sys/net/npf/npf_alg.c: revision 1.22
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: file removal
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.10
sys/net/npf/npf.h: revision 1.63
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.21
usr.sbin/npf/npfctl/npf_var.c: revision 1.13
sys/net/npf/files.npf: revision 1.23
usr.sbin/npf/npfctl/npf_show.c: revision 1.32
usr.sbin/npf/npfctl/npf.conf.5: revision 1.91
sys/net/npf/npf_os.c: revision 1.18
sys/net/npf/npf_connkey.c: revision 1.2
sys/net/npf/npf_conf.c: revision 1.17
lib/libnpf/libnpf.3: revision 1.12
usr.sbin/npf/npftest/npftest.c: revision 1.25
usr.sbin/npf/npftest/libnpftest/npf_gc_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.51
sys/net/npf/npf_tableset.c: revision 1.35
usr.sbin/npf/npftest/npftest.conf: revision 1.9
sys/net/npf/npf_sendpkt.c: revision 1.22
usr.sbin/npf/npfctl/npf_var.h: revision 1.10
sys/net/npf/npf_state.c: revision 1.23
sys/net/npf/npf_conn.h: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.64
usr.sbin/npf/npfctl/npf_cmd.c: revision 1.1
sys/net/npf/npf_portmap.c: revision 1.5
sys/net/npf/npf_params.c: revision 1.3
usr.sbin/npf/npfctl/npf_scan.l: revision 1.32
tests/net/npf/t_npf.sh: revision 1.4
sys/net/npf/npf_ext_rndblock.c: revision 1.9
lib/libnpf/npf.h: revision 1.39
sys/net/npf/npf_ruleset.c: revision 1.51
sys/net/npf/npf_alg_icmp.c: revision 1.33
sys/net/npf/npf.c: revision 1.43
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.8: revision 1.25
sys/net/npf/npf_ctl.c: revision 1.60
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.11
sys/net/npf/npf_handler.c: revision 1.49
sys/net/npf/npf_inet.c: revision 1.57
sys/net/npf/npf_ifaddr.c: revision 1.7
sys/net/npf/npf_conndb.c: revision 1.9
sys/net/npf/npf_if.c: revision 1.13
usr.sbin/npf/npfctl/Makefile: revision 1.15
sys/net/npf/npf_conn.c: revision 1.32
sys/net/npf/npf_ext_normalize.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.20
sys/net/npf/npf_worker.c: revision 1.8

Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.

npf_worker_sys{init,fini}: initialize/destroy the exit_cv condvar.

npftest -- npf_test_init(): add a workaround for NetBSD.

npf-params(7): fix the state.key defaults.

npf-params.7: s/filer/filter/

Adjust to "npfctl debug" command line changes, from rmind@.

Use more markup.
 1.57 09-Oct-2025  joe PR kern/59615 introduce layer checks for 10 userland 11 kernel
 1.56 01-Jul-2025  joe branches: 1.56.2;
kernel code for layer 2 filtering in NPF

reviewed by christos@
 1.55 01-Jun-2025  joe NPF copyright 2025
 1.54 01-Jun-2025  joe npfctl: show user/group in retrieved rule
 1.53 01-Jun-2025  joe kernel: extract rules, lookup socket, process filtering, reviews by christos@
 1.52 08-Aug-2023  kardel branches: 1.52.6;
The analysis documented in PR misc/56990 is correct.
Fix by not returning when encountering a ruleset rule.

The code up to now would stop at any group rule.

ruleset rules are marked as group rule and a dynamic rule.

processing is only finished when a result is present AND
we are looking at a plain group rule.
 1.51 30-May-2020  rmind branches: 1.51.20;
Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.

- Amend and improve the manual pages.
 1.50 12-Feb-2020  christos PR/54950: Lloyd Parkes: Avoid NULL deref.
 1.49 29-Sep-2019  rmind branches: 1.49.2;
NPF ifmap: rework and fix a few small bugs.
 1.48 23-Jul-2019  rmind branches: 1.48.2;
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.
 1.47 29-Sep-2018  rmind NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.
 1.46 10-Dec-2017  rmind branches: 1.46.2; 1.46.4;
- npf_mk_rules: enforce unique names for the dynamic rulesets.
- npf_worker_unregister: merge fix for the standalone NPF.
 1.45 29-Jan-2017  christos branches: 1.45.6;
- Increase copyin buffer size to 4M
- Change log output format to be like the OpenBSD's pf including in
the header the matching rule etc, and fill in the matching info.
 1.44 28-Dec-2016  christos branches: 1.44.2;
export rprocs too so we don't lose them.
 1.43 26-Dec-2016  christos Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)
 1.42 20-Mar-2015  rmind branches: 1.42.2;
NPF: replace the TAILQ of the dynamic rules with a linked list and fix the
inheriting of the active dynamic rules during the reload; also, fix a bug
in the insert path by putting a memory barrier in the right place.
 1.41 02-Feb-2015  rmind npfctl(8): report dynamic rule ID in a comment, print the case when libpcap
is used correctly. Also, add npf_ruleset_dump() helper in the kernel.
 1.40 30-Nov-2014  rmind - npf_config_load: if loading the connections, do not perform any actice
NAT policy take over or or portmap sharing - just replace them all.
- npf_config_fini: flush with the empty connection database.
- npf_nat_import: fix the stat counter.
 1.39 30-Nov-2014  rmind NPF:
- npf_nat_import: take the port only if using the portmap.
- Sprinkle some comments and asserts.
 1.38 26-Nov-2014  rmind branches: 1.38.2;
NPF: fix the reference counting and share the active NAT portmap correctly
when performing the reload. Should fixes PR/49412, reported by kardel@.
 1.37 11-Aug-2014  rmind branches: 1.37.2;
NPF: finish up the rework of npfctl_save() mechanism.
 1.36 10-Aug-2014  rmind - Add npf_ruleset_export(), npf_rule_export() and npf_nat_policyexport().
- Split off npf_conn_export(). Add npf_ifmap_getname() and use it to save
the interface name; pick it up on npf_conn_import().
- Misc fixes. Bump NPF_VERSION.
 1.35 23-Jul-2014  rmind NPF: rework of the connection saving and restoring:
- Add support for saving a snapshot of the current connections together
with a full configuration. Support a reverse load operation. Eliminate
the old 'sess-save' and 'sess-load' in favour of the new mechanism.
- Share code between load and reload operations: the latter performs
load from npf.conf without affecting the connections.
- Simplify and fix races with connection loading.
- Bump NPF_VERSION.
 1.34 20-Jul-2014  rmind NPF: add nbuf_t * into npf_cache_t and remove unnecessary carrying by argument.
 1.33 25-Jun-2014  rmind Adjust NPF to the recent BPF / BPF JIT changes and make it work again.
All regression tests are happy now (hi alnsn!).
 1.32 24-Jun-2014  alnsn Implement copfuncs and external memory in bpfjit.
 1.31 30-May-2014  rmind - npf_nat_freepolicy: handle a race condition when a new connection might
be associated with a NAT policy which is going away and npfctl reload
would wait for its natural expiration (potentially long time).
- Remove npf_ruleset_natreload() by merging into npf_ruleset_reload().
- npf_ruleset_reload: eliminate a small time period when a valid NAT
policy might be inactive during the reload operation.
 1.30 04-Dec-2013  rmind branches: 1.30.2;
- npf_do_nat: fix a race condition and simplify the logic.
- npf_session_setnat: clear the NAT association on failure.
 1.29 23-Nov-2013  rmind Move initialisation of bpf_args_t into the npf_ruleset_inspect().
This allows us to reuse the BPF memory store as a cache.
 1.28 16-Nov-2013  rmind NPF: convert to bpf_jit_generate()/bpf_jit_freecode().
 1.27 15-Nov-2013  rmind - Add bpf_args_t and convert bpf_filter_ext() to use it. This allows the
caller to initialise (and re-use) the memory store.
- Add bpf_jit_generate() and bpf_jit_freecode() wrappers.
 1.26 08-Nov-2013  rmind NPF: add support for specifying the interfaces before they are attached.
If an interface is or gets detached, all associated rules and connections
will be deactivated (it might be useful to have an option to invalidate
the associated connections). Once the interface is reattached they will
become active.

Bump NPF_VERSION.
 1.25 19-Sep-2013  rmind NPF: G/C n-code in favour of BPF byte-code. Delete lots of code, mmm!
 1.24 19-Sep-2013  rmind - Convert NPF to use BPF byte-code by default. Compile BPF byte-code in
npfctl(8) and generate separate marks to describe the filter criteria.
- Rewrite 'npfctl show' functionality and fix some of the bugs.
- npftest: add a test for BPF COP.
- Bump NPF_VERSION.
 1.23 18-Sep-2013  rmind Add bpf_filter_ext() to use with BPF COP, restore bpf_filter() as it was
originally to preserve compatibility. Similarly, add bpf_validate_ext()
which takes bpf_ctx_t.
 1.22 30-Aug-2013  rmind bpf_filter: add a custom argument which can be passed to coprocessor routine.
 1.21 29-Aug-2013  rmind Implement BPF_COP/BPF_COPX instructions in the misc category (BPF_MISC)
which add a capability to call external functions in a predetermined way.

It can be thought as a BPF "coprocessor" -- a generic mechanism to offload
more complex packet inspection operations. There is no default coprocessor
and this functionality is not targeted to the /dev/bpf. This is primarily
targeted to the kernel subsystems, therefore there is no way to set a custom
coprocessor at the userlevel.

Discussed on: tech-net@
OK: core@
 1.20 18-Mar-2013  rmind branches: 1.20.6;
Always use BPF JIT for NPF rules (using BPF code) if it is available.
 1.19 16-Feb-2013  rmind - Convert NPF dynamic rule ID to just incremented 64-bit counter.
- Fix multiple bugs. Also, update the man page.
 1.18 10-Feb-2013  rmind - Fix NPF config reload with dynamic rules present.
- Implement list and flush commands on a dynamic ruleset.
 1.17 09-Feb-2013  rmind NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
 1.16 20-Jan-2013  rmind - nbuf_ensure_contig: rework to use m_ensure_contig(9), which will not free
the mbuf chain on failure. Fixes some corner cases. Improve regression
test and sprinkle some asserts.
- npf_reassembly: clear nbuf on IPv6 reassembly failure path (partial fix).
The problem was found and fix provided by Anthony Mallet.
 1.15 24-Dec-2012  rmind - Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.
 1.14 12-Aug-2012  rmind branches: 1.14.2;
- Extend npftest: add ruleset inspection testing from the config generated
by npfctl debug functionality. Auto-create npftest interfaces for this.
- NPF sessions: combine protocol and interface into a separate substructure,
share between the entries and thus fix the handling of them. Constify.
- npftest: add regression tests for NAT policies.
- npf_build_nat: simplify and fix bi-NAT regression.
- Bump yacc stack size for npfctl.
 1.13 15-Jul-2012  rmind - Rework NPF tables and fix support for IPv6. Implement tree table type
using radix / Patricia tree. Universal IPv4/IPv6 comparator for ptree(3)
was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.
 1.12 01-Jul-2012  rmind NPF improvements:
- Add NPF_OPCODE_PROTO to match the address and/or protocol only.
- Update parser to support arbitrary "pass proto <name/number>".
- Fix IPv6 address and protocol handling (add a regression test).
- Fix few theorethical races in session handling module.
- Misc fixes, simplifications and some clean up.
 1.11 20-Feb-2012  rmind - Add NPF_DECISION_BLOCK and NPF_DECISION_PASS. Be more defensive in the
packet handler. Change the default policy to block when the config is
loaded and set it to pass when flush operation is performed.
- Use kmem_zalloc(9) instead of kmem_alloc(9) in few places.
- npf_rproc_{create,release}: use kmem_intr_{alloc,free} as the destruction
of rule procedure might happen in the interrupt handler (under a very rare
condition, if config reload races with the handler).
- npf_session_establish: check whether layer 3 and 4 are cached.
- npfctl_build_group: do not make groups as passing rules.
- Remove some unecessary header inclusion.
 1.10 06-Feb-2012  rmind branches: 1.10.2;
- Split NPF rule procedure code into a separate module (no functional changes).
- Simplify some code, add more comments, some asserts.
- G/C unused rule hook code.
 1.9 15-Jan-2012  rmind - Expire all sessions on flush.
- Enable checking for zero mask in IP{4,6}MATCH after npfctl changes.
- Make locking symmetric for npf_ruleset_inspect().
- Sync function prototypes in npf(3) man page with reality.
- Rename NPF_TABLE_RBTREE to NPF_TABLE_TREE.
 1.8 08-Dec-2011  rmind - Explain the magic in npf_tcpfl2case().
- Use __unused instead of (void)cast; fix comment.
 1.7 02-Feb-2011  rmind branches: 1.7.2; 1.7.6; 1.7.10;
NPF checkpoint:
- Add libnpf(3) - a library to control NPF (configuration, ruleset, etc).
- Add NPF support for ftp-proxy(8).
- Add rc.d script for NPF.
- Convert npfctl(8) to use libnpf(3) and thus make it less depressive.
Note: next clean-up step should be a parser, once dholland@ will finish it.
- Add more documentation.
- Various fixes.
 1.6 18-Jan-2011  rmind branches: 1.6.2;
NPF checkpoint:
- Add the concept of rule procedure: separate normalization, logging and
potentially other functions from the rule structure. Rule procedure can be
shared amongst the rules. Separation is both at kernel level (npf_rproc_t)
and configuration ("procedure" + "apply").
- Fix portmap sharing for NAT policy.
- Update TCP state tracking logic. Use TCP FSM definitions.
- Add if_byindex(), OK by matt@. Use in logging for the lookup.
- Fix traceroute ALG and many other bugs; misc clean-up.
 1.5 27-Dec-2010  uebayasi branches: 1.5.2;
Fix build.
 1.4 18-Dec-2010  rmind NPF checkpoint:
- Add support for session saving/restoring.
- Add packet logging support (can tcpdump a pseudo-interface).
- Support reload without flushing of sessions; rework some locking.
- Revisit session mangement, replace linking with npf_sentry_t entries.
- Add some counters for statistics, using percpu(9).
- Add IP_DF flag cleansing.
- Fix various bugs; misc clean-up.
 1.3 11-Nov-2010  rmind NPF checkpoint:
- Add proper TCP state tracking as described in Guido van Rooij paper,
plus handle TCP Window Scaling option.
- Completely rework npf_cache_t, reduce granularity, simplify code.
- Add npf_addr_t as an abstraction, amend session handling code, as well
as NAT code et al, to use it. Now design is prepared for IPv6 support.
- Handle IPv4 fragments i.e. perform packet reassembly.
- Add support for IPv4 ID randomization and minimum TTL enforcement.
- Add support for TCP MSS "clamping".
- Random bits for IPv6. Various fixes and clean-up.
 1.2 16-Sep-2010  rmind branches: 1.2.2; 1.2.4;
NPF checkpoint:
- Add support for bi-directional NAT and redirection / port forwarding.
- Finish filtering on ICMP type/code and add filtering on TCP flags.
- Add support for TCP reset (RST) or ICMP destination unreachable on block.
- Fix a bunch of bugs; misc cleanup.
 1.1 22-Aug-2010  rmind Import NPF - a packet filter. Some features:

- Designed to be fully MP-safe and highly efficient.

- Tables/IP sets (hash or red-black tree) for high performance lookups.

- Stateful filtering and Network Address Port Translation (NAPT).
Framework for application level gateways (ALGs).

- Packet inspection engine called n-code processor - inspired by BPF -
supporting generic RISC-like and specific CISC-like instructions for
common patterns (e.g. IPv4 address matching). See npf_ncode(9) manual.

- Convenient userland utility npfctl(8) with npf.conf(8).

NOTE: This is not yet a fully capable alternative to PF or IPFilter.
Further work (support for binat/rdr, return-rst/return-icmp, common ALGs,
state saving/restoring, logging, etc) is in progress.

Thanks a lot to Matt Thomas for various useful comments and code review.
Aye by: board@
 1.2.4.2 22-Oct-2010  uebayasi Sync with HEAD (-D20101022).
 1.2.4.1 16-Sep-2010  uebayasi file npf_ruleset.c was added on branch uebayasi-xip on 2010-10-22 09:23:15 +0000
 1.2.2.2 09-Oct-2010  yamt sync with head
 1.2.2.1 16-Sep-2010  yamt file npf_ruleset.c was added on branch yamt-nfs-mp on 2010-10-09 03:32:37 +0000
 1.5.2.1 06-Jun-2011  jruoho Sync with HEAD.
 1.6.2.1 08-Feb-2011  bouyer Sync with HEAD
 1.7.10.2 24-Feb-2012  mrg sync to -current.
 1.7.10.1 18-Feb-2012  mrg merge to -current.
 1.7.6.4 22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.7.6.3 23-Jan-2013  yamt sync with head
 1.7.6.2 30-Oct-2012  yamt sync with head
 1.7.6.1 17-Apr-2012  yamt sync with head
 1.7.2.2 05-Mar-2011  rmind sync with head
 1.7.2.1 02-Feb-2011  rmind file npf_ruleset.c was added on branch rmind-uvmplock on 2011-03-05 20:55:55 +0000
 1.10.2.7 18-Feb-2013  riz Pull up following revision(s) (requested by rmind in ticket #829):
usr.sbin/npf/npfctl/npfctl.8: revision 1.13
usr.sbin/npf/npfctl/npf_build.c: revision 1.21
lib/libnpf/npf.c: revision 1.18
sys/net/npf/npf_ctl.c: revision 1.23
usr.sbin/npf/npfctl/npfctl.h: revision 1.27
lib/libnpf/npf.h: revision 1.15
sys/net/npf/npf_ruleset.c: revision 1.19
sys/net/npf/npf_impl.h: revision 1.28
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.c: revision 1.31
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.6
- Convert NPF dynamic rule ID to just incremented 64-bit counter.
- Fix multiple bugs. Also, update the man page.
 1.10.2.6 11-Feb-2013  riz Pull up following revision(s) (requested by rmind in ticket #817):
usr.sbin/npf/npfctl/npfctl.8: revision 1.12
usr.sbin/npf/npfctl/npf.conf.5: revision 1.27
usr.sbin/npf/npfctl/npf_parse.y: revision 1.18
usr.sbin/npf/npfctl/npf_build.c: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.28
lib/libnpf/npf.c: revision 1.16
usr.sbin/npf/npfctl/npfctl.c: revision 1.29
lib/libnpf/npf.c: revision 1.17
sys/modules/npf/Makefile: revision 1.12
sys/net/npf/npf_rproc.c: revision 1.6
usr.sbin/npf/npftest/README: revision 1.4
sys/net/npf/npf_tableset.c: revision 1.17
sys/net/npf/npf_ctl.c: revision 1.21
sys/net/npf/npf_ctl.c: revision 1.22
usr.sbin/npf/npfctl/npfctl.h: revision 1.25
lib/libnpf/npf.h: revision 1.13
usr.sbin/npf/npftest/npftest.conf: revision 1.2
usr.sbin/npf/npfctl/npfctl.h: revision 1.26
sys/net/npf/npf_ruleset.c: revision 1.17
lib/libnpf/npf.h: revision 1.14
sys/net/npf/npf_ruleset.c: revision 1.18
sys/net/npf/npf_conf.c: revision 1.1
usr.sbin/npf/npfctl/npf_scan.l: revision 1.10
sys/net/npf/npf_conf.c: revision 1.2
sys/net/npf/npf_instr.c: revision 1.16
sys/net/npf/npf_handler.c: revision 1.26
sys/net/npf/npf_impl.h: revision 1.26
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.14
sys/net/npf/npf_processor.c: revision 1.15
sys/net/npf/npf_impl.h: revision 1.27
sys/net/npf/npf_alg_icmp.c: revision 1.15
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.15
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.16
sys/net/npf/npf_ncode.h: revision 1.11
sys/net/npf/files.npf: revision 1.10
usr.sbin/npf/npftest/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.c: revision 1.30
lib/libnpf/npf.3: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.4
sys/net/npf/npf_session.c: revision 1.21
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.5
usr.sbin/npf/npfctl/npf_build.c: revision 1.18
usr.sbin/npf/npfctl/npf_build.c: revision 1.19
sys/net/npf/npf_alg.c: revision 1.7
usr.sbin/npf/npfctl/Makefile: revision 1.10
sys/net/npf/npf_inet.c: revision 1.21
sys/net/npf/npf.h: revision 1.26
sys/net/npf/npf.h: revision 1.27
usr.sbin/pf/ftp-proxy/Makefile: revision 1.8
sys/net/npf/npf_nat.c: revision 1.19
sys/net/npf/npf.c: revision 1.15
sys/net/npf/npf_state.c: revision 1.14
sys/net/npf/npf_sendpkt.c: revision 1.14
sys/rump/net/lib/libnpf/Makefile: revision 1.4
IPv6 linklocal address printing cosmetics
NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
Disable -DWITH_NPF for now; will be converted to BPF mechanism.
- Fix NPF config reload with dynamic rules present.
- Implement list and flush commands on a dynamic ruleset.
Allow filtering on IP addresses even if the L4 protocol is unknown.
Patch from spz@.
npftest: adjust for recent change.
 1.10.2.5 08-Feb-2013  riz Pull up following revision(s) (requested by rmind in ticket #777):
usr.sbin/npf/npfctl/npfctl.c: revision 1.27
sys/net/npf/npf_session.c: revision 1.19
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.4
sys/net/npf/npf_rproc.c: revision 1.5
usr.sbin/npf/npftest/README: revision 1.3
sys/sys/mbuf.h: revision 1.151
sys/net/npf/npf_ruleset.c: revision 1.15
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.3
sys/net/npf/npf_ruleset.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.4
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.4
sys/net/npf/npf_inet.c: revision 1.19
sys/net/npf/npf_instr.c: revision 1.15
sys/net/npf/npf_handler.c: revision 1.24
sys/net/npf/npf_handler.c: revision 1.25
sys/net/npf/npf_state_tcp.c: revision 1.12
sys/net/npf/npf_processor.c: revision 1.13
sys/net/npf/npf_impl.h: revision 1.25
sys/net/npf/npf_processor.c: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.10
sys/net/npf/npf_alg_icmp.c: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.9
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.3
sys/net/npf/npf_session.c: revision 1.20
sys/net/npf/npf_alg.c: revision 1.6
sys/kern/uipc_mbuf.c: revision 1.148
sys/net/npf/npf_inet.c: revision 1.20
sys/net/npf/npf.h: revision 1.25
sys/net/npf/npf_nat.c: revision 1.18
sys/net/npf/npf_state.c: revision 1.13
sys/net/npf/npf_sendpkt.c: revision 1.13
sys/net/npf/npf_ext_log.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.4
sys/net/npf/npf_ext_normalise.c: revision 1.2
- Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.
Silence gcc in npf_recache().
Add m_ensure_contig() routine, which is equivalent to m_pullup, but does not
destroy the mbuf chain on failure (it is kept valid).
- nbuf_ensure_contig: rework to use m_ensure_contig(9), which will not free
the mbuf chain on failure. Fixes some corner cases. Improve regression
test and sprinkle some asserts.
- npf_reassembly: clear nbuf on IPv6 reassembly failure path (partial fix).
The problem was found and fix provided by Anthony Mallet.
 1.10.2.4 13-Aug-2012  riz Pull up following revision(s) (requested by rmind in ticket #485):
lib/libnpf/npf.c: revision 1.11
sys/net/npf/npf_session.c: revision 1.17
sys/modules/npf/Makefile: revision 1.10
usr.sbin/npf/npftest/npftest.c: revision 1.4
usr.sbin/npf/npftest/README: revision 1.1
sys/net/npf/npf_tableset.c: revision 1.14
usr.sbin/npf/npftest/npftest.h: revision 1.4
lib/libnpf/npf.h: revision 1.10
sys/net/npf/npf_ruleset.c: revision 1.14
usr.sbin/npf/npfctl/npf_data.c: revision 1.18
usr.sbin/npf/npftest/npftest.conf: revision 1.1
sys/net/npf/npf_handler.c: revision 1.21
sys/net/npf/npf_impl.h: revision 1.21
usr.sbin/npf/npfctl/npfctl.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_build.c: revision 1.13
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.1
usr.sbin/npf/npftest/npfstream.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.h: revision 1.19
sys/net/npf/npf_nat.c: revision 1.16
sys/net/npf/npf_state.c: revision 1.11
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.5
usr.sbin/npf/npfctl/npf_parse.y: revision 1.12
- Extend npftest: add ruleset inspection testing from the config generated
by npfctl debug functionality. Auto-create npftest interfaces for this.
- NPF sessions: combine protocol and interface into a separate substructure,
share between the entries and thus fix the handling of them. Constify.
- npftest: add regression tests for NAT policies.
- npf_build_nat: simplify and fix bi-NAT regression.
- Bump yacc stack size for npfctl.
 1.10.2.3 16-Jul-2012  riz Pull up following revision(s) (requested by rmind in ticket #421):
lib/libnpf/npf.c: revision 1.10
sys/net/npf/npf_session.c: revision 1.15
sys/net/npf/npf_tableset.c: revision 1.13
sys/net/npf/npf_state_tcp.c: revision 1.9
usr.sbin/npf/npfctl/npf_data.c: revision 1.15
sys/net/npf/npf_inet.c: revision 1.14
sys/net/npf/npf_ruleset.c: revision 1.13
sys/net/npf/npf.h: revision 1.19
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.12
sys/net/npf/npf_instr.c: revision 1.13
sys/net/npf/npf_handler.c: revision 1.20
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.4
sys/net/npf/npf_alg_icmp.c: revision 1.10
usr.sbin/npf/npfctl/npfctl.c: revision 1.15
usr.sbin/npf/npfctl/npf_build.c: revision 1.11
lib/libnpf/npf.h: revision 1.9
sys/net/npf/npf_alg.c: revision 1.5
sys/rump/dev/lib/libnpf/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.h: revision 1.17
sys/net/npf/npf_ctl.c: revision 1.16
sys/net/npf/npf_nat.c: revision 1.15
sys/net/npf/npf_tableset_ptree.c: revision 1.1
sys/net/npf/npf.c: revision 1.12
sys/net/npf/npf_sendpkt.c: revision 1.12
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.7
sys/net/npf/npf_impl.h: revision 1.18
sys/net/npf/files.npf: revision 1.7
usr.sbin/npf/npfctl/npf_parse.y: revision 1.10
- Rework NPF tables and fix support for IPv6. Implement tree table type
using radix / Patricia tree. Universal IPv4/IPv6 comparator for ptree(3)
was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.
 1.10.2.2 05-Jul-2012  riz Pull up following revision(s) (requested by rmind in ticket #399):
sys/net/npf/npf_session.c: revision 1.14
sys/net/npf/npf_tableset.c: revision 1.12
sys/net/npf/npf_state_tcp.c: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.3
usr.sbin/npf/npfctl/npf_data.c: revision 1.14
sys/net/npf/npf_inet.c: revision 1.13
sys/net/npf/npf_ruleset.c: revision 1.12
sys/net/npf/npf.h: revision 1.18
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.8: revision 1.7
usr.sbin/npf/npfctl/npf_parse.y: revision 1.9
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.2
usr.sbin/npf/npfctl/npfctl.8: revision 1.8
sys/net/npf/npf_instr.c: revision 1.12
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.3
usr.sbin/npf/npfctl/npf.conf.5: revision 1.13
usr.sbin/npf/npfctl/npf.conf.5: revision 1.14
sys/net/npf/npf_state.c: revision 1.9
sys/net/npf/npf_processor.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.c: revision 1.13
usr.sbin/npf/npfctl/npfctl.c: revision 1.14
usr.sbin/npf/npfctl/npf_build.c: revision 1.10
lib/libnpf/npf.3: revision 1.5
lib/libnpf/npf.h: revision 1.8
share/man/man9/npf_ncode.9: revision 1.9
usr.sbin/npf/npfctl/npf_scan.l: revision 1.4
lib/libnpf/npf.c: revision 1.9
usr.sbin/npf/npfctl/npfctl.h: revision 1.16
sys/net/npf/npf_nat.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.2
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.6
sys/net/npf/npf_impl.h: revision 1.17
sys/net/npf/npf_handler.c: revision 1.18
sys/net/npf/npf_handler.c: revision 1.19
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.4
sys/net/npf/npf_ncode.h: revision 1.9
Fix and update npf.conf(5), npfctl(8) and its usage message.
npf_state_tcp: fix for FIN retransmission and out-of-order ACK case.
NPF improvements:
- Add NPF_OPCODE_PROTO to match the address and/or protocol only.
- Update parser to support arbitrary &quot;pass proto &lt;name/number&gt;&quot;.
- Fix IPv6 address and protocol handling (add a regression test).
- Fix few theorethical races in session handling module.
- Misc fixes, simplifications and some clean up.
npf_packet_handler: fix gcc unused warning.
 1.10.2.1 03-Apr-2012  riz Pull up following revision(s) (requested by rmind in ticket #158):
sys/net/npf/npf_session.c: revision 1.12
sys/net/npf/npf_tableset.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.2
usr.sbin/npf/npfctl/npf_parse.y: revision 1.4
sys/net/npf/npf_inet.c: revision 1.11
sys/net/npf/npf.h: revision 1.15
usr.sbin/npf/npfctl/npf_build.c: revision 1.5
sys/net/npf/npf_ruleset.c: revision 1.11
sys/net/npf/npf_instr.c: revision 1.10
usr.sbin/npf/npfctl/Makefile: revision 1.6
sys/net/npf/npf_processor.c: revision 1.10
sys/net/npf/npf_log.c: revision 1.3
lib/libnpf/npf.h: revision 1.7
sys/net/npf/npf_alg.c: revision 1.3
sys/net/npf/npf_sendpkt.c: revision 1.9
lib/libnpf/npf.c: revision 1.8
usr.sbin/npf/npfctl/npfctl.h: revision 1.13
sys/net/npf/npf_ctl.c: revision 1.13
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.8
sys/net/npf/npf_ctl.c: revision 1.14
sys/net/npf/npf_nat.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.12
sys/net/npf/npf_impl.h: revision 1.11
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.1
sys/net/npf/npf_impl.h: revision 1.12
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.2
sys/net/npf/npf_handler.c: revision 1.14
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.3
sys/net/npf/npf_handler.c: revision 1.15
sys/net/npf/npf_ncode.h: revision 1.6
sys/net/npf/npf.c: revision 1.8
sys/net/npf/npf.c: revision 1.9
sys/net/npf/npf_alg_icmp.c: revision 1.9
sys/net/npf/npf_session.c: revision 1.11
- Add NPF_DECISION_BLOCK and NPF_DECISION_PASS. Be more defensive in the
packet handler. Change the default policy to block when the config is
loaded and set it to pass when flush operation is performed.
- Use kmem_zalloc(9) instead of kmem_alloc(9) in few places.
- npf_rproc_{create,release}: use kmem_intr_{alloc,free} as the destruction
of rule procedure might happen in the interrupt handler (under a very rare
condition, if config reload races with the handler).
- npf_session_establish: check whether layer 3 and 4 are cached.
- npfctl_build_group: do not make groups as passing rules.
- Remove some unecessary header inclusion.
Simplify slightly: merge iface into addr_or_iface, use it in filt_addr.
Add a small disassembler.
definitions used by the disassembler.
- better printing of type/code flags/mask
- pass the instruction start pointer, instead of subtracting 1 to account for it
- Save active config in proplib dictionary; add GETCONF ioctl to retrieve.
- Few fixes. Improve some comments.
don't leak the branch target array.
Add NPF config retrieval routines.
 1.14.2.4 03-Dec-2017  jdolecek update from HEAD
 1.14.2.3 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.14.2.2 23-Jun-2013  tls resync from head
 1.14.2.1 25-Feb-2013  tls resync with head
 1.20.6.1 18-May-2014  rmind sync with head
 1.30.2.1 10-Aug-2014  tls Rebase.
 1.37.2.4 21-Mar-2015  snj Pull up following revision(s) (requested by rmind in ticket #630):
sys/net/npf/npf_ctl.c: revision 1.41
sys/net/npf/npf_ruleset.c: revision 1.42
usr.sbin/npf/npfctl/npf_build.c: revision 1.39
usr.sbin/npf/npfctl/npf_show.c: revision 1.18
NPF: replace the TAILQ of the dynamic rules with a linked list and fix the
inheriting of the active dynamic rules during the reload; also, fix a bug
in the insert path by putting a memory barrier in the right place.
--
npfctl:
- Fix the filter criteria when to/from is omitted but port used.
- Print more user-friendly error if an NPF table has a duplicate entry.
 1.37.2.3 04-Feb-2015  snj Pull up following revision(s) (requested by rmind in ticket #479):
lib/libnpf/npf.c: revision 1.35
lib/libnpf/npf.h: revision 1.28
sys/net/npf/npf_conn.c: revision 1.15
sys/net/npf/npf_impl.h: revision 1.61
sys/net/npf/npf_ruleset.c: revision 1.41
usr.sbin/npf/npfctl/npf.conf.5: revision 1.44
usr.sbin/npf/npfctl/npf_parse.y: revision 1.37
usr.sbin/npf/npfctl/npf_show.c: revisions 1.16, 1.17
usr.sbin/npf/npfctl/npfctl.c: revision 1.46
load the config file before bpfjit so that we can disable the warning.
--
Don't depend on yacc to include stdlib.h or string.h.
--
- npf_conn_establish: remove a rare race condition when we might destroy a
connection when it is still referenced by another thread.
- npf_conn_destroy: remove the backwards entry using the saved key, PR/49488.
- Sprinkle some asserts.
--
npf.conf(5): mention alg, include in the example, minor fix.
--
npfctl(8): report dynamic rule ID in a comment, print the case when libpcap
is used correctly. Also, add npf_ruleset_dump() helper in the kernel.
--
libnpf: add npf_rule_getid() and npf_rule_getcode().
Missed in the previous commit.
--
npfctl_print_rule: print the ID in hex, not decimal.
 1.37.2.2 01-Dec-2014  martin Pull up following revision(s) (requested by rmind in ticket #280):
sys/net/npf/npf_ruleset.c: revision 1.40
sys/net/npf/npf_nat.c: revision 1.36
sys/net/npf/npf_nat.c: revision 1.37
sys/net/npf/npf_conn.h: revision 1.7
sys/net/npf/npf_conf.c: revision 1.9
sys/net/npf/npf_ruleset.c: revision 1.39
sys/net/npf/npf_conn.c: revision 1.13
sys/net/npf/npf_impl.h: revision 1.60
NPF:
- npf_nat_import: take the port only if using the portmap.
- Sprinkle some comments and asserts.
- npf_config_load: if loading the connections, do not perform any actice
NAT policy take over or or portmap sharing - just replace them all.
- npf_config_fini: flush with the empty connection database.
- npf_nat_import: fix the stat counter.
 1.37.2.1 01-Dec-2014  martin Pull up following revision(s) (requested by rmind in ticket #274):
sys/net/npf/npf_nat.c: revision 1.35
sys/net/npf/npf_ruleset.c: revision 1.38
NPF: fix the reference counting and share the active NAT portmap correctly
when performing the reload. Should fixes PR/49412, reported by kardel@.
 1.38.2.2 05-Feb-2017  skrll Sync with HEAD
 1.38.2.1 06-Apr-2015  skrll Sync with HEAD
 1.42.2.2 20-Mar-2017  pgoyette Sync with HEAD
 1.42.2.1 07-Jan-2017  pgoyette Sync with HEAD. (Note that most of these changes are simply $NetBSD$
tag issues.)
 1.44.2.1 21-Apr-2017  bouyer Sync with HEAD
 1.45.6.1 23-Aug-2023  martin Pull up following revision(s) (requested by kardel in ticket #1893):

sys/net/npf/npf_ruleset.c: revision 1.52

The analysis documented in PR misc/56990 is correct.

Fix by not returning when encountering a ruleset rule.

The code up to now would stop at any group rule.
ruleset rules are marked as group rule and a dynamic rule.
processing is only finished when a result is present AND
we are looking at a plain group rule.
 1.46.4.3 13-Apr-2020  martin Mostly merge changes from HEAD upto 20200411
 1.46.4.2 08-Apr-2020  martin Merge changes from current as of 20200406
 1.46.4.1 10-Jun-2019  christos Sync with HEAD
 1.46.2.1 30-Sep-2018  pgoyette Ssync with HEAD
 1.48.2.4 23-Aug-2023  martin Pull up following revision(s) (requested by kardel in ticket #1725):

sys/net/npf/npf_ruleset.c: revision 1.52

The analysis documented in PR misc/56990 is correct.

Fix by not returning when encountering a ruleset rule.

The code up to now would stop at any group rule.
ruleset rules are marked as group rule and a dynamic rule.
processing is only finished when a result is present AND
we are looking at a plain group rule.
 1.48.2.3 20-Jun-2020  martin Pull up following revision(s) (requested by rmind in ticket #956):

usr.sbin/npf/npf-params.7: revision 1.4
sys/net/npf/npf_worker.c: revision 1.9
usr.sbin/npf/npftest/npftest.h: revision 1.17
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.16
usr.sbin/npf/npf-params.7: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.21
usr.sbin/npf/npfctl/npf_build.c: revision 1.55
usr.sbin/npf/npf-params.7: revision 1.6
sys/net/npf/npfkern.h: revision 1.5
lib/libnpf/npf.c: revision 1.49
usr.sbin/npf/npf-params.7: revision 1.7
sys/net/npf/npf_impl.h: revision 1.81
sys/net/npf/npf_ext_log.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.h: revision 1.53
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.50
sys/net/npf/npf_mbuf.c: revision 1.24
sys/net/npf/npf_alg.c: revision 1.22
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: file removal
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.10
sys/net/npf/npf.h: revision 1.63
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.21
usr.sbin/npf/npfctl/npf_var.c: revision 1.13
sys/net/npf/files.npf: revision 1.23
usr.sbin/npf/npfctl/npf_show.c: revision 1.32
usr.sbin/npf/npfctl/npf.conf.5: revision 1.91
sys/net/npf/npf_os.c: revision 1.18
sys/net/npf/npf_connkey.c: revision 1.2
sys/net/npf/npf_conf.c: revision 1.17
lib/libnpf/libnpf.3: revision 1.12
usr.sbin/npf/npftest/npftest.c: revision 1.25
usr.sbin/npf/npftest/libnpftest/npf_gc_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.51
sys/net/npf/npf_tableset.c: revision 1.35
usr.sbin/npf/npftest/npftest.conf: revision 1.9
sys/net/npf/npf_sendpkt.c: revision 1.22
usr.sbin/npf/npfctl/npf_var.h: revision 1.10
sys/net/npf/npf_state.c: revision 1.23
sys/net/npf/npf_conn.h: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.64
usr.sbin/npf/npfctl/npf_cmd.c: revision 1.1
sys/net/npf/npf_portmap.c: revision 1.5
sys/net/npf/npf_params.c: revision 1.3
usr.sbin/npf/npfctl/npf_scan.l: revision 1.32
tests/net/npf/t_npf.sh: revision 1.4
sys/net/npf/npf_ext_rndblock.c: revision 1.9
lib/libnpf/npf.h: revision 1.39
sys/net/npf/npf_ruleset.c: revision 1.51
sys/net/npf/npf_alg_icmp.c: revision 1.33
sys/net/npf/npf.c: revision 1.43
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.8: revision 1.25
sys/net/npf/npf_ctl.c: revision 1.60
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.11
sys/net/npf/npf_handler.c: revision 1.49
sys/net/npf/npf_inet.c: revision 1.57
sys/net/npf/npf_ifaddr.c: revision 1.7
sys/net/npf/npf_conndb.c: revision 1.9
sys/net/npf/npf_if.c: revision 1.13
usr.sbin/npf/npfctl/Makefile: revision 1.15
sys/net/npf/npf_conn.c: revision 1.32
sys/net/npf/npf_ext_normalize.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.20
sys/net/npf/npf_worker.c: revision 1.8

Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.

npf_worker_sys{init,fini}: initialize/destroy the exit_cv condvar.

npftest -- npf_test_init(): add a workaround for NetBSD.

npf-params(7): fix the state.key defaults.

npf-params.7: s/filer/filter/

Adjust to "npfctl debug" command line changes, from rmind@.

Use more markup.
 1.48.2.2 12-Feb-2020  martin Pull up following revision(s) (requested by christos in ticket #699):

sys/net/npf/npf_ruleset.c: revision 1.50

PR/54950: Lloyd Parkes: Avoid NULL deref.
 1.48.2.1 04-Oct-2019  martin Pull up following revision(s) (requested by rmind in ticket #282):

usr.sbin/npf/npfctl/npf_build.c: revision 1.53
lib/libnpf/npf.c: revision 1.48
usr.sbin/npf/npfctl/npfctl.h: revision 1.50
sys/net/npf/npf_impl.h: revision 1.80
usr.sbin/npf/npfctl/npfctl.h: revision 1.51
sys/net/npf/npf_ruleset.c: revision 1.49
usr.sbin/npf/npfctl/npf.conf.5: revision 1.90
sys/net/npf/npf_ctl.c: revision 1.59
lib/libnpf/libnpf.3: revision 1.11
usr.sbin/npf/npfctl/npf_parse.y: revision 1.50
usr.sbin/npf/npftest/npftest.conf: revision 1.8
usr.sbin/npf/npfctl/npfctl.c: revision 1.62
usr.sbin/npf/npfctl/npfctl.c: revision 1.63
usr.sbin/npf/npfctl/npf_scan.l: revision 1.30
usr.sbin/npf/npfctl/npfctl.8: revision 1.22
lib/libnpf/npf.h: revision 1.38
usr.sbin/npf/npfctl/npfctl.8: revision 1.23
usr.sbin/npf/npfctl/npfctl.8: revision 1.24
sys/net/npf/npf_if.c: revision 1.11
sys/net/npf/npf_if.c: revision 1.12
usr.sbin/npf/npfctl/npf.conf.5: revision 1.89
sys/net/npf/npf_conn.c: revision 1.30
usr.sbin/npf/npfctl/npf_build.c: revision 1.52

npfctl: implement table replace subcommand.
Contributed by Timshel Knoll-Miller.

NPF ifmap: rework and fix a few small bugs.

npfctl: implement table replace subcommand.
Contributed by Timshel Knoll-Miller.
(missed a file in previous commit; cvs is so helpful..)

libnpf/npfctl: support dynamic NAT rulesets using a name prefix.

Use -width Pa for FILES.

Fix pasto in table replace -t type

Use -width Pa for FILES.

npf_ifmap_copylogname: be more defensive.
 1.49.2.1 29-Feb-2020  ad Sync with head.
 1.51.20.1 23-Aug-2023  martin Pull up following revision(s) (requested by kardel in ticket #340):

sys/net/npf/npf_ruleset.c: revision 1.52

The analysis documented in PR misc/56990 is correct.

Fix by not returning when encountering a ruleset rule.

The code up to now would stop at any group rule.
ruleset rules are marked as group rule and a dynamic rule.
processing is only finished when a result is present AND
we are looking at a plain group rule.
 1.52.6.1 02-Aug-2025  perseant Sync with HEAD
 1.56.2.1 13-Oct-2025  martin Pull up following revision(s) (requested by joe in ticket #53):

sys/net/npf/npf.h: revision 1.68
sys/net/npf/npf_ruleset.c: revision 1.57

PR kern/59615 introduce layer checks for 10 userland 11 kernel
 1.23 12-Feb-2023  kardel PR kern/56052:
allow block-return packets passed through without rule matching.
Included up-stream as https://github.com/rmind/npf/pull/115
 1.22 30-May-2020  rmind branches: 1.22.20;
Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.

- Amend and improve the manual pages.
 1.21 29-Sep-2018  rmind branches: 1.21.4;
npf_return_tcp: fix no-INET6 case.
 1.20 29-Sep-2018  rmind NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.
 1.19 10-Apr-2018  mrg branches: 1.19.2;
apply some INET6 so this compiles in INET6-less kernels again.
 1.18 17-Mar-2018  maxv Set the scopes before calling icmp6_error(). This fixes a bug similar to
the one I fixed in rev1.17: since the scopes were not set the packet was
never actually sent.

Tested with wireshark, now the ICMPv6 reply is correctly sent, as
expected.
 1.17 14-Mar-2018  maxv Fix the "return-rst" rule on IPv6 packets.

The scopes needed to be set on the addresses before invoking ip6_output,
because ip6_output needs them. The reason they are not here already is
because pfil_run_hooks (in ip6_input) is called _before_ the kernel
initializes the scopes.

Until now ip6_output was always failing, and the IPv6-TCP-RST packet was
never actually sent.

Perhaps it would be better to have the kernel initialize the scopes
before invoking pfil_run_hooks, but several things will need to be fixed
in several places.

Tested with a simple TCPv6 server. Until now the client would block
waiting for an answer that never came; now it receives an RST right away
and closes the connection, as expected.

I believe that the same problem exists in the "return-icmp" rules, but I
can't investigate this right now (some problems with wireshark).
 1.16 26-Dec-2016  christos branches: 1.16.8; 1.16.14;
Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)
 1.15 20-Jul-2014  rmind branches: 1.15.4; 1.15.8;
NPF: add nbuf_t * into npf_cache_t and remove unnecessary carrying by argument.
 1.14 09-Feb-2013  rmind branches: 1.14.10;
NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
 1.13 24-Dec-2012  rmind - Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.
 1.12 15-Jul-2012  rmind branches: 1.12.2;
- Rework NPF tables and fix support for IPv6. Implement tree table type
using radix / Patricia tree. Universal IPv4/IPv6 comparator for ptree(3)
was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.
 1.11 22-Jun-2012  rmind NPF:
- Rename some functions for consistency and de-inline them.
- Fix few invalid asserts (add regressoin test).
- Use pserialize(9) for ALG interface.
- Minor fixes, sprinkle many comments.
 1.10 06-May-2012  rmind - Fix double-free case on ICMP return case.
- npf_pfil_register: handle kernels without INET6 option correctly.
- Reduce some #ifdefs.
 1.9 20-Feb-2012  rmind - Add NPF_DECISION_BLOCK and NPF_DECISION_PASS. Be more defensive in the
packet handler. Change the default policy to block when the config is
loaded and set it to pass when flush operation is performed.
- Use kmem_zalloc(9) instead of kmem_alloc(9) in few places.
- npf_rproc_{create,release}: use kmem_intr_{alloc,free} as the destruction
of rule procedure might happen in the interrupt handler (under a very rare
condition, if config reload races with the handler).
- npf_session_establish: check whether layer 3 and 4 are cached.
- npfctl_build_group: do not make groups as passing rules.
- Remove some unecessary header inclusion.
 1.8 29-Nov-2011  rmind branches: 1.8.2; 1.8.4;
- Rework and improve TCP state tracking.
- Fix regressions after IPv6 patch merge.

Note: npfctl(8) rework will come soon.
 1.7 06-Nov-2011  rmind Few fixes, KNF/style, bump the NPF version.
 1.6 05-Nov-2011  zoltan When building the kernel without IPv6 support, compilation failed.
Fix that.
 1.5 04-Nov-2011  zoltan Add IPv6 support for NPF.
 1.4 18-Jan-2011  rmind branches: 1.4.4; 1.4.8;
NPF checkpoint:
- Add the concept of rule procedure: separate normalization, logging and
potentially other functions from the rule structure. Rule procedure can be
shared amongst the rules. Separation is both at kernel level (npf_rproc_t)
and configuration ("procedure" + "apply").
- Fix portmap sharing for NAT policy.
- Update TCP state tracking logic. Use TCP FSM definitions.
- Add if_byindex(), OK by matt@. Use in logging for the lookup.
- Fix traceroute ALG and many other bugs; misc clean-up.
 1.3 11-Nov-2010  rmind branches: 1.3.2;
NPF checkpoint:
- Add proper TCP state tracking as described in Guido van Rooij paper,
plus handle TCP Window Scaling option.
- Completely rework npf_cache_t, reduce granularity, simplify code.
- Add npf_addr_t as an abstraction, amend session handling code, as well
as NAT code et al, to use it. Now design is prepared for IPv6 support.
- Handle IPv4 fragments i.e. perform packet reassembly.
- Add support for IPv4 ID randomization and minimum TTL enforcement.
- Add support for TCP MSS "clamping".
- Random bits for IPv6. Various fixes and clean-up.
 1.2 25-Sep-2010  rmind branches: 1.2.2; 1.2.4;
Add nbuf_advfetch() and simplify some code slightly.
 1.1 16-Sep-2010  rmind NPF checkpoint:
- Add support for bi-directional NAT and redirection / port forwarding.
- Finish filtering on ICMP type/code and add filtering on TCP flags.
- Add support for TCP reset (RST) or ICMP destination unreachable on block.
- Fix a bunch of bugs; misc cleanup.
 1.2.4.2 22-Oct-2010  uebayasi Sync with HEAD (-D20101022).
 1.2.4.1 25-Sep-2010  uebayasi file npf_sendpkt.c was added on branch uebayasi-xip on 2010-10-22 09:23:15 +0000
 1.2.2.2 09-Oct-2010  yamt sync with head
 1.2.2.1 25-Sep-2010  yamt file npf_sendpkt.c was added on branch yamt-nfs-mp on 2010-10-09 03:32:37 +0000
 1.3.2.1 06-Jun-2011  jruoho Sync with HEAD.
 1.4.8.6 22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.4.8.5 23-Jan-2013  yamt sync with head
 1.4.8.4 30-Oct-2012  yamt sync with head
 1.4.8.3 23-May-2012  yamt sync with head.
 1.4.8.2 17-Apr-2012  yamt sync with head
 1.4.8.1 10-Nov-2011  yamt sync with head
 1.4.4.2 05-Mar-2011  rmind sync with head
 1.4.4.1 18-Jan-2011  rmind file npf_sendpkt.c was added on branch rmind-uvmplock on 2011-03-05 20:55:55 +0000
 1.8.4.6 11-Feb-2013  riz Pull up following revision(s) (requested by rmind in ticket #817):
usr.sbin/npf/npfctl/npfctl.8: revision 1.12
usr.sbin/npf/npfctl/npf.conf.5: revision 1.27
usr.sbin/npf/npfctl/npf_parse.y: revision 1.18
usr.sbin/npf/npfctl/npf_build.c: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.28
lib/libnpf/npf.c: revision 1.16
usr.sbin/npf/npfctl/npfctl.c: revision 1.29
lib/libnpf/npf.c: revision 1.17
sys/modules/npf/Makefile: revision 1.12
sys/net/npf/npf_rproc.c: revision 1.6
usr.sbin/npf/npftest/README: revision 1.4
sys/net/npf/npf_tableset.c: revision 1.17
sys/net/npf/npf_ctl.c: revision 1.21
sys/net/npf/npf_ctl.c: revision 1.22
usr.sbin/npf/npfctl/npfctl.h: revision 1.25
lib/libnpf/npf.h: revision 1.13
usr.sbin/npf/npftest/npftest.conf: revision 1.2
usr.sbin/npf/npfctl/npfctl.h: revision 1.26
sys/net/npf/npf_ruleset.c: revision 1.17
lib/libnpf/npf.h: revision 1.14
sys/net/npf/npf_ruleset.c: revision 1.18
sys/net/npf/npf_conf.c: revision 1.1
usr.sbin/npf/npfctl/npf_scan.l: revision 1.10
sys/net/npf/npf_conf.c: revision 1.2
sys/net/npf/npf_instr.c: revision 1.16
sys/net/npf/npf_handler.c: revision 1.26
sys/net/npf/npf_impl.h: revision 1.26
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.14
sys/net/npf/npf_processor.c: revision 1.15
sys/net/npf/npf_impl.h: revision 1.27
sys/net/npf/npf_alg_icmp.c: revision 1.15
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.15
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.16
sys/net/npf/npf_ncode.h: revision 1.11
sys/net/npf/files.npf: revision 1.10
usr.sbin/npf/npftest/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.c: revision 1.30
lib/libnpf/npf.3: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.4
sys/net/npf/npf_session.c: revision 1.21
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.5
usr.sbin/npf/npfctl/npf_build.c: revision 1.18
usr.sbin/npf/npfctl/npf_build.c: revision 1.19
sys/net/npf/npf_alg.c: revision 1.7
usr.sbin/npf/npfctl/Makefile: revision 1.10
sys/net/npf/npf_inet.c: revision 1.21
sys/net/npf/npf.h: revision 1.26
sys/net/npf/npf.h: revision 1.27
usr.sbin/pf/ftp-proxy/Makefile: revision 1.8
sys/net/npf/npf_nat.c: revision 1.19
sys/net/npf/npf.c: revision 1.15
sys/net/npf/npf_state.c: revision 1.14
sys/net/npf/npf_sendpkt.c: revision 1.14
sys/rump/net/lib/libnpf/Makefile: revision 1.4
IPv6 linklocal address printing cosmetics
NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
Disable -DWITH_NPF for now; will be converted to BPF mechanism.
- Fix NPF config reload with dynamic rules present.
- Implement list and flush commands on a dynamic ruleset.
Allow filtering on IP addresses even if the L4 protocol is unknown.
Patch from spz@.
npftest: adjust for recent change.
 1.8.4.5 08-Feb-2013  riz Pull up following revision(s) (requested by rmind in ticket #777):
usr.sbin/npf/npfctl/npfctl.c: revision 1.27
sys/net/npf/npf_session.c: revision 1.19
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.4
sys/net/npf/npf_rproc.c: revision 1.5
usr.sbin/npf/npftest/README: revision 1.3
sys/sys/mbuf.h: revision 1.151
sys/net/npf/npf_ruleset.c: revision 1.15
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.3
sys/net/npf/npf_ruleset.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.4
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.4
sys/net/npf/npf_inet.c: revision 1.19
sys/net/npf/npf_instr.c: revision 1.15
sys/net/npf/npf_handler.c: revision 1.24
sys/net/npf/npf_handler.c: revision 1.25
sys/net/npf/npf_state_tcp.c: revision 1.12
sys/net/npf/npf_processor.c: revision 1.13
sys/net/npf/npf_impl.h: revision 1.25
sys/net/npf/npf_processor.c: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.10
sys/net/npf/npf_alg_icmp.c: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.9
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.3
sys/net/npf/npf_session.c: revision 1.20
sys/net/npf/npf_alg.c: revision 1.6
sys/kern/uipc_mbuf.c: revision 1.148
sys/net/npf/npf_inet.c: revision 1.20
sys/net/npf/npf.h: revision 1.25
sys/net/npf/npf_nat.c: revision 1.18
sys/net/npf/npf_state.c: revision 1.13
sys/net/npf/npf_sendpkt.c: revision 1.13
sys/net/npf/npf_ext_log.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.4
sys/net/npf/npf_ext_normalise.c: revision 1.2
- Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.
Silence gcc in npf_recache().
Add m_ensure_contig() routine, which is equivalent to m_pullup, but does not
destroy the mbuf chain on failure (it is kept valid).
- nbuf_ensure_contig: rework to use m_ensure_contig(9), which will not free
the mbuf chain on failure. Fixes some corner cases. Improve regression
test and sprinkle some asserts.
- npf_reassembly: clear nbuf on IPv6 reassembly failure path (partial fix).
The problem was found and fix provided by Anthony Mallet.
 1.8.4.4 16-Jul-2012  riz Pull up following revision(s) (requested by rmind in ticket #421):
lib/libnpf/npf.c: revision 1.10
sys/net/npf/npf_session.c: revision 1.15
sys/net/npf/npf_tableset.c: revision 1.13
sys/net/npf/npf_state_tcp.c: revision 1.9
usr.sbin/npf/npfctl/npf_data.c: revision 1.15
sys/net/npf/npf_inet.c: revision 1.14
sys/net/npf/npf_ruleset.c: revision 1.13
sys/net/npf/npf.h: revision 1.19
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.12
sys/net/npf/npf_instr.c: revision 1.13
sys/net/npf/npf_handler.c: revision 1.20
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.4
sys/net/npf/npf_alg_icmp.c: revision 1.10
usr.sbin/npf/npfctl/npfctl.c: revision 1.15
usr.sbin/npf/npfctl/npf_build.c: revision 1.11
lib/libnpf/npf.h: revision 1.9
sys/net/npf/npf_alg.c: revision 1.5
sys/rump/dev/lib/libnpf/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.h: revision 1.17
sys/net/npf/npf_ctl.c: revision 1.16
sys/net/npf/npf_nat.c: revision 1.15
sys/net/npf/npf_tableset_ptree.c: revision 1.1
sys/net/npf/npf.c: revision 1.12
sys/net/npf/npf_sendpkt.c: revision 1.12
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.7
sys/net/npf/npf_impl.h: revision 1.18
sys/net/npf/files.npf: revision 1.7
usr.sbin/npf/npfctl/npf_parse.y: revision 1.10
- Rework NPF tables and fix support for IPv6. Implement tree table type
using radix / Patricia tree. Universal IPv4/IPv6 comparator for ptree(3)
was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.
 1.8.4.3 26-Jun-2012  riz Pull up following revision(s) (requested by rmind in ticket #365):
sys/rump/librump/rumpkern/rumpcpu_generic.c: revision 1.4
sys/net/npf/npf_session.c: revision 1.13
sys/net/npf/npf_tableset.c: revision 1.11
sys/net/npf/npf_state_tcp.c: revision 1.7
sys/net/npf/npf_inet.c: revision 1.12
sys/net/npf/npf.h: revision 1.17
sys/net/npf/npf_instr.c: revision 1.11
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.2
sys/net/npf/npf_state.c: revision 1.8
sys/net/npf/npf_log.c: revision 1.4
sys/net/npf/npf_alg.c: revision 1.4
sys/rump/librump/rumpkern/Makefile.rumpkern: revision 1.118
sys/net/npf/npf_nat.c: revision 1.13
sys/net/npf/npf.c: revision 1.11
sys/net/npf/npf_sendpkt.c: revision 1.11
sys/net/npf/npf_impl.h: revision 1.16
sys/rump/librump/rumpkern/scheduler.c: revision 1.28
rumpkern:
- Add subr_kcpuset.c and subr_pserialize.c modules.
- Add kcpuset_{running,attached} for RUMP env.
NPF:
- Rename some functions for consistency and de-inline them.
- Fix few invalid asserts (add regressoin test).
- Use pserialize(9) for ALG interface.
- Minor fixes, sprinkle many comments.
 1.8.4.2 26-Jun-2012  riz Pull up following revision(s) (requested by rmind in ticket #354):
sys/net/npf/npf_state_tcp.c: revision 1.4
sys/net/npf/npf_state_tcp.c: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.6
usr.sbin/npf/npftest/npftest.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.1
usr.sbin/npf/npftest/npftest.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.2
usr.sbin/npf/npfctl/npf_data.c: revision 1.11
usr.sbin/npf/npftest/npftest.c: revision 1.3
usr.sbin/npf/npfctl/npf_data.c: revision 1.12
usr.sbin/npf/npftest/npftest.h: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.5
usr.sbin/npf/npfctl/npf_data.c: revision 1.13
sys/net/npf/npf.h: revision 1.16
usr.sbin/npf/npftest/npftest.h: revision 1.2
usr.sbin/npf/npfctl/npf_parse.y: revision 1.6
usr.sbin/npf/npftest/npftest.h: revision 1.3
usr.sbin/npf/npfctl/npf_parse.y: revision 1.7
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.10
usr.sbin/npf/npfctl/npf_build.c: revision 1.6
usr.sbin/npf/npfctl/npf_parse.y: revision 1.8
usr.sbin/npf/npfctl/npf_build.c: revision 1.7
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_build.c: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_build.c: revision 1.9
usr.sbin/npf/npfctl/npf.conf.5: revision 1.10
usr.sbin/npf/npfctl/npf.conf.5: revision 1.11
usr.sbin/npf/npfctl/npf.conf.5: revision 1.12
sys/net/npf/npf_state.c: revision 1.7
usr.sbin/npf/npfctl/npfctl.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.c: revision 1.12
usr.sbin/npf/npfctl/Makefile: revision 1.7
sys/rump/net/lib/libnet/Makefile: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.7
usr.sbin/npf/npftest/Makefile: revision 1.1
usr.sbin/npf/npftest/Makefile: revision 1.2
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.1
usr.sbin/npf/npfctl/npf_scan.l: revision 1.2
usr.sbin/npf/npftest/npfstream.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.2
usr.sbin/npf/npfctl/npf_scan.l: revision 1.3
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.3
usr.sbin/npf/npfctl/npfctl.h: revision 1.12
sys/rump/dev/lib/libnpf/Makefile: revision 1.2
usr.sbin/npf/npfctl/npfctl.h: revision 1.14
sys/rump/dev/lib/libnpf/Makefile: revision 1.3
usr.sbin/npf/npfctl/npfctl.h: revision 1.15
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.9
sys/net/npf/npf_ctl.c: revision 1.15
usr.sbin/npf/npfctl/npf_var.c: revision 1.4
usr.sbin/npf/npfctl/npf_var.h: revision 1.2
usr.sbin/npf/npfctl/npf_var.c: revision 1.5
sys/net/npf/npf_impl.h: revision 1.13
sys/net/npf/npf_sendpkt.c: revision 1.10
sys/net/npf/npf_impl.h: revision 1.14
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.4
sys/net/npf/npf_impl.h: revision 1.15
sys/net/npf/npf_handler.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.5
sys/net/npf/npf_handler.c: revision 1.17
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.2
sys/net/npf/npf_ncode.h: revision 1.7
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.3
sys/net/npf/npf_ncode.h: revision 1.8
npf_tcp_inwindow: in a case of negative skew, bump the maximum seen value of
SEQ+LEN in the receiver's side correctly (using ACK from the sender's side).
PR/46265 from Changli Gao.
rumpnet_net: add pfil.c
Update rumpdev_npf; use WARNS=4.
Add initial NPF regression tests integrated with RUMP framework (running the
kernel part of NPF in userland). Other tests will be added once converted to
RUMP framework. All tests are in the public domain.
Some Makefile fixes from christos@.
- Fix double-free case on ICMP return case.
- npf_pfil_register: handle kernels without INET6 option correctly.
- Reduce some #ifdefs.
npfctl(8): add show-config command. Also, update syntax.
npftest: add a stream processor, which prints out the TCP state information.
A tool for debugging connection tracking from tcpdump -w captured data.
npftest: add a module for TCP state tracking and add few test cases.
npf_state_tcp: add an assert; fix some comments while here.
- Rework NPF NAT syntax to be more structured and support future additions
of different types and configurations of NAT.
- npfctl: improve disassemble and show-config command functionality.
- Fix custom ICMP code and type filtering.
make this compile again.
remove error(1) output
Remove superfluous Pp
- make each element of a variable hold a type
- change get_type to take an index, so we can get the individual types of
each element (since primitive elements can be in lists)
- make port_range primitive
- add a routine to convert a variable of primitives to a variable containing
- only port ranges.
remove extra rule that got merged...
 1.8.4.1 03-Apr-2012  riz Pull up following revision(s) (requested by rmind in ticket #158):
sys/net/npf/npf_session.c: revision 1.12
sys/net/npf/npf_tableset.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.2
usr.sbin/npf/npfctl/npf_parse.y: revision 1.4
sys/net/npf/npf_inet.c: revision 1.11
sys/net/npf/npf.h: revision 1.15
usr.sbin/npf/npfctl/npf_build.c: revision 1.5
sys/net/npf/npf_ruleset.c: revision 1.11
sys/net/npf/npf_instr.c: revision 1.10
usr.sbin/npf/npfctl/Makefile: revision 1.6
sys/net/npf/npf_processor.c: revision 1.10
sys/net/npf/npf_log.c: revision 1.3
lib/libnpf/npf.h: revision 1.7
sys/net/npf/npf_alg.c: revision 1.3
sys/net/npf/npf_sendpkt.c: revision 1.9
lib/libnpf/npf.c: revision 1.8
usr.sbin/npf/npfctl/npfctl.h: revision 1.13
sys/net/npf/npf_ctl.c: revision 1.13
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.8
sys/net/npf/npf_ctl.c: revision 1.14
sys/net/npf/npf_nat.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.12
sys/net/npf/npf_impl.h: revision 1.11
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.1
sys/net/npf/npf_impl.h: revision 1.12
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.2
sys/net/npf/npf_handler.c: revision 1.14
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.3
sys/net/npf/npf_handler.c: revision 1.15
sys/net/npf/npf_ncode.h: revision 1.6
sys/net/npf/npf.c: revision 1.8
sys/net/npf/npf.c: revision 1.9
sys/net/npf/npf_alg_icmp.c: revision 1.9
sys/net/npf/npf_session.c: revision 1.11
- Add NPF_DECISION_BLOCK and NPF_DECISION_PASS. Be more defensive in the
packet handler. Change the default policy to block when the config is
loaded and set it to pass when flush operation is performed.
- Use kmem_zalloc(9) instead of kmem_alloc(9) in few places.
- npf_rproc_{create,release}: use kmem_intr_{alloc,free} as the destruction
of rule procedure might happen in the interrupt handler (under a very rare
condition, if config reload races with the handler).
- npf_session_establish: check whether layer 3 and 4 are cached.
- npfctl_build_group: do not make groups as passing rules.
- Remove some unecessary header inclusion.
Simplify slightly: merge iface into addr_or_iface, use it in filt_addr.
Add a small disassembler.
definitions used by the disassembler.
- better printing of type/code flags/mask
- pass the instruction start pointer, instead of subtracting 1 to account for it
- Save active config in proplib dictionary; add GETCONF ioctl to retrieve.
- Few fixes. Improve some comments.
don't leak the branch target array.
Add NPF config retrieval routines.
 1.8.2.2 02-Jun-2012  mrg sync to latest -current.
 1.8.2.1 24-Feb-2012  mrg sync to -current.
 1.12.2.3 03-Dec-2017  jdolecek update from HEAD
 1.12.2.2 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.12.2.1 25-Feb-2013  tls resync with head
 1.14.10.1 10-Aug-2014  tls Rebase.
 1.15.8.1 07-Jan-2017  pgoyette Sync with HEAD. (Note that most of these changes are simply $NetBSD$
tag issues.)
 1.15.4.1 05-Feb-2017  skrll Sync with HEAD
 1.16.14.4 30-Sep-2018  pgoyette Ssync with HEAD
 1.16.14.3 16-Apr-2018  pgoyette Sync with HEAD, resolve some conflicts
 1.16.14.2 22-Mar-2018  pgoyette Synch with HEAD, resolve conflicts
 1.16.14.1 15-Mar-2018  pgoyette Synch with HEAD
 1.16.8.2 14-May-2018  martin Pull up following revision(s) (requested by maxv in ticket #823):

sys/net/npf/npf_inet.c: revision 1.45-1.47
sys/net/npf/npf_alg_icmp.c: revision 1.27-1.30
sys/net/npf/npf_sendpkt.c: revision 1.19

Fix use-after-free.

The nbuf can be reallocated as a result of caching 'enpc', so it is
necessary to recache 'npc', otherwise it contains pointers to the freed
mbuf - pointers which are then used in the ruleset machinery.

We recache 'npc' when we are sure we won't use 'enpc' anymore, because
'enpc' can be clobbered as a result of caching 'npc' (in other words,
only one of the two can be cached at the same time).
Also, we recache 'npc' unconditionally, because there is no way to know
whether the nbuf got clobbered relatively to it. We can't use the
NBUF_DATAREF_RESET flag, because it is stored in the nbuf and not in the
cache.

Discussed with rmind@.

Change npf_cache_all so that it ensures the potential ICMP Query Id is in
the nbuf. In such a way that we don't need to ensure that later.
Change npfa_icmp4_inspect and npfa_icmp6_inspect so that they touch neither
the nbuf nor npc. Adapt their callers accordingly.

In the end, if a packet has a Query Id, we set NPC_ICMP_ID in npc and leave
right away, without recaching npc (not needed since we didn't touch the
nbuf).

This fixes the handling of Query Id packets (that I broke in my previous
commit), and also fixes another possible use-after-free.

Retrieve the complete IPv4 header right away, and make sure we did retrieve
the IPv6 option header we were iterating on.

Ah, fix compilation. I tested my previous change by loading the kernel
module from the filesystem, but the Makefile didn't have DIAGNOSTIC
enabled, and the two KASSERTs I added did not compile properly.

If we fail to advance inside TCP/UDP/ICMPv4/ICMPv6, stop pretending L4
is unknown, and error out right away.

This prevents bugs in machinery, if a place looks for L4 in 'npc_proto'
without checking the cache too. I've seen a ~similar problem already.

In addition to checking L4 in the cache, here we also need to check the
protocol. The NPF entry point does not ensure that
ICMPv6 can be set only in IPv6
ICMPv4 can be set only in IPv4
So we could have ICMPv6 in IPv4.

apply some INET6 so this compiles in INET6-less kernels again.
 1.16.8.1 09-May-2018  martin Pull up following revision(s) (requested by maxv in ticket #817):

sys/net/npf/npf_inet.c: revision 1.38-1.44
sys/net/npf/npf_handler.c: revision 1.38-1.39
sys/net/npf/npf_alg_icmp.c: revision 1.26
sys/net/npf/npf.h: revision 1.56
sys/net/npf/npf_sendpkt.c: revision 1.17-1.18

Declare NPC_FMTERR, and use it to kick malformed packets. Several sanity
checks are added in IPv6; after we see the first IPPROTO_FRAGMENT header,
we are allowed to fail to advance, otherwise we kick the packet.
Sent on tech-net@ a few days ago, no response, but I'm committing it now
anyway.

Switch nptr to uint8_t, and use nbuf_ensure_contig. Makes us use fewer
magic values.

Remove dead branches, 'npc' can't be NULL (and it is dereferenced
earlier).

Fix two consecutive mistakes.

The first mistake was npf_inet.c rev1.37:
"Don't reassemble ipv6 fragments, instead treat the first fragment
as a regular packet (subject to filtering rules), and pass
subsequent fragments in the same group unconditionally."

Doing this was entirely wrong, because then a packet just had to push
the L4 payload in a secondary fragment, and NPF wouldn't apply rules on
it - meaning any IPv6 packet could bypass >=L4 filtering. This mistake
was supposed to be a fix for the second mistake.

The second mistake was that ip6_reass_packet (in npf_reassembly) was
getting called with npc->npc_hlen. But npc_hlen pointed to the last
encountered header in the IPv6 chain, which was not necessarily the
fragment header. So ip6_reass_packet was given garbage, and would fail,
resulting in the packet getting kicked. So basically IPv6 was broken by
NPF.

The first mistake is reverted, and the second one is fixed by doing:
- hlen = sizeof(struct ip6_frag);
+ hlen = 0;

Now the iteration stops on the fragment header, and the call to
ip6_reass_packet is valid.

My npf_inet.c rev1.38 is partially reverted: we don't need to worry
about failing properly to advance; once the packet is reassembled
npf_cache_ip gets called again, and this time the whole chain should be
there.

Tested with a simple UDPv6 server - send a 3000-byte-sized buffer, the
packet gets correctly reassembled by NPF now.

Mmh, put back the RFC6946 check (about dummy fragments), otherwise NPF
is not happy in npf_reassembly, because NPC_IPFRAG is again returned after
the packet was reassembled.

I'm wondering whether it would not be better to just remove the fragment
header in frag6_input directly.

Fix the "return-rst" rule on IPv6 packets.
The scopes needed to be set on the addresses before invoking ip6_output,
because ip6_output needs them. The reason they are not here already is
because pfil_run_hooks (in ip6_input) is called _before_ the kernel
initializes the scopes.

Until now ip6_output was always failing, and the IPv6-TCP-RST packet was
never actually sent.

Perhaps it would be better to have the kernel initialize the scopes
before invoking pfil_run_hooks, but several things will need to be fixed
in several places.

Tested with a simple TCPv6 server. Until now the client would block
waiting for an answer that never came; now it receives an RST right away
and closes the connection, as expected.
I believe that the same problem exists in the "return-icmp" rules, but I
can't investigate this right now (some problems with wireshark).

Fix the IPv6 payload computation in npf_tcpsaw. It was incorrect, and this
caused the "return-rst" rules to send back an RST with the wrong ACK when
the received SYN had an IPv6 option.

Set the scopes before calling icmp6_error(). This fixes a bug similar to
the one I fixed in rev1.17: since the scopes were not set the packet was
never actually sent.

Tested with wireshark, now the ICMPv6 reply is correctly sent, as
expected.

Don't read the L4 payload after IPPROTO_AH when handling IPv6 packets.
AH must be considered as the payload, otherwise a

block all
pass in proto ah from any
pass out proto ah from any

configuration will actually block everything, because NPF checks the
protocol against the one found after AH, and not AH itself.

In addition it may have been a problem for stateful connections; an AH
packet sent by an attacker with an incorrect authentication and a correct
TCP/UDP/whatever payload from an active connection could manage to change
NPF's FSM state, which would perhaps have altered the legitimate
connection with the authenticated remote IPsec host.

Note that IPv4 already doesn't go beyond AH, which is the correct
behavior.

Add XXX (we don't handle IPv6 Jumbograms), and whitespace.
 1.19.2.1 10-Jun-2019  christos Sync with HEAD
 1.21.4.2 14-Mar-2023  martin Pull up following revision(s) (requested by kardel in ticket #119):

sys/net/npf/npf_mbuf.c: revision 1.25
sys/net/npf/npf.h: revision 1.64
sys/net/npf/npf_sendpkt.c: revision 1.23

PR kern/56052:
allow block-return packets passed through without rule matching.
Included up-stream ashttps://github.com/rmind/npf/pull/115
 1.21.4.1 20-Jun-2020  martin Pull up following revision(s) (requested by rmind in ticket #956):

usr.sbin/npf/npf-params.7: revision 1.4
sys/net/npf/npf_worker.c: revision 1.9
usr.sbin/npf/npftest/npftest.h: revision 1.17
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.16
usr.sbin/npf/npf-params.7: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.21
usr.sbin/npf/npfctl/npf_build.c: revision 1.55
usr.sbin/npf/npf-params.7: revision 1.6
sys/net/npf/npfkern.h: revision 1.5
lib/libnpf/npf.c: revision 1.49
usr.sbin/npf/npf-params.7: revision 1.7
sys/net/npf/npf_impl.h: revision 1.81
sys/net/npf/npf_ext_log.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.h: revision 1.53
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.50
sys/net/npf/npf_mbuf.c: revision 1.24
sys/net/npf/npf_alg.c: revision 1.22
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: file removal
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.10
sys/net/npf/npf.h: revision 1.63
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.21
usr.sbin/npf/npfctl/npf_var.c: revision 1.13
sys/net/npf/files.npf: revision 1.23
usr.sbin/npf/npfctl/npf_show.c: revision 1.32
usr.sbin/npf/npfctl/npf.conf.5: revision 1.91
sys/net/npf/npf_os.c: revision 1.18
sys/net/npf/npf_connkey.c: revision 1.2
sys/net/npf/npf_conf.c: revision 1.17
lib/libnpf/libnpf.3: revision 1.12
usr.sbin/npf/npftest/npftest.c: revision 1.25
usr.sbin/npf/npftest/libnpftest/npf_gc_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.51
sys/net/npf/npf_tableset.c: revision 1.35
usr.sbin/npf/npftest/npftest.conf: revision 1.9
sys/net/npf/npf_sendpkt.c: revision 1.22
usr.sbin/npf/npfctl/npf_var.h: revision 1.10
sys/net/npf/npf_state.c: revision 1.23
sys/net/npf/npf_conn.h: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.64
usr.sbin/npf/npfctl/npf_cmd.c: revision 1.1
sys/net/npf/npf_portmap.c: revision 1.5
sys/net/npf/npf_params.c: revision 1.3
usr.sbin/npf/npfctl/npf_scan.l: revision 1.32
tests/net/npf/t_npf.sh: revision 1.4
sys/net/npf/npf_ext_rndblock.c: revision 1.9
lib/libnpf/npf.h: revision 1.39
sys/net/npf/npf_ruleset.c: revision 1.51
sys/net/npf/npf_alg_icmp.c: revision 1.33
sys/net/npf/npf.c: revision 1.43
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.8: revision 1.25
sys/net/npf/npf_ctl.c: revision 1.60
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.11
sys/net/npf/npf_handler.c: revision 1.49
sys/net/npf/npf_inet.c: revision 1.57
sys/net/npf/npf_ifaddr.c: revision 1.7
sys/net/npf/npf_conndb.c: revision 1.9
sys/net/npf/npf_if.c: revision 1.13
usr.sbin/npf/npfctl/Makefile: revision 1.15
sys/net/npf/npf_conn.c: revision 1.32
sys/net/npf/npf_ext_normalize.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.20
sys/net/npf/npf_worker.c: revision 1.8

Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.

npf_worker_sys{init,fini}: initialize/destroy the exit_cv condvar.

npftest -- npf_test_init(): add a workaround for NetBSD.

npf-params(7): fix the state.key defaults.

npf-params.7: s/filer/filter/

Adjust to "npfctl debug" command line changes, from rmind@.

Use more markup.
 1.22.20.1 14-Mar-2023  martin Pull up following revision(s) (requested by kardel in ticket #119):

sys/net/npf/npf_mbuf.c: revision 1.25
sys/net/npf/npf.h: revision 1.64
sys/net/npf/npf_sendpkt.c: revision 1.23

PR kern/56052:
allow block-return packets passed through without rule matching.
Included up-stream ashttps://github.com/rmind/npf/pull/115
 1.34 20-Jul-2014  rmind Bye bye npf_session.c
 1.33 19-Jul-2014  rmind NPF: partially rewrite the connection tracking mechanism:
- Separate the tracking interface from the storage (state table)
and thus prepare to use a new data structure for the storage.
- Fix some race conditions in NAT association logic.
 1.32 14-May-2014  rmind npf_session_inspect: do not silently drop the packet on state check failure.
Let the rules deal with it (e.g. we may want to log it).
 1.31 14-Mar-2014  rmind branches: 1.31.2;
NPF: add support for "stateful-ends".
 1.30 06-Dec-2013  rmind NPF:
- Adjust NAT to not assume flow direction in some cases and thus support
less usual setups which are possible when using 'map' with a custom
filter criteria.
- Introduce NPF_SRC/NPF_DST and replace npc_src/npc_dst with npc_ips[2]
for more convenient handling.
- ICMP ALG: restrict matching only to the outgoing traffic, but be more
direction-agnostic elsewhere.
 1.29 04-Dec-2013  rmind - npf_do_nat: fix a race condition and simplify the logic.
- npf_session_setnat: clear the NAT association on failure.
 1.28 22-Nov-2013  rmind npf_addr_mix: use xor rather than sum.
 1.27 08-Nov-2013  rmind NPF: add support for specifying the interfaces before they are attached.
If an interface is or gets detached, all associated rules and connections
will be deactivated (it might be useful to have an option to invalidate
the associated connections). Once the interface is reattached they will
become active.

Bump NPF_VERSION.
 1.26 29-Oct-2013  rmind npf_session_setnat: fix the race condition when the old connection is still
being expired while a new/duplicate is being created.
 1.25 26-Sep-2013  rmind sess_hash_bucket: convert to murmurhash2, include ports, use random seed.
 1.24 02-Jun-2013  rmind branches: 1.24.2;
- NPF connection tracking: rework synchronisation on tracking disable/enable
points and document it. Split the worker thread into a separate module
with an interface, so it could be re-used for other tasks.
- Replace ALG list with arrays and thus hit fewer cache lines.
- Misc bug fixes.
 1.23 18-Mar-2013  rmind npf_session_establish: fix previous.
 1.22 18-Mar-2013  rmind Add npf_session_trackable_p() and npf_session_fillent() for the common code.
Simplify. No functional change.
 1.21 09-Feb-2013  rmind NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
 1.20 20-Jan-2013  rmind - nbuf_ensure_contig: rework to use m_ensure_contig(9), which will not free
the mbuf chain on failure. Fixes some corner cases. Improve regression
test and sprinkle some asserts.
- npf_reassembly: clear nbuf on IPv6 reassembly failure path (partial fix).
The problem was found and fix provided by Anthony Mallet.
 1.19 24-Dec-2012  rmind - Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.
 1.18 13-Sep-2012  joerg Mark npf_session_worker as __dead.
 1.17 12-Aug-2012  rmind branches: 1.17.2;
- Extend npftest: add ruleset inspection testing from the config generated
by npfctl debug functionality. Auto-create npftest interfaces for this.
- NPF sessions: combine protocol and interface into a separate substructure,
share between the entries and thus fix the handling of them. Constify.
- npftest: add regression tests for NAT policies.
- npf_build_nat: simplify and fix bi-NAT regression.
- Bump yacc stack size for npfctl.
 1.16 19-Jul-2012  spz teach npf ipv6-icmp
reviewed by rmind@
 1.15 15-Jul-2012  rmind - Rework NPF tables and fix support for IPv6. Implement tree table type
using radix / Patricia tree. Universal IPv4/IPv6 comparator for ptree(3)
was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.
 1.14 01-Jul-2012  rmind NPF improvements:
- Add NPF_OPCODE_PROTO to match the address and/or protocol only.
- Update parser to support arbitrary "pass proto <name/number>".
- Fix IPv6 address and protocol handling (add a regression test).
- Fix few theorethical races in session handling module.
- Misc fixes, simplifications and some clean up.
 1.13 22-Jun-2012  rmind NPF:
- Rename some functions for consistency and de-inline them.
- Fix few invalid asserts (add regressoin test).
- Use pserialize(9) for ALG interface.
- Minor fixes, sprinkle many comments.
 1.12 11-Mar-2012  rmind - Save active config in proplib dictionary; add GETCONF ioctl to retrieve.
- Few fixes. Improve some comments.
 1.11 20-Feb-2012  rmind - Add NPF_DECISION_BLOCK and NPF_DECISION_PASS. Be more defensive in the
packet handler. Change the default policy to block when the config is
loaded and set it to pass when flush operation is performed.
- Use kmem_zalloc(9) instead of kmem_alloc(9) in few places.
- npf_rproc_{create,release}: use kmem_intr_{alloc,free} as the destruction
of rule procedure might happen in the interrupt handler (under a very rare
condition, if config reload races with the handler).
- npf_session_establish: check whether layer 3 and 4 are cached.
- npfctl_build_group: do not make groups as passing rules.
- Remove some unecessary header inclusion.
 1.10 29-Nov-2011  rmind branches: 1.10.2; 1.10.4;
- Rework and improve TCP state tracking.
- Fix regressions after IPv6 patch merge.

Note: npfctl(8) rework will come soon.
 1.9 04-Nov-2011  zoltan Add IPv6 support for NPF.
 1.8 02-Feb-2011  rmind branches: 1.8.2; 1.8.6;
NPF checkpoint:
- Add libnpf(3) - a library to control NPF (configuration, ruleset, etc).
- Add NPF support for ftp-proxy(8).
- Add rc.d script for NPF.
- Convert npfctl(8) to use libnpf(3) and thus make it less depressive.
Note: next clean-up step should be a parser, once dholland@ will finish it.
- Add more documentation.
- Various fixes.
 1.7 18-Jan-2011  rmind branches: 1.7.2;
NPF checkpoint:
- Add the concept of rule procedure: separate normalization, logging and
potentially other functions from the rule structure. Rule procedure can be
shared amongst the rules. Separation is both at kernel level (npf_rproc_t)
and configuration ("procedure" + "apply").
- Fix portmap sharing for NAT policy.
- Update TCP state tracking logic. Use TCP FSM definitions.
- Add if_byindex(), OK by matt@. Use in logging for the lookup.
- Fix traceroute ALG and many other bugs; misc clean-up.
 1.6 18-Dec-2010  rmind branches: 1.6.2;
NPF checkpoint:
- Add support for session saving/restoring.
- Add packet logging support (can tcpdump a pseudo-interface).
- Support reload without flushing of sessions; rework some locking.
- Revisit session mangement, replace linking with npf_sentry_t entries.
- Add some counters for statistics, using percpu(9).
- Add IP_DF flag cleansing.
- Fix various bugs; misc clean-up.
 1.5 11-Nov-2010  rmind NPF checkpoint:
- Add proper TCP state tracking as described in Guido van Rooij paper,
plus handle TCP Window Scaling option.
- Completely rework npf_cache_t, reduce granularity, simplify code.
- Add npf_addr_t as an abstraction, amend session handling code, as well
as NAT code et al, to use it. Now design is prepared for IPv6 support.
- Handle IPv4 fragments i.e. perform packet reassembly.
- Add support for IPv4 ID randomization and minimum TTL enforcement.
- Add support for TCP MSS "clamping".
- Random bits for IPv6. Various fixes and clean-up.
 1.4 03-Oct-2010  rmind branches: 1.4.2; 1.4.4;
- npf_session_gc: fix for previous RB-tree conversion.
- npf_session_free: rename (to singular).
 1.3 24-Sep-2010  rmind Fixes/improvements to RB-tree implementation:
1. Fix inverted node order, so that negative value from comparison operator
would represent lower (left) node, and positive - higher (right) node.
2. Add an argument (i.e. "context"), passed to comparison operators.
3. Change rb_tree_insert_node() to return a node - either inserted one or
already existing one.
4. Amend the interface to manipulate the actual object, instead of the
rb_node (in a similar way as Patricia-tree interface does).
5. Update all RB-tree users accordingly.

XXX: Perhaps rename rb.h to rbtree.h, since cleaning-up..

1-3 address the PR/43488 by Jeremy Huddleston.

Passes RB-tree regression tests.
Reviewed by: matt@, christos@
 1.2 16-Sep-2010  rmind NPF checkpoint:
- Add support for bi-directional NAT and redirection / port forwarding.
- Finish filtering on ICMP type/code and add filtering on TCP flags.
- Add support for TCP reset (RST) or ICMP destination unreachable on block.
- Fix a bunch of bugs; misc cleanup.
 1.1 22-Aug-2010  rmind Import NPF - a packet filter. Some features:

- Designed to be fully MP-safe and highly efficient.

- Tables/IP sets (hash or red-black tree) for high performance lookups.

- Stateful filtering and Network Address Port Translation (NAPT).
Framework for application level gateways (ALGs).

- Packet inspection engine called n-code processor - inspired by BPF -
supporting generic RISC-like and specific CISC-like instructions for
common patterns (e.g. IPv4 address matching). See npf_ncode(9) manual.

- Convenient userland utility npfctl(8) with npf.conf(8).

NOTE: This is not yet a fully capable alternative to PF or IPFilter.
Further work (support for binat/rdr, return-rst/return-icmp, common ALGs,
state saving/restoring, logging, etc) is in progress.

Thanks a lot to Matt Thomas for various useful comments and code review.
Aye by: board@
 1.4.4.2 22-Oct-2010  uebayasi Sync with HEAD (-D20101022).
 1.4.4.1 03-Oct-2010  uebayasi file npf_session.c was added on branch uebayasi-xip on 2010-10-22 09:23:15 +0000
 1.4.2.2 09-Oct-2010  yamt sync with head
 1.4.2.1 03-Oct-2010  yamt file npf_session.c was added on branch yamt-nfs-mp on 2010-10-09 03:32:37 +0000
 1.6.2.1 06-Jun-2011  jruoho Sync with HEAD.
 1.7.2.1 08-Feb-2011  bouyer Sync with HEAD
 1.8.6.5 22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.8.6.4 23-Jan-2013  yamt sync with head
 1.8.6.3 30-Oct-2012  yamt sync with head
 1.8.6.2 17-Apr-2012  yamt sync with head
 1.8.6.1 10-Nov-2011  yamt sync with head
 1.8.2.2 05-Mar-2011  rmind sync with head
 1.8.2.1 02-Feb-2011  rmind file npf_session.c was added on branch rmind-uvmplock on 2011-03-05 20:55:55 +0000
 1.10.4.10 17-Nov-2013  bouyer Pull up following revision(s) (requested by rmind in ticket #985):
sys/net/npf/npf_impl.h: revision 1.35
sys/net/npf/npf_nat.c: revision 1.21
sys/net/npf/npf_session.c: revision 1.26
npf_session_setnat: fix the race condition when the old connection is still
being expired while a new/duplicate is being created.
 1.10.4.9 11-Feb-2013  riz branches: 1.10.4.9.2;
Pull up following revision(s) (requested by rmind in ticket #817):
usr.sbin/npf/npfctl/npfctl.8: revision 1.12
usr.sbin/npf/npfctl/npf.conf.5: revision 1.27
usr.sbin/npf/npfctl/npf_parse.y: revision 1.18
usr.sbin/npf/npfctl/npf_build.c: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.28
lib/libnpf/npf.c: revision 1.16
usr.sbin/npf/npfctl/npfctl.c: revision 1.29
lib/libnpf/npf.c: revision 1.17
sys/modules/npf/Makefile: revision 1.12
sys/net/npf/npf_rproc.c: revision 1.6
usr.sbin/npf/npftest/README: revision 1.4
sys/net/npf/npf_tableset.c: revision 1.17
sys/net/npf/npf_ctl.c: revision 1.21
sys/net/npf/npf_ctl.c: revision 1.22
usr.sbin/npf/npfctl/npfctl.h: revision 1.25
lib/libnpf/npf.h: revision 1.13
usr.sbin/npf/npftest/npftest.conf: revision 1.2
usr.sbin/npf/npfctl/npfctl.h: revision 1.26
sys/net/npf/npf_ruleset.c: revision 1.17
lib/libnpf/npf.h: revision 1.14
sys/net/npf/npf_ruleset.c: revision 1.18
sys/net/npf/npf_conf.c: revision 1.1
usr.sbin/npf/npfctl/npf_scan.l: revision 1.10
sys/net/npf/npf_conf.c: revision 1.2
sys/net/npf/npf_instr.c: revision 1.16
sys/net/npf/npf_handler.c: revision 1.26
sys/net/npf/npf_impl.h: revision 1.26
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.14
sys/net/npf/npf_processor.c: revision 1.15
sys/net/npf/npf_impl.h: revision 1.27
sys/net/npf/npf_alg_icmp.c: revision 1.15
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.15
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.16
sys/net/npf/npf_ncode.h: revision 1.11
sys/net/npf/files.npf: revision 1.10
usr.sbin/npf/npftest/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.c: revision 1.30
lib/libnpf/npf.3: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.4
sys/net/npf/npf_session.c: revision 1.21
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.5
usr.sbin/npf/npfctl/npf_build.c: revision 1.18
usr.sbin/npf/npfctl/npf_build.c: revision 1.19
sys/net/npf/npf_alg.c: revision 1.7
usr.sbin/npf/npfctl/Makefile: revision 1.10
sys/net/npf/npf_inet.c: revision 1.21
sys/net/npf/npf.h: revision 1.26
sys/net/npf/npf.h: revision 1.27
usr.sbin/pf/ftp-proxy/Makefile: revision 1.8
sys/net/npf/npf_nat.c: revision 1.19
sys/net/npf/npf.c: revision 1.15
sys/net/npf/npf_state.c: revision 1.14
sys/net/npf/npf_sendpkt.c: revision 1.14
sys/rump/net/lib/libnpf/Makefile: revision 1.4
IPv6 linklocal address printing cosmetics
NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
Disable -DWITH_NPF for now; will be converted to BPF mechanism.
- Fix NPF config reload with dynamic rules present.
- Implement list and flush commands on a dynamic ruleset.
Allow filtering on IP addresses even if the L4 protocol is unknown.
Patch from spz@.
npftest: adjust for recent change.
 1.10.4.8 08-Feb-2013  riz Pull up following revision(s) (requested by rmind in ticket #777):
usr.sbin/npf/npfctl/npfctl.c: revision 1.27
sys/net/npf/npf_session.c: revision 1.19
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.4
sys/net/npf/npf_rproc.c: revision 1.5
usr.sbin/npf/npftest/README: revision 1.3
sys/sys/mbuf.h: revision 1.151
sys/net/npf/npf_ruleset.c: revision 1.15
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.3
sys/net/npf/npf_ruleset.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.4
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.4
sys/net/npf/npf_inet.c: revision 1.19
sys/net/npf/npf_instr.c: revision 1.15
sys/net/npf/npf_handler.c: revision 1.24
sys/net/npf/npf_handler.c: revision 1.25
sys/net/npf/npf_state_tcp.c: revision 1.12
sys/net/npf/npf_processor.c: revision 1.13
sys/net/npf/npf_impl.h: revision 1.25
sys/net/npf/npf_processor.c: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.10
sys/net/npf/npf_alg_icmp.c: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.9
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.3
sys/net/npf/npf_session.c: revision 1.20
sys/net/npf/npf_alg.c: revision 1.6
sys/kern/uipc_mbuf.c: revision 1.148
sys/net/npf/npf_inet.c: revision 1.20
sys/net/npf/npf.h: revision 1.25
sys/net/npf/npf_nat.c: revision 1.18
sys/net/npf/npf_state.c: revision 1.13
sys/net/npf/npf_sendpkt.c: revision 1.13
sys/net/npf/npf_ext_log.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.4
sys/net/npf/npf_ext_normalise.c: revision 1.2
- Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.
Silence gcc in npf_recache().
Add m_ensure_contig() routine, which is equivalent to m_pullup, but does not
destroy the mbuf chain on failure (it is kept valid).
- nbuf_ensure_contig: rework to use m_ensure_contig(9), which will not free
the mbuf chain on failure. Fixes some corner cases. Improve regression
test and sprinkle some asserts.
- npf_reassembly: clear nbuf on IPv6 reassembly failure path (partial fix).
The problem was found and fix provided by Anthony Mallet.
 1.10.4.7 18-Nov-2012  riz Pull up following revision(s) (requested by rmind in ticket #679):
sys/net/npf/npf_session.c: revision 1.18
usr.sbin/npf/npftest/npftest.c: revision 1.6
usr.sbin/npf/npftest/npftest.c: revision 1.7
usr.sbin/npf/npftest/npftest.c: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.5
sys/net/npf/npf_alg_icmp.c: revision 1.13
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.2
usr.sbin/npf/npftest/npfstream.c: revision 1.4
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.3
npftest:
- Do not stop running other tests, if some tests fail.
- Fix some endianness bugs in the test cases.
Tested on sparc64 by martin@, all tests pass.
Add two new command line options to help integration into ATF:
-L lists the available test cases, -T executes a single named test.
Fix printf format
Mark npf_session_worker as __dead.
More __dead
npf_icmp_uniqid: split into npf_icmp_uniqid4() and npf_icmp_uniqid6() parts.
 1.10.4.6 13-Aug-2012  riz Pull up following revision(s) (requested by rmind in ticket #485):
lib/libnpf/npf.c: revision 1.11
sys/net/npf/npf_session.c: revision 1.17
sys/modules/npf/Makefile: revision 1.10
usr.sbin/npf/npftest/npftest.c: revision 1.4
usr.sbin/npf/npftest/README: revision 1.1
sys/net/npf/npf_tableset.c: revision 1.14
usr.sbin/npf/npftest/npftest.h: revision 1.4
lib/libnpf/npf.h: revision 1.10
sys/net/npf/npf_ruleset.c: revision 1.14
usr.sbin/npf/npfctl/npf_data.c: revision 1.18
usr.sbin/npf/npftest/npftest.conf: revision 1.1
sys/net/npf/npf_handler.c: revision 1.21
sys/net/npf/npf_impl.h: revision 1.21
usr.sbin/npf/npfctl/npfctl.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_build.c: revision 1.13
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.1
usr.sbin/npf/npftest/npfstream.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.h: revision 1.19
sys/net/npf/npf_nat.c: revision 1.16
sys/net/npf/npf_state.c: revision 1.11
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.5
usr.sbin/npf/npfctl/npf_parse.y: revision 1.12
- Extend npftest: add ruleset inspection testing from the config generated
by npfctl debug functionality. Auto-create npftest interfaces for this.
- NPF sessions: combine protocol and interface into a separate substructure,
share between the entries and thus fix the handling of them. Constify.
- npftest: add regression tests for NAT policies.
- npf_build_nat: simplify and fix bi-NAT regression.
- Bump yacc stack size for npfctl.
 1.10.4.5 25-Jul-2012  jdc Pull up revisions:
src/usr.sbin/npf/npfctl/npfctl.c revisions 1.16,1.17
src/sys/net/npf/npf.h revision 1.20
src/sys/net/npf/npf_alg_icmp.c revision 1.11
src/sys/net/npf/npf_impl.h revision 1.19
src/sys/net/npf/npf_inet.c revisions 1.15,1.16
src/sys/net/npf/npf_instr.c revision 1.14
src/sys/net/npf/npf_ncode.h revision 1.10
src/sys/net/npf/npf_processor.c revision 1.12
src/sys/net/npf/npf_session.c revision 1.16
src/usr.sbin/npf/npfctl/npf_build.c revision 1.12
src/usr.sbin/npf/npfctl/npf_data.c revisions 1.16,1.17
src/usr.sbin/npf/npfctl/npf_disassemble.c revision 1.8
src/usr.sbin/npf/npfctl/npf_ncgen.c revision 1.13
src/usr.sbin/npf/npfctl/npf_parse.y revision 1.11
src/usr.sbin/npf/npfctl/npf_scan.l revision 1.5
src/usr.sbin/npf/npfctl/npf_var.h revision 1.3
src/usr.sbin/npf/npfctl/npfctl.h revision 1.18
src/sys/net/npf/npf_state.c revision 1.10
src/sys/net/npf/npf_state_tcp.c revision 1.10
src/usr.sbin/npf/npftest/npfstream.c revision 1.2
src/usr.sbin/npf/npftest/libnpftest/npf_test_subr.c revision 1.2
(requested by rmind in ticket #435).

Add missing __dead.

teach npf ipv6-icmp
reviewed by rmind@

- npfctl_print_stats: beautification a la French style.
- npfctl_icmpcode: fix the build break.

- npf_fetch_tcpopts: fix off-by-one when validating TCP option length
against the maximum allowed.
- npf_tcp_inwindow: be more liberal with npf_fetch_tcpopts().
- Few minor improvements to npftest.
 1.10.4.4 16-Jul-2012  riz Pull up following revision(s) (requested by rmind in ticket #421):
lib/libnpf/npf.c: revision 1.10
sys/net/npf/npf_session.c: revision 1.15
sys/net/npf/npf_tableset.c: revision 1.13
sys/net/npf/npf_state_tcp.c: revision 1.9
usr.sbin/npf/npfctl/npf_data.c: revision 1.15
sys/net/npf/npf_inet.c: revision 1.14
sys/net/npf/npf_ruleset.c: revision 1.13
sys/net/npf/npf.h: revision 1.19
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.12
sys/net/npf/npf_instr.c: revision 1.13
sys/net/npf/npf_handler.c: revision 1.20
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.4
sys/net/npf/npf_alg_icmp.c: revision 1.10
usr.sbin/npf/npfctl/npfctl.c: revision 1.15
usr.sbin/npf/npfctl/npf_build.c: revision 1.11
lib/libnpf/npf.h: revision 1.9
sys/net/npf/npf_alg.c: revision 1.5
sys/rump/dev/lib/libnpf/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.h: revision 1.17
sys/net/npf/npf_ctl.c: revision 1.16
sys/net/npf/npf_nat.c: revision 1.15
sys/net/npf/npf_tableset_ptree.c: revision 1.1
sys/net/npf/npf.c: revision 1.12
sys/net/npf/npf_sendpkt.c: revision 1.12
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.7
sys/net/npf/npf_impl.h: revision 1.18
sys/net/npf/files.npf: revision 1.7
usr.sbin/npf/npfctl/npf_parse.y: revision 1.10
- Rework NPF tables and fix support for IPv6. Implement tree table type
using radix / Patricia tree. Universal IPv4/IPv6 comparator for ptree(3)
was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.
 1.10.4.3 05-Jul-2012  riz Pull up following revision(s) (requested by rmind in ticket #399):
sys/net/npf/npf_session.c: revision 1.14
sys/net/npf/npf_tableset.c: revision 1.12
sys/net/npf/npf_state_tcp.c: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.3
usr.sbin/npf/npfctl/npf_data.c: revision 1.14
sys/net/npf/npf_inet.c: revision 1.13
sys/net/npf/npf_ruleset.c: revision 1.12
sys/net/npf/npf.h: revision 1.18
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.8: revision 1.7
usr.sbin/npf/npfctl/npf_parse.y: revision 1.9
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.2
usr.sbin/npf/npfctl/npfctl.8: revision 1.8
sys/net/npf/npf_instr.c: revision 1.12
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.3
usr.sbin/npf/npfctl/npf.conf.5: revision 1.13
usr.sbin/npf/npfctl/npf.conf.5: revision 1.14
sys/net/npf/npf_state.c: revision 1.9
sys/net/npf/npf_processor.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.c: revision 1.13
usr.sbin/npf/npfctl/npfctl.c: revision 1.14
usr.sbin/npf/npfctl/npf_build.c: revision 1.10
lib/libnpf/npf.3: revision 1.5
lib/libnpf/npf.h: revision 1.8
share/man/man9/npf_ncode.9: revision 1.9
usr.sbin/npf/npfctl/npf_scan.l: revision 1.4
lib/libnpf/npf.c: revision 1.9
usr.sbin/npf/npfctl/npfctl.h: revision 1.16
sys/net/npf/npf_nat.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.2
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.6
sys/net/npf/npf_impl.h: revision 1.17
sys/net/npf/npf_handler.c: revision 1.18
sys/net/npf/npf_handler.c: revision 1.19
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.4
sys/net/npf/npf_ncode.h: revision 1.9
Fix and update npf.conf(5), npfctl(8) and its usage message.
npf_state_tcp: fix for FIN retransmission and out-of-order ACK case.
NPF improvements:
- Add NPF_OPCODE_PROTO to match the address and/or protocol only.
- Update parser to support arbitrary &quot;pass proto &lt;name/number&gt;&quot;.
- Fix IPv6 address and protocol handling (add a regression test).
- Fix few theorethical races in session handling module.
- Misc fixes, simplifications and some clean up.
npf_packet_handler: fix gcc unused warning.
 1.10.4.2 26-Jun-2012  riz Pull up following revision(s) (requested by rmind in ticket #365):
sys/rump/librump/rumpkern/rumpcpu_generic.c: revision 1.4
sys/net/npf/npf_session.c: revision 1.13
sys/net/npf/npf_tableset.c: revision 1.11
sys/net/npf/npf_state_tcp.c: revision 1.7
sys/net/npf/npf_inet.c: revision 1.12
sys/net/npf/npf.h: revision 1.17
sys/net/npf/npf_instr.c: revision 1.11
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.2
sys/net/npf/npf_state.c: revision 1.8
sys/net/npf/npf_log.c: revision 1.4
sys/net/npf/npf_alg.c: revision 1.4
sys/rump/librump/rumpkern/Makefile.rumpkern: revision 1.118
sys/net/npf/npf_nat.c: revision 1.13
sys/net/npf/npf.c: revision 1.11
sys/net/npf/npf_sendpkt.c: revision 1.11
sys/net/npf/npf_impl.h: revision 1.16
sys/rump/librump/rumpkern/scheduler.c: revision 1.28
rumpkern:
- Add subr_kcpuset.c and subr_pserialize.c modules.
- Add kcpuset_{running,attached} for RUMP env.
NPF:
- Rename some functions for consistency and de-inline them.
- Fix few invalid asserts (add regressoin test).
- Use pserialize(9) for ALG interface.
- Minor fixes, sprinkle many comments.
 1.10.4.1 03-Apr-2012  riz Pull up following revision(s) (requested by rmind in ticket #158):
sys/net/npf/npf_session.c: revision 1.12
sys/net/npf/npf_tableset.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.2
usr.sbin/npf/npfctl/npf_parse.y: revision 1.4
sys/net/npf/npf_inet.c: revision 1.11
sys/net/npf/npf.h: revision 1.15
usr.sbin/npf/npfctl/npf_build.c: revision 1.5
sys/net/npf/npf_ruleset.c: revision 1.11
sys/net/npf/npf_instr.c: revision 1.10
usr.sbin/npf/npfctl/Makefile: revision 1.6
sys/net/npf/npf_processor.c: revision 1.10
sys/net/npf/npf_log.c: revision 1.3
lib/libnpf/npf.h: revision 1.7
sys/net/npf/npf_alg.c: revision 1.3
sys/net/npf/npf_sendpkt.c: revision 1.9
lib/libnpf/npf.c: revision 1.8
usr.sbin/npf/npfctl/npfctl.h: revision 1.13
sys/net/npf/npf_ctl.c: revision 1.13
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.8
sys/net/npf/npf_ctl.c: revision 1.14
sys/net/npf/npf_nat.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.12
sys/net/npf/npf_impl.h: revision 1.11
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.1
sys/net/npf/npf_impl.h: revision 1.12
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.2
sys/net/npf/npf_handler.c: revision 1.14
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.3
sys/net/npf/npf_handler.c: revision 1.15
sys/net/npf/npf_ncode.h: revision 1.6
sys/net/npf/npf.c: revision 1.8
sys/net/npf/npf.c: revision 1.9
sys/net/npf/npf_alg_icmp.c: revision 1.9
sys/net/npf/npf_session.c: revision 1.11
- Add NPF_DECISION_BLOCK and NPF_DECISION_PASS. Be more defensive in the
packet handler. Change the default policy to block when the config is
loaded and set it to pass when flush operation is performed.
- Use kmem_zalloc(9) instead of kmem_alloc(9) in few places.
- npf_rproc_{create,release}: use kmem_intr_{alloc,free} as the destruction
of rule procedure might happen in the interrupt handler (under a very rare
condition, if config reload races with the handler).
- npf_session_establish: check whether layer 3 and 4 are cached.
- npfctl_build_group: do not make groups as passing rules.
- Remove some unecessary header inclusion.
Simplify slightly: merge iface into addr_or_iface, use it in filt_addr.
Add a small disassembler.
definitions used by the disassembler.
- better printing of type/code flags/mask
- pass the instruction start pointer, instead of subtracting 1 to account for it
- Save active config in proplib dictionary; add GETCONF ioctl to retrieve.
- Few fixes. Improve some comments.
don't leak the branch target array.
Add NPF config retrieval routines.
 1.10.4.9.2.1 17-Nov-2013  bouyer Pull up following revision(s) (requested by rmind in ticket #985):
sys/net/npf/npf_impl.h: revision 1.35
sys/net/npf/npf_nat.c: revision 1.21
sys/net/npf/npf_session.c: revision 1.26
npf_session_setnat: fix the race condition when the old connection is still
being expired while a new/duplicate is being created.
 1.10.2.2 05-Apr-2012  mrg sync to latest -current.
 1.10.2.1 24-Feb-2012  mrg sync to -current.
 1.17.2.4 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.17.2.3 23-Jun-2013  tls resync from head
 1.17.2.2 25-Feb-2013  tls resync with head
 1.17.2.1 20-Nov-2012  tls Resync to 2012-11-19 00:00:00 UTC
 1.24.2.1 18-May-2014  rmind sync with head
 1.31.2.1 10-Aug-2014  tls Rebase.
 1.4 03-Oct-2025  joe hold locks in socket access in npf PR kern/59681
 1.3 02-Jun-2025  joe branches: 1.3.2; 1.3.4;
fix build for non-INET6 kernels : martin@
 1.2 02-Jun-2025  joe remove headers from INET6 options: martin@
 1.1 01-Jun-2025  joe kernel: extract rules, lookup socket, process filtering, reviews by christos@
 1.3.4.2 02-Aug-2025  perseant Sync with HEAD
 1.3.4.1 02-Jun-2025  perseant file npf_socket.c was added on branch perseant-exfatfs on 2025-08-02 05:57:48 +0000
 1.3.2.1 13-Oct-2025  martin Pull up following revision(s) (requested by joe in ticket #52):

sys/net/npf/npf_socket.c: revision 1.4

hold locks in socket access in npf PR kern/59681
 1.23 30-May-2020  rmind Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.

- Amend and improve the manual pages.
 1.22 23-Jul-2019  rmind branches: 1.22.2;
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.
 1.21 29-Oct-2018  christos We need to have rump tests work in two modes:

1. npf unit tests. In this case only the npf subsystem is created
and dictionaries are passed directly.
2. kernel system tests (like the ipsec natt test). In this case, npf is
instantiated regularly as part of the kernel and dictionaries are
passed via ioctl.

We differentiate between the two cases by checking the "mbufops" member
which is NULL, regularly and non-NULL in the npf unit tests. Previously
this was done using an ifdef which obviously can't work for both cases.
 1.20 26-Oct-2018  christos enable the sampling function for _NPF_RUMP
 1.19 29-Sep-2018  rmind NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.
 1.18 26-Dec-2016  christos branches: 1.18.14; 1.18.16;
Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)
 1.17 20-Jul-2014  rmind branches: 1.17.4; 1.17.8;
NPF: add nbuf_t * into npf_cache_t and remove unnecessary carrying by argument.
 1.16 19-Jul-2014  rmind NPF: partially rewrite the connection tracking mechanism:
- Separate the tracking interface from the storage (state table)
and thus prepare to use a new data structure for the storage.
- Fix some race conditions in NAT association logic.
 1.15 04-Nov-2013  rmind branches: 1.15.2;
npf_generic_fsm and npf_tcp_fsm: use uint8_t and make the arrays more dense.
 1.14 09-Feb-2013  rmind branches: 1.14.2;
NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
 1.13 24-Dec-2012  rmind - Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.
 1.12 15-Aug-2012  rmind branches: 1.12.2;
Add npf_state_setsampler() for _NPF_TESTING case. This also fixes the build.
 1.11 12-Aug-2012  rmind - Extend npftest: add ruleset inspection testing from the config generated
by npfctl debug functionality. Auto-create npftest interfaces for this.
- NPF sessions: combine protocol and interface into a separate substructure,
share between the entries and thus fix the handling of them. Constify.
- npftest: add regression tests for NAT policies.
- npf_build_nat: simplify and fix bi-NAT regression.
- Bump yacc stack size for npfctl.
 1.10 21-Jul-2012  rmind - npf_fetch_tcpopts: fix off-by-one when validating TCP option length
against the maximum allowed.
- npf_tcp_inwindow: be more liberal with npf_fetch_tcpopts().
- Few minor improvements to npftest.
 1.9 01-Jul-2012  rmind NPF improvements:
- Add NPF_OPCODE_PROTO to match the address and/or protocol only.
- Update parser to support arbitrary "pass proto <name/number>".
- Fix IPv6 address and protocol handling (add a regression test).
- Fix few theorethical races in session handling module.
- Misc fixes, simplifications and some clean up.
 1.8 22-Jun-2012  rmind NPF:
- Rename some functions for consistency and de-inline them.
- Fix few invalid asserts (add regressoin test).
- Use pserialize(9) for ALG interface.
- Minor fixes, sprinkle many comments.
 1.7 30-May-2012  rmind npftest: add a stream processor, which prints out the TCP state information.
A tool for debugging connection tracking from tcpdump -w captured data.
 1.6 29-Nov-2011  rmind branches: 1.6.2; 1.6.4;
- Rework and improve TCP state tracking.
- Fix regressions after IPv6 patch merge.

Note: npfctl(8) rework will come soon.
 1.5 04-Nov-2011  zoltan Add IPv6 support for NPF.
 1.4 25-Apr-2011  yamt branches: 1.4.4;
fix module build
 1.3 18-Jan-2011  rmind branches: 1.3.4;
NPF checkpoint:
- Add the concept of rule procedure: separate normalization, logging and
potentially other functions from the rule structure. Rule procedure can be
shared amongst the rules. Separation is both at kernel level (npf_rproc_t)
and configuration ("procedure" + "apply").
- Fix portmap sharing for NAT policy.
- Update TCP state tracking logic. Use TCP FSM definitions.
- Add if_byindex(), OK by matt@. Use in logging for the lookup.
- Fix traceroute ALG and many other bugs; misc clean-up.
 1.2 18-Dec-2010  rmind branches: 1.2.2;
NPF checkpoint:
- Add support for session saving/restoring.
- Add packet logging support (can tcpdump a pseudo-interface).
- Support reload without flushing of sessions; rework some locking.
- Revisit session mangement, replace linking with npf_sentry_t entries.
- Add some counters for statistics, using percpu(9).
- Add IP_DF flag cleansing.
- Fix various bugs; misc clean-up.
 1.1 11-Nov-2010  rmind NPF checkpoint:
- Add proper TCP state tracking as described in Guido van Rooij paper,
plus handle TCP Window Scaling option.
- Completely rework npf_cache_t, reduce granularity, simplify code.
- Add npf_addr_t as an abstraction, amend session handling code, as well
as NAT code et al, to use it. Now design is prepared for IPv6 support.
- Handle IPv4 fragments i.e. perform packet reassembly.
- Add support for IPv4 ID randomization and minimum TTL enforcement.
- Add support for TCP MSS "clamping".
- Random bits for IPv6. Various fixes and clean-up.
 1.2.2.1 06-Jun-2011  jruoho Sync with HEAD.
 1.3.4.3 31-May-2011  rmind sync with head
 1.3.4.2 05-Mar-2011  rmind sync with head
 1.3.4.1 18-Jan-2011  rmind file npf_state.c was added on branch rmind-uvmplock on 2011-03-05 20:55:56 +0000
 1.4.4.5 22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.4.4.4 23-Jan-2013  yamt sync with head
 1.4.4.3 30-Oct-2012  yamt sync with head
 1.4.4.2 17-Apr-2012  yamt sync with head
 1.4.4.1 10-Nov-2011  yamt sync with head
 1.6.4.8 11-Feb-2013  riz Pull up following revision(s) (requested by rmind in ticket #817):
usr.sbin/npf/npfctl/npfctl.8: revision 1.12
usr.sbin/npf/npfctl/npf.conf.5: revision 1.27
usr.sbin/npf/npfctl/npf_parse.y: revision 1.18
usr.sbin/npf/npfctl/npf_build.c: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.28
lib/libnpf/npf.c: revision 1.16
usr.sbin/npf/npfctl/npfctl.c: revision 1.29
lib/libnpf/npf.c: revision 1.17
sys/modules/npf/Makefile: revision 1.12
sys/net/npf/npf_rproc.c: revision 1.6
usr.sbin/npf/npftest/README: revision 1.4
sys/net/npf/npf_tableset.c: revision 1.17
sys/net/npf/npf_ctl.c: revision 1.21
sys/net/npf/npf_ctl.c: revision 1.22
usr.sbin/npf/npfctl/npfctl.h: revision 1.25
lib/libnpf/npf.h: revision 1.13
usr.sbin/npf/npftest/npftest.conf: revision 1.2
usr.sbin/npf/npfctl/npfctl.h: revision 1.26
sys/net/npf/npf_ruleset.c: revision 1.17
lib/libnpf/npf.h: revision 1.14
sys/net/npf/npf_ruleset.c: revision 1.18
sys/net/npf/npf_conf.c: revision 1.1
usr.sbin/npf/npfctl/npf_scan.l: revision 1.10
sys/net/npf/npf_conf.c: revision 1.2
sys/net/npf/npf_instr.c: revision 1.16
sys/net/npf/npf_handler.c: revision 1.26
sys/net/npf/npf_impl.h: revision 1.26
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.14
sys/net/npf/npf_processor.c: revision 1.15
sys/net/npf/npf_impl.h: revision 1.27
sys/net/npf/npf_alg_icmp.c: revision 1.15
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.15
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.16
sys/net/npf/npf_ncode.h: revision 1.11
sys/net/npf/files.npf: revision 1.10
usr.sbin/npf/npftest/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.c: revision 1.30
lib/libnpf/npf.3: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.4
sys/net/npf/npf_session.c: revision 1.21
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.5
usr.sbin/npf/npfctl/npf_build.c: revision 1.18
usr.sbin/npf/npfctl/npf_build.c: revision 1.19
sys/net/npf/npf_alg.c: revision 1.7
usr.sbin/npf/npfctl/Makefile: revision 1.10
sys/net/npf/npf_inet.c: revision 1.21
sys/net/npf/npf.h: revision 1.26
sys/net/npf/npf.h: revision 1.27
usr.sbin/pf/ftp-proxy/Makefile: revision 1.8
sys/net/npf/npf_nat.c: revision 1.19
sys/net/npf/npf.c: revision 1.15
sys/net/npf/npf_state.c: revision 1.14
sys/net/npf/npf_sendpkt.c: revision 1.14
sys/rump/net/lib/libnpf/Makefile: revision 1.4
IPv6 linklocal address printing cosmetics
NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
Disable -DWITH_NPF for now; will be converted to BPF mechanism.
- Fix NPF config reload with dynamic rules present.
- Implement list and flush commands on a dynamic ruleset.
Allow filtering on IP addresses even if the L4 protocol is unknown.
Patch from spz@.
npftest: adjust for recent change.
 1.6.4.7 08-Feb-2013  riz Pull up following revision(s) (requested by rmind in ticket #777):
usr.sbin/npf/npfctl/npfctl.c: revision 1.27
sys/net/npf/npf_session.c: revision 1.19
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.4
sys/net/npf/npf_rproc.c: revision 1.5
usr.sbin/npf/npftest/README: revision 1.3
sys/sys/mbuf.h: revision 1.151
sys/net/npf/npf_ruleset.c: revision 1.15
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.3
sys/net/npf/npf_ruleset.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.4
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.4
sys/net/npf/npf_inet.c: revision 1.19
sys/net/npf/npf_instr.c: revision 1.15
sys/net/npf/npf_handler.c: revision 1.24
sys/net/npf/npf_handler.c: revision 1.25
sys/net/npf/npf_state_tcp.c: revision 1.12
sys/net/npf/npf_processor.c: revision 1.13
sys/net/npf/npf_impl.h: revision 1.25
sys/net/npf/npf_processor.c: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.10
sys/net/npf/npf_alg_icmp.c: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.9
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.3
sys/net/npf/npf_session.c: revision 1.20
sys/net/npf/npf_alg.c: revision 1.6
sys/kern/uipc_mbuf.c: revision 1.148
sys/net/npf/npf_inet.c: revision 1.20
sys/net/npf/npf.h: revision 1.25
sys/net/npf/npf_nat.c: revision 1.18
sys/net/npf/npf_state.c: revision 1.13
sys/net/npf/npf_sendpkt.c: revision 1.13
sys/net/npf/npf_ext_log.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.4
sys/net/npf/npf_ext_normalise.c: revision 1.2
- Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.
Silence gcc in npf_recache().
Add m_ensure_contig() routine, which is equivalent to m_pullup, but does not
destroy the mbuf chain on failure (it is kept valid).
- nbuf_ensure_contig: rework to use m_ensure_contig(9), which will not free
the mbuf chain on failure. Fixes some corner cases. Improve regression
test and sprinkle some asserts.
- npf_reassembly: clear nbuf on IPv6 reassembly failure path (partial fix).
The problem was found and fix provided by Anthony Mallet.
 1.6.4.6 18-Nov-2012  riz Pull up following revision(s) (requested by rmind in ticket #678):
sys/rump/librump/rumpkern/rump.c: revision 1.243
sys/rump/librump/rumpkern/rump.c: revision 1.244
sys/rump/librump/rumpkern/rump.c: revision 1.245
sys/rump/librump/rumpkern/rump.c: revision 1.246
usr.sbin/npf/npftest/npftest.c: revision 1.5
usr.sbin/npf/npftest/README: revision 1.2
usr.sbin/npf/npftest/npftest.h: revision 1.5
sys/rump/net/Makefile.rumpnetcomp: revision 1.5
sys/rump/net/lib/libnpf/shlib_version: revision 1.1
sys/net/npf/npf_impl.h: revision 1.22
sys/rump/dev/lib/libnpf/Makefile: file removal
usr.sbin/npf/npftest/Makefile: revision 1.3
sys/rump/dev/lib/libnpf/component.c: file removal
sys/rump/dev/lib/libnpf/shlib_version: file removal
sys/net/npf/npf_state.c: revision 1.12
sys/rump/net/lib/libnpf/component.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.4
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.6
sys/rump/net/lib/libnpf/Makefile: revision 1.1
Move and rename librumpdev_npf to librumpnet_npf.
Enable the build of librumpnet_npf.
Add npf_state_setsampler() for _NPF_TESTING case. This also fixes the build.
Call pserialize_init() during rump start-up, since librump/net/npf
uses it.
It helps to include the declaration of the routine being called.
We also need kcpuset_init() now.
Use correct routine name - kcpuset_sysinit() vs kcpuset_init()
 1.6.4.5 13-Aug-2012  riz Pull up following revision(s) (requested by rmind in ticket #485):
lib/libnpf/npf.c: revision 1.11
sys/net/npf/npf_session.c: revision 1.17
sys/modules/npf/Makefile: revision 1.10
usr.sbin/npf/npftest/npftest.c: revision 1.4
usr.sbin/npf/npftest/README: revision 1.1
sys/net/npf/npf_tableset.c: revision 1.14
usr.sbin/npf/npftest/npftest.h: revision 1.4
lib/libnpf/npf.h: revision 1.10
sys/net/npf/npf_ruleset.c: revision 1.14
usr.sbin/npf/npfctl/npf_data.c: revision 1.18
usr.sbin/npf/npftest/npftest.conf: revision 1.1
sys/net/npf/npf_handler.c: revision 1.21
sys/net/npf/npf_impl.h: revision 1.21
usr.sbin/npf/npfctl/npfctl.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_build.c: revision 1.13
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.1
usr.sbin/npf/npftest/npfstream.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.h: revision 1.19
sys/net/npf/npf_nat.c: revision 1.16
sys/net/npf/npf_state.c: revision 1.11
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.5
usr.sbin/npf/npfctl/npf_parse.y: revision 1.12
- Extend npftest: add ruleset inspection testing from the config generated
by npfctl debug functionality. Auto-create npftest interfaces for this.
- NPF sessions: combine protocol and interface into a separate substructure,
share between the entries and thus fix the handling of them. Constify.
- npftest: add regression tests for NAT policies.
- npf_build_nat: simplify and fix bi-NAT regression.
- Bump yacc stack size for npfctl.
 1.6.4.4 25-Jul-2012  jdc Pull up revisions:
src/usr.sbin/npf/npfctl/npfctl.c revisions 1.16,1.17
src/sys/net/npf/npf.h revision 1.20
src/sys/net/npf/npf_alg_icmp.c revision 1.11
src/sys/net/npf/npf_impl.h revision 1.19
src/sys/net/npf/npf_inet.c revisions 1.15,1.16
src/sys/net/npf/npf_instr.c revision 1.14
src/sys/net/npf/npf_ncode.h revision 1.10
src/sys/net/npf/npf_processor.c revision 1.12
src/sys/net/npf/npf_session.c revision 1.16
src/usr.sbin/npf/npfctl/npf_build.c revision 1.12
src/usr.sbin/npf/npfctl/npf_data.c revisions 1.16,1.17
src/usr.sbin/npf/npfctl/npf_disassemble.c revision 1.8
src/usr.sbin/npf/npfctl/npf_ncgen.c revision 1.13
src/usr.sbin/npf/npfctl/npf_parse.y revision 1.11
src/usr.sbin/npf/npfctl/npf_scan.l revision 1.5
src/usr.sbin/npf/npfctl/npf_var.h revision 1.3
src/usr.sbin/npf/npfctl/npfctl.h revision 1.18
src/sys/net/npf/npf_state.c revision 1.10
src/sys/net/npf/npf_state_tcp.c revision 1.10
src/usr.sbin/npf/npftest/npfstream.c revision 1.2
src/usr.sbin/npf/npftest/libnpftest/npf_test_subr.c revision 1.2
(requested by rmind in ticket #435).

Add missing __dead.

teach npf ipv6-icmp
reviewed by rmind@

- npfctl_print_stats: beautification a la French style.
- npfctl_icmpcode: fix the build break.

- npf_fetch_tcpopts: fix off-by-one when validating TCP option length
against the maximum allowed.
- npf_tcp_inwindow: be more liberal with npf_fetch_tcpopts().
- Few minor improvements to npftest.
 1.6.4.3 05-Jul-2012  riz Pull up following revision(s) (requested by rmind in ticket #399):
sys/net/npf/npf_session.c: revision 1.14
sys/net/npf/npf_tableset.c: revision 1.12
sys/net/npf/npf_state_tcp.c: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.3
usr.sbin/npf/npfctl/npf_data.c: revision 1.14
sys/net/npf/npf_inet.c: revision 1.13
sys/net/npf/npf_ruleset.c: revision 1.12
sys/net/npf/npf.h: revision 1.18
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.8: revision 1.7
usr.sbin/npf/npfctl/npf_parse.y: revision 1.9
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.2
usr.sbin/npf/npfctl/npfctl.8: revision 1.8
sys/net/npf/npf_instr.c: revision 1.12
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.3
usr.sbin/npf/npfctl/npf.conf.5: revision 1.13
usr.sbin/npf/npfctl/npf.conf.5: revision 1.14
sys/net/npf/npf_state.c: revision 1.9
sys/net/npf/npf_processor.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.c: revision 1.13
usr.sbin/npf/npfctl/npfctl.c: revision 1.14
usr.sbin/npf/npfctl/npf_build.c: revision 1.10
lib/libnpf/npf.3: revision 1.5
lib/libnpf/npf.h: revision 1.8
share/man/man9/npf_ncode.9: revision 1.9
usr.sbin/npf/npfctl/npf_scan.l: revision 1.4
lib/libnpf/npf.c: revision 1.9
usr.sbin/npf/npfctl/npfctl.h: revision 1.16
sys/net/npf/npf_nat.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.2
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.6
sys/net/npf/npf_impl.h: revision 1.17
sys/net/npf/npf_handler.c: revision 1.18
sys/net/npf/npf_handler.c: revision 1.19
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.4
sys/net/npf/npf_ncode.h: revision 1.9
Fix and update npf.conf(5), npfctl(8) and its usage message.
npf_state_tcp: fix for FIN retransmission and out-of-order ACK case.
NPF improvements:
- Add NPF_OPCODE_PROTO to match the address and/or protocol only.
- Update parser to support arbitrary &quot;pass proto &lt;name/number&gt;&quot;.
- Fix IPv6 address and protocol handling (add a regression test).
- Fix few theorethical races in session handling module.
- Misc fixes, simplifications and some clean up.
npf_packet_handler: fix gcc unused warning.
 1.6.4.2 26-Jun-2012  riz Pull up following revision(s) (requested by rmind in ticket #365):
sys/rump/librump/rumpkern/rumpcpu_generic.c: revision 1.4
sys/net/npf/npf_session.c: revision 1.13
sys/net/npf/npf_tableset.c: revision 1.11
sys/net/npf/npf_state_tcp.c: revision 1.7
sys/net/npf/npf_inet.c: revision 1.12
sys/net/npf/npf.h: revision 1.17
sys/net/npf/npf_instr.c: revision 1.11
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.2
sys/net/npf/npf_state.c: revision 1.8
sys/net/npf/npf_log.c: revision 1.4
sys/net/npf/npf_alg.c: revision 1.4
sys/rump/librump/rumpkern/Makefile.rumpkern: revision 1.118
sys/net/npf/npf_nat.c: revision 1.13
sys/net/npf/npf.c: revision 1.11
sys/net/npf/npf_sendpkt.c: revision 1.11
sys/net/npf/npf_impl.h: revision 1.16
sys/rump/librump/rumpkern/scheduler.c: revision 1.28
rumpkern:
- Add subr_kcpuset.c and subr_pserialize.c modules.
- Add kcpuset_{running,attached} for RUMP env.
NPF:
- Rename some functions for consistency and de-inline them.
- Fix few invalid asserts (add regressoin test).
- Use pserialize(9) for ALG interface.
- Minor fixes, sprinkle many comments.
 1.6.4.1 26-Jun-2012  riz Pull up following revision(s) (requested by rmind in ticket #354):
sys/net/npf/npf_state_tcp.c: revision 1.4
sys/net/npf/npf_state_tcp.c: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.6
usr.sbin/npf/npftest/npftest.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.1
usr.sbin/npf/npftest/npftest.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.2
usr.sbin/npf/npfctl/npf_data.c: revision 1.11
usr.sbin/npf/npftest/npftest.c: revision 1.3
usr.sbin/npf/npfctl/npf_data.c: revision 1.12
usr.sbin/npf/npftest/npftest.h: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.5
usr.sbin/npf/npfctl/npf_data.c: revision 1.13
sys/net/npf/npf.h: revision 1.16
usr.sbin/npf/npftest/npftest.h: revision 1.2
usr.sbin/npf/npfctl/npf_parse.y: revision 1.6
usr.sbin/npf/npftest/npftest.h: revision 1.3
usr.sbin/npf/npfctl/npf_parse.y: revision 1.7
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.10
usr.sbin/npf/npfctl/npf_build.c: revision 1.6
usr.sbin/npf/npfctl/npf_parse.y: revision 1.8
usr.sbin/npf/npfctl/npf_build.c: revision 1.7
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_build.c: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_build.c: revision 1.9
usr.sbin/npf/npfctl/npf.conf.5: revision 1.10
usr.sbin/npf/npfctl/npf.conf.5: revision 1.11
usr.sbin/npf/npfctl/npf.conf.5: revision 1.12
sys/net/npf/npf_state.c: revision 1.7
usr.sbin/npf/npfctl/npfctl.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.c: revision 1.12
usr.sbin/npf/npfctl/Makefile: revision 1.7
sys/rump/net/lib/libnet/Makefile: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.7
usr.sbin/npf/npftest/Makefile: revision 1.1
usr.sbin/npf/npftest/Makefile: revision 1.2
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.1
usr.sbin/npf/npfctl/npf_scan.l: revision 1.2
usr.sbin/npf/npftest/npfstream.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.2
usr.sbin/npf/npfctl/npf_scan.l: revision 1.3
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.3
usr.sbin/npf/npfctl/npfctl.h: revision 1.12
sys/rump/dev/lib/libnpf/Makefile: revision 1.2
usr.sbin/npf/npfctl/npfctl.h: revision 1.14
sys/rump/dev/lib/libnpf/Makefile: revision 1.3
usr.sbin/npf/npfctl/npfctl.h: revision 1.15
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.9
sys/net/npf/npf_ctl.c: revision 1.15
usr.sbin/npf/npfctl/npf_var.c: revision 1.4
usr.sbin/npf/npfctl/npf_var.h: revision 1.2
usr.sbin/npf/npfctl/npf_var.c: revision 1.5
sys/net/npf/npf_impl.h: revision 1.13
sys/net/npf/npf_sendpkt.c: revision 1.10
sys/net/npf/npf_impl.h: revision 1.14
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.4
sys/net/npf/npf_impl.h: revision 1.15
sys/net/npf/npf_handler.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.5
sys/net/npf/npf_handler.c: revision 1.17
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.2
sys/net/npf/npf_ncode.h: revision 1.7
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.3
sys/net/npf/npf_ncode.h: revision 1.8
npf_tcp_inwindow: in a case of negative skew, bump the maximum seen value of
SEQ+LEN in the receiver's side correctly (using ACK from the sender's side).
PR/46265 from Changli Gao.
rumpnet_net: add pfil.c
Update rumpdev_npf; use WARNS=4.
Add initial NPF regression tests integrated with RUMP framework (running the
kernel part of NPF in userland). Other tests will be added once converted to
RUMP framework. All tests are in the public domain.
Some Makefile fixes from christos@.
- Fix double-free case on ICMP return case.
- npf_pfil_register: handle kernels without INET6 option correctly.
- Reduce some #ifdefs.
npfctl(8): add show-config command. Also, update syntax.
npftest: add a stream processor, which prints out the TCP state information.
A tool for debugging connection tracking from tcpdump -w captured data.
npftest: add a module for TCP state tracking and add few test cases.
npf_state_tcp: add an assert; fix some comments while here.
- Rework NPF NAT syntax to be more structured and support future additions
of different types and configurations of NAT.
- npfctl: improve disassemble and show-config command functionality.
- Fix custom ICMP code and type filtering.
make this compile again.
remove error(1) output
Remove superfluous Pp
- make each element of a variable hold a type
- change get_type to take an index, so we can get the individual types of
each element (since primitive elements can be in lists)
- make port_range primitive
- add a routine to convert a variable of primitives to a variable containing
- only port ranges.
remove extra rule that got merged...
 1.6.2.1 02-Jun-2012  mrg sync to latest -current.
 1.12.2.3 03-Dec-2017  jdolecek update from HEAD
 1.12.2.2 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.12.2.1 25-Feb-2013  tls resync with head
 1.14.2.1 18-May-2014  rmind sync with head
 1.15.2.1 10-Aug-2014  tls Rebase.
 1.17.8.1 07-Jan-2017  pgoyette Sync with HEAD. (Note that most of these changes are simply $NetBSD$
tag issues.)
 1.17.4.1 05-Feb-2017  skrll Sync with HEAD
 1.18.16.2 13-Apr-2020  martin Mostly merge changes from HEAD upto 20200411
 1.18.16.1 10-Jun-2019  christos Sync with HEAD
 1.18.14.2 26-Nov-2018  pgoyette Sync with HEAD, resolve a couple of conflicts
 1.18.14.1 30-Sep-2018  pgoyette Ssync with HEAD
 1.22.2.1 20-Jun-2020  martin Pull up following revision(s) (requested by rmind in ticket #956):

usr.sbin/npf/npf-params.7: revision 1.4
sys/net/npf/npf_worker.c: revision 1.9
usr.sbin/npf/npftest/npftest.h: revision 1.17
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.16
usr.sbin/npf/npf-params.7: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.21
usr.sbin/npf/npfctl/npf_build.c: revision 1.55
usr.sbin/npf/npf-params.7: revision 1.6
sys/net/npf/npfkern.h: revision 1.5
lib/libnpf/npf.c: revision 1.49
usr.sbin/npf/npf-params.7: revision 1.7
sys/net/npf/npf_impl.h: revision 1.81
sys/net/npf/npf_ext_log.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.h: revision 1.53
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.50
sys/net/npf/npf_mbuf.c: revision 1.24
sys/net/npf/npf_alg.c: revision 1.22
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: file removal
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.10
sys/net/npf/npf.h: revision 1.63
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.21
usr.sbin/npf/npfctl/npf_var.c: revision 1.13
sys/net/npf/files.npf: revision 1.23
usr.sbin/npf/npfctl/npf_show.c: revision 1.32
usr.sbin/npf/npfctl/npf.conf.5: revision 1.91
sys/net/npf/npf_os.c: revision 1.18
sys/net/npf/npf_connkey.c: revision 1.2
sys/net/npf/npf_conf.c: revision 1.17
lib/libnpf/libnpf.3: revision 1.12
usr.sbin/npf/npftest/npftest.c: revision 1.25
usr.sbin/npf/npftest/libnpftest/npf_gc_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.51
sys/net/npf/npf_tableset.c: revision 1.35
usr.sbin/npf/npftest/npftest.conf: revision 1.9
sys/net/npf/npf_sendpkt.c: revision 1.22
usr.sbin/npf/npfctl/npf_var.h: revision 1.10
sys/net/npf/npf_state.c: revision 1.23
sys/net/npf/npf_conn.h: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.64
usr.sbin/npf/npfctl/npf_cmd.c: revision 1.1
sys/net/npf/npf_portmap.c: revision 1.5
sys/net/npf/npf_params.c: revision 1.3
usr.sbin/npf/npfctl/npf_scan.l: revision 1.32
tests/net/npf/t_npf.sh: revision 1.4
sys/net/npf/npf_ext_rndblock.c: revision 1.9
lib/libnpf/npf.h: revision 1.39
sys/net/npf/npf_ruleset.c: revision 1.51
sys/net/npf/npf_alg_icmp.c: revision 1.33
sys/net/npf/npf.c: revision 1.43
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.8: revision 1.25
sys/net/npf/npf_ctl.c: revision 1.60
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.11
sys/net/npf/npf_handler.c: revision 1.49
sys/net/npf/npf_inet.c: revision 1.57
sys/net/npf/npf_ifaddr.c: revision 1.7
sys/net/npf/npf_conndb.c: revision 1.9
sys/net/npf/npf_if.c: revision 1.13
usr.sbin/npf/npfctl/Makefile: revision 1.15
sys/net/npf/npf_conn.c: revision 1.32
sys/net/npf/npf_ext_normalize.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.20
sys/net/npf/npf_worker.c: revision 1.8

Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.

npf_worker_sys{init,fini}: initialize/destroy the exit_cv condvar.

npftest -- npf_test_init(): add a workaround for NetBSD.

npf-params(7): fix the state.key defaults.

npf-params.7: s/filer/filter/

Adjust to "npfctl debug" command line changes, from rmind@.

Use more markup.
 1.21 30-May-2020  rmind Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.

- Amend and improve the manual pages.
 1.20 23-Jul-2019  rmind branches: 1.20.2;
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.
 1.19 29-Sep-2018  rmind NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.
 1.18 26-Dec-2016  rmind branches: 1.18.14; 1.18.16;
npf_tcp_fsm: fix for the NPF_TCPS_SYN_RECEIVED state.

SYN re-transmission after SYN-ACK was seen by NPF should not terminate
the connection. Thanks to: Alexander Kiselev <kiselev99 at gmail com>
 1.17 26-Dec-2016  christos Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)
 1.16 25-Jul-2014  rmind branches: 1.16.4; 1.16.8;
npf_tcp_inwindow: enable strict RST check by default.
 1.15 20-Jul-2014  rmind NPF: add nbuf_t * into npf_cache_t and remove unnecessary carrying by argument.
 1.14 19-Jul-2014  rmind NPF: partially rewrite the connection tracking mechanism:
- Separate the tracking interface from the storage (state table)
and thus prepare to use a new data structure for the storage.
- Fix some race conditions in NAT association logic.
 1.13 04-Nov-2013  rmind branches: 1.13.2;
npf_generic_fsm and npf_tcp_fsm: use uint8_t and make the arrays more dense.
 1.12 24-Dec-2012  rmind branches: 1.12.2;
- Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.
 1.11 06-Oct-2012  rmind npf_tcp_inwindow: inspect the sequence numbers even if the packet contains no
data, fixing up only the RST to the initial SYN. This makes off-path attacks
more difficult. For the reference, see "Reflection Scan: an Off-Path Attack
on TCP" by Jan Wrobel.
 1.10 21-Jul-2012  rmind branches: 1.10.2;
- npf_fetch_tcpopts: fix off-by-one when validating TCP option length
against the maximum allowed.
- npf_tcp_inwindow: be more liberal with npf_fetch_tcpopts().
- Few minor improvements to npftest.
 1.9 15-Jul-2012  rmind - Rework NPF tables and fix support for IPv6. Implement tree table type
using radix / Patricia tree. Universal IPv4/IPv6 comparator for ptree(3)
was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.
 1.8 01-Jul-2012  rmind npf_state_tcp: fix for FIN retransmission and out-of-order ACK case.
 1.7 22-Jun-2012  rmind NPF:
- Rename some functions for consistency and de-inline them.
- Fix few invalid asserts (add regressoin test).
- Use pserialize(9) for ALG interface.
- Minor fixes, sprinkle many comments.
 1.6 05-Jun-2012  rmind npf_state_tcp: add an assert; fix some comments while here.
 1.5 30-May-2012  rmind npftest: add a stream processor, which prints out the TCP state information.
A tool for debugging connection tracking from tcpdump -w captured data.
 1.4 03-Apr-2012  rmind branches: 1.4.2;
npf_tcp_inwindow: in a case of negative skew, bump the maximum seen value of
SEQ+LEN in the receiver's side correctly (using ACK from the sender's side).

PR/46265 from Changli Gao.
 1.3 08-Dec-2011  rmind branches: 1.3.2;
- Explain the magic in npf_tcpfl2case().
- Use __unused instead of (void)cast; fix comment.
 1.2 05-Dec-2011  rmind - Add npf_tcpfl2case() and make TCP state table more compact.
- Adjust the state for FIN case on sim-SYN and SYN-RECEIVED.
 1.1 29-Nov-2011  rmind branches: 1.1.2;
- Rework and improve TCP state tracking.
- Fix regressions after IPv6 patch merge.

Note: npfctl(8) rework will come soon.
 1.1.2.3 02-Jun-2012  mrg sync to latest -current.
 1.1.2.2 05-Apr-2012  mrg sync to latest -current.
 1.1.2.1 18-Feb-2012  mrg merge to -current.
 1.3.2.7 08-Feb-2013  riz Pull up following revision(s) (requested by rmind in ticket #777):
usr.sbin/npf/npfctl/npfctl.c: revision 1.27
sys/net/npf/npf_session.c: revision 1.19
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.4
sys/net/npf/npf_rproc.c: revision 1.5
usr.sbin/npf/npftest/README: revision 1.3
sys/sys/mbuf.h: revision 1.151
sys/net/npf/npf_ruleset.c: revision 1.15
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.3
sys/net/npf/npf_ruleset.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.4
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.4
sys/net/npf/npf_inet.c: revision 1.19
sys/net/npf/npf_instr.c: revision 1.15
sys/net/npf/npf_handler.c: revision 1.24
sys/net/npf/npf_handler.c: revision 1.25
sys/net/npf/npf_state_tcp.c: revision 1.12
sys/net/npf/npf_processor.c: revision 1.13
sys/net/npf/npf_impl.h: revision 1.25
sys/net/npf/npf_processor.c: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.10
sys/net/npf/npf_alg_icmp.c: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.9
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.3
sys/net/npf/npf_session.c: revision 1.20
sys/net/npf/npf_alg.c: revision 1.6
sys/kern/uipc_mbuf.c: revision 1.148
sys/net/npf/npf_inet.c: revision 1.20
sys/net/npf/npf.h: revision 1.25
sys/net/npf/npf_nat.c: revision 1.18
sys/net/npf/npf_state.c: revision 1.13
sys/net/npf/npf_sendpkt.c: revision 1.13
sys/net/npf/npf_ext_log.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.4
sys/net/npf/npf_ext_normalise.c: revision 1.2
- Rework NPF's nbuf interface: use advancing and ensuring as a main method.
Eliminate unnecessary copy and simplify. Adapt regression tests.
- Simplify ICMP ALG a little. While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.
Silence gcc in npf_recache().
Add m_ensure_contig() routine, which is equivalent to m_pullup, but does not
destroy the mbuf chain on failure (it is kept valid).
- nbuf_ensure_contig: rework to use m_ensure_contig(9), which will not free
the mbuf chain on failure. Fixes some corner cases. Improve regression
test and sprinkle some asserts.
- npf_reassembly: clear nbuf on IPv6 reassembly failure path (partial fix).
The problem was found and fix provided by Anthony Mallet.
 1.3.2.6 24-Nov-2012  riz Pull up following revision(s) (requested by rmind in ticket #702):
sys/net/npf/npf_tableset.c: revision 1.15
usr.sbin/npf/npfctl/npfctl.h: revision 1.21
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.6
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.10
sys/net/npf/npf_state_tcp.c: revision 1.11
sys/net/npf/npf_impl.h: revision 1.24
sys/net/npf/npf.h: revision 1.22
sys/net/npf/npf_ctl.c: revision 1.19
sys/net/npf/npf.c: revision 1.14
usr.sbin/npf/npfctl/npfctl.8: revision 1.10
usr.sbin/npf/npfctl/npfctl.c: revision 1.21
npf_tcp_inwindow: inspect the sequence numbers even if the packet contains no
data, fixing up only the RST to the initial SYN. This makes off-path attacks
more difficult. For the reference, see &quot;Reflection Scan: an Off-Path Attack
on TCP&quot; by Jan Wrobel.
Implement NPF table listing and preservation of entries on reload.
Bump the version.
npfctl(8): mention table listing.
 1.3.2.5 25-Jul-2012  jdc Pull up revisions:
src/usr.sbin/npf/npfctl/npfctl.c revisions 1.16,1.17
src/sys/net/npf/npf.h revision 1.20
src/sys/net/npf/npf_alg_icmp.c revision 1.11
src/sys/net/npf/npf_impl.h revision 1.19
src/sys/net/npf/npf_inet.c revisions 1.15,1.16
src/sys/net/npf/npf_instr.c revision 1.14
src/sys/net/npf/npf_ncode.h revision 1.10
src/sys/net/npf/npf_processor.c revision 1.12
src/sys/net/npf/npf_session.c revision 1.16
src/usr.sbin/npf/npfctl/npf_build.c revision 1.12
src/usr.sbin/npf/npfctl/npf_data.c revisions 1.16,1.17
src/usr.sbin/npf/npfctl/npf_disassemble.c revision 1.8
src/usr.sbin/npf/npfctl/npf_ncgen.c revision 1.13
src/usr.sbin/npf/npfctl/npf_parse.y revision 1.11
src/usr.sbin/npf/npfctl/npf_scan.l revision 1.5
src/usr.sbin/npf/npfctl/npf_var.h revision 1.3
src/usr.sbin/npf/npfctl/npfctl.h revision 1.18
src/sys/net/npf/npf_state.c revision 1.10
src/sys/net/npf/npf_state_tcp.c revision 1.10
src/usr.sbin/npf/npftest/npfstream.c revision 1.2
src/usr.sbin/npf/npftest/libnpftest/npf_test_subr.c revision 1.2
(requested by rmind in ticket #435).

Add missing __dead.

teach npf ipv6-icmp
reviewed by rmind@

- npfctl_print_stats: beautification a la French style.
- npfctl_icmpcode: fix the build break.

- npf_fetch_tcpopts: fix off-by-one when validating TCP option length
against the maximum allowed.
- npf_tcp_inwindow: be more liberal with npf_fetch_tcpopts().
- Few minor improvements to npftest.
 1.3.2.4 16-Jul-2012  riz Pull up following revision(s) (requested by rmind in ticket #421):
lib/libnpf/npf.c: revision 1.10
sys/net/npf/npf_session.c: revision 1.15
sys/net/npf/npf_tableset.c: revision 1.13
sys/net/npf/npf_state_tcp.c: revision 1.9
usr.sbin/npf/npfctl/npf_data.c: revision 1.15
sys/net/npf/npf_inet.c: revision 1.14
sys/net/npf/npf_ruleset.c: revision 1.13
sys/net/npf/npf.h: revision 1.19
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.12
sys/net/npf/npf_instr.c: revision 1.13
sys/net/npf/npf_handler.c: revision 1.20
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.4
sys/net/npf/npf_alg_icmp.c: revision 1.10
usr.sbin/npf/npfctl/npfctl.c: revision 1.15
usr.sbin/npf/npfctl/npf_build.c: revision 1.11
lib/libnpf/npf.h: revision 1.9
sys/net/npf/npf_alg.c: revision 1.5
sys/rump/dev/lib/libnpf/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.h: revision 1.17
sys/net/npf/npf_ctl.c: revision 1.16
sys/net/npf/npf_nat.c: revision 1.15
sys/net/npf/npf_tableset_ptree.c: revision 1.1
sys/net/npf/npf.c: revision 1.12
sys/net/npf/npf_sendpkt.c: revision 1.12
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.7
sys/net/npf/npf_impl.h: revision 1.18
sys/net/npf/files.npf: revision 1.7
usr.sbin/npf/npfctl/npf_parse.y: revision 1.10
- Rework NPF tables and fix support for IPv6. Implement tree table type
using radix / Patricia tree. Universal IPv4/IPv6 comparator for ptree(3)
was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.
 1.3.2.3 05-Jul-2012  riz Pull up following revision(s) (requested by rmind in ticket #399):
sys/net/npf/npf_session.c: revision 1.14
sys/net/npf/npf_tableset.c: revision 1.12
sys/net/npf/npf_state_tcp.c: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.3
usr.sbin/npf/npfctl/npf_data.c: revision 1.14
sys/net/npf/npf_inet.c: revision 1.13
sys/net/npf/npf_ruleset.c: revision 1.12
sys/net/npf/npf.h: revision 1.18
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.8: revision 1.7
usr.sbin/npf/npfctl/npf_parse.y: revision 1.9
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.2
usr.sbin/npf/npfctl/npfctl.8: revision 1.8
sys/net/npf/npf_instr.c: revision 1.12
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.3
usr.sbin/npf/npfctl/npf.conf.5: revision 1.13
usr.sbin/npf/npfctl/npf.conf.5: revision 1.14
sys/net/npf/npf_state.c: revision 1.9
sys/net/npf/npf_processor.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.c: revision 1.13
usr.sbin/npf/npfctl/npfctl.c: revision 1.14
usr.sbin/npf/npfctl/npf_build.c: revision 1.10
lib/libnpf/npf.3: revision 1.5
lib/libnpf/npf.h: revision 1.8
share/man/man9/npf_ncode.9: revision 1.9
usr.sbin/npf/npfctl/npf_scan.l: revision 1.4
lib/libnpf/npf.c: revision 1.9
usr.sbin/npf/npfctl/npfctl.h: revision 1.16
sys/net/npf/npf_nat.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.2
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.6
sys/net/npf/npf_impl.h: revision 1.17
sys/net/npf/npf_handler.c: revision 1.18
sys/net/npf/npf_handler.c: revision 1.19
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.4
sys/net/npf/npf_ncode.h: revision 1.9
Fix and update npf.conf(5), npfctl(8) and its usage message.
npf_state_tcp: fix for FIN retransmission and out-of-order ACK case.
NPF improvements:
- Add NPF_OPCODE_PROTO to match the address and/or protocol only.
- Update parser to support arbitrary &quot;pass proto &lt;name/number&gt;&quot;.
- Fix IPv6 address and protocol handling (add a regression test).
- Fix few theorethical races in session handling module.
- Misc fixes, simplifications and some clean up.
npf_packet_handler: fix gcc unused warning.
 1.3.2.2 26-Jun-2012  riz Pull up following revision(s) (requested by rmind in ticket #365):
sys/rump/librump/rumpkern/rumpcpu_generic.c: revision 1.4
sys/net/npf/npf_session.c: revision 1.13
sys/net/npf/npf_tableset.c: revision 1.11
sys/net/npf/npf_state_tcp.c: revision 1.7
sys/net/npf/npf_inet.c: revision 1.12
sys/net/npf/npf.h: revision 1.17
sys/net/npf/npf_instr.c: revision 1.11
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.2
sys/net/npf/npf_state.c: revision 1.8
sys/net/npf/npf_log.c: revision 1.4
sys/net/npf/npf_alg.c: revision 1.4
sys/rump/librump/rumpkern/Makefile.rumpkern: revision 1.118
sys/net/npf/npf_nat.c: revision 1.13
sys/net/npf/npf.c: revision 1.11
sys/net/npf/npf_sendpkt.c: revision 1.11
sys/net/npf/npf_impl.h: revision 1.16
sys/rump/librump/rumpkern/scheduler.c: revision 1.28
rumpkern:
- Add subr_kcpuset.c and subr_pserialize.c modules.
- Add kcpuset_{running,attached} for RUMP env.
NPF:
- Rename some functions for consistency and de-inline them.
- Fix few invalid asserts (add regressoin test).
- Use pserialize(9) for ALG interface.
- Minor fixes, sprinkle many comments.
 1.3.2.1 26-Jun-2012  riz Pull up following revision(s) (requested by rmind in ticket #354):
sys/net/npf/npf_state_tcp.c: revision 1.4
sys/net/npf/npf_state_tcp.c: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.6
usr.sbin/npf/npftest/npftest.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.1
usr.sbin/npf/npftest/npftest.c: revision 1.2
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.2
usr.sbin/npf/npfctl/npf_data.c: revision 1.11
usr.sbin/npf/npftest/npftest.c: revision 1.3
usr.sbin/npf/npfctl/npf_data.c: revision 1.12
usr.sbin/npf/npftest/npftest.h: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.5
usr.sbin/npf/npfctl/npf_data.c: revision 1.13
sys/net/npf/npf.h: revision 1.16
usr.sbin/npf/npftest/npftest.h: revision 1.2
usr.sbin/npf/npfctl/npf_parse.y: revision 1.6
usr.sbin/npf/npftest/npftest.h: revision 1.3
usr.sbin/npf/npfctl/npf_parse.y: revision 1.7
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.10
usr.sbin/npf/npfctl/npf_build.c: revision 1.6
usr.sbin/npf/npfctl/npf_parse.y: revision 1.8
usr.sbin/npf/npfctl/npf_build.c: revision 1.7
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_build.c: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_build.c: revision 1.9
usr.sbin/npf/npfctl/npf.conf.5: revision 1.10
usr.sbin/npf/npfctl/npf.conf.5: revision 1.11
usr.sbin/npf/npfctl/npf.conf.5: revision 1.12
sys/net/npf/npf_state.c: revision 1.7
usr.sbin/npf/npfctl/npfctl.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.c: revision 1.12
usr.sbin/npf/npfctl/Makefile: revision 1.7
sys/rump/net/lib/libnet/Makefile: revision 1.14
sys/net/npf/npf_mbuf.c: revision 1.7
usr.sbin/npf/npftest/Makefile: revision 1.1
usr.sbin/npf/npftest/Makefile: revision 1.2
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.1
usr.sbin/npf/npfctl/npf_scan.l: revision 1.2
usr.sbin/npf/npftest/npfstream.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.2
usr.sbin/npf/npfctl/npf_scan.l: revision 1.3
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.3
usr.sbin/npf/npfctl/npfctl.h: revision 1.12
sys/rump/dev/lib/libnpf/Makefile: revision 1.2
usr.sbin/npf/npfctl/npfctl.h: revision 1.14
sys/rump/dev/lib/libnpf/Makefile: revision 1.3
usr.sbin/npf/npfctl/npfctl.h: revision 1.15
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.9
sys/net/npf/npf_ctl.c: revision 1.15
usr.sbin/npf/npfctl/npf_var.c: revision 1.4
usr.sbin/npf/npfctl/npf_var.h: revision 1.2
usr.sbin/npf/npfctl/npf_var.c: revision 1.5
sys/net/npf/npf_impl.h: revision 1.13
sys/net/npf/npf_sendpkt.c: revision 1.10
sys/net/npf/npf_impl.h: revision 1.14
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.4
sys/net/npf/npf_impl.h: revision 1.15
sys/net/npf/npf_handler.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.5
sys/net/npf/npf_handler.c: revision 1.17
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.2
sys/net/npf/npf_ncode.h: revision 1.7
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.1
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.3
sys/net/npf/npf_ncode.h: revision 1.8
npf_tcp_inwindow: in a case of negative skew, bump the maximum seen value of
SEQ+LEN in the receiver's side correctly (using ACK from the sender's side).
PR/46265 from Changli Gao.
rumpnet_net: add pfil.c
Update rumpdev_npf; use WARNS=4.
Add initial NPF regression tests integrated with RUMP framework (running the
kernel part of NPF in userland). Other tests will be added once converted to
RUMP framework. All tests are in the public domain.
Some Makefile fixes from christos@.
- Fix double-free case on ICMP return case.
- npf_pfil_register: handle kernels without INET6 option correctly.
- Reduce some #ifdefs.
npfctl(8): add show-config command. Also, update syntax.
npftest: add a stream processor, which prints out the TCP state information.
A tool for debugging connection tracking from tcpdump -w captured data.
npftest: add a module for TCP state tracking and add few test cases.
npf_state_tcp: add an assert; fix some comments while here.
- Rework NPF NAT syntax to be more structured and support future additions
of different types and configurations of NAT.
- npfctl: improve disassemble and show-config command functionality.
- Fix custom ICMP code and type filtering.
make this compile again.
remove error(1) output
Remove superfluous Pp
- make each element of a variable hold a type
- change get_type to take an index, so we can get the individual types of
each element (since primitive elements can be in lists)
- make port_range primitive
- add a routine to convert a variable of primitives to a variable containing
- only port ranges.
remove extra rule that got merged...
 1.4.2.5 22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.4.2.4 23-Jan-2013  yamt sync with head
 1.4.2.3 30-Oct-2012  yamt sync with head
 1.4.2.2 17-Apr-2012  yamt sync with head
 1.4.2.1 03-Apr-2012  yamt file npf_state_tcp.c was added on branch yamt-pagecache on 2012-04-17 00:08:39 +0000
 1.10.2.4 03-Dec-2017  jdolecek update from HEAD
 1.10.2.3 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.10.2.2 25-Feb-2013  tls resync with head
 1.10.2.1 20-Nov-2012  tls Resync to 2012-11-19 00:00:00 UTC
 1.12.2.1 18-May-2014  rmind sync with head
 1.13.2.1 10-Aug-2014  tls Rebase.
 1.16.8.1 07-Jan-2017  pgoyette Sync with HEAD. (Note that most of these changes are simply $NetBSD$
tag issues.)
 1.16.4.1 05-Feb-2017  skrll Sync with HEAD
 1.18.16.2 13-Apr-2020  martin Mostly merge changes from HEAD upto 20200411
 1.18.16.1 10-Jun-2019  christos Sync with HEAD
 1.18.14.1 30-Sep-2018  pgoyette Ssync with HEAD
 1.20.2.1 20-Jun-2020  martin Pull up following revision(s) (requested by rmind in ticket #956):

usr.sbin/npf/npf-params.7: revision 1.4
sys/net/npf/npf_worker.c: revision 1.9
usr.sbin/npf/npftest/npftest.h: revision 1.17
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.16
usr.sbin/npf/npf-params.7: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.21
usr.sbin/npf/npfctl/npf_build.c: revision 1.55
usr.sbin/npf/npf-params.7: revision 1.6
sys/net/npf/npfkern.h: revision 1.5
lib/libnpf/npf.c: revision 1.49
usr.sbin/npf/npf-params.7: revision 1.7
sys/net/npf/npf_impl.h: revision 1.81
sys/net/npf/npf_ext_log.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.h: revision 1.53
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.50
sys/net/npf/npf_mbuf.c: revision 1.24
sys/net/npf/npf_alg.c: revision 1.22
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: file removal
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.10
sys/net/npf/npf.h: revision 1.63
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.21
usr.sbin/npf/npfctl/npf_var.c: revision 1.13
sys/net/npf/files.npf: revision 1.23
usr.sbin/npf/npfctl/npf_show.c: revision 1.32
usr.sbin/npf/npfctl/npf.conf.5: revision 1.91
sys/net/npf/npf_os.c: revision 1.18
sys/net/npf/npf_connkey.c: revision 1.2
sys/net/npf/npf_conf.c: revision 1.17
lib/libnpf/libnpf.3: revision 1.12
usr.sbin/npf/npftest/npftest.c: revision 1.25
usr.sbin/npf/npftest/libnpftest/npf_gc_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.51
sys/net/npf/npf_tableset.c: revision 1.35
usr.sbin/npf/npftest/npftest.conf: revision 1.9
sys/net/npf/npf_sendpkt.c: revision 1.22
usr.sbin/npf/npfctl/npf_var.h: revision 1.10
sys/net/npf/npf_state.c: revision 1.23
sys/net/npf/npf_conn.h: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.64
usr.sbin/npf/npfctl/npf_cmd.c: revision 1.1
sys/net/npf/npf_portmap.c: revision 1.5
sys/net/npf/npf_params.c: revision 1.3
usr.sbin/npf/npfctl/npf_scan.l: revision 1.32
tests/net/npf/t_npf.sh: revision 1.4
sys/net/npf/npf_ext_rndblock.c: revision 1.9
lib/libnpf/npf.h: revision 1.39
sys/net/npf/npf_ruleset.c: revision 1.51
sys/net/npf/npf_alg_icmp.c: revision 1.33
sys/net/npf/npf.c: revision 1.43
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.8: revision 1.25
sys/net/npf/npf_ctl.c: revision 1.60
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.11
sys/net/npf/npf_handler.c: revision 1.49
sys/net/npf/npf_inet.c: revision 1.57
sys/net/npf/npf_ifaddr.c: revision 1.7
sys/net/npf/npf_conndb.c: revision 1.9
sys/net/npf/npf_if.c: revision 1.13
usr.sbin/npf/npfctl/Makefile: revision 1.15
sys/net/npf/npf_conn.c: revision 1.32
sys/net/npf/npf_ext_normalize.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.20
sys/net/npf/npf_worker.c: revision 1.8

Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.

npf_worker_sys{init,fini}: initialize/destroy the exit_cv condvar.

npftest -- npf_test_init(): add a workaround for NetBSD.

npf-params(7): fix the state.key defaults.

npf-params.7: s/filer/filter/

Adjust to "npfctl debug" command line changes, from rmind@.

Use more markup.
 1.43 07-Feb-2025  joe introduce a kernel boolean assertion to ensure the running thread holds the mutex
 1.42 24-Feb-2023  riastradh branches: 1.42.6;
npf: Eliminate __HAVE_ATOMIC_AS_MEMBAR conditionals.

Discussed on tech-kern:
https://mail-index.netbsd.org/tech-kern/2023/02/23/msg028729.html

Requested by rmind@:
https://github.com/rmind/npf/pull/127#issuecomment-1399573125
 1.41 23-Jan-2023  riastradh npf(9): Drop table lock around copyout.

It is forbidden to hold a spin lock around copyout, and t_lock is a
spin lock.

We need t_lock in order to iterate over the list of entries.
However, during copyout itself, we only need to ensure that the
object we're copying out isn't freed by npf_table_remove or
npf_table_gc.

Fortunately, the only caller of npf_table_list, npf_table_remove, and
npf_table_gc is npfctl_table, and it serializes all of them by the
npf config lock. So we can safely drop t_lock across copyout.

PR kern/57136
PR kern/57181
 1.40 22-Jan-2023  riastradh npf(9): Another comment tweak to match upstream.

No functional change.
 1.39 22-Jan-2023  riastradh npf(9): Use __HAVE_ATOMIC_AS_MEMBAR around refcnt consistently.
 1.38 09-Apr-2022  riastradh branches: 1.38.4;
sys: Use membar_release/acquire around reference drop.

This just goes through my recent reference count membar audit and
changes membar_exit to membar_release and membar_enter to
membar_acquire -- this should make everything cheaper on most CPUs
without hurting correctness, because membar_acquire is generally
cheaper than membar_enter.
 1.37 12-Mar-2022  riastradh sys: Membar audit around reference count releases.

If two threads are using an object that is freed when the reference
count goes to zero, we need to ensure that all memory operations
related to the object happen before freeing the object.

Using an atomic_dec_uint_nv(&refcnt) == 0 ensures that only one
thread takes responsibility for freeing, but it's not enough to
ensure that the other thread's memory operations happen before the
freeing.

Consider:

Thread A Thread B
obj->foo = 42; obj->baz = 73;
mumble(&obj->bar); grumble(&obj->quux);
/* membar_exit(); */ /* membar_exit(); */
atomic_dec -- not last atomic_dec -- last
/* membar_enter(); */
KASSERT(invariant(obj->foo,
obj->bar));
free_stuff(obj);

The memory barriers ensure that

obj->foo = 42;
mumble(&obj->bar);

in thread A happens before

KASSERT(invariant(obj->foo, obj->bar));
free_stuff(obj);

in thread B. Without them, this ordering is not guaranteed.

So in general it is necessary to do

membar_exit();
if (atomic_dec_uint_nv(&obj->refcnt) != 0)
return;
membar_enter();

to release a reference, for the `last one out hit the lights' style
of reference counting. (This is in contrast to the style where one
thread blocks new references and then waits under a lock for existing
ones to drain with a condvar -- no membar needed thanks to mutex(9).)

I searched for atomic_dec to find all these. Obviously we ought to
have a better abstraction for this because there's so much copypasta.
This is a stop-gap measure to fix actual bugs until we have that. It
would be nice if an abstraction could gracefully handle the different
styles of reference counting in use -- some years ago I drafted an
API for this, but making it cover everything got a little out of hand
(particularly with struct vnode::v_usecount) and I ended up setting
it aside to work on psref/localcount instead for better scalability.

I got bored of adding #ifdef __HAVE_ATOMIC_AS_MEMBAR everywhere, so I
only put it on things that look performance-critical on 5sec review.
We should really adopt membar_enter_preatomic/membar_exit_postatomic
or something (except they are applicable only to atomic r/m/w, not to
atomic_load/store_*, making the naming annoying) and get rid of all
the ifdefs.
 1.36 25-Jan-2021  christos s/npf_config_lock/npf->config_lock/ in the comments
 1.35 30-May-2020  rmind branches: 1.35.2;
Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.

- Amend and improve the manual pages.
 1.34 21-Aug-2019  rmind npfkern/libnpf: Add support for the table replace/swap operation.
Contributed by Timshel Knoll-Miller.
 1.33 23-Jul-2019  rmind branches: 1.33.2;
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.
 1.32 20-Jun-2019  christos Add error checking for previous memory allocation failure.
 1.31 20-Jun-2019  christos PR/54314: Frank Kardel: LOCKDEBUG: Mutex error: assert_sleepable,70:
spin lock held when loading NPF
 1.30 12-Jun-2019  christos Avoid LOCKDEBUG pserialize panic by implementing suggestion #1 from

http://mail-index.netbsd.org/current-users/2019/02/24/msg035220.html:

Convert the mutex to spin-lock at IPL_NET (but it is excessive) and
convert the memory allocations in that code path to KM_NOSLEEP.
 1.29 19-Jan-2019  rmind Major NPF improvements:
- Convert NPF connection table to thmap. State lookup is now lock-free.
- Improve connection state G/C: it is now incremental and tunable.
- Add support for dynamic NAT address. Translation addresses can now be
selected from a pool of addresses. There are two selection algorithms,
"ip-hash" and "round-robin" (see the man page).
- Translation address can be specified as e.g. ifaddrs(wm0) in npf.conf
to dynamically choose an IP from the interface address(es).
- Add support for the NETMAP algorithm with static NAT for net-to-net
translation (it is equivalent to iptables NETMAP logic).
- Convert 'ipset' tables to use thmap; the table lookup is now lock-free.
- Misc improvements, bug fixes and more unit tests.
- Bump NPF_VERSION (will also bump libnpf).
 1.28 29-Sep-2018  rmind NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.
 1.27 10-Mar-2017  christos branches: 1.27.12; 1.27.14;
fix MIN/MAX confusion.
 1.26 02-Jan-2017  rmind branches: 1.26.2;
NPF: implement dynamic handling of interface addresses (the kernel part).
 1.25 26-Dec-2016  christos Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)
 1.24 09-Dec-2016  christos This patches ditches the ptree(3) library, because it is broken (you
can get missing entries!). Instead, as a temporary solution, we switch
to a simple linear scan of the hash tables for the longest-prefix-match
(lpm.c lpm.h) algorithm. In fact, with few unique prefixes in the set,
on modern hardware this simple algorithm is pretty fast anyway!
 1.23 20-Apr-2016  christos branches: 1.23.2;
/32 and /128 are valid netmasks.
 1.22 11-Aug-2014  rmind branches: 1.22.2; 1.22.4; 1.22.8;
NPF: finish up the rework of npfctl_save() mechanism.
 1.21 06-Feb-2014  rmind Add support for CDB based NPF tables.
 1.20 22-Nov-2013  rmind Add npf_tableset_syncdict() to sync the table IDs in the proplib dictionary,
as they can change on reload now. Also, fix table name checking in npfctl.
 1.19 12-Nov-2013  rmind NPF: add support for table naming and remove NPF_TABLE_SLOTS (there is
just an arbitrary sanity limit of NPF_MAX_TABLES currently set to 128).

Few misc fixes. Bump NPF_VERSION.
 1.18 19-May-2013  rmind branches: 1.18.2;
- Add NPF table flushing functionality.
- Fix line numbering for npfctl debug command.
 1.17 09-Feb-2013  rmind NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
 1.16 04-Dec-2012  rmind npf_table_list: avoid triggering assert on diagnostic.
 1.15 29-Oct-2012  rmind Implement NPF table listing and preservation of entries on reload.
Bump the version.
 1.14 12-Aug-2012  rmind branches: 1.14.2;
- Extend npftest: add ruleset inspection testing from the config generated
by npfctl debug functionality. Auto-create npftest interfaces for this.
- NPF sessions: combine protocol and interface into a separate substructure,
share between the entries and thus fix the handling of them. Constify.
- npftest: add regression tests for NAT policies.
- npf_build_nat: simplify and fix bi-NAT regression.
- Bump yacc stack size for npfctl.
 1.13 15-Jul-2012  rmind - Rework NPF tables and fix support for IPv6. Implement tree table type
using radix / Patricia tree. Universal IPv4/IPv6 comparator for ptree(3)
was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.
 1.12 01-Jul-2012  rmind NPF improvements:
- Add NPF_OPCODE_PROTO to match the address and/or protocol only.
- Update parser to support arbitrary "pass proto <name/number>".
- Fix IPv6 address and protocol handling (add a regression test).
- Fix few theorethical races in session handling module.
- Misc fixes, simplifications and some clean up.
 1.11 22-Jun-2012  rmind NPF:
- Rename some functions for consistency and de-inline them.
- Fix few invalid asserts (add regressoin test).
- Use pserialize(9) for ALG interface.
- Minor fixes, sprinkle many comments.
 1.10 20-Feb-2012  rmind - Add NPF_DECISION_BLOCK and NPF_DECISION_PASS. Be more defensive in the
packet handler. Change the default policy to block when the config is
loaded and set it to pass when flush operation is performed.
- Use kmem_zalloc(9) instead of kmem_alloc(9) in few places.
- npf_rproc_{create,release}: use kmem_intr_{alloc,free} as the destruction
of rule procedure might happen in the interrupt handler (under a very rare
condition, if config reload races with the handler).
- npf_session_establish: check whether layer 3 and 4 are cached.
- npfctl_build_group: do not make groups as passing rules.
- Remove some unecessary header inclusion.
 1.9 15-Jan-2012  rmind branches: 1.9.2;
- Expire all sessions on flush.
- Enable checking for zero mask in IP{4,6}MATCH after npfctl changes.
- Make locking symmetric for npf_ruleset_inspect().
- Sync function prototypes in npf(3) man page with reality.
- Rename NPF_TABLE_RBTREE to NPF_TABLE_TREE.
 1.8 29-Nov-2011  rmind branches: 1.8.2;
- Rework and improve TCP state tracking.
- Fix regressions after IPv6 patch merge.

Note: npfctl(8) rework will come soon.
 1.7 06-Nov-2011  rmind Few fixes, KNF/style, bump the NPF version.
 1.6 04-Nov-2011  zoltan Add IPv6 support for NPF.
 1.5 02-Feb-2011  rmind branches: 1.5.2; 1.5.6;
NPF checkpoint:
- Add libnpf(3) - a library to control NPF (configuration, ruleset, etc).
- Add NPF support for ftp-proxy(8).
- Add rc.d script for NPF.
- Convert npfctl(8) to use libnpf(3) and thus make it less depressive.
Note: next clean-up step should be a parser, once dholland@ will finish it.
- Add more documentation.
- Various fixes.
 1.4 18-Dec-2010  rmind branches: 1.4.2; 1.4.4;
NPF checkpoint:
- Add support for session saving/restoring.
- Add packet logging support (can tcpdump a pseudo-interface).
- Support reload without flushing of sessions; rework some locking.
- Revisit session mangement, replace linking with npf_sentry_t entries.
- Add some counters for statistics, using percpu(9).
- Add IP_DF flag cleansing.
- Fix various bugs; misc clean-up.
 1.3 11-Nov-2010  rmind NPF checkpoint:
- Add proper TCP state tracking as described in Guido van Rooij paper,
plus handle TCP Window Scaling option.
- Completely rework npf_cache_t, reduce granularity, simplify code.
- Add npf_addr_t as an abstraction, amend session handling code, as well
as NAT code et al, to use it. Now design is prepared for IPv6 support.
- Handle IPv4 fragments i.e. perform packet reassembly.
- Add support for IPv4 ID randomization and minimum TTL enforcement.
- Add support for TCP MSS "clamping".
- Random bits for IPv6. Various fixes and clean-up.
 1.2 24-Sep-2010  rmind branches: 1.2.2; 1.2.4;
Fixes/improvements to RB-tree implementation:
1. Fix inverted node order, so that negative value from comparison operator
would represent lower (left) node, and positive - higher (right) node.
2. Add an argument (i.e. "context"), passed to comparison operators.
3. Change rb_tree_insert_node() to return a node - either inserted one or
already existing one.
4. Amend the interface to manipulate the actual object, instead of the
rb_node (in a similar way as Patricia-tree interface does).
5. Update all RB-tree users accordingly.

XXX: Perhaps rename rb.h to rbtree.h, since cleaning-up..

1-3 address the PR/43488 by Jeremy Huddleston.

Passes RB-tree regression tests.
Reviewed by: matt@, christos@
 1.1 22-Aug-2010  rmind Import NPF - a packet filter. Some features:

- Designed to be fully MP-safe and highly efficient.

- Tables/IP sets (hash or red-black tree) for high performance lookups.

- Stateful filtering and Network Address Port Translation (NAPT).
Framework for application level gateways (ALGs).

- Packet inspection engine called n-code processor - inspired by BPF -
supporting generic RISC-like and specific CISC-like instructions for
common patterns (e.g. IPv4 address matching). See npf_ncode(9) manual.

- Convenient userland utility npfctl(8) with npf.conf(8).

NOTE: This is not yet a fully capable alternative to PF or IPFilter.
Further work (support for binat/rdr, return-rst/return-icmp, common ALGs,
state saving/restoring, logging, etc) is in progress.

Thanks a lot to Matt Thomas for various useful comments and code review.
Aye by: board@
 1.2.4.2 22-Oct-2010  uebayasi Sync with HEAD (-D20101022).
 1.2.4.1 24-Sep-2010  uebayasi file npf_tableset.c was added on branch uebayasi-xip on 2010-10-22 09:23:15 +0000
 1.2.2.2 09-Oct-2010  yamt sync with head
 1.2.2.1 24-Sep-2010  yamt file npf_tableset.c was added on branch yamt-nfs-mp on 2010-10-09 03:32:37 +0000
 1.4.4.1 08-Feb-2011  bouyer Sync with HEAD
 1.4.2.1 06-Jun-2011  jruoho Sync with HEAD.
 1.5.6.5 22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.5.6.4 16-Jan-2013  yamt sync with (a bit old) head
 1.5.6.3 30-Oct-2012  yamt sync with head
 1.5.6.2 17-Apr-2012  yamt sync with head
 1.5.6.1 10-Nov-2011  yamt sync with head
 1.5.2.2 05-Mar-2011  rmind sync with head
 1.5.2.1 02-Feb-2011  rmind file npf_tableset.c was added on branch rmind-uvmplock on 2011-03-05 20:55:56 +0000
 1.8.2.2 24-Feb-2012  mrg sync to -current.
 1.8.2.1 18-Feb-2012  mrg merge to -current.
 1.9.2.8 11-Feb-2013  riz Pull up following revision(s) (requested by rmind in ticket #817):
usr.sbin/npf/npfctl/npfctl.8: revision 1.12
usr.sbin/npf/npfctl/npf.conf.5: revision 1.27
usr.sbin/npf/npfctl/npf_parse.y: revision 1.18
usr.sbin/npf/npfctl/npf_build.c: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.28
lib/libnpf/npf.c: revision 1.16
usr.sbin/npf/npfctl/npfctl.c: revision 1.29
lib/libnpf/npf.c: revision 1.17
sys/modules/npf/Makefile: revision 1.12
sys/net/npf/npf_rproc.c: revision 1.6
usr.sbin/npf/npftest/README: revision 1.4
sys/net/npf/npf_tableset.c: revision 1.17
sys/net/npf/npf_ctl.c: revision 1.21
sys/net/npf/npf_ctl.c: revision 1.22
usr.sbin/npf/npfctl/npfctl.h: revision 1.25
lib/libnpf/npf.h: revision 1.13
usr.sbin/npf/npftest/npftest.conf: revision 1.2
usr.sbin/npf/npfctl/npfctl.h: revision 1.26
sys/net/npf/npf_ruleset.c: revision 1.17
lib/libnpf/npf.h: revision 1.14
sys/net/npf/npf_ruleset.c: revision 1.18
sys/net/npf/npf_conf.c: revision 1.1
usr.sbin/npf/npfctl/npf_scan.l: revision 1.10
sys/net/npf/npf_conf.c: revision 1.2
sys/net/npf/npf_instr.c: revision 1.16
sys/net/npf/npf_handler.c: revision 1.26
sys/net/npf/npf_impl.h: revision 1.26
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.14
sys/net/npf/npf_processor.c: revision 1.15
sys/net/npf/npf_impl.h: revision 1.27
sys/net/npf/npf_alg_icmp.c: revision 1.15
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.15
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.16
sys/net/npf/npf_ncode.h: revision 1.11
sys/net/npf/files.npf: revision 1.10
usr.sbin/npf/npftest/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.c: revision 1.30
lib/libnpf/npf.3: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.4
sys/net/npf/npf_session.c: revision 1.21
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.5
usr.sbin/npf/npfctl/npf_build.c: revision 1.18
usr.sbin/npf/npfctl/npf_build.c: revision 1.19
sys/net/npf/npf_alg.c: revision 1.7
usr.sbin/npf/npfctl/Makefile: revision 1.10
sys/net/npf/npf_inet.c: revision 1.21
sys/net/npf/npf.h: revision 1.26
sys/net/npf/npf.h: revision 1.27
usr.sbin/pf/ftp-proxy/Makefile: revision 1.8
sys/net/npf/npf_nat.c: revision 1.19
sys/net/npf/npf.c: revision 1.15
sys/net/npf/npf_state.c: revision 1.14
sys/net/npf/npf_sendpkt.c: revision 1.14
sys/rump/net/lib/libnpf/Makefile: revision 1.4
IPv6 linklocal address printing cosmetics
NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
Disable -DWITH_NPF for now; will be converted to BPF mechanism.
- Fix NPF config reload with dynamic rules present.
- Implement list and flush commands on a dynamic ruleset.
Allow filtering on IP addresses even if the L4 protocol is unknown.
Patch from spz@.
npftest: adjust for recent change.
 1.9.2.7 11-Dec-2012  riz Pull up following revision(s) (requested by rmind in ticket #736):
usr.sbin/npf/npfctl/npf_parse.y: revision 1.17
sys/net/npf/npf_tableset.c: revision 1.16
usr.sbin/npf/npfctl/npfctl.h: revision 1.23
usr.sbin/npf/npfctl/npf_data.c: revision 1.19
usr.sbin/npf/npfctl/npf_build.c: revision 1.15
share/examples/npf/host-npf.conf: revision 1.3
usr.sbin/npf/npfctl/npf_scan.l: revision 1.9
share/examples/npf/soho_gw-npf.conf: revision 1.3
usr.sbin/npf/npfctl/npf_var.h: revision 1.6
usr.sbin/npf/npfctl/npf.conf.5: revision 1.24
npfctl: extend syntax for extracting interface IP address(es) by the family.
adjust to current npf.conf syntax
npf_table_list: avoid triggering assert on diagnostic.
 1.9.2.6 24-Nov-2012  riz Pull up following revision(s) (requested by rmind in ticket #702):
sys/net/npf/npf_tableset.c: revision 1.15
usr.sbin/npf/npfctl/npfctl.h: revision 1.21
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.6
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.10
sys/net/npf/npf_state_tcp.c: revision 1.11
sys/net/npf/npf_impl.h: revision 1.24
sys/net/npf/npf.h: revision 1.22
sys/net/npf/npf_ctl.c: revision 1.19
sys/net/npf/npf.c: revision 1.14
usr.sbin/npf/npfctl/npfctl.8: revision 1.10
usr.sbin/npf/npfctl/npfctl.c: revision 1.21
npf_tcp_inwindow: inspect the sequence numbers even if the packet contains no
data, fixing up only the RST to the initial SYN. This makes off-path attacks
more difficult. For the reference, see &quot;Reflection Scan: an Off-Path Attack
on TCP&quot; by Jan Wrobel.
Implement NPF table listing and preservation of entries on reload.
Bump the version.
npfctl(8): mention table listing.
 1.9.2.5 13-Aug-2012  riz Pull up following revision(s) (requested by rmind in ticket #485):
lib/libnpf/npf.c: revision 1.11
sys/net/npf/npf_session.c: revision 1.17
sys/modules/npf/Makefile: revision 1.10
usr.sbin/npf/npftest/npftest.c: revision 1.4
usr.sbin/npf/npftest/README: revision 1.1
sys/net/npf/npf_tableset.c: revision 1.14
usr.sbin/npf/npftest/npftest.h: revision 1.4
lib/libnpf/npf.h: revision 1.10
sys/net/npf/npf_ruleset.c: revision 1.14
usr.sbin/npf/npfctl/npf_data.c: revision 1.18
usr.sbin/npf/npftest/npftest.conf: revision 1.1
sys/net/npf/npf_handler.c: revision 1.21
sys/net/npf/npf_impl.h: revision 1.21
usr.sbin/npf/npfctl/npfctl.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_build.c: revision 1.13
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.1
usr.sbin/npf/npftest/npfstream.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.h: revision 1.19
sys/net/npf/npf_nat.c: revision 1.16
sys/net/npf/npf_state.c: revision 1.11
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.5
usr.sbin/npf/npfctl/npf_parse.y: revision 1.12
- Extend npftest: add ruleset inspection testing from the config generated
by npfctl debug functionality. Auto-create npftest interfaces for this.
- NPF sessions: combine protocol and interface into a separate substructure,
share between the entries and thus fix the handling of them. Constify.
- npftest: add regression tests for NAT policies.
- npf_build_nat: simplify and fix bi-NAT regression.
- Bump yacc stack size for npfctl.
 1.9.2.4 16-Jul-2012  riz Pull up following revision(s) (requested by rmind in ticket #421):
lib/libnpf/npf.c: revision 1.10
sys/net/npf/npf_session.c: revision 1.15
sys/net/npf/npf_tableset.c: revision 1.13
sys/net/npf/npf_state_tcp.c: revision 1.9
usr.sbin/npf/npfctl/npf_data.c: revision 1.15
sys/net/npf/npf_inet.c: revision 1.14
sys/net/npf/npf_ruleset.c: revision 1.13
sys/net/npf/npf.h: revision 1.19
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.12
sys/net/npf/npf_instr.c: revision 1.13
sys/net/npf/npf_handler.c: revision 1.20
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.4
sys/net/npf/npf_alg_icmp.c: revision 1.10
usr.sbin/npf/npfctl/npfctl.c: revision 1.15
usr.sbin/npf/npfctl/npf_build.c: revision 1.11
lib/libnpf/npf.h: revision 1.9
sys/net/npf/npf_alg.c: revision 1.5
sys/rump/dev/lib/libnpf/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.h: revision 1.17
sys/net/npf/npf_ctl.c: revision 1.16
sys/net/npf/npf_nat.c: revision 1.15
sys/net/npf/npf_tableset_ptree.c: revision 1.1
sys/net/npf/npf.c: revision 1.12
sys/net/npf/npf_sendpkt.c: revision 1.12
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.7
sys/net/npf/npf_impl.h: revision 1.18
sys/net/npf/files.npf: revision 1.7
usr.sbin/npf/npfctl/npf_parse.y: revision 1.10
- Rework NPF tables and fix support for IPv6. Implement tree table type
using radix / Patricia tree. Universal IPv4/IPv6 comparator for ptree(3)
was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.
 1.9.2.3 05-Jul-2012  riz Pull up following revision(s) (requested by rmind in ticket #399):
sys/net/npf/npf_session.c: revision 1.14
sys/net/npf/npf_tableset.c: revision 1.12
sys/net/npf/npf_state_tcp.c: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.3
usr.sbin/npf/npfctl/npf_data.c: revision 1.14
sys/net/npf/npf_inet.c: revision 1.13
sys/net/npf/npf_ruleset.c: revision 1.12
sys/net/npf/npf.h: revision 1.18
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.8: revision 1.7
usr.sbin/npf/npfctl/npf_parse.y: revision 1.9
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.2
usr.sbin/npf/npfctl/npfctl.8: revision 1.8
sys/net/npf/npf_instr.c: revision 1.12
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.3
usr.sbin/npf/npfctl/npf.conf.5: revision 1.13
usr.sbin/npf/npfctl/npf.conf.5: revision 1.14
sys/net/npf/npf_state.c: revision 1.9
sys/net/npf/npf_processor.c: revision 1.11
usr.sbin/npf/npfctl/npfctl.c: revision 1.13
usr.sbin/npf/npfctl/npfctl.c: revision 1.14
usr.sbin/npf/npfctl/npf_build.c: revision 1.10
lib/libnpf/npf.3: revision 1.5
lib/libnpf/npf.h: revision 1.8
share/man/man9/npf_ncode.9: revision 1.9
usr.sbin/npf/npfctl/npf_scan.l: revision 1.4
lib/libnpf/npf.c: revision 1.9
usr.sbin/npf/npfctl/npfctl.h: revision 1.16
sys/net/npf/npf_nat.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.2
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.6
sys/net/npf/npf_impl.h: revision 1.17
sys/net/npf/npf_handler.c: revision 1.18
sys/net/npf/npf_handler.c: revision 1.19
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.4
sys/net/npf/npf_ncode.h: revision 1.9
Fix and update npf.conf(5), npfctl(8) and its usage message.
npf_state_tcp: fix for FIN retransmission and out-of-order ACK case.
NPF improvements:
- Add NPF_OPCODE_PROTO to match the address and/or protocol only.
- Update parser to support arbitrary &quot;pass proto &lt;name/number&gt;&quot;.
- Fix IPv6 address and protocol handling (add a regression test).
- Fix few theorethical races in session handling module.
- Misc fixes, simplifications and some clean up.
npf_packet_handler: fix gcc unused warning.
 1.9.2.2 26-Jun-2012  riz Pull up following revision(s) (requested by rmind in ticket #365):
sys/rump/librump/rumpkern/rumpcpu_generic.c: revision 1.4
sys/net/npf/npf_session.c: revision 1.13
sys/net/npf/npf_tableset.c: revision 1.11
sys/net/npf/npf_state_tcp.c: revision 1.7
sys/net/npf/npf_inet.c: revision 1.12
sys/net/npf/npf.h: revision 1.17
sys/net/npf/npf_instr.c: revision 1.11
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.2
sys/net/npf/npf_state.c: revision 1.8
sys/net/npf/npf_log.c: revision 1.4
sys/net/npf/npf_alg.c: revision 1.4
sys/rump/librump/rumpkern/Makefile.rumpkern: revision 1.118
sys/net/npf/npf_nat.c: revision 1.13
sys/net/npf/npf.c: revision 1.11
sys/net/npf/npf_sendpkt.c: revision 1.11
sys/net/npf/npf_impl.h: revision 1.16
sys/rump/librump/rumpkern/scheduler.c: revision 1.28
rumpkern:
- Add subr_kcpuset.c and subr_pserialize.c modules.
- Add kcpuset_{running,attached} for RUMP env.
NPF:
- Rename some functions for consistency and de-inline them.
- Fix few invalid asserts (add regressoin test).
- Use pserialize(9) for ALG interface.
- Minor fixes, sprinkle many comments.
 1.9.2.1 03-Apr-2012  riz Pull up following revision(s) (requested by rmind in ticket #158):
sys/net/npf/npf_session.c: revision 1.12
sys/net/npf/npf_tableset.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.2
usr.sbin/npf/npfctl/npf_parse.y: revision 1.4
sys/net/npf/npf_inet.c: revision 1.11
sys/net/npf/npf.h: revision 1.15
usr.sbin/npf/npfctl/npf_build.c: revision 1.5
sys/net/npf/npf_ruleset.c: revision 1.11
sys/net/npf/npf_instr.c: revision 1.10
usr.sbin/npf/npfctl/Makefile: revision 1.6
sys/net/npf/npf_processor.c: revision 1.10
sys/net/npf/npf_log.c: revision 1.3
lib/libnpf/npf.h: revision 1.7
sys/net/npf/npf_alg.c: revision 1.3
sys/net/npf/npf_sendpkt.c: revision 1.9
lib/libnpf/npf.c: revision 1.8
usr.sbin/npf/npfctl/npfctl.h: revision 1.13
sys/net/npf/npf_ctl.c: revision 1.13
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.8
sys/net/npf/npf_ctl.c: revision 1.14
sys/net/npf/npf_nat.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.12
sys/net/npf/npf_impl.h: revision 1.11
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.1
sys/net/npf/npf_impl.h: revision 1.12
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.2
sys/net/npf/npf_handler.c: revision 1.14
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.3
sys/net/npf/npf_handler.c: revision 1.15
sys/net/npf/npf_ncode.h: revision 1.6
sys/net/npf/npf.c: revision 1.8
sys/net/npf/npf.c: revision 1.9
sys/net/npf/npf_alg_icmp.c: revision 1.9
sys/net/npf/npf_session.c: revision 1.11
- Add NPF_DECISION_BLOCK and NPF_DECISION_PASS. Be more defensive in the
packet handler. Change the default policy to block when the config is
loaded and set it to pass when flush operation is performed.
- Use kmem_zalloc(9) instead of kmem_alloc(9) in few places.
- npf_rproc_{create,release}: use kmem_intr_{alloc,free} as the destruction
of rule procedure might happen in the interrupt handler (under a very rare
condition, if config reload races with the handler).
- npf_session_establish: check whether layer 3 and 4 are cached.
- npfctl_build_group: do not make groups as passing rules.
- Remove some unecessary header inclusion.
Simplify slightly: merge iface into addr_or_iface, use it in filt_addr.
Add a small disassembler.
definitions used by the disassembler.
- better printing of type/code flags/mask
- pass the instruction start pointer, instead of subtracting 1 to account for it
- Save active config in proplib dictionary; add GETCONF ioctl to retrieve.
- Few fixes. Improve some comments.
don't leak the branch target array.
Add NPF config retrieval routines.
 1.14.2.5 03-Dec-2017  jdolecek update from HEAD
 1.14.2.4 20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.14.2.3 23-Jun-2013  tls resync from head
 1.14.2.2 25-Feb-2013  tls resync with head
 1.14.2.1 20-Nov-2012  tls Resync to 2012-11-19 00:00:00 UTC
 1.18.2.1 18-May-2014  rmind sync with head
 1.22.8.1 18-Jan-2017  skrll Sync with netbsd-5
 1.22.4.3 28-Aug-2017  skrll Sync with HEAD
 1.22.4.2 05-Feb-2017  skrll Sync with HEAD
 1.22.4.1 22-Apr-2016  skrll Sync with HEAD
 1.22.2.1 18-Dec-2016  snj Pull up following revision(s) (requested by rmind in ticket #1319):
sys/modules/npf/Makefile: revision 1.19
sys/net/npf/files.npf: revision 1.18
sys/net/npf/lpm.c: revision 1.1
sys/net/npf/lpm.h: revision 1.1
sys/net/npf/npf_impl.h: revision 1.62
sys/net/npf/npf_tableset.c: revision 1.24
sys/net/npf/npf_tableset_ptree.c: file removal
sys/rump/net/lib/libnpf/Makefile: revision 1.18
This patches ditches the ptree(3) library, because it is broken (you
can get missing entries!). Instead, as a temporary solution, we switch
to a simple linear scan of the hash tables for the longest-prefix-match
(lpm.c lpm.h) algorithm. In fact, with few unique prefixes in the set,
on modern hardware this simple algorithm is pretty fast anyway!
--
ditch ptree and use lpm
--
remove ptree add lpm
 1.23.2.2 20-Mar-2017  pgoyette Sync with HEAD
 1.23.2.1 07-Jan-2017  pgoyette Sync with HEAD. (Note that most of these changes are simply $NetBSD$
tag issues.)
 1.26.2.1 21-Apr-2017  bouyer Sync with HEAD
 1.27.14.2 13-Apr-2020  martin Mostly merge changes from HEAD upto 20200411
 1.27.14.1 10-Jun-2019  christos Sync with HEAD
 1.27.12.2 26-Jan-2019  pgoyette Sync with HEAD
 1.27.12.1 30-Sep-2018  pgoyette Ssync with HEAD
 1.33.2.3 21-Aug-2023  martin Pull up following revision(s) (requested by riastradh in ticket #1718):

sys/net/npf/npf_tableset.c: revision 1.41

npf(9): Drop table lock around copyout.

It is forbidden to hold a spin lock around copyout, and t_lock is a
spin lock.

We need t_lock in order to iterate over the list of entries.
However, during copyout itself, we only need to ensure that the
object we're copying out isn't freed by npf_table_remove or
npf_table_gc.

Fortunately, the only caller of npf_table_list, npf_table_remove, and
npf_table_gc is npfctl_table, and it serializes all of them by the
npf config lock. So we can safely drop t_lock across copyout.

PR kern/57136
PR kern/57181
 1.33.2.2 20-Jun-2020  martin Pull up following revision(s) (requested by rmind in ticket #956):

usr.sbin/npf/npf-params.7: revision 1.4
sys/net/npf/npf_worker.c: revision 1.9
usr.sbin/npf/npftest/npftest.h: revision 1.17
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.16
usr.sbin/npf/npf-params.7: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.21
usr.sbin/npf/npfctl/npf_build.c: revision 1.55
usr.sbin/npf/npf-params.7: revision 1.6
sys/net/npf/npfkern.h: revision 1.5
lib/libnpf/npf.c: revision 1.49
usr.sbin/npf/npf-params.7: revision 1.7
sys/net/npf/npf_impl.h: revision 1.81
sys/net/npf/npf_ext_log.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.h: revision 1.53
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.50
sys/net/npf/npf_mbuf.c: revision 1.24
sys/net/npf/npf_alg.c: revision 1.22
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: file removal
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.10
sys/net/npf/npf.h: revision 1.63
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.21
usr.sbin/npf/npfctl/npf_var.c: revision 1.13
sys/net/npf/files.npf: revision 1.23
usr.sbin/npf/npfctl/npf_show.c: revision 1.32
usr.sbin/npf/npfctl/npf.conf.5: revision 1.91
sys/net/npf/npf_os.c: revision 1.18
sys/net/npf/npf_connkey.c: revision 1.2
sys/net/npf/npf_conf.c: revision 1.17
lib/libnpf/libnpf.3: revision 1.12
usr.sbin/npf/npftest/npftest.c: revision 1.25
usr.sbin/npf/npftest/libnpftest/npf_gc_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.51
sys/net/npf/npf_tableset.c: revision 1.35
usr.sbin/npf/npftest/npftest.conf: revision 1.9
sys/net/npf/npf_sendpkt.c: revision 1.22
usr.sbin/npf/npfctl/npf_var.h: revision 1.10
sys/net/npf/npf_state.c: revision 1.23
sys/net/npf/npf_conn.h: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.64
usr.sbin/npf/npfctl/npf_cmd.c: revision 1.1
sys/net/npf/npf_portmap.c: revision 1.5
sys/net/npf/npf_params.c: revision 1.3
usr.sbin/npf/npfctl/npf_scan.l: revision 1.32
tests/net/npf/t_npf.sh: revision 1.4
sys/net/npf/npf_ext_rndblock.c: revision 1.9
lib/libnpf/npf.h: revision 1.39
sys/net/npf/npf_ruleset.c: revision 1.51
sys/net/npf/npf_alg_icmp.c: revision 1.33
sys/net/npf/npf.c: revision 1.43
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.8: revision 1.25
sys/net/npf/npf_ctl.c: revision 1.60
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.11
sys/net/npf/npf_handler.c: revision 1.49
sys/net/npf/npf_inet.c: revision 1.57
sys/net/npf/npf_ifaddr.c: revision 1.7
sys/net/npf/npf_conndb.c: revision 1.9
sys/net/npf/npf_if.c: revision 1.13
usr.sbin/npf/npfctl/Makefile: revision 1.15
sys/net/npf/npf_conn.c: revision 1.32
sys/net/npf/npf_ext_normalize.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.20
sys/net/npf/npf_worker.c: revision 1.8

Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.

npf_worker_sys{init,fini}: initialize/destroy the exit_cv condvar.

npftest -- npf_test_init(): add a workaround for NetBSD.

npf-params(7): fix the state.key defaults.

npf-params.7: s/filer/filter/

Adjust to "npfctl debug" command line changes, from rmind@.

Use more markup.
 1.33.2.1 01-Sep-2019  martin Pull up following revision(s) (requested by rmind in ticket #139):

lib/libnpf/npf.c: revision 1.47
usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.10
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.10
sys/net/npf/npf.h: revision 1.61
sys/net/npf/npf_ctl.c: revision 1.56
sys/net/npf/npf_os.c: revision 1.15
lib/libnpf/libnpf.3: revision 1.10
sys/net/npf/npf_tableset.c: revision 1.34
usr.sbin/npf/npfctl/npfctl.c: revision 1.61
sys/net/npf/npf_impl.h: revision 1.77
lib/libnpf/npf.h: revision 1.37

- npftest: fix a memleak in a unit test (standalone path only).
- Minor style fixes. No functional change.
npfkern/libnpf: Add support for the table replace/swap operation.
Contributed by Timshel Knoll-Miller.
 1.35.2.1 03-Apr-2021  thorpej Sync with HEAD.
 1.38.4.1 21-Aug-2023  martin Pull up following revision(s) (requested by riastradh in ticket #332):

sys/net/npf/npf_tableset.c: revision 1.41

npf(9): Drop table lock around copyout.

It is forbidden to hold a spin lock around copyout, and t_lock is a
spin lock.

We need t_lock in order to iterate over the list of entries.
However, during copyout itself, we only need to ensure that the
object we're copying out isn't freed by npf_table_remove or
npf_table_gc.

Fortunately, the only caller of npf_table_list, npf_table_remove, and
npf_table_gc is npfctl_table, and it serializes all of them by the
npf config lock. So we can safely drop t_lock across copyout.

PR kern/57136
PR kern/57181
 1.42.6.1 02-Aug-2025  perseant Sync with HEAD
 1.2 09-Dec-2016  christos This patches ditches the ptree(3) library, because it is broken (you
can get missing entries!). Instead, as a temporary solution, we switch
to a simple linear scan of the hash tables for the longest-prefix-match
(lpm.c lpm.h) algorithm. In fact, with few unique prefixes in the set,
on modern hardware this simple algorithm is pretty fast anyway!
 1.1 15-Jul-2012  rmind branches: 1.1.2; 1.1.4; 1.1.6; 1.1.18; 1.1.20; 1.1.24; 1.1.26;
- Rework NPF tables and fix support for IPv6. Implement tree table type
using radix / Patricia tree. Universal IPv4/IPv6 comparator for ptree(3)
was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.
 1.1.26.1 13-Mar-2017  skrll Sync with netbsd-7-1-RELEASE
 1.1.24.1 07-Jan-2017  pgoyette Sync with HEAD. (Note that most of these changes are simply $NetBSD$
tag issues.)
 1.1.20.1 05-Feb-2017  skrll Sync with HEAD
 1.1.18.1 18-Dec-2016  snj Pull up following revision(s) (requested by rmind in ticket #1319):
sys/modules/npf/Makefile: revision 1.19
sys/net/npf/files.npf: revision 1.18
sys/net/npf/lpm.c: revision 1.1
sys/net/npf/lpm.h: revision 1.1
sys/net/npf/npf_impl.h: revision 1.62
sys/net/npf/npf_tableset.c: revision 1.24
sys/net/npf/npf_tableset_ptree.c: file removal
sys/rump/net/lib/libnpf/Makefile: revision 1.18
This patches ditches the ptree(3) library, because it is broken (you
can get missing entries!). Instead, as a temporary solution, we switch
to a simple linear scan of the hash tables for the longest-prefix-match
(lpm.c lpm.h) algorithm. In fact, with few unique prefixes in the set,
on modern hardware this simple algorithm is pretty fast anyway!
--
ditch ptree and use lpm
--
remove ptree add lpm
 1.1.6.2 30-Oct-2012  yamt sync with head
 1.1.6.1 15-Jul-2012  yamt file npf_tableset_ptree.c was added on branch yamt-pagecache on 2012-10-30 17:22:45 +0000
 1.1.4.1 03-Dec-2017  jdolecek update from HEAD
 1.1.2.2 16-Jul-2012  riz Pull up following revision(s) (requested by rmind in ticket #421):
lib/libnpf/npf.c: revision 1.10
sys/net/npf/npf_session.c: revision 1.15
sys/net/npf/npf_tableset.c: revision 1.13
sys/net/npf/npf_state_tcp.c: revision 1.9
usr.sbin/npf/npfctl/npf_data.c: revision 1.15
sys/net/npf/npf_inet.c: revision 1.14
sys/net/npf/npf_ruleset.c: revision 1.13
sys/net/npf/npf.h: revision 1.19
usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.12
sys/net/npf/npf_instr.c: revision 1.13
sys/net/npf/npf_handler.c: revision 1.20
usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.4
sys/net/npf/npf_alg_icmp.c: revision 1.10
usr.sbin/npf/npfctl/npfctl.c: revision 1.15
usr.sbin/npf/npfctl/npf_build.c: revision 1.11
lib/libnpf/npf.h: revision 1.9
sys/net/npf/npf_alg.c: revision 1.5
sys/rump/dev/lib/libnpf/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.h: revision 1.17
sys/net/npf/npf_ctl.c: revision 1.16
sys/net/npf/npf_nat.c: revision 1.15
sys/net/npf/npf_tableset_ptree.c: revision 1.1
sys/net/npf/npf.c: revision 1.12
sys/net/npf/npf_sendpkt.c: revision 1.12
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.7
sys/net/npf/npf_impl.h: revision 1.18
sys/net/npf/files.npf: revision 1.7
usr.sbin/npf/npfctl/npf_parse.y: revision 1.10
- Rework NPF tables and fix support for IPv6. Implement tree table type
using radix / Patricia tree. Universal IPv4/IPv6 comparator for ptree(3)
was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.
 1.1.2.1 15-Jul-2012  riz file npf_tableset_ptree.c was added on branch netbsd-6 on 2012-07-16 22:13:27 +0000
 1.10 27-Aug-2020  riastradh npf: Don't stop early after sleeping and before processing instances.

We already check winfo->exit below, after processing instances and
before sleeping again.

Candidate fix for:

panic: kernel diagnostic assertion "LIST_EMPTY(&winfo->instances)" failed: file "/home/riastradh/netbsd/current/src/sys/rump/net/lib/libnpf/../../../..//net/npf/npf_worker.c", line 300 NPF instances must be discharged before the npfk_sysfini() call
 1.9 30-May-2020  rmind npf_worker_sys{init,fini}: initialize/destroy the exit_cv condvar.
 1.8 30-May-2020  rmind Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.

- Amend and improve the manual pages.
 1.7 11-Aug-2019  rmind Adjust some internal NPF APIs:
* npfkern: use the npfk_ prefix.
* NPF portmap: amend the API so it could be used elsewhere.
* Make npf_connkey_t public.
 1.6 19-Jan-2019  rmind branches: 1.6.4;
Major NPF improvements:
- Convert NPF connection table to thmap. State lookup is now lock-free.
- Improve connection state G/C: it is now incremental and tunable.
- Add support for dynamic NAT address. Translation addresses can now be
selected from a pool of addresses. There are two selection algorithms,
"ip-hash" and "round-robin" (see the man page).
- Translation address can be specified as e.g. ifaddrs(wm0) in npf.conf
to dynamically choose an IP from the interface address(es).
- Add support for the NETMAP algorithm with static NAT for net-to-net
translation (it is equivalent to iptables NETMAP logic).
- Convert 'ipset' tables to use thmap; the table lookup is now lock-free.
- Misc improvements, bug fixes and more unit tests.
- Bump NPF_VERSION (will also bump libnpf).
 1.5 29-Sep-2018  rmind NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.
 1.4 10-Dec-2017  rmind branches: 1.4.2; 1.4.4;
- npf_mk_rules: enforce unique names for the dynamic rulesets.
- npf_worker_unregister: merge fix for the standalone NPF.
 1.3 02-Jan-2017  rmind NPF: implement dynamic handling of interface addresses (the kernel part).
 1.2 26-Dec-2016  christos Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)
 1.1 02-Jun-2013  rmind branches: 1.1.2; 1.1.10; 1.1.14; 1.1.18;
- NPF connection tracking: rework synchronisation on tracking disable/enable
points and document it. Split the worker thread into a separate module
with an interface, so it could be re-used for other tasks.
- Replace ALG list with arrays and thus hit fewer cache lines.
- Misc bug fixes.
 1.1.18.1 07-Jan-2017  pgoyette Sync with HEAD. (Note that most of these changes are simply $NetBSD$
tag issues.)
 1.1.14.1 05-Feb-2017  skrll Sync with HEAD
 1.1.10.2 22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.1.10.1 02-Jun-2013  yamt file npf_worker.c was added on branch yamt-pagecache on 2014-05-22 11:41:09 +0000
 1.1.2.3 03-Dec-2017  jdolecek update from HEAD
 1.1.2.2 23-Jun-2013  tls resync from head
 1.1.2.1 02-Jun-2013  tls file npf_worker.c was added on branch tls-maxphys on 2013-06-23 06:20:25 +0000
 1.4.4.2 13-Apr-2020  martin Mostly merge changes from HEAD upto 20200411
 1.4.4.1 10-Jun-2019  christos Sync with HEAD
 1.4.2.2 26-Jan-2019  pgoyette Sync with HEAD
 1.4.2.1 30-Sep-2018  pgoyette Ssync with HEAD
 1.6.4.2 20-Jun-2020  martin Pull up following revision(s) (requested by rmind in ticket #956):

usr.sbin/npf/npf-params.7: revision 1.4
sys/net/npf/npf_worker.c: revision 1.9
usr.sbin/npf/npftest/npftest.h: revision 1.17
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.16
usr.sbin/npf/npf-params.7: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.21
usr.sbin/npf/npfctl/npf_build.c: revision 1.55
usr.sbin/npf/npf-params.7: revision 1.6
sys/net/npf/npfkern.h: revision 1.5
lib/libnpf/npf.c: revision 1.49
usr.sbin/npf/npf-params.7: revision 1.7
sys/net/npf/npf_impl.h: revision 1.81
sys/net/npf/npf_ext_log.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.h: revision 1.53
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.50
sys/net/npf/npf_mbuf.c: revision 1.24
sys/net/npf/npf_alg.c: revision 1.22
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: file removal
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.10
sys/net/npf/npf.h: revision 1.63
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.21
usr.sbin/npf/npfctl/npf_var.c: revision 1.13
sys/net/npf/files.npf: revision 1.23
usr.sbin/npf/npfctl/npf_show.c: revision 1.32
usr.sbin/npf/npfctl/npf.conf.5: revision 1.91
sys/net/npf/npf_os.c: revision 1.18
sys/net/npf/npf_connkey.c: revision 1.2
sys/net/npf/npf_conf.c: revision 1.17
lib/libnpf/libnpf.3: revision 1.12
usr.sbin/npf/npftest/npftest.c: revision 1.25
usr.sbin/npf/npftest/libnpftest/npf_gc_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.51
sys/net/npf/npf_tableset.c: revision 1.35
usr.sbin/npf/npftest/npftest.conf: revision 1.9
sys/net/npf/npf_sendpkt.c: revision 1.22
usr.sbin/npf/npfctl/npf_var.h: revision 1.10
sys/net/npf/npf_state.c: revision 1.23
sys/net/npf/npf_conn.h: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.64
usr.sbin/npf/npfctl/npf_cmd.c: revision 1.1
sys/net/npf/npf_portmap.c: revision 1.5
sys/net/npf/npf_params.c: revision 1.3
usr.sbin/npf/npfctl/npf_scan.l: revision 1.32
tests/net/npf/t_npf.sh: revision 1.4
sys/net/npf/npf_ext_rndblock.c: revision 1.9
lib/libnpf/npf.h: revision 1.39
sys/net/npf/npf_ruleset.c: revision 1.51
sys/net/npf/npf_alg_icmp.c: revision 1.33
sys/net/npf/npf.c: revision 1.43
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.8: revision 1.25
sys/net/npf/npf_ctl.c: revision 1.60
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.11
sys/net/npf/npf_handler.c: revision 1.49
sys/net/npf/npf_inet.c: revision 1.57
sys/net/npf/npf_ifaddr.c: revision 1.7
sys/net/npf/npf_conndb.c: revision 1.9
sys/net/npf/npf_if.c: revision 1.13
usr.sbin/npf/npfctl/Makefile: revision 1.15
sys/net/npf/npf_conn.c: revision 1.32
sys/net/npf/npf_ext_normalize.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.20
sys/net/npf/npf_worker.c: revision 1.8

Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.

npf_worker_sys{init,fini}: initialize/destroy the exit_cv condvar.

npftest -- npf_test_init(): add a workaround for NetBSD.

npf-params(7): fix the state.key defaults.

npf-params.7: s/filer/filter/

Adjust to "npfctl debug" command line changes, from rmind@.

Use more markup.
 1.6.4.1 13-Aug-2019  martin Pull up following revision(s) (requested by rmind in ticket #49):

usr.sbin/npf/npf.7: revision 1.7
sys/net/npf/npfkern.h: revision 1.4
sys/net/npf/npf_conn.h: revision 1.18
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.13
sys/net/npf/npf_ctl.c: revision 1.55
sys/net/npf/npf_os.c: revision 1.14
sys/net/npf/npf_conf.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/npf_perf_test.c: revision 1.9
sys/net/npf/npf_impl.h: revision 1.76
sys/net/npf/npf_portmap.c: revision 1.4
sys/net/npf/npf_params.c: revision 1.2
sys/net/npf/npf.c: revision 1.40
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.18
sys/net/npf/npf_nat.c: revision 1.47
sys/net/npf/npf_handler.c: revision 1.47
sys/net/npf/npf_inet.c: revision 1.55
sys/net/npf/npf_if.c: revision 1.10
sys/net/npf/npf_worker.c: revision 1.7
usr.sbin/npf/npf-params.7: revision 1.3

npf-params(7): add more bpf.jit details.
From David H. Gutteridge.

Adjust some internal NPF APIs:
* npfkern: use the npfk_ prefix.
* NPF portmap: amend the API so it could be used elsewhere.
* Make npf_connkey_t public.

npf.7: add xref to npf-params.7
(Adding directly here since this particular file isn't included in
rmind@'s upstream GitHub repo at present.)
 1.6 01-Jul-2025  joe kernel code for layer 2 filtering in NPF

reviewed by christos@
 1.5 30-May-2020  rmind branches: 1.5.26;
Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.

- Amend and improve the manual pages.
 1.4 11-Aug-2019  rmind Adjust some internal NPF APIs:
* npfkern: use the npfk_ prefix.
* NPF portmap: amend the API so it could be used elsewhere.
* Make npf_connkey_t public.
 1.3 23-Jul-2019  rmind branches: 1.3.2;
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.
 1.2 29-Sep-2018  rmind NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.

Thanks to christos@ for extra testing.
 1.1 26-Dec-2016  christos branches: 1.1.2; 1.1.6; 1.1.18; 1.1.20; 1.1.22;
Sync NPF with the version on github: backport standalone NPF changes,
which allow us to create and run separate NPF instances. Minor fixes.
(from rmind@)
 1.1.22.2 13-Apr-2020  martin Mostly merge changes from HEAD upto 20200411
 1.1.22.1 10-Jun-2019  christos Sync with HEAD
 1.1.20.1 30-Sep-2018  pgoyette Ssync with HEAD
 1.1.18.2 03-Dec-2017  jdolecek update from HEAD
 1.1.18.1 26-Dec-2016  jdolecek file npfkern.h was added on branch tls-maxphys on 2017-12-03 11:39:03 +0000
 1.1.6.2 05-Feb-2017  skrll Sync with HEAD
 1.1.6.1 26-Dec-2016  skrll file npfkern.h was added on branch nick-nhusb on 2017-02-05 13:40:58 +0000
 1.1.2.2 07-Jan-2017  pgoyette Sync with HEAD. (Note that most of these changes are simply $NetBSD$
tag issues.)
 1.1.2.1 26-Dec-2016  pgoyette file npfkern.h was added on branch pgoyette-localcount on 2017-01-07 08:56:50 +0000
 1.3.2.2 20-Jun-2020  martin Pull up following revision(s) (requested by rmind in ticket #956):

usr.sbin/npf/npf-params.7: revision 1.4
sys/net/npf/npf_worker.c: revision 1.9
usr.sbin/npf/npftest/npftest.h: revision 1.17
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.16
usr.sbin/npf/npf-params.7: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.21
usr.sbin/npf/npfctl/npf_build.c: revision 1.55
usr.sbin/npf/npf-params.7: revision 1.6
sys/net/npf/npfkern.h: revision 1.5
lib/libnpf/npf.c: revision 1.49
usr.sbin/npf/npf-params.7: revision 1.7
sys/net/npf/npf_impl.h: revision 1.81
sys/net/npf/npf_ext_log.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.h: revision 1.53
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.50
sys/net/npf/npf_mbuf.c: revision 1.24
sys/net/npf/npf_alg.c: revision 1.22
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: file removal
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.10
sys/net/npf/npf.h: revision 1.63
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.21
usr.sbin/npf/npfctl/npf_var.c: revision 1.13
sys/net/npf/files.npf: revision 1.23
usr.sbin/npf/npfctl/npf_show.c: revision 1.32
usr.sbin/npf/npfctl/npf.conf.5: revision 1.91
sys/net/npf/npf_os.c: revision 1.18
sys/net/npf/npf_connkey.c: revision 1.2
sys/net/npf/npf_conf.c: revision 1.17
lib/libnpf/libnpf.3: revision 1.12
usr.sbin/npf/npftest/npftest.c: revision 1.25
usr.sbin/npf/npftest/libnpftest/npf_gc_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.51
sys/net/npf/npf_tableset.c: revision 1.35
usr.sbin/npf/npftest/npftest.conf: revision 1.9
sys/net/npf/npf_sendpkt.c: revision 1.22
usr.sbin/npf/npfctl/npf_var.h: revision 1.10
sys/net/npf/npf_state.c: revision 1.23
sys/net/npf/npf_conn.h: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.64
usr.sbin/npf/npfctl/npf_cmd.c: revision 1.1
sys/net/npf/npf_portmap.c: revision 1.5
sys/net/npf/npf_params.c: revision 1.3
usr.sbin/npf/npfctl/npf_scan.l: revision 1.32
tests/net/npf/t_npf.sh: revision 1.4
sys/net/npf/npf_ext_rndblock.c: revision 1.9
lib/libnpf/npf.h: revision 1.39
sys/net/npf/npf_ruleset.c: revision 1.51
sys/net/npf/npf_alg_icmp.c: revision 1.33
sys/net/npf/npf.c: revision 1.43
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.8: revision 1.25
sys/net/npf/npf_ctl.c: revision 1.60
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.11
sys/net/npf/npf_handler.c: revision 1.49
sys/net/npf/npf_inet.c: revision 1.57
sys/net/npf/npf_ifaddr.c: revision 1.7
sys/net/npf/npf_conndb.c: revision 1.9
sys/net/npf/npf_if.c: revision 1.13
usr.sbin/npf/npfctl/Makefile: revision 1.15
sys/net/npf/npf_conn.c: revision 1.32
sys/net/npf/npf_ext_normalize.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.20
sys/net/npf/npf_worker.c: revision 1.8

Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.

npf_worker_sys{init,fini}: initialize/destroy the exit_cv condvar.

npftest -- npf_test_init(): add a workaround for NetBSD.

npf-params(7): fix the state.key defaults.

npf-params.7: s/filer/filter/

Adjust to "npfctl debug" command line changes, from rmind@.

Use more markup.
 1.3.2.1 13-Aug-2019  martin Pull up following revision(s) (requested by rmind in ticket #49):

usr.sbin/npf/npf.7: revision 1.7
sys/net/npf/npfkern.h: revision 1.4
sys/net/npf/npf_conn.h: revision 1.18
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.13
sys/net/npf/npf_ctl.c: revision 1.55
sys/net/npf/npf_os.c: revision 1.14
sys/net/npf/npf_conf.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/npf_perf_test.c: revision 1.9
sys/net/npf/npf_impl.h: revision 1.76
sys/net/npf/npf_portmap.c: revision 1.4
sys/net/npf/npf_params.c: revision 1.2
sys/net/npf/npf.c: revision 1.40
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.16
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.18
sys/net/npf/npf_nat.c: revision 1.47
sys/net/npf/npf_handler.c: revision 1.47
sys/net/npf/npf_inet.c: revision 1.55
sys/net/npf/npf_if.c: revision 1.10
sys/net/npf/npf_worker.c: revision 1.7
usr.sbin/npf/npf-params.7: revision 1.3

npf-params(7): add more bpf.jit details.
From David H. Gutteridge.

Adjust some internal NPF APIs:
* npfkern: use the npfk_ prefix.
* NPF portmap: amend the API so it could be used elsewhere.
* Make npf_connkey_t public.

npf.7: add xref to npf-params.7
(Adding directly here since this particular file isn't included in
rmind@'s upstream GitHub repo at present.)
 1.5.26.1 02-Aug-2025  perseant Sync with HEAD

RSS XML Feed