pf: fix parallel build

branches: 1.9.58;
Add support for pfs(8)

pfs(8) is a tool similar to ipfs(8) but for pf(4). It allows the admin to
dump internal configuration of pf, and restore at a latter point, after a
maintenance reboot for example, in a transparent way for user.

This work has been done mostly during my GSoC 2009

No objections on tech-net@

merge yamt-pf42 branch.
(import newer pf from OpenBSD 4.2)

ok'ed by peter@. requested by core@

branches: 1.7.18; 1.7.20;
pf needs to be started after the network is up, because some pf rules
derive IP address(es) from the interface (e.g "... from any to fxp0").
This however, creates window for possible attacks from the network.

Implement the solution proposed by YAMAMOTO Takashi:
Add /etc/defaults/pf.boot.conf and load it with the /etc/rc.d/pf_boot
script before starting the network. People who don't like the default
rules can override it with their own /etc/pf.boot.conf.
The default rules have been obtained from OpenBSD.

No objections on: tech-security

Remove (pf)spamd. Its right to exist in NetBSD has been questioned since it
appeared and whether it's really part of pf or not is still unclear. Looking
at the other *BSDs it seems that they have left out spamd when importing pf,
and now we do that too. Also, the name conflicted with another more popular
used tool, after the rename to pfspamd it was left with completely unusable
documentation which apparently no-one wanted to fix.

A port of the latest spamd will be imported into pkgsrc soon.

Suggested by several people, no objections on last proposal on tech-userlevel.

Enable pflogd(8).

branches: 1.4.2;
Install pf(4) examples. Reviewed by yamt@.
Thanks to hubertf@ for the reminder.

handle configinstall target correctly.

merge after importing pf from openbsd 3.6. (userland part)

some files were imported to the different places from the previous version.
v3_5:
etc/pf.conf
etc/pf.os
etc/spamd.conf
share/man/man4/pf.4
share/man/man4/pflog.4
share/man/man5/pf.conf.5
share/man/man5/pf.os.5
share/man/man5/spamd.conf.5
v3_6:
dist/pf/etc/pf.conf
dist/pf/etc/pf.os
dist/pf/etc/spamd.conf
dist/pf/share/man/man4/pf.4
dist/pf/share/man/man4/pflog.4
dist/pf/share/man/man5/pf.conf.5
dist/pf/share/man/man5/pf.os.5
dist/pf/share/man/man5/spamd.conf.5

move pf reachover makefiles into usr.sbin/pf. ok'ed by itojun.

before:
sbin/pfctl
usr.sbin/authpf
usr.sbin/spamdb
libexec/ftp-proxy
libexec/spamd
libexec/spamd-setup
libexec/spamlogd
after:
usr.sbin/pf/pfctl
usr.sbin/pf/authpf
usr.sbin/pf/spamdb
usr.sbin/pf/ftp-proxy
usr.sbin/pf/spamd
usr.sbin/pf/spamd-setup
usr.sbin/pf/spamlogd

adapt to ${CC_WNO_ADDRESS_OF_PACKED_MEMBER}

Simplify CWARNFLAGS to use ${CC_WNO_ADDRESS_OF_PACKED_MEMBER}
which works for both clang and gcc, and remove compiler-specific
equivalents.

bsd.own.mk: rename to CC_WNO_ADDRESS_OF_PACKED_MEMBER

Provide a single variable
CC_WNO_ADDRESS_OF_PACKED_MEMBER
with options for both clang and gcc, to replace
CLANG_NO_ADDR_OF_PACKED_MEMBER
CC_NO_ADDR_OF_PACKED_MEMBER
GCC_NO_ADDR_OF_PACKED_MEMBER

Using the convention CC_compilerflag, where compilerflag
is based on the full compiler flag name.

add support for new GCC 9 warnings that may be too much to fix
right now. new address-of-packed-member and format-overflow
warnings have new GCC_NO_ADDR_OF_PACKED_MEMBER amd
GCC_NO_FORMAT_OVERFLOW variables to remove these warnings.

apply to a bunch of the tree. mostly, these are real bugs that
should be fixed, but in many cases, only by removing the 'packed'
attribute from some structure that doesn't really need it. (i
looked at many different ones, and while perhaps 60-80% were
already properly aligned, it wasn't clear to me that the uses
were always coming from sane data vs network alignment, so it
doesn't seem safe to remove packed without careful research for
each affect struct.) clang already warned (and was not erroring)
for many of these cases, but gcc picked up dozens more.

Disable a couple of warnings until further investigation.

branches: 1.9.2;
use strtonum from libc

Default to -Wno-sign-compare -Wno-pointer-sign for clang.
Push -Wno-array-bounds down to the cases that depend on it.
Selectively disable warnings for 3rd party software or non-trivial
issues to be reviewed later to get clang -Werror to build most of the
tree.

WARNS=1 for pf

Enable WARNS=4 by default, except for:
cpuctl dumplfs hprop ipf iprop-log kadmin kcm kdc kdigest
kimpersonate kstash ktutil makefs ndbootd ntp pppd quot
racoon racoonctl rtadvd sntp sup tcpdchk tcpdmatch tcpdump
traceroute traceroute6 user veriexecgen wsmoused zic
(Mostly third-party applications)

branches: 1.5.20;
Add new Makefile knob, USE_FORT, which extends USE_SSP by turning on the
FORTIFY_SOURCE feature of libssp, thus checking the size of arguments to
various string and memory copy and set functions (as well as a few system
calls and other miscellany) where known at function entry. RedHat has
evidently built all "core system packages" with this option for some time.

This option should be used at the top of Makefiles (or Makefile.inc where
this is used for subdirectories) but after any setting of LIB.

This is only useful for userland code, and cannot be used in libc or in
any code which includes the libc internals, because it overrides certain
libc functions with macros. Some effort has been made to make USE_FORT=yes
work correctly for a full-system build by having the bsd.sys.mk logic
disable the feature where it should not be used (libc, libssp iteself,
the kernel) but no attempt has been made to build the entire system with
USE_FORT and doing so will doubtless expose numerous bugs and misfeatures.

Adjust the system build so that all programs and libraries that are setuid,
directly handle network data (including serial comm data), perform
authentication, or appear likely to have (or have a history of having)
data-driven bugs (e.g. file(1)) are built with USE_FORT=yes by default,
with the exception of libc, which cannot use USE_FORT and thus uses
only USE_SSP by default. Tested on i386 with no ill results; USE_FORT=no
per-directory or in a system build will disable if desired.

don't use variable arg macro, which is not supported by gcc2.

merge after importing pf from openbsd 3.6. (userland part)

some files were imported to the different places from the previous version.
v3_5:
etc/pf.conf
etc/pf.os
etc/spamd.conf
share/man/man4/pf.4
share/man/man4/pflog.4
share/man/man5/pf.conf.5
share/man/man5/pf.os.5
share/man/man5/spamd.conf.5
v3_6:
dist/pf/etc/pf.conf
dist/pf/etc/pf.os
dist/pf/etc/spamd.conf
dist/pf/share/man/man4/pf.4
dist/pf/share/man/man4/pflog.4
dist/pf/share/man/man5/pf.conf.5
dist/pf/share/man/man5/pf.os.5
dist/pf/share/man/man5/spamd.conf.5

move common fragments into Makefile.inc.

move pf reachover makefiles into usr.sbin/pf. ok'ed by itojun.

before:
sbin/pfctl
usr.sbin/authpf
usr.sbin/spamdb
libexec/ftp-proxy
libexec/spamd
libexec/spamd-setup
libexec/spamlogd
after:
usr.sbin/pf/pfctl
usr.sbin/pf/authpf
usr.sbin/pf/spamdb
usr.sbin/pf/ftp-proxy
usr.sbin/pf/spamd
usr.sbin/pf/spamd-setup
usr.sbin/pf/spamlogd

use strtonum from libc

no need for the end macros anymore

branches: 1.5.2; 1.5.24;
merge yamt-pf42 branch.
(import newer pf from OpenBSD 4.2)

ok'ed by peter@. requested by core@

branches: 1.4.16; 1.4.18;
remove openlog_r/syslog_r; we now have it.

Add a small replacement for strtonum().

copyright notice.

don't use variable arg macro, which is not supported by gcc2.

merge after importing pf from openbsd 3.6. (userland part)

some files were imported to the different places from the previous version.
v3_5:
etc/pf.conf
etc/pf.os
etc/spamd.conf
share/man/man4/pf.4
share/man/man4/pflog.4
share/man/man5/pf.conf.5
share/man/man5/pf.os.5
share/man/man5/spamd.conf.5
v3_6:
dist/pf/etc/pf.conf
dist/pf/etc/pf.os
dist/pf/etc/spamd.conf
dist/pf/share/man/man4/pf.4
dist/pf/share/man/man4/pflog.4
dist/pf/share/man/man5/pf.conf.5
dist/pf/share/man/man5/pf.os.5
dist/pf/share/man/man5/spamd.conf.5

move pf reachover makefiles into usr.sbin/pf. ok'ed by itojun.

before:
sbin/pfctl
usr.sbin/authpf
usr.sbin/spamdb
libexec/ftp-proxy
libexec/spamd
libexec/spamd-setup
libexec/spamlogd
after:
usr.sbin/pf/pfctl
usr.sbin/pf/authpf
usr.sbin/pf/spamdb
usr.sbin/pf/ftp-proxy
usr.sbin/pf/spamd
usr.sbin/pf/spamd-setup
usr.sbin/pf/spamlogd

Install /etc/pf.os with 444 permissions.
Modify postinstall(8) to always upgrade /etc/pf.os.

Suggested by Luke Mewburn in PR/35188.

branches: 1.2.20;
Remove (pf)spamd. Its right to exist in NetBSD has been questioned since it
appeared and whether it's really part of pf or not is still unclear. Looking
at the other *BSDs it seems that they have left out spamd when importing pf,
and now we do that too. Also, the name conflicted with another more popular
used tool, after the rename to pfspamd it was left with completely unusable
documentation which apparently no-one wanted to fix.

A port of the latest spamd will be imported into pkgsrc soon.

Suggested by several people, no objections on last proposal on tech-userlevel.

branches: 1.1.2;
merge after importing pf from openbsd 3.6. (userland part)

some files were imported to the different places from the previous version.
v3_5:
etc/pf.conf
etc/pf.os
etc/spamd.conf
share/man/man4/pf.4
share/man/man4/pflog.4
share/man/man5/pf.conf.5
share/man/man5/pf.os.5
share/man/man5/spamd.conf.5
v3_6:
dist/pf/etc/pf.conf
dist/pf/etc/pf.os
dist/pf/etc/spamd.conf
dist/pf/share/man/man4/pf.4
dist/pf/share/man/man4/pflog.4
dist/pf/share/man/man5/pf.conf.5
dist/pf/share/man/man5/pf.os.5
dist/pf/share/man/man5/spamd.conf.5

branches: 1.1.2;
pf needs to be started after the network is up, because some pf rules
derive IP address(es) from the interface (e.g "... from any to fxp0").
This however, creates window for possible attacks from the network.

Implement the solution proposed by YAMAMOTO Takashi:
Add /etc/defaults/pf.boot.conf and load it with the /etc/rc.d/pf_boot
script before starting the network. People who don't like the default
rules can override it with their own /etc/pf.boot.conf.
The default rules have been obtained from OpenBSD.

No objections on: tech-security

pf.boot.conf: remove lingering references to dhclient(8), and while
here, capitalize acronyms. Addresses part of PR misc/53669.

branches: 1.4.10;
Enable carp packets early during boot, to avoid gratuitous failovers.

Okayed by christos@

Use "ipv6-icmp" instead of "icmp6" to allow loading these rules again.
Patch supplied by Daniel Horecki in PR bin/36874.

branches: 1.2.10;
Fix mispelling in a comment.

branches: 1.1.2;
pf needs to be started after the network is up, because some pf rules
derive IP address(es) from the interface (e.g "... from any to fxp0").
This however, creates window for possible attacks from the network.

Implement the solution proposed by YAMAMOTO Takashi:
Add /etc/defaults/pf.boot.conf and load it with the /etc/rc.d/pf_boot
script before starting the network. People who don't like the default
rules can override it with their own /etc/pf.boot.conf.
The default rules have been obtained from OpenBSD.

No objections on: tech-security

Remove (pf)spamd. Its right to exist in NetBSD has been questioned since it
appeared and whether it's really part of pf or not is still unclear. Looking
at the other *BSDs it seems that they have left out spamd when importing pf,
and now we do that too. Also, the name conflicted with another more popular
used tool, after the rename to pfspamd it was left with completely unusable
documentation which apparently no-one wanted to fix.

A port of the latest spamd will be imported into pkgsrc soon.

Suggested by several people, no objections on last proposal on tech-userlevel.

branches: 1.1.2;
Install pf(4) examples. Reviewed by yamt@.
Thanks to hubertf@ for the reminder.

sync with reality

branches: 1.8.30;
Disable -DWITH_NPF for now; will be converted to BPF mechanism.

does not need -I${NETBSDSRCDIR}/sys/dist/ipf here, the include files
are installed in /usr/include/netinet

branches: 1.6.4; 1.6.6; 1.6.10;
Fix sun2 builds. Noted by joerg@.

NPF checkpoint:
- Add libnpf(3) - a library to control NPF (configuration, ruleset, etc).
- Add NPF support for ftp-proxy(8).
- Add rc.d script for NPF.
- Convert npfctl(8) to use libnpf(3) and thus make it less depressive.
Note: next clean-up step should be a parser, once dholland@ will finish it.
- Add more documentation.
- Various fixes.

branches: 1.4.2;
Enable WARNS=4 by default, except for:
cpuctl dumplfs hprop ipf iprop-log kadmin kcm kdc kdigest
kimpersonate kstash ktutil makefs ndbootd ntp pppd quot
racoon racoonctl rtadvd sntp sup tcpdchk tcpdmatch tcpdump
traceroute traceroute6 user veriexecgen wsmoused zic
(Mostly third-party applications)

branches: 1.3.6;
merge yamt-pf42 branch.
(import newer pf from OpenBSD 4.2)

ok'ed by peter@. requested by core@

branches: 1.2.24; 1.2.26;
Add MKIPFILTER; if set to no, don't build and install the ipf(4) programs,
headers and LKM.

Add MKPF; if set to no, don't build and install the pf(4) programs,
headers, LKM and spamd.

Both options default to yes, so nothing changed in the default build.

Reviewed by lukem.

move pf reachover makefiles into usr.sbin/pf. ok'ed by itojun.

before:
sbin/pfctl
usr.sbin/authpf
usr.sbin/spamdb
libexec/ftp-proxy
libexec/spamd
libexec/spamd-setup
libexec/spamlogd
after:
usr.sbin/pf/pfctl
usr.sbin/pf/authpf
usr.sbin/pf/spamdb
usr.sbin/pf/ftp-proxy
usr.sbin/pf/spamd
usr.sbin/pf/spamd-setup
usr.sbin/pf/spamlogd

merge after importing pf from openbsd 3.6. (userland part)

some files were imported to the different places from the previous version.
v3_5:
etc/pf.conf
etc/pf.os
etc/spamd.conf
share/man/man4/pf.4
share/man/man4/pflog.4
share/man/man5/pf.conf.5
share/man/man5/pf.os.5
share/man/man5/spamd.conf.5
v3_6:
dist/pf/etc/pf.conf
dist/pf/etc/pf.os
dist/pf/etc/spamd.conf
dist/pf/share/man/man4/pf.4
dist/pf/share/man/man4/pflog.4
dist/pf/share/man/man5/pf.conf.5
dist/pf/share/man/man5/pf.os.5
dist/pf/share/man/man5/spamd.conf.5

Import pfsync support from OpenBSD 4.2

Pfsync interface exposes change in the pf(4) over a pseudo-interface, and can
be used to synchronise different pf.

This work was part of my 2009 GSoC

No objection on tech-net@

merge after importing pf from openbsd 3.6. (userland part)

some files were imported to the different places from the previous version.
v3_5:
etc/pf.conf
etc/pf.os
etc/spamd.conf
share/man/man4/pf.4
share/man/man4/pflog.4
share/man/man5/pf.conf.5
share/man/man5/pf.os.5
share/man/man5/spamd.conf.5
v3_6:
dist/pf/etc/pf.conf
dist/pf/etc/pf.os
dist/pf/etc/spamd.conf
dist/pf/share/man/man4/pf.4
dist/pf/share/man/man4/pflog.4
dist/pf/share/man/man5/pf.conf.5
dist/pf/share/man/man5/pf.os.5
dist/pf/share/man/man5/spamd.conf.5

pf needs to be started after the network is up, because some pf rules
derive IP address(es) from the interface (e.g "... from any to fxp0").
This however, creates window for possible attacks from the network.

Implement the solution proposed by YAMAMOTO Takashi:
Add /etc/defaults/pf.boot.conf and load it with the /etc/rc.d/pf_boot
script before starting the network. People who don't like the default
rules can override it with their own /etc/pf.boot.conf.
The default rules have been obtained from OpenBSD.

No objections on: tech-security

Remove (pf)spamd. Its right to exist in NetBSD has been questioned since it
appeared and whether it's really part of pf or not is still unclear. Looking
at the other *BSDs it seems that they have left out spamd when importing pf,
and now we do that too. Also, the name conflicted with another more popular
used tool, after the rename to pfspamd it was left with completely unusable
documentation which apparently no-one wanted to fix.

A port of the latest spamd will be imported into pkgsrc soon.

Suggested by several people, no objections on last proposal on tech-userlevel.

Remove copy of manual page created during build.

spamd.conf is now pfspamd.conf.

branches: 1.1.2;
merge after importing pf from openbsd 3.6. (userland part)

some files were imported to the different places from the previous version.
v3_5:
etc/pf.conf
etc/pf.os
etc/spamd.conf
share/man/man4/pf.4
share/man/man4/pflog.4
share/man/man5/pf.conf.5
share/man/man5/pf.os.5
share/man/man5/spamd.conf.5
v3_6:
dist/pf/etc/pf.conf
dist/pf/etc/pf.os
dist/pf/etc/spamd.conf
dist/pf/share/man/man4/pf.4
dist/pf/share/man/man4/pflog.4
dist/pf/share/man/man5/pf.conf.5
dist/pf/share/man/man5/pf.os.5
dist/pf/share/man/man5/spamd.conf.5

branches: 1.1.2;
pf needs to be started after the network is up, because some pf rules
derive IP address(es) from the interface (e.g "... from any to fxp0").
This however, creates window for possible attacks from the network.

Implement the solution proposed by YAMAMOTO Takashi:
Add /etc/defaults/pf.boot.conf and load it with the /etc/rc.d/pf_boot
script before starting the network. People who don't like the default
rules can override it with their own /etc/pf.boot.conf.
The default rules have been obtained from OpenBSD.

No objections on: tech-security

bsd.own.mk: rename GCC_NO_* to CC_WNO_*

Rename compiler-warning-disable variables from
GCC_NO_warning
to
CC_WNO_warning
where warning is the full warning name as used by the compiler.

GCC_NO_IMPLICIT_FALLTHRU is CC_WNO_IMPLICIT_FALLTHROUGH

Using the convention CC_compilerflag, where compilerflag
is based on the full compiler flag name.

add some new uses of existing GCC_NO_* variables for warning issues.
remove an no longer relevant for gcc7 workaround (works fine in both
gcc9 and gcc 10.)

merge yamt-pf42 branch.
(import newer pf from OpenBSD 4.2)

ok'ed by peter@. requested by core@

branches: 1.3.24; 1.3.26;
merge after importing pf from openbsd 3.6. (userland part)

some files were imported to the different places from the previous version.
v3_5:
etc/pf.conf
etc/pf.os
etc/spamd.conf
share/man/man4/pf.4
share/man/man4/pflog.4
share/man/man5/pf.conf.5
share/man/man5/pf.os.5
share/man/man5/spamd.conf.5
v3_6:
dist/pf/etc/pf.conf
dist/pf/etc/pf.os
dist/pf/etc/spamd.conf
dist/pf/share/man/man4/pf.4
dist/pf/share/man/man4/pflog.4
dist/pf/share/man/man5/pf.conf.5
dist/pf/share/man/man5/pf.os.5
dist/pf/share/man/man5/spamd.conf.5

move common fragments into Makefile.inc.

move pf reachover makefiles into usr.sbin/pf. ok'ed by itojun.

before:
sbin/pfctl
usr.sbin/authpf
usr.sbin/spamdb
libexec/ftp-proxy
libexec/spamd
libexec/spamd-setup
libexec/spamlogd
after:
usr.sbin/pf/pfctl
usr.sbin/pf/authpf
usr.sbin/pf/spamdb
usr.sbin/pf/ftp-proxy
usr.sbin/pf/spamd
usr.sbin/pf/spamd-setup
usr.sbin/pf/spamlogd

don't include pcap/bpf.h

branches: 1.5.6;
fix build.

compile a file with -Wno-stack-protector since it is using __cmsg_alignbytes()
for a variable on the stack.

Build libpcap-0.9.4 from src/dist.
While there are some open issues, particulary wrt support of old
NetBSD-specific interfaces, it is better to get the code some public
testing before NetBSD-4 is branched.

Change BINDIR to /sbin and support MKDYNAMICROOT.

Add build glue for pflogd(8).

Add support for pfs(8)

pfs(8) is a tool similar to ipfs(8) but for pf(4). It allows the admin to
dump internal configuration of pf, and restore at a latter point, after a
maintenance reboot for example, in a transparent way for user.

This work has been done mostly during my GSoC 2009

No objections on tech-net@

s/enougth/enough/

lineno, states and allocated should be owned by the parser

fix unused variable warnings.

branches: 1.1.6; 1.1.12;
Add support for pfs(8)

pfs(8) is a tool similar to ipfs(8) but for pf(4). It allows the admin to
dump internal configuration of pf, and restore at a latter point, after a
maintenance reboot for example, in a transparent way for user.

This work has been done mostly during my GSoC 2009

No objections on tech-net@

lineno, states and allocated should be owned by the parser

Use __dead

Add support for pfs(8)

pfs(8) is a tool similar to ipfs(8) but for pf(4). It allows the admin to
dump internal configuration of pf, and restore at a latter point, after a
maintenance reboot for example, in a transparent way for user.

This work has been done mostly during my GSoC 2009

No objections on tech-net@

Remove trailing whitespace and dot in Nd.

Add missing license

Sort options, standardize SYNOPSIS, slight rewordings. Use more markup.

Add support for pfs(8)

pfs(8) is a tool similar to ipfs(8) but for pf(4). It allows the admin to
dump internal configuration of pf, and restore at a latter point, after a
maintenance reboot for example, in a transparent way for user.

This work has been done mostly during my GSoC 2009

No objections on tech-net@

improve error messages (remove \n, use __func__, etc)

Add support for pfs(8)

pfs(8) is a tool similar to ipfs(8) but for pf(4). It allows the admin to
dump internal configuration of pf, and restore at a latter point, after a
maintenance reboot for example, in a transparent way for user.

This work has been done mostly during my GSoC 2009

No objections on tech-net@

No input needed

Add support for pfs(8)

pfs(8) is a tool similar to ipfs(8) but for pf(4). It allows the admin to
dump internal configuration of pf, and restore at a latter point, after a
maintenance reboot for example, in a transparent way for user.

This work has been done mostly during my GSoC 2009

No objections on tech-net@

Enable WARNS=4 by default, except for:
cpuctl dumplfs hprop ipf iprop-log kadmin kcm kdc kdigest
kimpersonate kstash ktutil makefs ndbootd ntp pppd quot
racoon racoonctl rtadvd sntp sup tcpdchk tcpdmatch tcpdump
traceroute traceroute6 user veriexecgen wsmoused zic
(Mostly third-party applications)

branches: 1.2.2; 1.2.8;
merge yamt-pf42 branch.
(import newer pf from OpenBSD 4.2)

ok'ed by peter@. requested by core@

branches: 1.1.2;
file Makefile was initially added on branch yamt-pf42.