tech-net archive


IPFilter 5.1.1 imported into current



Today I imported IPFilter 5.1.1 into HEAD. At the time of the
import, GENERIC compiled cleanly on i386... where to begin...

Firstly, there are kernel interface changes from 4.1.34 to 5.1.1.
Some of this can be managed, some of it cannot as the changes
are behavioural and not simply data structures. If you install a
new kernel on an old host, ipf and ipnat should continue to load
their respective configuration files fine. If they do not, please
file a bug and let me know. Using the old binaries for ipfstat and
ipnat will result in corrupted output when you list the rules.

What changes with 5.1.1...

To start with, the man pages for ipf(5) and ipnat(5) have been
rewritten from scratch to make them easier to understand and
thus easier to use the various features in IPFilter. In addition
there is now an ipmon(5) that supports delivery of log messages to
different destinations - including generating SNMP traps messages.

There are a few new actions that can be used with ipnat.conf. The
one that will be of most interest to people is "rewrite" which
supports translation of both the source and destination address
with a single rule. Use of an rdr/map combination is no longer
required. There are also some others that are more experimental.
One of those is a "divert" action that takes a packet and puts an
IP + UDP header on the front, allowing "raw packets" to be delivered
to any socket. Similarly, replies from that socket have the relevant
header data removed.

There are a few extras for ipf.conf, most notably it now allows
for defining limits on how many different hosts/networks can have
a state entry in the state table for each rule. IPFilter 5.1.1 also
supports specifying a filter rule group for the filtering of ICMP
packets that match an entry in the state table. Additionally, there
is a new rule - "decapsulate". This has been designed to allow
filtering on "inner headers" of packets that have been encapsulated
in clear text. It will, for example, allow filtering on IPv4 headers
inside of IPv6 packets (or vice versa).
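To make concrete what "filtering on inner headers" means for the decapsulate rule, here is an added user-space illustration (not IPFilter code; IPFilter does this in the kernel) that parses the outer IP header of a packet, and when the outer protocol is 4 (IPv4-in-IPv6) or 41 (IPv6-in-IPv4), parses the inner header as well so a decision can be made on the inner addresses. The packet builders and sample packets are constructed for this example, header checksums are left zero, and IPv6 extension headers are not walked.

```python
"""Decapsulate IPv4-in-IPv6 and IPv6-in-IPv4 packets carried in clear text.

Added example: shows the 'inner header' view that a decapsulate-style
filter rule acts on. Not IPFilter code; sample packets are constructed.
"""
import ipaddress
import struct

PROTO_IPV4 = 4    # protocol / next-header value for an encapsulated IPv4 packet
PROTO_TCP = 6
PROTO_IPV6 = 41   # protocol value for an encapsulated IPv6 packet (6in4)


def parse_ip_header(pkt):
    """Return (version, proto, src, dst, payload) for a bare IPv4 or IPv6 packet.

    Only the fixed header is decoded; IPv6 extension headers are not walked.
    """
    if not pkt:
        raise ValueError("empty packet")
    version = pkt[0] >> 4
    if version == 4:
        if len(pkt) < 20:
            raise ValueError("short IPv4 header")
        ihl = (pkt[0] & 0x0F) * 4
        total_len = struct.unpack("!H", pkt[2:4])[0]
        if ihl < 20 or total_len < ihl or total_len > len(pkt):
            raise ValueError("bad IPv4 length fields")
        src = ipaddress.IPv4Address(pkt[12:16])
        dst = ipaddress.IPv4Address(pkt[16:20])
        return (4, pkt[9], src, dst, pkt[ihl:total_len])
    if version == 6:
        if len(pkt) < 40:
            raise ValueError("short IPv6 header")
        payload_len = struct.unpack("!H", pkt[4:6])[0]
        if 40 + payload_len > len(pkt):
            raise ValueError("IPv6 payload length exceeds packet")
        src = ipaddress.IPv6Address(pkt[8:24])
        dst = ipaddress.IPv6Address(pkt[24:40])
        return (6, pkt[6], src, dst, pkt[40:40 + payload_len])
    raise ValueError("unknown IP version %d" % version)


def decapsulate(pkt):
    """Describe the outer header and, if present, the clear-text inner header.

    Returns {"outer": (ver, proto, src, dst), "inner": same tuple or None}.
    """
    over, oproto, osrc, odst, payload = parse_ip_header(pkt)
    result = {"outer": (over, oproto, str(osrc), str(odst)), "inner": None}
    if oproto in (PROTO_IPV4, PROTO_IPV6):
        iver, iproto, isrc, idst, _ = parse_ip_header(payload)
        expected = 4 if oproto == PROTO_IPV4 else 6
        if iver != expected:
            raise ValueError("inner version %d does not match outer proto %d"
                             % (iver, oproto))
        result["inner"] = (iver, iproto, str(isrc), str(idst))
    return result


def inner_dst_in(pkt, network):
    """True when the decapsulated inner destination lies inside `network`.

    A filter that looks only at the outer header would see the tunnel
    endpoint, not this address, which is the gap decapsulation closes.
    """
    inner = decapsulate(pkt)["inner"]
    if inner is None:
        return False
    return ipaddress.ip_address(inner[3]) in ipaddress.ip_network(network)


# --- constructed sample packets (checksums left zero; for parsing only) ---

def build_ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_ipv6(src, dst, nxt, payload):
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), nxt, 64,
                      ipaddress.IPv6Address(src).packed,
                      ipaddress.IPv6Address(dst).packed)
    return hdr + payload


DUMMY_TCP = b"\x00" * 20  # placeholder transport header; contents irrelevant here
SAMPLE_4IN6 = build_ipv6("2001:db8::1", "2001:db8::2", PROTO_IPV4,
                         build_ipv4("10.0.0.1", "192.0.2.7", PROTO_TCP, DUMMY_TCP))
SAMPLE_6IN4 = build_ipv4("198.51.100.1", "198.51.100.2", PROTO_IPV6,
                         build_ipv6("2001:db8:1::1", "2001:db8:2::1", PROTO_TCP, DUMMY_TCP))
SAMPLE_PLAIN = build_ipv4("10.0.0.1", "192.0.2.7", PROTO_TCP, DUMMY_TCP)

if __name__ == "__main__":
    for name, pkt in (("4in6", SAMPLE_4IN6), ("6in4", SAMPLE_6IN4), ("plain", SAMPLE_PLAIN)):
        print(name, decapsulate(pkt), inner_dst_in(pkt, "192.0.2.0/24"))
```

The point of `inner_dst_in` is the one the rule addresses: on `SAMPLE_4IN6` the outer header shows only the IPv6 tunnel endpoints, and a rule written against 192.0.2.0/24 can only match once the IPv4 header inside has been exposed.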

It is no longer required to have a separate ipf6.conf file. Both
IPv4 and IPv6 packets can be used in the same file. For those that
have separate files today, they should not interfere with each other
unless you have "block in all" for IPv4 and "pass in all" for IPv6
or similar. In that case, the "block in all" will affect IPv6 traffic.
This is a reflection of the internal design where there is now only
a single list of filter rules, not one for each protocol. Check the
man page for ipf.conf for more details.

One of the less tangible problems I've tried to address with 5.1.1
has been that of error messages resulting from interactions with the
kernel. The problem of cryptic errors from the parser and other
aspects of IPFilter will remain the target of future work.

To make diagnosing problems easier, there are now somewhat expanded
statistics available from ipfstat and ipnat.

If you're building a kernel, you will need to re-run "config" as there
have been changes to sys/netinet/ipfilter.files.

And finally, there was at least one issue in the update that didn't
occur in dry-runs, so there may be a bit of extra work left but I
will be around if there are any significant problems that I've missed.

Darren


