CVS log for src/usr.sbin/npf/npfctl/Attic/npf_disassemble.c

Up to [cvs.NetBSD.org] / src / usr.sbin / npf / npfctl

Request diff between arbitrary revisions

Keyword substitution: kv
Default branch: MAIN

Rebase to HEAD as of a few days ago.

sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs.  ("Protocol error: too many arguments")

NPF: G/C n-code in favour of BPF byte-code.  Delete lots of code, mmm!

- Convert NPF to use BPF byte-code by default.  Compile BPF byte-code in
  npfctl(8) and generate separate marks to describe the filter criteria.
- Rewrite 'npfctl show' functionality and fix some of the bugs.
- npftest: add a test for BPF COP.
- Bump NPF_VERSION.

resync with head

Pull up following revision(s) (requested by rmind in ticket #829):
	usr.sbin/npf/npfctl/npfctl.8: revision 1.13
	usr.sbin/npf/npfctl/npf_build.c: revision 1.21
	lib/libnpf/npf.c: revision 1.18
	sys/net/npf/npf_ctl.c: revision 1.23
	usr.sbin/npf/npfctl/npfctl.h: revision 1.27
	lib/libnpf/npf.h: revision 1.15
	sys/net/npf/npf_ruleset.c: revision 1.19
	sys/net/npf/npf_impl.h: revision 1.28
	usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.17
	usr.sbin/npf/npfctl/npfctl.c: revision 1.31
	usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.6
- Convert NPF dynamic rule ID to just incremented 64-bit counter.
- Fix multiple bugs.  Also, update the man page.

- Convert NPF dynamic rule ID to just incremented 64-bit counter.
- Fix multiple bugs.  Also, update the man page.

Pull up following revision(s) (requested by rmind in ticket #817):
	usr.sbin/npf/npfctl/npfctl.8: revision 1.12
	usr.sbin/npf/npfctl/npf.conf.5: revision 1.27
	usr.sbin/npf/npfctl/npf_parse.y: revision 1.18
	usr.sbin/npf/npfctl/npf_build.c: revision 1.20
	usr.sbin/npf/npfctl/npfctl.c: revision 1.28
	lib/libnpf/npf.c: revision 1.16
	usr.sbin/npf/npfctl/npfctl.c: revision 1.29
	lib/libnpf/npf.c: revision 1.17
	sys/modules/npf/Makefile: revision 1.12
	sys/net/npf/npf_rproc.c: revision 1.6
	usr.sbin/npf/npftest/README: revision 1.4
	sys/net/npf/npf_tableset.c: revision 1.17
	sys/net/npf/npf_ctl.c: revision 1.21
	sys/net/npf/npf_ctl.c: revision 1.22
	usr.sbin/npf/npfctl/npfctl.h: revision 1.25
	lib/libnpf/npf.h: revision 1.13
	usr.sbin/npf/npftest/npftest.conf: revision 1.2
	usr.sbin/npf/npfctl/npfctl.h: revision 1.26
	sys/net/npf/npf_ruleset.c: revision 1.17
	lib/libnpf/npf.h: revision 1.14
	sys/net/npf/npf_ruleset.c: revision 1.18
	sys/net/npf/npf_conf.c: revision 1.1
	usr.sbin/npf/npfctl/npf_scan.l: revision 1.10
	sys/net/npf/npf_conf.c: revision 1.2
	sys/net/npf/npf_instr.c: revision 1.16
	sys/net/npf/npf_handler.c: revision 1.26
	sys/net/npf/npf_impl.h: revision 1.26
	usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.14
	sys/net/npf/npf_processor.c: revision 1.15
	sys/net/npf/npf_impl.h: revision 1.27
	sys/net/npf/npf_alg_icmp.c: revision 1.15
	usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.15
	usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.16
	sys/net/npf/npf_ncode.h: revision 1.11
	sys/net/npf/files.npf: revision 1.10
	usr.sbin/npf/npftest/Makefile: revision 1.4
	usr.sbin/npf/npfctl/npfctl.c: revision 1.30
	lib/libnpf/npf.3: revision 1.8
	usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.4
	sys/net/npf/npf_session.c: revision 1.21
	usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.5
	usr.sbin/npf/npfctl/npf_build.c: revision 1.18
	usr.sbin/npf/npfctl/npf_build.c: revision 1.19
	sys/net/npf/npf_alg.c: revision 1.7
	usr.sbin/npf/npfctl/Makefile: revision 1.10
	sys/net/npf/npf_inet.c: revision 1.21
	sys/net/npf/npf.h: revision 1.26
	sys/net/npf/npf.h: revision 1.27
	usr.sbin/pf/ftp-proxy/Makefile: revision 1.8
	sys/net/npf/npf_nat.c: revision 1.19
	sys/net/npf/npf.c: revision 1.15
	sys/net/npf/npf_state.c: revision 1.14
	sys/net/npf/npf_sendpkt.c: revision 1.14
	sys/rump/net/lib/libnpf/Makefile: revision 1.4
IPv6 linklocal address printing cosmetics
NPF:
- Implement dynamic NPF rules.  Controlled through npf(3) library of via
  npfctl rule command.  A rule can be removed using a unique identifier,
  returned on addition, or using a key which is SHA1 hash of the rule.
  Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
Disable -DWITH_NPF for now; will be converted to BPF mechanism.
- Fix NPF config reload with dynamic rules present.
- Implement list and flush commands on a dynamic ruleset.
Allow filtering on IP addresses even if the L4 protocol is unknown.
Patch from spz@.
npftest: adjust for recent change.

- Fix NPF config reload with dynamic rules present.
- Implement list and flush commands on a dynamic ruleset.

NPF:
- Implement dynamic NPF rules.  Controlled through npf(3) library of via
  npfctl rule command.  A rule can be removed using a unique identifier,
  returned on addition, or using a key which is SHA1 hash of the rule.
  Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.

IPv6 linklocal address printing cosmetics

sync with (a bit old) head

Pull up following revision(s) (requested by rmind in ticket #750):
	usr.sbin/npf/npfctl/npfctl.c: revision 1.25
	usr.sbin/npf/npfctl/npfctl.h: revision 1.24
	usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.13
	usr.sbin/npf/npfctl/npf_build.c: revision 1.16
	usr.sbin/npf/npfctl/npfctl.8: revision 1.11
npfctl: add 'validate' command to check the config, but not load it.  Update
the man page.  Also add a small note about 'debug' command, PR/47298.

npfctl: add 'validate' command to check the config, but not load it.  Update
the man page.  Also add a small note about 'debug' command, PR/47298.

Pull up following revision(s) (requested by rmind in ticket #718):
	usr.sbin/npf/npfctl/npfctl.c: revision 1.22
	usr.sbin/npf/npfctl/npfctl.c: revision 1.23
	usr.sbin/npf/npfctl/npf_parse.y: revision 1.15
	usr.sbin/npf/npfctl/npfctl.c: revision 1.24
	usr.sbin/npf/npfctl/npf_parse.y: revision 1.16
	usr.sbin/npf/npfctl/npfctl.h: revision 1.22
	usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.14
	usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.15
	usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.11
	usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.12
	usr.sbin/npf/npfctl/npf_scan.l: revision 1.7
	usr.sbin/npf/npfctl/npf_scan.l: revision 1.8
	usr.sbin/npf/npfctl/npf_extmod.c: revision 1.2
	usr.sbin/npf/npfctl/npf_extmod.c: revision 1.3
	usr.sbin/npf/npfctl/npf_var.c: revision 1.6
	usr.sbin/npf/npfctl/npf_var.c: revision 1.7
gcc 4.1 is not smart enough to notice "arg" is only used when initialized
correctly and produces a "might be used unintialized" warning.
npfctl: switch to efun(3) routines.
npfctl: switch to ecalloc(3).

Pull up following revision(s) (requested by rmind in ticket #702):
	sys/net/npf/npf_tableset.c: revision 1.15
	usr.sbin/npf/npfctl/npfctl.h: revision 1.21
	usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.6
	usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.10
	sys/net/npf/npf_state_tcp.c: revision 1.11
	sys/net/npf/npf_impl.h: revision 1.24
	sys/net/npf/npf.h: revision 1.22
	sys/net/npf/npf_ctl.c: revision 1.19
	sys/net/npf/npf.c: revision 1.14
	usr.sbin/npf/npfctl/npfctl.8: revision 1.10
	usr.sbin/npf/npfctl/npfctl.c: revision 1.21
npf_tcp_inwindow: inspect the sequence numbers even if the packet contains no
data, fixing up only the RST to the initial SYN.  This makes off-path attacks
more difficult.  For the reference, see "Reflection Scan: an Off-Path Attack
on TCP" by Jan Wrobel.
Implement NPF table listing and preservation of entries on reload.
Bump the version.
npfctl(8): mention table listing.

Resync to 2012-11-19 00:00:00 UTC

npfctl: switch to ecalloc(3).

npfctl: switch to efun(3) routines.

sync with head

Implement NPF table listing and preservation of entries on reload.
Bump the version.

Pull up following revision(s) (requested by rmind in ticket #489):
	usr.sbin/npf/npfctl/npfctl.8: revision 1.9
	usr.sbin/npf/npfctl/npf.conf.5: revision 1.15
	usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.9
- npfctl show: add most of the missing cases.
- Few minor improvements to NPF man pages.

- npfctl show: add most of the missing cases.
- Few minor improvements to NPF man pages.

Pull up revisions:
  src/usr.sbin/npf/npfctl/npfctl.c revisions 1.16,1.17
  src/sys/net/npf/npf.h revision 1.20
  src/sys/net/npf/npf_alg_icmp.c revision 1.11
  src/sys/net/npf/npf_impl.h revision 1.19
  src/sys/net/npf/npf_inet.c revisions 1.15,1.16
  src/sys/net/npf/npf_instr.c revision 1.14
  src/sys/net/npf/npf_ncode.h revision 1.10
  src/sys/net/npf/npf_processor.c revision 1.12
  src/sys/net/npf/npf_session.c revision 1.16
  src/usr.sbin/npf/npfctl/npf_build.c revision 1.12
  src/usr.sbin/npf/npfctl/npf_data.c revisions 1.16,1.17
  src/usr.sbin/npf/npfctl/npf_disassemble.c revision 1.8
  src/usr.sbin/npf/npfctl/npf_ncgen.c revision 1.13
  src/usr.sbin/npf/npfctl/npf_parse.y revision 1.11
  src/usr.sbin/npf/npfctl/npf_scan.l revision 1.5
  src/usr.sbin/npf/npfctl/npf_var.h revision 1.3
  src/usr.sbin/npf/npfctl/npfctl.h revision 1.18
  src/sys/net/npf/npf_state.c revision 1.10
  src/sys/net/npf/npf_state_tcp.c revision 1.10
  src/usr.sbin/npf/npftest/npfstream.c revision 1.2
  src/usr.sbin/npf/npftest/libnpftest/npf_test_subr.c revision 1.2
(requested by rmind in ticket #435).

Add missing __dead.

teach npf ipv6-icmp
reviewed by rmind@

- npfctl_print_stats: beautification a la French style.
- npfctl_icmpcode: fix the build break.

- npf_fetch_tcpopts: fix off-by-one when validating TCP option length
  against the maximum allowed.
- npf_tcp_inwindow: be more liberal with npf_fetch_tcpopts().
- Few minor improvements to npftest.

teach npf ipv6-icmp
reviewed by rmind@

Pull up following revision(s) (requested by rmind in ticket #421):
	lib/libnpf/npf.c: revision 1.10
	sys/net/npf/npf_session.c: revision 1.15
	sys/net/npf/npf_tableset.c: revision 1.13
	sys/net/npf/npf_state_tcp.c: revision 1.9
	usr.sbin/npf/npfctl/npf_data.c: revision 1.15
	sys/net/npf/npf_inet.c: revision 1.14
	sys/net/npf/npf_ruleset.c: revision 1.13
	sys/net/npf/npf.h: revision 1.19
	usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.12
	sys/net/npf/npf_instr.c: revision 1.13
	sys/net/npf/npf_handler.c: revision 1.20
	usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.4
	sys/net/npf/npf_alg_icmp.c: revision 1.10
	usr.sbin/npf/npfctl/npfctl.c: revision 1.15
	usr.sbin/npf/npfctl/npf_build.c: revision 1.11
	lib/libnpf/npf.h: revision 1.9
	sys/net/npf/npf_alg.c: revision 1.5
	sys/rump/dev/lib/libnpf/Makefile: revision 1.4
	usr.sbin/npf/npfctl/npfctl.h: revision 1.17
	sys/net/npf/npf_ctl.c: revision 1.16
	sys/net/npf/npf_nat.c: revision 1.15
	sys/net/npf/npf_tableset_ptree.c: revision 1.1
	sys/net/npf/npf.c: revision 1.12
	sys/net/npf/npf_sendpkt.c: revision 1.12
	usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.7
	sys/net/npf/npf_impl.h: revision 1.18
	sys/net/npf/files.npf: revision 1.7
	usr.sbin/npf/npfctl/npf_parse.y: revision 1.10
- Rework NPF tables and fix support for IPv6.  Implement tree table type
  using radix / Patricia tree.  Universal IPv4/IPv6 comparator for ptree(3)
  was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.

- Rework NPF tables and fix support for IPv6.  Implement tree table type
  using radix / Patricia tree.  Universal IPv4/IPv6 comparator for ptree(3)
  was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.

Pull up following revision(s) (requested by rmind in ticket #399):
	sys/net/npf/npf_session.c: revision 1.14
	sys/net/npf/npf_tableset.c: revision 1.12
	sys/net/npf/npf_state_tcp.c: revision 1.8
	usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.3
	usr.sbin/npf/npfctl/npf_data.c: revision 1.14
	sys/net/npf/npf_inet.c: revision 1.13
	sys/net/npf/npf_ruleset.c: revision 1.12
	sys/net/npf/npf.h: revision 1.18
	usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.11
	usr.sbin/npf/npfctl/npfctl.8: revision 1.7
	usr.sbin/npf/npfctl/npf_parse.y: revision 1.9
	usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.2
	usr.sbin/npf/npfctl/npfctl.8: revision 1.8
	sys/net/npf/npf_instr.c: revision 1.12
	usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.3
	usr.sbin/npf/npfctl/npf.conf.5: revision 1.13
	usr.sbin/npf/npfctl/npf.conf.5: revision 1.14
	sys/net/npf/npf_state.c: revision 1.9
	sys/net/npf/npf_processor.c: revision 1.11
	usr.sbin/npf/npfctl/npfctl.c: revision 1.13
	usr.sbin/npf/npfctl/npfctl.c: revision 1.14
	usr.sbin/npf/npfctl/npf_build.c: revision 1.10
	lib/libnpf/npf.3: revision 1.5
	lib/libnpf/npf.h: revision 1.8
	share/man/man9/npf_ncode.9: revision 1.9
	usr.sbin/npf/npfctl/npf_scan.l: revision 1.4
	lib/libnpf/npf.c: revision 1.9
	usr.sbin/npf/npfctl/npfctl.h: revision 1.16
	sys/net/npf/npf_nat.c: revision 1.14
	usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.2
	usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.6
	sys/net/npf/npf_impl.h: revision 1.17
	sys/net/npf/npf_handler.c: revision 1.18
	sys/net/npf/npf_handler.c: revision 1.19
	usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.4
	sys/net/npf/npf_ncode.h: revision 1.9
Fix and update npf.conf(5), npfctl(8) and its usage message.
npf_state_tcp: fix for FIN retransmission and out-of-order ACK case.
NPF improvements:
- Add NPF_OPCODE_PROTO to match the address and/or protocol only.
- Update parser to support arbitrary "pass proto <name/number>".
- Fix IPv6 address and protocol handling (add a regression test).
- Fix few theorethical races in session handling module.
- Misc fixes, simplifications and some clean up.
npf_packet_handler: fix gcc unused warning.

NPF improvements:
- Add NPF_OPCODE_PROTO to match the address and/or protocol only.
- Update parser to support arbitrary "pass proto <name/number>".
- Fix IPv6 address and protocol handling (add a regression test).
- Fix few theorethical races in session handling module.
- Misc fixes, simplifications and some clean up.

Pull up following revision(s) (requested by rmind in ticket #354):
	sys/net/npf/npf_state_tcp.c: revision 1.4
	sys/net/npf/npf_state_tcp.c: revision 1.5
	sys/net/npf/npf_state_tcp.c: revision 1.6
	usr.sbin/npf/npftest/npftest.c: revision 1.1
	usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.1
	usr.sbin/npf/npftest/npftest.c: revision 1.2
	usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.2
	usr.sbin/npf/npfctl/npf_data.c: revision 1.11
	usr.sbin/npf/npftest/npftest.c: revision 1.3
	usr.sbin/npf/npfctl/npf_data.c: revision 1.12
	usr.sbin/npf/npftest/npftest.h: revision 1.1
	usr.sbin/npf/npfctl/npf_parse.y: revision 1.5
	usr.sbin/npf/npfctl/npf_data.c: revision 1.13
	sys/net/npf/npf.h: revision 1.16
	usr.sbin/npf/npftest/npftest.h: revision 1.2
	usr.sbin/npf/npfctl/npf_parse.y: revision 1.6
	usr.sbin/npf/npftest/npftest.h: revision 1.3
	usr.sbin/npf/npfctl/npf_parse.y: revision 1.7
	usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.10
	usr.sbin/npf/npfctl/npf_build.c: revision 1.6
	usr.sbin/npf/npfctl/npf_parse.y: revision 1.8
	usr.sbin/npf/npfctl/npf_build.c: revision 1.7
	usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.1
	usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.1
	usr.sbin/npf/npfctl/npf_build.c: revision 1.8
	usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.1
	usr.sbin/npf/npfctl/npf_build.c: revision 1.9
	usr.sbin/npf/npfctl/npf.conf.5: revision 1.10
	usr.sbin/npf/npfctl/npf.conf.5: revision 1.11
	usr.sbin/npf/npfctl/npf.conf.5: revision 1.12
	sys/net/npf/npf_state.c: revision 1.7
	usr.sbin/npf/npfctl/npfctl.c: revision 1.11
	usr.sbin/npf/npfctl/npfctl.c: revision 1.12
	usr.sbin/npf/npfctl/Makefile: revision 1.7
	sys/rump/net/lib/libnet/Makefile: revision 1.14
	sys/net/npf/npf_mbuf.c: revision 1.7
	usr.sbin/npf/npftest/Makefile: revision 1.1
	usr.sbin/npf/npftest/Makefile: revision 1.2
	usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.1
	usr.sbin/npf/npfctl/npf_scan.l: revision 1.2
	usr.sbin/npf/npftest/npfstream.c: revision 1.1
	usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.2
	usr.sbin/npf/npfctl/npf_scan.l: revision 1.3
	usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.3
	usr.sbin/npf/npfctl/npfctl.h: revision 1.12
	sys/rump/dev/lib/libnpf/Makefile: revision 1.2
	usr.sbin/npf/npfctl/npfctl.h: revision 1.14
	sys/rump/dev/lib/libnpf/Makefile: revision 1.3
	usr.sbin/npf/npfctl/npfctl.h: revision 1.15
	usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.9
	sys/net/npf/npf_ctl.c: revision 1.15
	usr.sbin/npf/npfctl/npf_var.c: revision 1.4
	usr.sbin/npf/npfctl/npf_var.h: revision 1.2
	usr.sbin/npf/npfctl/npf_var.c: revision 1.5
	sys/net/npf/npf_impl.h: revision 1.13
	sys/net/npf/npf_sendpkt.c: revision 1.10
	sys/net/npf/npf_impl.h: revision 1.14
	usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.4
	sys/net/npf/npf_impl.h: revision 1.15
	sys/net/npf/npf_handler.c: revision 1.16
	usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.1
	usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.1
	usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.5
	sys/net/npf/npf_handler.c: revision 1.17
	usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.2
	sys/net/npf/npf_ncode.h: revision 1.7
	usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.1
	usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.3
	sys/net/npf/npf_ncode.h: revision 1.8
npf_tcp_inwindow: in a case of negative skew, bump the maximum seen value of
SEQ+LEN in the receiver's side correctly (using ACK from the sender's side).
PR/46265 from Changli Gao.
rumpnet_net: add pfil.c
Update rumpdev_npf; use WARNS=4.
Add initial NPF regression tests integrated with RUMP framework (running the
kernel part of NPF in userland).  Other tests will be added once converted to
RUMP framework.  All tests are in the public domain.
Some Makefile fixes from christos@.
- Fix double-free case on ICMP return case.
- npf_pfil_register: handle kernels without INET6 option correctly.
- Reduce some #ifdefs.
npfctl(8): add show-config command.  Also, update syntax.
npftest: add a stream processor, which prints out the TCP state information.
A tool for debugging connection tracking from tcpdump -w captured data.
npftest: add a module for TCP state tracking and add few test cases.
npf_state_tcp: add an assert; fix some comments while here.
- Rework NPF NAT syntax to be more structured and support future additions
  of different types and configurations of NAT.
- npfctl: improve disassemble and show-config command functionality.
- Fix custom ICMP code and type filtering.
make this compile again.
remove error(1) output
Remove superfluous Pp
- make each element of a variable hold a type
- change get_type to take an index, so we can get the individual types of
  each element (since primitive elements can be in lists)
- make port_range primitive
- add a routine to convert a variable of primitives to a variable containing
- only port ranges.
remove extra rule that got merged...

- Rework NPF NAT syntax to be more structured and support future additions
  of different types and configurations of NAT.
- npfctl: improve disassemble and show-config command functionality.
- Fix custom ICMP code and type filtering.

npfctl(8): add show-config command.  Also, update syntax.

sync with head

Pull up following revision(s) (requested by rmind in ticket #158):
	sys/net/npf/npf_session.c: revision 1.12
	sys/net/npf/npf_tableset.c: revision 1.10
	sys/net/npf/npf_rproc.c: revision 1.2
	usr.sbin/npf/npfctl/npf_parse.y: revision 1.4
	sys/net/npf/npf_inet.c: revision 1.11
	sys/net/npf/npf.h: revision 1.15
	usr.sbin/npf/npfctl/npf_build.c: revision 1.5
	sys/net/npf/npf_ruleset.c: revision 1.11
	sys/net/npf/npf_instr.c: revision 1.10
	usr.sbin/npf/npfctl/Makefile: revision 1.6
	sys/net/npf/npf_processor.c: revision 1.10
	sys/net/npf/npf_log.c: revision 1.3
	lib/libnpf/npf.h: revision 1.7
	sys/net/npf/npf_alg.c: revision 1.3
	sys/net/npf/npf_sendpkt.c: revision 1.9
	lib/libnpf/npf.c: revision 1.8
	usr.sbin/npf/npfctl/npfctl.h: revision 1.13
	sys/net/npf/npf_ctl.c: revision 1.13
	usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.8
	sys/net/npf/npf_ctl.c: revision 1.14
	sys/net/npf/npf_nat.c: revision 1.11
	sys/net/npf/npf_nat.c: revision 1.12
	sys/net/npf/npf_impl.h: revision 1.11
	usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.1
	sys/net/npf/npf_impl.h: revision 1.12
	usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.2
	sys/net/npf/npf_handler.c: revision 1.14
	usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.3
	sys/net/npf/npf_handler.c: revision 1.15
	sys/net/npf/npf_ncode.h: revision 1.6
	sys/net/npf/npf.c: revision 1.8
	sys/net/npf/npf.c: revision 1.9
	sys/net/npf/npf_alg_icmp.c: revision 1.9
	sys/net/npf/npf_session.c: revision 1.11
- Add NPF_DECISION_BLOCK and NPF_DECISION_PASS.  Be more defensive in the
  packet handler.  Change the default policy to block when the config is
  loaded and set it to pass when flush operation is performed.
- Use kmem_zalloc(9) instead of kmem_alloc(9) in few places.
- npf_rproc_{create,release}: use kmem_intr_{alloc,free} as the destruction
  of rule procedure might happen in the interrupt handler (under a very rare
  condition, if config reload races with the handler).
- npf_session_establish: check whether layer 3 and 4 are cached.
- npfctl_build_group: do not make groups as passing rules.
- Remove some unecessary header inclusion.
Simplify slightly: merge iface into addr_or_iface, use it in filt_addr.
Add a small disassembler.
definitions used by the disassembler.
- better printing of type/code flags/mask
- pass the instruction start pointer, instead of subtracting 1 to account for it
- Save active config in proplib dictionary; add GETCONF ioctl to retrieve.
- Few fixes.  Improve some comments.
don't leak the branch target array.
Add NPF config retrieval routines.

file npf_disassemble.c was added on branch yamt-pagecache on 2012-04-17 00:09:50 +0000

file npf_disassemble.c was added on branch netbsd-6 on 2012-04-03 17:22:54 +0000

don't leak the branch target array.

- better printing of type/code flags/mask
- pass the instruction start pointer, instead of subtracting 1 to account for it

Add a small disassembler.