pf: Fix ICMP translation

Fix ICMP source address rewriting in rdr scenarios.

pf: Fix more ICMP mistranslation

In the default case fix the substitution of the destination address.

PR:		201519
Submitted by:	Max <maximos@als.nnov.ru>

  Use correct size for malloc.

but only in the NETMAP code.  This lead to the NETMAP code paths
passing nothing up to userland.

Submitted by:	Ad Schellevis <ad@opnsense.org>
Reported by:	Franco Fichtner <franco@opnsense.org>
MFC after:	1 day

Fix freebsd-update(8) support of FreeBSD 11.0 release
distribution. [EN-16:09]

Approved by:	so

(cherry picked from commit 3a6620f8)

When rtsold with `-d' it is supposed to show informal messages,
though it actually picks up prefix delegation RAs on other non-
configured interfaces.  Since it's listening on a raw socket,
we get all those things, but there's no misconfiguration and
no interest in what happens with other interfaces per se and
the debug level shall be sufficient.

PR: https://forum.opnsense.org/index.php?topic=3392
(cherry picked from commit 9789a421)

We were inconsistent about the use of time_second vs. time_uptime.
Always use time_uptime so the value can be meaningfully compared.

Submitted by:	"Max" <maximos@als.nnov.ru>
MFC after:	4 days

Taken from: https://www.iana.org/time-zones

On OPNsense's 16.7 roadmap is HardenedBSD's ASLR code. This commit
separates out the ASLR code from the rest of our exploit mitigation
and system hardening code.

Testing and verification still need to be performed. Initial testing
(compile + boot + `procstat -v PIDofPIEapplication) has been
performed. More thorough testing should occur.

Shared object load order randomization in the RTLD is not included in
this patch. That will be discussed with the fine folks at OPNsense at
a later time.

On i386, the stack isn't randomized enough to provide enough space for
the VDSO to be randomized. Bump the stack randomization up to 14 for
32bit systems and lower the VDSO randomization to 8. This provides
enough of a difference between the two to allow for both stack and
VDSO randomization.

Note that ASLR on 32bit systems is still rather weak. Not much entropy
can be introduced into the stack and VDSO. Brute forcing the stack and
VDSO is well within the realm of possibility. Users are strongly
advised to migrate to 64bit systems.

Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>

Security:	FreeBSD-SA-16:24.ntp
Approved by:	so

Fix kernel stack disclosure in 4.3BSD compatibility layer. [SA-16:21]

Security:	SA-16:20
Security:	SA-16:21
Approved by:	so

  Backport security fix for absolute path traversal
  vulnerability in bsdcpio.

Security:	CVE-2015-2304
Security:	SA-16:22
Approved by:	so

This reverts commit 55362daa.

Not in FreeBSD and not our battle.

Logo kindly supplied by the Schellevis brothers @jschellevis
and @adschellevis, who had a lot of fun doing this.  :)

Time is ticking.... tick tock tick tock :)

Original branding work by: @kurbel

Taken from: http://caia.swin.edu.au/freebsd/aqm/

panics when unloading the dummynet and IPFW modules:

- The callout drain function can sleep and should not be called having
a non-sleepable lock locked. Remove locks around "ipfw_dyn_uninit(0)".

- Add a new "dn_gone" variable to prevent asynchronous restart of
dummynet callouts when unloading the dummynet kernel module.

- Call "dn_reschedule()" locked so that "dn_gone" can be set and
checked atomically with regard to starting a new callout.

Reviewed by:	hiren
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D3855

Remove ifa_mtx. It was used only in one place in kernel, and ifnet's ifaddr lock can substitute it there.

Discussed with:	melifaro, ae
Sponsored by:	Netflix
Sponsored by:	Nginx, Inc.

Taken from:  pfSense
Modified by: Franco Fichtner
See also:    https://github.com/opnsense/core/issues/153
See also:    https://forum.opnsense.org/index.php?topic=2385

Taken from: http://www.pcengines.info/forums/?page=post&id=6DA3284E-4973-4EC5-921D-A93AB72123DC

(cherry picked from commit 629b0b86)

Taken from: pfSense
See also:   https://lists.freebsd.org/pipermail/freebsd-net/2013-June/035749.html
See also:   http://undeadly.org/cgi?action=article&sid=20130828151241

Taken from: pfSense

Taken from:  m0n0wall
Modified by: franco@opnsense.org

Also mutes a spammy message.  Bravely going where no man
has gone before.  :)

Taken from: https://www.iana.org/time-zones

Taken from: FreeBSD

Submitted by:	Thomas Siegmund

Inspired by: DragonFlyBSD

- Validate that user supplied control message length in sendmsg(2)
  is not negative.

Security:	SA-16:18
Security:	CVE-2016-1886
Security:	SA-16:19
Security:	CVE-2016-1887
Submitted by:	C Turt <cturt hardenedbsd.org>
Approved by:	so

Fix performance regression in libc hash(3). [EN-16:06]

Fix excessive latency in x86 IPI delivery. [EN-16:07]

Fix memory leak in ZFS. [EN-16:08]

Approved by:	so

Approved by:	so

Taken from: FreeBSD
Commit ref: b62280e683e2

- Validate that user supplied control message length in sendmsg(2)
  is not negative.

Security:	SA-16:18
Security:	CVE-2016-1886
Security:	SA-16:19
Security:	CVE-2016-1887
Submitted by:	C Turt <cturt hardenedbsd.org>
Approved by:	so

Taken from: http://caia.swin.edu.au/freebsd/aqm/

This reverts commit 0a19f813.

Fix excessive latency in x86 IPI delivery. [EN-16:07]

Fix memory leak in ZFS. [EN-16:08]

Approved by:	so

Approved by:	so