NFSv4.1/4.2 has an alternative to the acl attribute, called
dacl, that includes support for the ACL_ENTRY_INHERITED flag,
called NFSV4ACE_INHERITED in NFSv4.

This patch adds a dacl argument to nfsrv_buildacl(),
nfsrv_dissectacl() and nfsrv_dissectace(), so that they
will handle NFSV4ACE_INHERITED when dacl == true.

Since these functions are always called with dacl == false
for this patch, semantics should not have changed.
A future patch will add support for dacl.

MFC after:	2 weeks

MFC after:	2 weeks

MFC after:	2 weeks

MFC after:	2 weeks

This brings it in line with what the clk_*_freq routines are named.

The intent is to provide more entropy than can be provided
by just the 32-bits of the IPv6 address which overlaps with
6to4 tunnels.  This is needed to mitigate potential algorithmic
complexity attacks from attackers who can control large
numbers of IPv6 addresses.

Together with:		gallatin
Reviewed by:		dwmalone, rscheff
Differential revision:	https://reviews.freebsd.org/D33254

Now struct prison has two pointers (IPv4 and IPv6) of struct
prison_ip type.  Each points into epoch context, address count
and variable size array of addresses.  These structures are
freed with network epoch deferred free and are not edited in
place, instead a new structure is allocated and set.

While here, the change also generalizes a lot (but not enough)
of IPv4 and IPv6 processing. E.g. address family agnostic helpers
for kern_jail_set() are provided, that reduce v4-v6 copy-paste.

The fast-path prison_check_ip[46]_locked() is also generalized
into prison_ip_check() that can be executed with network epoch
protection only.

Reviewed by:		jamie
Differential revision:	https://reviews.freebsd.org/D33339

Summary:

The existing call can only really be used for a node wishing to
configure its parent, but as we don't pass in a pointer to the freq,
we can't set it to what it would be for a DRY_RUN pass.

So for clock nodes that wish to try setting parent frequencies to see
which would be the best for its own target frequency, we really do need
a way to call in and pass in a flag /and/ a pointer to freq so it can be
updated for us as the clock tree is recursed through.

Reviewers: manu

Approved by: manu

Subscribers: imp

Differential Revision: https://reviews.freebsd.org/D33445

Handle specially the boundary==0 case of vm_reserv_reclaim_config,
by turning off boundary adjustment in that case.

Reviewed by:	alc
Tested by:	pho, madpilot

Throughout net80211 there are multiple ways to log (debugging)
information.  Start to clenaup one as I kept hitting it to harmonize
the output.  The more we get away from printfs into either wrapper
functions or macros the more likely we can use holistic systematic
tracing in the future.

Sponsored by:	The FreeBSD Foundation
MFC after:	3 days

Add more STATE / DEBUG probes and enhance the output of one in order
to track state changes triggered by "ack" (or not).
This helped to narrow down causes from drivers or the LinuxKPI 802.11
compat framework which kept us in a scan -> auth -> scan loop.

Sponsored by:	The FreeBSD Foundation
MFC after:	3 days

Making use of the debug output was hard given debug lines were run in
parts through vlog (if_printf) and in (multiple) parts through printf(s).

Like some of the functions alreay have, use a local buffer to format
the string and then use a single if_printf;  in addition given these
functions are debug-only, add an extra printf in case we find our
buffers still to be too small so we can adjust for the future.
We already found that 128 characters are to short for some log messages.
Bump the buffer sizes collectively to 256 characters which also is
the maximum of if_vlog() so getting longer would need further changes
elsewhere.

Sponsored by:	The FreeBSD Foundation
MFC after:	3 days

MFC after:	2 weeks

No longer needed after tcp_output() can ask caller to drop.

Reviewed by:		rrs, tuexen
Differential revision:	https://reviews.freebsd.org/D33371

The advanced TCP stacks (bbr, rack) may decide to drop a TCP connection
when they do output on it.  The default stack never does this, thus
existing framework expects tcp_output() always to return locked and
valid tcpcb.

Provide KPI extension to satisfy demands of advanced stacks.  If the
output method returns negative error code, it means that caller must
call tcp_drop().

In tcp_var() provide three inline methods to call tcp_output():
- tcp_output() is a drop-in replacement for the default stack, so that
  default stack can continue using it internally without modifications.
  For advanced stacks it would perform tcp_drop() and unlock and report
  that with negative error code.
- tcp_output_unlock() handles the negative code and always converts
  it to positive and always unlocks.
- tcp_output_nodrop() just calls the method and leaves the responsibility
  to drop on the caller.

Sweep over the advanced stacks and use new KPI instead of using HPTS
delayed drop queue for that.

Reviewed by:		rrs, tuexen
Differential revision:	https://reviews.freebsd.org/D33370

Reviewed by:		rrs, tuexen
Differential revision:	https://reviews.freebsd.org/D33369

For all functions that are leaves of tcp_input() call
ctf_do_dropwithreset_conn() instead of ctf_do_dropwithreset(), cause
we always got tp and we want it to be dropped.

Reviewed by:		rrs, tuexen
Differential revision:	https://reviews.freebsd.org/D33368

This function is always called from tcp_do_segment() method, that
can drop tcpcb and return unlocked.

Reviewed by:		rrs, tuexen
Differential revision:	https://reviews.freebsd.org/D33367

Made with sed(1) execution:

sed -Ef sed -i "" $(grep --exclude tcp_var.h -lr tcp_output sys/)

sed:
s/tp->t_fb->tfb_tcp_output\(tp\)/tcp_output(tp)/
s/to tfb_tcp_output\(\)/to tcp_output()/

Reviewed by:		rrs, tuexen
Differential revision:	https://reviews.freebsd.org/D33366

Reviewed by:		rrs, tuexen
Differential revision:	https://reviews.freebsd.org/D33365

RFC792,1009,1122 state the original conditions for sending a redirect.
RFC1812 further refine these.
ip_forward() still sepcifies the checks originally implemented for these
(we do slightly more/different than suggested as makes sense).
The implementation added in 8ad114c0
to ip_tryforward() however is flawed and may send a "multi-hop"
redirects (to a host not on the directly connected network).

Do proper checks in ip_tryforward() to stop us from sending redirects
in situations we may not.  Keep as much logic out of ip_tryforward()
and in ip_redir_alloc() and only do the mbuf copy once we are sure we
will send a redirect.

While here enhance and fix comments as to which conditions are handled
for sending redirects in various places.

Reported by:		pi (on net@ 2021-12-04)
MFC after:		3 days
Sponsored by:		Dr.-Ing. Nepustil & Co. GmbH
Reviewed by:		cy, others (earlier versions)
Differential Revision:	https://reviews.freebsd.org/D33274

If present, print nexthop L2 prepend data in hex.

MFC after:	1 week

VNET teardown waits 2*MSL (60 seconds by default) before expiring
 tcp PCBs. These PCBs holds references to nexthops, which, in turn,
 reference ifnets. This chain results in VNET interfaces being destroyed
 and moved to default VNET only after 60 seconds.
Allow tcp_msl to be set in jail by virtualising net.inet.tcp.msl sysctl,
 permitting more predictable VNET tests outcomes.

MFC after:	1 week
Reviewed by:	glebius
Differential Revision: https://reviews.freebsd.org/D33270

MFC after:	2 weeks

MFC after:	2 weeks

MFC after:	2 weeks

MFC after:	2 weeks

It only converts bit field into string.  It does not need locking.

MFC after:	1 week

It seems to be needed only to serialize very old K8 registers access.
Introduce separate lock for that and remove Giant dependency.

MFC after:	2 weeks

fb38b29b (page_alloc_br) vm_page: Remove extra test, dup code from page alloc
should have moved a comment block when it moved the function call that followed it.

Move the comment block now.

It is not implemented in HW.

MFC after:	1 week

readelf is not a bootstrap tool and so cannot be relied upon to exist.
On macOS there is no system readelf, and even on Linux or FreeBSD where
it does exist, BUILD_WITH_STRICT_TMPPATH builds won't be able to use it.
Instead of making it a bootstrap tool, just use nm as that suffices and
already is a bootstrap tool.

Fixes:		28482bab ("arm64: Use new arm_kernel_boothdr script for generating booti images.")
Reviewed by:	emaste, mmel
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D32734

MFC after:	1 week

Function vm_reserv_reclaim_contig breaks a reservation with enough
free space to satisfy an allocation request and returns the free space
to the buddy allocator. Change the function to allocate the request
memory from the reservation before breaking it, and return that memory
to the caller. That avoids a second call to the buddy allocator and
guarantees successful allocation after breaking the reservation, where
that success is not currently guaranteed.

Reviewed by:	alc, kib (previous version)
Differential Revision:	https://reviews.freebsd.org/D33644

MFC after:	1 week

- add method to read gate enable/disable staust from HW
- show gate status in sysctl clock dump

MFC after:	1 week

Always recalculate the frequency, the cache is lazily initialized so it is not always up to date.
While I'm in mark sysctl as MPSAFE.

Discussed with:	manu, adrian
MFC after:	1 week