FreshBSD

   add commented-out "val-log-level: 2" next to the uncommentable line to
   enable dnssec validation, it's really useful for debug

   Cleanup, no functional change:
   No need to expose the tbl(7) syntax tree data structures everywhere.
   Move them to their own include file, "tbl.h", and improve comments.

   remove unused prototypes

   add tx-data reporting event

   Simplify mbzero() by using mem_write with a NULL buf which does zero out
   all memory at once without having to use a zero buffer.
   OK mlarkin@

   Set the com speed to 115200 like we do in our bootloader when using SeaBIOS.
   OK mlarkin@

   zap trailing whitespace;

   some pcap_setdirection details; from jan stary
   ok djm

   allow reading from stdin with -f -.
   ok kn

   document show-indexed

   Various cleanups:

   - Unify the two hooks by passing the same argument
   - Check for nullity before dereferencing `if_bridgeport', this will
     matter when we go MP
   - Use the same pattern to find a member in the ioctl path


   ok bluhm@, visa@

   free(9) sizes for sysv shm.

   ok bluhm@, visa@

   free(9) sizes for SVID semaphores.

   ok bluhm@, visa@

   +nettle-bug now that the fix has been committed

   even when there's no update needed, respect dependency chain order.

   More specifically, the set currently being installed won't be affected,
   but shared libraries may be reached through a long dependency chain,
   so they actually require "full" dependency ordering.

   This fixes the libnettle issue reported by jca@ (see regress)

   okay aja@, sthen@

   moving handles to kept means they're not affected by complete_set, which
   means that they won't get their dependency information. But if they're
   in kept, they're actually installed so make sure they have a location.

   This will let pkg_add   always follow dependencies for all sets even if
   there's nothing to directly install

   upon MAIL or RCPT errors, only trigger report_smtp_tx_{mail,rcpt} events if
   error happened within an SMTP transaction.

   Enable the rules doing more than one match at a time. This works since a while.

   Make kcov MP-safe. Calling the injected tracing function
   __sanitizer_cov_trace_pc() early in the boot process caused a subtle
   crash while booting the secondary CPU(s). On amd64, accessing curcpu
   during this period is not safe since its GSBASE register is yet not
   written. After the CPU has been booted curproc can also be NULL for a
   brief period of time before the idle thread tied to the same CPU has
   started. The two problems can simply be avoided by postponing access to
   curcpu and curproc until /dev/kcov has been opened at least once.

   The end goal here is to allow fuzzing of MP kernels, which already is in
   full swing.

   This work has gone through many iterations before settling on the least
   intrusive change; many thanks for visa@ for reviewing and providing
   valuable input.

   Issue originally reported by Greg Steuck on tech@ who also took the time
   to test all iterations and providing me access to a virtualised OpenBSD
   machine for easier testing.

   ok mpi@ visa@

   allow ethernet interfaces to provide a custom if_output routine.

   this will be mostly useful for virtual interfaces like vlan and
   etherip, where they can bypass queueing on an ifq, and instead
   encapsulate in on multiple cpus concurrently and push the packet
   onto the next layer directly.

   ok visa@

   Fix regress test. The rule optimizer changes output since all the
   set community rules are merged into one big set block.

   add optional per-cpu counters for interface stats.

   these exist so interfaces that want to do mpsafe work outside the
   ifq machinery have a place to allocate and update stats in. the
   generic ioctl handling for getting stats to userland knows how to
   roll the new per cpu stats into the rest before export.

   ok visa@

   the world is not ready for dnssec enabled by default

   Flip snprintf(3) error check to align it with the man page example.
   No functional change.
   suggested by tb@; from Jan Klemkow

   Convert some variables with non-negative values to unsigned type
   to avoid comparison of integers of different signs.
   from Jan Klemkow; OK tb@

   Add PN_XNUM support to libbfd so objdump and gdb can handle core
   dumps with many many segments.

   ok yasuoka@

   add a non regression test that triggers the nettle bug

   remove filter action "rewrite" can only be done from a proc filter
   remove "report" keyword, a proc filter gets report events

   discussed with eric@

   merge 1.8.3

   import the rest of unbound 1.8.3 (to merge version numbers etc)

   Fix dns64 allocation in wrong region for returned internal queries.
   (This is the only code change in upstream release 1.8.3).

   do some imsg renaming to make them more clear

   remove unused imsg names

   these files are no longer used

   factor smtp-in and smtp-out reporting code

   report filter responses to smtp

   fix previous

   ok gilles@

   style

   bgpctl can no long reuse the aspath_match function from bgpd so move the
   roughly the same function here called match_aspath().
   OK denis@

   Refactor aspath code a bit. Move cached source_as (for origin validation)
   into struct aspath and pass that struct to aspath_match().
   OK denis@

   generate an event when a helo name identifies a link

   remove unnecessary calls to getsockname()

   ok gilles@

   Extend vmctl start -B argument to work for disk, cdrom and net.
   Currently SeaBIOS will respect disk and cdrom and our kernel will
   understand net.
   OK ccardenas@, reyk@, mlarkin@

   Improve the cert_*() interface. Use the return value to tell whether
   the request is pending (waiting for an async event) or not.  Success
   or failure is always reported through the callback function.

   ok gilles@

   teach libtool to build shared libraries with a soname

   ok naddy@

   provide ifq_is_priq, mostly so things can tell if hfsc is in effect or not.

   use ifq_hdatalen for handling the FIONREAD ioctl

   ok stsp@

   document ifq_hdatalen()

   ok stsp@

   add ifq_hdatalen for getting the size of the packet at the head of an ifq

   this gets the locks right, and returns 0 if there's no packet available.

   ok stsp@

   split ether_output into resolution, encapsulation, and output functions

   if if_output can be overridden on ethernet interfaces, it will allow
   things like vlan to do it's packet encapsulation during output
   before putting the packet directly on the underlying interface for
   output.

   this has two benefits. first, it can avoid having ether_output on
   pseudo interfaces recurse, which makes profiling of the network
   stack a lot clearer. secondly, and more importantly, it allows
   pseudo ethernet interface packet encapsulation to by run concurrently
   by the stack, rather than having packets unnecessarily serialied
   by an ifq.

   this diff just splits ether_output up, it doesnt have any interface
   take advantage of it yet.

   tweaks and ok claudio@