MFC r303018:

MFC r303018:
  Add named dynamic states support to ipfw(4).

  The keep-state, limit and check-state now will have additional argument
  flowname. This flowname will be assigned to dynamic rule by keep-state
  or limit opcode. And then can be matched by check-state opcode or
  O_PROBE_STATE internal opcode. To reduce possible breakage and to maximize
  compatibility with old rulesets default flowname introduced.
  It will be assigned to the rules when user has omitted state name in
  keep-state and check-state opcodes. Also if name is ambiguous (can be
  evaluated as rule opcode) it will be replaced to default.

  Reviewed by:	julian
  Obtained from:	Yandex LLC
  Relnotes:	yes
  Sponsored by:	Yandex LLC
  Differential Revision:	https://reviews.freebsd.org/D6674

MFC r304087:
  Do not warn about ambiguous state name when we inspect a comment token.

MFC r304089:
  Add an ability to attach comment to check-state rules.

MFC r310727 (by marius):
  Fix a bug in r272840; given that the optlen parameter of setsockopt(2)
  is a 32-bit socklen_t, do_get3() passes the kernel to access the wrong
  32-bit half on big-endian LP64 machines when simply casting the 64-bit
  size_t optlen to a socklen_t pointer.
  While at it and given that the intention of do_get3() apparently is to
  hide/wrap the fact that socket options are used for communication with
  ipfw(4), change the optlen parameter of do_set3() to be of type size_t
  and as such more appropriate than uintptr_t, too.

MFC r315305:
  Change the syntax of ipfw's named states.

  Since the state name is an optional argument, it often can conflict
  with other options. To avoid ambiguity now the state name must be
  prefixed with a colon.

Sponsored by:	Yandex LLC