[seccomp] epoll_wait(2) isn't available on every arch

add newline after usage

fix "first location" bug reported by devel at datenbrei dot de. The first location would overwrite the default value for a server, triggering the "`foo' rule specified more than once" error. This also needed a small tweak on how we match locations to avoid breaking other tests.

fix ca generation

don't allocate BIGNUM on the stack on fedora 33 the BIGNUM type is opaque. Allocate always to avoid headaches.

allow epoll_wait fedora 33 issue an epoll_wait instead of pwait.


improve errors during config parsing

don't delete valid.ext


add `require client ca' rule to require certs signed by a CA

add conf for a ca

gg: add support for client certs

refactor apply_block_return move the strip and fmt logic to their own function