- Copy stable/10 (r259064) to releng/10.0 as part of the
10.0-RELEASE cycle.
- Update __FreeBSD_version [1]
- Set branch name to -RC1

[1] 10.0-CURRENT __FreeBSD_version value ended at '55', so
start releng/10.0 at '100' so the branch is started with
a value ending in zero.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Add support for "vnet jname" argument in ifconfig_IF. The vnet keyword
is ignored except for "rc.d/netif vnet{up,down} ifn" because a jail is
usually created after interface initialization on boot time.

"rc.d/netif vnetup ifn" moves ifn into the specified jail. It is
designed to be used in other scripts like rc.d/jail, not automatically
invoked during the interface initialization.

Approved by: re (kib)

Do not attempt to do AF-specific configurations on a interface when
noafif() is true. The following warning message was displayed when
pflog0 interface existed, for example:

ifconfig: ioctl(SIOCGIFINFO_IN6): Protocol family not supported

Reported by: bz
Approved by: re (gjb)

Add epair(4) support in $cloned_interfaces. One should be specified
as "epair0" in $cloned_interfaces and "epair0[ab]" in the others in
rc.conf like the following:

cloned_interfaces="epair0"
ifconfig_epair0a="inet 192.168.1.1/24"
ifconfig_epair0b="inet 192.168.2.1/24"

/etc/rc.d/netif now accepts both "netif start epair0" and "netif start
epair0a".

Approved by: re (kib)

Fix parsing lines of ifconfig output which include \t in the case of
inet and inet6.

Approved by: re (delphij)

Correctly remove an interface's ipv4 address when the user calls
"/etc/rc.d/netif stop XXX". The old globbing pattern failed to account for the
possibility of a tab occuring before "inet".

Reviewed by: will
Approved by: ken (mentor, implicit)
MFC after: Never (bug affects head only)
Sponsored by: Spectra Logic

- Reimplement $gif_interfaces as a variant of $cloned_interfaces.
Newly-configured systems should use $cloned_interfaces.

- Call clone_{up,down}() and ifnet_rename() in rc.d/netif {start,stop}.
ifnet_rename() now accepts an interface name list as its argument.

- Add rc.d/netif clear. The "clear" subcommand is basically equivalent to
"stop" but it does not call clone_down().

- Add "ifname:sticky" keyword into $cloned_interfaces. If :sticky is
specified, the interface will not be destroyed in rc.d/netif stop.

- Add cloned_interfaces_sticky={YES,NO}. This variable globally sets
:sticky keyword above for all interfaces. The default value is NO.
When cloned_interfaces_sticky=YES, :nosticky keyword can be used to
override it on per interface basis.

Do not set ND6_IFF_ACCEPT_RTADV on if_bridge(4) interfaces when
ipv6_enable=yes.

MFC after: 3 days

Fix address range specification with ifconfig(8) options such as:

- inet 192.0.2.1-10 netmask 255.255.255.0 (inet range spec + ifconfig options)
- inet6 2001:db8:1::1-f prefixlen 60 (inet6 range spec + ifconfig options)

If prefixlen or netmask option is specified with CIDR notation at
the same time, the option is used.

Tested by: Michael Grimm
MFC after: 3 days

- Fix a bug in ipv6_prefix_IF. It did not work with the 64-bit prefix
notation like 2001:db8:1:1.

- Use eui64 flag in ifconfig(8) instead of network6_getladdr()[*] for
interface indentifier part.

Suggested by: ume [*]
MFC after: 3 days

Add "ether" and "link" to ifconfig_alias{es,N}.

Don't attempt to do DHCP on certain interfaces, similar to what's done for
ipv6_autoconfif() in r212577.

MFC after: 1 week

Implement ifconfig_wlanX="HOSTAP".

Not only this is a bit cleaner, it allows multiple instances of hostapd to be
running on the system host, useful for simultaneous dual-band WiFi.
This is similar to ifconfig_wlanX="WPA" but it uses /etc/hostapd-wlanX.conf.
Compatibility with hostapd_enable=YES/NO was kept.

Reviewed by: adrian

- Add CIDR notation support like 192.168.1-2.10-16/24 to $ifconfig_IF_aliasN.
This is an extended version of ipv4_addr_IF which supports both IPv4 and
IPv6, and multiple range specifications. To avoid to generate too many
addresses, the maximum number of the generated addresses is currently
limited to 31.

- Add $ifconfig_IF_aliases, which accepts multiple IP aliases in a variable.

- ipv6_prefix_IF now supports !/64 prefix length. In addition to the old
64-bit format (2001:db8:1:1), a full 128-bit format like 2001:db8:1:1::/64
is supported.

- Replace ifconfig command with $IFCONFIG_CMD variable to support
a dry-run mode in the future.

- Remove IP aliases before removing all of IPv4 addresses when doing
"rc.d/netif down".

- Add a DAD wait to network6_getladdr() because it is possible to fail to
configure an EUI64 address when ipv6_prefix_IF is specified.

A summary of the supported ifconfig_* variables is as follows:

# IPv4 configuration.
ifconfig_em0="inet 192.168.0.1"
# IPv6 configuration.
ifconfig_em0_ipv6="inet6 2001:db8::1/64"
# IPv4 address range spec. Now deprecated.
ipv4_addr_em0="10.2.1.1-10"
# IPv6 alias.
ifconfig_em0_alias0="inet6 2001:db8:5::1 prefixlen 70"
# IPv4 alias.
ifconfig_em0_alias1="inet 10.2.2.1/24"
# IPv4 alias with range spec w/o AF keyword (backward compat).
ifconfig_em0_alias2="10.3.1.1-10/32"
# IPv6 alias with range spec.
ifconfig_em0_alias3="inet6 2001:db8:20-2f::1/64"
# ifconfig_IF_aliases is just like ifconfig_IF_aliasN.
ifconfig_em0_aliases="inet 10.3.3.201-204/24 inet6 2001:db8:210-213::1/64 inet 10.1.1.1/24"
# IPv6 alias (backward compat)
ipv6_ifconfig_em0_alias0="inet6 2001:db8:f::1/64"
# IPv6 alias w/o AF keyword (backward compat)
ipv6_ifconfig_em0_alias1="2001:db8:f:1::1/64"
# IPv6 prefix.
ipv6_prefix_em0="2001:db8::/64"

Tested by: Kimmo Paasiala

Fix an issue when ipv6_enable=YES && ipv6_gateway_enable=YES which could
prevent rtadvd(8) from working as intended.

Spotted by: brian
Discussed with: brian

Fix several glitches in IPv6-related knobs:

- ipv6_enable + ipv6_gateway_enable should unset ACCEPT_RTADV by default for
backward compatibility.

- Configurations in ipv6_prefix_IF should be recognized even if there is no
ifconfig_IF_ipv6.

- DAD wait should be performed at once, not on a per-interface basis, if
possible. This fixes an issue that a system with a lot of IPv6-capable
interfaces takes too long for booting.

MFC after: 1 week

Spelling fixes for etc/

Add compatibility support for specifing IPv4 aliases in
rc.conf without the "inet" keyword.

Obtained from: hrs

Add support for removing addresses added by ipv6_prefix_hostid_addr_up()
upon rc.d/netif stop.

Fix an issue that 127/8 is not configured when $ifconfig_DEFAULT is not empty.

Spotted by: ume

Test if the interface is afif in dhcpif() and syncdhcpif(), as
done in ipv6_autoconfif.

Reviewed by: hrs (freebsd-rc@)
MFC after: 1 week

Minor spelling, wording and punctuation fixes in comments.

PR: 155984
Submitted by: gcooper
Approved by: re (kib)
MFC after: 1 week

- Add an warning when ifconfig_IF_ipv6 has no inet6 keyword in front
of an IPv6 address. (r225489)

- Use eval for ${ifconfig_args} to fix an issue fixed in r223506. (r225489)

Approved by: re (bz)

Add $ipv6_cpe_wanif to enable functionality required for IPv6 CPE
(r225485). When setting an interface name to it, the following
configurations will be enabled:

1. "no_radr" is set to all IPv6 interfaces automatically.

2. "-no_radr accept_rtadv" will be set only for $ipv6_cpe_wanif. This is
done just before evaluating $ifconfig_IF_ipv6 in the rc.d scripts (this
means you can manually supersede this configuration if necessary).

3. The node will add RA-sending routers to the default router list
even if net.inet6.ip6.forwarding=1.

This mode is added to conform to RFC 6204 (a router which connects
the end-user network to a service provider network). To enable
packet forwarding, you still need to set ipv6_gateway_enable=YES.

Note that accepting router entries into the default router list when
packet forwarding capability and a routing daemon are enabled can
result in messing up the routing table. To minimize such unexpected
behaviors, "no_radr" is set on all interfaces but $ipv6_cpe_wanif.

Approved by: re (bz)

Add support for string values with white spaces for ifconfig(8)
parameters accepting them (such as description, group).

Changes discussed on freebsd-rc.

PR: conf/156675
Reported by: "Alexander V. Chernikov" <melifaro att ipfw ru>
Suggested by: hrs
Analyzed with: Alexander V. Chernikov via IRC
MFC after: 2 weeks

Add a helper function to check kern.features.* sysctls.

Discussed with: dougb

Do not mark lo0 as IFDISABLED even if there is no $ifconfig_lo0_ipv6 line.

Remove "ifconfig IF inet6 -accept_rtadv" when ipv6_gateway_enable=YES because
this is no longer needed.

No logner set an IPv4 loopback address by default in defaults/rc.conf.
If not specified, network.subr will add it automatically if we have
INET support (1).

In network.subr only call the address family up/down functions
if the respective AF is available.

Switch to new kern.features variables for inet and inet6 as the
inet sysctl tree is also available for IPv6-only kernels leading
to unexpected results.

Suggested by: hrs (1)
Reviewed by: hrs
Sponsored by: The FreeBSD Foundation
Sponsored by: iXsystems
MFC after: 20 days

network.subr: Use printf(1) builtin for hexprint function.

Now that printf(1) is a shell builtin, there is no need to emulate it
anymore. The external printf(1) is /usr/bin/printf and therefore may not be
available in early boot.

It may be faster to use printf directly but the function is useful for
compatibility.

Split $ipv6_prefer into $ip6addrctl_policy and $ipv6_activate_all_interfaces.

The $ip6addrctl_policy is a variable to choose a pre-defined address
selection policy set by ip6addrctl(8).
The keyword "ipv4_prefer" sets IPv4-preferred one described in Section 10.3,
the keyword "ipv6_prefer" sets IPv6-preferred one in Section 2.1 in RFC 3484,
respectively. When "AUTO" is specified, it attempts to read
/etc/ip6addrctl.conf first. If it is found, it reads and installs it as
a policy table. If not, either of the two pre-defined policy tables is
chosen automatically according to $ipv6_activate_all_interfaces.

When $ipv6_activate_all_interfaces=NO, interfaces which have no corresponding
$ifconfig_IF_ipv6 is marked as IFDISABLED for security reason.

The default values are ip6addrctl_policy=AUTO and
ipv6_activate_all_interfaces=NO.

Discussed with: ume and bz

Localize $_punct_c in get_if_var() and whitespace clean-ups.

Based on: changes in r206408 by dougb

- Check some specific IFs first in ipv6_autoconfif().
- $ipv6_enable supports YES|TRUE|ON|1 as in checkyesno().

Based on: changes in r206408 by dougb

Fix $ipv6_network_interfaces and set it as AUTO by default.

Based on: changes in r206408 by dougb

Revert changes in r206408.

Discussed with: dougb, core.5, and core.6

Prevent unloading a kld for a driver that has subinterfaces (vlan and/or
wlan interfaces) from being automatically reloaded via devd shutdown
event handlers.
- Revert part of my previous changes to call ifn_stop on subinterfaces
when an interface is detached. It is better to destroy the interfaces
first so that an 'ifconfig foo0.blah down' doesn't result in ifconfig
auto-loading if_foo.ko. The ifconfig command will not be invoked if
foo0.blah is gone when ifn_stop() is called. Furthermore, it is not
necessary to explicitly invoke ifn_stop() after the subinterface is
destroyed as devd will already do that.
- Pass -n to ifconfig when destroying interfaces so that destroying a
cloned interface does not kldload any drivers.

Reviewed by: dougb
MFC after: 4 days

Remove trailing white space. No functional changes.

Make address assignment via ipv6_prefix_IF work again

Improve the handling of IPv6 configuration in rc.d. The ipv6_enable
and ipv6_ifconfig_<interface> options have already been deprecated,
these changes do not alter that.

With these changes any value set for ipv6_enable will emit a
warning. In order to avoid a POLA violation for the deprecation
of the option ipv6_enable=NO will still disable configuration
for all interfaces other than lo0. ipv6_enable=YES will not have
any effect, but will emit an additional warning. Support and
warnings for this option will be removed in FreeBSD 10.x.

Consistent with the current code, in order for IPv6 to be configured
on an interface (other than lo0) an ifconfig_<interface>_ipv6
option will have to be added to /etc/rc.conf[.local].

1. Clean up and minor optimizations for the following functions:
ifconfig_up (the ipv6 elements)
ipv6if
ipv6_autoconfif
get_if_var
_ifconfig_getargs
The cleanups generally were to move the "easy" tests earlier in the
functions, and consolidate duplicate code.

2. Stop overloading ipv6_prefer with the ability to disable IPv6
configuration.

3. Remove noafif() which was only ever called from ipv6_autoconfif.
Instead, simplify and integrate the tests into that function, and
convert the test to use is_wired_interface() instead of listing
wireless interfaces explicitly.

4. Integrate backwards compatibility for ipv6_ifconfig_<interface>
into _ifconfig_getargs. This dramatically simplifies the code in
all of the callers, and avoids a lot of other code duplication.

5. In rc.d/netoptions, add code for an ipv6_privacy option to use
RFC 4193 style pseudo-random addresses (this is what windows does
by default, FYI).

6. Add support for the [NO]RTADV options in ifconfig_getargs() and
ipv6_autoconfif(). In the latter, include support for the explicit
addition of [-]accept_rtadv in ifconfig_<interface>_ipv6 as is done
in the current code.

7. In rc.d/netif add a warning if $ipv6_enable is set, and remove
the set_rcvar_obsolete for it. Also remove the latter from
rc.d/ip6addrctl.

8. In /etc/defaults/rc.conf:

Add an example for RTADV configuration.

Set ipv6_network_interfaces to AUTO.

Switch ipv6_prefer to YES. If ipv6_enable is not set this will have
no effect.

Add a default for ipv6_privacy (NO).

9. Document all of this in rc.conf.5.

Add rc.d script for the rtsold(8) daemon.

The rtsol(8) handles just one RA then exit. So, the OtherConfig flag
may not be handled well by rtsol(8) in the environment where there are
multiple RA servers on the segment. In such case, rtsold(8) will be
your friend.

Reviewed by: hrs
MFC after: 2 weeks

Remove a trailing reference to the obsolete vaps_<IF> variable.

Reviewed by: brooks
MFC after: 3 days

Add support for configuring vlan(4) interfaces as child devices similar to
wlan(4) interfaces. vlan(4) interfaces are listed via a new 'vlans_<IF>'
variable. If a vlan interface is a number, then that number is treated as
the vlan tag for the interface and the interface will be named '<IF>.<tag>'.
Otherwise, the vlan tag must be provided via a vlan parameter in a
'create_args_<vlan>' variable.

While I'm here, fix a few nits in rc.conf(5) and mention create_args_<IF> in
the description of cloned_interfaces.

Reviewed by: brooks
MFC after: 2 weeks

- Add AF_IPX and AF_NATM to afexists().

- Add afexists() check to address family specific rc.d scripts. A
script for an AF will be silently ignored if the kernel has no
support for the AF.

Fix several logic bugs in the previous IPv6 variable change and
re-add $ipv6_enable support for backward compatibility. From
UPDATING:

1. To use IPv6, simply define $ifconfig_IF_ipv6 like $ifconfig_IF
for IPv4. For aliases, $ifconfig_IF_aliasN should be used.
Note that both variables need the "inet6" keyword at the head.

Do not set $ipv6_network_interfaces manually if you do not
understand what you are doing. It is not needed in most cases.

$ipv6_ifconfig_IF and $ipv6_ifconfig_IF_aliasN still work, but
they are obsolete.

2. $ipv6_enable is obsolete. Use $ipv6_prefer and/or
"inet6 accept_rtadv" keyword in ifconfig(8) instead.

If you define $ipv6_enable=YES, it means $ipv6_prefer=YES and
all configured interfaces have "inet6 accept_rtadv" in the
$ifconfig_IF_ipv6. These are for backward compatibility.

3. A new variable $ipv6_prefer has been added. If NO, IPv6
functionality of interfaces with no corresponding
$ifconfig_IF_ipv6 is disabled by using "inet6 ifdisabled" flag,
and the default address selection policy of ip6addrctl(8)
is the IPv4-preferred one (see rc.d/ip6addrctl for more details).
Note that if you want to configure IPv6 functionality on the
disabled interfaces after boot, first you need to clear the flag by
using ifconfig(8) like:

ifconfig em0 inet6 -ifdisabled

If YES, the default address selection policy is set as
IPv6-preferred.

The default value of $ipv6_prefer is NO.

4. If your system need to receive Router Advertisement messages,
define "inet6 accept_rtadv" in $ifconfig_IF_ipv6. The rc(8)
scripts automatically invoke rtsol(8) when the interface becomes
UP. The Router Advertisement messages are used for SLAAC
(State-Less Address AutoConfiguration).

Add missing comments and whitespace clean-ups.

Integrate rc.d/network_ipv6 into rc.d/netif:

- Add rc.d/stf and rc.d/faith for stf(4) and faith(4).
- Remove rc.d/auto_linklocal and rc.d/network_ipv6.
- Move rc.d/sysctl to just before FILESYSTEMS because rc.d/netif
depends on some sysctl variables.

Reviewed by: brooks
MFC after: 3 days

In the loop through the list of interfaces in network6_interface_setup()
rtsol_interface gets reset to "yes" each time through the loop, but
rtsol_available does not. If a user has lo0 first in their list of
interfaces rtsol_available will get set to "no" the first time through
the loop and subsequent interfaces will not get rtsol'ed when they should.

Therefore change the conditional for the is_wired() test to _interface.

Noticed by: Dimitry Andric <dimitry@andric.com>

Improve the case test to detect the presence of lo0 in the list of
network_interfaces.

Submitted by: Christoph Mallon <christoph.mallon@gmx.de>

Prior to the dire warning about values of network_interfaces other than
AUTO the biggest mistake users made was leaving lo0 off the list. Since
lo0 is effectively mandatory, check for it and add it to the list if
it's not there.

Move is_wired_interface() from rc.d/wpa_supplicant into network.subr,
simplify it a bit, and make use of that method to determine if an
interface is a candidate for IPv6 rtsol rather than listing all of the
possible wireless interfaces that should _not_ get rtsol'ed.

This change is only relevant for 8.0+ unless the "wlan mandatory" code
gets ported back to RELENG_7.

rtsol should not be run on the wireless NIC interfaces directly,
it will run on wlan0 instead.

Eliminate the warning that "Values of network_interfaces other than
AUTO are deprecated.' There is no good reason to deprecate them, and
setting this to different values can be useful for custom solutions
and/or one-off configuration problems.

Add support for setting the debug flags on wlan interfaces after the are
created using wlandebug_<ifn> variables.

Check for NOAUTO on child interfaces (eg wlanX) so they can be created via
rc.conf but not necessarily started.

Remove compat support for vaps_<ifn> and vap_create_<ifn> variables as
promised in r178527. These variables were never in a release version.

Reminded by: sam

Implement a "quiet" mode for rc.d/netif, which only outputs
the interface name of interfaces that were configured.

This change has the added benefit that ifn_start() and
ifn_stop() in network.subr no longer write to standard output.
Whether to output and what to output is now handled entirely
in rc.d/netif.

Add a missing space between a variable and the ] for a test

Change the default value of synchronous_dhclient to NO.

To preserve the existing behavior of etc/rc.d/netif, add code to wait
up to if_up_delay seconds (30 seconds by default) for a default route to
be configured if there are any dhcp interfaces. This should be extended
to test that the interface is actually up.

X-MFC after:

Fix last commit and call childif_destroy() correctly.

Don't print the interface status if we only create child or destroy
interfaces.

Correctly return status from childif_create().

Emit a warning when the network_interfaces variable is not set to AUTO.

MFC after: 3 days

Replace the prototype vaps_<ifn> and vap_create_<ifn> variables with
more wlans_<ifn> and create_args_<ifn>

Add documentation for these variants and generally update the wireless
device example.

There is are very short lived shim from vaps_<ifn> which produces
a warning and vap_create_<ifn> which does not. Misuse the MFC
notification service to remind me to remove them.

MFC after: 3 weeks

rc support for vaps

Support gif_interface values that don't follow the pattern gif###.
Remove ancient compatablity support for gif_interface="NO".

Change wpa_supplicant to down the interface at the start of the init routine.
wpa_supplicant expects that it has exclusive access to the net80211 state so
when its starts poking in the WEP/WPA settings and the card is already
scanning it can cause net80211 to try and associate incorrectly with a
protected AP.

This is an inconvenience for firmware based cards such as iwi where it can be
sent an auth instruction with incomplete security info and cause a firmware
error.

Remove the 'ifconfig up' from network.subr since wpa_supplicant will
immediately down the interface again.

Reported by: Guy Helmer (and others)
Reviewed by: sam, brooks, avatar
MFC after: 3 days

Do not attempt to load the kernel module when checking if an interface exists.

This would cause pseudo network modules to be reloaded again when trying to
unload the first time if any cloned interfaces exist.

MFC after: 2 weeks

Back out network.subr :- fix and comment out dhc*_fxp0 examples instead

Submitted by: jhb

Fix get_if_var() with 3 args (i.e. with default)

All xxx_<ifname> flags are set to empty strings automatically earlier so
eval echo \${${prefix}${_if}${suffix}-${_default}}
not substitute the default but return just the empty string.
Fix it using
eval echo \${${prefix}${_if}${suffix}:-${_default}}
(i.e. treat empty strings as unset)

The bug manifistates itself with the following warning from checkyesno():
/etc/rc.d/dhclient: WARNING: $background_dhclient is not set properly -
see rc.conf(5)

Add support for EtherChannel configuration to rc startup scripts.

Note: This also deprecates "NO" as a way to specify an empty list of
interfaces for gif_interfaces.

PR: conf/104884
Submitted by: nork
Harassed by: brd
Discussed with: brooks, dougb

Do not try to rtsol on pflog or pfsync devices.

Restore the behavior that net.inet6.ip6.auto_linklocal=0 could
be coexist with ipv6_enable="YES".

MFC after: 3 days

Turn off automatic link local address if ipv6_enable is not set to YES
in rc.conf

Reviewed by: KAME core team, cperciva
MFC after: 3 days

Introduce a new method ipv6if which attemptes to figure out if an
interface is an IPv6 interface.

Use this method to decide if we should attempt to configure an interface
with an IPv6 address in pccard_ether. The mechanism pccard_ether uses
to do this is unsuited to the task because it assumes the list of
interfaces it is passed is the full list of IPv6 interfaces and makes
decissions based on that. This is at least a step in the right
direction and is probably about as much as we can MFC safely.

PR: conf/103428
MFC after: 3 days

Introduce a new function, ifexists and use it to avoid attempting to
touch interfaces that don't actually exist in the stop case. In the
process move some IPv4 specific code from ifconfig_down to ipv4_down.

This should solve problems with ifconfig: error messages on boot when
interfaces are renamed.

Spell synchronous with required silent 'h'.

Reported by: ru, ceri
Pointy hat: brooks

Add missing _ to $_punct.

Submitted by: Dmitry Pryanishnikov <dmitry at atlantis.dp.ua>

Commit the various network interface configutation updates I've been
working on.
1) Make it possible to configure interfaces with certain characters in
their names that aren't valid in shell variables. Currently supported
characters are ".-/+". They are converted into '_' characters.
2) Replace nearly all eval statements in network.subr with a new
function get_if_var which substitues an interface name (after the
translations above) for "IF" in a variable name.
3) Fix list_net_interfaces() in the nodhcp case.
4) Allow the administrator to specify if dhclient should be started
when /etc/rc.d/netif configures the interface or only by devd.
This can be set on both a per interface and system wide basis.

PR: conf/88974 [1,2], conf/92433 [1,2]

Add a new configuration variable, ipv4_addrs_<ifn>, which adds one or
more IPv4 address from a ranged list in CIRD notation:

ipv4_addrs_ed0="192.168.0.1/24 192.168.1.1-5/28"

In the process move alias processing into new ipv4_up/down functions to
more toward a less IPv4 centric world.

Submitted by: Philipp Wuensche <cryx dash freebsd at h3q dot com>

- Alwasy explicitly bring the interface up before configuring it.
- If an interface's ifconfig_<ifn> is set, but empty, don't set it to
ifconfig_DEFAULT. This way interfaces can be disabled even in the
presence of ifconfig_DEFAULT.
- When listing interfaces and network_interfaces=auto, place lo0 first
if it's around.

Support ifconfig_<ifn> variables containing quoted variables with spaces
in them by wrapping the ifconfig command with eval "...".

For example, this allows:

ifconfig_iwi0="DHCP ssid 'foo bar baz'"

- Remove the removable_interfaces variable. /etc/pccard_ether will
now run on any interface.
- Add a new ifconfig_<ifn> keyword, NOAUTO which prevents configuration
of an interface at boot or via /etc/pccard_ether. This allows
/etc/rc.d/netif to be used to start and stop an interface on a purely
manual basis. The decision to affect pccard_ether may be revisited at
a later date.

Requested by: imp, gallatin (removable_interfaces)
Discussed with: sam, Randy Bush (NOAUTO)

- Remove the pccard_ifconfig variable in favor of a new
ifconfig_DEFAULT variable. Unlike pccard_ifconfig, ifconfig_DEFAULT
applies to all interfaces that do not specify an ifconfig_<ifn>
variable rather than just those listed in removable_interfaces.
- Correct the list of interfaces when network_interfaces and
removable_interfaces are both set by including removable_interfaces
in the list of canidates.
- When listing dhcp interfaces, include those with other ifconfig
options so nat works.

Approved by: re (network interface startup blanket)

Add support for starting wpa_supplicant by adding the WPA keyword to an
interface's ifconfig_<ifn> entry in /etc/rc.conf.

Approved by: re (network interface startup blanket)

Fix return values of ifconfig_up/down.

Reported by: Andrea Campi

Support code for the OpenBSD dhclient. This significantly changes the
way interfaces are configured. Some key points:

- At startup, all interfaces are configured through /etc/rc.d/netif.
- ifconfig_<if> variables my now mix real ifconfig commands the with
DHCP and WPA directives. For example, this allows media
configuration prior to running dhclient.
- /etc/rc.d/dhclient is not run at startup except by netif to start
dhclient on specific interfaces.
- /etc/pccard_ether calls "/etc/rc.d/netif start <if>" to do most of
it's work.
- /etc/pccard_ether no longer takes additional arguments to pass to
ifconfig. Instead, ifconfig_<if> variables are now honored in favor
of pccard_ifconfig when available.
- /etc/pccard_ether will only run on interfaces specified in
removable_interfaces, even if pccard_ifconfig is set.

'all' argument for list_net_interfaces() is now unused, remove it.

Use "ifconfig -l" instead of "list_network_interfaces all" in
ifnet_rename() to support situations where rc.conf's $network_interfaces
variable is set to an explicit list of network interfaces (instead of
the default "auto").

Using "list_network_interfaces all" resulted in using
$network_interfaces for both interface _renaming_ and interface
_configuration_ which obviously cannot work either before (if the
new name is in $network_interfaces) or after (if the old name is in
$network_interfaces) renaming the interface.

fix typo: s/intefraces/interfaces/

Allow to change interfaces name on boot time.
Now, one should be able to put something like this into /etc/rc.conf:

ifconfig_fxp0_name="net0"
ifconfig_net0="inet 10.0.0.1/16"

Reviewed by: green

Avoid double appearing of cloned interfaces in the output
from list_net_interfaces() when network_interfaces=auto.

Rationale: Since the auto case is special, the lesser evil
had to be chosen among not adding cloned interfaces to
_tmplist or removing duplicates from _tmplist after adding
cloned interfaces. Since list_net_interfaces() must not use
/usr/bin tools, the former "evil" appeared clearer and much
more efficient. (See the PR audit trail for discussion.)

PR: conf/63700
Reviewed by: brooks
MFC after: 5 days

Fix a typo in a variable name.

Removed whitespace at BOF, EOL & EOF.

Improve the handling dhcp handling of pccard_ether.

There are now many configurations which have a NIC on board, and
pccard slots. If a dhclient is running on the internal nic, the
Improve the handling dhcp handling of pccard_ether.

Improve the dhcp handling of pccard_ether.

There are now many configurations which have a NIC on board and
Improve the dhcp handling of pccard_ether.

There are now many configurations which have a NIC on board and
cardbus slots too. If a dhclient was already running on the internal
NIC, the user was forced to kill a running dhclient manually.

If now a pccard is included at startup time, /etc/rc.d/dhclient
start does include it into the startup list for dhcp devices.
That means you can now do dhcp on the internal and the pccard devices
at the same time. If the card is plugged in later, a running dhclient
(working for the internal interface only) is killed, and restarted,
but the interface name of the new pccard is added to the internal
name. After removal, /etc/rc.d/dhclient is started again. This
script does nothing if there are no devices in /etc/rc.conf

This is only a workaround for a well known problem. After we have
a dhcp client which handles device adding and removal, it will go
away.

add rtsol_flags.

MFC after: 1 week

Check by [ $? -eq 0 ] rather than $?.

Reviewed by: mtm

o Fix a typo
o Fill in the ipx_down() routine.

Submitted by: ceri

- Remove a debugging echo.
- When we change the IFS make sure to return it to its previous
value before executing a command.

Implement *_down network routines for ifconfig'ed interfaces, cloned
interfaces, interface aliases, user supplied ifconfig scripts, and
ipx interfaces. The ipx routine fails unconditionaly at the moment.
Someone who has a need for it can fill it in with the appropriate incantations.

pccard_ether didn't setup IPv6 after rcTOS sweep.

Reviewed by: mtm and dougb
Approved by: re (scott)

Break out and rewrite the network setup scripts.
o /etc/network.subr contains common subroutines used for seting
up network interfaces
o rc.d/hostname sets the hostname if not already set
o rc.d/nisdomain sets the nis domain *after* rpcbind but
before the yp* daemons. This fixes issues with temporary
hangs when looking up informaion in nis before it's ready.
o rc.d/netif brings network interfaces (minus dhcp) up.
o rc.d/network1 has been disabled and will be retired before
RELENG_5. It will be replaced by rc.d/netif

Approved by: markm (mentor)

Back out 1.143 and 1.144. They are no longer needed now that we start
devd later in the boot process. This should fix all the problems
people have had with those commits. Diskless should be working again,
and those that mount /usr with nfs should be able to do that again too.

o Don't consider LOOPBACK devices as configured...

o redirect the grep to /dev/null
o use ifn rather than interface in rc.network
o merge into rc.d/network1

Approved by: (re blanket)

Fix style bugs:
* Space -> tabs conversion.
* Removed blanks before semicolon in "if ... ; then".
* Proper indentation of misindented lines.
* Put a full stop after some comments.
* Removed whitespace at end of line.

Approved by: silence from gordon

up gif during setup.

Correct comment

Submitted by: Mike Makonnen <makonnen@pacbell.net>

Remove spurious "echo '.'".

Make nisdomainname=NO DTRT

Submitted by: des, via Mike Makonnen <makonnen@pacbell.net>

Cleanup some pollution from the NetBSD sync, and add gif setup.

Submitted by: Mike Makonnen <makonnen@pacbell.net>

Fix a typo that caused dhclient not to work.

Submitted by: Dennis Kristensen <snicki@snicki.dk>
Reviewed by: Mike Makonnen <makonnen@pacbell.net>

Merge in all the changes that Mike Makonnen has been maintaining for a
while. This is only the script pieces, the glue for the build comes next.

Submitted by: Mike Makonnen <makonnen@pacbell.net>
Reviewed by: silence on -current and -hackers
Prodded by: rwatson

Cosmetic changes to the previous commit, bringing it closer to what I
already had in my tree but didn't want to commit.

Since sshd expects /etc/ssh/ssh_host_rsa_key to exist, we had better
create it. Also specify protocol v1/v2 in case people wonder why we
generate two RSA keys.

The good news is that my initial PR was correct... the bad news is that I
was apparently smoking something when I committed the last fix, because as
ume was kindly enough to set me straight on, amd *will* start with no
arguments at all, as long as there is an /etc/amd.conf file for it to
read. What it won't do is start with *just* -p.

In any case, now it's fixed.

Don't try to generate ssh keys if ssh isn't installed.

IPFilter may need to be re-sync'ed even if we are not filtering, but
only doing ipnat(8). Go back to using $ipfilter_active, but turn off
$ipfilter_active when loading ipl.ko has failed.

Submitted by: devet@devet.org (Arjan de Vet)
MFC after: 3 days

Answer the question posed in 1.126. amd won't start without either a
conf file, or command line options. I brought this up in PR 12432,
which (ironically) obrien assigned to me after I became a committer. :)

PR: conf/12432
Submitted by: Me

The reload of ipf(8) rules should depend on $ipfilter_enable, not
$ipfilter_active. $ipfilter_enable is set to "NO" if modules fail to
load, and $ipfilter_active can be "YES" when we are not using ipf(8).

MFC after: 3 days

Background the startup of `Amd', it often blocks on startup.

Why shouldn't amd always write its PID to a file?
Since I cannot answer that question, make it.

Redirect stdout of `ipf -y' to /dev/null. This removes a stray
"filter sync'd" in the middle of the boot output if IPFilter is
enabled, but does not hide any potential errors, which go to stderr.

There is no reason to demand the administrator set 'natd_interface'
when running natd(8) out of the rc-files. It is perfectly valid for
the interface or alias address to be set in a natd(8) configuration
file, not on the command line. Also, loosen up the restrictions on
identifying an IP address argument in 'natd_interface.'

Fix the documentation, rc.conf(5), to reflect this change.

Take the bogus default for 'natd_interface' out of /etc/defaults/rc.conf.

MFC after: 3 days

peter points out that we probably should not mess with the sysctl(8)
values at all if they are not purposefully set. What if the
administrator messed with them in /etc/sysctl.conf? We don't want to
overwrite them.

If 'log_in_vain' is zero, do not force the issue. If it is non-zero,
set it.

(forced commit)

The previous change is subject to:

MFC after: 1 month

Register amd's dependency on NFS.

This change was submitted to the freebsd-audit mailing list for review
but received no feedback. Hindsight-enabled reviews are welcome.

PR: conf/31358
Submitted: Thomas Quinot <thomas@cuivre.fr.eu.org>

Make the rc.conf(5) 'log_in_vain' knob an integer.

Try this out in -CURRENT, MFC, and then consider dropping the
'log_in_vain' knob all together. It really is something for
sysctl.conf(5).

PR: bin/32953
Reviewed by: -bugs discussion
MFC after: 1 week

rpc.lockd needs rpc.statd to be running for it to start up properly.
so swap the order.

Also allow rpc.lockd and rpc.statd to be turned on if nfsclient is
enabled. They are needed to provide client side locking support.

PR: conf/27811

s/sysctl -w/sysctl/

o Update rc.network to reflect the recent change of default in the
kernel TCP timer code: rather than checking for tcp_keepalive being
set to "YES", check for "NO" and turn off keepalives if the variable
is set in that manner.

o Note: eventually, it would make sense to remove this variable from
rc.conf management, and instead rely on sysctl.conf. In fact, this
is probably true of a number of rc.conf variables whose sole aim
is to drive the setting of sysctls at boot time.

Protect the '*' in pppoed_provider (the default) from metacharacter
expansion in the rc-scripts.

PR: 32552
Submitted by: Gleb Smirnoff <glebius@rinet.ru>
Approved by: ru
Obtained from: ru
MFC after: 1 day

Spelling police: sucessful -> successful.

(Forced commit to list actual problems fixed / PRs affected).

Overview of problems fixed:

- fix support for saving and restoring filter/NAT state information
(across reboots for example);

- ipmon(8) is started before loading any filter/NAT rules;

- ipmon(8) and ipfs(8) do not solely depend on ipfilter_enable anymore,
they now also work when only ipnat_enable is true;

- the multiple occurrences of code loading the ipfilter kernel module
have been removed;

- the options have been removed from the _program variables in
defaults/rc.conf and the comments in that file have been updated to
reflect (possibly new) reality;

- the rc.conf.5 manual page has been updated to reflect the changes.

Submitted by: Arjan de Vet <devet@devet.org>
PR: conf/25223, kern/25344, conf/25809,
conf/26275, bin/27016, conf/31482

Resolve all the ipfilter startup issues in rc.network with one big patch
to get it all right, allowing ipnat to be enabled independantly of ipfilter
in rc.conf (among other things).

PR: multiple
Submitted by: Arjan de Vet <devet@devet.org>
Reviewed by: Giorgos Keramidas <keramida@FreeBSD.org>

Avoid unnecessary calls to expr(1) by using standard shell arithmetic
expansion instead.

Update the nsswitch.conf -> host.conf generator to handle criteria,
continuation lines, extra whitespace, and to use the last matching
line in the file. This syncs the host.conf generation with how
the nsswitch.conf is parsed.
Only print " host.conf" instead of a multi-line message, since this
happens on every boot.

Modify the way host.conf and nsswitch.conf are treated at boot time:

- if nsswitch.conf exists, host.conf is auto-generated for compatibility
with legacy applications and libraries.

- if host.conf exists but nsswitch.conf does not, nsswitch.conf is auto-
generated as usual.

Do an ipf -y after bringing up ppp to ensure rules which mention ppp get
matched. Moification on PR to handle ipnat not being dependant on
ipfilter_enable

PR: 22859

Allow ipnat_enable to be set to "yes" without requiring ipfiltre_enable to
be set to "yes"

PR: 25223

Put in place for using ipfs use on shutdown and startup.

PR: 27070

Handle the lack of nfs server or client support in the kernel by
kldload'ing the appropriate modules before enabling the service.

Remove references to nfsiod and nfs_client_flags now that they are
obsolete.

Submitted by: Gordon Tetlow <gordont@gnf.org>

Add a new rc.conf variable, cloned_interfaces, to create cloned
interfaces at boot.

The vfs.nfs.bufpackets sysctl is in the client, not the server. Move it
to the client section. Turn off nfsiod, it no longer exists (now just
kthreads). I need revisit nfsiod so that we have an argument passthrough.

Merge in patch to automagically decide whether or not a kldload of ipfilter
is required into rc.network.

Person failed to use a real name so both email addresses from PR included
(Sent was different to From).

PR: 22998
Submitted by: dl@leo.org/spock@empire.trek.org

Upgraded launchpad for kerberos. Noe kerberos IV OR kerberos 5
may be started at boot for kerberos servers.

Create gif devices in the "gifconfig" stage while configuring them.

Reviewed by: ru, ume
Obtained from: NetBSD
MFC after: 1 week

Fix misindented esac.

MFC after: 1 week

Sync with recent KAME.
This work was based on kame-20010528-freebsd43-snap.tgz and some
critical problem after the snap was out were fixed.
There are many many changes since last KAME merge.

TODO:
- The definitions of SADB_* in sys/net/pfkeyv2.h are still different
from RFC2407/IANA assignment because of binary compatibility
issue. It should be fixed under 5-CURRENT.
- ip6po_m member of struct ip6_pktopts is no longer used. But, it
is still there because of binary compatibility issue. It should
be removed under 5-CURRENT.

Reviewed by: itojun
Obtained from: KAME
MFC after: 3 weeks

Add a missing \n

Submitted by: Andre Albsmeier <andre.albsmeier@mchp.siemens.de>
PR: 28014
MFC after: 1 week

Move gif_interfaces from an IP6 option to a regular IP option.

PR: 26543
Submitted by: Brooks Davis <brooks@one-eyed-alien.net>
MFC after: 3 weeks

Restore the RSA host key to /etc/ssh/ssh_host_key.
Also fix $FreeBSD$ spamage in crypto/openssh/sshd_config rev. 1.16.

Link /etc/ssh/ssh_host_key to /etc/ssh/ssh_host_rsa_key to deal with
gratutious changes in the latest SSH

Reviewed by: obrien
Approved by: obrien

s/ssh_host_key/ssh_host_rsa_key/ since that is what openssh uses now
after a mergemaster.

Axe TCP_RESTRICT_RST. It was never a particularly good idea except for a few
very specific scenarios, and now that we have had net.inet.tcp.blackhole for
quite some time there is really no reason to use it any more.

(second of three commits)

Bring in a hybrid of SunSoft's transport-independent RPC (TI-RPC) and
associated changes that had to happen to make this possible as well as
bugs fixed along the way.

Bring in required TLI library routines to support this.

Since we don't support TLI we've essentially copied what NetBSD
has done, adding a thin layer to emulate direct the TLI calls
into BSD socket calls.

This is mostly from Sun's tirpc release that was made in 1994,
however some fixes were backported from the 1999 release (supposedly
only made available after this porting effort was underway).

The submitter has agreed to continue on and bring us up to the
1999 release.

Several key features are introduced with this update:
Client calls are thread safe. (1999 code has server side thread
safe)
Updated, a more modern interface.

Many userland updates were done to bring the code up to par with
the recent RPC API.

There is an update to the pthreads library, a function
pthread_main_np() was added to emulate a function of Sun's threads
library.

While we're at it, bring in NetBSD's lockd, it's been far too
long of a wait.

New rpcbind(8) replaces portmap(8) (supporting communication over
an authenticated Unix-domain socket, and by default only allowing
set and unset requests over that channel). It's much more secure
than the old portmapper.

Umount(8), mountd(8), mount_nfs(8), nfsd(8) have also been upgraded
to support TI-RPC and to support IPV6.

Umount(8) is also fixed to unmount pathnames longer than 80 chars,
which are currently truncated by the Kernel statfs structure.

Submitted by: Martin Blapp <mb@imp.ch>
Manpage review: ru
Secure RPC implemented by: wpaul

* Add an eval so that ipnat_flags=">/dev/null" works, per the PR
* Do some line length and specify full path cleanups while I'm here

PR: conf/22937
Submitted by: Andre Albsmeier <andre.albsmeier@mchp.siemens.de>

Apply a more consistent style to the echo statements in /etc/ scripts.
* Put quotes around each line
* Single quotes for lines with no variable interpolation
* Double quotes if there is
* Capitalize each word that begins a line
* Make echo -n 'Doing foo:' ... echo '.' more of a standard

No functionality changes

Fixed the reporting of ip_portrange_{first|last}.

Add copyright notices. Other systems have been barrowing our /etc files
w/o giving any credit.

This brings support for IP Filter into rc.network and rc.conf with
the appropriate documentation added to rc.conf(5). If all goes well
with this over the next few weeks, the PR will be closed with the
pullup of patches back to 4-STABLE.

PR: 20202
Submitted by: Gerhard Sittig <Gerhard.Sittig@gmx.net>
Reviewed by: Darren Reed <darrenr@freebsd.org>
Approved by: Darren Reed <darrenr@freebsd.org>
Obtained from: Gerhard Sittig <Gerhard.Sittig@gmx.net>

Use su -m instead of just su to avoid reading the users login profile

Add nsswitch support. By creating an /etc/nsswitch.conf file, you can
configure FreeBSD so that various databases such as passwd and group can be
looked up using flat files, NIS, or Hesiod.

= Hesiod has been added to libc (see hesiod(3)).

= A library routine for parsing nsswitch.conf and invoking callback
functions as specified has been added to libc (see nsdispatch(3)).

= The following C library functions have been modified to use nsdispatch:
. getgrent, getgrnam, getgrgid
. getpwent, getpwnam, getpwuid
. getusershell
. getaddrinfo
. gethostbyname, gethostbyname2, gethostbyaddr
. getnetbyname, getnetbyaddr
. getipnodebyname, getipnodebyaddr, getnodebyname, getnodebyaddr

= host.conf has been removed from src/etc. rc.network has been modified
to warn that host.conf is no longer used at boot time. In addition, if
there is a host.conf but no nsswitch.conf, the latter is created at boot
time from the former.

Obtained from: NetBSD

Fix a whitespace bogon.

Allow a ppp_user specification to run ppp at startup

PR: 20258

Add to, don't overwrite, user-settable mountd_flags.

PR: conf/15745
Submitted by: Vivek Khera <khera@kciLink.com>

Add ip_portrange_first and ip_portrange_last rc.conf/rc.network
options. This allows you to set the standard dynamic port
assignment range prior to any network daemons (like named) starting
up, necessary if you are also using a firewall to restrict lower ports.
will be MFC'd in a few days

Add ipsec_enable and ipsec_file options to run IPSEC's setkey program
with the specified configuration file at the appropriate time.

Remove extraneous ";;" in previous commit

Submitted by: jedgar

Create a DSA host key if one does not already exist, and teach sshd_config
about it.

Add firewall_logging knob to enable/disablle events logging, disabled
by default. Needed mainly for ipfw kernel module to enable logging
disabled there.

Add a sysctl to specify the amount of UDP receive space NFS should
reserve, in maximal NFS packets. Originally only 2 packets worth of
space was reserved. The default is now 4, which appears to greatly
improve performance for slow to mid-speed machines on gigabit networks.

Add documentation and correct some prior documentation.

Problem Researched by: Andrew Gallatin <gallatin@cs.duke.edu>
Approved by: jkh

cosmetic fix - add a space.

Get the order of things right; the keys need to be generated
early to allow entropy to replenish.
sshd must start late to catch the full effects of ldconfig.

Generate new sshd host key when necessary. I'm tired of
waiting for someone to commit this. :)

Run sshd at boot time if the sysadmin wants it. Also install
ssh[d] config files in the right place.

Approved by: jkh
Reviewed by: joerg

The isdnd is able to listen on a socket for isdnmonitor to connect to
it to remotely control it (similar to ppp and pppctl). When this is
enabled in the isdnd config file, it will fail currently because isdnd
is started before the network interfaces are configured.
It is necessary to move the isdnd start after the ifconfig of the network
interfaces, then this problem will not occur.

This is another in Martin Blapp's N-series of mount-related cleanups :)
Changes are:
- rpc.umntall is called at the right places now in /etc/rc*
- rpc.umntall timeout has been lowered from two days (too high) to one
- verbose messages in rpc.umntall have been clarified
- kill double entries in /var/db/mounttab when rpc.umntall is invoked
- ${early_nfs_mounts} has been removed from /etc/rc
- patched mount(8) -p to print different pass/dump values for ufs filesystems.
(last patch recieved from dan <bugg@bugg.strangled.net>)

Submitted by: Martin Blapp <mbr@imp.ch>, dan <bugg@bugg.strangled.net>

xntpd -> ntpd.

Submitted by: ru

Suport multiple ``ifconfig_*?="DHCP"'' configurations.

Currently we have a problem in that `dhclient' bails when configuring the
second interface as port 68 is already in use (by the `dhclient' started
for the first interface).

PR: 14810
Submitted by: n_hibma

Oops, typo

Add pppoed startup options

Add network pass4 - after all local (/usr/local/etc/rc.d f.e.)
daemons started. Move log_in_vain option there. It is needed to avoid
lot of connections to port 80 logged on production WWW server prior
Apache started from /usr/local/etc/rc.d

Add single_mountd_enable hook to run mountd but not NFS server
Needed for machine with CFS but without real NFS

Make the firewall file variable space-safe.

Apply a consistent style to most of the etc scripts. Particularly, use
case instead of test where appropriate, since case allows case is a sh
builtin and (as a side-effect) allows case-insensitivity.

Changes discussed on freebsd-hackers.

Submitted by: Doug Barton <Doug@gorean.org>

Add the net.inet.tcp.restrict_rst and net.inet.tcp.drop_synfin sysctl
variables, conditional on the TCP_RESTRICT_RST and TCP_DROP_SYNFIN kernel
options, respectively. See the comments in LINT for details.

-background is also a legitimate ppp mode. Don't change it to -auto.

$Id$ -> $FreeBSD$

Catch an extra X on DHCP.

Spotted by the eagle eyes of: Pierre DAVID <Pierre.David@prism.uvsq.fr>

Style clean-up:

* All variables are now embraced: ${foo}

* All comparisons against some value now take the form:
[ "${foo}" ? "value" ]
where ? is a comparison operator

* All empty string tests now take the form:
[ -z "${foo}" ]

* All non-empty string tests now take the form:
[ -n "${foo}" ]

Submitted by: jkh

ppp_alias -> ppp_nat

Submitted by: Josef L. Karthauser <joe@FreeBSD.org.uk>

Quieten ppp at startup.

Add net.inet.icmp.log_redirect and net.inet.icmp.drop_redirect, for
respectively logging and dropping ICMP REDIRECT packets.

Note that there is no rate limiting on the log messages, so log_redirect
should be used with caution (preferrably only for debugging purposes).

Start ppp before natd, not afterwards.

Submitted by: Josef L. Karthauser <joe@uk.FreeBSD.org>

Add a default ppp.conf (mode 600).

Originally submitted by: Wayne Self <wself@cdrom.com>

Allow a ppp startup option in rc.conf.

Adjust sysinstall so that it appends to the end of ppp.conf
and uses the generated profile to start ppp in auto mode on
boot.

Submitted by: Josef L. Karthauser <joe@uk.FreeBSD.org>

Allow DHCP to be used in an ifconfig variable instead of the usual
address information, producing the obvious effect (dhcp configuration).

Submitted by: "Sean O'Connell" <sean@stat.Duke.EDU>

Tweak previous commit. Only sense the configuration if network_interfaces
is set to "auto". Any network_interfaces settings will be treated as
before.

Do away with ${network_interfaces} in rc.conf. Just use `ifconfig -l` to
get a list of interfaces, and then automatically configure them if
${ifconfig_${ifn}} or /etc/start_if.${ifn} exists.

This makes it a lot easier to deal with machines that constantly change
their network configuration as you can leave ifconfig settings for all
the possible cards - just the ones that are present will be configured.

If amd_flags is empty, don't add -p as it makes amd abend.

Don't discard error output from sysctl(8).

Do discard standard output from the sysctl for approxy_all, and echo
what this sysctl is doing in the usual way. This fix is probably
backwards. We should probably just use the standard sysctl output
in all cases (it needs to have a newline filtered out).

Echo what the sysctls for nfs_reserved_port_only and nfs_access_cache
are doing.

Add handle to control global TCP keepalives and turn them on as
default.

Despite their name it doesn't keep TCP sessions alive, it kills
them if the other end has gone AWOL. This happens a lot with
clients which use NAT, dynamic IP assignment or which has a 2^32
* 10^-3 seconds upper bound on their uptime.

There is no detectable increase in network trafic because of this:
two minimal TCP packets every two hours for a live TCP connection.

Many servers already enable keepalives themselves.

The host requirements RFC is 10 years old, and doesn't know about
the loosing clients of todays InterNet.

Remove extraneous space
PR: 11096

Allow the user to specify a different firewall script than /etc/rc.firewall.

Add two features:
log_in_vain:
log_in_vain turns on logging for packets to ports for which
there is no listener.
rc.sysctl:
A generic way to set sysctl values. It reads /etc/syslog.conf
and sets values based on that. No /etc/syslog.conf has been
checked in yet, and I've not added this to the makefile yet
until I get more feedback.

Reviewed by: -current, -hackers and bde especially

Move natd from network_pass3 to network_pass1

Add ${lpd_program} and ${portmap_program} as variables in rc.conf, with
suitable defaults pointing to the FreeBSD-shipped versions. This will allow
for easier integration of third-party replacements for these daemons.
Reviewed by: Several members of -committers

Add some special hooks for sppp(4) interfaces. In addition to the
normal ifconfig stuff, one might need to pass down authentication
parameters for them.

This is closely tied to Hellmuth's impending rc patches for ISDN, but
sppp can also be used separately (thus it doesn't go directly into the
planned ISDN section of rc.conf).

Reviewed by: hm

Integrate the ISDN subsystem into the /etc/rc framework
Reviewed by: Joerg Wunsch

Allow rwhod to take flags.

PR: 7705
Submitted by: Johan Karlsson <k@numeri.campus.luth.se>

Direct std{err,out} to /dev/null when invoking sysctl(8) for setting
`nfs_access_cache_timeout'.

Submitted by: Andre Albsmeier <andre.albsmeier@mchp.siemens.de>

Implement the nfs_access_cache variable, allowing us to set the timeout for
the NFS client's ACCESS cache.

kldload ipfw, it's installed always and works on both kernel formats

Here are some scripts and man pages for configuring HARP ATM
interfaces.

Reviewed by: phk
Submitted by: Mike Spengler <mks@networkcs.com>

rc.conf variable $amd_map_program needs to be eval'ed.
PR: misc/7435
Submitted by: David Wolfskill <dhw@whistle.com>

Turn off replies to ICMP echo requests for broadcast and multicast
addresses by default.

Add a knob "icmp_bmcastecho" to "rc.network" to allow this
behaviour to be controlled from "rc.conf".

Document the controlling sysctl variable "net.inet.icmp.bmcastecho"
in sysctl(3).

Reviewed by: dg, jkh
Reminded on -hackers by: Steinar Haug <sthaug@nethelp.no>

tcp_extensions now only applies to RFC1323

In /etc/rc.network, near line 242, setting up Kerberos,
variable "stash_flag" is set. A few lines later, it is evaluated
as "stash_flags" with a trailing "s", and then a bit later the
singular version is unset.

PR: 7609
Reviewed by: phk
Submitted by: Walt Howard <howard@ee.utah.edu>

Allow either an IP address or an interface to be specified in
the rc.conf variable ``natd_interface''. rc.network will
determine whether it is an IP address or an interface name,
and invoke natd with the -a or -n flag as appropriate.

PR: 6947
Reviewed by: jkh@FreeBSD.ORG

Cleanup natd startup test.

PR: 6946
Submitted by: Jacques Vidrine <n@nectar.com>

cosmetic: clean up startup messages and rearrange some options
to go in a more proper order.

Overlooked, that newer naming convention is xxx_program instead of xxx_prog.
So changed it to ntpdate_program and xntpd_program.
Backout last change, now we have again named_program, sorry.

Add variables for the ntpdate and xntpd program, you might want
to run the binaries from the new ntp v4 port.

Jean-Simon Pendry's paper on amd refers to the use of "ypcat -k"
against the "master map" to get the list of mount point/amd map
correspondences, and using that list as command-line arguments to start
amd.

When I tried to do this with the existing /etc/rc* scripts, I found that
I couldn't do this by modifying only /etc/rc.conf: that file gets
sourced very early by /etc/rc, well before any networking functionality
is present, let alone NIS. Further, I wasn't able to figure out a way
to use various levels & types of quoting to defer evaluation of the
string to a point subsequent to NIS initialization.

As a result, I resorted to hacking /etc/rc.network -- but I did it in a
way that ought to be reasonably general, and avoid breakage for anyone
else.

PR: 6387
Reviewed by: phk
Submitted by: David Wolfskill <dhw@whistle.com>

Add natd support.
PR: 6339
Submitted by: cdillon@wolves.k12.mo.us

Enable the SecureRPC bits in rc.conf, if the Administrator wants them.

Allow rarpd to be started from rc.conf
PR: 5457
Submitted by: Andre Albsmeier <andre.albsmeier@mchp.siemens.de>

Remove useless argument to ``. start_if.$ifn''
Pointed out by: Tim Tsai <tim@futuresouth.com>

Add 2 new rc.conf variables:
forward_sourceroute : controls setting of existing net.inet.ip.sourceroute
accept_sourceroute : control setting of new net.inet.ip.accept_sourceroute

Avoid using grep when determining ipfw's default policy -- it may not
be available at this stage of the boot if /usr is NFS mounted.

Don't assume that IP services are disabled just because firewall_enable
is not set to YES in rc.conf.

Noticed by: Mikael Karpberg <karpen@ocean.campus.luth.se>

Add an additional `named_program' variable so that we can easily choose
between 4.9.6 and the port of 8.x.

Compare return code from ipfw against 0 for success instead of == 1
for error.

Pointed out by: Matthew Thyer <thyerm@camtech.net.au>

MF 22s

Allow the system to be configured to pass "-n" to kerberos and
kadmind or not; also, only run kadmind on a non-slave server. Man
page for rc.conf is also updated.

Reviewed by: Mark Murray

Fix some problems in the rules file loading and need for modload detection.

Found by: "James E. Housley" <housley@pr-comm.com>

Reviewed by: msmith, alex
Cosmetic changes to the loading of firewall rules and lkm.

Merge from 2.2 (tcp extensions in phase 1)

Neaten up some things which were inconsistent, add a few more flags
to things which need them, general cleanup.
Submitted by: Brian Somers <brian@awfulhak.org>

Add arp_proxyall knob.
Submitted by: Christoph Kukulies <kuku@gilberto.physik.RWTH-Aachen.DE>

Update the etc world from RELENG_2_2 which is now more up-to-date
(gotta get myself -current again, this is a drag).

Also-fixes-problems-noted-by: Wolfgang Helbig & Joerg Wunsch

Ack, learn to spell "extentions" the same way in the same file.
Also make the output a little less cryptic for sysctl settings.

Suggested by: bde

YAMF22
PR: 3456

YAMF22

Bring in rc file changes from -current.