Copy head@r302406 to stable/11 as part of the 11.0-RELEASE cycle.
Prune svn:mergeinfo from the new branch, as nothing has been merged
here.

Additional commits post-branch will follow.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

- Add descriptions to most of the rc scripts. Those are mostly taken from their
daemon's manpage and probably improved.
- Consistently use "filesystem" not "file system".

Approved by: bapt, brueffer
Differential Revision: D452

Add $ipv6_cpe_wanif to enable functionality required for IPv6 CPE
(r225485). When setting an interface name to it, the following
configurations will be enabled:

1. "no_radr" is set to all IPv6 interfaces automatically.

2. "-no_radr accept_rtadv" will be set only for $ipv6_cpe_wanif. This is
done just before evaluating $ifconfig_IF_ipv6 in the rc.d scripts (this
means you can manually supersede this configuration if necessary).

3. The node will add RA-sending routers to the default router list
even if net.inet6.ip6.forwarding=1.

This mode is added to conform to RFC 6204 (a router which connects
the end-user network to a service provider network). To enable
packet forwarding, you still need to set ipv6_gateway_enable=YES.

Note that accepting router entries into the default router list when
packet forwarding capability and a routing daemon are enabled can
result in messing up the routing table. To minimize such unexpected
behaviors, "no_radr" is set on all interfaces but $ipv6_cpe_wanif.

Approved by: re (bz)

Replace ${SYSCTL_W} with ${SYSCTL} in rc.d scripts, as they are identical.
This is a further clean up after r202988.

SYSCTL_W is still initialized in rc.subr as some ports may still use it.

Add $ipv6_privacy to support net.inet6.ip6.use_tempaddr. Note that this
will be replaced with a per-IF version later.

Based on: changes in r206408 by dougb

Revert changes in r206408.

Discussed with: dougb, core.5, and core.6

Improve the handling of IPv6 configuration in rc.d. The ipv6_enable
and ipv6_ifconfig_<interface> options have already been deprecated,
these changes do not alter that.

With these changes any value set for ipv6_enable will emit a
warning. In order to avoid a POLA violation for the deprecation
of the option ipv6_enable=NO will still disable configuration
for all interfaces other than lo0. ipv6_enable=YES will not have
any effect, but will emit an additional warning. Support and
warnings for this option will be removed in FreeBSD 10.x.

Consistent with the current code, in order for IPv6 to be configured
on an interface (other than lo0) an ifconfig_<interface>_ipv6
option will have to be added to /etc/rc.conf[.local].

1. Clean up and minor optimizations for the following functions:
ifconfig_up (the ipv6 elements)
ipv6if
ipv6_autoconfif
get_if_var
_ifconfig_getargs
The cleanups generally were to move the "easy" tests earlier in the
functions, and consolidate duplicate code.

2. Stop overloading ipv6_prefer with the ability to disable IPv6
configuration.

3. Remove noafif() which was only ever called from ipv6_autoconfif.
Instead, simplify and integrate the tests into that function, and
convert the test to use is_wired_interface() instead of listing
wireless interfaces explicitly.

4. Integrate backwards compatibility for ipv6_ifconfig_<interface>
into _ifconfig_getargs. This dramatically simplifies the code in
all of the callers, and avoids a lot of other code duplication.

5. In rc.d/netoptions, add code for an ipv6_privacy option to use
RFC 4193 style pseudo-random addresses (this is what windows does
by default, FYI).

6. Add support for the [NO]RTADV options in ifconfig_getargs() and
ipv6_autoconfif(). In the latter, include support for the explicit
addition of [-]accept_rtadv in ifconfig_<interface>_ipv6 as is done
in the current code.

7. In rc.d/netif add a warning if $ipv6_enable is set, and remove
the set_rcvar_obsolete for it. Also remove the latter from
rc.d/ip6addrctl.

8. In /etc/defaults/rc.conf:

Add an example for RTADV configuration.

Set ipv6_network_interfaces to AUTO.

Switch ipv6_prefer to YES. If ipv6_enable is not set this will have
no effect.

Add a default for ipv6_privacy (NO).

9. Document all of this in rc.conf.5.

Use double-quotation marks to fix the unexpanded variable issue.

Spotted by: swell.k

The net.inet.tcp.log_in_vain accepts 0, 1 or 2, not Y/N.

- Fix logic inversion bug of net.inet.tcp.rfc1323[*].

- Split netoptions_start() to netoptions_AF() and add afexists() check
for each address family.

- Display a message only if the user sets a non-default value, and set
a sysctl explicitly even if it is the default value.

Spotted by: Pegasus Mc Cleaft[*]

Don't do an IPv6 operation when the kernel doesn't have
an IPv6 support.

Reported by: Alexander Best <alexbestms__at__math.uni-muenster.de>
Confirmed by: Paul B. Mahol <onemda__at__gmail.com>,
Alexander Best <alexbestms__at__math.uni-muenster.de>

Use RCng coding convention.

MFC after: 3 days

As previously discussed, add the svn:executable property to all scripts

Set the sysctl(8) value in the same shell, not a subshell. This was
causing calls to netoptions_init() to not properly set a global variable,
which ended up being in the parent shell.

Do not print anything unless one of the net/routing options is set.

Move options that do not have anything to do with routing out of
rc.d/routing and in to rc.d/netoptions. Also instead of saying
"TCP options" say "IP options".

When rc.d/NETWORKING included this script in its REQUIRE line, a circular
dependency was introduced because this script had rc.d/localpkg (which is
*after* rc.d/NETWORKING) in its REQUIRE line.

From an examination of its contents it seems that only the availability of
a local filesystem is necessary for this script to function properly.

Apply "additional TCP options" earlier.

Requested by: andre@
MFC after: 1 week

Remove the requirement for the FreeBSD keyword as it no longer
makes any sense.

Discussed with: dougb, brooks
MFC after: 3 days

Mark scripts as not usable inside a jail by adding keyword 'nojail'.

Some suggestions from: rwatson, Ruben de Groot <mail25@bzerk.org>

Rename localdaemons to localpkg.
The original name was really a mistake since
/usr/local/etc/rc.d scripts can (and usually do) start
more than just daemons. Even the output in the script
uses 'local packages.' Also, the term 'local daemons' is
used by rc.d/local, which was etc/rc.local of rcOG fame.
No repo-copy because there isn't much history to save.
I will remove localdaemons shortly with all the other
files that don't belong in rc.d anymore.

Discussed with: dougb, freebsd-rc@yahoogroups.com

o Repocopied routing and netoptions from network2 and network3, respectively.
o Change the provider names.
o Separate routing into two parts: static routing and routing options. The
start command will run both parts, but they can be run separately using
the static and options command, respectively:
(/etc/rc.d/routing static; /etc/rc.d/routing options)

Move securelevel further back in the boot order.

Approved by: markm (mentor)(implicit)
Reviewed by: dougb

Fix style bugs:
* Space -> tabs conversion.
* Removed blanks before semicolon in "if ... ; then".
* Proper indentation of misindented lines.
* Put a full stop after some comments.
* Removed whitespace at end of line.

Approved by: silence from gordon

Merge in all the changes that Mike Makonnen has been maintaining for a
while. This is only the script pieces, the glue for the build comes next.

Submitted by: Mike Makonnen <makonnen@pacbell.net>
Reviewed by: silence on -current and -hackers
Prodded by: rwatson

Cosmetic changes to the previous commit, bringing it closer to what I
already had in my tree but didn't want to commit.

Since sshd expects /etc/ssh/ssh_host_rsa_key to exist, we had better
create it. Also specify protocol v1/v2 in case people wonder why we
generate two RSA keys.

The good news is that my initial PR was correct... the bad news is that I
was apparently smoking something when I committed the last fix, because as
ume was kindly enough to set me straight on, amd *will* start with no
arguments at all, as long as there is an /etc/amd.conf file for it to
read. What it won't do is start with *just* -p.

In any case, now it's fixed.

Don't try to generate ssh keys if ssh isn't installed.

IPFilter may need to be re-sync'ed even if we are not filtering, but
only doing ipnat(8). Go back to using $ipfilter_active, but turn off
$ipfilter_active when loading ipl.ko has failed.

Submitted by: devet@devet.org (Arjan de Vet)
MFC after: 3 days

Answer the question posed in 1.126. amd won't start without either a
conf file, or command line options. I brought this up in PR 12432,
which (ironically) obrien assigned to me after I became a committer. :)

PR: conf/12432
Submitted by: Me

The reload of ipf(8) rules should depend on $ipfilter_enable, not
$ipfilter_active. $ipfilter_enable is set to "NO" if modules fail to
load, and $ipfilter_active can be "YES" when we are not using ipf(8).

MFC after: 3 days

Background the startup of `Amd', it often blocks on startup.

Why shouldn't amd always write its PID to a file?
Since I cannot answer that question, make it.

Redirect stdout of `ipf -y' to /dev/null. This removes a stray
"filter sync'd" in the middle of the boot output if IPFilter is
enabled, but does not hide any potential errors, which go to stderr.

There is no reason to demand the administrator set 'natd_interface'
when running natd(8) out of the rc-files. It is perfectly valid for
the interface or alias address to be set in a natd(8) configuration
file, not on the command line. Also, loosen up the restrictions on
identifying an IP address argument in 'natd_interface.'

Fix the documentation, rc.conf(5), to reflect this change.

Take the bogus default for 'natd_interface' out of /etc/defaults/rc.conf.

MFC after: 3 days

peter points out that we probably should not mess with the sysctl(8)
values at all if they are not purposefully set. What if the
administrator messed with them in /etc/sysctl.conf? We don't want to
overwrite them.

If 'log_in_vain' is zero, do not force the issue. If it is non-zero,
set it.

(forced commit)

The previous change is subject to:

MFC after: 1 month

Register amd's dependency on NFS.

This change was submitted to the freebsd-audit mailing list for review
but received no feedback. Hindsight-enabled reviews are welcome.

PR: conf/31358
Submitted: Thomas Quinot <thomas@cuivre.fr.eu.org>

Make the rc.conf(5) 'log_in_vain' knob an integer.

Try this out in -CURRENT, MFC, and then consider dropping the
'log_in_vain' knob all together. It really is something for
sysctl.conf(5).

PR: bin/32953
Reviewed by: -bugs discussion
MFC after: 1 week

rpc.lockd needs rpc.statd to be running for it to start up properly.
so swap the order.

Also allow rpc.lockd and rpc.statd to be turned on if nfsclient is
enabled. They are needed to provide client side locking support.

PR: conf/27811

s/sysctl -w/sysctl/

o Update rc.network to reflect the recent change of default in the
kernel TCP timer code: rather than checking for tcp_keepalive being
set to "YES", check for "NO" and turn off keepalives if the variable
is set in that manner.

o Note: eventually, it would make sense to remove this variable from
rc.conf management, and instead rely on sysctl.conf. In fact, this
is probably true of a number of rc.conf variables whose sole aim
is to drive the setting of sysctls at boot time.

Protect the '*' in pppoed_provider (the default) from metacharacter
expansion in the rc-scripts.

PR: 32552
Submitted by: Gleb Smirnoff <glebius@rinet.ru>
Approved by: ru
Obtained from: ru
MFC after: 1 day

Spelling police: sucessful -> successful.

(Forced commit to list actual problems fixed / PRs affected).

Overview of problems fixed:

- fix support for saving and restoring filter/NAT state information
(across reboots for example);

- ipmon(8) is started before loading any filter/NAT rules;

- ipmon(8) and ipfs(8) do not solely depend on ipfilter_enable anymore,
they now also work when only ipnat_enable is true;

- the multiple occurrences of code loading the ipfilter kernel module
have been removed;

- the options have been removed from the _program variables in
defaults/rc.conf and the comments in that file have been updated to
reflect (possibly new) reality;

- the rc.conf.5 manual page has been updated to reflect the changes.

Submitted by: Arjan de Vet <devet@devet.org>
PR: conf/25223, kern/25344, conf/25809,
conf/26275, bin/27016, conf/31482

Resolve all the ipfilter startup issues in rc.network with one big patch
to get it all right, allowing ipnat to be enabled independantly of ipfilter
in rc.conf (among other things).

PR: multiple
Submitted by: Arjan de Vet <devet@devet.org>
Reviewed by: Giorgos Keramidas <keramida@FreeBSD.org>

Avoid unnecessary calls to expr(1) by using standard shell arithmetic
expansion instead.

Update the nsswitch.conf -> host.conf generator to handle criteria,
continuation lines, extra whitespace, and to use the last matching
line in the file. This syncs the host.conf generation with how
the nsswitch.conf is parsed.
Only print " host.conf" instead of a multi-line message, since this
happens on every boot.

Modify the way host.conf and nsswitch.conf are treated at boot time:

- if nsswitch.conf exists, host.conf is auto-generated for compatibility
with legacy applications and libraries.

- if host.conf exists but nsswitch.conf does not, nsswitch.conf is auto-
generated as usual.

Do an ipf -y after bringing up ppp to ensure rules which mention ppp get
matched. Moification on PR to handle ipnat not being dependant on
ipfilter_enable

PR: 22859

Allow ipnat_enable to be set to "yes" without requiring ipfiltre_enable to
be set to "yes"

PR: 25223

Put in place for using ipfs use on shutdown and startup.

PR: 27070

Handle the lack of nfs server or client support in the kernel by
kldload'ing the appropriate modules before enabling the service.

Remove references to nfsiod and nfs_client_flags now that they are
obsolete.

Submitted by: Gordon Tetlow <gordont@gnf.org>

Add a new rc.conf variable, cloned_interfaces, to create cloned
interfaces at boot.

The vfs.nfs.bufpackets sysctl is in the client, not the server. Move it
to the client section. Turn off nfsiod, it no longer exists (now just
kthreads). I need revisit nfsiod so that we have an argument passthrough.

Merge in patch to automagically decide whether or not a kldload of ipfilter
is required into rc.network.

Person failed to use a real name so both email addresses from PR included
(Sent was different to From).

PR: 22998
Submitted by: dl@leo.org/spock@empire.trek.org

Upgraded launchpad for kerberos. Noe kerberos IV OR kerberos 5
may be started at boot for kerberos servers.

Create gif devices in the "gifconfig" stage while configuring them.

Reviewed by: ru, ume
Obtained from: NetBSD
MFC after: 1 week

Fix misindented esac.

MFC after: 1 week

Sync with recent KAME.
This work was based on kame-20010528-freebsd43-snap.tgz and some
critical problem after the snap was out were fixed.
There are many many changes since last KAME merge.

TODO:
- The definitions of SADB_* in sys/net/pfkeyv2.h are still different
from RFC2407/IANA assignment because of binary compatibility
issue. It should be fixed under 5-CURRENT.
- ip6po_m member of struct ip6_pktopts is no longer used. But, it
is still there because of binary compatibility issue. It should
be removed under 5-CURRENT.

Reviewed by: itojun
Obtained from: KAME
MFC after: 3 weeks

Add a missing \n

Submitted by: Andre Albsmeier <andre.albsmeier@mchp.siemens.de>
PR: 28014
MFC after: 1 week

Move gif_interfaces from an IP6 option to a regular IP option.

PR: 26543
Submitted by: Brooks Davis <brooks@one-eyed-alien.net>
MFC after: 3 weeks

Restore the RSA host key to /etc/ssh/ssh_host_key.
Also fix $FreeBSD$ spamage in crypto/openssh/sshd_config rev. 1.16.

Link /etc/ssh/ssh_host_key to /etc/ssh/ssh_host_rsa_key to deal with
gratutious changes in the latest SSH

Reviewed by: obrien
Approved by: obrien

s/ssh_host_key/ssh_host_rsa_key/ since that is what openssh uses now
after a mergemaster.

Axe TCP_RESTRICT_RST. It was never a particularly good idea except for a few
very specific scenarios, and now that we have had net.inet.tcp.blackhole for
quite some time there is really no reason to use it any more.

(second of three commits)

Bring in a hybrid of SunSoft's transport-independent RPC (TI-RPC) and
associated changes that had to happen to make this possible as well as
bugs fixed along the way.

Bring in required TLI library routines to support this.

Since we don't support TLI we've essentially copied what NetBSD
has done, adding a thin layer to emulate direct the TLI calls
into BSD socket calls.

This is mostly from Sun's tirpc release that was made in 1994,
however some fixes were backported from the 1999 release (supposedly
only made available after this porting effort was underway).

The submitter has agreed to continue on and bring us up to the
1999 release.

Several key features are introduced with this update:
Client calls are thread safe. (1999 code has server side thread
safe)
Updated, a more modern interface.

Many userland updates were done to bring the code up to par with
the recent RPC API.

There is an update to the pthreads library, a function
pthread_main_np() was added to emulate a function of Sun's threads
library.

While we're at it, bring in NetBSD's lockd, it's been far too
long of a wait.

New rpcbind(8) replaces portmap(8) (supporting communication over
an authenticated Unix-domain socket, and by default only allowing
set and unset requests over that channel). It's much more secure
than the old portmapper.

Umount(8), mountd(8), mount_nfs(8), nfsd(8) have also been upgraded
to support TI-RPC and to support IPV6.

Umount(8) is also fixed to unmount pathnames longer than 80 chars,
which are currently truncated by the Kernel statfs structure.

Submitted by: Martin Blapp <mb@imp.ch>
Manpage review: ru
Secure RPC implemented by: wpaul

* Add an eval so that ipnat_flags=">/dev/null" works, per the PR
* Do some line length and specify full path cleanups while I'm here

PR: conf/22937
Submitted by: Andre Albsmeier <andre.albsmeier@mchp.siemens.de>

Apply a more consistent style to the echo statements in /etc/ scripts.
* Put quotes around each line
* Single quotes for lines with no variable interpolation
* Double quotes if there is
* Capitalize each word that begins a line
* Make echo -n 'Doing foo:' ... echo '.' more of a standard

No functionality changes

Fixed the reporting of ip_portrange_{first|last}.

Add copyright notices. Other systems have been barrowing our /etc files
w/o giving any credit.

This brings support for IP Filter into rc.network and rc.conf with
the appropriate documentation added to rc.conf(5). If all goes well
with this over the next few weeks, the PR will be closed with the
pullup of patches back to 4-STABLE.

PR: 20202
Submitted by: Gerhard Sittig <Gerhard.Sittig@gmx.net>
Reviewed by: Darren Reed <darrenr@freebsd.org>
Approved by: Darren Reed <darrenr@freebsd.org>
Obtained from: Gerhard Sittig <Gerhard.Sittig@gmx.net>

Use su -m instead of just su to avoid reading the users login profile

Add nsswitch support. By creating an /etc/nsswitch.conf file, you can
configure FreeBSD so that various databases such as passwd and group can be
looked up using flat files, NIS, or Hesiod.

= Hesiod has been added to libc (see hesiod(3)).

= A library routine for parsing nsswitch.conf and invoking callback
functions as specified has been added to libc (see nsdispatch(3)).

= The following C library functions have been modified to use nsdispatch:
. getgrent, getgrnam, getgrgid
. getpwent, getpwnam, getpwuid
. getusershell
. getaddrinfo
. gethostbyname, gethostbyname2, gethostbyaddr
. getnetbyname, getnetbyaddr
. getipnodebyname, getipnodebyaddr, getnodebyname, getnodebyaddr

= host.conf has been removed from src/etc. rc.network has been modified
to warn that host.conf is no longer used at boot time. In addition, if
there is a host.conf but no nsswitch.conf, the latter is created at boot
time from the former.

Obtained from: NetBSD

Fix a whitespace bogon.

Allow a ppp_user specification to run ppp at startup

PR: 20258

Add to, don't overwrite, user-settable mountd_flags.

PR: conf/15745
Submitted by: Vivek Khera <khera@kciLink.com>

Add ip_portrange_first and ip_portrange_last rc.conf/rc.network
options. This allows you to set the standard dynamic port
assignment range prior to any network daemons (like named) starting
up, necessary if you are also using a firewall to restrict lower ports.
will be MFC'd in a few days

Add ipsec_enable and ipsec_file options to run IPSEC's setkey program
with the specified configuration file at the appropriate time.

Remove extraneous ";;" in previous commit

Submitted by: jedgar

Create a DSA host key if one does not already exist, and teach sshd_config
about it.

Add firewall_logging knob to enable/disablle events logging, disabled
by default. Needed mainly for ipfw kernel module to enable logging
disabled there.

Add a sysctl to specify the amount of UDP receive space NFS should
reserve, in maximal NFS packets. Originally only 2 packets worth of
space was reserved. The default is now 4, which appears to greatly
improve performance for slow to mid-speed machines on gigabit networks.

Add documentation and correct some prior documentation.

Problem Researched by: Andrew Gallatin <gallatin@cs.duke.edu>
Approved by: jkh

cosmetic fix - add a space.

Get the order of things right; the keys need to be generated
early to allow entropy to replenish.
sshd must start late to catch the full effects of ldconfig.

Generate new sshd host key when necessary. I'm tired of
waiting for someone to commit this. :)

Run sshd at boot time if the sysadmin wants it. Also install
ssh[d] config files in the right place.

Approved by: jkh
Reviewed by: joerg

The isdnd is able to listen on a socket for isdnmonitor to connect to
it to remotely control it (similar to ppp and pppctl). When this is
enabled in the isdnd config file, it will fail currently because isdnd
is started before the network interfaces are configured.
It is necessary to move the isdnd start after the ifconfig of the network
interfaces, then this problem will not occur.

This is another in Martin Blapp's N-series of mount-related cleanups :)
Changes are:
- rpc.umntall is called at the right places now in /etc/rc*
- rpc.umntall timeout has been lowered from two days (too high) to one
- verbose messages in rpc.umntall have been clarified
- kill double entries in /var/db/mounttab when rpc.umntall is invoked
- ${early_nfs_mounts} has been removed from /etc/rc
- patched mount(8) -p to print different pass/dump values for ufs filesystems.
(last patch recieved from dan <bugg@bugg.strangled.net>)

Submitted by: Martin Blapp <mbr@imp.ch>, dan <bugg@bugg.strangled.net>

xntpd -> ntpd.

Submitted by: ru

Suport multiple ``ifconfig_*?="DHCP"'' configurations.

Currently we have a problem in that `dhclient' bails when configuring the
second interface as port 68 is already in use (by the `dhclient' started
for the first interface).

PR: 14810
Submitted by: n_hibma

Oops, typo

Add pppoed startup options

Add network pass4 - after all local (/usr/local/etc/rc.d f.e.)
daemons started. Move log_in_vain option there. It is needed to avoid
lot of connections to port 80 logged on production WWW server prior
Apache started from /usr/local/etc/rc.d

Add single_mountd_enable hook to run mountd but not NFS server
Needed for machine with CFS but without real NFS

Make the firewall file variable space-safe.

Apply a consistent style to most of the etc scripts. Particularly, use
case instead of test where appropriate, since case allows case is a sh
builtin and (as a side-effect) allows case-insensitivity.

Changes discussed on freebsd-hackers.

Submitted by: Doug Barton <Doug@gorean.org>

Add the net.inet.tcp.restrict_rst and net.inet.tcp.drop_synfin sysctl
variables, conditional on the TCP_RESTRICT_RST and TCP_DROP_SYNFIN kernel
options, respectively. See the comments in LINT for details.

-background is also a legitimate ppp mode. Don't change it to -auto.

$Id$ -> $FreeBSD$

Catch an extra X on DHCP.

Spotted by the eagle eyes of: Pierre DAVID <Pierre.David@prism.uvsq.fr>

Style clean-up:

* All variables are now embraced: ${foo}

* All comparisons against some value now take the form:
[ "${foo}" ? "value" ]
where ? is a comparison operator

* All empty string tests now take the form:
[ -z "${foo}" ]

* All non-empty string tests now take the form:
[ -n "${foo}" ]

Submitted by: jkh

ppp_alias -> ppp_nat

Submitted by: Josef L. Karthauser <joe@FreeBSD.org.uk>

Quieten ppp at startup.

Add net.inet.icmp.log_redirect and net.inet.icmp.drop_redirect, for
respectively logging and dropping ICMP REDIRECT packets.

Note that there is no rate limiting on the log messages, so log_redirect
should be used with caution (preferrably only for debugging purposes).

Start ppp before natd, not afterwards.

Submitted by: Josef L. Karthauser <joe@uk.FreeBSD.org>

Add a default ppp.conf (mode 600).

Originally submitted by: Wayne Self <wself@cdrom.com>

Allow a ppp startup option in rc.conf.

Adjust sysinstall so that it appends to the end of ppp.conf
and uses the generated profile to start ppp in auto mode on
boot.

Submitted by: Josef L. Karthauser <joe@uk.FreeBSD.org>

Allow DHCP to be used in an ifconfig variable instead of the usual
address information, producing the obvious effect (dhcp configuration).

Submitted by: "Sean O'Connell" <sean@stat.Duke.EDU>

Tweak previous commit. Only sense the configuration if network_interfaces
is set to "auto". Any network_interfaces settings will be treated as
before.

Do away with ${network_interfaces} in rc.conf. Just use `ifconfig -l` to
get a list of interfaces, and then automatically configure them if
${ifconfig_${ifn}} or /etc/start_if.${ifn} exists.

This makes it a lot easier to deal with machines that constantly change
their network configuration as you can leave ifconfig settings for all
the possible cards - just the ones that are present will be configured.

If amd_flags is empty, don't add -p as it makes amd abend.

Don't discard error output from sysctl(8).

Do discard standard output from the sysctl for approxy_all, and echo
what this sysctl is doing in the usual way. This fix is probably
backwards. We should probably just use the standard sysctl output
in all cases (it needs to have a newline filtered out).

Echo what the sysctls for nfs_reserved_port_only and nfs_access_cache
are doing.

Add handle to control global TCP keepalives and turn them on as
default.

Despite their name it doesn't keep TCP sessions alive, it kills
them if the other end has gone AWOL. This happens a lot with
clients which use NAT, dynamic IP assignment or which has a 2^32
* 10^-3 seconds upper bound on their uptime.

There is no detectable increase in network trafic because of this:
two minimal TCP packets every two hours for a live TCP connection.

Many servers already enable keepalives themselves.

The host requirements RFC is 10 years old, and doesn't know about
the loosing clients of todays InterNet.

Remove extraneous space
PR: 11096

Allow the user to specify a different firewall script than /etc/rc.firewall.

Add two features:
log_in_vain:
log_in_vain turns on logging for packets to ports for which
there is no listener.
rc.sysctl:
A generic way to set sysctl values. It reads /etc/syslog.conf
and sets values based on that. No /etc/syslog.conf has been
checked in yet, and I've not added this to the makefile yet
until I get more feedback.

Reviewed by: -current, -hackers and bde especially

Move natd from network_pass3 to network_pass1

Add ${lpd_program} and ${portmap_program} as variables in rc.conf, with
suitable defaults pointing to the FreeBSD-shipped versions. This will allow
for easier integration of third-party replacements for these daemons.
Reviewed by: Several members of -committers

Add some special hooks for sppp(4) interfaces. In addition to the
normal ifconfig stuff, one might need to pass down authentication
parameters for them.

This is closely tied to Hellmuth's impending rc patches for ISDN, but
sppp can also be used separately (thus it doesn't go directly into the
planned ISDN section of rc.conf).

Reviewed by: hm

Integrate the ISDN subsystem into the /etc/rc framework
Reviewed by: Joerg Wunsch

Allow rwhod to take flags.

PR: 7705
Submitted by: Johan Karlsson <k@numeri.campus.luth.se>

Direct std{err,out} to /dev/null when invoking sysctl(8) for setting
`nfs_access_cache_timeout'.

Submitted by: Andre Albsmeier <andre.albsmeier@mchp.siemens.de>

Implement the nfs_access_cache variable, allowing us to set the timeout for
the NFS client's ACCESS cache.

kldload ipfw, it's installed always and works on both kernel formats

Here are some scripts and man pages for configuring HARP ATM
interfaces.

Reviewed by: phk
Submitted by: Mike Spengler <mks@networkcs.com>

rc.conf variable $amd_map_program needs to be eval'ed.
PR: misc/7435
Submitted by: David Wolfskill <dhw@whistle.com>

Turn off replies to ICMP echo requests for broadcast and multicast
addresses by default.

Add a knob "icmp_bmcastecho" to "rc.network" to allow this
behaviour to be controlled from "rc.conf".

Document the controlling sysctl variable "net.inet.icmp.bmcastecho"
in sysctl(3).

Reviewed by: dg, jkh
Reminded on -hackers by: Steinar Haug <sthaug@nethelp.no>

tcp_extensions now only applies to RFC1323

In /etc/rc.network, near line 242, setting up Kerberos,
variable "stash_flag" is set. A few lines later, it is evaluated
as "stash_flags" with a trailing "s", and then a bit later the
singular version is unset.

PR: 7609
Reviewed by: phk
Submitted by: Walt Howard <howard@ee.utah.edu>

Allow either an IP address or an interface to be specified in
the rc.conf variable ``natd_interface''. rc.network will
determine whether it is an IP address or an interface name,
and invoke natd with the -a or -n flag as appropriate.

PR: 6947
Reviewed by: jkh@FreeBSD.ORG

Cleanup natd startup test.

PR: 6946
Submitted by: Jacques Vidrine <n@nectar.com>

cosmetic: clean up startup messages and rearrange some options
to go in a more proper order.

Overlooked, that newer naming convention is xxx_program instead of xxx_prog.
So changed it to ntpdate_program and xntpd_program.
Backout last change, now we have again named_program, sorry.

Add variables for the ntpdate and xntpd program, you might want
to run the binaries from the new ntp v4 port.

Jean-Simon Pendry's paper on amd refers to the use of "ypcat -k"
against the "master map" to get the list of mount point/amd map
correspondences, and using that list as command-line arguments to start
amd.

When I tried to do this with the existing /etc/rc* scripts, I found that
I couldn't do this by modifying only /etc/rc.conf: that file gets
sourced very early by /etc/rc, well before any networking functionality
is present, let alone NIS. Further, I wasn't able to figure out a way
to use various levels & types of quoting to defer evaluation of the
string to a point subsequent to NIS initialization.

As a result, I resorted to hacking /etc/rc.network -- but I did it in a
way that ought to be reasonably general, and avoid breakage for anyone
else.

PR: 6387
Reviewed by: phk
Submitted by: David Wolfskill <dhw@whistle.com>

Add natd support.
PR: 6339
Submitted by: cdillon@wolves.k12.mo.us

Enable the SecureRPC bits in rc.conf, if the Administrator wants them.

Allow rarpd to be started from rc.conf
PR: 5457
Submitted by: Andre Albsmeier <andre.albsmeier@mchp.siemens.de>

Remove useless argument to ``. start_if.$ifn''
Pointed out by: Tim Tsai <tim@futuresouth.com>

Add 2 new rc.conf variables:
forward_sourceroute : controls setting of existing net.inet.ip.sourceroute
accept_sourceroute : control setting of new net.inet.ip.accept_sourceroute

Avoid using grep when determining ipfw's default policy -- it may not
be available at this stage of the boot if /usr is NFS mounted.

Don't assume that IP services are disabled just because firewall_enable
is not set to YES in rc.conf.

Noticed by: Mikael Karpberg <karpen@ocean.campus.luth.se>

Add an additional `named_program' variable so that we can easily choose
between 4.9.6 and the port of 8.x.

Compare return code from ipfw against 0 for success instead of == 1
for error.

Pointed out by: Matthew Thyer <thyerm@camtech.net.au>

MF 22s

Allow the system to be configured to pass "-n" to kerberos and
kadmind or not; also, only run kadmind on a non-slave server. Man
page for rc.conf is also updated.

Reviewed by: Mark Murray

Fix some problems in the rules file loading and need for modload detection.

Found by: "James E. Housley" <housley@pr-comm.com>

Reviewed by: msmith, alex
Cosmetic changes to the loading of firewall rules and lkm.

Merge from 2.2 (tcp extensions in phase 1)

Neaten up some things which were inconsistent, add a few more flags
to things which need them, general cleanup.
Submitted by: Brian Somers <brian@awfulhak.org>

Add arp_proxyall knob.
Submitted by: Christoph Kukulies <kuku@gilberto.physik.RWTH-Aachen.DE>

Update the etc world from RELENG_2_2 which is now more up-to-date
(gotta get myself -current again, this is a drag).

Also-fixes-problems-noted-by: Wolfgang Helbig & Joerg Wunsch

Ack, learn to spell "extentions" the same way in the same file.
Also make the output a little less cryptic for sysctl settings.

Suggested by: bde

YAMF22
PR: 3456

YAMF22

Bring in rc file changes from -current.