Fix devfs rules not applied by default for jails.

Fix OpenSSL use-after-free vulnerability.

Fix TCP reassembly vulnerability.

Security: FreeBSD-SA-14:07.devfs
Security: CVE-2014-3001
Security: FreeBSD-SA-14:08.tcp
Security: CVE-2014-3000
Security: FreeBSD-SA-14:09.openssl
Security: CVE-2010-5298
Approved by: so

- Copy stable/10 (r259064) to releng/10.0 as part of the
10.0-RELEASE cycle.
- Update __FreeBSD_version [1]
- Set branch name to -RC1

[1] 10.0-CURRENT __FreeBSD_version value ended at '55', so
start releng/10.0 at '100' so the branch is started with
a value ending in zero.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Merge r257694 from head:

Remove remnants of BIND from /etc, since there is no BIND in base now.

Sorry, that would break users running head and BIND from ports, since
ports rely on these scripts. The ports will be fixed soon.

Approved by: re (kib)

MFC r257361:
Fix compatibility function for old daily_status_security_${name}_enable
variables.

PR: conf/183137

MFC r257364:
Fix indentation.

Approved by: re (gjb)

MFC r256773:
Enable the automatic creation of a certificate (if one does not exists)
and enable the usage by sendmail if sendmail is enabled.

Reviewed by: gshapiro
Approved by: re (gjb)

MFC r256775,r256776:
Add support for "first boot" rc.d scripts.

Document this new functionality in rc.conf(5) and rc(8).

Bump __FreeBSD_version so that ports can make use of this.

Approved by: re (gjb)

Merge from project branch via main. Uninteresting commits are trimmed.

Refactor of /dev/random device. Main points include:

* Userland seeding is no longer used. This auto-seeds at boot time
on PC/Desktop setups; this may need some tweeking and intelligence
from those folks setting up embedded boxes, but the work is believed
to be minimal.

* An entropy cache is written to /entropy (even during installation)
and the kernel uses this at next boot.

* An entropy file written to /boot/entropy can be loaded by loader(8)

* Hardware sources such as rdrand are fed into Yarrow, and are no
longer available raw.

------------------------------------------------------------------------
r256240 | des | 2013-10-09 21:14:16 +0100 (Wed, 09 Oct 2013) | 4 lines

Add a RANDOM_RWFILE option and hide the entropy cache code behind it.
Rename YARROW_RNG and FORTUNA_RNG to RANDOM_YARROW and RANDOM_FORTUNA.
Add the RANDOM_* options to LINT.

------------------------------------------------------------------------
r256239 | des | 2013-10-09 21:12:59 +0100 (Wed, 09 Oct 2013) | 2 lines

Define RANDOM_PURE_RNDTEST for rndtest(4).

------------------------------------------------------------------------
r256204 | des | 2013-10-09 18:51:38 +0100 (Wed, 09 Oct 2013) | 2 lines

staticize struct random_hardware_source

------------------------------------------------------------------------
r256203 | markm | 2013-10-09 18:50:36 +0100 (Wed, 09 Oct 2013) | 2 lines

Wrap some policy-rich code in 'if NOTYET' until we can thresh out
what it really needs to do.

------------------------------------------------------------------------
r256184 | des | 2013-10-09 10:13:12 +0100 (Wed, 09 Oct 2013) | 2 lines

Re-add /dev/urandom for compatibility purposes.

------------------------------------------------------------------------
r256182 | des | 2013-10-09 10:11:14 +0100 (Wed, 09 Oct 2013) | 3 lines

Add missing include guards and move the existing ones out of the
implementation namespace.

------------------------------------------------------------------------
r256168 | markm | 2013-10-08 23:14:07 +0100 (Tue, 08 Oct 2013) | 10 lines

Fix some just-noticed problems:

o Allow this to work with "nodevice random" by fixing where the
MALLOC pool is defined.

o Fix the explicit reseed code. This was correct as submitted, but
in the project branch doesn't need to set the "seeded" bit as this
is done correctly in the "unblock" function.

o Remove some debug ifdeffing.

o Adjust comments.

------------------------------------------------------------------------
r256159 | markm | 2013-10-08 19:48:11 +0100 (Tue, 08 Oct 2013) | 6 lines

Time to eat crow for me.

I replaced the sx_* locks that Arthur used with regular mutexes;
this turned out the be the wrong thing to do as the locks need to
be sleepable. Revert this folly.

# Submitted by: Arthur Mesh <arthurmesh@gmail.com> (In original diff)

------------------------------------------------------------------------
r256138 | des | 2013-10-08 12:05:26 +0100 (Tue, 08 Oct 2013) | 10 lines

Add YARROW_RNG and FORTUNA_RNG to sys/conf/options.

Add a SYSINIT that forces a reseed during proc0 setup, which happens
fairly late in the boot process.

Add a RANDOM_DEBUG option which enables some debugging printf()s.

Add a new RANDOM_ATTACH entropy source which harvests entropy from the
get_cyclecount() delta across each call to a device attach method.

------------------------------------------------------------------------
r256135 | markm | 2013-10-08 07:54:52 +0100 (Tue, 08 Oct 2013) | 8 lines

Debugging. My attempt at EVENTHANDLER(multiuser) was a failure; use
EVENTHANDLER(mountroot) instead.

This means we can't count on /var being present, so something will
need to be done about harvesting /var/db/entropy/... .

Some policy now needs to be sorted out, and a pre-sync cache needs
to be written, but apart from that we are now ready to go.

Over to review.

------------------------------------------------------------------------
r256094 | markm | 2013-10-06 23:45:02 +0100 (Sun, 06 Oct 2013) | 8 lines

Snapshot.

Looking pretty good; this mostly works now. New code includes:

* Read cached entropy at startup, both from files and from loader(8)
preloaded entropy. Failures are soft, but announced. Untested.

* Use EVENTHANDLER to do above just before we go multiuser. Untested.

------------------------------------------------------------------------
r256088 | markm | 2013-10-06 14:01:42 +0100 (Sun, 06 Oct 2013) | 2 lines

Fix up the man page for random(4). This mainly removes no-longer-relevant
details about HW RNGs, reseeding explicitly and user-supplied
entropy.

------------------------------------------------------------------------
r256087 | markm | 2013-10-06 13:43:42 +0100 (Sun, 06 Oct 2013) | 6 lines

As userland writing to /dev/random is no more, remove the "better
than nothing" bootstrap mode.

Add SWI harvesting to the mix.

My box seeds Yarrow by itself in a few seconds! YMMV; more to follow.

------------------------------------------------------------------------
r256086 | markm | 2013-10-06 13:40:32 +0100 (Sun, 06 Oct 2013) | 11 lines

Debug run. This now works, except that the "live" sources haven't
been tested. With all sources turned on, this unlocks itself in
a couple of seconds! That is no my box, and there is no guarantee
that this will be the case everywhere.

* Cut debug prints.

* Use the same locks/mutexes all the way through.

* Be a tad more conservative about entropy estimates.

------------------------------------------------------------------------
r256084 | markm | 2013-10-06 13:35:29 +0100 (Sun, 06 Oct 2013) | 5 lines

Don't use the "real" assembler mnemonics; older compilers may not
understand them (like when building CURRENT on 9.x).

# Submitted by: Konstantin Belousov <kostikbel@gmail.com>

------------------------------------------------------------------------
r256081 | markm | 2013-10-06 10:55:28 +0100 (Sun, 06 Oct 2013) | 12 lines

SNAPSHOT.

Simplify the malloc pools; We only need one for this device.

Simplify the harvest queue.

Marginally improve the entropy pool hashing, making it a bit faster
in the process.

Connect up the hardware "live" source harvesting. This is simplistic
for now, and will need to be made rate-adaptive.

All of the above passes a compile test but needs to be debugged.

------------------------------------------------------------------------
r256042 | markm | 2013-10-04 07:55:06 +0100 (Fri, 04 Oct 2013) | 25 lines

Snapshot. This passes the build test, but has not yet been finished or debugged.

Contains:

* Refactor the hardware RNG CPU instruction sources to feed into
the software mixer. This is unfinished. The actual harvesting needs
to be sorted out. Modified by me (see below).

* Remove 'frac' parameter from random_harvest(). This was never
used and adds extra code for no good reason.

* Remove device write entropy harvesting. This provided a weak
attack vector, was not very good at bootstrapping the device. To
follow will be a replacement explicit reseed knob.

* Separate out all the RANDOM_PURE sources into separate harvest
entities. This adds some secuity in the case where more than one
is present.

* Review all the code and fix anything obviously messy or inconsistent.
Address som review concerns while I'm here, like rename the pseudo-rng
to 'dummy'.

# Submitted by: Arthur Mesh <arthurmesh@gmail.com> (the first item)

------------------------------------------------------------------------
r255319 | markm | 2013-09-06 18:51:52 +0100 (Fri, 06 Sep 2013) | 4 lines

Yarrow wants entropy estimations to be conservative; the usual idea
is that if you are certain you have N bits of entropy, you declare
N/2.

------------------------------------------------------------------------
r255075 | markm | 2013-08-30 18:47:53 +0100 (Fri, 30 Aug 2013) | 4 lines

Remove short-lived idea; thread to harvest (eg) RDRAND enropy into the
usual harvest queues. It was a nifty idea, but too heavyweight.

# Submitted by: Arthur Mesh <arthurmesh@gmail.com>

------------------------------------------------------------------------
r255071 | markm | 2013-08-30 12:42:57 +0100 (Fri, 30 Aug 2013) | 4 lines

Separate out the Software RNG entropy harvesting queue and thread
into its own files.

# Submitted by: Arthur Mesh <arthurmesh@gmail.com>

------------------------------------------------------------------------
r254934 | markm | 2013-08-26 20:07:03 +0100 (Mon, 26 Aug 2013) | 2 lines

Remove the short-lived namei experiment.

------------------------------------------------------------------------
r254928 | markm | 2013-08-26 19:35:21 +0100 (Mon, 26 Aug 2013) | 2 lines

Snapshot; Do some running repairs on entropy harvesting. More needs
to follow.

------------------------------------------------------------------------
r254927 | markm | 2013-08-26 19:29:51 +0100 (Mon, 26 Aug 2013) | 15 lines

Snapshot of current work;

1) Clean up namespace; only use "Yarrow" where it is Yarrow-specific
or close enough to the Yarrow algorithm. For the rest use a neutral
name.

2) Tidy up headers; put private stuff in private places. More could
be done here.

3) Streamline the hashing/encryption; no need for a 256-bit counter;
128 bits will last for long enough.

There are bits of debug code lying around; these will be removed
at a later stage.

------------------------------------------------------------------------
r254784 | markm | 2013-08-24 14:54:56 +0100 (Sat, 24 Aug 2013) | 39 lines

1) example (partially humorous random_adaptor, that I call "EXAMPLE")
* It's not meant to be used in a real system, it's there to show how
the basics of how to create interfaces for random_adaptors. Perhaps
it should belong in a manual page

2) Move probe.c's functionality in to random_adaptors.c
* rename random_ident_hardware() to random_adaptor_choose()

3) Introduce a new way to choose (or select) random_adaptors via tunable
"rngs_want" It's a list of comma separated names of adaptors, ordered
by preferences. I.e.:
rngs_want="yarrow,rdrand"

Such setting would cause yarrow to be preferred to rdrand. If neither of
them are available (or registered), then system will default to
something reasonable (currently yarrow). If yarrow is not present, then
we fall back to the adaptor that's first on the list of registered
adaptors.

4) Introduce a way where RNGs can play a role of entropy source. This is
mostly useful for HW rngs.

The way I envision this is that every HW RNG will use this
functionality by default. Functionality to disable this is also present.
I have an example of how to use this in random_adaptor_example.c (see
modload event, and init function)

5) fix kern.random.adaptors from
kern.random.adaptors: yarrowpanicblock
to
kern.random.adaptors: yarrow,panic,block

6) add kern.random.active_adaptor to indicate currently selected
adaptor:
root@freebsd04:~ # sysctl kern.random.active_adaptor
kern.random.active_adaptor: yarrow

# Submitted by: Arthur Mesh <arthurmesh@gmail.com>

Submitted by: Dag-Erling Smørgrav <des@FreeBSD.org>, Arthur Mesh <arthurmesh@gmail.com>
Reviewed by: des@FreeBSD.org
Approved by: re (delphij)
Approved by: secteam (des,delphij)

- Remove debugging from GENERIC* kernel configurations
- Enable MALLOC_PRODUCTION
- Default dumpdev=NO
- Remove UPDATING entry regarding debugging features
- Bump __FreeBSD_version to 1000500

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

- Update rc.d/jail to use a jail(8) configuration file instead of
command line options. The "jail_<jname>_*" rc.conf(5) variables for
per-jail configuration are automatically converted to
/var/run/jail.<jname>.conf before the jail(8) utility is invoked.
This is transparently backward compatible.

- Fix a minor bug in jail(8) which prevented it from returning false
when jail -r failed.

Approved by: re (glebius)

Add a setup script for unbound(8) called local-unbound-setup. It
generates a configuration suitable for running unbound as a caching
forwarding resolver, and configures resolvconf(8) to update unbound's
list of forwarders in addition to /etc/resolv.conf. The initial list
is taken from the existing resolv.conf, which is rewritten to point to
localhost. Alternatively, a list of forwarders can be provided on the
command line.

To assist this script, add an rc.subr command called "enabled" which
does nothing except return 0 if the service is enabled and 1 if it is
not, without going through the usual checks. We should consider doing
the same for "status", which is currently pointless.

Add an rc script for unbound, called local_unbound. If there is no
configuration file, the rc script runs local-unbound-setup to generate
one.

Note that these scripts place the unbound configuration files in
/var/unbound rather than /etc/unbound. This is necessary so that
unbound can reload its configuration while chrooted. We should
probably provide symlinks in /etc.

Approved by: re (blanket)

Bring in the new iSCSI target and initiator.

Reviewed by: ken (parts)
Approved by: re (delphij)
Sponsored by: FreeBSD Foundation

Since r254974, periodic scripts' period can be configured
independently. There is no reason to leave their options
with the daily ones, so move them to their own section.
Move periodic scripts' options into their own section. Since r254974,

Make the period of each periodic security script configurable.

There are now six additional variables
weekly_status_security_enable
weekly_status_security_inline
weekly_status_security_output
monthly_status_security_enable
monthly_status_security_inline
monthly_status_security_output
alongside their existing daily counterparts. They all have the same
default values.

All other "daily_status_security_${scriptname}_${whatever}"
variables have been renamed to "security_status_${name}_${whatever}".
A compatibility shim has been introduced for the old variable names,
which we will be able to remove in 11.0-RELEASE.

"security_status_${name}_enable" is still a boolean but a new
"security_status_${name}_period" allows to define the period of
each script. The value is one of "daily" (the default for backward
compatibility), "weekly", "monthly" and "NO".

Note that when the security periodic scripts are run directly from
crontab(5) (as opposed to being called by daily or weekly periodic
scripts), they will run unless the test is explicitely disabled with a
"NO", either for in the "_enable" or the "_period" variable.

When the security output is not inlined, the mail subject has been
changed from "$host $arg run output" to "$host $arg $period run output".
For instance:
myfbsd security run output -> myfbsd security daily run output
I don't think this is considered as a stable API, but feel free to
correct me if I'm wrong.

Finally, I will rearrange periodic.conf(5) and default/periodic.conf
to put the security options in their own section. I left them in
place for this commit to make reviewing easier.

Reviewed by: hackers@

Move daily_status_security_noamd next to 200.chkmounts's variables.

- Trim an unused and bogus Makefile for mount_smbfs.
- Reconnect with some minor modifications, in particular now selsocket()
internals are adapted to use sbintime units after recent'ish calloutng
switch.

- Add vnode-backed swap space specification support. This is enabled when
device names "md" or "md[0-9]*" and a "file" option are specified in
/etc/fstab like this:

md none swap sw,file=/swap.bin 0 0

- Add GBDE/GELI encrypted swap space specification support, which
rc.d/encswap supported. The /etc/fstab lines are like the following:

/dev/ada1p1.bde none swap sw 0 0
/dev/ada1p2.eli none swap sw 0 0

.eli devices accepts aalgo, ealgo, keylen, and sectorsize as options.

swapctl(8) can understand an encrypted device in the command line
like this:

# swapctl -a /dev/ada2p1.bde

- "-L" flag is added to support "late" option to defer swapon until
rc.d/mountlate runs.

- rc.d script change:

rc.d/encswap -> removed
rc.d/addswap -> just display a warning message if $swapfile is defined
rc.d/swap1 -> renamed to rc.d/swap
rc.d/swaplate -> newly added to support "late" option

These changes alleviate a race condition between device creation/removal
and swapon/swapoff.

MFC after: 1 week
Reviewed by: wblock (manual page)

Clean up swapfile memory disk on shutdown

Make the md unit number configurable so that it can be predicted

PR: bin/168544
Submitted by: wblock (based on)
Approved by: kevlo

Remove periodic script for ataraid(4) and add instead script for graid(8).

Use new savecore(8) option and limit number of kernel dumps that will
be kept around to the 10 most recent ones.

Add UPDATING entry with info how to return to the previous behaviour (no
limits).

Obtained from: WHEEL Systems

Merge a number of changes required to hook up OpenBSM 1.2-alpha2's
auditdistd (distributed audit daemon) to the build:

- Manual cross references
- Makefile for auditdistd
- rc.d script, rc.conf entrie
- New group and user for auditdistd; associated aliases, etc.

The audit trail distribution daemon provides reliable,
cryptographically protected (and sandboxed) delivery of audit tails
from live clients to audit server hosts in order to both allow
centralised analysis, and improve resilience in the event of client
compromises: clients are not permitted to change trail contents
after submission.

Submitted by: pjd
Sponsored by: The FreeBSD Foundation (auditdistd)

Set default for ${pkg_info} like ${pkg_version}.

MFC after: 1 week

Use correct INDEX on 10-CURRENT.

Disconnect non-MPSAFE SMBFS from the build in preparation for dropping
GIANT from VFS. In addition, disconnect also netsmb, which is a base
requirement for SMBFS.

In the while SMBFS regular users can use FUSE interface and smbnetfs
port to work with their SMBFS partitions.

Also, there are ongoing efforts by vendor to support in-kernel smbfs,
so there are good chances that it will get relinked once properly locked.

This is not targeted for MFC.

Disconnect non-MPSAFE NWFS from the build in preparation for dropping
GIANT from VFS. In addition, disconnect also netncp, which is a base
requirement for NWFS.

In the possibility of a future maintenance of the code and later
readd to the FreeBSD base, maybe we should think about a better location
for netncp. I'm not entirely sure the / top location is actually right,
however I will let network people to comment on that more specifically.

This is not targeted for MFC.

Disconnect non-MPSAFE PORTALFS from the build in preparation for dropping
GIANT from VFS.

This is not targeted for MFC.

- Allow to pass extra parameters for each jails.
- To achieve above, convert jail(8) invocation to use new style
command line "-c" flag.

Reviewed at: freebsd-jail@

Whitespace nit

Make ipfw0 logging pseudo-interface clonable. It can be created automatically
by $firewall_logif rc.conf(5) variable at boot time or manually by ifconfig(8)
after a boot.

Discussed on: freebsd-ipfw@

Don't attempt to delete .sujournal in /tmp

PR: conf/163828
Submitted by: Tatsuki Makino <tatsuki_makino@hotmail.com>
Approved by: cperciva
MFC after: 1 week

- Change kfd rc script to be more conformant with rcNG conventions:
o change rcname to kfd;
o move mandatory options to command_args;
o add missing "shutdown" keyword;
o fix require line. Kfd doesn't really need to be started before
daemons.

Suggested by: dougb

- Add rc.d script for kfd, kerberos forwarded tickets daemon.

Unhide /dev/zfs in devfsrules_jail.

The /dev/zfs device is required for managing jailed ZFS datasets.

Discussed with: pjd, jamie
MFC after: 1 week

Increase the default shutdown timer to 90 seconds. This will allow
certain systems that take a long time to shut down, without adversely
affecting things that shut down quickly. It's also 30 seconds less than
the default hard limit of 120 seconds in kern.init_shutdown_timeout.

PR: conf/109272
Submitted by: Radim Kolar SF.NET <hsn@sendmail.cz>

Fix various issues with the NFS and RPC related scripts:

1. Add new functionality to the force_depend method to incorporate the
tests for whether the service is enabled and/or already running.
2. Add a new option to bypass checking only that the service is enabled
at boot time, and always check if it is running.
3. Use this new functionality to greatly simplify the rc.d scripts that
use force_depend.
4. Add a force_depend for statd in lockd
5. Remove the check that either nfs_server or nfs_client is _enable'd
from statd and lockd. This was always overkill, and prevented using
the {one|force}start options, as well as stop'ing on the command line.
6. The yp* scripts had some of their arguments in various weird orders.
Bring them into line with the model.
7. If mountd fails to create /var/db/mountdtab, err out.

Ideas, suggestions, and/or review from delphij and jilles.
Pointy hats are completely my responsibility however.

As it stands right now, the default devfs rulesets are only loaded as a
side effect of something else using them. If they haven't been loaded
already but you want to use them, say for configuring a jail, you're out
of luck.

So add a knob to always load the default rulesets. While I'm here document
the other devfs_ knobs in rc.conf.5.

Add an option to 404.status-zfs (enabled by default) to list all
zfs pools on the system.

While here, document daily_status_zfs_enable in periodic.conf(5).

Discussed on: -fs [1]
Reviewed by: netchild [1]
Approved by: jhb
MFC after: 1 week

[1] - http://lists.freebsd.org/pipermail/freebsd-fs/2011-June/011869.html

Increase default scrub threshold from 30 days to 5 weeks. Using
whole weeks makes it easier to predicate when the scrub would
happen.

MFC after: 1 week

Add etc/rc.d/static_ndp, analogous to etc/rc.d/static_arp.
Make sure that static ARP and NDP bindings are set before NETWORKING.

As static_ndp is based on static_arp, pass copyright to the project with
permission of the original author (delphij@).

Reviewed by: delphij@FreeBSD.org
MFC after: 3 days

Add missing default values for daily/800.scrub-zfs for documentation
purposes. No functional change, since all parameters are set to their
default values.
MFC after: 1 week

Expose "log" in the default devfs rules. /etc/rc.d/jail creates /dev/log
as a symbolic link.

PR: conf/160711
Submitted by: Jase Thew
Approved by: re (kib)
MFC after: 1 week

Correct the RFC number for the description of IPv6 privacy addressing

Reviewed by: bz
Approved by: re (kib)

Add $ipv6_cpe_wanif to enable functionality required for IPv6 CPE
(r225485). When setting an interface name to it, the following
configurations will be enabled:

1. "no_radr" is set to all IPv6 interfaces automatically.

2. "-no_radr accept_rtadv" will be set only for $ipv6_cpe_wanif. This is
done just before evaluating $ifconfig_IF_ipv6 in the rc.d scripts (this
means you can manually supersede this configuration if necessary).

3. The node will add RA-sending routers to the default router list
even if net.inet6.ip6.forwarding=1.

This mode is added to conform to RFC 6204 (a router which connects
the end-user network to a service provider network). To enable
packet forwarding, you still need to set ipv6_gateway_enable=YES.

Note that accepting router entries into the default router list when
packet forwarding capability and a routing daemon are enabled can
result in messing up the routing table. To minimize such unexpected
behaviors, "no_radr" is set on all interfaces but $ipv6_cpe_wanif.

Approved by: re (bz)

- Move bus_auto.conf back into /etc/devd/
- Rename bus_auto.conf into usb.conf

Requested by: imp @
MFC after: 14 days

- Move auto-load devd config file into etc/defaults folder.
- Regenerate file after bugfix in the generator.

Suggested by: Jeremy Messenger
MFC after: 14 days

Add the netwait rc.d script. It waits for the specified period for the
network to become active.

PR: conf/151063
Submitted by: Jeremy Chadwick <freebsd@jdc.parodius.com>

Add rc.d/kld to load kernel modules after local disks are up.
This method is many times faster than doing it in /boot/loader.conf.

Make three one line changes to the rc scripts so that
they work with the new NFS client being the default,
since the new NFS client's module name is nfscl and
not nfsclient.

No logner set an IPv4 loopback address by default in defaults/rc.conf.
If not specified, network.subr will add it automatically if we have
INET support (1).

In network.subr only call the address family up/down functions
if the respective AF is available.

Switch to new kern.features variables for inet and inet6 as the
inet sysctl tree is also available for IPv6-only kernels leading
to unexpected results.

Suggested by: hrs (1)
Reviewed by: hrs
Sponsored by: The FreeBSD Foundation
Sponsored by: iXsystems
MFC after: 20 days

Update the /etc/rc.d scripts for mountd and nfsd so they
can use the "-o" option to force the old NFS server to run.
Running the old NFS server is enabled by setting
oldnfs_server_enable="YES". The scripts will only enable
providing service for NFSv4 if nfsv4_server_enable="YES"
is set.

Reviewed by: dougb (rc)

Introduce to rc.subr get_pidfile_from_conf(). It does just what it sounds
like, determines the path to a pid file as it is specified in a conf file.

Use the new feature for rc.d/named and rc.d/devd, the 2 services in the
base that list their pid files in their conf files.

Remove the now-obsolete named_pidfile, and warn users if they have it set.

Add a daily period script to back up /var/db/pkg

The final product contains work from the originator, and
Florent Thoumie <florent.thoumie@gmail.com>. The final
product contains considerable re-working by me, so all
responsibility for bugs rests under my pointy hat.

PR: ports/145957
Submitted by: Eitan Adler <EitanAdlerList@gmail.com>

- Merge in OFED 1.5.3 from projects/ofed/head

Enable the check for negative permissions (the group on a file can't do
something "everyone" can) by default.

X-MFC after: never

Replace nfs4 with newnfs in netfs_types. nfs4 was removed in r192578 and
mount(8) has supported newnfs since r192930.

PR: conf/153655
Submitted by: Anonymous <swell.k@gmail.com>
MFC after: 3 weeks

Add gptboot_enable rc variable, which allows to turn gptboot reporting off in
case user wants to implement his own actions and doesn't want the attributes to
vanish.

Obtained from: Wheel Systems Sp. z o.o. http://www.wheelsystems.com
MFC after: 3 days

Add an (off by default) check for negative permissions (where the
group on a object has less permissions that everyone). These
permissions will not work reliably over NFS if you have more than
14 supplemental groups and are usually not what you mean.

MFC after: 1 week

Commit the rest of r213270.

Thanks to Anonymous <swell dot k at gmail.com> for spotting this.

Split $ipv6_prefer into $ip6addrctl_policy and $ipv6_activate_all_interfaces.

The $ip6addrctl_policy is a variable to choose a pre-defined address
selection policy set by ip6addrctl(8).
The keyword "ipv4_prefer" sets IPv4-preferred one described in Section 10.3,
the keyword "ipv6_prefer" sets IPv6-preferred one in Section 2.1 in RFC 3484,
respectively. When "AUTO" is specified, it attempts to read
/etc/ip6addrctl.conf first. If it is found, it reads and installs it as
a policy table. If not, either of the two pre-defined policy tables is
chosen automatically according to $ipv6_activate_all_interfaces.

When $ipv6_activate_all_interfaces=NO, interfaces which have no corresponding
$ifconfig_IF_ipv6 is marked as IFDISABLED for security reason.

The default values are ip6addrctl_policy=AUTO and
ipv6_activate_all_interfaces=NO.

Discussed with: ume and bz

Add $ipv6_privacy to support net.inet6.ip6.use_tempaddr. Note that this
will be replaced with a per-IF version later.

Based on: changes in r206408 by dougb

Fix $ipv6_network_interfaces and set it as AUTO by default.

Based on: changes in r206408 by dougb

Revert changes in r206408.

Discussed with: dougb, core.5, and core.6

o Correct typo.

Submitted by: Bojidara Marinchovska via -stable
MFC after: 1 week

Add a daily script to the periodic framework that reports
changes to the package database, i.e. any packages that
have been added, updated or deleted in the past 24 hours.
The format is intentionally simple and concise.

That information is particularly useful on servers that
are maintained by multiple administrators. When someone
adds, updates or deletes a package, the others will see
it in the daily periodic output.

This script is disabled by default.

PR: conf/113913
Submitted by: olli
Approved by: des (mentor)
MFC after: 3 weeks

- Add a periodic script, which can be used to find installed ports' files with
mismatched checksum

PR: conf/124641
Submitted by: Alex Kozlov <spam@rm-rf.kiev.ua>
Approved by: delphij (mentor)

Remove trailing white space. No functional changes.

Better handling of ipv6_default_interface using
net.inet6.ip6.use_defaultzone=1. Now, it works IPv6 link-local
unicast addresses as well as IPv6 link-local multicast addresses.

MFC after: 1 week

Use ubthidhci_enable="NO" to avoid the bootup warning.

Submitted by: Jilles Tjoelker <jilles@stack.nl>
MFC after: 3 days

In case a user wants to configure only an IPv6 link-local address
add an example that shows how to do it.

Add rc.d/ubthidhci. This small script calls usbconfig(1) to change a USB
Bluetooth controller from HID mode to HCI mode.

MFC after: 1 week

Improve the handling of IPv6 configuration in rc.d. The ipv6_enable
and ipv6_ifconfig_<interface> options have already been deprecated,
these changes do not alter that.

With these changes any value set for ipv6_enable will emit a
warning. In order to avoid a POLA violation for the deprecation
of the option ipv6_enable=NO will still disable configuration
for all interfaces other than lo0. ipv6_enable=YES will not have
any effect, but will emit an additional warning. Support and
warnings for this option will be removed in FreeBSD 10.x.

Consistent with the current code, in order for IPv6 to be configured
on an interface (other than lo0) an ifconfig_<interface>_ipv6
option will have to be added to /etc/rc.conf[.local].

1. Clean up and minor optimizations for the following functions:
ifconfig_up (the ipv6 elements)
ipv6if
ipv6_autoconfif
get_if_var
_ifconfig_getargs
The cleanups generally were to move the "easy" tests earlier in the
functions, and consolidate duplicate code.

2. Stop overloading ipv6_prefer with the ability to disable IPv6
configuration.

3. Remove noafif() which was only ever called from ipv6_autoconfif.
Instead, simplify and integrate the tests into that function, and
convert the test to use is_wired_interface() instead of listing
wireless interfaces explicitly.

4. Integrate backwards compatibility for ipv6_ifconfig_<interface>
into _ifconfig_getargs. This dramatically simplifies the code in
all of the callers, and avoids a lot of other code duplication.

5. In rc.d/netoptions, add code for an ipv6_privacy option to use
RFC 4193 style pseudo-random addresses (this is what windows does
by default, FYI).

6. Add support for the [NO]RTADV options in ifconfig_getargs() and
ipv6_autoconfif(). In the latter, include support for the explicit
addition of [-]accept_rtadv in ifconfig_<interface>_ipv6 as is done
in the current code.

7. In rc.d/netif add a warning if $ipv6_enable is set, and remove
the set_rcvar_obsolete for it. Also remove the latter from
rc.d/ip6addrctl.

8. In /etc/defaults/rc.conf:

Add an example for RTADV configuration.

Set ipv6_network_interfaces to AUTO.

Switch ipv6_prefer to YES. If ipv6_enable is not set this will have
no effect.

Add a default for ipv6_privacy (NO).

9. Document all of this in rc.conf.5.

Add .snap to daily_clean_tmps_ignore; /tmp/.snap ist not supposed to
be auto-removed (and /tmp is a filesystem of its own now by default).

MFC after: 3 days

Redirect stdin from /dev/null when starting a jail:
At least in RELENG_7 this fixes some start problems for some programs
from the ports. It is also more correct, as a jail shall not expect
input (interactivity) from the jail-host.

Revert the current behavior of starting jails in the background and
make it optional only for the start of jails (jail_parallell_start=YES
in rc.conf):
- The stop can not be done in the background, the system needs to wait
until everything is stopped correctly before it can reboot or power
down.
- The start should not be done in parallel by default, this not only
breaks POLA for people comming from RELENG_x, it may also break a
dependency chain with other scripts in the jail-host, which need to
do some stuff after the jails are up and running (e.g. hardlinking
a mysql socket from one jail into another one).

Discussed on: freebsd-jails@

Please welcome HAST - Highly Avalable Storage.

HAST allows to transparently store data on two physically separated machines
connected over the TCP/IP network. HAST works in Primary-Secondary
(Master-Backup, Master-Slave) configuration, which means that only one of the
cluster nodes can be active at any given time. Only Primary node is able to
handle I/O requests to HAST-managed devices. Currently HAST is limited to two
cluster nodes in total.

HAST operates on block level - it provides disk-like devices in /dev/hast/
directory for use by file systems and/or applications. Working on block level
makes it transparent for file systems and applications. There in no difference
between using HAST-provided device and raw disk, partition, etc. All of them
are just regular GEOM providers in FreeBSD.

For more information please consult hastd(8), hastctl(8) and hast.conf(5)
manual pages, as well as http://wiki.FreeBSD.org/HAST.

Sponsored by: FreeBSD Foundation
Sponsored by: OMCnet Internet Service GmbH
Sponsored by: TransIP BV

Introduce new rc.conf variable firewall_coscripts. It can be used to
specify list of executables and/or rc scripts that should be executed
after firewall starts/stops.

Submitted by: Yuri Kurenkov <y dot kurenkov at init dot ru>
Reviewed by: rhodes, rc@
MFC after: 1 week

Add rc.d script for the rtsold(8) daemon.

The rtsol(8) handles just one RA then exit. So, the OtherConfig flag
may not be handled well by rtsol(8) in the environment where there are
multiple RA servers on the segment. In such case, rtsold(8) will be
your friend.

Reviewed by: hrs
MFC after: 2 weeks

Remove the rules using 'me6'. Now, 'me' matches both any IPv6 address
and any IPv4 address configured on an interface in the system.

Reviewed by: David Horn <dhorn2000__at__gmail.com>, luigi, qingli
MFC after: 2 weeks

Expose the upper 256 ptys in the default devfs rules. I should have updated
this when expanding the old pty(4) driver to use 512 ptys by default. This
is more important for 7.x.

MFC after: 1 week

With the introduction of named_conf the -c example in named_flags
is no longer necessary or desirable. Update the comment to indicate
that _flags should be used for options other than -u and -c.

Add support for configuring vlan(4) interfaces as child devices similar to
wlan(4) interfaces. vlan(4) interfaces are listed via a new 'vlans_<IF>'
variable. If a vlan interface is a number, then that number is treated as
the vlan tag for the interface and the interface will be named '<IF>.<tag>'.
Otherwise, the vlan tag must be provided via a vlan parameter in a
'create_args_<vlan>' variable.

While I'm here, fix a few nits in rc.conf(5) and mention create_args_<IF> in
the description of cloned_interfaces.

Reviewed by: brooks
MFC after: 2 weeks

Unify rc.firewall and rc.firewall6, and obsolete rc.firewall6
and rc.d/ip6fw.

Reviewed by: dougb, jhb
MFC after: 1 month

Add empty watchdogd_flags.

PR: 136620
Submitted by: amdmi3
MFC after: 3 days

By popular acclaim, enable "Starting foo:" messages by default

Add a knob to show 'Starting foo:' messages when faststart is used,
such as at boot time.

The following changes are added because of
network_ipv6->rc.d/netif integration:

- $ipv6_enable is now obsolete. Instead, IPv6 is enabled by
default if the kernel supports it, and $ipv6_network_interfaces
is "none" by default. If you want to use IPv6, define
$ipv6_network_interfaces and $ifconfig_xxx_ipv6.

An interface which is in $network_interfaces and not in
$ipv6_network_interfaces will be marked as "inet6
-auto_linklocal ifdisabled" (see ifconfig(8)).

- $ipv6_ifconfig_xxx is renamed to ifconfig_xxx_ipv6 for
consistency with other address families. The old variables
still work but can be removed in the future. Note that
ipv6_ifconfig_xxx="..." should be replaced with
ifconfig_xxx_ipv6="inet6 ...".

- Receiving ICMPv6 Router Advertisement is not automatically
enabled even if there is no manual configuration of IPv6 in
rc.conf. If you want it, define
ifconfig_xxx_ipv6="inet6 ... accept_rtadv".

- The rc.d/ip6addrctl now chooses address selection policy based
on $ipv6_prefer, not $ipv6_enable. The default is
ipv6_prefer=NO.

- $router* and $ipv6_router* are replaced with $routed_* and
$route6d_* for consistency. The old variables still work but
can be removed in the future.

MFC after: 3 days

Add a new rc.d script, static_arp, which enables the administrator to
statically bind IPv4 <-> MAC address at boot time.

In order to use this, the administrator needs to configure the following
rc.conf(5) variable:

- static_arp_pairs: A list of names for static bind pairs, and,
- a series of static_arp_(name): the arguments that is being passed to
``arp -S'' operation.

Example:
static_arp_pairs="gw"
static_arp_gw="192.168.1.1 00:01:02:03:04:05"

See the rc.conf(5) manual page for more details.

Reviewed by: -rc@
MFC after: 2 weeks

Update name of INDEX file as part of 8.0 -> 9.0 transition.

rc.d/fsck: allow additional options for fsck_y_enable via fsck_y_flags

Primary intention is to allow to pass -C option to avoid (re-)checking
clean filesystems when preening fails and fsck -y kicks in.

Submitted by: marck
Reviewed by: current@
Approved by: jhb (mentor)
MFC after: 1 week

Add support for the experimental nfs subsystem to the scripts in
/etc/rc.d. They use the following new rc variables:
nfsv4_server_enable - set to "YES" to run the experimental server
nfsuserd_enable - set to "YES" to run nfsuserd for NFSv4 client and
server
nfsuserd_flags - command line flags for nfsuserd
nfscbd_enable - set to "YES" to run the experimental nfs client's
NFSv4 callback daemon
nfscbd_flags - command line flags for nfscbd

Reviewed by: dougb
Approved by: kib (mentor)

Further idmapd garbage collection -- remove rc.d Makefile reference and
default settings.

Submitted by: Pawel Worach <pawel.worach at gmail.com>

1. New feature; option to have the script loop until a specified hostname
(localhost by default) can be successfully looked up. Off by default.
2. New feature: option to create a forwarder configuration file based on
the contents of /etc/resolv.conf. This allows you to utilize a local
resolver for better performance, less network traffic, custom zones, etc.
while still relying on the benefits of your local network resolver.
Off by default.
3. Add named-checkconf into the startup routine. This will prevent named
from trying to start in a situation where it would not be possible to do
so.

Set crashinfo_enable to "YES" by default.
During bootup, if /etc/rc.d/savecore detects a core dump file
on the dump device, the core file will be saved, and the crashinfo
script will be run to generate a human-readable report.

This will make it easier for end-users to provide feedback to
developers about kernel crashes.

Reviewed by: jhb

Revert r188010. When dhclient is backgrounded, services such as ntpdate,
sendmail / postfix etc. may fail to start because DNS is unavailable and /
or the server is unreachable. In the worst case, the machine may become
unusable.

Debugging this issue was far more difficult than it should have been, due
to earlier changes to the rc framework to hide almost all useful information
about the boot process.

Approved by: silence

Add support for setting the debug flags on wlan interfaces after the are
created using wlandebug_<ifn> variables.

Rename the rc.conf(5) knob if_up_delay to defaultroute_delay to better
reflect its purpose.

Since, rc.d/defaultroute has the ability to wait for a
default route to show up we can turn this knob back on
without screwing subsequent daemons that expect to be
able to talk to the outside world.

Update jail startup script for multi-IPv4/v6/no-IP jails.

Note: this is only really necessary because of the ifconfig
logic to add/remove the jail IPs upon start/stop.
Consensus among simon and I is that the logic should
really be factored out from the startup script and put
into a proper management solution.

- We now support starting of no-IP jails.
- Remove the global jail_<jname>_netmask option as it is only
helpful to set netmasks/prefixes for the right address
family and per address.
- Implement jail_<jname>_ip options to support both
address familes with regard to ifconfig logic.
- Implement _multi<n> support suffix to the jail_<jname>_ip
option to configure additional addresses to avoid overlong,
unreadbale jail_<jname>_ip lines with lots of addresses.

Submitted by: initial work from Ruben van Staveren
Discussed on: freebsd-jail in Nov 2008.
Reviewed by: simon, ru (partial, older version)
MFC after: 1 week

The description of the various securelevels has moved to the
security.7 manpage a while ago.

MFC after: 1 week

Put the devfs ruleset next to devfs enable, add a comment about
the suggested ruleset[1].

While here use an IP from the 'test-net' prefix for docs.

PR: kern/130102 ([1] different problem in the end)
Reviewed by: simon
MFC after: 2 weeks

Add defaults for /etc/rc.d/gssd

Approved by: dfr

Allow a jail to be started with a specific route fib.

Reviewed by: secteam (simon)
Reviewed by: brooks, bz

Add the ability to run /usr/sbin/crashinfo on a new core dump automatically
during boot. Right now this is disabled by default, but it can be enabled
by setting 'crashinfo_enable=YES' in rc.conf.

MFC after: 2 weeks

Make obrien happy #2

Integrate the new MPSAFE TTY layer to the FreeBSD operating system.

The last half year I've been working on a replacement TTY layer for the
FreeBSD kernel. The new TTY layer was designed to improve the following:

- Improved driver model:

The old TTY layer has a driver model that is not abstract enough to
make it friendly to use. A good example is the output path, where the
device drivers directly access the output buffers. This means that an
in-kernel PPP implementation must always convert network buffers into
TTY buffers.

If a PPP implementation would be built on top of the new TTY layer
(still needs a hooks layer, though), it would allow the PPP
implementation to directly hand the data to the TTY driver.

- Improved hotplugging:

With the old TTY layer, it isn't entirely safe to destroy TTY's from
the system. This implementation has a two-step destructing design,
where the driver first abandons the TTY. After all threads have left
the TTY, the TTY layer calls a routine in the driver, which can be
used to free resources (unit numbers, etc).

The pts(4) driver also implements this feature, which means
posix_openpt() will now return PTY's that are created on the fly.

- Improved performance:

One of the major improvements is the per-TTY mutex, which is expected
to improve scalability when compared to the old Giant locking.
Another change is the unbuffered copying to userspace, which is both
used on TTY device nodes and PTY masters.

Upgrading should be quite straightforward. Unlike previous versions,
existing kernel configuration files do not need to be changed, except
when they reference device drivers that are listed in UPDATING.

Obtained from: //depot/projects/mpsafetty/...
Approved by: philip (ex-mentor)
Discussed: on the lists, at BSDCan, at the DevSummit
Sponsored by: Snow B.V., the Netherlands
dcons(4) fixed by: kan

Rename the RCng 'kernel' script to 'kernel_symlink'.

Requested by: many

Allow the network addresses and interface names for the "client" and
"workstation" firewall types to be set from rc.conf so that rc.firewall
no longer needs local patching to be usable for those types. For now
I've set the variables in /etc/defaults/rc.conf to the previous defaults
in /etc/rc.firewall.

PR: bin/65258
Submitted by: Valentin Nechayev netch of netch.kiev.ua
Silence from: net
MFC after: 2 weeks

For the firewall_* variables that are specific to the "workstation"
firewall type, note that property in their description.

MFC after: 1 week

Only symlink booted kernel directory to /boot/kernel if user has explicitly
requested it. This is too dangerous to just do behind the admin's back.

Add the -c option for named_flags (still commented out) that is
relevant for ports users, and change the comment to match.

While I'm here fix the capitalization of the named_program comment.

Make quota knob conform to other rc(8) knobs. Keep older knob for
compatibility.

Requested by: Volker <volker@vwsoft.com>

Bluetooth SIG is being difficult and keep moving specification
documents away from being public accessible. Replace link to
the Bluetooth specification document with the document name.

Pointed out by: SoftLover < slserg at uic dot tula dot ru >
MFC after: 3 days

Remove ISDN4BSD (I4B) from HEAD as it is not MPSAFE and
parts relied on the now removed NET_NEEDS_GIANT.
Most of I4B has been disconnected from the build
since July 2007 in HEAD/RELENG_7.

This is what was removed:
- configuration in /etc/isdn
- examples
- man pages
- kernel configuration
- sys/i4b (drivers, layers, include files)
- user space tools
- i4b support from ppp
- further documentation

Discussed with: rwatson, re

Change the default value of synchronous_dhclient to NO.

To preserve the existing behavior of etc/rc.d/netif, add code to wait
up to if_up_delay seconds (30 seconds by default) for a default route to
be configured if there are any dhcp interfaces. This should be extended
to test that the interface is actually up.

X-MFC after:

Replace a couple mentions of the soon to be removed vaps_<ifn>
variable form with wlans_<ifn>.

Revert rev 1.332 and keep ddb scripts off by default for now. Minidumps
are more flexable and much text-dump like output can be produced from
them so there's a good argument they are a better default.

Change the default of ddb_enable to YES so we default to generating textdumps
on panic. This means you get a potentially useful dump even if your system
is running X when you panic.

X-MFC after: never

rc support for vaps

Set defaults for the rfcomm_pppd_server rc script

MFC after: 1 week

o add rc.conf knobs to set the wpa_supplicant program, logging flags,
and config file
o change default logging options from -q to -s (log to syslog); this
is currently broken for boot-time startup as syslogd is started too
late but that'll be dealt with separately

MFC after: 2 weeks

The rarpd(8) daemon must be instructed to start on all interfaces or a
specific one. Instruct it to listen on all interfaces so that enabling
it in rc.conf(5) works "out of the box."

PR: conf/121406
Submited by: trasz
MFC after: 1 week

Use the new command file feature of ddb(8) to support setting ddb(4)
scripts at boot. This is currently disabled by default. /etc/ddb.conf
contains some potentially reasonable default scripts.

PR: conf/119995
Submitted by: Scot Hetzel <swhetzel at gmail dot com> (Earlier version)
X-MFC after: textdumps

Add a dummynet_enable knob to go with firewall_enable. If this knob
is enabled dummynet(4) is added to the list of required modules.

Discussed on: #freebsd-bugbusters (rwatson, trhodes)
PR: conf/79196
MFC after: 1 week

Clarify that devfs_system_ruleset should contain a name, not a number.
Prompted by PR conf/85363

MFC after: 3 days

Rev. 1.6 made it impossible to use rc.d/kerberos with the krb5 port.
Re-implement the change so that the script once again works with
the krb5 port.

Submitted by: kensmith (slightly modified)
MFC after: 3 days

Improve kernel NAT support in rc.firewall

- Allow IP in firewall_nat_interface, just like natd_interface
- Allow additional configuration parameters passed to ipfw via
firewall_nat_flags
- Document firewall_nat_* in defaults/rc.conf

Tested by: Albert B. Wang <abwang at gmail.com>
MFC after: 1 month

o From the Problem Report: the TCP_DROP_SYNFIN kernel option is now
included in the kernel by default. Remove reference to this option
from defaults/rc.conf and rc.conf(5).

PR: conf/119098
Submitted by: Beat Gaetzi
MFC after: 1 week

A new configuration variable, daily_status_mail_rejects_shorten, allows
the rejected mail reports to tally the rejects per blacklist without
providing details about individual sender hosts. The default configuration
keeps the reports in their original form.

MFC after: 1 week

Update pkg_version_index to INDEX-8

Don't delete files in the X11 socket directories under /tmp (.X11-unix,
.ICE-unix, .font-unix, .XIM-unix) when purging files from /tmp via the
daily 100.clean-tmps job. If you are logged into an X session longer
than the timeout period (default of 3 days), then this job can delete
the X11 sockets out from under the session without this fix.

MFC after: 3 days

Another vestige of OLDCARD that needs to be retired.

Prodded by: jhb@

Backout sensors framework.

Requested by: phk
Discussed on: cvs-all

Import OpenBSD's sysctl hardware sensors framework.

This commit includes the following core components:

* sample configuration file for sensorsd
* rc(8) script and glue code for sensorsd(8)
* sysctl(3) doc fixes for CTL_HW tree
* sysctl(3) documentation for hardware sensors
* sysctl(8) documentation for hardware sensors
* support for the sensor structure for sysctl(8)
* rc.conf(5) documentation for starting sensorsd(8)
* sensor_attach(9) et al documentation
* /sys/kern/kern_sensors.c
o sensor_attach(9) API for drivers to register ksensors
o sensor_task_register(9) API for the update task
o sysctl(3) glue code
o hw.sensors shadow tree for sysctl(8) internal magic
* <sys/sensors.h>
* HW_SENSORS definition for <sys/sysctl.h>
* sensors display for systat(1), including documentation
* sensorsd(8) and all applicable documentation

The userland part of the framework is entirely source-code
compatible with OpenBSD 4.1, 4.2 and -current as of today.

All sensor readings can be viewed with `sysctl hw.sensors`,
monitored in semi-realtime with `systat -sensors` and also
logged with `sensorsd`.

Submitted by: Constantine A. Murenin <cnst@FreeBSD.org>
Sponsored by: Google Summer of Code 2007 (GSoC2007/cnst-sensors)
Mentored by: syrinx
Tested by: many
OKed by: kensmith
Obtained from: OpenBSD (parts)

Teach /etc/rc.d/ppp to start multiple instances of ppp.

ppp_profile variable can now contain multiple profiles.
Overrides for ppp mode and nat can go into ppp_$profile_mode
and ppp_$profile_nat variables respectively. If those are
not specified, defaults from ppp_mode and ppp_nat are used.

Submitted by: Yuri Kurenkov < y dot kurenkov at init dot ru >
Reviewed by: mtm
MFC after: 1 week

Add pts/pty to the un-hidden devices for logins. This un-breaks
logins to jailed environments when the system is using PTS style
ptys (kern.pts.enable=1).

Discussed with: rwatson
MFc after: 1 week

Finishing renaming of cached into nscd. etc/rc.d and usr.sbin/Makefile
updated. Note added to UPDATING.

Approved by: re (kensmith, bmah), brooks (mentor)

Add a startup script for ftp-proxy(8) now that it is no longer started as
part of inetd(8).

Approved by: re (bmah)
Reviewed by: freebsd-rc (a while back)
Reminded by: kevlo

Add a new rc.conf variable, sendmail_rebuild_aliases, which tells
/etc/rc.d/sendmail whether or not to run newaliases if the database
is missing or the aliases text file is newer than aliases.db.

In my opinion, the aliases file should never be automatically rebuilt.
The current text form could represent a work in progress. Therefore,
in FreeBSD 7.0, this new option will default to "NO". When this rc.d
change is MFC'ed, it will need to remain "YES" to maintain backward
compatibility.

PR: conf/86252
Approved by: re (kensmith)
MFC after: 3 days

Now that a separate /usr/X11R6 directory is no longer in fashion,
stop looking there for things like rc.d and periodic. This avoids
duplicating effort when /usr/X11R6 is a symlink to /usr/local,
which it is by default now.

It is not anticipated at this time that we will MFC this change, since
we'd like to avoid breaking legacy systems. However, there is a fix for
/etc/rc.subr in the works to avoid running any rc.d scripts twice which
we should be able to MFC.

o Add a script to check ntpd(8) state. Default is off.

PR: conf/112604
Submitted by: Oliver Fromme
MFC after: 1 month

Add a pfsync_syncpeer option to /etc/defaults/rc.conf and rc.conf(5),
which can be used to turn off multicast pfsync support, and enable
the transmission of directed PFSYNC (IP protocol: 240) packets to
a specific "sync peer" host.

PR: conf/111225
Submitted by: Bas van Beek <bas@tobin.nl>
Approved by: mtm, mlaier
MFC after: 2 weeks

Add rc.d/hostid script (turned on by default) which on first boot generates
UUID and stores it in /etc/hostid ($hostid_file) as well as sets kern.hostuuid
and kern.hostid sysctls on every boot.

Hostid can be reset using '/etc/rc.d/hostid reset' command.

Hostid generation and setting can be turned off by setting variable
hostid_enable to "NO" in /etc/rc.conf.

Reviewed by: mlaier, rink, brooks, rwatson

Add ZFS periodic scripts that monitors status of ZFS pools.

Submitted by: des

- Add ZFS startup script.

Submitted by: des

- When starting mountd(8) and ZFS is enabled, add /etc/zfs/exports file.
- Update rc.conf(5).

Add rpc_statd_flags and rpc_lockd_flags options to allow options to be
passed to rpc.statd and rpc.lockd

MFC after: 1 week

Fix typo FILESYSTEM -> FILESYSTEMS
This bug prevents local scripts to start up

Add a dummy script, FILESYSTEMS, which depends on root and mountcritlocal
and takes over mountcritlocal's role as the early / late divider. This
makes it far easier to add rc scripts which need to run early, such as a
startup script for zfs, which is right around the corner.

This change should be a no-op; I have verified that the only change in
rcorder's output is the insertion of FILESYSTEMS immediately after
mountcritlocal.

MFC after: 3 weeks

Oops wrong line commented out in prev fix

Back out network.subr :- fix and comment out dhc*_fxp0 examples instead

Submitted by: jhb

As suggested more than once in the lists, drop -M from flags to mfs
for /tmp and /var. This makes the memory discs swap-backed instead
of malloc-backed. A swap-backed memory disc should not be worse
than a malloc-backed one in any scenario because it will start
touching swap only when needed. OTOH, a malloc-backed disc can
starve limited kernel resources and evenually crash the system.

Reflect the change in the rc.conf(5) manpage. Also stop telling
lies there about softupdates: it does not waste disc space, it
just can delay its freeing.

Suggested by: many
PR: kern/87255
MFC after: 1 week

Turn default address selection on by default. Now, when
ipv6_enable="NO", an IPv4 address is preferred for a
destination address.

MFC after: 1 month

Add support for EtherChannel configuration to rc startup scripts.

Note: This also deprecates "NO" as a way to specify an empty list of
interfaces for gif_interfaces.

PR: conf/104884
Submitted by: nork
Harassed by: brd
Discussed with: brooks, dougb

Add the following knobs for quotas if they are enabled:

quotaon_flags - flags for the quotaon command
quotaoff_flags - flags for the quotaoff command
quotacheck_flags - flags for the quotacheck command

Add auditd_program variable to defaults, in order to make it more clear
how to change the auditd instance. When using a port/package-based
OpenBSM, changing the auditd pointer may be desirable.

Obtained from: TrustedBSD Project
MFC after: 3 weeks

Give rc.firewall a polish and a new method.

Factor out the loopback setup

Use "me" instead of hardcoded $ip where possible.

Add "workstation" which protects just this machine with stateful
firewalling. Put the variables for this in rc.conf.

Submitted by: Flemming Jacobsen <fj@batmule.dk>
Reviewed by: cperciva

Add idmapd_flags to defaults/rc.conf.
Document it and idmapd_enable.

RC script for idmapd(8), defaulting to off.

Introduce mixer_enable (default: YES).

PR: conf/101268
Submitted by: Eugene Grosbein <eugen@grosbein.pp.ru>
Approved by: cperciva (mentor)
X-MFC after: 6.2-RELEASE
Sponsored by: FreeBSD Test-Bugathon

Push removal of mrouted down to the rest of the tree.

Flushing all IPv4 routes when an interface is removed or unconfigured
makes no sense. Remove the undocumented removable_route_flush feature
from pccard_ether.

X-MFC after: never

Add bthidd(8) rc(8) script

MFC after: 1 month

The kvm_mkdb(8) is long dead.

Use ports INDEX-7 instead of INDEX-6

Submitted by: Niclas Zeising <lothrandil@n00b.apagnu.se>

Add login.conf checking to periodic security scripts. If the login.conf file
is not UID/GID 0, limits will be ignored and a strange error sent to auth.log.

Head nod: ru, rwatson

Make it a little clearer that interface-specific flags aren't additional
to specified dhclient flags.

Mention background_dhclient_iface.

Suggested by: ru

Add a -p switch to dhclient. The switch tells dhclient to persist
despite the interface link status.

Add dhclient_flags_iface and background_dhclient_iface rc.conf options.
(where iface is a specific interface). These can be used to give
interface specific flags to dhclient.

Reviewed by: brooks@

Set removable_route_flush to NO be default. It's clearly the wrong
thing to do in most (all?) cases and certainly should not be the default
now that we're running pccard_ether on all interface creates and
destroys.

MFC after: 3 days

Back out 1.272. The LAPIC timer conflicts with C2/3 on various systems,
and so users get hangs until interrupts are generated another way. We'll
have to find a way to make the 2 work together before re-enabling this by
default.

Since Alpha support isn't in HEAD anymore, remove Alpha-specific
rc.conf(5) knobs, too: osf1_enable, unaligned_print.

- Remove hardcoded /etc/ntp.conf configuration file from ntpdate rc.d script
and replace it with a new ntpdate_config variable.
- Document it in defaults/rc.conf and rc.conf.5.
- Document ntpdate_hosts in defaults/rc.conf.

Requested by: Chris Timmons <cwt@networks.cwu.edu>
Approved by: cperciva (mentor, implicit)
MFC after: 1 week

Update geli_swap_flags, -e is now used to specify the encryption algorithm.

Add rc.d/bridge which is invoked when a new interface arrives and can
automaticly add it to an Ethernet bridge. This is intended for applications
such as qemu, vmware, openvpn, ... which open tap interfaces and need them
bridged with the hosts network adapter, the user can set up a glob for
interfaces to be automatically added (eg tap*).

Add jail_<jname>_exec_afterstart<N> rc.conf variable, where <N> is
1,2 and so on.
It specifies the command to be run as Nth after jail startup.

sh(1)-fu by: Dario Freni
PR: conf/97697
MFC after: 2 weeks
Reviewed by: ru@ (man page)

Increase the nfs access cache timeout from 2 to 60. The latter is a
more appropriate value and is also the default set by the kernel. I
could not find a justification of why rc.conf began overriding it back
in 1998.

This dramatically cuts NFS traffic on e.g. a busy system with NFS root.

Reviewed by: mohans
MFC After: 2 weeks

Send the pcvt(4) driver off to retirement.

Move etc/rc.firewall6 to ipfw2+v6, update related rc.d and periodic scripts.
Since ipfw2 now does dual-stack, statistics for IPv6 come from the ipfw
scripts as well.

- Change the "jail_" prefix for internal script variables. This fixes an
issue where some global jail_* variables were overriden in the script. [1]
- Change "jid" to "jname" in rc.conf(5), since it's more a jail name than a
jail id. [1]
- Update examples and comments in defaults/rc.conf to advertise new
variables and the fact that some of the jail-specific variables may be made
jail-global. [2]

Reported by: pjd [1], clsung [2]
Approved by: cperciva
X-MFC after: i got sufficient testing from people using rc.d/jail

- Extend the nsswitch to support Services, Protocols and Rpc
databases.
- Make nsswitch support caching.

Submitted by: Michael Bushkov <bushman__at__rsu.ru>
Sponsored by: Google Summer of Code 2005

Correct two typos in comments.

- Add new ntpd_config variable so that people can override it in rc.conf.
- Add default value in /etc/defaults/rc.conf.
- Add documentation bits to rc.conf(5).

Approved by: cperciva (mentor)
MFC after: 1 week

Spell synchronous with required silent 'h'.

Reported by: ru, ceri
Pointy hat: brooks

Commit the various network interface configutation updates I've been
working on.
1) Make it possible to configure interfaces with certain characters in
their names that aren't valid in shell variables. Currently supported
characters are ".-/+". They are converted into '_' characters.
2) Replace nearly all eval statements in network.subr with a new
function get_if_var which substitues an interface name (after the
translations above) for "IF" in a variable name.
3) Fix list_net_interfaces() in the nodhcp case.
4) Allow the administrator to specify if dhclient should be started
when /etc/rc.d/netif configures the interface or only by devd.
This can be set on both a per interface and system wide basis.

PR: conf/88974 [1,2], conf/92433 [1,2]

- Fix amd startup when amd is installed from ports.
- Add the according amd_program default value in defaults.

PR: conf/82738
Submitted by: TAOKA Fumiyoshi <fmysh@iijmio-mail.jp>
Approved by: cperciva (mentor)
MFC after: 3 days

Add the graid3(8), gstripe(8) and gconcat(8) status scripts, default is "off".

Approved by: rwatson (mentor)

Remove vestiges of OLDCARD.

Add a default ldconfig32_paths entry in default/rc.conf for 32-bit compatability shared libraries.
It is used by the ldconfig rc.d scripts.
Document this variable in the man page

PR: amd64/91571
Approved by: philip (mentor)
MFC after: 3

Overhaul the named boot script:

1. Remove a now-spurious NetBSD CVS Id, as we are no longer synching work
2. Remove a now-spurious BEFORE, since ntpdate now REQUIRE's named
3. Replace the call to set rcvar with what that function would output,
and generally reduce indirection ($name -> named) since it's highly
unlikely the name of the named process or service will change any time soon.
4. Resort the order the variables at the top of the file to a more
traditional format, and remove a spurious required_dirs from the top, as it
works better after load_rc_config.
5. We do not want the default reload method with named, so define a simple
but appropriate substitute using rndc. If I were writing this script for
the first time I would not include this at all, since it's preferable to
control a running daemon with rndc to start with, but given that this is
already here, let's do it right. I hope that future generations will
however resist the tempation to add reconfig to extra_commands.
6. By the same token, we want to use rndc to shut down named, but given
that by defining a stop function we lose the "find the process by its
pid file in an emergency" goodness of rc.subr, try to do something useful
in the event that rndc is not available, and keep the user informed.
7. Replace some "test -f" with "test -r" to handle the unlikely event
that the relevant file exists, but is unreadable.
8. Twiddle whitespace in a few areas, remove a spurious blank line,
a bogus double space, and try to do better indenting.
9. Improve generation of the rndc.key file significantly
a. If for some reason a user has an rndc.conf file, assume that they
did that on purpose, and hence know what they are doing, so leave them alone.
b. Introduce a named_uid configuration variable so that the user which owns
the rndc.key file and the user named runs as always match, and is more
easily configurable. This should dramatically reduce problems with rndc.
c. Also test that the rndc.key file size is greater than zero, rather than
simply that the file exists. I have seen at least one user report this exact
problem, and although neither of us is sure where the empty file came from,
the fix is simple, so include it.
d. Rather than try to create an rndc.key file in both /etc/namedb and the
chroot'ed /etc/namedb, assume that they are be the same (which they should
be), and only create the file in the chroot'ed version of the directory.
This partially addresses the problem described in conf/73929, but I have
not yet finished thinking about the PREFIX issue that PR also raises.

As a result of introducing the named_uid knob, the default named_flags
are now empty.

Update defaults/rc.conf and rc.conf(5) to reflect these changes.

- Add a startup script for hostapd.
- Document associated variable in rc.conf(5).

Approved by: dougb
MFC after: 1 week

Add auditd_enable and auditd_flags rc.d scripts.

Obtained from: TrustedBSD Project

Make df output more consistent:
Remove -k now that -h is present
use -l instead of -t nonfs to match smbfs too [1]
PR: conf/50956 [1]
Approved by: philip (mentor)
MFC after: 3 days

Make df output in periodic mail human readable

PR: conf/87196
Submitted by: Mike <mspam@ideaway.net>
Approved by: philip (mentor)
MFC after: 3 days

Enable the lowest Cx state by default. This will save power and we have
had enough testing of acpi_cpu to know this is stable now.

Add an rc.d script for stand-alone ftpd.

Document the script's controls on the rc.conf(5)
manpage and touch its Dd.

PR: conf/90893
MFC after: 5 days

Add a daily script to show the status of gmirror(8) devices.

Add a mechanism to include files added by ports which contain
the names of directories to include in the base ldconfig script.
This will eliminate the need for each port to install its own
boot script which does nothing but ldocnfig a given directory.

This code was developed by flz (ports committer), discussed on
freebsd-rc@, and modified slightly by me.

Submitted by: flz
Reviewed by: brooks

Brooks pointed out a potential problem with disabling the X cleaning
by default, so add a new knob that is on by default, and check that
knob in start_precmd so that it can run even if cleaning /tmp is
not enabled. This has the advantage of not violating POLA, while
still allowing the user to disable this behavior if they wish (for
example on a server that will never run X).

Clear up problems with /etc/rc.d/{abi|cleanvar|cleartmp} brought
to light by the PR. Specifically, convert these three scripts
into good rc.d citizens, making sure that their functionality
is preserved, but the rc.d framework rules are not broken.

Add support for cleanvar as a regular rc.d script in the
default rc.conf, and document this in the man page.

Add a descriptive comment to rc.conf that regarding the
three emulation/compatibility services provided by abi
so users will not be confused by these services not having
their own startup scripts.

PR: conf/84574
Submitted by: Alexander Botero-Lowry

Remove usbd(8) and all references to it. It is no longer necessary
since devd(8) now provides the same functionality.

Submitted by: Anish Mistry

Remove rcconf.sh from /etc/rc.d, and instead load the configuration
as part of rc. Doing this, and the sourcing of rc.subr after we have
determined if we are booting diskless (and correspondingly run
rc.initdiskless if necessary) are safe, and actually allow fewer files
to be needed on the diskless box. This also allows variables from
the configuration to be available to rc itself, such as ...

Add a variable to rc.conf, early_late_divider, which designates the
script which separates the early and late stages of the boot process.
Default this to mountcritlocal, and add text to etc/defaults/rc.conf,
rc.conf(5) and diskless(8) which describes how and why one might want
to change this.

Reviewed by: brooks

Files are installed with mode 444 by default.

Add a -f configfile option to devd(8), based on a patch submitted by
Wojciech A. Koszek.

Submitted by: Wojciech A. Koszek <dunstan@freebsd.czest.pl>

Revise hcsecd(8) and sdpd(8) rc.d scripts one more time

- Use _prestart rc.d method to automatically kldload ng_btsocket(4) if needed;

- Rename "sdpd_user" to "sdpd_username" and "sdpd_group" to "sdpd_groupname"
to avoid collision with "magic" variables;

Inspired by: yar
MFC after: 3 days

Add a new configuration variable, ipv4_addrs_<ifn>, which adds one or
more IPv4 address from a ranged list in CIRD notation:

ipv4_addrs_ed0="192.168.0.1/24 192.168.1.1-5/28"

In the process move alias processing into new ipv4_up/down functions to
more toward a less IPv4 centric world.

Submitted by: Philipp Wuensche <cryx dash freebsd at h3q dot com>

Start integrating Bluetooth into rc.d system.

Introduce /etc/rc.d/bluetooth script to start/stop Bluetooth devices. It
will be called from devd(8) in response to device arrival/departure events.
It is also possible to call it by hand to start/stop particular device
without unplugging it.

Introduce generic way to set configuration parameters for Bluetooth devices.
By default /etc/rc.d/bluetooth script has hardwired defaults compatible
with old rc.bluetooth from /usr/share/netgraph/bluetooth/examples. These
can be overridden using /etc/defaults/bluetooth.device.conf file (system
wide defaults). Finally, there could be another device specific override
file located in /etc/bluetooth/$device.conf (where $device is ubt0, btccc0
etc.)

The list of configuration parameters and their meaning described in the
/etc/defaults/bluetooth.device.conf file. Even though Bluetooth device
configuration files are not shell scripts, they must follow basic sh(1) syntax.

The bluetooth.device.conf(5) and handbook update will follow shortly.

Inspired by: Panagiotis Astithas ( past at ebs dot gr )
Reviewed by: brooks, yar
MFC after: 1 week

Add rc.d scripts for the hcsecd(8) and sdpd(8) daemons. Put defaults into
/etc/defaults/rc.conf. Both daemons can run even if no Bluetooth devices
are attached to the system. Both daemons depend on Bluetooth socket layer
and thus disabled by default. Bluetooth sockets layer must be either loaded
as a module or compiled into kernel before the daemons can run.

MFC after: 1 month

Add an rc.d script to start pfsync at the right moment of the
system boot, and hook it up in the system.

The separate script is needed because in the presence of various
interface lists in rc.conf ($network_interfaces, $cloned_interfaces,
$sppp_interfaces, $gif_interfaces, more to come) it is hard to start
them orderly, so that pfsync is brought up after its syncdev, which
is required for the proper startup of pfsync.

Discussed with: mlaier on -pf
MFC after: 5 days

Add a new rc.conf entry, kerberos5_server_flags, which allows the
administrator to specify additional start-up flags to the Kerberos
5 Authentication Server.

MFC after: 3 days

Stop hard-coding an -M flag to mdmfs(8) in /etc/rc.subr.
Now this flag can be set, or not set, for memory-backed
file systems on individual basis, as illustrated by the
rc.conf(5) variables tmpmfs_flags and varmfs_flags. The
flag is set for those FS'en by default, in /etc/defaults/rc.conf,
in order to stay compatible with the old rc.subr behaviour.

Submitted by: marck
MFC after: 3 days

- Remove the removable_interfaces variable. /etc/pccard_ether will
now run on any interface.
- Add a new ifconfig_<ifn> keyword, NOAUTO which prevents configuration
of an interface at boot or via /etc/pccard_ether. This allows
/etc/rc.d/netif to be used to start and stop an interface on a purely
manual basis. The decision to affect pccard_ether may be revisited at
a later date.

Requested by: imp, gallatin (removable_interfaces)
Discussed with: sam, Randy Bush (NOAUTO)

Add scripts for GELI device configuration on boot.

rc.d/geli - configures encryption (ask for passphrases, etc.);
rc.d/geli2 - is called after file systems are mounted and mark devices for
detach on last close.

Sponsored by: Wheel Sp. z o.o.
http://www.wheel.pl
MFC after: 3 days

Teach rc.d/encswap script how to use geli(8) for swap encryption.

MFC after: 3 days

Remove gbde_swap_enable option which doesn't work and doesn't really have to
work, as one still needs to put <device>.bde into /etc/fstab.

Minor comment re-alignment.

- Mention special behaviour of init(8) when kern_securelevel="0"

Suggested by: Miroslav Lachman <000.fbsd@quip.cz>
Approved by: cperciva (src hat)

Introduce new per-jail variable jail_<name>_flags, which allows to specify
jail(8) flags (before the change we had hardcoded "-l -U root").

Submitted by: Frank Behrens <frank@pinky.sax.de>
PR: conf/80244
Approved by: re (scottl)
MFC after: 1 week

Remove default and documenation for pccard_ether_delay since I removed
it from /etc/pccard_ether.

Submitted by: Jeremie Le Hen <jeremie at le-hen dot org>

Change the default for dumpdev to "AUTO". It should be reverted to "NO"
on RELENG_* branches.

Support code for the OpenBSD dhclient. This significantly changes the
way interfaces are configured. Some key points:

- At startup, all interfaces are configured through /etc/rc.d/netif.
- ifconfig_<if> variables my now mix real ifconfig commands the with
DHCP and WPA directives. For example, this allows media
configuration prior to running dhclient.
- /etc/rc.d/dhclient is not run at startup except by netif to start
dhclient on specific interfaces.
- /etc/pccard_ether calls "/etc/rc.d/netif start <if>" to do most of
it's work.
- /etc/pccard_ether no longer takes additional arguments to pass to
ifconfig. Instead, ifconfig_<if> variables are now honored in favor
of pccard_ifconfig when available.
- /etc/pccard_ether will only run on interfaces specified in
removable_interfaces, even if pccard_ifconfig is set.

Add startup script and default configuration file for bsnmpd.

Reviewed by: harti

Document that dumpdev may be set to AUTO to dump to the first appropriate
swap device listed in /etc/fstab.

The alternative suggested for /entropy as a shutdown
save file was /var/db/entropy, which also happens to
be the directory where the individual entropy files
created by /usr/libexec/save-entropy are stored.
Change the suggestion to be /var/db/entropy-file
instead.

In an error condition where the shutdown file is not
created, the error message accessed a variable that
doesn't exist.

PR: conf/75722
Submitted by: Nicolas Rachinsky <list@rachinsky.de>

Set CPU speed to 100% in acpi_throttle attach. This is needed for some
systems that boot with this value at the lowest setting. Change the
default boot config back to "leave frequency as BIOS set it". Also, fix
buglet where acpi_throttle wouldn't be used if p4tcc was present but
disabled by the user.

MFC after: 1 week

Instead of leaving the current frequency setting at whatever the BIOS set
on boot, force it to HIGH. This is needed for some systems which appear
to boot with a low acpi_throttle setting by default. Thanks to Christian
Brueffer for tracking this down on his system.

MFC after: 1 day

Remove mac_lomac(4) functionality. The proper way is to use loader.conf
or build the policy into a kernel.

Approved by: rwatson

Allow chkprintcap(8) to be run before lpd is started. Disabled by
default for now. Default flags create missing directories.

Remove comment about doing this in etc/rc.d/var.

Unlike in the PR, I chose to do this in the lpd script where we reliably
have /usr available.

PR: conf/71488
Submitted by: RZ-FreeBSD0904 at fh-karlsruhe dot de

- Update etc/rc.d/newsyslog to FreeBSD standards and install it.
- Enable it by default, running newsyslog with -CN which creates files
that have the C flag specified in /etc/newsyslog.conf.
- Remove the "newsyslog -CC" call from etc/rc.d/var and the check for
newsyslog.
- Add the C flag to entries in /etc/newsyslog.conf that are currently
installed as part of the base system.

There are two effects from this change:
- Users who delete default syslog files to stop logging to them
will need to set newsyslog_enable=NO in rc.conf or remove the C
flag from those file in /etc/newsyslog.conf or they will come back
on the next boot.
- Diskless systems now create the same set of files that ordinary
systems have by default instead of every file in newsyslog.conf.

Due to a couple complaints about C3 failing on an old Compaq Armada and
a mobile Celeron, disable it by default for the release. We'll have to
nail the last few cases later.

Add rc.conf options for powerd (disabled by default) and hook the script
up to the build.

Make power_profile not touch cpufreq by default.

Add support for cpufreq to power_profile(8). Values for on/offline cpu
frequencies are specified with performance_cpu_freq and economy_cpu_freq.
Of course, special values LOW and HIGH are also supported. Also, remove
old throttling support.

Add a reference to the periodic.conf(5) manual page.

Suggested by: simon

Add a reference to rc.conf(5).

PR: docs/35648
Submitted by: Gary W. Swearingen

Another prism2 card (not sure what, if anything, is needed for >=5)

Pr: 43805

Ports index file is now INDEX-6

Start the dreaded NOFOO -> NO_FOO conversion.

OK'ed by: core

Use rc.subr

PR: 72505
Submitted by: Amir Shalem <amir@active.ath.cx>

Improve the RC framework for the clean booting/shutdown of Jails:

1. Feature: for flexibility reasons and as a prerequisite to clean
shutdowns, allow the configuration of a stop/shutdown command
via rc.conf variable "jail_<name>_exec_stop" in addition to the
start/boot command (rc.conf variable "jail_<name>_exec_start"). For
backward compatibility reasons, rc.conf variable "jail_<name>_exec"
is still supported, too.

2. Debug: Add the used boot/shutdown commands to the debug output of
the /etc/rc.d/jail script, too.

3. Security: Run the Jail start/boot command in a cleaned environment
to not leak information from the host to the Jail during startup.

4. Feature: Run the Jail stop/shutdown command "jail_<name>_exec_stop" on
"/etc/rc.d/jail stop <name>" to allow a graceful shutdown of the Jail
before its processes are just killed.

5. Bugfix: When killing the remaining Jail processes give the processes
time to actually perform their termination sequence. Without this the
subsequent umount(8) operations usually fail because the resources
are still in use. Additionally, if after trying to TERM-inate the
processes there are still processes hanging around, finally just KILL
them.

6. Bugfix: In rc.shutdown, if running inside a Jail, skip the /etc/rc.d/*
scripts which are flagged with the KEYWORD "nojail" to allow the
correct operation of rc.shutdown under jail_<name>_exec_stop="/bin/sh
/etc/rc.shutdown". This is analogous to what /etc/rc does inside a Jail.

Now the following typical host-configuration for two Jails works as
expected and correctly boots and shutdowns the Jails:

-----------------------------------------------------------
# /etc/rc.conf:
jail_enable="YES"
jail_list="foo bar"
jail_foo_rootdir="/j/foo"
jail_foo_hostname="foo.example.com"
jail_foo_ip="192.168.0.1"
jail_foo_devfs_enable="YES"
jail_foo_mount_enable="YES"
jail_foo_exec_start="/bin/sh /etc/rc"
jail_foo_exec_stop="/bin/sh /etc/rc.shutdown"
jail_bar_rootdir="/j/bar"
jail_bar_hostname="bar.example.com"
jail_bar_ip="192.168.0.2"
jail_bar_devfs_enable="YES"
jail_bar_mount_enable="YES"
jail_bar_exec_start="/path/to/kjailer -v"
jail_bar_exec_stop="/bin/sh -c 'killall kjailer && sleep 60'"
-----------------------------------------------------------
# /etc/fstab.foo
/v/foo /j/foo/v/foo nullfs rw 0 0
-----------------------------------------------------------
# /etc/fstab.bar
/v/bar /j/bar/v/bar nullfs rw 0 0
-----------------------------------------------------------

Reviewed by: freebsd-hackers
MFC after: 2 weeks

Add Ethernet part of Intel EtherExpress PRO/100 LAN/Modem card. This is a
rebadged Xircom REM56 RealPort card. Short MFC timeout to beat the 4.11
code freeze.

PR: 53027
Submitted by: John Merryweather Cooper <coop9211 at uidaho dot edu>
Approved by: imp (mentor)
MFC after: 2 days

Add nfs4 to list of net filesystems.

Approved by: alfred

Teach periodic(8) security output to display information about blocked
packet counts by pf(4).

This adds a ``daily_status_security_pfdenied_enable'' variable to
periodic.conf, which defaults to ``YES'' as the matching IPF(W) versions.

The output will look like this (line wrapped):

pf denied packets:
> block drop log on rl0 proto tcp all [ Evaluations: 504986 Packets: 0
Bytes: 0 States: 0 ]
> block drop log on rl0 all [ Evaluations: 18559 Packets: 427 Bytes: 140578
States: 0 ]

Submitted by: clive (thanks a lot!)
MFC after: 2 weeks

Implement per-jail fstab(5) files. Here's a rc.conf sample using
this feature for a jail named foo :

jail_foo_mount_enable="YES"
jail_foo_fstab="/etc/fstab.foo"

The second line is actually useless, since the code defaults to
using "/etc/fstab.$jailname" as the fstab file if none is specified.

MFC after: 3 days
Submitted by: Jeremie Le Hen <jeremie@le-hen.org>

Revert the noexec,nosuid,nodev options for md /tmp file systems, since
the change in the default behavior may break existing, working setups.

Requested by: brooks

Add two new rc.conf options: tmpmfs_flags and varmfs_flags.

These can be used to pass extra options to the mdmfs(8) utility,
to customize the finer details of the md file system creation
(i.e. to turn on/off softupdates, to specify a default owner for md
filesystem, etc).

Use these two new flags to mount tmpmfs and varmfs without
softupdates, since it doesn't make much sense to use SU on
malloc-backed file systems.

Reviewed by: mtm
Inspired by: J. D. Bronson, jbronson at wixb dot com

Someone (sanpei-san?) sent me this entry some time ago. Add COREGA
FEtherII PCC-TXD to the FEther PCC-TXD entry (since they appear to be
handled the same).

Sync up with vinum(8) and rc.d/vinum removal.

OK'ed by: phk

Do a better job of supporting more than one mouse device
on the system.

To start/stop/check on a specific device give the device name as
the second argument to the script:
# /etc/rc.d/moused start ums0

To use different rc.conf(5) knobs with different mice use the device
name as part of the knob. For example, if the mouse device is ums0, then:
moused_ums0_enable=yes
moused_ums0_flags="-z 4"
moused_ums0_port="/dev/ums0"

Starting rc.d/moused without the device argument will use the standard
moused_* flags. So, this commit should not disrupt or change current usage.

To preserve current behaviour with respect to usb mice, which appear
automatically when inserted, there is a new knob, moused_nondefault_enable,
which will treat any devices without rc.conf knobs as enabled.

To minimize knobs in /etc/rc.conf, the device file and pid file are
auto-computed, so that in the typical case for a usb mouse you don't
need to add anything extra in /etc/rc.conf to get it working.

Additionally, this updates /etc/usbd.conf to use the rc.d/moused script so
people don't have to modify it to configure their usb mouse anymore.

MFC after: 1 month

Allow to change interfaces name on boot time.
Now, one should be able to put something like this into /etc/rc.conf:

ifconfig_fxp0_name="net0"
ifconfig_net0="inet 10.0.0.1/16"

Reviewed by: green

For variables that are only checked with defined(), don't provide
any fake value.

Introduce root_rw_mount as a new variable in defaults/rc.conf to
unbreak /etc/rc.d/root for diskless systems that get their root
filesystem from a read-only NFS mount.

PR: conf/72927
Submitted by: Ralf Wenk <RZ-FreeBSD1004@fh-karlsruhe.de>
Reviewed by: brooks

Accidentally removed the last component of the pathname when committing.

Fix a botched rev. 1.221 commit. Also, a number of people have
pointed out that /usr/local/etc/rc.d/000.pkgtools.sh installed
with the portupgrade does an equivalent thing, so I personally
would like to see the change reverted, but let David handle it.

Remove hcsecd line which was inadvertantly included in the previous commit.

Remove a pointless syslogd_flags example.

MFC after: 2 weeks

'portupgrade' places obsoleted shared libraries in /usr/local/lib/compat/pkg,
so add this the list of directories ldconfig'ed.

Correct a trivial typo.

Give users the ability to load a mac_bsdextended(4) ruleset on boot (defaults
to NO of course). Provide a basic ruleset file, rc.bsdextended, but allow
the filename to be overridden through rc.conf.

Discussed with: rwatson (awhile ago)

Create a named chroot directory structure in /var/named, and use it
by default when named is enabled. Also, improve our default directory
layout by creating /var/named/etc/namedb/{master|slave} directories,
and use the former for the generated localhost* files.

Rather than using pax to copy device entries, mount devfs in the
chroot directory.

There may be some corner cases where things need to be adjusted,
but overall this structure has been well tested on a production
network, and should serve the needs of the vast majority of users.

UPDATING has instructions on how to do the conversion for those
with existing configurations.

For the default FreeBSD install, the file path actually is
/var/run/named/pid. This is done so that named can start
with -u bind and still dump a pid file in that directory,
which is chowned to user bind.

It's named.pid, not named/pid.

Pointy hat to: dougb@

Add a note to indicate that the path set in named_pidfile must
also be set in named.conf. Our default named.conf has this already.

Update the note for named_symlink_enable to indicate that ndc is gone.

Add a knob 'daily_status_security_diff_flags' controlling the
format of the 'diff' output generated during periodic(8) scripts.

Submitted by: keramida (script changes)
Reviewed by: keramida (man page changes)

Bring back etc/rc.d/ntpdate as requested by scads of people. This isn't a
complete backout as the ntpd_sync_on_start etc/rc.conf tunable is still
present, though the default is now NO (was YES). Since we're no longer
syncing time at startup by default when ntpd is enabled (as was the case
24hrs ago), remove UPDATING entry pointing out that ntpd(1) -g is slower
than ntpdate(1).

Hopefully ntpd_sync_on_start="YES" can be made the default for -CURRENT
after 5.3 is cut. At the very least, this should be set to YES when a
user requests to have ntpd enabled via sysinstall(1).

Requested by: many

Stop using ntpdate(1) in our startup proceedure. Replace ntpdate(1) with
calls to ntpd -g. ntpd is noticably slower than ntpdate, but is also more
accurate. This removes the nasty hackery in rc.d/ntpdate that would parse
out ntp servers from /etc/ntp.conf (ntpd knows how to read its own config
file). By default, ntpd *will* sync with its listed time servers. To
turn this off so that ntpd does not sync, ntpd_sync_on_start="NO" can be
added to /etc/rc.conf. If ntpd is not enabled (the default), then time is
not synced on startup. ntpdate's use has been depreciated by the ntpd
authors for quite some time so this change shouldn't be unexpected.

Suggested by: des
Approved by: roberto (resident ntp guru)

Fix typo in description of pflog_logfile.

Submitted by: Mike Jakubik

For the gbde attach script:
- Ask the user up to X times (3 by default) for the pass-phrase, if
it is incorrect the first time.
- Add support for storing the lockfiles in another other directory
than /etc.
- Document that it is possible to override the location of each single
lockfile.

Approved by: pjd

devd is now on by default

Reviewed by: dfr,njr (not nate!)

Allow setting the system console keyboard via the ${keyboard} rc.conf
directive.

Removed whitespace at BOF, EOL & EOF.

fix MELCO LPC3-TX entry.
I mistaked at 1.166.

Submitted by: SARUMARU Yoshihiko <mistral@imasy.or.jp>
Pointed out by: MORIYASU Hirano <m-hirano@konsei.co.jp>
FreeBSD-users-jp 79808
FreeBSD-users-jp 79816

fix typo in comment in my previous commit.

Add ip6addrctl_enable and ip6_addrctl_verbose option. If
ip6addrctl_enable is set to YES, address selection policy is installed
into kernel.
If there is /etc/ip6addrctl.conf, it is used for address selection
policy. Even if there is no /etc/ip6addrctl.conf, we install default
policy. In this case, if ipv6_enable is set to YES, we use address
selection policy described in RFC 3484 as default. Otherwise, we
install priority policy for IPv4 address.
The default of ip6addrctl_enable is NO for now. However, it may
better to enable it by default.

Throw the switch and enable use of the lowest idle states while online in
addition to offline. This can be overridden in /etc/rc.conf if it causes
trouble although this has been stable since 2003/12.

Allow the location of the INDEX file to specified to pkg_version.
This is particularly convenient on a cluster of machines to prevent
having to rebuild the INDEX file on each.

Reviewed by: portmgr

Add script for checking ipv6 blocked packets from PR.

PR: misc/50154
Submitted by: Kimura Fuyuki <fuyuki@hadaly.org>

Document devfs_set_rulesets a little.

Add Xircom XEM5600 card (appears to be a renamed REM56).
Observe that Xircom CEM28 and CEM33 are known to work in Ethernet mode.

Reviewed by: imp (mentor)

Document sendmail_pidfile variable.
Add sendmail_procname variable.

Add rc.d script to start pflogd and add rcvars etc. Also document vars in
rc.conf(5) and put a sample entry to newsyslog.conf

Reviewed by: -current
Approved by: bms(mentor)

Overhaul the /etc/rc.d/diskless script by splitting it out into
hostname, resolve, tmp, and var scripts. The latter three are new and
were repo copied. These scripts no longer depend on being booted with
and NFS root instead attempt to automaticly create mfs /tmp and /var
volumes if the they are not writable. This behavior can be overridden
in /etc/rc.conf.

Reviewed by: luigi, pjd

Add rc.d script for pf(4) (more to come once pflogd(8) works as well).
Update defaults and write some lines for rc.conf(5) also.
Mostly dup'ed from ipf

Reviewed by: -current
Approved by: bms(mentor)

1. Remove the named_rcng variable. Mike's caution in this area was a good
thing, but we're ready to move on.

2. Remove the -g default argument in named_flags. It doesn't actually do
what most users think it does, and what most users want it to do is already
accomplished with a proper default group for the bind user, which we have.
Also, the -g knob does something entirely different in BIND 9, which leads
to a lot of needless confusion/aggravation.

3. In the rc.d script, don't bogusly override $command, or $rc_flags. Both
are adequately handled in rc.conf[.local].

4. DO properly override $rc_flags if user has named_chrootdir set.
This may need to be revisited, but should be ok for now.

5. Protect all chrootdir-related bits under that variable, instead of
named_rcng.

There is more work to be done here, especially in the area of BIND 9
compatibility, but this is a start at least.

Prompted in part by (legitmate) grousing from: kuriyama, Randy Bush

From the PR:
Certain MTA configurations mean that the notifications from
virecover keep bouncing; so here's a patch to allow administrators
to turn them off.

PR: conf/54910
Submitted by: bms (with a minor cleanup)

Add support for initializing swap devices with random one-shot keys. Note
that the keys are currently generated by computing the MD5 checksum of 512
bytes read from /dev/random, and are passed to gbde on the command line.

Sponsored by: Teleplan AS

Ruleset numbers are not allowed in devfs_* knobs.
Noticed by someone on -current.

Support starting/stoping of jails individually.

This commit also removes the support for the sysutils/jailer port. This
is inline with the general policy to keep ports related knobs out
of the base system's configuration mechanism.

Submitted by: Juergen Unger <j.unger@addict.de>

If we're going to "add path 'fd/*' unhide", it only makes
sense to "add path fd unhide" first.

Requested by: mtm
Approved by: rwatson (mentor)

Added support for intelligent handling of DST transitions in cron.

reviewed by: imp

Add power_profile, a script that changes the ACPI CPU Cx idle state and/or
the throttling state in response to line transitions. Future plans
include adding support for CPU frequency changes.

Add a devd.conf entry for calling this script.

The default values for this are:
performance_cx_lowest="HIGH" # Use HLT (C0) online
performance_throttle_state="HIGH" # 100% (no throttling)
economy_cx_lowest="LOW" # Use the lowest Cx state possible
economy_throttle_state="HIGH" # 100% (no throttling)

Backout ataraid rcng script. I must have missed ar0 in my scan of /dev
after my first reboot because sure enough, I'm seeing it there now and
ata(4) is doing the right thing(TM).

Pointed out by: des

Add a script that allows software RAID sets to be created before file
systems are mounted. An example set of entries for /etc/rc.conf:

ataraid_enable="YES"
ataraid_devices="ar0"
ataraid_ar0_set="ad2 ad3"
ataraid_ar0_type="RAID1"

Because there is no "correct" way of doing ATA raid (ie, geom vs.
atacontrol vs. vinum) that is bikeshed proof, this rcng script stays within
the bounds of atacontrol and assumes that other RAID solutions for GEOM or
vinum will end up in a different rcNG script.

Reviewed by: green

Fix typo, I forgot daily_ in front of the status_ata_raid_enable

Add a means of starting an IKE daemon from the rc system at an appropriate
time during the boot process. This is needed in the case where NFS mounts
from servers reachable only via IPSEC are in /etc/fstab.

PR: conf/42497
Submitted by: Volker Stolz
Approved by: re (rwatson)

Add status checking of ATA raid to the daily periodic scripts.

any -> ? for new entry (to allow time for people to upgrade their pccardd)

Default ntpd to write a "driftfile" in /var/db/ntpd.drift.

A "driftfile" caches the oscillator offset estimate from boot to boot,
having this means faster and less bumpy time synchronization. Will
be overridden by any value in the config file.

As far as we know, there is no reason to not expose /dev/crypto in
jails so code in there can take advantage of hardware assisted
crypto.

A new proxim harmony oem card spotted in the field.

Submitted by: Jeremy Bingham

Add a default setting of NO for the gbde auto attach script, and
document the options.

Add `-C 60' to the default flags for inetd, so that it is less
vulnerable to run-of-the-mill DoS attacks in the default installation.

add ELSA Vianect WLAN (Marco Wertejuk)
benq awl100 (David Leemans)

ObTerminalRoomCommit: done!

Enhance the jail start/stop script.
o The following additional configuration attributes of a jail can be
controlled from rc.conf:
- mounting devfs(5)
- mounting fdescfs(5)
- mounting procfs(5)
- custom devfs(8) ruleset
If no ruleset is specified, the default jail ruleset is used.

o The output of executing /etc/rc in the jail is now redirected
to /dev/null. Instead, the hostname of the jail is echoed if
the jail(8) command exited successfully. If the output is wanted
it can probably be redirected to a file (/var/run/$jail maybe)
instead of /dev/null.

Submitted by: Scot W. Hetzel <hetzels@westbend.net>
with modifications by Jens Rehsack <rehsack@liwing.de>
and me.

o Do not keep a separate list of src/etc/defaults files in
the src/etc makefile. This list was used to manually
install the files from src/etc. Instead, simply change
directory and 'make install'.
o There is no reason for the files in src/etc/defaults to
be installed as writeable.

Reviewed by: ru

o Reduce rc(8) startup clutter by turning the informational messages
off by default.
o Apparently the routine displaying the informational messages wasn't
checking its knob in rc.conf, so fix that as well.

Requested by: obrien

Add a general mechanism for creating and applying
devfs(8) rules in rc(8). It is most useful for applying
rules to devfs(5) mount points in /dev or inside jails.
The following line of script is sufficient to
mount a relatively useful+secure devfs(5) in a jail:

devfs_mount_jail /some/jail/dev

Some new shell routines available to scripts that source
rc.subr(5):
o devfs_link - Makes it a little easier to create symlinks
o devfs_init_rulesets - Create devfs(8) rulesets from devfs.rules
o devfs_set_ruleset - Set a ruleset to a devfs(5) mount
o devfs_apply_ruleset - Apply a ruleset to a devfs(5) mount
o devfs_domount - Mount devfs(5) and apply some ruleset
o devfs_mount_jail - Mount devfs(5) and apply a ruleset
appropriate to jails.

Additional rulesets can be specified in /etc/devfs.rules.
If the devfs_system_ruleset variable is defined in rc.conf
and it contains the name of a ruleset defined in /etc/defaults/devfs.rules
or user supplied rulesets in /etc/devfs.rules then that ruleset will
be applied to /dev at startup by the /etc/rc.d/devfs script. It can
also be applied post-startup:

/etc/rc.d/devfs start

This is a more flexible mechanism than the previous method of using
/etc/devfs.conf. However, that method is still available.

Note: since devfs(8) doesn't provide any way for creating symlinks
as part of a ruleset, anyone wishing to create symlinks in a devfs(5)
as part of the bootup sequence will still have to rely on /etc/devfs.conf.

Now that routes for IP over ATM may look much more complex than before,
use the atmconfig(8) utility instead of route(8) to install those routes.
For this we need a new rc.conf variable natm_static_routes that works
just like static_routes except that the referenced routes use the syntax
of atmconfig(8).

Okay'ed by: mtm

add rtsol_flags.

MFC after: 1 week

Add entries for NETGEAR MA401RA, IO DATA PCET10CL and Panasonic KXL-CB10AN.

Appologies to: those that submitted these to me.

Change the default for background_dhclient back to NO. It can
cause to much troubles with applications.

Always start dhclient in the background.

Reviewed by: mtm

Added entry for Billionton LM5LT-10N
Fixed small typo

Reviewed by: imp
Approved by: imp

Add support for DFE-670TXD to OLDCARD

Submitted by: David Wolfskill
PR: 53356

- Add a software watchdog facility.

This commit has two pieces. One half is the watchdog kernel code which lives
primarily in hardclock() in sys/kern/kern_clock.c. The other half is a userland
daemon which, when run, will keep the watchdog from firing while the userland
is intact and functioning.

Approved by: jeff (mentor)

Update a comment about symlinking named's pid file to correctly
reflect the code.

Suggested by: maxim

The dhcp_program and dhcp_flags variables have to be renamed to
take advantage of the rc.subr(8) glue. They are renamed dhclient_program
and dhclient_flags.
o Rename them in rc.conf(5)
o Rename them in /etc/defaults/rc.conf
o Add the deprecated variables to /etc/rc.subr
o Isolate the use of the 'command' variable to the
NetBSD specific parts in /etc/rc.d/dhclient.
o Now that dhcp_flags has also been renamed it will
be applied properly by rc.subr(8) glue code.

Reported by: John Nielsen <john@jnielsen.net>

Move networkfs_types from mountcritlocal into defaults/rc.conf as netfs_types.
Also add logic into mountcritremote to add extra_netfs_types to the list.

This unbreaks putting smbfs, portalfs and now nwfs in fstab.

Per previous announcement, remove the old version of the rc system.

All functionality from the previous system has been preserved, and
users should still customize their system boot with the familiar
methods, rc.conf, rc.conf.local, rc.firewall, sysctl.conf, etc.

Users who have customized versions of scripts that have been removed
should take great care when upgrading, since the compatibility code
that used those old scripts has also been removed.

Make the defaults for Kerberos 5 a little more up-to-date.

Change the name of the kadmind binary to match reality, now that
KerberosIV is no longer an issue.

xten isn't needed after tw is gone.

Approved by: re@ (scottl)

Add new knobs for controlling jails in rc.d and document them.

Approved by: makrm (mentor)

Add NTT-ME SS-LAN CARD MN128. This card entry has been
committed into NEWCARD.

Complete removal of 320.rdist by removing its entry from periodic.conf and
removing the related 220.backup-distfile script and associatd periodic.conf
entry.

Discussed with: obrien

Add pc-card from ARCHOS CD-224E cdrom.

MFC after: 1 week

A new rc-ng script to build linker.hints files with kldxref(8)
automatically at boot time. Associated rc.conf(5) knobs and
documentation are included.

Make it more clear how to disable keybell, and where its options are found.

PR: conf/41772

Initiate KerberosIV de-orbit burn. Disconnect the /etc configs.

Add YIS YWL-11B.

/etc/rc.network isn't built to handle a value of "DEFAULT" (nor should it
be). Using that string leads rc.network to execute:

# sysctl -w vfs.nfs.bufpackets=DEFAULT
vfs.nfs.bufpackets: 4 -> 0

Which isn't what was intended.

PR: conf/31280
MFC after: 3 days

ep(4) does not have link0 and link1 options.

PR: conf/46651
Submitted by: Eugene Grosbein <eugen@grosbein.pp.ru>
Reviewed by: imp, mdodd
MFC after: 1 week

Add BUFFALO LPC-CF-CLT(10Base-T Compact Flash Ether Card).

Add Allied Telesis WR211PCM.

Add rc_debug knob to rc.conf. The code for it has been in rc.subr for
some time now.
Document all knobs introduced by rc.d

Approved by: markm (mentor)
Reviewd by: gordon (earlier revision)

Add an entry for the Dlink Air 660 Wireless PC Card.

PR: 46977
Submitted by: gioria
Approved by: imp

Fix the named script to find the correct pid file for the
named(8) daemon by providing a new rc.conf knob: named_pidfile
that defaults to the path specified in the system-installed named.conf(5).

Approved by: markm (mentor)
Reviewed by: dougb
Noticed by : Galen Sampson <galen_sampson@yahoo.com>
Dan Pelleg <daniel+bsd@pelleg.org>
PR: conf/46402
MFC: 2 weeks (with re@ approval)

Either compaq has two variants of the WL200, or the old entry is
wrong. Go ahead and include a second entry for the WL200 until I can
sort this out.

Submitted by: Matt Pearce

Tighten wording of comment.

Suggested by: gshapiro

Do not do manually what sendmail(8) can do better automatically.
Tell sendmail to clean up its own host status cache.
The error condition handling could probably be done better.

Delay an optional amount of time after booting before starting a
background fsck. The delay defaults to sixty seconds to allow
large applications such as the X server to start before disk I/O
bandwidth is monopolized by fsck.

Submitted by: Brooks Davis <brooks@one-eyed-alien.net>
Sponsored by: DARPA & NAI Labs.

Make pccardd have -z by default. This fixes a few startup problems
where people want to have the cards configured. Lack of -z is a speed
optimization.

Submitted by: many voices on mobile@
Approved by: re@ (rwatson)
MFC after: 3 days

Fixed two typos in comments.

Turn off devd until I have a devd.conf file that I can install one
that does no harm.

Add devd_enable

Submitted by: dougb

Add IPv6 setup for ipfilter. `ipv6_ipfilter_rules' was added
to specify rules definition file for ipfilter. The default is
/etc/ipf6.rules. If there is a file which is specified by
'ipv6_ipfilter_rules', IPv6 rule is installed.

Reviewed by: Ronald van der Pol <Ronald.vanderPol@rvdp.org>
MFC after: 1 week

Add a new /etc/periodic/security script to check for packets
rejected by ipfilter (510.ipfdenied), and a corresponding periodic.conf
knob (daily_status_security_ipfdenied_enable).

Reviewed by: roberto
Approved by: re@

SAMSUNG SWL-2000P PCI Card

Submitted by: Robert Dezorzo

Psion Dacom Gold Card Ethernet

Submitted by: Rick Hoppe

Generic Prism2.5 card

Submitted by: Matt Peterson

Belkin F5D5020 pccard.

Submitted by: Philip Pereira

Entry for I-O Data PCET/100-CL

Submitted by: MATSUO Masahiko-san

oops, last second botch: fix extra 'i'

o Belkin wireless card

PR: 38919
Submitted by: Tommy Johnson

o IBM IDE CDROM

PR: 39537
Submitted by: Kevin Van Maren

o T-Sunus 130 card

PR: 41802
Submitted by: Oliver Schneider

o FreeSPirit ISDN/56K modem card
o No-name OEM Prism card
o ActionTec Prism card
o ZoomAir 11Mbps High Rate wireless networking

PR: 41929, 41928
Submitted by: Bruce M Simpson

o Dynalink L100C16

PR: 41938
Submitted by: Marco van de Voort

Newer Netgear MA401RA entry.

Submitted by: Michael Ranner

Two fixes:
1) Add new card entry for nortel eMobility wi card (from email
that I've lost the sender on :-(
2) put ata devices at config 0x1 rather than auto. This should be
better for nearly all cases.

MFC after: 3 days

Add a pkg_version variable so that it's possible to run portsversion instead
of pkg_version in periodic/weekly/400.status-pkg.

Add an entry for corega WL PCCL-11.

PR: conf/42481
Submitted by: NINOMIYA Hideyuki <nin@jp.FreeBSD.org>
Approved by: imp
MFC after: 1 week

Introduce bootparamd into the boot scripts. Add a bootparamd_enable and
_flags to rc.conf

Submitted by: John Hay <jhay@zibbi.icomtek.csir.co.za>

Deprecate the use of sendmail_enable="NONE" as it adversely affects the
new rcNG effort.

Submitted by: Mike Makonnen <makonnen@pacbell.net>

Turn rc_ng on by default now, it's time has come. While we are at it, I'd
like to thank Mike Makonnen for all his work on rcNG. Without him, none
of this would have been possible.

establish default values for /etc/rc.d/pcvt script

Clean up some variables that should have been done before:
xntpd_* -> ntpd_*
portmap_* -> rpcbind_*

Also change single_mountd_enable to mountd_enable.

We also include shims for all the old variable names.

Submitted by: Mike Makonnen <makonnen@pacbell.net>

Remove trailing whitespace.

Add a generic NANOSPEED wi card.

Submitted by: matt peterson

While I'm here, kill the flags 0x10000 on all the prism based cards.
Both stable and current figure this out on their own and we've had at
least one releases where this is the case.

Change the default setting of an IPv4-mapped IPv6 address to off.

Requested by: many people

The Compaq WL200 is a CL-PD6729 based pci card with a prism 2 pcmcia
card behind it (without the pcmcia form factor). This entry gets to
the point of attaching, but there's something wrong with the '29
support, so it doesn't quite work yet.

be able to configure to run an IPv6 routing daemon even on
an end node.

Requested by: Masachika ISHIZUKA <ishizuka@ish.org>
MFC after: 1 week

Add a couple of variables for rc.d

Submitted by: Mike Makonnen

We want to play osterage and stick our heads in the sand and ignore things.

Requested by: jhb

ntpdate(1) is depreciated.

Add new entry PLANEX GW-NS11H(PRISM3.0).

Submitted by [bsd-nomads:16322] Yasufumi Susuki <yasu@triaez.kaisei.org>

Correct US Robotics Wireless Card 2410 entry

Explictly set kerberos_stash to NO instead of blank. While we are at it,
fix a comment that suggested setting ipv6_ipv4mapping to blank. This
will aid in merging with rcng which requires all veriables to be
explicitly set.

Submitted by: Mike Makonnen
MFC after: 1 week

This is two new entries for Taiwanese 16bit PCMCIA cards.
The Blue Concentric CF 802.11b card is a compactflash form-factored card
that does 802.11b, including 128bit encryption.
The Zonet modem pccard is a simple FAX/Modem card.

Both are sold in Guang-Hua Market in Taipei, and functions perfectly
with -current and -stable.

Remove reference to the TCP_RESTRICT_RST option, which was removed
over a year ago.

Small ws twiddle while I'm here.

Consistently use full pathnames for files, especially executables.

PR: conf/37292
Submitted by: Helge Oldach <send-pr@oldach.net>
MFC after: 3 days

Back out /etc/rc.d addition. I'd like to see something come of what has
already been imported. It would have been nice to get it out there
in DP1, but that is too late now.

<peril sensitive sunglasses on>
Add /etc/rc.d to the startup dirs list. It is a convenient place to put
custom startup scripts instead of hacking a shared rc.local. eg: ftpd in
listener mode, or maybe even sendmail or another mailer, etc.
<peril sensitive sunglasses off>

Update mail queue related periodic scripts to account for sendmail 8.12's
clientmqueue (submit mail queue).

The new mailq display is only active if both the old
daily_status_mailq_enable is set to "YES" and the new
daily_status_include_submit_mailq is set to "YES" so people who disabled
440.status-mailq won't have any surprises.

Likewise, the new queue run is only active if both the old
daily_queuerun_enable is set to "YES" and the new daily_submit_queuerun
is set to "YES" so people who disabled 500.queuerun won't have any
surprises.

While I am here, remove the [ ! -d /var/spool/mqueue ] checks from
both scripts as the queue directory isn't always /var/spool/mqueue for
the main daemon -- it can be set to anything in the sendmail.cf file.

MFC after: 1 week

Correct path for saver to reflect reality.

Submitted by: Martin Faxer <gmh003532@brfmasthugget.se>

Correct grammar(?) in comments.

PR: 36808
Submitted by: Andrew Boothman <andrew@cream.org>

Quoting Peter Wemm, "At great personal risk, touch the sendmail startup
again."

As an alternative to sendmail_enable=NONE, solve the boot time problem
for non-sendmail users completely by moving all of the sendmail startup
code from /etc/rc to /etc/rc.sendmail. The source for that script will
be kept in src/etc/sendmail/rc.sendmail so make.conf's NO_SENDMAIL will
prevent it from being installed. A new rc.conf variable,
mta_start_script specifies the script to run to start the user's
preferred MTA. For backward compatibility, it will default to
/etc/rc.sendmail. The specified script is called out of /etc/rc after
checking to make sure it exists. A new rc.sendmail.8 man page has also
been added which now houses the sendmail_* variable descriptions
formerly in rc.conf.5.

Use /etc/rc.sendmail in /etc/mail/Makefile to reduce code duplication.

Reviewed by: -current, -stable, obrien, peter, ru
MFC after: 1 week

Provide a way for users to completely prevent sendmail from trying to start
at boot time.

Instead of rc.conf's sendmail_enable only accepting YES or NO, it can now
also accept NONE. If set to NONE, none of the other sendmail related
startup items will be done.

Remove an extra queue running daemon might be started that wasn't necessary
(it didn't hurt anything but it wasn't needed).

The new logic is:

# MTA
if ${sendmail_enable} == NONE
# Do nothing
else if ${sendmail_enable} == YES
start sendmail with ${sendmail_flags}
else if ${sendmail_submit_enable} == YES
start sendmail with ${sendmail_submit_flags}
else if ${sendmail_outbound_enable} == YES
start sendmail with ${sendmail_outbound_flags}
endif
# MSP Queue Runner
if ${sendmail_enable} != NONE &&
[ -r /etc/mail/submit.cf] && ${sendmail_msp_queue_enable} == YES
start sendmail with ${sendmail_msp_queue_flags}
endif

Discussed with: Thomas Quinot <Thomas.Quinot@Cuivre.FR.EU.ORG>,
Christopher Schulte <schulte+freebsd@nospam.schulte.org>
MFC after: 1 week

Home Wireless Network Airway wireless card

Allow LOMAC to be loaded as part of the boot scripts using "lomac_enable"
setting in rc.conf.

Extracted from the still clammy hands of: green
Sponsored by: DARPA, NAI Labs

Buffalo LPC3-CLT

Submitted by: TANAKA Tomohiko <tomo@oso.to>
PR: 34954

Fix Simple Tech STI-ATA

Submitted by: dwhite@paypal.com
PR: 34243

US Robotics Wireless Card 2410

Submitted by: Jerry A! <jerry@thehutt.org>
PR: 33858

Use the regular expression form to solve the ambiguous card parameters
which have tailing spaces.
Some card entries had problem because of incorrect number of spaces.

Approved by: imp
MFC after: 1 week

There is no reason to demand the administrator set 'natd_interface'
when running natd(8) out of the rc-files. It is perfectly valid for
the interface or alias address to be set in a natd(8) configuration
file, not on the command line. Also, loosen up the restrictions on
identifying an IP address argument in 'natd_interface.'

Fix the documentation, rc.conf(5), to reflect this change.

Take the bogus default for 'natd_interface' out of /etc/defaults/rc.conf.

MFC after: 3 days

Add infrastructure for sendmail 8.12. If users are not starting a daemon
at boot (sendmail_enable=NO), a localhost-only daemon may started
(sendmail_submit_enable) as it is needed to accept mail from command line
submissions. If this isn't desired, see etc/mail/README for more hints.

Optionally (sendmail_msp_queue_enable) start a queue runner for the
submission queue in case a daemon isn't available to accept command line
submitted mail at submission time.

Note that the syslog labels for all of these sendmail processes have been
uniquified for easier log parsing.

Add Proxim RangeLAN-DS.

Submitted by: Matt Peterson <matt@peterson.org>
PR: 35057

Also update my note for the 3crwe737A after talking to Alan Clegg at BSDcon.

Added this makefile. This is not attached to the build yet. I often
install parts of /etc manually and it helps to have a makefile for
each subdir even if the main makefile doesn't invoke it.

By commit of usr.sbin/pccard/pccardd/cardd.c at Nov 29 (Dec
10 in -STABLE), pccardd's string comparison between
pccard.conf's entry and PC card's CIS tupple became strict
matching.

As influences of this commit, some PC cards don't work since
some /etc/default/pccard.conf's card identifiers entries are
incorrectly described.

- Lexar Media compact flash
- IO DATA CBIDE2 in 16 bit mode
- TOSHIBA Portable 24X Speed CD-ROM Drive PA2673UJ
- Hewlett Packard M820e (CD-writer)

Update these card configs.

PR: 33815
Obtained from: [bsd-nomads:16128]

Add Linksys Instant Wireless WPC11 v2.5

Submitted by: eliedtke@apogeetelecom.com

Add ADLINK340C wireless card mentioned in nomads.

# This card has the same PCMCIA and OEM id as ELSA XI300 wireless card, which
# appears to be listed elsewhere in this file.

Submitted by: Abe Toshiaki-san <ans@sun-tec.co.jp>
MFC After: 5 days

Make the rc.conf(5) 'log_in_vain' knob an integer.

Try this out in -CURRENT, MFC, and then consider dropping the
'log_in_vain' knob all together. It really is something for
sysctl.conf(5).

PR: bin/32953
Reviewed by: -bugs discussion
MFC after: 1 week

Add flags 0x10000 to IO Data WN-B11/PCM's entry. Evidentally, they
changed firmware and the new cards don't work without this.

Submitted by: ume
MFC after: 3 days

Add:
Accton airDirect WN3301
Melco WLI-CF-S11G
GeoWave GW-NS11S

Submitted by: Shigeru Ishida-san on bsd-nomads (16142,16143,16144)

Re-add a call to "camcontrol rescan" after insertion of an aic pccard.
We now do it as a "camcontrol rescan all" which is something ken
promised to implement; for the time being it's not worse than the old
"camcontrol rescan $device" which ended up in something like
"camcontrol rescan aic1". Currently, camcontrol misinterprets the
third non-numeric arg as number 0, and rescans bus 0, which is about
the best we could get at this time.

Approved by: imp
MFC after: 1 week

Correct Corega KK Wireless entry

o Add T-POWER flash
Submitted by: Michael Johansson <micke@nevermind.net>

o Sony PCWA-C100 WaveLAN card
Submitted by: "Jeremiah Gowdy" <jgowdy@home.com>

o Corega KK Wireless LAN PCCA-11 (version b?)
Submitted by: Masahide *MAC* Noda <mac@clave.gr.jp>

Add a commented-out alternative for the ether line of a DIGITIAL
DEPCM-BA card, as found on my rev. C01 card.

MFC after: 1 week

Don't require operators to override the list of network filesystem
types (networkfs_types) with a version that includes the original
list.

This increases the scope for user error and also means that systems with
networkfs_types set in /etc/rc.conf will not benefit from changes to the
list in /etc/defaults/rc.conf on upgrade.

Instead, store the default list in /etc/rc itself and allow the operator
to append to that list by specifying her own list in networkfs_types.

Rename networkfs_types to extra_netfs_types accordingly, as the new name
better describes the purpose of the variable. Default the value to
'NO'.

"10/100Base FastEthernet PC CARD" (LNA-100) from Billionton Systems Inc.

Submitted by: "Torfinn Ingolfsen" <torfinn.ingolfsen@oslo.online.no>

Novac DVD/CD Station(Portable DVD/CD-ROM player

Submitted by: moment@pluto.dti.ne.jp

Xircom RealPort RE-10

Submitted by: Willem van Engen <wvengen@stack.nl>

Add Proxim Harmony card (from Bob)
Also fix a minor disordering of a wi card while I'm here.

Submitted by: bob bobing <this_is_my_act@yahoo.com>

Re-introduce the fix that delays mounting of network filesystems until
the network is initialized. This was first implemented in rev 1.268
of src/etc/rc, but was backed out at wollman's request.

The objection was that the right place for the fix is in mount(8).
Having looked at that problem, I find it hard to believe that
the hoops one would have to jump through can be justified by the
desire for purity alone.

Note that there are reported issues surrounding nfsclient kernel
support and mount_nfs(8), which currently make NFS an ugly exception
to the general case.

With this change, systems with non-NFS network filesystems configured
for mounting on startup in /etc/fstab are no longer guaranteed to
fail on startup.

Longshire LCS-8634TB

Submitted by: "Frank W. Josellis" <josellis@dynamics.claranet.de>

Some new cards:
o uncommnent joy stuff (me)
o Add BONDWELL B236 joystick card (me)
o Add Buffalo WLI-CF-S11G wi card (me)
o CNF CD-m (submitted by gda)

Submitted by: Dmitry A Goncharov <gda@sani.ru>

Long ago, there was just /etc/daily. Then /etc/security was split out
of /etc/daily. Some time later, /etc/daily became a set of periodic(8)
scripts. Now, this evolution continues, and /etc/security has been
broken into periodic(8) scripts to make local customization easier and
more maintainable.

Reviewed by: ru
Approved by: ru

Add a commented-out defaultrouter entry for 6to4 users. See RFC-3068

Whitespace police.

Submitted by: cjc, ru

second part of the patches to complete ipf changes to rc

PR: multiple
Submitted by: Arjan de Vet <devet@devet.org>

Add Toshiba wireless LAN card

Submitted by: "Mark Sergeant" <msergeant@snsonline.net>

Avaya Wireless PCCARD

Submitted by: Ants Aader <ants@kernel.ee>

Add Xircom wireless card from pir@pir.net

GVC 10Mbps Ethernet Card

PR: 30329
Submitted by: David Xu <davidx@viasoft.com.cn>

Add Compaq WL110 PC Card to the list.

PR: 31023
Submitted by: wilko

Finish the removal of uucp scripts.

Forgotten by: kris

Put in place for using ipfs use on shutdown and startup.

PR: 27070

Update to note that rpc.statd and rpc.lockd are now needed for
client side NFS mounts.

Stumbled upon by: rwatson

Remove references to nfsiod and nfs_client_flags now that they are
obsolete.

Submitted by: Gordon Tetlow <gordont@gnf.org>

Add a dumpdir variable that determines where savecore stores crash dumps.
I've had this on my development box for ages...

Quote the value of pccard_ether_delay, the only unquoted value in the
entire file.

We don't ship pim6dd/pim6sd any more.

MFC after: 1 week

Add an apparently working entry for the BayStack 660, 2mbps direct
sequence wireless card.

Approved by: imp (in principle)

Add a new rc.conf variable, cloned_interfaces, to create cloned
interfaces at boot.

Due to a bug in the ed driver, which leads to hangs when using it with
dhclient and pccard_ether, introduce the concept of a "settle time" to
pccard_ether with the new pccard_ether_delay variable. Defaults to 5
seconds, which is enough time for the ed driver to finish its
autoconfiguration for newer Linksys based cards. This also can
eliminate the ed0: timeout messages that happen at startup as well.

MFC: after RE says OK.

Typo s/AirLAncer/AirLancer/g

clarify PCMLM56 status

The EXCard-10-PCMCIA entry was slightly bogus.

Add cs driver for IBM EtherJet card. Doesn't completely work yet, but
it won't work without it.

2Mbps card from Teletronics. Looks like a generic OEM card for the
awi driver, but the MAC address isn't recognized, so maybe this is
wrong.

ELSA Air Lancer wireless card. Appears to be a Lucent OEM.

Submitted by: Eric Masson <e-masson@kisoft-services.com>

Mihira-san says that this works for him. Linksys EtherFast 10/100 +
56k modem with the fat connector.

Submitted by: sanpei@sanpei.org (MIHIRA yoshiro)
Ignored since Jan 2001 by: imp

Addtron AWP-100 wireless card.

Submitted by: Alfred Perlstein <bright@mu.org>

EZCard, not EXCard

Speculatively commit fix for Surecom EP-427TX PCMCIA adapter. This
appears to be another OEM version of the Netgear FA411. This is a
guess, since the original didn't include the flags, but this is too
similar to my netgear card...

Submitted by: neal@nelsonnet.org

SMC EZ Card 10 PCMCIA

Submitted by: Goncharov D <gda@sani.ru>

Add NE-2000 compatible card sold by addron.

Submitted by: johs@copyleft.no

Add NetGEAR FA411 card. This appears to be based on the AX88190 chipset
and works with those flags.

o Add sample syslogd_flags for "-ss" which causes syslogd not to bind
an inet socket.

Move /etc/defaults/make.conf to /usr/share/examples/etc/make.conf as
discussed on the arch@ mailinglist (after repo-copy).

sys.mk will .error if it finds /etc/defaults/make.conf but include
it anyways (this is the same behaviour as with the make.conf.local
removal).

/usr/share/examples/etc/make.conf has BDEFLAGS commented out now,
since it's only an example file.

Adjust all textes that talk about make.conf or defaults/make.conf to
match the new situation.

RIP all ports options, as discussed on arch@.

Remove more vestages of diskcheckd, which is now in ports/sysutils.

Invoke named with privilege of bind:bind.
Change pidfile location to /var/run/named/pid.

Add the `WANT_FORCE_OPTIMIZATION_DOWNGRADE' knob. If set to an integer
value, it forces GCC to not optimize above this level. For intance, GCC
made with "WANT_FORCE_OPTIMIZATION_DOWNGRADE=1" is a good setting for the
Alpha platform when building ports.

Remove the WANT_INSECURE_OPIE option - it is now a default. This is not
nearly as ominous as it sounds, and it allows OPIE to be used over SSH
and on xterms.

Requested by: ache
Discussed on: -security

Chagne MASTER_SITE_FREEBSD to MASTER_SITE_FREEBSD_ORG, because
MASTER_SITE_FREEBSD is already used in bsd.port.mk for some different
purpose.

Fix MASTER_SITE_RUBY. The listed master site is obsolete.

Add MASTER_SITE_FREEBSD.

Upgraded launchpad for kerberos. Noe kerberos IV OR kerberos 5
may be started at boot for kerberos servers.

Take -Wconversion out of BDECFLAGS. It is not particularly useful for
us anyway because it doesn't work right on the x86 and alpha. On
K&R code, small ints would be promoted to int. ANSI-C doesn't require
this and the small ints can be passed taking 8 or 16 bits of stack
space. However, the x86 abi that we use *does* promote to 32 bit,
and the alpha ABI passes them in 64 bit registers so we dont have
that aspect of the problem here. Losing float precision by having it
cast down to int because the funtion prototype specifies int is the
least of our problems. -Wmissing-prototypes helps here anyway.

Remove $daily_status_named_logs and figure out which /var/log/messages*
files to look an (in the same way that /etc/security does).

Don't single-quote $start, reducing it to an empty string.

MFC after: 3 days

change the default for isdn_fsdev to NO. specifying a device here
results in a potential conflict with a getty running on that device.
PR: 26818
Submitted by: Clement Ballabriga <clement@asso.ups-tlse.fr>

New make knob, SENDMAIL_M4_FLAGS, modifies the flags passed to m4 when
building a .cf file from a .mc file.

Include -D_FFR_TLS_O_T to enable tls policy control since the sendmail binary
build enables that FFR as well.

PR: conf/28361
MFC after: 1 week

Add entry for SMC 2632W card.

Submitted by: lots of people, most recently by Mike Buchanon

Also, Tried to clean up the comments about IRQs to match the new world
order.

The MA401 is a Prism II

Approved by: imp

Add a script_name_sep rc.conf knob to specify the IFS character
for separating the startup scripts' list into individual filenames.

Run the shutdown scripts in reverse alphabetical order, so dependent
services are stopped before the services they depend upon.

Reviewed by: -arch, -audit
MFC after: 3 weeks

Provide a hint for the OPIE 'insecure' mode.

The Netgear card works for me under 'wi'.

Change default of ipv6_default_interface to NO. This is meaningless
in most cases and rather harmful.

Reported by: Kevin Oberman <oberman@es.net>
MFC after: 1 week

Introduce syslogd_program and inetd_program variables in case somebody
wants to replace one of those programs.

PR: 13609
Submitted by: Goran Lowkrantz <goran.lowkrantz@infologigruppen.se>

Typo fix (modifes -> modifies)

stpo --> stop (typo).

Use tabs where tabs are supposed to go!

Add dell wireless card

Submitted by: keichi

Add support for linksys instant wireless.

Approved by: imp

Add support for the Cisco Aironet 350 Series of adaptors. Also, make
a minor ocrrection to the Aironet 340 Series comment.

Approved by: imp (in principle)

Add BreezeNET PC-DS.11. It is yet another wireless card.

Submitted by: Danny Braniss <danny@cs.huji.ac.il>

Change default value of rtadvd_enable to NO to be compatible with
the following description in RFC2461:

AdvSendAdvertisements
A flag indicating whether or not the router sends
periodic Router Advertisements and responds to
Router Solicitations.

Default: FALSE

Note that AdvSendAdvertisements MUST be FALSE by
default so that a node will not accidentally start
acting as a router unless it is explicitly
configured by system management to send Router
Advertisements.

Submitted by: JINMEI Tatuya <jinmei@isl.rdc.toshiba.co.jp>
MFC after: 1 week

Add configuration for a FAITH IPv6-to-IPv4 TCP translator.
To use a FAITH actually, you also need faithd(8) setup.
Please consult faithd(8) manpage.

Add IBM "High Rate Wireless LAN PC Card", a rebadged Lucent WaveLAN/IEEE.

MFC after: 2 weeks

Explicitly set arpproxy_all and start_vinum to "NO" for consistency.

PR: 28185
Submitted by: Gordon Tetlow <gordont@bluemtn.net>

Include a mention of WRKDIRPREFIX, useful when mounting /usr/ports readonly
from another host.

prefixcmd_enable was obsoleted by syncing recent KAME. New prefix(8)
is just a shell script for backward compatibility. Now, we always use
ifconfig(8) instead of prefix(8).

MFC after: 3 weeks

ISO_ -> ISO in DOC_LANG

Add diskcheckd to /etc/rc with a knob in rc.conf.

Make the default setting YES for now to get some experience with it.

Note: If people starts seeing disk errors because of this then it
should not be backed.

Move gif_interfaces from an IP6 option to a regular IP option.

PR: 26543
Submitted by: Brooks Davis <brooks@one-eyed-alien.net>
MFC after: 3 weeks

Remove vestiges of MFS.

PERL_THREADED is too experimental at this stage. Remove.

Add Billionton LNT-10TN

Submitted by: Miklos Niedermayer <mico@bsd.hu>
PR: conf/27726

Default daily_accounting_flags to -q. I thought this was a typo in the
originally submitted patch (oops!).

Also check for an empty $daily_accounting_save.

Submitted by: Udo Schweigert <Udo.Schweigert@cert.siemens.de>

Add $daily_accounting_save and $daily_accounting_flags

Submitted by: Udo Schweigert <Udo.Schweigert@cert.siemens.de>
MFC after: 2 weeks

Add Melco's WLI-PCM-L11G.

MFC after: 1 week

List the valid IRQs and the non-sharingness.

Submitted by: gshapiro

The PERL_THREADED knob is causing too many people too many problems.
Add a dire warning about the experimental nature of threaded Perl.

Add support for
card "D" "Link DWL-650 11Mbps WLAN Card"
which is the most amusing CIS mistake I've seen in some time.

# I'm using this card to make this commit!

I didn't fix the comment in rev 1.107.

Turn on TCP_EXTENSIONS (rfc1323) by defualt.

Add NO_I4B to avoid building/installing isdn4bsd package.

Prompted by: Alexandr Listopad <laa@laa.zp.ua>
MFC after: 3 days

Introduce a background_fsck rc.conf option which allows the user to
enable or disable background fsck'ing all in one shot. Default is
currently 'YES'.

Reviewed by: jkh

Add an entry for RAYLINK pccard using the ray driver.

MFC after: 3 days

New option isdn_screenflags to set the syscons screen params for isdnd,
plus documentation.

Submitted by: Alexander Leidinger <Alexander@Leidinger.net>
Not objected to by: hm
MFC after: 1 week

clarify comment about MAKE_KERBEROS5. noticed by Peter Pentchev
<roam@orbitel.bg>

Use foo () instead of foo ( ) for function definition,
so zsh can parse this file as well.

Add an allscreens_kbdflags option. Same thing as allscreens_flags,
but runs kbdcontrol instead of vidcontrol.

Reviewed by: ru

Removed reference to withdrawn secure-supfile.

Document XFREE86_VERSION.

Add isdn_ttype (moved to rc.conf from rc.isdn)
PR: conf/24865
Submitted by: schweikh
Reviewed by: hm

Add missed and update existing MASTER_SITE_*.

Check for denied zone transfers (AXFR and IXFR).

Fix typo in mouse_char range

Add mousechar_start hook

Reviewed by: Nick Hibma <n_hibma@qubesoft.com>