Copy stable/9 to releng/9.3 as part of the 9.3-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

MFC r230099:

Change rcvar= assignments to the literal values set_rcvar
would have returned. This will slightly reduce boot time,
and help in diff reduction to HEAD.

Copy head to stable/9 as part of 9.0-RELEASE release cycle.

Approved by: re (implicit)

Remove redundant keywords.

Submitted by: wxs

Add pf in quiet mode

In regards to the "Starting foo:" type messages at boot time, create and
employ a more generic solution, and use it in the individual rc.d scripts
that also have an $rc_quiet test:

1. Add check_startmsgs() to rc.subr.
2. In the rc.d scripts that use rc_quiet (and rc.subr) substitute
variations of [ -z "$rc_quiet" ] with check_startmsgs
3. In savecore add a trailing '.' to the end of the message to make it
more consistent with other scripts.
4. In newsyslog remove a : before the terminal '.' since we do not expect
there to be anything printed out in between to make it more consistent.
5. In the following scripts change "quotes" to 'quotes' where no variables
exist in the message: savecore pf newsyslog
6. In the following scripts substitute if/then/fi for the simpler (and
more consistent) check_startmsgs &&: faith stf
7. In the following scripts separate the "Starting foo:" from the terminal
'.' to make them more consistent: moused hostname pf
8. In nfsclient move the message to its own line to avoid a style bug
9. In pf rc_quiet does not apply to the _stop method, so remove the
test there.
10. In motd add 'quotes' around the terminal '.' for consistency

Reverse the effect of r193198 for pf and ipfw which will once again
allow them to start after netif. There were too many problems reported
with this change in the short period of time that it lived in HEAD, and
we are too late in the release cycle to properly shake it out.

IMO the issue of having the firewalls up before the network is still a
valid concern, particularly for pf whose default state is wide open.
However properly solving this issue is going to take some investment
on the part of the people who actually use those tools.

This is not a strict reversion of all the changes for r193198 since it
also included some simplification of the BEFORE/REQUIRE logic which is
still valid for ipfilter and ip6fw.

Make the pf and ipfw firewalls start before netif, just like ipfilter
already does. This eliminates a logical inconsistency, and a small
window where the system is open after the network comes up.

As previously discussed, add the svn:executable property to all scripts

The pfctl(8) program is already pretty verbose, so don't print extra
information in quiet mode.

FILESYSTEMS requires root, so requiring both of them is redundant.

Add a dummy script, FILESYSTEMS, which depends on root and mountcritlocal
and takes over mountcritlocal's role as the early / late divider. This
makes it far easier to add rc scripts which need to run early, such as a
startup script for zfs, which is right around the corner.

This change should be a no-op; I have verified that the only change in
rcorder's output is the insertion of FILESYSTEMS immediately after
mountcritlocal.

MFC after: 3 weeks

Use $required_modules wherever suitable. Use load_kld() in special
cases. So we get rid of quite a few lines of duplicated code.

Use an option form better matching the manual.

Backout r1.11...

> > There is no need to explicitly add "status" to $extra_commands in
> > the /etc/rc.d/pf script as it is implicitly added by /etc/rc.subr's
> > run_rc_command() because of the existing $pf_program.
> >
> > Submitted by: Christoph Schug <chris@schug.net>

...because as yar@ points out: "[...] you were relying on evil
side-effects of the variable being named *_program. hose side-effect
have been eliminated since rc.subr rev. 1.42. [...] The point is that
the default "status" method is for rc.d scripts that handle startup and
shutdown of conventional daemons, and not for custom tasks like the pf
case."

The change is still valid in RELENG_6 (and still doesn't have to be
backed out) as long as rc.subr:r1.42 is not MFC'ed to RELENG_6, too.

There is no need to explicitly add "status" to $extra_commands in
the /etc/rc.d/pf script as it is implicitly added by /etc/rc.subr's
run_rc_command() because of the existing $pf_program.

Submitted by: Christoph Schug <chris@schug.net>
MFC after: 1 week

Use available rc.subr features.
Reduce code duplication.
Follow the current style of rc.d scripting.

Record dependency on the newly introduced pfsync.

Start before routing for better system protection.
(pf used to start late during system boot, after
many a network daemon have started already, which
sucked from security POV.)

Remark: For maximum security, pf should start before
netif, but it would create a dependency loop because
pfsync has to start after netif, yet before pf.

Discussed with: mlaier on -pf
MFC after: 5 days

Simplify the code by making use of 'kldstat -q -m <mod>'.

No objections from: mlaier

When reloading rules via rc.d/pf, flush everything but existing state
entries that way when rules are read in, it doesn't break established
connections.

Approved by: mlaier
Reviewed by: rc
MFC after: 3 weeks

- Add 'check' command for checking rules syntax.
- Before flushing rules in 'reload' command, check first if rules are
correct.
- Do not duplicate checking if $pf_rules file exists.

Remove the requirement for the FreeBSD keyword as it no longer
makes any sense.

Discussed with: dougb, brooks
MFC after: 3 days

We don't have any providers of `beforenetlkm' in FreeBSD. Remove the
dependency to it from our rc.d scripts.

Approved by: mtm

Swap order of ruleset load and enabling pf to work around a problem on altq
startup. Moreover, this is the "more logic" order.

Add rc.d script to start pflogd and add rcvars etc. Also document vars in
rc.conf(5) and put a sample entry to newsyslog.conf

Reviewed by: -current
Approved by: bms(mentor)

Add rc.d script for pf(4) (more to come once pflogd(8) works as well).
Update defaults and write some lines for rc.conf(5) also.
Mostly dup'ed from ipf

Reviewed by: -current
Approved by: bms(mentor)