ok beck

tested by many (thanks!) ok tedu, guenther@

ok krw@ millert@

ok jca@ krw@

as readlink() will tell you that more cheaply.
ok millert@

ok deraadt@

ok deraadt@

ok deraadt@

ok deraadt@

functions out the way of the main body;
ok guenther

Merge the manual pages and call them deprecated there.
ok and manpage tweak jmc@, ok natano@

remove some references to differences between versions 6 and 7.
ok jmc, millert, tedu

workarounds.  Some of them will soon stand in the way of armv7.
Off to the attic you go.

ok jung@ (some time ago) phessler@

ok deraadt@

pseudo-interfaces.
This unbreak vlan(4) on top of tap(4) since the refactoring to turn it
MP-safe.
ok claudio@, deraadt@

changes - map the previous configuration to the equivalent in the new
groups. This will be revisited post release.
Discussed with beck@

Found by Frank Scheiner, thanks for reporting this.
OK krw, halex
'cool' deraadt

with a little help from jmc@ for the man page bits
ok jca@  and a reluctant tedu@

ok kettenis@ deraadt@ jasper@

In the event of a failure in _rs_allocate for rsx, we still have a reference to
freed memory for rs on return. Not a huge deal since we subsequently abort in
_rs_init, but it looks strange on its own.
ok deraadt@

For Windows, we are simply using calloc, which has two annoyances:
the memory has more permissions than needed by default, and it comes
from the process heap, which looks like a memory leak since this memory
is rightfully never freed.
This switches _rs_alloc on Windows to use VirtualAlloc, which restricts the
memory to READ|WRITE and keeps the memory out of the process heap.
ok deraadt@

chunk rnd), rm P: is default

double unmap and I experienced a much more unstable firefox.
discussed with otto on icb

expensive syscall, and we don't want to tie up other threads. there's no
need to hold the lock, so defer it to afterwards.
from Michael McConville
ok deraadt

for login.conf, and we don't want to go lower.

already does this, so we don't want to go backwards on password changes.
ok krw

for example, were removed in 2013 because they don't make sense in ldpd.
ok deraadt

filters (AS, peer-as, source-as, transit-as).
Add a use case (block illegal AS numbers) to the bgpd.conf example.
feedback from claudio, sthen, florian,
ok florian@ phessler@

Point at wikipedia's list of blacklists instead, some are DNS-only but there
are a few rsyncable ones in there (including a good commercial one and some
free ones).

frequently for my taste, and disk is cheap.
ok deraadt millert

became more visible recently because a log_debug was changed to
log_warnx.  Change it back for now.
ok jsing