tweakable: there's no real point and these files support the 'include' option so
one can always get its config from whatever path... especially useful when
testing a new ruleset.
man page inputs from schwarze@
ok halex@ schwarze@ rpe@ deraadt@
did). This allows any local changes to /etc/services to be effective
if all you have is the default.
Issue pointed out by Brian S. Vangsgaard on bugs@. Thanks!
ok phessler@ deraadt@
often space-constrained /var filesystem was a historical mistake. There
are big implications for the daemons which assume they won't run out of
space, and this is a first step towards trying to improve the situation.
Move /tmp to the same 7-day expiration rules that /var/tmp had.
vi.recover works just as well as before, except on memory filesystems;
indicating that vi should be repaired to write files into homedirs or
something.
done with rpe
ok many
writeable during shutdown. This prevents ugly error messages when
the machine is rebooted from single-user without mounting the file
systems read-write.
suggested by deraadt@
are created in /etc, they are executed (they used to be sourced) to
avoid polluting the rc variable space. The powerdown= and securelevel=
features are removed; they are likely only used by 2 people. The
securelevel is now always raised; this is the only sensible default.
ok ajacoutot
flag for fsck and mount to check and mount the iscsi file systems (marked
with option net) right after the mount -a.
"Get it in" deraadt@
rpe@ is OK with this going in but it may need further changes
script.
From now on rc.conf has a fixed syntax (key=val) and it is not allowed
to add anything to it besides the supported syntax, it is all going to be
ignored.
discussed with and help from deraadt@ and halex@
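One way to enforce a fixed key=val syntax like the one described above, as an added example that is not OpenBSD's own /etc/rc or rc.subr code and assumes nothing about how the real rc.conf parser is written: only lines whose left-hand side is a plain identifier followed by "=" are kept, and everything else (comments, blank lines, shell constructs, commands) is silently dropped. The rc.conf sample embedded in the block is constructed for the example.

```shell
#!/bin/sh
# Added illustration, not code from OpenBSD's /etc/rc or rc.subr: read an
# rc.conf-style file on stdin and keep only lines of the fixed key=val form.
# Comments, blank lines, shell constructs ("if ...", "case ...") and commands
# are dropped, matching the "anything besides the supported syntax is ignored"
# rule. The sample input below is constructed for this example.

rcconf_filter() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
        *=*)
            key=${line%%=*}
            case "$key" in
            [A-Za-z_]*)
                case "$key" in
                *[!A-Za-z0-9_]*) ;;      # "foo bar=1", "$x=1": not an identifier
                *) printf '%s\n' "$line" ;;
                esac ;;
            esac ;;
        *) ;;   # no "=" at all: comment, blank line, command or shell syntax
        esac
    done
}

# Constructed sample: three valid assignments, a comment, a shell construct and
# a stray command, of which only the assignments should survive.
rcconf_sample() {
    printf '%s\n' \
        '# constructed sample rc.conf' \
        'pf=YES' \
        'sshd_flags=' \
        'if [ -x /usr/local/bin/foo ]; then foo_flags=-v; fi' \
        'echo hello=world' \
        'ntpd_flags="-s"'
}

# Number of lines kept from the constructed sample (expected: 3).
rcconf_kept_count() {
    rcconf_sample | rcconf_filter | wc -l | tr -d ' '
}
```

The filter deliberately does not try to evaluate anything it reads, which is the point of a fixed syntax: a line that is not key=val cannot run code or shadow variables, it simply disappears. A real consumer would additionally validate the value side (quoting, trailing comments) before assigning it.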
carp, rpc or nfs traffic in the initial ruleset active during network
startup for a short time (or a much longer time if /etc/pf.conf is
screwed up). ok phessler
to refrain from trying to execute /etc/rc.d/ in that case.
Problem noticed by jasper@.
Opinions on this patch vary: "much nicer, ok" sthen@
"good god, what horrible shell voodoo, ok" ajacoutot@
Our dhclient only uses the bpf tap for broadcast packets (which bypass
pf) but lease renewals will use a regular socket and are blocked without
this change. Rules are written so that accidental forwarding of packets
is not possible.
Diff from brad@, OK henning@, benno@, mikeb@