general openssl cnf files install the ikeca.cnf file.
ok sthen@ requested by reyk@

creating the directory /usr/share/nls.  Having a non-existing default
path in catopen(3) does not make sense, so remove it.  If the user
does not specify a NLS path, better fail early than fail because
of an empty directory.  Remove path form hier(7).
OK stsp@ schwarze@ jmc@

General changes:
- apply a similar 'style' as used in the installer scripts
- improve comments to be more to the point, remove where code is obvious
- document usage of functions if they have arguments
- rename variables where it improves readability
- replace really old-school shell code with more contemporary idioms
Other changes:
- No need to care about "autoboot" because netstart doesn't inherit the
positional parameters from /etc/rc anymore. /etc/rc executes netstart
instead of sourcing it since r1.439.
- Use simpler for-loop to process list of interfaces with ifstart.
OK halex@

OK krw@

stripcom() output directly with the hostname command.
OK deraadt@ krw@

and pwd_gensalt.c - so remove it from the default /etc/login.conf files as well.
ok millert@

OK dlg@ mpi@

ok renato@

OpenSSH requires a 2048 minimum for DH in the client and server.
input and ok sthen@
ok dtucker@, djm@

Move the one useful bit of information contained in the file ("one
user name per line") to the ftpd(8) manual page where it belongs.
OK deraadt@ sthen@

OK krw@ halex@

ok aja

ok schwarze@

The file format is so simple that no example is needed.
All relevant documentation is already available
from the proper place, which is the lpd(8) manual.
Consequently, delete the empty file.
OK millert@ dcoppa@ beck@ deraadt@

ok gilles@

ok deraadt@

- verify that kbd is executable and kbdtype is not empty
- use safer 'print --' to pipe the initial pf ruleset to pfctl
- simplify the ipsecctl if-block
Feedback and OK halex@
OK krw@

ok florian@ rpe@

necessary
ok deraadt@ jsing@

feedback/ok rpe

- run domainname only with a non-empty /etc/defaultdomain file
- Make single-user if-block more intuitive, which also matches
better what the comment actually says
OK halex@, krw@ on a similar diff

The creation of Unix sockets directories in /tmp for X happens right
after pruning /tmp. So the whole dance of checking for their
existence, ownership or permissions is not necessary. It's safe to
just create them with the right permissions if X is installed.
Changes to do_fsck():
Remove the _flags variable and pass flags to fsck directly with "$@".
Feedback and OK halex@
OK krw@ on a similar diff

at a time, so a second instance of the daemon is required.
OK mikeb stsp ajacoutot

**smaller than /24 allocations**.  Our default ruleset will not allow
those, even though they will be for various pieces of critical dual-stack
infrastructure to help IPv6-only systems survive.
This adds a default rule to allow those blocks.  With it, I see the
RIPE announced test blocks on our AMS-IX peers.
ARIN announced this block and policy at, enjoy
https://www.arin.net/announcements/2014/20140130.html
OK benno@, claudio@, sthen@, florian@

hostname.if, previously netstart tried to configure them all at once
("ifconfig if0 if1 if2 inet6 autoconf").  From Delan Azabani, ok phessler@

- use more descriptive variable name
Changes for make_keys():
- use variables for file paths
- key -> keys in message
- take into account the return codes of isakmpd private *and* public
key generation
OK krw@ halex@

requested by several
discussed with deraadt@

- initialize _ban variable
- style
OK halex@

In wsconsctl.conf configuration variables can contain doublequotes
which are removed by the shell if wsconsctl is used interactively.
In scripts, without using eval, these doublequotes are preserved
and the wsconsctl command complains about "illegal character in
input".
Found by and OK jmc@
With feedback from and OK krw@, halex@