rc.conf(5): dhcpcd has not started wpa_supplicant in ages

branches: 1.193.2;
rc.conf(5): Set entropy=wait by default.

We no longer block indefinitely -- if nothing else, the hardclock
timer should yield enough samples to unblock /dev/random on all but
the most severely deterministic machines -- so it should be generally
safe for availability to set entropy=wait.

This doesn't guarantee that HWRNG/seed has been provided before you
run ssh-keygen or call getentropy(3) in a user application, but it
does raise the security above netbsd<=9.

PR security/55659
PR lib/56905

XXX pullup-10

branches: 1.192.2;
Document critical_filesystems_zfs.

Document zfs variable.

Tweak wording for consistency: `if empty or not set', not `if unset'.

Clarify that `entropy' may be left unset in rc.conf.

Various entropy integration improvements.

- New /etc/security check for entropy in daily security report.

- New /etc/rc.d/entropy script runs (after random_seed and rndctl) to
check for entropy at boot -- in rc.conf, you can:

. set `entropy=check' to halt multiuser boot and enter single-user
mode if not enough entropy

. set `entropy=wait' to make multiuser boot wait until enough entropy

Default is to always boot without waiting -- and rely on other
channels like security report to alert the operator if there's a
problem.

- New man page entropy(7) discussing the higher-level concepts and
system integration with cross-references.

- New paragraph in afterboot(8) about entropy citing entropy(7) for
more details.

This change addresses many of the issues discussed in security/55659.
This is a first draft; happy to take improvements to the man pages and
scripted messages to improve clarity.

I considered changing motd to include an entropy warning with a
reference to the entropy(7) man page, but it's a little trickier:
- Not sure it's appropriate for all users to see at login rather than
users who have power to affect the entropy estimate (maybe it is,
just haven't decided).
- We only have a mechanism for changing once at boot; the message would
remain until next boot even if an operator adds enough entropy.
- The mechanism isn't really conducive to making a message appear
conditionally from boot to boot.

New sentence, new line.

Document update_motd_release and motd_release_tag

Document unbound and unbound_chrootdir.

's/blacklistd/blocklistd/'. Note also blocklistd_flags.

Note modules.

As bin/55344 was fixed, note the flags also in rc.conf(5).

branches: 1.181.2;
Fix typo in comment (s/seperate/separate/).

Add smtoff, an rc.d script that disables Simultaneous Multi-Threading. It
parses the output of cpuctl, and executes "cpuctl offline" for each CPU
that has SmtID!=0.

The default is "smtoff=NO", which means that SMT remains enabled.

Remove trailing whitespace. Fix a macro.

Apply patch from Ian D. Leroux in PR bin/51019:
when unmounting tmpfs file systems at shutdown time, avoid unmounting
a tmpfs created by init on /dev - behaviour overridable from rc.conf.
By default all tmpfs that have device nodes are not mounted.

Use more .Ql (quoted literal) for variable values.
Misc markup fixes.

Use more markup.

Discussed some years ago but never commited: add an option to have a
single tmpfs (on /tmp) and use that for /var/shm as well (via a symlink
created after the tmpfs on /tmp has been mounted)

Remove ISDN from the kernel. It has remained unmaintained for a long time,
is of poor quality, and is now an obstacle to MP-ification. It was removed
ten years ago from FreeBSD for the same reason.

This retires a big user of the mbuf API, and will ease maintenance of the
kernel.

Remove the userland part of ISDN. The kernel part is untouched for now.
ipppctl was actually an exact copy of pppoectl; there is no functional
change in pppoectl in this commit.

Allow rc.conf to setup resolv.conf via resolvconf(8).
This allows all static network config to be in rc.conf rather than
spread across files.

Remove dhclient references.

branches: 1.170.2;
Describe something for npf, npfd, blacklistd.

Remove documentation references to rtsol.

branches: 1.168.2;
Stop using Tn.

Merge autofs support from: Tomohiro Kusumi
XXX: Does not work yet

branches: 1.166.6;
Change one more "generic DHCP client" reference to say dhcpcd rather
than dhclient

branches: 1.165.2;
Fix typo. Remove trailing whitespace.

describe the ip6addrctl variables.

Bump date for previous.

attaching controllers to serial ports is configured using btattach.conf
and not btdevctl.conf, so say that

Spelling.

Note that dhcpcd will ignore the wpa_supplicant variable in rc.conf

Bump date for previous.
it's -> its

Add resize_root boot operation. If resize_root=YES in rc.conf then
the system attempts to resize the root file system to fill it's
partition prior to mounting read-write. Useful for things like AMI
file system images. May eventually be used by arm images after
coming up with similar solution for increasing the parition size.

branches: 1.157.4;
Document random_seed and random_file.

New sentence, new line.

Add ppp=YES variable. Currently pppd(8) starts automatically if ppp_peers
is not empty. Adding a ppp variable allows the default peer to be set,
and ppp set to NO so that dialing can happen with /etc/rc.d/ppp onestart.
Default set to YES so that old behaviour is preserved.
http://mail-index.netbsd.org/tech-userlevel/2012/08/21/msg006656.html

Discourage the use of ifconfig_bge0=dhcp and prefer setting dhcpcd=YES
in rc.conf(5) instead.

branches: 1.153.2;
* add entry for lvm(8)
* add subsection for block device subsystem setup
* s/OPTIONAL:/"OPTIONAL:" to make mdoclint happier
* add missing type specifications of variables

Switch device database to cdb(5). Rework ttyname(3) and ttyname_r(3) to
depend on new devname_r(3) as heart. Add /dev/pts magic directly to
devname(3). While it can lead to returning non-existing paths, the
behavior is more consistent that way. Drop caching layer in devname(3),
it doesn't buy anything for the common case of having access to the
database. Teach devname(3) proper fallback behavior of scanning /dev.
Create both old-style and new-style database for now in /etc/rc.d/sysdb.

branches: 1.151.2;
Sentences should verbs. From Snader_LB

branches: 1.150.4;
Remove the previous, as it was already there. Instead, split one long
paragraph and fix a typo.

Note bluetooth.

Bump date for previous.

provide a new 'bluetooth' rc.d script, to handle Bluetooth configuration
in a simpler manner. This replaces btattach, btconfig, bthcid, btdevctl
and sdpd scripts, and also should not require any configuration settings
other than "bluetooth=YES", though the full range of configurations is
still possible.

Fix xref; security(8) -> security(7).

bah! it's 2011 already?

mention mdnsd(8), and fix a typo while here

Fix xref.

Mention security(8) in rc.conf(5) and symlink(7) in security(8).

New sentence, new line.

Bump date for the previous commit.

Document some missing options. Fixes my own PR # 41913.

For the rpc* references use the full rpc.* names.
These match what is really installed.
I know the man links are there too. But this helps in the
case where someone has printed man pages but only has one
man page printed per inode -- so best to refer to the known Dt name.

Document the fact that wpa_supplicant won't start properly unless
/usr is mounted by mountcritlocal.

Punctuation nits.

Add the ability for file systems mounted via mount_critical_filesystems()
in rc.subr to be marked as optional. This means that it's not an
error if the file system is not mentioned in /etc/fstab. It is
still an error if something else goes wrong.

Change the defaults for these two variables in /etc/defaults/rc.conf:
critical_filesystems_local="OPTIONAL:/var"
critical_filesystems_remote="OPTIONAL:/usr"

Bump date for previous.

Add a postprocessor to /etc/rc, which logs messages to /var/run/rc.log,
and which can suppress output in silent mode. Silent mode is enabled
via the new rc_silent variable, which defaults to a value that depends
on the kern.boothowto sysctl.

Part of the /etc/rc silent changes requested in PR 41946
and proposed in tech-userlevel.

* Boolean values may be specified with any of YES/TRUE/ON/1 or
NO/FALSE/OFF/0, so explain that.
* Change all "Foo: YES or NO. If not set to YES then ..." to
"Foo: Boolean value. If false then ...".
* Some rewording for clarity.

Bump date for previous.

Document recent gpio(4) changes and introduce a new config file for GPIO.
Integrate with the startup scripts in /etc/rc.d. Introduce new variable
"gpio" for /etc/rc.conf.

Add rc_directories to specify where to look for rc scripts.
For the moment all scripts must be in /root and non-existent directories
are skipped.

Document ipfilter_flags.

branches: 1.127.2;
* Add etc/rc.d/rndctl script, based on work by Brian A. Seklecki. This
allows you to invoke rndctl(8) during the boot.
* Add rndctl=NO and rndctl_flags="" to /etc/defaults/rc.conf.
* Document rndctl and rndctl_flags variables in rc.conf(5).

Drop trailing whitespace. Bump date for poffd.

x68k pow(4) now uses MI sysmon_pswitch framework. suggested by tsutsui@.
- Make MD poffd(8) retire, and use MI powerd(8) instead of it.
- Make /dev/pow1 retire, because nobody holds /dev/pow0 any longer.
Use /dev/pow0 for pow(4) ioctl.
- POWIOCSSIGNAL ioctl which is for poffd(8) is also obsoleted.

Bump date for previous, improve wording a bit.

Import rc.d/httpd script for httpd(8) daemon control.
See rc.conf(5) for options explanation.

Remove LKMs and switch to the module framework, pass 1.

Proposed on tech-kern@.

Reference secmodel_securelevel(9) manual page.

branches: 1.120.2;
* Allow multiple commands in $ifconfig_xxN variables in rc.conf(5).
This may be done either by embedding newlines in the value,
or by using semicolons to represent line breaks (but not both at once).
* Allow shell quoting insode $ifconfig_xxN variables or /etc/ifconfig.xxN
files. This allows something like ifconfig_wi0="ssid 'my network'; dhcp"

merge yamt-pf42 branch.
(import newer pf from OpenBSD 4.2)

ok'ed by peter@. requested by core@

Fix xref. End sentence with a dot.

convert the rest of my licenses to 2-clause, extracting myself out
from a group as necessary.

bozohttpd remains, but it will get fixed next time i update it.

Allow per-interface DHCP configuration using dhcpcd via
ifconfig_xxN=dhcp or a dhcp line in /etc/ifconfig.xxN.

branches: 1.115.2; 1.115.4;
some changes to serial bluetooth host controller interfaces

btuartd(8) should be named btattach(8) for consistency
with other parts of NetBSD

make btattach(8) a single-use tool for less complexity

device specicific initialisation (from btuart(4)) is carried
out prior to activating the line discipline (in btattach(8)),
which simplifies the API somewhat and means that the user
tool and the kernel do not need to be kept in sync.

btuart(4) driver is much reduced; naming is made consistent
and all tsleep() and delay() are removed to userland

branches: 1.114.10;
Some Veriexec stuff that's been rotting in my tree for months.

Bug fixes:
- Fix crash reported by Scott Ellis on current-users@.

- Fix race conditions in enforcing the Veriexec rename and remove
policies. These are NOT security issues.

- Fix memory leak in rename handling when overwriting a monitored
file.

- Fix table deletion logic.

- Don't prevent query requests if not in learning mode.


KPI updates:
- fileassoc_table_run() now takes a cookie to pass to the callback.

- veriexec_table_add() was removed, it is now done internally. As a
result, there's no longer a need for VERIEXEC_TABLESIZE.

- veriexec_report() was removed, it is now internal.

- Perform sanity checks on the entry type, and enforce default type
in veriexec_file_add() rather than in veriexecctl.

- Add veriexec_flush(), used to delete all Veriexec tables, and
veriexec_dump(), used to fill an array with all Veriexec entries.


New features:
- Add a '-k' flag to veriexecctl, to keep the filenames in the kernel
database. This allows Veriexec to produce slightly more accurate
logs under certain circumstances. In the future, this can be either
replaced by vnode->pathname translation, or combined with it.

- Add a VERIEXEC_DUMP ioctl, to dump the entire Veriexec database.
This can be used to recover a database if the file was lost.
Example usage:

# veriexecctl dump > /etc/signatures

Note that only entries with the filename kept (that is, were loaded
with the '-k' flag) will be dumped.

Idea from Brett Lymn.

- Add a VERIEXEC_FLUSH ioctl, to delete all Veriexec entries. Sample
usage:

# veriexecctl flush

- Add a 'veriexec_flags' rc(8) variable, and make its default have
the '-k' flag. On systems using the default signatures file
(generaetd from running 'veriexecgen' with no arguments), this will
use additional 32kb of kernel memory on average.

- Add a '-e' flag to veriexecctl, to evaluate the fingerprint during
load. This is done automatically for files marked as 'untrusted'.


Misc. stuff:
- The code for veriexecctl was massively simplified as a result of
eliminating the need for VERIEXEC_TABLESIZE, and now uses a single
pass of the signatures file, making the loading somewhat faster.

- Lots of minor fixes found using the (still under development)
Veriexec regression testsuite.

- Some of the messages Veriexec prints were improved.

- Various documentation fixes.


All relevant man-pages were updated to reflect the above changes.

Binary compatibility with existing veriexecctl binaries is maintained.

For sdpd(8), change default user/group from nobody/nobody to _sdpd/_sdpd

Add support for per-user /tmp.

Enabled via per_user_tmp in /etc/rc.conf (default off).

See security(8) and rc.conf(5) for more details.

Lots of input from thorpej@ & christos@, thanks!

Undo accidental change in 1.109.

Mention wpa_supplicant rc script.
Noted by hubertf@

branches: 1.109.2; 1.109.4;
Bump date for previous.

Instead of pointing to vi man page, refer to new virecover
man page for the virecover details.

update to bluetooth device attachment:

remove pseudo-device btdev(4) and inherent limitations

add bthub(4) which autoconfigures at bluetooth controllers as they
are enabled. bluetooth devices now attach here.

btdevctl(8) and its cache is updated to handle new semantics

etc/rc.d/btdevctl is updated to configure devices from a list
in /etc/bluetooth/btdevctl.conf

sendmail is no more. from our anonymous admirer.

rename btcontrol(8) as btdevctl(8) to make it fit with the NetBSD naming
scheme for control programs. This fixes pr 34051.

branches: 1.104.2;
Bump date for previous. New sentence, new line.

Bluetooth fixes by Iain Hibbert:
Create "/etc/rc.d/btcontrol" to attach bluetooth devices at boot.

Initial import of bluetooth stack on behalf of Iain Hibbert. (plunky@,
NetBSD Foundation Membership still pending.) This stack was written by
Iain under sponsorship from Itronix Inc.

The stack includes support for rfcomm networking (networking via your
bluetooth enabled cell phone), hid devices (keyboards/mice), and headsets.

Drivers for both PCMCIA and USB bluetooth controllers are included.

Remove trailing space.

Add irdaattach and hostapd.

Document the defaultroute6 rc.conf variable and the /etc/mygate6 file in
/etc/defaults/rc.conf, /etc/mtree/special, and rc.conf(5). Ok with wiz.

New sentence, new line.

Drop trailing whitespace.

RFC 3879 deprecated the IPv6 site-local prefix (fec0::/10):
* remove all references to $ip6sitelocal and output a warning
message if the variable is defined.
* introduce $ip6uniquelocal (defaults to 'NO') that will control the
behaviour of the system when $ip6mode is ``router'' (i.e. fc00::/7
will not be routed if the variable is ``NO'') as per RFC 4193.

Thanks to Jonathan A. Kollasch for pointing this out in PR 32152.

Add information about recently added veriexec_strict and veriexec_verbose
rc.conf variables.

Fix typo.

Document permit_nonalpha.
PR/20497.

branches: 1.92.2;
More better description of current state of sendmail stuff in more
places. This is intended to make some people a tad happier.

Bump date for previous; mark up path with Pa.

Change the default settings for sendmail.

(1) The stock sendmail.cf will only listen on the loopback interface.
(2) The stock submit.cf specifally connects to "localhost." which
should be less susceptible to being confused or looking confused.
(3) The smtp listener starts by default, if needed. The setting in
/etc/default/rc.conf is still "no", but rc.d/sendmail detects the
default setting and will change it to yes if need is determined.

Need is defined as "nothing else seems to have been changed about the
mail configuration but we'd like locally originated and locally
destined mail to be delivered". If you change, eg, mailer.conf to
point to postfix or some other MTA, sendmail will not start.

Make the directory into which crash dumps are saved into something
that can be controlled via rc.conf. The default is, of course,
/var/crash.

branches: 1.88.2;
Sort lists of variables alphabetically. Also adjust "see also" entries to
refer to manpages related to the rc.d infrastructure.

Document the veriexec variable.

Refine English. From Luke.

Now /etc/rc.d/virecover can be configurable by rc.conf(5). Reflect
it. Bump date.

Fix typo. Closes PR 23622 by James Whitwell.

Bump date for previous.
Do not turn off hyphenation (no reason).

Added descripton about fsck_flags

Pa Sy -> Sy.

Document mixerctl behaviour during startup better.
Based on PR 21023 by Quentin Garnier.

Bump date.

Documentation for the new sendmail related rc.conf variables, and the
interactions between them.

x68k, not x86k. PR 20650 by Josh Glover.

.Nm does not need a dummy argument ("") before punctuation or
for correct formatting of the SYNOPSIS any longer.

Grammar fix, and drop a trailing space.

Document the force_down_interfaces variable.

New sentence, new line.

Improve ipmon_flags.

From Jason Lingohr <jason at lucid dot net dot au>.

New sentence, new line.

add ipmon_flags. from freebsd.

Mention wsmoused(8) in some places (based on patch from PR 18801 by
Julio Merino).

file systems, not filesystems.

Drop trailing space.

Added touch panel calibration utility.

Append ' - see rc.conf(5)' to unset variable warning:
/etc/rc.d/fu: WARNING: $fu is not set properly - see rc.conf(5).
Add a note to rc.conf that third party packages may test for additional
variables.

Cross reference rc.subr(8) from rc.conf(5).

ntpd_chrootdir needs /dev/clockctl as well

$ntpd_chroot requires "pseudo-device clockctl" in the kernel

branches: 1.61.2;
Add two new rc.conf(5) variables:
rc_rcorder_flags extra flags to rcorder(8) in /etc/rc
rcshutdown_rcorder_flags extra flags to rcorder(8) in /etc/rc.shutdown

This can be used to specify extra directories to search for rc.d scripts in.
For example, adding the following to rc.conf(5):
rc_rcorder_flags="/usr/pkg/etc/rc.d/*"
rcshutdown_rcorder_flags="/usr/pkg/etc/rc.d/*"
will add the files in /usr/pkg/etc/rc.d to the list of files that rcorder(8)
uses to build the list of scripts to start or stop.

I proposed this functionality on tech-userlevel@ over one month ago.
Closes the recent [misc/16888], which asked for a similar feature.

- deprecate ip6forwarding in favour of ip6mode
- various grammar fixes

deprecate $sshd_conf_dir (and hardcode as "/etc/ssh").
$sshd_conf_dir wasn't as flexible as liked (it didn't work for ssh(1),
host keys or known_hosts).

improve /etc/rc.conf.d/* documentation, as per reminder from matt green.

Replace $critical_filesystems_beforenet with $critical_filesystems_local .
Replace $critical_filesystems with $critical_filesystems_remote .

The new names are now consistent with the type argument that
mount_critical_filesystems() is called with, and allows for other types to
be easily supported by that function.

For backwards compatibility purposes, if the now obsolete variable is defined
(even empty), it takes precedence over the new form, and you will be warned.
If you want to stop the warnings, update your rc.conf(5) settings!

swapoff

note that securelevel=0 ends up -> securelevel=1 (part of PR#13647)

the rc_fast_and_loose behaviour is enabled if the variable != "", not
if it == "YES", so fix the documentation...

sshd_conf_dir

ipfs allows state information created for NAT entries and rules using
keep state to be locked (modification prevented) and then saved to disk,
allowing for the system to experience a reboot, followed by the restoration
of that information, resulting in connections not being interrupted.

To activate this feature, set ipfs=YES in /etc/rc.conf

Punctuation nit, file system separation, and slight formatting improvements.

- document rc_fast_and_loose, racoon, ifwatchd, altq, named_chrootdir,
ntpd_chrootdir, ndbootd, isdnd, isdn_autoupdown, poffd, moused
- reorder some entries
- add "passes xxxx_flags" for some entries
- clarify the types of a few variables
- fix typos

Whitespace/punctuation fixes.

Make newsyslog at boot optional, as it should have been.

document $rcshutdown_timeout.
document $mountd. (this one fixes [misc/13135])
remove $amd_master. (this one fixes [misc/11971])

Fix typo and missing word. PR/12744 by Gael Queri.

Remove paragraph about gated(8). Noted by Hubert Feyrer.

dhclient(8), not (1), but postfix(1), not (8).

sshd is part of NetBSD these days.... this should have been updated when
ssh was integrated into netbsd, so as not to confuse people who think they
need to (and do) install some other ssh package on 1.5 or later machines.

extend /etc/ifconfig.xxN, for comment lines (#) and shell script
fragment (!). inspired by openbsd /etc/hostname.xxN.

add $ip6sitelocal, to control installation of reject route for fec0::/10.

use Dq as appropriate

also note /etc/defaults/rc.conf

Clarify kdc section.

kdc superseded kerberos. not sure if the description is 100% right.

document sshd. add note that whilst sshd & gated are not part of the base
system they are available in the optional package collection.

* update to match etc/rc.conf
* clean up formatting

Sync with reality:
- Remove update and defcorename.
- portmap is replaced with rpcbind.
- xntpd is replaced with ntpd.
- Add clear_tmp and postfix.
- Remove description about nfsiod and describe that the number of
asynchronous i/o server is controlled via sysctl.
Cosmetic changes:
- Remove an empty line in the source.
- Break line at the end of statement.

remove ip6defaultif configuration. because:
- ndp is in /usr/sbin, chokes on NFS-mounted /usr installation
- the option is just for IPv6 specification geek, not for normal users

branches: 1.32.2;
add ipsec configuration.

branches: 1.31.2;
add ip6defaultif configuration variable in rc.conf, for configuring
default outgoing interface for IPv6 host when default router list is empty.

the configuration is just for very rare case. it is safe to leave it empty.

recommend ifconfig_ifN over ifaliases_ifN, for non-IPv4 cases as well.
ifaliases_ifN does not cover p2p case.

change IPv6 configuration syntax to avoid ambiguity.
ip6mode=host: IPv6 host
ip6mode=autohost: IPv6 host, with autoconfig
ip6mode=router: IPv6 router

backward compatibility to "ip6forwading" is provided.

recommend use of multi-line /etc/ifconfig.xxN than /etc/ifaliases, or
$ifaliases_xxN in /etc/rc.conf.
(no behavior change in /etc/netstart, comments only)

see recent tech-userlevel for discussions.

- document $accounting, $dmesg (and $dmesg_flags)
- cull copyright.

Document CTL_PROC, the core filename format it core(5), and xref sysctl(8),
sysctl(3), core(5) in various place.
Document 'options DEFCORENAME' inj options(4) and $defcorename in rc.conf(5).

branches: 1.25.2;
document rtsold.
improve rtsol section.

add IPv6 configuration (ip6forwarding, rtsol, route6d and rtadvd).
Right now netsetart does not bother you even if you do not have
"options INET6" in the kernel.

Document new variables required to automate DHCP client startup.

domestic'' is a relative specification

More and more .Os cleanups. .Os is defined in the tmac.doc-common file,
so we shouldn't override it with versions in the manpages. Many more to
come.

use .Ss to separate subsections, add TNF copyright for bits i've added

increase the securelevel (using the same rules as before) much earlier in the
boot process. before cron, sendmail, inetd, etc, are run, but after lkms are
loaded. this avoids the chances of `@reboot', mail .forwards, remote logins,
etc., happening before the securelevel has been raised.

reference nsswitch.conf(5) as necessary
change references from YP to NIS.

fix bad .Xr references

document "screenblank."

document critical_filesystems and no_swap

document ppp_peers

Add options to rc.conf and rc to start xfs (x font server) and xdm.
Add entries to rc.conf.5.
While we're here, note that the domestic kerberos damons are still
Kerberos IV, not kerberos version 5.

branches: 1.12.2;
remove advertising clause from all my licenses.

make some changes, from Enami Tsugutomo in PR misc/4066.
I also made some changes of my own.

Split rc.conf variables for starting programs into two: an on/off
switch and a set of flags. Get rid of DEFAULT flags entirely. Print
warnings if on/off switches are not set, or are set incorrectly.
Add a shell function to simplify this on/off switch testing.

document $hostname, $domainname, $defaultroute and $ifaliases_XXX

update to match reality. changes include:
- add missing update_motd and ntpdate_hosts variables
- fix incorrect variable names (syslogd_flags and kerberos_server)
- xntpd(8) has been integrated
- kerberos_server is no longer used by rc.local
- add some xrefs
plus some misc. cleanup.

Move network interface config after programs run on boot-up, to match
the order this actually happens in at boot time. Fix a few minor typos.

document net_interfaces, ifconfig_*

Re-write.

Rewrote second paragraph, and added mopd in a new format. All the other
entries will be converted soon after feedback is received.

Document statd_flags and lockd_flags

change rc.conf.5 to reflect change to Kerberos stuff in rc.local, as per mrg

add man pages for mostly new and some old configuration files.