Add ip_portrange_first and ip_portrange_last rc.conf/rc.network

options.  This allows you to set the standard dynamic port
    assignment range prior to any network daemons (like named) starting
    up, necessary if you are also using a firewall to restrict lower ports.
    will be MFC'd in a few days

etc/defaults/rc.conf

@@ -48,6 +48,10 @@ firewall_type="UNKNOWN"		# Firewall type (see /etc/rc.firewall)
 firewall_quiet="NO"		# Set to YES to suppress rule display
 firewall_logging="NO"           # Set to YES to enable events logging
 firewall_flags=""		# Flags passed to ipfw when type is a file
+ip_portrange_first="NO"		# Set first dynamically allocated port
+ip_portrange_last="NO"		# Set last dynamically allocated port
+ipsec_enable="NO"		# Set to YES to run setkey on ipsec_file
+ipsec_file="/etc/ipsec.conf"	# Name of config file for setkey
 natd_program="/sbin/natd"	# path to natd, if you want a different one.
 natd_enable="NO"                # Enable natd (if firewall_enable == YES).
 natd_interface="fxp0"           # Public interface or IPaddress to use.
@@ -158,8 +162,6 @@ nis_yppasswdd_flags=""		# Flags to rpc.yppasswdd (if enabled).
 defaultrouter="NO"		# Set to default gateway (or NO).
 static_routes=""		# Set to static route list (or leave empty).
 gateway_enable="NO"		# Set to YES if this host will be a gateway.
-ipsec_enable="NO"		# Set to YES to run setkey on ipsec_file
-ipsec_file="/etc/ipsec.conf"	# Name of config file for setkey
 router_enable="NO"		# Set to YES to enable a routing daemon.
 router="routed"			# Name of routing daemon to use if enabled.
 router_flags="-q"		# Flags for routing daemon.

etc/network.subr

@@ -350,6 +350,25 @@ network_pass1() {
 		sysctl -w net.link.ether.inet.proxyall=1 >/dev/null
 		;;
 	esac
+
+	case ${ip_portrange_first} in
+	[Nn][Oo] | '')
+		;;
+	*)
+		echo -n ' ip_portrange_first=$ip_portrange_first'
+		sysctl -w net.inet.ip.portrange.first=$ip_portrange_first >/dev/null
+		;;
+	esac
+
+	case ${ip_portrange_last} in
+	[Nn][Oo] | '')
+	    ;;
+	*)
+		echo -n ' ip_portrange_last=$ip_portrange_last'
+		sysctl -w net.inet.ip.portrange.last=$ip_portrange_last >/dev/null
+		;;
+	esac
+
 	echo '.'
 
 	case ${ipsec_enable} in

etc/rc.d/netoptions

@@ -350,6 +350,25 @@ network_pass1() {
 		sysctl -w net.link.ether.inet.proxyall=1 >/dev/null
 		;;
 	esac
+
+	case ${ip_portrange_first} in
+	[Nn][Oo] | '')
+		;;
+	*)
+		echo -n ' ip_portrange_first=$ip_portrange_first'
+		sysctl -w net.inet.ip.portrange.first=$ip_portrange_first >/dev/null
+		;;
+	esac
+
+	case ${ip_portrange_last} in
+	[Nn][Oo] | '')
+	    ;;
+	*)
+		echo -n ' ip_portrange_last=$ip_portrange_last'
+		sysctl -w net.inet.ip.portrange.last=$ip_portrange_last >/dev/null
+		;;
+	esac
+
 	echo '.'
 
 	case ${ipsec_enable} in

etc/rc.d/network1

@@ -350,6 +350,25 @@ network_pass1() {
 		sysctl -w net.link.ether.inet.proxyall=1 >/dev/null
 		;;
 	esac
+
+	case ${ip_portrange_first} in
+	[Nn][Oo] | '')
+		;;
+	*)
+		echo -n ' ip_portrange_first=$ip_portrange_first'
+		sysctl -w net.inet.ip.portrange.first=$ip_portrange_first >/dev/null
+		;;
+	esac
+
+	case ${ip_portrange_last} in
+	[Nn][Oo] | '')
+	    ;;
+	*)
+		echo -n ' ip_portrange_last=$ip_portrange_last'
+		sysctl -w net.inet.ip.portrange.last=$ip_portrange_last >/dev/null
+		;;
+	esac
+
 	echo '.'
 
 	case ${ipsec_enable} in

etc/rc.d/network2

@@ -350,6 +350,25 @@ network_pass1() {
 		sysctl -w net.link.ether.inet.proxyall=1 >/dev/null
 		;;
 	esac
+
+	case ${ip_portrange_first} in
+	[Nn][Oo] | '')
+		;;
+	*)
+		echo -n ' ip_portrange_first=$ip_portrange_first'
+		sysctl -w net.inet.ip.portrange.first=$ip_portrange_first >/dev/null
+		;;
+	esac
+
+	case ${ip_portrange_last} in
+	[Nn][Oo] | '')
+	    ;;
+	*)
+		echo -n ' ip_portrange_last=$ip_portrange_last'
+		sysctl -w net.inet.ip.portrange.last=$ip_portrange_last >/dev/null
+		;;
+	esac
+
 	echo '.'
 
 	case ${ipsec_enable} in

etc/rc.d/network3

@@ -350,6 +350,25 @@ network_pass1() {
 		sysctl -w net.link.ether.inet.proxyall=1 >/dev/null
 		;;
 	esac
+
+	case ${ip_portrange_first} in
+	[Nn][Oo] | '')
+		;;
+	*)
+		echo -n ' ip_portrange_first=$ip_portrange_first'
+		sysctl -w net.inet.ip.portrange.first=$ip_portrange_first >/dev/null
+		;;
+	esac
+
+	case ${ip_portrange_last} in
+	[Nn][Oo] | '')
+	    ;;
+	*)
+		echo -n ' ip_portrange_last=$ip_portrange_last'
+		sysctl -w net.inet.ip.portrange.last=$ip_portrange_last >/dev/null
+		;;
+	esac
+
 	echo '.'
 
 	case ${ipsec_enable} in

etc/rc.d/routing

@@ -350,6 +350,25 @@ network_pass1() {
 		sysctl -w net.link.ether.inet.proxyall=1 >/dev/null
 		;;
 	esac
+
+	case ${ip_portrange_first} in
+	[Nn][Oo] | '')
+		;;
+	*)
+		echo -n ' ip_portrange_first=$ip_portrange_first'
+		sysctl -w net.inet.ip.portrange.first=$ip_portrange_first >/dev/null
+		;;
+	esac
+
+	case ${ip_portrange_last} in
+	[Nn][Oo] | '')
+	    ;;
+	*)
+		echo -n ' ip_portrange_last=$ip_portrange_last'
+		sysctl -w net.inet.ip.portrange.last=$ip_portrange_last >/dev/null
+		;;
+	esac
+
 	echo '.'
 
 	case ${ipsec_enable} in

etc/rc.network

@@ -350,6 +350,25 @@ network_pass1() {
 		sysctl -w net.link.ether.inet.proxyall=1 >/dev/null
 		;;
 	esac
+
+	case ${ip_portrange_first} in
+	[Nn][Oo] | '')
+		;;
+	*)
+		echo -n ' ip_portrange_first=$ip_portrange_first'
+		sysctl -w net.inet.ip.portrange.first=$ip_portrange_first >/dev/null
+		;;
+	esac
+
+	case ${ip_portrange_last} in
+	[Nn][Oo] | '')
+	    ;;
+	*)
+		echo -n ' ip_portrange_last=$ip_portrange_last'
+		sysctl -w net.inet.ip.portrange.last=$ip_portrange_last >/dev/null
+		;;
+	esac
+
 	echo '.'
 
 	case ${ipsec_enable} in