diff --git a/client/fwknop.8.in b/client/fwknop.8.in
index 4e7b5fbc..c0bc4d93 100644
--- a/client/fwknop.8.in
+++ b/client/fwknop.8.in
@@ -2,12 +2,12 @@
 .\"     Title: fwknop
 .\"    Author: [see the "AUTHORS" section]
 .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\"      Date: 05/22/2015
+.\"      Date: 08/24/2015
 .\"    Manual: Fwknop Client
 .\"    Source: Fwknop Client
 .\"  Language: English
 .\"
-.TH "FWKNOP" "8" "05/22/2015" "Fwknop Client" "Fwknop Client"
+.TH "FWKNOP" "8" "08/24/2015" "Fwknop Client" "Fwknop Client"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff --git a/doc/fwknopd.man.asciidoc b/doc/fwknopd.man.asciidoc
index 167eda54..7b21d432 100644
--- a/doc/fwknopd.man.asciidoc
+++ b/doc/fwknopd.man.asciidoc
@@ -547,23 +547,35 @@ directive starts a new stanza.
     *sudo* provides a powerful means of restricting the sets of commands that
     users can execute via the ``sudoers'' file. By enabling this feature (and
     in ``ENABLE_CMD_EXEC'' mode), all incoming commands from valid SPA packets
-    will be prefixed by ``/path/to/sudo -u <user>'' where the path to sudo is
-    set by the ``SUDO_EXE'' variable, and ``<user>'' is set by the
-    ``CMD_EXEC_USER'' variable (default is ``root'' if not set).
+    will be prefixed by ``/path/to/sudo -u <user> -g <group>'' where the path
+    to sudo is set by the ``SUDO_EXE'' variable, ``<user>'' is set by the
+    ``CMD_SUDO_EXEC_USER'' variable (default is ``root'' if not set), and
+    ``<group>'' is set by ``CMD_SUDO_EXEC_GROUP'' (default is also ``root'' if
+    not set).
 
 *CMD_EXEC_USER* '<username>'::
-     This specifies the user (via setuid) that will execute commands contained
-     within a SPA packet. If not specified, fwknopd will execute it as the user
-     it is running as (most likely root). Setting this to a non-root user such
-     as ``nobody'' is highly recommended if elevated permissions are not
-     needed.
+     Specify the user (via setuid) that will execute a command contained within
+     a SPA packet. If this variable is not given, fwknopd will execute the
+     command as the user it is running as (most likely root). Setting this to a
+     non-root user such as ``nobody'' is highly recommended if elevated
+     permissions are not needed.
+
+*CMD_SUDO_EXEC_USER* '<username>'::
+    Specify the user (via ``sudo -u <user>'') that will execute a command
+    contained within a SPA packet. If this variable is not given, fwknopd will
+    assume the command should be executed as root.
 
 *CMD_EXEC_GROUP* '<groupname>'::
-     This specifies the group (via setgid) that will execute commands contained
-     within a SPA packet. If not specified, fwknopd will execute it as the user
-     it is running as (most likely root). Setting this to a non-root user such
-     as ``nobody'' is highly recommended if elevated permissions are not
-     needed.
+     Specify the group (via setgid) that will execute a command contained within
+     a SPA packet. If this variable is not given, fwknopd will execute the
+     command as the user it is running as (most likely root). Setting this to a
+     non-root user such as ``nobody'' is highly recommended if elevated
+     permissions are not needed.
+
+*CMD_SUDO_EXEC_GROUP* '<groupname>'::
+    Specify the group (via ``sudo -gu <group>'') that will execute a command
+    contained within a SPA packet. If this variable is not given, fwknopd will
+    assume the command should be executed as root.
 
 *SUDO_EXE* '<path>'::
     Define the path to the sudo binary. Default is ``/usr/bin/sudo''.
diff --git a/server/fwknopd.8.in b/server/fwknopd.8.in
index 807df7e9..66131ed4 100644
--- a/server/fwknopd.8.in
+++ b/server/fwknopd.8.in
@@ -2,12 +2,12 @@
 .\"     Title: fwknopd
 .\"    Author: [see the "AUTHORS" section]
 .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\"      Date: 05/22/2015
+.\"      Date: 08/24/2015
 .\"    Manual: Fwknop Server
 .\"    Source: Fwknop Server
 .\"  Language: English
 .\"
-.TH "FWKNOPD" "8" "05/22/2015" "Fwknop Server" "Fwknop Server"
+.TH "FWKNOPD" "8" "08/24/2015" "Fwknop Server" "Fwknop Server"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -387,6 +387,16 @@ Track digest sums associated with previous SPA packets processed by
 will not check incoming SPA packet data against any previously save digests\&. It is a good idea to leave this feature on to reduce the possibility of being vulnerable to a replay attack\&.
 .RE
 .PP
+\fBRULES_CHECK_THRESHOLD\fR \fI<count>\fR
+.RS 4
+Defines the number of times firewall rule expiration times must be checked before a "deep" check is run\&. This allows
+\fBfwknopd\fR
+to remove rules that contain a proper
+\fI\fIexp\fR\fR\fI<time>\fR
+even if a third party program added them instead of
+\fBfwknopd\fR\&. The default value for this variable is 20, and this typically results in this check being run every two seconds or so\&. To disable this type of checking altogether, set this variable to zero\&.
+.RE
+.PP
 \fBENABLE_IPT_FORWARDING\fR \fI<Y/N>\fR
 .RS 4
 Allow SPA clients to request access to services through an iptables firewall instead of just to it (i\&.e\&. access through the FWKNOP_FORWARD chain instead of the INPUT chain)\&.
@@ -447,6 +457,13 @@ Flush all existing rules in the fwknop chains when
 is stopped or otherwise exits cleanly\&. The default is \(lqY\(rq\&.
 .RE
 .PP
+\fBEXIT_AT_INTF_DOWN\fR \fI<Y/N>\fR
+.RS 4
+When
+\fBfwknopd\fR
+is sniffing an interface, if the interface is administratively downed or unplugged, fwknopd will cleanly exit and an assumption is made that any process monitoring infrastructure like systemd or upstart will restart it\&. However, if fwknopd is not being monitored by systemd, upstart, or anything else, this behavior can be disabled with the \(lqEXIT_AT_INTF_DOWN\(rq variable\&. If disabled, fwknopd will try to recover when a downed interface comes back up\&.
+.RE
+.PP
 \fBGPG_HOME_DIR\fR \fI<path>\fR
 .RS 4
 If GPG keys are used instead of a Rijndael symmetric key, this is the default GPG keys directory\&. Note that each access stanza in
@@ -667,9 +684,35 @@ server as the user specified by the \(lqCMD_EXEC_USER\(rq or as the user that st
 if that is not set\&.
 .RE
 .PP
+\fBENABLE_CMD_SUDO_EXEC\fR \fI<Y/N>\fR
+.RS 4
+\fBsudo\fR
+provides a powerful means of restricting the sets of commands that users can execute via the \(lqsudoers\(rq file\&. By enabling this feature (and in \(lqENABLE_CMD_EXEC\(rq mode), all incoming commands from valid SPA packets will be prefixed by \(lq/path/to/sudo \-u <user> \-g <group>\(rq where the path to sudo is set by the \(lqSUDO_EXE\(rq variable, \(lq<user>\(rq is set by the \(lqCMD_SUDO_EXEC_USER\(rq variable (default is \(lqroot\(rq if not set), and \(lq<group>\(rq is set by \(lqCMD_SUDO_EXEC_GROUP\(rq (default is also \(lqroot\(rq if not set)\&.
+.RE
+.PP
 \fBCMD_EXEC_USER\fR \fI<username>\fR
 .RS 4
-This specifies the user that will execute commands contained within a SPA packet\&. If not specified, fwknopd will execute it as the user it is running as (most likely root)\&. Setting this to a non\-root user is highly recommended\&.
+Specify the user (via setuid) that will execute a command contained within a SPA packet\&. If this variable is not given, fwknopd will execute the command as the user it is running as (most likely root)\&. Setting this to a non\-root user such as \(lqnobody\(rq is highly recommended if elevated permissions are not needed\&.
+.RE
+.PP
+\fBCMD_SUDO_EXEC_USER\fR \fI<username>\fR
+.RS 4
+Specify the user (via \(lqsudo \-u <user>\(rq) that will execute a command contained within a SPA packet\&. If this variable is not given, fwknopd will assume the command should be executed as root\&.
+.RE
+.PP
+\fBCMD_EXEC_GROUP\fR \fI<groupname>\fR
+.RS 4
+Specify the group (via setgid) that will execute a command contained within a SPA packet\&. If this variable is not given, fwknopd will execute the command as the user it is running as (most likely root)\&. Setting this to a non\-root user such as \(lqnobody\(rq is highly recommended if elevated permissions are not needed\&.
+.RE
+.PP
+\fBCMD_SUDO_EXEC_GROUP\fR \fI<groupname>\fR
+.RS 4
+Specify the group (via \(lqsudo \-gu <group>\(rq) that will execute a command contained within a SPA packet\&. If this variable is not given, fwknopd will assume the command should be executed as root\&.
+.RE
+.PP
+\fBSUDO_EXE\fR \fI<path>\fR
+.RS 4
+Define the path to the sudo binary\&. Default is \(lq/usr/bin/sudo\(rq\&.
 .RE
 .PP
 \fBREQUIRE_USERNAME\fR \fI<username>\fR
