.\" Copyright (c) 1995
.\" Jordan K. Hubbard
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd October 2, 2025
.Dt RC.CONF 5
.Os
.Sh NAME
.Nm rc.conf
.Nd system configuration information
.Sh DESCRIPTION
The file
.Nm
contains descriptive information about the local host name, configuration
details for any potential network interfaces and which services should be
started up at system initial boot time.
In new installations, the
.Nm
file is generally initialized by the system installation utility.
.Pp
The purpose of
.Nm
is not to run commands or perform system startup actions
directly.
Instead, it is included by the
various generic startup scripts in
.Pa /etc
which conditionalize their
internal actions according to the settings found there.
.Pp
The
.Pa /etc/rc.conf
file is included from the file
.Pa /etc/defaults/rc.conf ,
which specifies the default settings for all the available options.
Options need only be specified in
.Pa /etc/rc.conf
when the system administrator wishes to override these defaults.
The file
.Pa /etc/defaults/vendor.conf
allows vendors to override
.Fx
defaults.
The file
.Pa /etc/rc.conf.local
is used to override settings in
.Pa /etc/rc.conf
for historical reasons.
.Pp
The
.Xr sysrc 8
command provides a scripting interface to modify system
config files.
.Pp
In addition to
.Pa /etc/rc.conf.local
you can also place smaller configuration files for each
.Xr rc 8
script in the
.Pa /etc/rc.conf.d
directory or
.Ao Ar dir Ac Ns Pa /rc.conf.d
directories (where
.Ao Ar dir Ac
is each entry specified in
.Va local_startup ,
but with any trailing
.Pa /rc.d
stripped),
which will be included by the
.Va load_rc_config
function.
For jail configurations you could use the file
.Pa /etc/rc.conf.d/jail
to store jail-specific configuration options.
If
.Va local_startup
contains
.Pa /usr/local/etc/rc.d
and
.Pa /opt/conf ,
.Pa /usr/local/etc/rc.conf.d/jail
and
.Pa /opt/conf/rc.conf.d/jail
will be loaded.
If
.Ao Ar dir Ac Ns Pa /rc.conf.d/ Ns Ao Ar name Ac
is a directory then all of the files in the directory will be loaded.
See also the
.Va rc_conf_files
variable below.
.Pp
Options are set with
.Dq Ar name Ns Li = Ns Ar value
assignments that use
.Xr sh 1
syntax.
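.Pp
An added example, not part of this manual page or of the FreeBSD rc scripts: a POSIX sh function that resolves the effective value of one variable, and the file that last changed it, by sourcing the files in the include order described above, so that a security setting overridden in a later file is not missed by reading /etc/rc.conf alone. The function names, the _au_ variable prefix and the sample tree are constructed for illustration; loading vendor.conf directly after /etc/defaults/rc.conf is an assumption.

```sh
#!/bin/sh
# Added example; not part of rc.conf(5) or the FreeBSD rc framework.
#
# rc_effective ROOT SERVICE VAR
#   Print "<value><TAB><file that last changed it>" for VAR as SERVICE's rc
#   script would see it, reading only files under ROOT ("/" for a live host,
#   or the mount point of an offline image).
# The files are sourced as sh, as rc itself does, so any command they
# contain runs here too: use this only on trees you would also boot.
rc_effective() (
    _au_root=${1%/} _au_svc=$2 _au_var=$3 _au_origin='(unset)'
    # Only a plain sh identifier may reach the eval calls below.
    case $_au_var in ''|[0-9]*|*[!A-Za-z0-9_]*) exit 2 ;; esac
    case $_au_svc in ''|*/*) exit 2 ;; esac

    _au_load() {
        [ -f "$1" ] && [ -r "$1" ] || return 0
        eval "_au_before=\${$_au_var-}"
        . "$1"
        eval "_au_after=\${$_au_var-}"
        # A file that re-assigns the same value does not take over provenance.
        [ "$_au_before" = "$_au_after" ] || _au_origin=${1#"$_au_root"}
    }

    _au_load "$_au_root/etc/defaults/rc.conf"
    _au_load "$_au_root/etc/defaults/vendor.conf"   # assumed position
    for _au_f in ${rc_conf_files:-/etc/rc.conf /etc/rc.conf.local}; do
        _au_load "$_au_root$_au_f"
    done
    # Per-service files: /etc first, then each local_startup entry with a
    # trailing /rc.d stripped; a directory contributes every file inside it.
    for _au_d in /etc ${local_startup-}; do
        _au_p=$_au_root${_au_d%/rc.d}/rc.conf.d/$_au_svc
        if [ -d "$_au_p" ]; then
            for _au_f in "$_au_p"/*; do _au_load "$_au_f"; done
        else
            _au_load "$_au_p"
        fi
    done
    eval "printf '%s\t%s\n' \"\${$_au_var-}\" \"\$_au_origin\""
)

# Constructed sample tree (not taken from any real host).
make_sample_tree() {
    mkdir -p "$1/etc/defaults" "$1/etc/rc.conf.d/pflog" \
        "$1/usr/local/etc/rc.conf.d"
    cat > "$1/etc/defaults/rc.conf" <<'EOF'
rc_conf_files="/etc/rc.conf /etc/rc.conf.local"
local_startup="/usr/local/etc/rc.d"
pf_enable="NO"
firewall_enable="NO"
EOF
    echo 'pf_enable="YES"'       > "$1/etc/rc.conf"
    echo 'firewall_enable="YES"' > "$1/etc/rc.conf.local"
    echo 'pf_enable="NO"'        > "$1/usr/local/etc/rc.conf.d/pf"
    echo 'pflog_logfile="/var/log/pflog.site"' > "$1/etc/rc.conf.d/pflog/site"
}

# Run as "sh thisfile demo" to see the override on the sample tree.
if [ "${1-}" = demo ]; then
    _demo=$(mktemp -d) && make_sample_tree "$_demo"
    rc_effective "$_demo" pf pf_enable
    rm -rf "$_demo"
fi
```

In the sample tree /etc/rc.conf enables pf, yet the per-service file under the local_startup directory turns it off again, and the function reports that file as the origin.
.Pp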
The following list provides a name and short description for each
variable that can be set in the
.Nm
file:
.Bl -tag -width indent-two
.It Va rc_debug
.Pq Vt bool
If set to
.Dq Li YES ,
enable output of debug messages from rc scripts.
This variable can be helpful in diagnosing mistakes when
editing or integrating new scripts.
Beware that this produces copious output to the terminal and
.Xr syslog 3 .
.It Va rc_info
.Pq Vt bool
If set to
.Dq Li NO ,
disable informational messages from the rc scripts.
Informational messages are displayed when
a condition that is not serious enough to warrant a warning or
an error occurs.
.It Va rc_startmsgs
.Pq Vt bool
If set to
.Dq Li YES ,
show
.Dq Starting foo:
when faststart is used (e.g., at boot time).
.It Va early_late_divider
.Pq Vt str
The name of the script that should be used as the
delimiter between the
.Dq early
and
.Dq late
stages of the boot process.
The early stage should contain all the services needed to
get the disks (local or remote) mounted so that the late
stage can include scripts contained in the directories
listed in the
.Va local_startup
variable (see below).
Thus, the two likely candidates for this value are
.Pa mountcritlocal
for the typical system, and
.Pa mountcritremote
if the system needs remote file
systems mounted to get access to the
.Va local_startup
directories; for example when
.Pa /usr/local
is NFS mounted.
For
.Pa rc.conf
within a
.Xr jail 8
.Pa NETWORKING
is likely to be an appropriate value.
Extreme care should be taken when changing this value,
and before changing it one should ensure that there are
adequate provisions to recover from a failed boot
(such as physical contact with the machine,
or reliable remote console access).
.It Va always_force_depends
.Pq Vt bool
Various
.Pa rc.d
scripts use the force_depend function to check whether required
services are already running, and to start them if necessary.
By default during boot time this check is bypassed if the
required service is enabled in
.Pa /etc/rc.conf[.local] .
Setting this option will bypass that check at boot time and
always test whether or not the service is actually running.
Enabling this option is likely to increase your boot time if
services are enabled that utilize the force_depend check.
.It Ao Ar name Ac Ns Va _chroot
.Pq Vt str
.Xr chroot 8
to this directory before running the service.
.It Ao Ar name Ac Ns Va _cpuset
.Pq Vt str
A list of CPUs to run the service on.
Passed to
.Xr cpuset 1
using the
.Fl l
flag.
.It Ao Ar name Ac Ns Va _fib
.Pq Vt int
The
.Xr setfib 1
value to run the service under.
.It Ao Ar name Ac Ns Va _group
.Pq Vt str
Run the chrooted service under this system group.
Unlike the
.Ao Ar name Ac Ns Va _user
setting, this setting has no effect if the service is not chrooted.
.It Ao Ar name Ac Ns Va _limits
.Pq Vt str
Resource limits to apply to the service using
.Xr limits 1 .
By default, resource limits are based on the login class defined in
.Ao Ar name Ac Ns Va _login_class .
.It Ao Ar name Ac Ns Va _login_class
.Pq Vt str
Login class to be used with
.Ao Ar name Ac Ns Va _limits .
Defaults to
.Dq Li daemon .
.It Ao Ar name Ac Ns Va _nice
.Pq Vt int
The
.Xr nice 1
value to run the service under.
.It Ao Ar name Ac Ns Va _oomprotect
.Pq Vt str
Use
.Xr protect 1
to prevent the service from being killed when swap space
is exhausted.
Use
.Dq Li YES
to protect only the service itself, and
.Dq Li ALL
to protect the service and all its child processes.
.Pp
Please note that rc scripts which redefine
.Dl ${argument}_cmd
.Pq see Xr rc.subr 8
such as PostgreSQL will not inherit the OOM killer protection.
.Pp
This variable has no effect on services running within a
.Xr jail 8 .
.It Ao Ar name Ac Ns Va _setup
.Pq Vt str
Run the specified setup script right before starting the actual service
command.
Useful for automatic configuration file generation.
.It Ao Ar name Ac Ns Va _umask
.Pq Vt int
Run the service using this
.Xr umask 1
value.
.It Ao Ar name Ac Ns Va _user
.Pq Vt str
Run the service under this user account.
.It Ao Ar name Ac Ns Va _svcj
.Pq Vt bool
If set to
.Dq Li YES ,
auto-jail the service with inherited filesystem and other
jail properties depending on
.Ao Ar name Ac Ns Va _svcj_options .
.It Ao Ar name Ac Ns Va _svcj_ipaddrs
.Pq Vt str
A list of IP addresses that the service jail will be permitted to use.
If this is not specified, the service jail will be permitted to use all
assigned IP addresses if networking is enabled in the jail.
.It Ao Ar name Ac Ns Va _svcj_options
.Pq Vt str
A list of jail properties for the service.
See
.Sx SERVICE JAILS
for a list of valid properties.
.It Va apm_enable
.Pq Vt bool
If set to
.Dq Li YES ,
enable support for Automatic Power Management with
the
.Xr apm 8
command.
.It Va apmd_enable
.Pq Vt bool
Run
.Xr apmd 8
to handle APM events from userland.
This also enables support for APM.
.It Va apmd_flags
.Pq Vt str
If
.Va apmd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr apmd 8
daemon.
.It Va devd_enable
.Pq Vt bool
Run
.Xr devd 8
to handle device added, removed or unknown events from the kernel.
.It Va ddb_enable
.Pq Vt bool
Run
.Xr ddb 8
to install
.Xr ddb 4
scripts at boot time.
.It Va ddb_config
.Pq Vt str
Configuration file for
.Xr ddb 8 .
Default
.Pa /etc/ddb.conf .
.It Va devmatch_enable
.Pq Vt bool
If set to
.Dq Li NO ,
disable auto-loading of kernel modules with
.Xr devmatch 8 .
.It Va devmatch_blocklist
.Pq Vt str
A whitespace-separated list of kernel modules to be ignored by
.Xr devmatch 8 .
In addition, the
.Xr kenv 1
.Va devmatch_blocklist
is appended to this variable to allow disabling of
.Xr devmatch 8
loaded modules from the boot loader.
.It Va devmatch_blacklist
.Pq Vt str
This variable is deprecated.
Use
.Va devmatch_blocklist
instead.
A whitespace-separated list of kernel modules to be ignored by
.Xr devmatch 8 .
.It Va kld_list
.Pq Vt str
A whitespace-separated list of kernel modules to load right after
the local disks are mounted, without any
.Pa .ko
extension or path.
.It Va kldxref_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Set to
.Dq Li YES
to automatically rebuild
.Pa linker.hints
files with
.Xr kldxref 8
at boot time.
.It Va kldxref_clobber
.Pq Vt bool
Set to
.Dq Li NO
by default.
If
.Va kldxref_enable
is true,
setting to
.Dq Li YES
will overwrite existing
.Pa linker.hints
files at boot time.
Otherwise,
only missing
.Pa linker.hints
files are generated.
.It Va kldxref_module_path
.Pq Vt str
Empty by default.
A semi-colon
.Pq Ql \&;
delimited list of paths containing
.Xr kld 4
modules.
If empty,
the contents of the
.Va kern.module_path
.Xr sysctl 8
are used.
.It Va powerd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
enable the system power control facility with the
.Xr powerd 8
daemon.
.It Va powerd_flags
.Pq Vt str
If
.Va powerd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr powerd 8
daemon.
.It Va svcj_all_enable
Enable auto-jailing of all services which are not explicitly
excluded.
See
.Sx SERVICE JAILS
for more info.
.It Va tmpmfs
Controls the creation of a
.Pa /tmp
memory file system.
Always happens if set to
.Dq Li YES
and never happens if set to
.Dq Li NO .
If set to anything else, a memory file system is created if
.Pa /tmp
is not writable.
.It Va tmpsize
Controls the size of a created
.Pa /tmp
memory file system.
.It Va tmpmfs_flags
Extra options passed to the
.Xr mdmfs 8
utility when the memory file system for
.Pa /tmp
is created.
The default is
.Dq Li "-S" ,
which inhibits the use of softupdates on
.Pa /tmp
so that file system space is freed without delay
after file truncation or deletion.
See
.Xr mdmfs 8
for other options you can use in
.Va tmpmfs_flags .
.It Va varmfs
Controls the creation of a
.Pa /var
memory file system.
Always happens if set to
.Dq Li YES
and never happens if set to
.Dq Li NO .
If set to anything else, a memory file system is created if
.Pa /var
is not writable.
.It Va varsize
Controls the size of a created
.Pa /var
memory file system.
.It Va varmfs_flags
Extra options passed to the
.Xr mdmfs 8
utility when the memory file system for
.Pa /var
is created.
The default is
.Dq Li "-S" ,
which inhibits the use of softupdates on
.Pa /var
so that file system space is freed without delay
after file truncation or deletion.
See
.Xr mdmfs 8
for other options you can use in
.Va varmfs_flags .
.It Va populate_var
Controls the automatic population of the
.Pa /var
file system.
Always happens if set to
.Dq Li YES
and never happens if set to
.Dq Li NO .
If set to anything else, a memory file system is created if
.Pa /var
is not writable.
Note that this process requires access to certain commands in
.Pa /usr
before
.Pa /usr
is mounted on normal systems.
.It Va cleanvar_enable
.Pq Vt bool
Clean the
.Pa /var
directory.
.It Va var_run_enable
.Pq Vt bool
Set to "YES" to enable saving of the
.Pa /var/run
directory structure into an mtree file at shutdown and the reload of the
.Pa /var/run
directory structure at boot.
.It Va var_run_autosave
.Pq Vt bool
In some cases it may be undesirable to save
.Pa /var/run
at shutdown.
When set to "NO"
.Pa /var/run
is loaded at reboot but not saved at shutdown.
Typically in this scenario
.Ql service var_run save
would be performed to save a copy of the
.Pa /var/run
directory structure once, to be reloaded during all subsequent reboots.
.It Va var_run_mtree
.Pq Vt str
Where to save the
.Pa /var/run
mtree.
The default location is
.Pa /var/db/mtree/BSD.var-run.mtree .
.It Va local_startup
.Pq Vt str
List of directories to search for startup script files.
.It Va script_name_sep
.Pq Vt str
The field separator to use for breaking down the list of startup script files
into individual filenames.
The default is a space.
It is not necessary to change this unless there are startup scripts with names
containing spaces.
.It Va hostapd_enable
.Pq Vt bool
Set to
.Dq Li YES
to start
.Xr hostapd 8
at system boot time.
.It Va hostname
.Pq Vt str
The fully qualified domain name (FQDN) of this host on the network.
This should almost certainly be set to something meaningful, even if
there is no network connection.
If
.Xr dhclient 8
is used to set the hostname via DHCP,
this variable should be set to an empty string.
Within a
.Xr jail 8
the hostname is generally already set and this variable may be absent.
If this value remains unset when the system is done booting
your console login will display the default hostname of
.Dq Amnesiac .
.It Va nisdomainname
.Pq Vt str
The NIS domain name of this host, or
.Dq Li NO
if NIS is not used.
.It Va hostid_enable
.Pq Vt bool
If set to
.Dq Li NO ,
disable the generation or saving of the
.Pa hostid
and
.Pa machine-id
files at system boot and shutdown.
.It Va hostid_file
.Pq Vt str
Path to the
.Pa hostid
file, default
.Pa /etc/hostid .
.It Va hostid_uuidgen_flags
.Pq Vt str
Flags passed to
.Xr uuidgen 1
when generating a software host UUID.
This is used only if the system cannot determine a hardware UUID.
Set to
.Dq Li -r
by default.
.It Va machine_id_file
.Pq Vt str
Path to the
.Pa machine-id
file, default
.Pa /etc/machine-id .
.It Va dhclient_program
.Pq Vt str
Path to the DHCP client program, defaulting to
.Pa /sbin/dhclient .
.It Va dhclient_flags
.Pq Vt str
Additional flags to pass to the DHCP client program.
See the
.Xr dhclient 8
manpage for a description of the command line options available.
.It Va dhclient_flags_ Ns Aq Ar iface
Additional flags to pass to the DHCP client program running on
.Ar iface
only.
When specified, this variable overrides
.Va dhclient_flags .
.It Va background_dhclient
.Pq Vt bool
Set to
.Dq Li YES
to start the DHCP client in background.
This can cause trouble with applications depending on
a working network, but it will provide a faster startup
in many cases.
.It Va background_dhclient_ Ns Aq Ar iface
When specified, this variable overrides the
.Va background_dhclient
variable for interface
.Ar iface
only.
.It Va dhclient_arpwait
.Pq Vt bool
Set to
.Dq Li NO
to stop
.Xr dhclient 8
from waiting for ARP resolution, to make the system boot faster.
This may be done on networks where the DHCP server is certain to
know whether an address is available.
.It Va synchronous_dhclient
.Pq Vt bool
Set to
.Dq Li YES
to start
.Xr dhclient 8
synchronously at startup.
This behavior can be overridden on a per-interface basis by replacing
the
.Dq Li DHCP
keyword in the
.Va ifconfig_ Ns Aq Ar interface
variable with
.Dq Li SYNCDHCP
or
.Dq Li NOSYNCDHCP .
.It Va defaultroute_delay
.Pq Vt int
When set to a positive value, wait up to this long after configuring
DHCP interfaces at startup to give the interfaces time to receive a lease.
.It Va firewall_enable
.Pq Vt bool
Set to
.Dq Li YES
to load firewall rules at startup.
If the kernel was not built with
.Cd "options IPFIREWALL" ,
the
.Pa ipfw.ko
kernel module will be loaded.
See also
.Va ipfilter_enable .
.It Va firewall_script
.Pq Vt str
This variable specifies the full path to the firewall script to run.
The default is
.Pa /etc/rc.firewall .
.It Va firewall_type
.Pq Vt str
Names the firewall type from the selection in
.Pa /etc/rc.firewall ,
or the file which contains the local firewall ruleset.
Valid selections from
.Pa /etc/rc.firewall
are:
.Pp
.Bl -tag -width ".Li workstation" -compact
.It Li open
unrestricted IP access
.It Li closed
all IP services disabled, except via
.Dq Li lo0
.It Li client
basic protection for a workstation
.It Li workstation
basic protection for a workstation using stateful firewalling
.It Li simple
basic protection for a LAN.
.El
.Pp
If a filename is specified, the full path
must be given.
.Pp
Most of the predefined rulesets define additional configuration variables.
These are documented in
.Pa /etc/rc.firewall .
.It Va firewall_quiet
.Pq Vt bool
Set to
.Dq Li YES
to disable the display of firewall rules on the console during boot.
.It Va firewall_logging
.Pq Vt bool
Set to
.Dq Li YES
to enable firewall event logging.
This is equivalent to the
.Dv IPFIREWALL_VERBOSE
kernel option.
.It Va firewall_logif
.Pq Vt bool
Set to
.Dq Li YES
to create pseudo interface
.Li ipfw0
for logging.
For more details, see
.Xr ipfw 8
manual page.
.It Va firewall_flags
.Pq Vt str
Flags passed to
.Xr ipfw 8
if
.Va firewall_type
specifies a filename.
.It Va firewall_coscripts
.Pq Vt str
List of executables and/or rc scripts to run after firewall starts/stops.
Default is empty.
.\" ----- firewall_nat_enable setting --------------------------------
.It Va firewall_nat_enable
.Pq Vt bool
The
.Xr ipfw 8
equivalent of
.Va natd_enable .
Setting this to
.Dq Li YES
will automatically load the
.Xr ipfw 8
NAT kernel module if
.Va firewall_enable
is also set to
.Dq Li YES .
.It Va firewall_nat_interface
.Pq Vt str
The
.Xr ipfw 8
equivalent of
.Va natd_interface .
This is the name of the public interface or IP address on which
kernel NAT should run.
.It Va firewall_nat_flags
.Pq Vt str
Additional configuration parameters for kernel NAT should be placed here.
.It Va firewall_nat64_enable
.Pq Vt bool
Setting this to
.Dq Li YES
will automatically load the
.Xr ipfw 8
NAT64 kernel module if
.Va firewall_enable
is also set to
.Dq Li YES .
.It Va firewall_nptv6_enable
.Pq Vt bool
Setting this to
.Dq Li YES
will automatically load the
.Xr ipfw 8
NPTv6 kernel module if
.Va firewall_enable
is also set to
.Dq Li YES .
.It Va firewall_pmod_enable
.Pq Vt bool
Setting this to
.Dq Li YES
will automatically load the
.Xr ipfw 8
pmod kernel module if
.Va firewall_enable
is also set to
.Dq Li YES .
.It Va dummynet_enable
.Pq Vt bool
Setting this to
.Dq Li YES
will automatically load the
.Xr dummynet 4
module if
.Va firewall_enable
is also set to
.Dq Li YES .
.\" -------------------------------------------------------------------
.It Va ipfw_netflow_enable
.Pq Vt bool
Setting this to
.Dq Li YES
will enable netflow logging via
.Xr ng_netflow 4 .
.Pp
By default an ipfw rule is inserted, all packets are duplicated with
the ngtee command, and netflow packets are sent to 127.0.0.1 on the netflow
port using protocol version 5.
.It Va ipfw_netflow_hook
.Pq Vt int
Netflow hook name; must be numerical
(default
.Pa 9995 ) .
.It Va ipfw_netflow_rule
.Pq Vt int
The ipfw rule number
(default
.Pa 1000 ) .
.It Va ipfw_netflow_ip
.Pq Vt str
Destination server IP for receiving netflow data
(default
.Pa 127.0.0.1 ) .
.It Va ipfw_netflow_port
.Pq Vt int
Destination server port for receiving netflow data
(default
.Pa 9995 ) .
.It Va ipfw_netflow_version
.Pq Vt int
Leave unset to use version 5 of the netflow protocol; set it to 9 to use
version 9.
.It Va ipfw_netflow_fib
.Pq Vt int
Only match packets in FIB
.Pa ipfw_netflow_fib
(default is undefined meaning all FIBs).
.It Va natd_program
.Pq Vt str
Path to
.Xr natd 8 .
.It Va natd_enable
.Pq Vt bool
Set to
.Dq Li YES
to enable
.Xr natd 8 .
.Va firewall_enable
must also be set to
.Dq Li YES ,
and
.Xr divert 4
sockets must be enabled in the kernel.
If the kernel was not built with
.Cd "options IPDIVERT" ,
the
.Pa ipdivert.ko
kernel module will be loaded.
.It Va natd_interface
.Pq Vt str
This is the name of the public interface on which
.Xr natd 8
should run.
The interface may be given as an interface name or as an IP address.
.It Va natd_flags
.Pq Vt str
Additional
.Xr natd 8
flags should be placed here.
The
.Fl n
or
.Fl a
flag is automatically added with the above
.Va natd_interface
as an argument.
.\" ----- ipfilter_enable setting --------------------------------
.It Va ipfilter_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Setting this to
.Dq Li YES
enables
.Xr ipf 8
packet filtering.
.Pp
Typical usage will require putting
.Bd -literal
ipfilter_enable="YES"
ipnat_enable="YES"
ipmon_enable="YES"
ipfs_enable="YES"
.Ed
.Pp
into
.Pa /etc/rc.conf
and editing
.Pa /etc/ipf.rules
and
.Pa /etc/ipnat.rules
appropriately.
.Pp
Note that
.Va ipfilter_enable
and
.Va ipnat_enable
can be enabled independently.
.Va ipmon_enable
and
.Va ipfs_enable
both require at least one of
.Va ipfilter_enable
and
.Va ipnat_enable
to be enabled.
.Pp
Having
.Bd -literal
options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK
.Ed
.Pp
in the kernel configuration file is a good idea, too.
.\" ----- ipfilter_program setting ------------------------------
.It Va ipfilter_program
.Pq Vt str
Path to
.Xr ipf 8
(default
.Pa /sbin/ipf ) .
.\" ----- ipfilter_rules setting --------------------------------
.It Va ipfilter_rules
.Pq Vt str
Set to
.Pa /etc/ipf.rules
by default.
This variable contains the name of the filter rule definition file.
The file is expected to be readable for the
.Xr ipf 8
command to execute.
.\" ----- ipfilter_flags setting --------------------------------
.It Va ipfilter_flags
.Pq Vt str
Empty by default.
This variable contains flags passed to the
.Xr ipf 8
program.
.\" ----- ipnat_enable setting ----------------------------------
.It Va ipnat_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Set it to
.Dq Li YES
to enable
.Xr ipnat 8
network address translation.
See
.Va ipfilter_enable
for a detailed discussion.
.\" ----- ipnat_program setting ---------------------------------
.It Va ipnat_program
.Pq Vt str
Path to
.Xr ipnat 8
(default
.Pa /sbin/ipnat ) .
.\" ----- ipnat_rules setting -----------------------------------
.It Va ipnat_rules
.Pq Vt str
Set to
.Pa /etc/ipnat.rules
by default.
This variable contains the name of the file
holding the network address translation definition.
This file is expected to be readable for the
.Xr ipnat 8
command to execute.
.\" ----- ipnat_flags setting -----------------------------------
.It Va ipnat_flags
.Pq Vt str
Empty by default.
This variable contains flags passed to the
.Xr ipnat 8
program.
.\" ----- ipmon_enable setting ----------------------------------
.It Va ipmon_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Set it to
.Dq Li YES
to enable
.Xr ipmon 8
monitoring (logging
.Xr ipf 8
and
.Xr ipnat 8
events).
Setting this variable needs setting
.Va ipfilter_enable
or
.Va ipnat_enable
too.
See
.Va ipfilter_enable
for a detailed discussion.
.\" ----- ipmon_program setting ---------------------------------
.It Va ipmon_program
.Pq Vt str
Path to
.Xr ipmon 8
(default
.Pa /sbin/ipmon ) .
.\" ----- ipmon_flags setting -----------------------------------
.It Va ipmon_flags
.Pq Vt str
Set to
.Dq Li -Ds
by default.
This variable contains flags passed to the
.Xr ipmon 8
program.
Another typical example would be
.Dq Fl D Pa /var/log/ipflog
to have
.Xr ipmon 8
log directly to a file bypassing
.Xr syslogd 8 .
In that case, make sure to adjust
.Pa /etc/newsyslog.conf
like this:
.Bd -literal
/var/log/ipflog 640 10 100 * Z /var/run/ipmon.pid
.Ed
.\" ----- ipfs_enable setting -----------------------------------
.It Va ipfs_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Set it to
.Dq Li YES
to enable
.Xr ipfs 8
saving the filter and NAT state tables during shutdown
and reloading them during startup again.
Setting this variable needs setting
.Va ipfilter_enable
or
.Va ipnat_enable
to
.Dq Li YES
too.
See
.Va ipfilter_enable
for a detailed discussion.
Note that if
.Va kern_securelevel
is set to 3,
.Va ipfs_enable
cannot be used
because the raised securelevel will prevent
.Xr ipfs 8
from saving the state tables at shutdown time.
.\" ----- ipfs_program setting ----------------------------------
.It Va ipfs_program
.Pq Vt str
Path to
.Xr ipfs 8
(default
.Pa /sbin/ipfs ) .
.\" ----- ipfs_flags setting ------------------------------------
.It Va ipfs_flags
.Pq Vt str
Empty by default.
This variable contains flags passed to the
.Xr ipfs 8
program.
.\" ----- end of added ipf hook ---------------------------------
.It Va pf_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Setting this to
.Dq Li YES
enables
.Xr pf 4
packet filtering.
.Pp
Typical usage will require putting
.Pp
.Dl pf_enable="YES"
.Pp
into
.Pa /etc/rc.conf
and editing
.Pa /etc/pf.conf
appropriately.
Adding
.Pp
.Dl "device pf"
.Pp
builds support for
.Xr pf 4
into the kernel, otherwise the
kernel module will be loaded.
.It Va pf_rules
.Pq Vt str
Path to
.Xr pf 4
ruleset configuration file
(default
.Pa /etc/pf.conf ) .
.It Va pf_program
.Pq Vt str
Path to
.Xr pfctl 8
(default
.Pa /sbin/pfctl ) .
.It Va pf_flags
.Pq Vt str
If
.Va pf_enable
is set to
.Dq Li YES ,
these flags are passed to the
.Xr pfctl 8
program when loading the ruleset.
.It Va pf_fallback_rules_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Setting this to
.Dq Li YES
enables loading
.Va pf_fallback_rules_file
or
.Va pf_fallback_rules
in case of a problem when loading the ruleset in
.Va pf_rules .
.It Va pf_fallback_rules_file
.Pq Vt str
Path to a pf ruleset to load in case of failure when loading the
ruleset in
.Va pf_rules
(default
.Pa /etc/pf-fallback.conf ) .
.It Va pf_fallback_rules
.Pq Vt str
A pf ruleset to load in case of failure when loading the ruleset in
.Va pf_rules
and
.Va pf_fallback_rules_file
is not found.
Multiple rules can be set as follows:
.Bd -literal
pf_fallback_rules="
    block drop log all
    pass in quick on em0"
.Ed
.Pp
The default fallback rule is
.Dq block drop log all .
.It Va pflog_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Setting this to
.Dq Li YES
enables
.Xr pflogd 8
which logs packets from the
.Xr pf 4
packet filter.
.It Va pflog_logfile
.Pq Vt str
If
.Va pflog_enable
is set to
.Dq Li YES
this controls where
.Xr pflogd 8
stores the logfile
(default
.Pa /var/log/pflog ) .
Check
.Pa /etc/newsyslog.conf
to adjust logfile rotation for this.
.It Va pflog_program
.Pq Vt str
Path to
.Xr pflogd 8
(default
.Pa /sbin/pflogd ) .
.It Va pflog_flags
.Pq Vt str
Empty by default.
This variable contains additional flags passed to the
.Xr pflogd 8
program.
.It Va pflog_instances
.Pq Vt str
If logging to more than one
.Xr pflog 4
interface is desired,
.Va pflog_instances
is set to the list of
.Xr pflogd 8
instances that should be started at system boot time.
If
.Va pflog_instances
is set, for each whitespace-separated
.Ar element
in the list,
.Ao Ar element Ac Ns Va _dev
and
.Ao Ar element Ac Ns Va _logfile
elements are assumed to exist.
.Ao Ar element Ac Ns Va _dev
must contain the
.Xr pflog 4
interface to be watched by the named
.Xr pflogd 8
instance.
.Ao Ar element Ac Ns Va _logfile
must contain the name of the logfile that will be used by the
.Xr pflogd 8
instance.
.It Va ftpproxy_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Setting this to
.Dq Li YES
enables
.Xr ftp-proxy 8
which supports the
.Xr pf 4
packet filter in translating ftp connections.
.It Va ftpproxy_flags
.Pq Vt str
Empty by default.
This variable contains additional flags passed to the
.Xr ftp-proxy 8
program.
.It Va ftpproxy_instances
.Pq Vt str
Empty by default.
If multiple instances of
.Xr ftp-proxy 8
are desired at boot time,
.Va ftpproxy_instances
should contain a whitespace-separated list of instance names.
For each
.Ar element
in the list, a variable named
.Ao Ar element Ac Ns Va _flags
should be defined, containing the command-line flags to be passed to the
.Xr ftp-proxy 8
instance.
.It Va pfsync_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Setting this to
.Dq Li YES
enables exposing
.Xr pf 4
state changes to other hosts over the network by means of
.Xr pfsync 4 .
The
.Va pfsync_syncdev
variable
must also be set then.
.It Va pfsync_syncdev
.Pq Vt str
Empty by default.
This variable specifies the name of the network interface
.Xr pfsync 4
should operate through.
It must be set accordingly if
.Va pfsync_enable
is set to
.Dq Li YES .
.It Va pfsync_syncpeer
.Pq Vt str
Empty by default.
This variable is optional.
By default, state change messages are sent out on the synchronisation
interface using IP multicast packets.
The protocol is IP protocol 240, PFSYNC, and the multicast group used is
224.0.0.240.
When a peer address is specified using the
.Va pfsync_syncpeer
option, the peer address is used as a destination for the pfsync
traffic, and the traffic can then be protected using
.Xr ipsec 4 .
See the
.Xr pfsync 4
manpage for more details about using
.Xr ipsec 4
with
.Xr pfsync 4
interfaces.
.It Va pfsync_ifconfig
.Pq Vt str
Empty by default.
This variable can contain additional options to be passed to the
.Xr ifconfig 8
command used to set up
.Xr pfsync 4 .
.It Va tcp_extensions
.Pq Vt bool
Set to
.Dq Li YES
by default.
Setting this to
.Dq Li NO
disables certain TCP options as described by
.Rs
.%T "RFC 1323"
.Re
Setting this to
.Dq Li NO
might help remedy connection problems such as random hangs
or other weird behavior.
Some network devices are known
to be broken with respect to these options.
.It Va log_in_vain
.Pq Vt int
Set to 0 by default.
The
.Xr sysctl 8
variables,
.Va net.inet.tcp.log_in_vain
and
.Va net.inet.udp.log_in_vain ,
as described in
.Xr tcp 4
and
.Xr udp 4 ,
are set to the given value.
.It Va tcp_keepalive
.Pq Vt bool
Set to
.Dq Li YES
by default.
Setting to
.Dq Li NO
will disable probing idle TCP connections to verify that the
peer is still up and reachable.
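.Pp
One way to check the dependent-variable rules stated above for pfsync_enable, pflog_instances and ftpproxy_instances without sourcing the file, which would execute it as sh(1) code.
This is an added example, not part of the FreeBSD rc scripts; the function names, the finding texts and the sample configuration are constructed for illustration, and only single-line assignments are handled.

```shell
#!/bin/sh
# Added illustration; not FreeBSD's rc.subr code.

# Constructed sample rc.conf fragment.
SAMPLE_RC_CONF='pf_enable="YES"
pfsync_enable="YES"
pflog_instances="dmz lan"
dmz_dev="pflog1"
dmz_logfile="/var/log/pflog-dmz"
lan_dev="pflog2"
ftpproxy_instances="inside"'

# rc_get NAME TEXT: print the value of NAME, last assignment wins.
# The text is parsed, never sourced, so nothing in it is executed.
rc_get() {
    printf '%s\n' "$2" |
        sed -n "s/^$1=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" |
        tail -n 1
}

# Boolean test using the spellings rc.subr's checkyesno treats as true.
is_yes() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
    esac
    return 1
}

# lint_pf_vars TEXT: print one finding per line.
lint_pf_vars() {
    conf=$1
    if is_yes "$(rc_get pfsync_enable "$conf")"; then
        # pfsync_syncdev must be set when pfsync_enable is YES.
        [ -n "$(rc_get pfsync_syncdev "$conf")" ] ||
            echo "ERROR pfsync_enable is YES but pfsync_syncdev is empty"
        # Without a peer, state updates go out as IP multicast.
        [ -n "$(rc_get pfsync_syncpeer "$conf")" ] ||
            echo "NOTE pfsync_syncpeer is empty: multicast to 224.0.0.240"
    fi
    # Every pflogd instance needs <element>_dev and <element>_logfile.
    for inst in $(rc_get pflog_instances "$conf"); do
        for suffix in dev logfile; do
            [ -n "$(rc_get "${inst}_${suffix}" "$conf")" ] ||
                echo "ERROR pflog instance $inst: ${inst}_${suffix} is not set"
        done
    done
    # Every ftp-proxy instance needs <element>_flags.
    for inst in $(rc_get ftpproxy_instances "$conf"); do
        [ -n "$(rc_get "${inst}_flags" "$conf")" ] ||
            echo "ERROR ftp-proxy instance $inst: ${inst}_flags is not set"
    done
}

lint_pf_vars "$SAMPLE_RC_CONF"
```

On a real host the text argument would be the contents of the files named in rc_conf_files, concatenated in that order so that later assignments win.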
.It Va tcp_drop_synfin
.Pq Vt bool
Set to
.Dq Li NO
by default.
Setting to
.Dq Li YES
will cause the kernel to ignore TCP frames that have both
the SYN and FIN flags set.
This prevents OS fingerprinting, but may
break some legitimate applications.
.It Va icmp_drop_redirect
.Pq Vt bool
Set to
.Dq Li AUTO
by default.
This setting will be identical to
.Dq Li YES ,
if a dynamic routing daemon is enabled, because redirect processing may
cause performance issues for large routing tables.
If no such service is enabled, this setting behaves like a
.Dq Li NO .
Setting to
.Dq Li YES
will cause the kernel to ignore ICMP REDIRECT packets.
Setting to
.Dq Li NO
will cause the kernel to process ICMP REDIRECT packets.
Refer to
.Xr icmp 4
for more information.
.It Va icmp_log_redirect
.Pq Vt bool
Set to
.Dq Li NO
by default.
Setting to
.Dq Li YES
will cause the kernel to log ICMP REDIRECT packets.
Note that
the log messages are not rate-limited, so this option should only be used
for troubleshooting networks.
Refer to
.Xr icmp 4
for more information.
.It Va icmp_bmcastecho
.Pq Vt bool
Set to
.Dq Li YES
to respond to broadcast or multicast ICMP ping packets.
Refer to
.Xr icmp 4
for more information.
.It Va ip_portrange_first
.Pq Vt int
If not set to
.Dq Li NO ,
this is the first port in the default portrange.
Refer to
.Xr ip 4
for more information.
.It Va ip_portrange_last
.Pq Vt int
If not set to
.Dq Li NO ,
this is the last port in the default portrange.
Refer to
.Xr ip 4
for more information.
.It Va network_interfaces
.Pq Vt str
Set to the list of network interfaces to configure on this host or
.Dq Li AUTO
(the default) for all current interfaces.
Setting the
.Va network_interfaces
variable to anything other than the default is deprecated.
Interfaces that the administrator wishes to store configuration for,
but not start at boot should be configured with the
.Dq Li NOAUTO
keyword in their
.Va ifconfig_ Ns Aq Ar interface
variables as described below.
.Pp
An
.Va ifconfig_ Ns Aq Ar interface
variable is assumed to exist for each value of
.Ar interface .
When an interface name contains any of the characters
.Dq Li .-/+
they are translated to
.Dq Li _
before lookup.
For example, the interface
.Va em0.102
would be configured using the variable
.Va ifconfig_em0_102 .
.Pp
The variable can contain arguments to
.Xr ifconfig 8 ,
as well as special case-insensitive keywords described below.
Such keywords are removed before passing the value to
.Xr ifconfig 8
while the order of the other arguments is preserved.
.Pp
For example, to assign the IPv4 address 192.0.2.1/24 to the interface em0:
.Bd -literal
ifconfig_em0="inet 192.0.2.1/24 up"
.Ed
.Pp
If the variable
.Va ifconfig_ Ns Ao Ar interface Ac Ns Pa _ipv6
is set, then
.Va ifconfig_ Ns Aq Ar interface
does not need to be set unless an IPv4 address should also be assigned to
the interface.
.Pp
It is possible to add IP alias entries using
.Xr ifconfig 8
syntax with the address family keyword such as
.Li inet .
Assuming that the interface in question was
.Li em0 ,
it might look something like this:
.Bd -literal
ifconfig_em0_alias0="inet 127.0.0.253/32"
ifconfig_em0_alias1="inet 127.0.0.254/32"
.Ed
.Pp
It is also possible to configure multiple IP addresses in Classless
Inter-Domain Routing
.Pq CIDR
address notation,
in which each address component can be a range like
.Li inet 192.0.2.5-23/24
or
.Li inet6 2001:db8:1-f::1/64 .
This notation allows only the address and prefix length parts,
not the other address modifiers.
Note that the maximum number of the generated addresses from a range
specification is limited to an integer value specified in
.Va netif_ipexpand_max
in
.Nm
because a small typo can unexpectedly generate a large number of addresses.
The default value is
.Li 2048 .
It can be increased by adding the following line into
.Nm :
.Bd -literal
netif_ipexpand_max="4096"
.Ed
.Pp
In the case of
.Li 192.0.2.5-23/24 ,
the address 192.0.2.5 will be configured with the prefix length /24 and the
addresses 192.0.2.6 to 192.0.2.23 with the non-conflicting prefix length /32 as
explained in the
.Xr ifconfig 8
alias section.
Note that this special CIDR handling is only for
.Li inet ,
not for the other address families such as
.Li inet6 .
.Pp
With the interface in question being
.Li em0 ,
an example could look like:
.Bd -literal
ifconfig_em0_alias2="inet 192.0.2.129/27"
ifconfig_em0_alias3="inet 192.0.2.1-5/28"
.Ed
.Pp
and so on.
.Pp
Note that the deprecated
.Va ipv4_addrs_ Ns Aq Ar interface
variable was supported for IPv4 CIDR address notation.
The
.Va ifconfig_ Ns Ao Ar interface Ac Ns Va _alias Ns Aq Ar n
variable replaces it, though
.Va ipv4_addrs_ Ns Aq Ar interface
is still supported for backward compatibility.
.Pp
For each
.Va ifconfig_ Ns Ao Ar interface Ac Ns Va _alias Ns Aq Ar n
entry with an address family keyword,
its contents are passed to
.Xr ifconfig 8 .
Execution stops at the first unsuccessful access, so if
something like this is present:
.Bd -literal
ifconfig_em0_alias0="inet 127.0.0.251/32"
ifconfig_em0_alias1="inet 127.0.0.252/32"
ifconfig_em0_alias2="inet 127.0.0.253/32"
ifconfig_em0_alias4="inet 127.0.0.254/32"
.Ed
.Pp
Then note that alias4 would
.Em not
be added since the search would
stop with the missing
.Dq Li alias3
entry.
Because this behavior is difficult to manage,
there is an
.Va ifconfig_ Ns Ao Ar interface Ac Ns Va _aliases
variable, which has the same functionality as
.Va ifconfig_ Ns Ao Ar interface Ac Ns Va _alias Ns Aq Ar n
and can have all of the entries in a variable like the following:
.Bd -literal
ifconfig_em0_aliases="\\
	inet 127.0.0.251/32 \\
	inet 127.0.0.252/32 \\
	inet 127.0.0.253/32 \\
	inet 127.0.0.254/32"
.Ed
.Pp
It also supports netmask notation for backward compatibility.
.Pp
If the
.Pa /etc/start_if . Ns Aq Ar interface
file is present, it is read and executed by the
.Xr sh 1
interpreter
before configuring the interface as specified in the
.Va ifconfig_ Ns Aq Ar interface
and
.Va ifconfig_ Ns Ao Ar interface Ac Ns Va _alias Ns Aq Ar n
variables.
.Pp
If a
.Va vlans_ Ns Aq Ar interface
variable is set,
a
.Xr vlan 4
interface will be created for each item in the list with the
.Ar vlandev
argument set to
.Ar interface .
If a vlan interface's name is a number,
then that number is used as the vlan tag and the new vlan interface is
named
.Ar interface . Ns Ar tag .
Otherwise,
the vlan tag must be specified via a
.Va vlan
parameter in the
.Va create_args_ Ns Aq Ar interface
variable.
.Pp
To create a vlan device named
.Li em0.101
on
.Li em0
with the vlan tag 101 and the optional IPv4 address 192.0.2.1/24:
.Bd -literal
vlans_em0="101"
ifconfig_em0_101="inet 192.0.2.1/24"
.Ed
.Pp
To create a vlan device named
.Li myvlan
on
.Li em0
with the vlan tag 102:
.Bd -literal
vlans_em0="myvlan"
create_args_myvlan="vlan 102"
.Ed
.Pp
If a
.Va wlans_ Ns Aq Ar interface
variable is set,
an
.Xr wlan 4
interface will be created for each item in the list with the
.Ar wlandev
argument set to
.Ar interface .
Further wlan cloning arguments may be passed to the
.Xr ifconfig 8
.Cm create
command by setting the
.Va create_args_ Ns Aq Ar interface
variable.
One or more
.Xr wlan 4
devices must be created for each wireless device as of
.Fx 8.0 .
Debugging flags for
.Xr wlan 4
devices as set by
.Xr wlandebug 8
may be specified with a
.Va wlandebug_ Ns Aq Ar interface
variable.
The contents of this variable will be passed directly to
.Xr wlandebug 8 .
.Pp
If the
.Va ifconfig_ Ns Aq Ar interface
contains the keyword
.Dq Li NOAUTO
then the interface will not be configured
at boot or by
.Pa /etc/pccard_ether
when
.Va network_interfaces
is set to
.Dq Li AUTO .
.Pp
It is possible to bring up an interface with DHCP by adding
.Dq Li DHCP
to the
.Va ifconfig_ Ns Aq Ar interface
variable.
For instance, to initialize the
.Li em0
device via DHCP,
it is possible to use something like:
.Bd -literal
ifconfig_em0="DHCP"
.Ed
.Pp
If you want to configure your wireless interface with
.Xr wpa_supplicant 8
for use with WPA, EAP/LEAP or WEP, you need to add
.Dq Li WPA
to the
.Va ifconfig_ Ns Aq Ar interface
variable.
.Pp
On the other hand, if you want to configure your wireless interface with
.Xr hostapd 8 ,
you need to add
.Dq Li HOSTAP
to the
.Va ifconfig_ Ns Aq Ar interface
variable.
.Xr hostapd 8
will use the settings from
.Pa /etc/hostapd- Ns Ao Ar interface Ac Ns .conf .
.Pp
Finally, you can add
.Xr ifconfig 8
options in this variable, in addition to the
.Pa /etc/start_if . Ns Aq Ar interface
file.
For instance, to configure an
.Xr ath 4
wireless device in station mode with an address obtained
via DHCP, using WPA authentication and 802.11b mode, it is
possible to use something like:
.Bd -literal
wlans_ath0="wlan0"
ifconfig_wlan0="DHCP WPA mode 11b"
.Ed
.Pp
In addition to the
.Va ifconfig_ Ns Aq Ar interface
form, a fallback variable
.Va ifconfig_DEFAULT
may be configured.
It will be used for all interfaces with no
.Va ifconfig_ Ns Aq Ar interface
variable.
.Pp
It is also possible to rename an interface by doing:
.Bd -literal
ifconfig_em0_name="net0"
ifconfig_net0="inet 192.0.2.1/24"
.Ed
.It Va ipv6_enable
.Pq Vt bool
This variable is deprecated.
Use
.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
and
.Va ipv6_activate_all_interfaces
if necessary.
.Pp
If the variable is
.Dq Li YES ,
.Dq Li inet6 accept_rtadv
is added to all of
.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
and the
.Va ipv6_activate_all_interfaces
variable is defined as
.Dq Li YES .
.It Va ipv6_prefer
.Pq Vt bool
This variable is deprecated.
Use
.Va ip6addrctl_policy
instead.
.Pp
If the variable is
.Dq Li YES ,
the default address selection policy table set by
.Xr ip6addrctl 8
will be IPv6-preferred.
.Pp
If the variable is
.Dq Li NO ,
the default address selection policy table set by
.Xr ip6addrctl 8
will be IPv4-preferred.
.It Va ipv6_activate_all_interfaces
.Pq Vt bool
This controls initial configuration on IPv6-capable
interfaces with no corresponding
.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
variable.
Note that it is not always necessary to set this variable to
.Dq YES
to use IPv6 functionality on
.Fx .
In most cases, just configuring
.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
variables works.
.Pp
If the variable is
.Dq Li NO ,
all interfaces which do not have a corresponding
.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
variable will be marked as
.Dq Li IFDISABLED
at creation.
This means that all IPv6 functionality on that interface
is completely disabled to enforce a security policy.
If the variable is set to
.Dq YES ,
the flag will be cleared on all of the interfaces.
.Pp
In most cases, just defining an
.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
for an IPv6-capable interface should be sufficient.
However, if an interface is added dynamically
.Pq by some tunneling protocols such as PPP, for example ,
it is often difficult to define the variable in advance.
In such a case, configuring the
.Dq Li IFDISABLED
flag can be disabled by setting this variable to
.Dq YES .
.Pp
For more details of the
.Dq Li IFDISABLED
flag and keywords
.Dq Li inet6 ifdisabled ,
see
.Xr ifconfig 8 .
.Pp
Default is
.Dq Li NO .
.It Va ipv6_privacy
.Pq Vt bool
If the variable is
.Dq Li YES
privacy addresses will be generated for each IPv6
interface as described in RFC 4941.
.It Va ipv6_network_interfaces
.Pq Vt str
This is the IPv6 equivalent of
.Va network_interfaces .
Normally manual configuration of this variable is not needed.
.It Va ipv6_cpe_wanif
.Pq Vt str
If the variable is set to an interface name,
the
.Xr ifconfig 8
options
.Dq inet6 -no_radr accept_rtadv
will be added to the specified interface automatically before evaluating
.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6 ,
and two
.Xr sysctl 8
variables
.Va net.inet6.ip6.rfc6204w3
and
.Va net.inet6.ip6.no_radr
will be set to 1.
.Pp
This means the specified interface will accept ICMPv6 Router
Advertisement messages on that link and add the discovered
routers into the Default Router List.
While the other interfaces can still accept RA messages if the
.Dq inet6 accept_rtadv
option is specified, adding
routes into the Default Router List will be disabled by the
.Dq inet6 no_radr
option by default.
See
.Xr ifconfig 8
for more details.
.Pp
Note that ICMPv6 Router Advertisement messages will be
accepted even when
.Va net.inet6.ip6.forwarding
is 1
.Pq packet forwarding is enabled
when
.Va net.inet6.ip6.rfc6204w3
is set to 1.
.Pp
Default is
.Dq Li NO .
.It Va ifconfig_ Ns Ao Ar interface Ac Ns _descr
.Pq Vt str
This assigns an arbitrary description to an interface.
The
.Xr sysctl 8
variable
.Va net.ifdescr_maxlen
limits its length.
This static setting may be overridden by commands
started with dynamic interface configuration utilities
like
.Xr dhclient 8
hooks.
The description can be seen with the
.Xr ifconfig 8
command and it may be exported with the
.Xr bsnmpd 1
daemon using its MIB-2 module.
.It Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
.Pq Vt str
IPv6 functionality on an interface should be configured by
.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6 ,
instead of setting ifconfig parameters in
.Va ifconfig_ Ns Aq Ar interface .
If this variable is empty, all IPv6 configurations on the
specified interface by other variables such as
.Va ipv6_prefix_ Ns Ao Ar interface Ac
will be ignored.
.Pp
Aliases should be set by
.Va ifconfig_ Ns Ao Ar interface Ac Ns Va _alias Ns Aq Ar n
with
.Dq Li inet6
keyword.
For example:
.Bd -literal
ifconfig_em0_ipv6="inet6 2001:db8:1::1 prefixlen 64"
ifconfig_em0_alias0="inet6 2001:db8:2::1 prefixlen 64"
.Ed
.Pp
Interfaces that have an
.Dq Li inet6 accept_rtadv
keyword in
.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
setting will be automatically configured by SLAAC
.Pq StateLess Address AutoConfiguration
described in
.Rs
.%T "RFC 4862"
.Re
.Pp
Note that a link-local address will be automatically configured in
addition to the configured global-scope addresses because the IPv6
specifications require it on each link.
The address is calculated from the MAC address by using an algorithm
defined in
.Rs
.%T "RFC 4862"
.%O "Section 5.3"
.Re
.Pp
If only a link-local address is needed on the interface,
the following configuration can be used:
.Bd -literal
ifconfig_em0_ipv6="inet6 auto_linklocal"
.Ed
.Pp
A link-local address can also be configured manually.
This is useful for the default router address of an IPv6 router
so that it does not change when the network interface
card is replaced.
For example:
.Bd -literal
ifconfig_em0_ipv6="inet6 fe80::1 prefixlen 64"
.Ed
.It Va ipv6_prefix_ Ns Aq Ar interface
.Pq Vt str
If one or more prefixes are defined in
.Va ipv6_prefix_ Ns Aq Ar interface
addresses based on each prefix and the EUI-64 interface index will be
configured on that interface.
Note that this variable will be ignored when
.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
is empty.
.Pp
For example, the following configuration
.Bd -literal
ipv6_prefix_em0="2001:db8:1:0 2001:db8:2:0"
.Ed
.Pp
is equivalent to the following:
.Bd -literal
ifconfig_em0_alias0="inet6 2001:db8:1:: eui64 prefixlen 64"
ifconfig_em0_alias1="inet6 2001:db8:1:: prefixlen 64 anycast"
ifconfig_em0_alias2="inet6 2001:db8:2:: eui64 prefixlen 64"
ifconfig_em0_alias3="inet6 2001:db8:2:: prefixlen 64 anycast"
.Ed
.Pp
These Subnet-Router anycast addresses will be added only when
.Va ipv6_gateway_enable
is YES.
.It Va ipv6_default_interface
.Pq Vt str
If not set to
.Dq Li NO ,
this is the default output interface for scoped addresses.
This works only with ipv6_gateway_enable="NO".
.It Va ip6addrctl_enable
.Pq Vt bool
This variable enables configuration of the default address selection policy table
.Pq RFC 3484 .
The table can be specified in another variable
.Va ip6addrctl_policy .
For
.Va ip6addrctl_policy
the following keywords can be specified:
.Dq Li ipv4_prefer ,
.Dq Li ipv6_prefer ,
or
.Dq Li AUTO .
.Pp
If
.Dq Li ipv4_prefer
or
.Dq Li ipv6_prefer
is specified,
.Xr ip6addrctl 8
installs a pre-defined policy table described in Section 10.3
.Pq IPv4-preferred
or 2.1
.Pq IPv6-preferred
of RFC 3484.
.Pp
If
.Dq Li AUTO
is specified, it attempts to read a file
.Pa /etc/ip6addrctl.conf
first.
If this file is found,
.Xr ip6addrctl 8
reads and installs it.
If not found, a policy is automatically set
according to
.Va ipv6_activate_all_interfaces
variable; if the variable is set to
.Dq Li YES
the IPv6-preferred one is used.
Otherwise the IPv4-preferred one is used.
.Pp
The default values of
.Va ip6addrctl_enable
and
.Va ip6addrctl_policy
are
.Dq Li YES
and
.Dq Li AUTO ,
respectively.
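.Pp
The interface-name translation, alias numbering and IPv4 range expansion rules described under network_interfaces above, as an added shell example that is not FreeBSD's own implementation.
The function names and sample assignments are constructed; the order in which a multi-component range is walked, and refusing the whole specification when it exceeds the limit, are assumptions of this sketch.

```shell
#!/bin/sh
# Added illustration of the rc.conf naming rules; not FreeBSD's network.subr.

# Constructed sample input (single-line assignments only).
SAMPLE_ALIASES='ifconfig_em0_alias0="inet 127.0.0.251/32"
ifconfig_em0_alias1="inet 127.0.0.252/32"
ifconfig_em0_alias2="inet 127.0.0.253/32"
ifconfig_em0_alias4="inet 127.0.0.254/32"
ifconfig_em0_102_alias0="inet 192.0.2.129/27"
ifconfig_em0_102_alias2="inet 192.0.2.1-5/28"'

# Interface name -> variable-name suffix: each of . - / + becomes _
ifn_to_var() {
    printf '%s\n' "$1" | tr './+-' '____'
}

# unreached_aliases IFACE: read rc.conf text on stdin and print the alias
# variables that are never reached because a lower-numbered one is missing.
unreached_aliases() {
    prefix="ifconfig_$(ifn_to_var "$1")_alias"
    next=0
    out=""
    for n in $(sed -n "s/^${prefix}\([0-9][0-9]*\)=.*/\1/p" | sort -nu); do
        if [ "$n" -eq "$next" ]; then
            next=$((next + 1))
        else
            # Numbers are sorted, so everything after the first gap lands here.
            out="${out}${out:+ }${prefix}${n}"
        fi
    done
    printf '%s\n' "$out"
}

# expand_inet_range SPEC [MAX]: expand an inet range such as 192.0.2.5-23/24.
# The first address keeps the given prefix length, the rest get /32.
# MAX defaults to 2048, the documented default of netif_ipexpand_max.
# Assumption: components are walked left to right, last one fastest, and a
# specification over the limit is rejected as a whole.
expand_inet_range() {
    awk -v spec="$1" -v max="${2:-2048}" 'BEGIN {
        split(spec, sp, "/")
        split(sp[1], oct, ".")
        total = 1
        for (i = 1; i <= 4; i++) {
            n = split(oct[i], r, "-")
            lo[i] = r[1] + 0
            hi[i] = (n > 1 ? r[2] : r[1]) + 0
            total *= hi[i] - lo[i] + 1
        }
        if (total > max) {
            print ("refusing " spec ": " total " addresses, limit " max) | "cat 1>&2"
            exit 1
        }
        for (a = lo[1]; a <= hi[1]; a++)
          for (b = lo[2]; b <= hi[2]; b++)
            for (c = lo[3]; c <= hi[3]; c++)
              for (d = lo[4]; d <= hi[4]; d++)
                printf "%d.%d.%d.%d/%s\n", a, b, c, d, (seen++ ? "32" : sp[2])
    }'
}

printf '%s\n' "$SAMPLE_ALIASES" | unreached_aliases em0
expand_inet_range 192.0.2.1-5/28
# A one-character slip in the third component multiplies the address count.
expand_inet_range 192.0.2-200.5-23/24 || echo "range rejected"
```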
.It Va cloned_interfaces
.Pq Vt str
Set to the list of clonable network interfaces to create on this host.
Further cloning arguments may be passed to the
.Xr ifconfig 8
.Cm create
command for each interface by setting the
.Va create_args_ Ns Aq Ar interface
variable.
If an interface name is specified with the
.Dq :sticky
keyword,
the interface will not be destroyed even when the
.Pa rc.d/netif
script is invoked with the
.Dq stop
argument.
This is useful when reconfiguring the interface without destroying it.
Entries in
.Va cloned_interfaces
are automatically appended to
.Va network_interfaces
for configuration.
.It Va cloned_interfaces_sticky
.Pq Vt bool
This variable globally enables the functionality of the
.Dq :sticky
keyword in
.Va cloned_interfaces
for all interfaces.
The default value is
.Dq NO .
Even if this variable is set to
.Dq YES ,
the
.Dq :nosticky
keyword can be used to override it on a per-interface basis.
.It Va gif_interfaces
Set to the list of
.Xr gif 4
tunnel interfaces to configure on this host.
A
.Va gifconfig_ Ns Aq Ar interface
variable is assumed to exist for each value of
.Ar interface .
The value of this variable is used to configure the link layer of the
tunnel using the
.Cm tunnel
option to
.Xr ifconfig 8 .
Additionally, this option ensures that each listed interface is created
via the
.Cm create
option to
.Xr ifconfig 8
before attempting to configure it.
.Pp
For example, configure two
.Xr gif 4
interfaces with:
.Bd -literal
gif_interfaces="gif0 gif1"
gifconfig_gif0="100.64.0.1 100.64.0.2"
ifconfig_gif0="inet 10.0.0.1/30 10.0.0.2"
gifconfig_gif1="inet6 2a00::1 2a01::1"
ifconfig_gif1="inet 10.1.0.1/30 10.1.0.2"
.Ed
.It Va ppp_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr ppp 8
daemon.
.It Va ppp_profile
.Pq Vt str
The name of the profile to use from
.Pa /etc/ppp/ppp.conf .
Also used for per-profile overrides of
.Va ppp_mode
and
.Va ppp_nat ,
and
.Va ppp_ Ns Ao Ar profile Ac Ns _unit .
When the profile name contains any of the characters
.Dq Li .-/+
they are translated to
.Dq Li _
for the purposes of the override variable names.
.It Va ppp_mode
.Pq Vt str
Mode in which to run the
.Xr ppp 8
daemon.
.It Va ppp_ Ns Ao Ar profile Ac Ns _mode
.Pq Vt str
Overrides the global
.Va ppp_mode
for
.Ar profile .
Accepted modes are
.Dq Li auto ,
.Dq Li ddial ,
.Dq Li direct
and
.Dq Li dedicated .
See the manual for a full description.
.It Va ppp_nat
.Pq Vt bool
If set to
.Dq Li YES ,
enables network address translation.
Used in conjunction with
.Va gateway_enable ,
this allows hosts on private network addresses access to the Internet using
this host as a network address translating router.
Default is
.Dq Li YES .
.It Va ppp_ Ns Ao Ar profile Ac Ns _nat
.Pq Vt str
Overrides the global
.Va ppp_nat
for
.Ar profile .
.It Va ppp_ Ns Ao Ar profile Ac Ns _unit
.Pq Vt int
Set the unit number to be used for this profile.
See the manual description of
.Fl unit Ns Ar N
for details.
.It Va ppp_user
.Pq Vt str
The name of the user under which
.Xr ppp 8
should be started.
By
default,
.Xr ppp 8
is started as
.Dq Li root .
.It Va rc_conf_files
.Pq Vt str
This option is used to specify a list of files that will override
the settings in
.Pa /etc/defaults/rc.conf .
The files will be read in the order in which they are specified and should
include the full path to the file.
By default, the files specified are
.Pa /etc/rc.conf
and
.Pa /etc/rc.conf.local .
.It Va zfs_enable
.Pq Vt bool
If set to
.Dq Li YES ,
.Pa /etc/rc.d/zfs
will attempt to automatically mount ZFS file systems and initialize ZFS volumes
(ZVOLs).
.It Va zpool_reguid
.Pq Vt str
A space-separated list of ZFS pool names for which new pool GUIDs should be
assigned upon first boot.
This is useful when using a ZFS pool copied from a template, such as a virtual
machine image.
.It Va zpool_upgrade
.Pq Vt str
A space-separated list of ZFS pool names for which the version should be
upgraded upon first boot.
This is useful when using a ZFS pool generated by the
.Xr makefs 8
utility.
.It Va gptboot_enable
.Pq Vt bool
If set to
.Dq Li YES ,
.Pa /etc/rc.d/gptboot
will log if the system successfully (or not) booted from a GPT partition,
which had the
.Ar bootonce
attribute set using the
.Xr gpart 8
utility.
.It Va geli_devices
.Pq Vt str
List of devices to automatically attach on boot.
Note that .eli devices from
.Pa /etc/fstab
are automatically appended to this list.
.It Va geli_groups
.Pq Vt str
List of groups containing devices to automatically attach on boot with the same
keyfiles and passphrase.
This must be accompanied with a corresponding
.Va geli_ Ns Ao Ar group Ac Ns Va _devices
variable.
.It Va geli_tries
.Pq Vt int
Number of times the user is asked for the pass-phrase.
If empty, it will be taken from
.Va kern.geom.eli.tries
sysctl variable.
.It Va geli_default_flags
.Pq Vt str
Default flags to use by
.Xr geli 8
when configuring disk encryption.
Flags can be configured for every device separately by defining the
.Va geli_ Ns Ao Ar device Ac Ns Va _flags
variable, and for every group separately by defining the
.Va geli_ Ns Ao Ar group Ac Ns Va _flags
variable.
.It Va geli_autodetach
.Pq Vt str
Specifies if GELI devices should be marked for detach on last close after
file systems are mounted.
Default is
.Dq Li YES .
This can be changed for every device separately by defining the
.Va geli_ Ns Ao Ar device Ac Ns Va _autodetach
variable.
.It Va root_rw_mount
.Pq Vt bool
Set to
.Dq Li YES
by default.
After the file systems are checked at boot time, the root file system
is remounted as read-write if this is set to
.Dq Li YES .
Diskless systems that mount their root file system from a read-only remote
NFS share should set this to
.Dq Li NO
in their
.Pa rc.conf .
.It Va fsck_y_enable
.Pq Vt bool
If set to
.Dq Li YES ,
.Xr fsck 8
will be run with the
.Fl y
flag if the initial preen
of the file systems fails.
.It Va background_fsck
.Pq Vt bool
If set to
.Dq Li NO ,
the system will not attempt to run
.Xr fsck 8
in the background where possible.
.It Va background_fsck_delay
.Pq Vt int
The amount of time in seconds to sleep before starting a background
.Xr fsck 8 .
It defaults to sixty seconds to allow large applications such as
the X server to start before disk I/O bandwidth is monopolized by
.Xr fsck 8 .
If set to a negative number, the background file system check will be
delayed indefinitely to allow the administrator to run it at a more
convenient time.
For example it may be run from
.Xr cron 8
by adding a line like
.Pp
.Dl "0 4 * * * root /etc/rc.d/bgfsck forcestart"
.Pp
to
.Pa /etc/crontab .
.It Va netfs_types
.Pq Vt str
List of file system types that are network-based.
This list should generally not be modified by end users.
Use
.Va extra_netfs_types
instead.
.It Va extra_netfs_types
.Pq Vt str
If set to something other than
.Dq Li NO
(the default),
this variable extends the list of file system types
for which automatic mounting at startup by
.Xr rc 8
should be delayed until the network is initialized.
It should contain
a whitespace-separated list of network file system descriptor pairs,
each consisting of a file system type as passed to
.Xr mount 8
and a human-readable, one-word description,
joined with a colon
.Pq Ql \&: .
Extending the default list in this way is only necessary
when third party file system types are used.
.It Va syslogd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr syslogd 8
daemon.
Note, the
.Va syslogd_oomprotect
variable is set to
.Dq Li YES
by default in
.Pa /etc/defaults/rc.conf .
.It Va syslogd_program
.Pq Vt str
Path to
.Xr syslogd 8
(default
.Pa /usr/sbin/syslogd ) .
.It Va syslogd_flags
.Pq Vt str
If
.Va syslogd_enable
is set to
.Dq Li YES ,
these are the flags to pass to
.Xr syslogd 8 .
.It Va inetd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr inetd 8
daemon.
.It Va inetd_program
.Pq Vt str
Path to
.Xr inetd 8
(default
.Pa /usr/sbin/inetd ) .
.It Va inetd_flags
.Pq Vt str
If
.Va inetd_enable
is set to
.Dq Li YES ,
these are the flags to pass to
.Xr inetd 8 .
.It Va hastd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr hastd 8
daemon.
.It Va hastd_program
.Pq Vt str
Path to
.Xr hastd 8
(default
.Pa /sbin/hastd ) .
.It Va hastd_flags
.Pq Vt str
If
.Va hastd_enable
is set to
.Dq Li YES ,
these are the flags to pass to
.Xr hastd 8 .
.It Va local_unbound_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr unbound 8
daemon as a local caching DNS resolver.
Note, the
.Va local_unbound_oomprotect
variable is set to
.Dq Li YES
by default in
.Pa /etc/defaults/rc.conf .
.It Va nscd_enable
.Pq Vt bool
Set to
.Dq Li YES
to start the
.Xr nscd 8
caching daemon for the
.Nm nsswitch
subsystem.
.It Va nscd_flags
.Pq Vt str
If
.Va nscd_enable
is set to
.Dq Li YES ,
these flags are passed to
.Xr nscd 8 .
.It Va kdc_enable
.Pq Vt bool
Set to
.Dq Li YES
to start a Kerberos 5 authentication server
at boot time.
.It Va kdc_program
.Pq Vt str
If
.Va kdc_enable
is set to
.Dq Li YES
this is the path to Kerberos 5 Authentication Server.
.It Va kdc_flags
.Pq Vt str
Empty by default.
This variable contains additional flags to be passed to the Kerberos 5
authentication server.
.It Va kadmind_enable
.Pq Vt bool
Set to
.Dq Li YES
to start
.Xr kadmind 8 ,
the Kerberos 5 Administration Daemon; set to
.Dq Li NO
on a slave server.
.It Va kadmind_program
.Pq Vt str
If
.Va kadmind_enable
is set to
.Dq Li YES
this is the path to Kerberos 5 Administration Daemon.
.It Va kpasswdd_enable
.Pq Vt bool
Set to
.Dq Li YES
to start
.Xr kpasswdd 8 ,
the Kerberos 5 Password-Changing Daemon; set to
.Dq Li NO
on a slave server.
.It Va kpasswdd_program
.Pq Vt str
If
.Va kpasswdd_enable
is set to
.Dq Li YES
this is the path to the Kerberos 5 Password-Changing Daemon.
.It Va kfd_enable
.Pq Vt bool
Set to
.Dq Li YES
to start
.Xr kfd 8 ,
the Kerberos 5 ticket forwarding daemon, at boot time.
.It Va kfd_program
.Pq Vt str
Path to
.Xr kfd 8
(default
.Pa /usr/libexec/kfd ) .
.It Va rwhod_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr rwhod 8
daemon at boot time.
.It Va rwhod_flags
.Pq Vt str
If
.Va rwhod_enable
is set to
.Dq Li YES ,
these are the flags to pass to it.
.It Va update_motd
.Pq Vt bool
If set to
.Dq Li YES ,
.Pa /var/run/motd
will be updated at boot time to reflect the kernel release
being run.
If set to
.Dq Li NO ,
.Pa /var/run/motd
will not be updated.
.It Va nfs_client_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the NFS client daemons at boot time.
.It Va nfs_access_cache
.Pq Vt int
If
.Va nfs_client_enable
is set to
.Dq Li YES ,
this can be set to
.Dq Li 0
to disable NFS ACCESS RPC caching, or to the number of seconds for which
NFS ACCESS
results should be cached.
A value of 2-10 seconds will substantially reduce network
traffic for many NFS operations.
.It Va nfs_server_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the NFS server daemons at boot time.
.It Va nfs_server_flags
.Pq Vt str
If
.Va nfs_server_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr nfsd 8
daemon.
.It Va nfsv4_server_enable
.Pq Vt bool
If
.Va nfs_server_enable
is set to
.Dq Li YES
and
.Va nfsv4_server_enable
is set to
.Dq Li YES ,
enable the server for NFSv4 as well as NFSv2 and NFSv3.
.It Va nfsv4_server_only
.Pq Vt bool
If
.Va nfs_server_enable
is set to
.Dq Li YES
and
.Va nfsv4_server_only
is set to
.Dq Li YES ,
enable the NFS server for NFSv4 only.
.It Va nfs_server_maxio
.Pq Vt int
Value to set vfs.nfsd.srvmaxio to, which is the
maximum I/O size for the NFS server.
.It Va tlsclntd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr rpc.tlsclntd 8
daemon, which is needed for NFS-over-TLS NFS mounts.
.It Va tlsservd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr rpc.tlsservd 8
daemon, which is needed for the
.Xr nfsd 8
to support NFS-over-TLS NFS mounts.
.It Va nfsuserd_enable
.Pq Vt bool
If
.Va nfsuserd_enable
is set to
.Dq Li YES ,
run the nfsuserd daemon, which is needed for NFSv4 in order
to map between user/group names and uid/gid numbers.
If
.Va nfsv4_server_enable
is set to
.Dq Li YES ,
this will be forced enabled.
.It Va nfsuserd_flags
.Pq Vt str
If
.Va nfsuserd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr nfsuserd 8
daemon.
.It Va nfscbd_enable
.Pq Vt bool
If
.Va nfscbd_enable
is set to
.Dq Li YES ,
run the nfscbd daemon, which enables callbacks/delegations for the NFSv4 client.
.It Va nfscbd_flags
.Pq Vt str
If
.Va nfscbd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr nfscbd 8
daemon.
.It Va mountd_enable
.Pq Vt bool
If set to
.Dq Li YES
and
.Va nfs_server_enable
is not set, start
.Xr mountd 8 ,
but not the
.Xr nfsd 8
daemon.
This is commonly needed to run CFS without real NFS in use.
.It Va mountd_flags
.Pq Vt str
If
.Va mountd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr mountd 8
daemon.
.It Va weak_mountd_authentication
.Pq Vt bool
If set to
.Dq Li YES ,
allow services like PCNFSD to make non-privileged mount
requests.
.It Va nfs_reserved_port_only
.Pq Vt bool
If set to
.Dq Li YES ,
provide NFS services only on a secure port.
.It Va nfs_bufpackets
.Pq Vt int
If set to a number, indicates the number of packets worth of
socket buffer space to reserve on an NFS client.
The kernel default is typically 4.
Using a higher number may be
useful on gigabit networks to improve performance.
The minimum value is
2 and the maximum is 64.
.It Va rpc_lockd_enable
.Pq Vt bool
If set to
.Dq Li YES
and also an NFS server or client, run
.Xr rpc.lockd 8
at boot time.
.It Va rpc_lockd_flags
.Pq Vt str
If
.Va rpc_lockd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr rpc.lockd 8
daemon.
.It Va rpc_statd_enable
.Pq Vt bool
If set to
.Dq Li YES
and also an NFS server or client, run
.Xr rpc.statd 8
at boot time.
.It Va rpc_statd_flags
.Pq Vt str
If
.Va rpc_statd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr rpc.statd 8
daemon.
.It Va rpcbind_program
.Pq Vt str
Path to
.Xr rpcbind 8
(default
.Pa /usr/sbin/rpcbind ) .
.It Va rpcbind_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr rpcbind 8
service at boot time.
.It Va rpcbind_flags
.Pq Vt str
If
.Va rpcbind_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr rpcbind 8
daemon.
.It Va pppoed_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr pppoed 8
daemon at boot time to provide PPP over Ethernet services.
.It Va pppoed_ Ns Aq Ar provider
.Pq Vt str
.Xr pppoed 8
listens to requests to this
.Ar provider
and ultimately runs
.Xr ppp 8
with a
.Ar system
argument of the same name.
.It Va pppoed_flags
.Pq Vt str
Additional flags to pass to
.Xr pppoed 8 .
.It Va pppoed_interface
.Pq Vt str
The network interface to run
.Xr pppoed 8
on.
This is mandatory when
.Va pppoed_enable
is set to
.Dq Li YES .
.It Va ntpdate_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run
.Xr ntpdate 8
at system startup.
This command is intended to
synchronize the system clock only
.Em once
from some standard reference.
.Pp
Note that the use of the
.Va ntpd_sync_on_start
variable is a preferred alternative to the
.Xr ntpdate 8
utility as
.Xr ntpdate 8
is to be retired from the NTP distribution.
.It Va ntpdate_config
.Pq Vt str
Configuration file for
.Xr ntpdate 8 .
Default
.Pa /etc/ntp.conf .
.It Va ntpdate_hosts
.Pq Vt str
A whitespace-separated list of NTP servers to synchronize with at startup.
The default is to use the servers listed in
.Va ntpdate_config ,
if that file exists.
.It Va ntpdate_program
.Pq Vt str
Path to
.Xr ntpdate 8
(default
.Pa /usr/sbin/ntpdate ) .
.It Va ntpdate_flags
.Pq Vt str
If
.Va ntpdate_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr ntpdate 8
command (typically a hostname).
.It Va ntpd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr ntpd 8
command at boot time.
.It Va ntpd_program
.Pq Vt str
Path to
.Xr ntpd 8
(default
.Pa /usr/sbin/ntpd ) .
.It Va ntpd_config
.Pq Vt str
Path to
.Xr ntpd 8
configuration file.
Default
.Pa /etc/ntp.conf .
.It Va ntpd_flags
.Pq Vt str
If
.Va ntpd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr ntpd 8
daemon.
.It Va ntpd_sync_on_start
.Pq Vt bool
If set to
.Dq Li YES ,
.Xr ntpd 8
is run with the
.Fl g
flag, which syncs the system's clock on startup.
See
.Xr ntpd 8
for more information regarding the
.Fl g
option.
This is a preferred alternative to using
.Xr ntpdate 8
or specifying the
.Va ntpdate_enable
variable.
.It Va nis_client_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr ypbind 8
service at system boot time.
.It Va nis_client_flags
.Pq Vt str
If
.Va nis_client_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr ypbind 8
service.
.It Va nis_ypldap_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr ypldap 8
daemon at system boot time.
.It Va nis_ypldap_flags
.Pq Vt str
If
.Va nis_ypldap_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr ypldap 8
daemon.
.It Va nis_ypset_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr ypset 8
daemon at system boot time.
.It Va nis_ypset_flags
.Pq Vt str
If
.Va nis_ypset_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr ypset 8
daemon.
.It Va nis_server_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr ypserv 8
daemon at system boot time.
.It Va nis_server_flags
.Pq Vt str
If
.Va nis_server_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr ypserv 8
daemon.
.It Va nis_ypxfrd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr rpc.ypxfrd 8
daemon at system boot time.
.It Va nis_ypxfrd_flags
.Pq Vt str
If
.Va nis_ypxfrd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr rpc.ypxfrd 8
daemon.
.It Va nis_yppasswdd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr rpc.yppasswdd 8
daemon at system boot time.
.It Va nis_yppasswdd_flags
.Pq Vt str
If
.Va nis_yppasswdd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr rpc.yppasswdd 8
daemon.
.It Va rpc_ypupdated_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Nm rpc.ypupdated
daemon at system boot time.
.It Va bsnmpd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr bsnmpd 1
daemon at system boot time.
Be sure to understand the security implications of running an SNMP daemon
on your host.
.It Va bsnmpd_flags
.Pq Vt str
If
.Va bsnmpd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr bsnmpd 1
daemon.
.It Va defaultrouter
.Pq Vt str
If not set to
.Dq Li NO ,
create a default route to this host name or IP address
(use an IP address if this router is also required to get to the
name server!).
.It Va defaultrouter_fibN
.Pq Vt str
If not set to
.Dq Li NO ,
create a default route in FIB N to this host name or IP address.
.It Va ipv6_defaultrouter
.Pq Vt str
The IPv6 equivalent of
.Va defaultrouter .
.It Va ipv6_defaultrouter_fibN
.Pq Vt str
The IPv6 equivalent of
.Va defaultrouter_fibN .
.It Va static_arp_pairs
.Pq Vt str
Set to the list of static ARP pairs that are to be added at system
boot time.
For each whitespace separated
.Ar element
in the value, a
.Va static_arp_ Ns Aq Ar element
variable is assumed to exist whose contents will later be passed to a
.Dq Nm arp Cm -S
operation.
For example
.Bd -literal
static_arp_pairs="gw"
static_arp_gw="192.168.1.1 00:01:02:03:04:05"
.Ed
.It Va static_ndp_pairs
.Pq Vt str
Set to the list of static NDP pairs that are to be added at system
boot time.
For each whitespace separated
.Ar element
in the value, a
.Va static_ndp_ Ns Aq Ar element
variable is assumed to exist whose contents will later be passed to a
.Dq Nm ndp Cm -s
operation.
For example
.Bd -literal
static_ndp_pairs="gw"
static_ndp_gw="2001:db8:3::1 00:01:02:03:04:05"
.Ed
.It Va static_routes
.Pq Vt str
Set to the list of static routes that are to be added at system
boot time.
If not set to
.Dq Li NO
then for each whitespace separated
.Ar element
in the value, a
.Va route_ Ns Aq Ar element
variable is assumed to exist
whose contents will later be passed to a
.Dq Nm route Cm add
operation.
For example:
.Bd -literal
static_routes="ext mcast:gif0 gif0local:gif0"
route_ext="-net 10.0.0.0/24 -gateway 192.168.0.1"
route_mcast="-net 224.0.0.0/4 -iface gif0"
route_gif0local="-host 169.254.1.1 -iface lo0"
.Ed
.Pp
When an
.Ar element
is in the form of
.Li name:ifname ,
the route is specific to the interface
.Li ifname .
.It Va ipv6_static_routes
.Pq Vt str
The IPv6 equivalent of
.Va static_routes .
If not set to
.Dq Li NO
then for each whitespace separated
.Ar element
in the value, a
.Va ipv6_route_ Ns Aq Ar element
variable is assumed to exist
whose contents will later be passed to a
.Dq Nm route Cm add Fl inet6
operation.
.It Va gateway_enable
.Pq Vt bool
If set to
.Dq Li YES ,
configure host to act as an IP router, e.g.\& to forward packets
between interfaces.
.It Va ipv6_gateway_enable
.Pq Vt bool
The IPv6 equivalent of
.Va gateway_enable .
.It Va routed_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run a routing daemon of some sort, based on the
settings of
.Va routed_program
and
.Va routed_flags .
.It Va route6d_enable
.Pq Vt bool
The IPv6 equivalent of
.Va routed_enable .
If set to
.Dq Li YES ,
run a routing daemon of some sort, based on the
settings of
.Va route6d_program
and
.Va route6d_flags .
.It Va routed_program
.Pq Vt str
If
.Va routed_enable
is set to
.Dq Li YES ,
this is the name of the routing daemon to use.
The default is
.Xr routed 8 .
.It Va route6d_program
.Pq Vt str
The IPv6 equivalent of
.Va routed_program .
The default is
.Xr route6d 8 .
.It Va routed_flags
.Pq Vt str
If
.Va routed_enable
is set to
.Dq Li YES ,
these are the flags to pass to the routing daemon.
.It Va route6d_flags
.Pq Vt str
The IPv6 equivalent of
.Va routed_flags .
.It Va rtadvd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr rtadvd 8
daemon at boot time.
The
.Xr rtadvd 8
utility sends ICMPv6 Router Advertisement messages to
the interfaces specified in
.Va rtadvd_interfaces .
This should only be enabled with great care.
You may want to fine-tune
.Xr rtadvd.conf 5 .
.It Va rtadvd_flags
.Pq Vt str
If
.Va rtadvd_enable
is set to
.Dq Li YES ,
these are the flags to pass to
.Xr rtadvd 8 .
.It Va rtadvd_interfaces
.Pq Vt str
If
.Va rtadvd_enable
is set to
.Dq Li YES
this is the list of interfaces to use.
.It Va arpproxy_all
.Pq Vt bool
If set to
.Dq Li YES ,
enable global proxy ARP.
.It Va forward_sourceroute
.Pq Vt bool
If set to
.Dq Li YES
and
.Va gateway_enable
is also set to
.Dq Li YES ,
source-routed packets are forwarded.
.It Va accept_sourceroute
.Pq Vt bool
If set to
.Dq Li YES ,
the system will accept source-routed packets directed at it.
.It Va rarpd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr rarpd 8
daemon at system boot time.
.It Va rarpd_flags
.Pq Vt str
If
.Va rarpd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr rarpd 8
daemon.
.It Va bootparamd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr bootparamd 8
daemon at system boot time.
.It Va bootparamd_flags
.Pq Vt str
If
.Va bootparamd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr bootparamd 8
daemon.
.It Va stf_interface_ipv4addr
.Pq Vt str
If not set to
.Dq Li NO ,
this is the local IPv4 address for 6to4 (IPv6 over IPv4 tunneling
interface).
Specify this entry to enable the 6to4 interface.
.It Va stf_interface_ipv4plen
.Pq Vt int
Prefix length for 6to4 IPv4 addresses, to limit peer address range.
An effective value is 0-31.
.It Va stf_interface_ipv6_ifid
.Pq Vt str
IPv6 interface ID for
.Xr stf 4 .
This can be set to
.Dq Li AUTO .
.It Va stf_interface_ipv6_slaid
.Pq Vt str
IPv6 Site Level Aggregator for
.Xr stf 4 .
.It Va ipv6_ipv4mapping
.Pq Vt bool
If set to
.Dq Li YES
this enables IPv4 mapped IPv6 address communication (like
.Li ::ffff:a.b.c.d ) .
.It Va rtsold_enable
.Pq Vt bool
Set to
.Dq Li YES
to enable the
.Xr rtsold 8
daemon to send ICMPv6 Router Solicitation messages.
.It Va rtsold_flags
.Pq Vt str
If
.Va rtsold_enable
is set to
.Dq Li YES ,
these are the flags to pass to
.Xr rtsold 8 .
.It Va rtsol_flags
.Pq Vt str
For interfaces configured with the
.Dq Li inet6 accept_rtadv
keyword, these are the flags to pass to
.Xr rtsol 8 .
.Pp
Note that
.Va rtsold_enable
is mutually exclusive with
.Va rtsol_flags ;
.Va rtsold_enable
takes precedence.
.It Va keybell
.Pq Vt str
The keyboard bell sound.
Set to
.Dq Li normal ,
.Dq Li visual ,
.Dq Li off ,
or
.Dq Li NO
if the default behavior is desired.
For details, refer to the
.Xr kbdcontrol 1
manpage.
.It Va keyboard
.Pq Vt str
If set to a non-null string, the virtual console's keyboard input is
set to this device.
.It Va keymap
.Pq Vt str
If set to
.Dq Li NO ,
no keymap is installed, otherwise the value is used to install
the keymap file found in
.Pa /usr/share/syscons/keymaps/ Ns Ao Ar value Ac Ns Pa .kbd
(if using
.Xr syscons 4 ) or
.Pa /usr/share/vt/keymaps/ Ns Ao Ar value Ac Ns Pa .kbd
(if using
.Xr vt 4 ) .
.It Va keyrate
.Pq Vt str
The keyboard repeat speed.
Set to
.Dq Li slow ,
.Dq Li normal ,
.Dq Li fast ,
or
.Dq Li NO
if the default behavior is desired.
.It Va keychange
.Pq Vt str
If not set to
.Dq Li NO ,
attempt to program the function keys with the value.
The value should
be a single string of the form:
.Dq Ar funkey_number new_value Op Ar funkey_number new_value ... .
.It Va cursor
.Pq Vt str
Can be set to the value of
.Dq Li normal ,
.Dq Li blink ,
.Dq Li destructive ,
or
.Dq Li NO
to set the cursor behavior explicitly or choose the default behavior.
.It Va scrnmap
.Pq Vt str
If set to
.Dq Li NO ,
no screen map is installed, otherwise the value is used to install
the screen map file in
.Pa /usr/share/syscons/scrnmaps/ Ns Aq Ar value .
This parameter is ignored when using
.Xr vt 4
as the console driver.
.It Va font8x16
.Pq Vt str
If set to
.Dq Li NO ,
the default 8x16 font value is used for screen size requests, otherwise
the value in
.Pa /usr/share/syscons/fonts/ Ns Aq Ar value
or
.Pa /usr/share/vt/fonts/ Ns Aq Ar value
is used (depending on the console driver being used).
.It Va font8x14
.Pq Vt str
If set to
.Dq Li NO ,
the default 8x14 font value is used for screen size requests, otherwise
the value in
.Pa /usr/share/syscons/fonts/ Ns Aq Ar value
or
.Pa /usr/share/vt/fonts/ Ns Aq Ar value
is used (depending on the console driver being used).
.It Va font8x8
.Pq Vt str
If set to
.Dq Li NO ,
the default 8x8 font value is used for screen size requests, otherwise
the value in
.Pa /usr/share/syscons/fonts/ Ns Aq Ar value
or
.Pa /usr/share/vt/fonts/ Ns Aq Ar value
is used (depending on the console driver being used).
.It Va blanktime
.Pq Vt int
If set to
.Dq Li NO ,
the default screen blanking interval is used, otherwise it is set
to
.Ar value
seconds.
.It Va saver
.Pq Vt str
If not set to
.Dq Li NO ,
this is the actual screen saver to use
.Li ( blank , snake , daemon ,
etc).
.It Va moused_nondefault_enable
.Pq Vt str
If set to
.Dq Li NO ,
the mouse device specified on
the command line is not automatically treated as enabled by the
.Pa /etc/rc.d/moused
script.
Having this variable set to
.Dq Li YES
allows a
.Xr usb 4
mouse,
for example,
to be enabled as soon as it is plugged in.
.It Va moused_enable
.Pq Vt str
If set to
.Dq Li YES ,
the
.Xr moused 8
daemon is started for doing cut/paste selection on the console.
.It Va moused_type
.Pq Vt str
This is the protocol type of the mouse connected to this host.
This variable must be set if
.Va moused_enable
is set to
.Dq Li YES ,
but defaults to
.Dq Li auto
as the
.Xr moused 8
daemon
is able to detect the appropriate mouse type automatically in many cases.
Set this variable to
one from the following list if the automatic detection fails.
.Pp
If the mouse is attached to the PS/2 mouse port, choose
.Dq Li auto
or
.Dq Li ps/2 ,
regardless of the brand and model of the mouse.
Likewise, if the
mouse is attached to the bus mouse port, choose
.Dq Li auto
or
.Dq Li busmouse .
All other protocols are for serial mice and will not work with
the PS/2 and bus mice.
If this is a USB mouse,
.Dq Li auto
is the only protocol type which will work.
.Pp
.Bl -tag -width ".Li x10mouseremote" -compact
.It Li microsoft
Microsoft mouse (serial)
.It Li intellimouse
Microsoft IntelliMouse (serial)
.It Li mousesystems
Mouse systems Corp.\& mouse (serial)
.It Li mmseries
MM Series mouse (serial)
.It Li logitech
Logitech mouse (serial)
.It Li busmouse
A bus mouse
.It Li mouseman
Logitech MouseMan and TrackMan (serial)
.It Li glidepoint
ALPS GlidePoint (serial)
.It Li thinkingmouse
Kensington ThinkingMouse (serial)
.It Li ps/2
PS/2 mouse
.It Li mmhittab
MM HitTablet (serial)
.It Li x10mouseremote
X10 MouseRemote (serial)
.It Li versapad
Interlink VersaPad (serial)
.El
.Pp
Even if the mouse is not in the above list, it may be compatible
with one in the list.
Refer to the manual page for
.Xr moused 8
for compatibility information.
.Pp
It should also be noted that while this is enabled, any
other client of the mouse (such as an X server) should access
the mouse through the virtual mouse device,
.Pa /dev/sysmouse ,
and configure it as a
.Dq Li sysmouse
type mouse, since all
mouse data is converted to this single canonical format when
using
.Xr moused 8 .
If the client program does not support the
.Dq Li sysmouse
type,
specify the
.Dq Li mousesystems
type.
It is the second preferred type.
.It Va moused_port
.Pq Vt str
If
.Va moused_enable
is set to
.Dq Li YES ,
this is the actual port the mouse is on.
It might be
.Pa /dev/cuau0
for a COM1 serial mouse, or
.Pa /dev/psm0
for a PS/2 mouse, for example.
.It Va moused_flags
.Pq Vt str
If
.Va moused_flags
is set, its value is used as an additional set of flags to pass to the
.Xr moused 8
daemon.
.It Va "moused_" Ns Ar XXX Ns Va "_flags"
When
.Va moused_nondefault_enable
is enabled, and a
.Xr moused 8
daemon is started for a non-default port, the
.Va "moused_" Ns Ar XXX Ns Va "_flags"
set of options has precedence over and replaces the default
.Va moused_flags
(where
.Ar XXX
is the name of the non-default port, i.e.,\&
.Ar ums0 ) .
By setting
.Va "moused_" Ns Ar XXX Ns Va "_flags"
it is possible to set up a different set of default flags for each
.Xr moused 8
instance.
For example, you can use
.Dq Li "-3"
for the default
.Va moused_flags
to make your laptop's touchpad more comfortable to use,
but an empty set of options for
.Va moused_ums0_flags
when your
.Xr usb 4
mouse has three or more buttons.
.It Va mousechar_start
.Pq Vt int
If set to
.Dq Li NO ,
the default mouse cursor character range
.Li 0xd0 Ns - Ns Li 0xd3
is used,
otherwise the range start is set
to
.Ar value
character, see
.Xr vidcontrol 1 .
Use if the default range is occupied in the language code table.
.It Va allscreens_flags
.Pq Vt str
If set,
.Xr vidcontrol 1
is run with these options for each of the virtual terminals
.Pq Pa /dev/ttyv* .
For example,
.Dq Fl m Cm on
will enable the mouse pointer on all virtual terminals
if
.Va moused_enable
is set to
.Dq Li YES .
.It Va allscreens_kbdflags
.Pq Vt str
If set,
.Xr kbdcontrol 1
is run with these options for each of the virtual terminals
.Pq Pa /dev/ttyv* .
For example,
.Dq Fl h Li 200
will set the
.Xr syscons 4
or
.Xr vt 4
scrollback (history) buffer to 200 lines.
.It Va cron_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr cron 8
daemon at system boot time.
.It Va cron_program
.Pq Vt str
Path to
.Xr cron 8
(default
.Pa /usr/sbin/cron ) .
.It Va cron_flags
.Pq Vt str
If
.Va cron_enable
is set to
.Dq Li YES ,
these are the flags to pass to
.Xr cron 8 .
.It Va cron_dst
.Pq Vt bool
If set to
.Dq Li YES ,
enable the special handling of transitions to and from the
Daylight Saving Time in
.Xr cron 8
(equivalent to using the flag
.Fl s ) .
.It Va lpd_program
.Pq Vt str
Path to
.Xr lpd 8
(default
.Pa /usr/sbin/lpd ) .
.It Va lpd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr lpd 8
daemon at system boot time.
.It Va lpd_flags
.Pq Vt str
If
.Va lpd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr lpd 8
daemon.
.It Va chkprintcap_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr chkprintcap 8
command before starting the
.Xr lpd 8
daemon.
.It Va chkprintcap_flags
.Pq Vt str
If
.Va lpd_enable
and
.Va chkprintcap_enable
are set to
.Dq Li YES ,
these are the flags to pass to the
.Xr chkprintcap 8
program.
The default is
.Dq Li -d ,
which causes missing directories to be created.
.It Va dumpdev
.Pq Vt str
Indicates the device (usually a swap partition) to which a crash dump
should be written in the event of a system crash.
If the value of this variable is
.Dq Li AUTO ,
the first suitable swap device listed in
.Pa /etc/fstab
will be used as dump device.
Otherwise, the value of this variable is passed as the argument to
.Xr dumpon 8
and
.Xr savecore 8 .
To disable crash dumps, set this variable to
.Dq Li NO .
.It Va dumpon_flags
.Pq Vt str
Flags to pass to
.Xr dumpon 8
when configuring
.Va dumpdev
as the system dump device.
.It Va dumpdir
.Pq Vt str
When the system reboots after a crash and a crash dump is found on the
device specified by the
.Va dumpdev
variable,
.Xr savecore 8
will save that crash dump and a copy of the kernel to the directory
specified by the
.Va dumpdir
variable.
The default value is
.Pa /var/crash .
Set to
.Dq Li NO
to not run
.Xr savecore 8
at boot time when
.Va dumpdir
is set.
.It Va savecore_enable
.Pq Vt bool
If set to
.Dq Li NO ,
disable automatic extraction of the crash dump from the
.Va dumpdev .
.It Va savecore_flags
.Pq Vt str
If crash dumps are enabled, these are the flags to pass to the
.Xr savecore 8
utility.
.It Va quota_enable
.Pq Vt bool
Set to
.Dq Li YES
to turn on user and group disk quotas on system startup via the
.Xr quotaon 8
command for all file systems marked as having quotas enabled in
.Pa /etc/fstab .
The kernel must be built with
.Cd "options QUOTA"
for disk quotas to function.
.It Va check_quotas
.Pq Vt bool
Set to
.Dq Li YES
to enable user and group disk quota checking via the
.Xr quotacheck 8
command.
.It Va quotacheck_flags
.Pq Vt str
If
.Va quota_enable
is set to
.Dq Li YES ,
and
.Va check_quotas
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr quotacheck 8
utility.
The default is
.Dq Li "-a" ,
which checks quotas for all file systems with quotas enabled in
.Pa /etc/fstab .
.It Va quotaon_flags
.Pq Vt str
If
.Va quota_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr quotaon 8
utility.
The default is
.Dq Li "-a" ,
which enables quotas for all file systems with quotas enabled in
.Pa /etc/fstab .
.It Va quotaoff_flags
.Pq Vt str
If
.Va quota_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr quotaoff 8
utility when shutting down the quota system.
The default is
.Dq Li "-a" ,
which disables quotas for all file systems with quotas enabled in
.Pa /etc/fstab .
.It Va accounting_enable
.Pq Vt bool
Set to
.Dq Li YES
to enable system accounting through the
.Xr accton 8
facility.
.It Va firstboot_sentinel
.Pq Vt str
This variable specifies the full path to a
.Dq first boot
sentinel file.
If a file exists with this path,
.Pa rc.d
scripts with the
.Dq firstboot
keyword will be run on startup and the sentinel file will be deleted
after the boot process completes.
The sentinel file must be located on a writable file system which is
mounted no later than
.Va early_late_divider
to function properly.
The default is
.Pa /firstboot .
.It Va linux_enable
.Pq Vt bool
Set to
.Dq Li YES
to enable Linux/ELF binary emulation at system initial
boot time.
.It Va sysvipc_enable
.Pq Vt bool
If set to
.Dq Li YES ,
load System V IPC primitives at boot time.
.It Va clear_tmp_enable
.Pq Vt bool
Set to
.Dq Li YES
to have
.Pa /tmp
cleaned at startup.
.It Va clear_tmp_X
.Pq Vt bool
Set to
.Dq Li NO
to disable removing of X11 lock files,
and the removal and (secure) recreation
of the various socket directories for X11
related programs.
.It Va ldconfig_paths
.Pq Vt str
Set to the list of shared library paths to use with
.Xr ldconfig 8 .
NOTE:
.Pa /lib
and
.Pa /usr/lib
will always be added first, so they need not appear in this list.
.It Va ldconfig32_paths
.Pq Vt str
Set to the list of 32-bit compatibility shared library paths to
use with
.Xr ldconfig 8 .
.It Va ldconfig_insecure
.Pq Vt bool
The
.Xr ldconfig 8
utility normally refuses to use directories
which are writable by anyone except root.
Set this variable to
.Dq Li YES
to disable that security check during system startup.
.It Va ldconfig_local_dirs
.Pq Vt str
Set to the list of local
.Xr ldconfig 8
directories.
The names of all files in the directories listed will be
passed as arguments to
.Xr ldconfig 8 .
.It Va ldconfig_local32_dirs
.Pq Vt str
Set to the list of local 32-bit compatibility
.Xr ldconfig 8
directories.
The names of all files in the directories listed will be
passed as arguments to
.Dq Nm ldconfig Fl 32 .
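.Pp
Several variables described above relax a security check or expose a service: weak_mountd_authentication, nfs_reserved_port_only, forward_sourceroute (effective only together with gateway_enable), accept_sourceroute, arpproxy_all, ldconfig_insecure, rtadvd_enable and bsnmpd_enable. The script below is an added example, not part of this manual page or of the FreeBSD rc scripts; the function names rc_get, rc_bool, rc_audit and rc_audit_demo and the sample file are hypothetical, and it assumes simple one-line name=value assignments (no variable expansion), reporting only values set explicitly in the file it is given.

```shell
#!/bin/sh
# Added example: static audit of rc.conf(5) settings that loosen security.
# The file is parsed as text and never sourced, so nothing in it is executed.

# rc_get FILE NAME: print the last value assigned to NAME (empty if unset).
rc_get() {
    awk -v name="$2" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (index(line, name "=") != 1) next   # other variable or comment
            val = substr(line, length(name) + 2)
            q = substr(val, 1, 1)
            if (q == "\"" || q == "\047") {         # quoted value
                val = substr(val, 2)
                stop = index(val, q)
                if (stop > 0) val = substr(val, 1, stop - 1)
            } else {                                # bare word
                sub(/[ \t;].*$/, "", val)
            }
            last = val                              # later assignments win
        }
        END { print last }
    ' "$1"
}

# rc_bool VALUE: normalise a boolean using the spellings that checkyesno
# in rc.subr(8) accepts; prints YES, NO, UNSET or INVALID.
rc_bool() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) echo YES ;;
        [Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|[Oo][Ff][Ff]|0) echo NO ;;
        "") echo UNSET ;;
        *) echo INVALID ;;
    esac
}

# rc_audit FILE: print one finding per line; returns 1 if anything was found.
# Table columns: variable | state worth reporting | what that state means.
rc_audit() {
    file=$1
    findings=0
    while IFS='|' read -r var bad why; do
        [ -n "$var" ] || continue
        state=$(rc_bool "$(rc_get "$file" "$var")")
        [ "$state" = "$bad" ] || continue
        # forward_sourceroute only takes effect when the host routes packets.
        if [ "$var" = forward_sourceroute ] &&
           [ "$(rc_bool "$(rc_get "$file" gateway_enable)")" != YES ]; then
            continue
        fi
        echo "$var=$bad: $why"
        findings=$((findings + 1))
    done <<'EOF'
weak_mountd_authentication|YES|non-privileged mount requests are allowed
nfs_reserved_port_only|NO|NFS service is not restricted to a secure port
forward_sourceroute|YES|source-routed packets are forwarded
accept_sourceroute|YES|source-routed packets directed at the host are accepted
arpproxy_all|YES|global proxy ARP is enabled
ldconfig_insecure|YES|ldconfig directory-permission check is disabled at startup
rtadvd_enable|YES|router advertisements are sent; enable only with great care
bsnmpd_enable|YES|an SNMP daemon is started; review its security implications
EOF
    [ "$findings" -eq 0 ]
}

# rc_audit_demo: run the audit on a constructed sample (not a real host's file).
rc_audit_demo() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/rcconf.XXXXXX") || return 2
    cat > "$tmp" <<'EOF'
hostname="demo.example.org"
sshd_enable="YES"
weak_mountd_authentication="YES"
accept_sourceroute=yes
forward_sourceroute="YES"
ldconfig_insecure="YES"
ldconfig_insecure="NO"
#arpproxy_all="YES"
nfs_reserved_port_only='NO'
EOF
    rc_audit "$tmp" && rc=0 || rc=$?
    rm -f "$tmp"
    return "$rc"
}

# With a path argument audit that file; with none, run the constructed sample.
if [ $# -gt 0 ]; then rc_audit "$1"; else rc_audit_demo || true; fi
```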
.It Va kern_securelevel_enable
.Pq Vt bool
Set to
.Dq Li YES
to set the kernel security level at system startup.
.It Va kern_securelevel
.Pq Vt int
The kernel security level to set at startup.
The allowed range of
.Ar value
ranges from \-1 (the compile time default) to 3 (the
most secure).
See
.Xr security 7
for the list of possible security levels and their effect
on system operation.
.It Va sshd_program
.Pq Vt str
Path to the SSH server program
.Pa ( /usr/sbin/sshd
is the default).
.It Va sshd_enable
.Pq Vt bool
Set to
.Dq Li YES
to start
.Xr sshd 8
at system boot time.
Note, the
.Va sshd_oomprotect
variable is set to
.Dq Li YES
by default in
.Pa /etc/defaults/rc.conf .
.It Va sshd_flags
.Pq Vt str
If
.Va sshd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr sshd 8
daemon.
.It Va watchdogd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
start the
.Xr watchdogd 8
daemon at boot time.
This requires that the kernel have been compiled with a
.Xr watchdog 4
compatible device.
.It Va watchdogd_flags
.Pq Vt str
If
.Va watchdogd_enable
is set to
.Dq Li YES ,
these are the flags passed to the
.Xr watchdogd 8
daemon.
.It Va watchdogd_timeout
.Pq Vt int
If
.Va watchdogd_enable
is set to
.Dq Li YES ,
this is a timeout that will be used by the
.Xr watchdogd 8
daemon.
If this option is set, it overrides
.Fl t
in
.Va watchdogd_flags .
.It Va watchdogd_shutdown_timeout
.Pq Vt int
If
.Va watchdogd_enable
is set to
.Dq Li YES ,
this is a timeout that will be set by the
.Xr watchdogd 8
daemon when it exits during the system shutdown.
This timeout will not be set when returning to the single-user mode
or when the watchdogd service is stopped individually using the
.Xr service 8
command or the rc.d script.
Note that the timeout will be applied if
.Xr watchdogd 8
is stopped outside of
.Xr rc 8
framework.
If this option is set, it overrides
.Fl x
in
.Va watchdogd_flags .
.It Va devfs_rulesets
.Pq Vt str
List of files containing sets of rules for
.Xr devfs 8 .
.It Va devfs_system_ruleset
.Pq Vt str
Rule name(s) to apply to the system
.Pa /dev
itself.
.It Va devfs_set_rulesets
.Pq Vt str
Pairs of already-mounted
.Pa dev
directories and rulesets that should be applied to them.
For example: /mount/dev=ruleset_name
.It Va devfs_load_rulesets
.Pq Vt bool
If set, always load the default rulesets listed in
.Va devfs_rulesets .
.It Va performance_cx_lowest
.Pq Vt str
CPU idle state to use while on AC power.
The string
.Dq Li LOW
indicates that
.Xr acpi 4
should use the lowest power state available while
.Dq Li HIGH
indicates that the lowest latency state (less power savings) should be used.
.It Va performance_cpu_freq
.Pq Vt str
CPU clock frequency to use while on AC power.
The string
.Dq Li LOW
indicates that
.Xr cpufreq 4
should use the lowest frequency available while
.Dq Li HIGH
indicates that the highest frequency (less power savings) should be used.
.It Va economy_cx_lowest
.Pq Vt str
CPU idle state to use when off AC power.
The string
.Dq Li LOW
indicates that
.Xr acpi 4
should use the lowest power state available while
.Dq Li HIGH
indicates that the lowest latency state (less power savings) should be used.
.It Va economy_cpu_freq
.Pq Vt str
CPU clock frequency to use when off AC power.
The string
.Dq Li LOW
indicates that
.Xr cpufreq 4
should use the lowest frequency available while
.Dq Li HIGH
indicates that the highest frequency (less power savings) should be used.
.It Va jail_enable
.Pq Vt bool
If set to
.Dq Li NO ,
any configured jails will not be started.
.It Va jail_conf
.Pq Vt str
The configuration filename used by
.Xr jail 8
utility.
The default value is
.Pa /etc/jail.conf .
.Pa /etc/jail\&. Ns Ao Va jname Ac Ns Pa .conf
and
.Pa /etc/jail.conf.d/ Ns Ao Va jname Ac Ns Pa .conf
will also be used if
.Ao Va jname Ac
is set in
.Va jail_list .
.It Va jail_parallel_start
.Pq Vt bool
If set to
.Dq Li YES ,
all configured jails will be started in the background (in parallel).
.It Va jail_flags
.Pq Vt str
Unset by default.
When set, use as default value for
.Va jail_ Ns Ao Ar jname Ac Ns Va _flags
for every jail in
.Va jail_list .
.It Va jail_list
.Pq Vt str
A space-delimited list of jail names.
When left empty, all of the
.Xr jail 8
instances defined in the configuration file are started.
The names specified in this list control the jail startup order.
.Xr jail 8
instances missing from
.Va jail_list
must be started manually.
Note that a jail's
.Va depend
parameter in the configuration file may override this list.
.It Va jail_reverse_stop
.Pq Vt bool
When set to
.Dq Li YES ,
all configured jails in
.Va jail_list
are stopped in reverse order.
.It Va jail_ Ns * variables
Note that older releases supported per-jail configuration via
.Nm
variables.
For example,
hostname of a jail named
.Li vjail
was able to be set by
.Li jail_vjail_hostname .
These per-jail configuration variables are now obsolete in favor of
.Xr jail 8
configuration file.
For backward compatibility,
when per-jail configuration variables are defined,
.Xr jail 8
configuration files are created as
.Pa /var/run/jail . Ns Ao Ar jname Ac Ns Pa .conf
and used.
.Pp
The following per-jail parameters are handled by
.Pa rc.d/jail
script out of their corresponding
.Nm
variables.
In addition to them, parameters in
.Va jail_ Ns Ao Ar jname Ac Ns Va _parameters
will be added to the configuration file.
They must be a semi-colon
.Pq Ql \&;
delimited list of
.Dq key=value .
For more details,
see
.Xr jail 8
manual page.
.Bl -tag -width "host.hostname" -offset indent
.It Li path
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _rootdir
.It Li host.hostname
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _hostname
.It Li exec.consolelog
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _consolelog .
The default value is
.Pa /var/log/jail_ Ns Ao Ar jname Ac Ns Pa _console.log .
.It Li interface
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _interface .
.It Li vnet.interface
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _vnet_interface .
This implies
.Li vnet
parameter will be enabled and cannot be specified with
.Va jail_ Ns Ao Ar jname Ac Ns Va _interface ,
.Va jail_ Ns Ao Ar jname Ac Ns Va _ip
and/or
.Va jail_ Ns Ao Ar jname Ac Ns Va _ip_multi Ns Aq Ar n
at the same time.
.It Li fstab
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _fstab
.It Li mount
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _procfs_enable .
.It Li exec.fib
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _fib
.It Li exec.start
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_start .
The parameter name was
.Li command
in some older releases.
.It Li exec.prestart
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_prestart
.It Li exec.poststart
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_poststart
.It Li exec.stop
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_stop
.It Li exec.prestop
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_prestop
.It Li exec.poststop
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_poststop
.It Li ip4.addr
set if
.Va jail_ Ns Ao Ar jname Ac Ns Va _ip
or
.Va jail_ Ns Ao Ar jname Ac Ns Va _ip_multi Ns Aq Ar n
contain IPv4 addresses
.It Li ip6.addr
set if
.Va jail_ Ns Ao Ar jname Ac Ns Va _ip
or
.Va jail_ Ns Ao Ar jname Ac Ns Va _ip_multi Ns Aq Ar n
contain IPv6 addresses
.It Li allow.mount
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _mount_enable
.It Li mount.devfs
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _devfs_enable
.It Li devfs_ruleset
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _devfs_ruleset .
This must be an integer,
not a string.
.It Li mount.fdescfs
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _fdescfs_enable
.It Li allow.set_hostname
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _set_hostname_allow
.It Li allow.rawsocket
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _socket_unixiproute_only
.It Li allow.sysvipc
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _sysvipc_allow
.El
.\" -----------------------------------------------------
.It Va harvest_mask
.Pq Vt int
Set to a bit-mask
representing the entropy sources
you wish to harvest.
Refer to
.Xr random 4
for more information.
.It Va entropy_dir
.Pq Vt str
Set to
.Dq Li NO
to disable caching entropy via
.Xr cron 8 .
Otherwise set to the directory
in which the entropy files are stored.
To be useful,
there must be
a system cron job
that regularly writes and rotates
files here.
All files found
will be used at boot time.
The default is
.Pa /var/db/entropy .
.It Va entropy_file
.Pq Vt str
Set to
.Dq Li NO
to disable caching entropy through reboots.
Otherwise set to the name
of a file used to store cached entropy.
This file should be located
on a file system that is readable
before all the volumes specified in
.Xr fstab 5
are mounted.
By default,
.Pa /entropy
is used,
but if
.Pa /var/db/entropy-file
is found it will also be used.
This will be of some use to
.Xr bsdinstall 8 .
.It Va entropy_boot_file
.Pq Vt str
Set to
.Dq Li NO
to disable
very early caching entropy
through reboots.
Otherwise set to the filename
used to read
very early reboot cached entropy.
This file should be located where
.Xr loader 8
can read it.
See also
.Xr loader.conf 5 .
The default location is
.Pa /boot/entropy .
.It Va entropy_save_sz
.Pq Vt int
Size of the entropy cache files saved by
.Nm save-entropy
periodically.
.It Va entropy_save_num
.Pq Vt int
Number of entropy cache files to save by
.Nm save-entropy
periodically.
.It Va ipsec_enable
.Pq Vt bool
Set to
.Dq Li YES
to run
.Xr setkey 8
on
.Va ipsec_file
at boot time.
.It Va ipsec_file
.Pq Vt str
Configuration file for
.Xr setkey 8 .
.It Va dmesg_enable
.Pq Vt bool
Set to
.Dq Li YES
to save
.Xr dmesg 8
to
.Pa /var/run/dmesg.boot
on boot.
.It Va rcshutdown_timeout
.Pq Vt int
If set, start a watchdog timer in the background which will terminate
.Pa rc.shutdown
if
.Xr shutdown 8
has not completed within the specified time (in seconds).
Notice that in addition to this soft timeout,
.Xr init 8
also applies a hard timeout for the execution of
.Pa rc.shutdown .
This is configured via
.Xr sysctl 8
variable
.Va kern.init_shutdown_timeout
and defaults to 120 seconds.
Setting the value of
.Va rcshutdown_timeout
to more than 120 seconds will have no effect until the
.Xr sysctl 8
variable
.Va kern.init_shutdown_timeout
is also increased.
.It Va virecover_enable
.Pq Vt bool
Set to
.Dq Li NO
to prevent the system from trying to
recover prematurely terminated
.Xr vi 1
sessions.
.It Va ugidfw_enable
.Pq Vt bool
Set to
.Dq Li YES
to load the
.Xr mac_bsdextended 4
module upon system initialization and load a default
ruleset file.
.It Va bsdextended_script
.Pq Vt str
The default
.Xr mac_bsdextended 4
ruleset file to load.
The default value of this variable is
.Pa /etc/rc.bsdextended .
.It Va newsyslog_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run
.Xr newsyslog 8
command at startup.
.It Va newsyslog_flags
.Pq Vt str
If
.Va newsyslog_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr newsyslog 8
program.
The default is
.Dq Li -CN ,
which causes log files flagged with a
.Cm C
to be created.
.It Va mdconfig_md Ns Aq Ar X
.Pq Vt str
Arguments to
.Xr mdconfig 8
for
.Xr md 4
device
.Ar X .
At minimum a
.Fl t Ar type
must be specified and either a
.Fl s Ar size
for malloc or swap backed
.Xr md 4
devices or a
.Fl f Ar file
for vnode backed
.Xr md 4
devices.
Note that
.Va mdconfig_md Ns Aq Ar X
variables are evaluated until one variable is unset or null.
.It Va mdconfig_md Ns Ao Ar X Ac Ns Va _newfs
.Pq Vt str
Optional arguments passed to
.Xr newfs 8
to initialize
.Xr md 4
device
.Ar X .
.It Va mdconfig_md Ns Ao Ar X Ac Ns Va _owner
.Pq Vt str
An ownership specification passed to
.Xr chown 8
after the specified
.Xr md 4
device
.Ar X
has been mounted.
Both the
.Xr md 4
device and the mount point will be changed.
.It Va mdconfig_md Ns Ao Ar X Ac Ns Va _perms
.Pq Vt str
A mode string passed to
.Xr chmod 1
after the specified
.Xr md 4
device
.Ar X
has been mounted.
Both the
.Xr md 4
device and the mount point will be changed.
.It Va mdconfig_md Ns Ao Ar X Ac Ns Va _files
.Pq Vt str
Files to be copied to the mount point of the
.Xr md 4
device
.Ar X
after it has been mounted.
.It Va mdconfig_md Ns Ao Ar X Ac Ns Va _cmd
.Pq Vt str
Command to execute after the specified
.Xr md 4
device
.Ar X
has been mounted.
Note that the command is passed to
.Ic eval
and that both
.Va _dev
and
.Va _mp
variables can be used to reference respectively the
.Xr md 4
device and the mount point.
Assuming that the
.Xr md 4
device is
.Li md0 ,
one could set the following:
.Bd -literal
mdconfig_md0_cmd="tar xfzC /var/file.tgz \e${_mp}"
.Ed
.It Va autobridge_interfaces
.Pq Vt str
Set to the list of bridge interfaces that will have newly arriving interfaces
checked against to be automatically added.
If not set to
.Dq Li NO
then for each whitespace separated
.Ar element
in the value, a
.Va autobridge_ Ns Aq Ar element
variable is assumed to exist which has a whitespace separated list of interface
names to match, these names can use wildcards.
For example:
.Bd -literal
autobridge_interfaces="bridge0"
autobridge_bridge0="tap* dc0 vlan[345]"
.Ed
.It Va mixer_enable
.Pq Vt bool
If set to
.Dq Li YES ,
enable support for sound mixer.
.It Va hcsecd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
enable Bluetooth security daemon.
.It Va hcsecd_config
.Pq Vt str
Configuration file for
.Xr hcsecd 8 .
Default
.Pa /etc/bluetooth/hcsecd.conf .
.It Va sdpd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
enable Bluetooth Service Discovery Protocol daemon.
.It Va sdpd_control
.Pq Vt str
Path to
.Xr sdpd 8
control socket.
Default
.Pa /var/run/sdp .
.It Va sdpd_groupname
.Pq Vt str
Sets
.Xr sdpd 8
group to run as after it initializes.
Default
.Dq Li nobody .
.It Va sdpd_username
.Pq Vt str
Sets
.Xr sdpd 8
user to run as after it initializes.
Default
.Dq Li nobody .
.It Va bthidd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
enable Bluetooth Human Interface Device daemon.
.It Va bthidd_config
.Pq Vt str
Configuration file for
.Xr bthidd 8 .
Default
.Pa /etc/bluetooth/bthidd.conf .
.It Va bthidd_hids
.Pq Vt str
Path to a file, where
.Xr bthidd 8
will store information about known HID devices.
Default
.Pa /var/db/bthidd.hids .
.It Va rfcomm_pppd_server_enable
.Pq Vt bool
If set to
.Dq Li YES ,
enable Bluetooth RFCOMM PPP wrapper daemon.
.It Va rfcomm_pppd_server_profile
.Pq Vt str
The name of the profile to use from
.Pa /etc/ppp/ppp.conf .
Multiple profiles can be specified here.
Also used to specify per-profile overrides.
When the profile name contains any of the characters
.Dq Li .-/+
they are translated to
.Dq Li _
for the purposes of the override variable names.
.It Va rfcomm_pppd_server_ Ns Ao Ar profile Ac Ns _bdaddr
.Pq Vt str
Overrides local address to listen on.
By default
.Xr rfcomm_pppd 8
will listen on
.Dq Li ANY
address.
The address can be specified as BD_ADDR or name.
.It Va rfcomm_pppd_server_ Ns Ao Ar profile Ac Ns _channel
.Pq Vt str
Overrides local RFCOMM channel to listen on.
By default
.Xr rfcomm_pppd 8
will listen on RFCOMM channel 1.
Must be set properly if multiple profiles are used at the same time.
.It Va rfcomm_pppd_server_ Ns Ao Ar profile Ac Ns _register_sp
.Pq Vt bool
Tells
.Xr rfcomm_pppd 8
if it should register Serial Port service on the specified RFCOMM channel.
Default
.Dq Li NO .
.It Va rfcomm_pppd_server_ Ns Ao Ar profile Ac Ns _register_dun
.Pq Vt bool
Tells
.Xr rfcomm_pppd 8
if it should register Dial-Up Networking service on the specified
RFCOMM channel.
Default
.Dq Li NO .
.It Va ubthidhci_enable
.Pq Vt bool
If set to
.Dq Li YES ,
change the USB Bluetooth controller from HID mode to HCI mode.
You also need to specify the location of USB Bluetooth controller with the
.Va ubthidhci_busnum
and
.Va ubthidhci_addr
variables.
.It Va ubthidhci_busnum
Bus number where the USB Bluetooth controller is located.
Check the output of
.Xr usbconfig 8
on your system to find this information.
.It Va ubthidhci_addr
Bus address of the USB Bluetooth controller.
Check the output of
.Xr usbconfig 8
on your system to find this information.
.It Va utx_enable
.Pq Vt bool
Set to
.Dq Li YES
to enable user accounting through the
.Xr utx 8
facility.
.It Va netwait_enable
.Pq Vt bool
If set to
.Dq Li YES ,
delays the start of network-reliant services until
.Va netwait_if
is up, duplicate address discovery (DAD) has completed, and ICMP
packets to a destination defined in
.Va netwait_ip
are flowing.
Link state is examined first, followed by DAD, then
.Dq Li pinging
an IP address to verify network usability.
If no destination can be reached or timeouts are exceeded,
network services are started anyway with no guarantee that
the network is usable.
.It Va netwait_ip
.Pq Vt str
Empty by default.
This variable contains a space-delimited list of IP addresses to
.Xr ping 8 .
DNS hostnames should not be used as resolution is not guaranteed
to be functional at this point.
If multiple IP addresses are specified,
each will be tried until one is successful or the list is exhausted.
.It Va netwait_timeout
.Pq Vt int
Indicates the total number of seconds to perform a
.Dq Li ping
against each IP address in
.Va netwait_ip ,
at a rate of one ping per second.
If any of the pings are successful,
full network connectivity is considered reliable.
The default is 60.
.It Va netwait_if
.Pq Vt str
Empty by default.
Defines the name of the network interface on which to watch for link.
.Xr ifconfig 8
is used to monitor the interface, looking for
.Dq Li status: no carrier .
Once gone, the link is considered up.
This can be a
.Xr vlan 4
interface if desired.
.It Va netwait_if_timeout
.Pq Vt int
Defines the total number of seconds to wait for link to become usable,
polled at a 1-second interval.
The default is 30.
.It Va netwait_dad
.Pq Vt str
Set to
.Dq Li NO
by default.
Set to
.Dq Li YES
to enable waiting for DAD to complete.
.It Va netwait_dad_timeout
.Pq Vt int
Indicates the total number of seconds to wait for DAD to complete.
The default is 10.
.It Va rctl_enable
.Pq Vt bool
If set to
.Dq Li YES ,
load
.Xr rctl 8
rules from the defined ruleset.
The kernel must be built with
.Cd "options RACCT"
and
.Cd "options RCTL" .
.It Va rctl_rules
.Pq Vt str
Set to
.Pa /etc/rctl.conf
by default.
This variable contains the
.Xr rctl.conf 5
ruleset to load for
.Xr rctl 8 .
.It Va iovctl_files
.Pq Vt str
A space-separated list of configuration files used by
.Xr iovctl 8 .
The default value is an empty string.
.It Va autofs_enable
.Pq Vt bool
If set to
.Dq Li YES ,
start the
.Xr automount 8
utility and the
.Xr automountd 8
and
.Xr autounmountd 8
daemons at boot time.
.It Va automount_flags
.Pq Vt str
If
.Va autofs_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr automount 8
program.
By default no flags are passed.
.It Va automountd_flags
.Pq Vt str
If
.Va autofs_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr automountd 8
daemon.
By default no flags are passed.
.It Va autounmountd_flags
.Pq Vt str
If
.Va autofs_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr autounmountd 8
daemon.
By default no flags are passed.
.It Va ctld_enable
.Pq Vt bool
If set to
.Dq Li YES ,
start the
.Xr ctld 8
daemon at boot time.
.It Va iscsid_enable
.Pq Vt bool
If set to
.Dq Li YES ,
start the
.Xr iscsid 8
daemon at boot time.
.It Va iscsictl_enable
.Pq Vt bool
If set to
.Dq Li YES ,
start the
.Xr iscsictl 8
utility at boot time.
.It Va iscsictl_flags
.Pq Vt str
If
.Va iscsictl_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr iscsictl 8
program.
The default is
.Dq Li -Aa ,
which configures sessions based on the
.Pa /etc/iscsi.conf
configuration file.
.It Va cfumass_enable
.Pq Vt bool
If set to
.Dq Li YES ,
create and export a USB LUN using
.Xr cfumass 4
at boot time.
.It Va cfumass_dir
.Pq Vt str
The directory where the files exported by USB LUN are located.
The default directory is
.Pa /var/cfumass .
.It Va service_delete_empty
.Pq Vt bool
If set to
.Dq Li YES ,
.Ql Li service delete
removes empty
.Dq Li rc.conf.d
files.
.It Va zfs_bootonce_activate
.Pq Vt bool
If set to
.Dq Li YES ,
and a boot environment marked bootonce is successfully booted,
it will be made permanently active.
.It Va zfskeys_enable
.Pq Vt bool
If set to
.Dq Li YES ,
enable auto-loading of encryption keys for encrypted ZFS datasets.
For every dataset the script will first load the appropriate encryption key
and then attempt to unlock the dataset.
.Pp
The script operates only on datasets which are encrypted with
ZFS native encryption
and have a ZFS
.Dq Li keylocation
dataset property beginning with
.Dq Li file:// .
.It Va zfskeys_datasets
.Pq Vt str
A whitespace-separated list of ZFS datasets to unlock.
The list is empty by default,
which means that the script will attempt to unlock all datasets.
.It Va zfskeys_timeout
.Pq Vt int
Define the total number of seconds to wait for the zfskeys script
to unlock an encrypted dataset.
The default is 10.
.It Va sendmail_enable
.Pq Vt str
If set to
.Dq Li YES ,
run the
.Xr sendmail 8
daemon at system boot time.
If set to
.Dq Li NO ,
do not run a
.Xr sendmail 8
daemon to listen for incoming network mail.
This does not preclude a
.Xr sendmail 8
daemon listening on the SMTP port of the loopback interface.
The
.Dq Li NONE
option sets each
.Va sendmail_enable ,
.Va sendmail_submit_enable ,
.Va sendmail_outbound_enable ,
.Va sendmail_msp_queue_enable
to
.Dq Li NO .
.It Va sendmail_cert_create
.Pq Vt str
If
.Va sendmail_enable
is set to
.Dq Li YES ,
create a signed certificate
.Pa /etc/mail/certs/host.cert
representing
.Pa /etc/mail/certs/host.key
by the CA certificate in
.Pa /etc/mail/certs/cacert.pem .
This will enable connecting hosts to negotiate STARTTLS allowing incoming
email to be encrypted in transit.
.Xr sendmail 8
needs to be configured to use these generated files.
The default configuration in
.Pa /etc/mail/freebsd.mc
has the required options in it.
.It Va sendmail_cert_cn
.Pq Vt str
If
.Va sendmail_enable
is set to
.Dq Li YES
and
.Va sendmail_cert_create
is set to
.Dq Li YES ,
this is the Common Name (CN) of the certificate that will be created.
If
.Va sendmail_cert_cn
is not set, the system's hostname will be used.
If there is no hostname set,
.Dq Li amnesiac
will be used.
.It Va sendmail_flags
.Pq Vt str
If
.Va sendmail_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr sendmail 8
daemon.
.It Va sendmail_submit_enable
.Pq Vt bool
If set to
.Dq Li YES
and
.Va sendmail_enable
is set to
.Dq Li NO ,
run
.Xr sendmail 8
using
.Va sendmail_submit_flags
instead of
.Va sendmail_flags .
This is intended to allow local mail submission via
a localhost-only listening SMTP service required for running
.Xr sendmail 8
as a non-set-user-ID binary.
Note that this does not work inside
.Xr jail 2
systems, as jails do not allow binding to just the localhost interface.
.It Va sendmail_submit_flags
.Pq Vt str
If
.Va sendmail_enable
is set to
.Dq Li NO
and
.Va sendmail_submit_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr sendmail 8
daemon.
.It Va sendmail_outbound_enable
.Pq Vt bool
If set to
.Dq Li YES
and both
.Va sendmail_enable
and
.Va sendmail_submit_enable
are set to
.Dq Li NO ,
run
.Xr sendmail 8
using
.Va sendmail_outbound_flags
instead of
.Va sendmail_flags .
This is intended to allow local mail queue management
for systems that do not offer a listening SMTP service.
.It Va sendmail_outbound_flags
.Pq Vt str
If both
.Va sendmail_enable
and
.Va sendmail_submit_enable
are set to
.Dq Li NO
and
.Va sendmail_outbound_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr sendmail 8
daemon.
.It Va sendmail_msp_queue_enable
.Pq Vt bool
If set to
.Dq Li YES ,
start a client (MSP) queue runner
.Xr sendmail 8
daemon at system boot time.
As of sendmail 8.12, a separate queue is used for command line
submissions.
The client queue runner ensures that nothing is
left behind in the submission queue.
.It Va sendmail_msp_queue_flags
.Pq Vt str
If
.Va sendmail_msp_queue_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr sendmail 8
daemon.
.It Va precious_machine
If set to
.Dq Li YES ,
some destructive actions require removal of the action-specific safe-belts
before being allowed.
For instance, the file
.Pa /var/run/noshutdown
is created to prevent
.Xr shutdown 8
targeted at the wrong machine.
.El
.Sh SERVICE JAILS
The service jails part of the rc system automatically puts a service
into a jail.
This jail inherits the filesystem and various other parts of the
parent (if you allow child-jails in your jails, service jails
can be used in jails) depending on the content of the
.Ao Ar name Ac Ns Va _svcj_options
variable.
Typically this variable is set inside rc scripts, but it can be
overridden in the rc config.
Valid options for
.Ao Ar name Ac Ns Va _svcj_options
are:
.Bl -tag -width indent-two
.It mlock
Allows locking memory pages into physical memory.
.It netv4
Allows IPv4 network access and the ability to bind to reserved ports.
If
.Ao Ar name Ac Ns Va _svcj_ipaddrs
is set, only the IPv4 addresses listed there will be visible to the jail,
otherwise all assigned IPv4 addresses will be visible.
This cannot be combined with
.Pa netv6 .
.It netv6
Allows IPv6 network access and the ability to bind to reserved ports.
If
.Ao Ar name Ac Ns Va _svcj_ipaddrs
is set, only the IPv6 addresses listed there will be visible to the jail,
otherwise all assigned IPv6 addresses will be visible.
This cannot be combined with
.Pa netv4 .
.It net_basic
Equivalent to enabling both
.Pa netv6
and
.Pa netv4 .
.It net_raw
Allows opening raw sockets.
This option can be combined with
.Pa netv4 ,
.Pa netv6 ,
.Pa net_basic .
.It net_all
Allows IPv6 and IPv4 network access as for
.Pa netv4
and
.Pa netv6 ,
allows opening raw sockets, and allows opening sockets of protocol stacks that
have not had jail functionality added to them.
.It nfsd
Allows running nfsd and affiliated daemons.
.It routing
Allows modifying the system routing table.
.It settime
Allows setting and slewing the system time.
.It sysvipc
Inherits the SysV semaphores, SysV shared memory and
SysV messages from the host or the parent jail.
.It sysvipcnew
Creates a new namespace for SysV semaphores, SysV shared memory
and SysV messages for this particular service jail.
.It vmm
Allows access to
.Xr vmm 4 .
This option is only available when
.Xr vmm 4
is enabled in the kernel.
.El

All non-network options can be combined with all other options.
Only one of the SysV options can be specified.

If the
.Ao Ar name Ac Ns Va _svcj
variable is set to
.Dq Li YES ,
this particular service is started in a
service jail named
.Va svcj- Ns Ar name .

The
.Va svcj_all_enable
variable allows enabling service jails for all services of the
system at once.
Services which have
.Ao Ar name Ac Ns Va _svcj
set to
.Dq Li NO
are excluded.
Some services may set
.Ao Ar name Ac Ns Va _svcj
to
.Dq Li NO
in the script to either prevent service jails for this
service at all, or may set it to
.Dq Li NO
if it is not set in the
rc config, to exclude it from
.Va svcj_all_enable
but allow it to be enabled explicitly.
The sshd service, for example, would not see other jails if
it ran as a service jail.
This may or may not be what is needed, and as such it is
excluded from
.Va svcj_all_enable
but can be enabled via setting
.Va sshd_svcj
to
.Dq Li YES .
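
The option rules of this section, as an added example that is not code from rc.subr or the FreeBSD project: a POSIX sh lint that checks `<name>_svcj_options` assignments for unknown options, for netv4 combined with netv6, and for both SysV options at once. It assumes the options in a value are whitespace-separated and that each assignment is a single `name="value"` line; the service names in the sample are constructed.

```shell
#!/bin/sh
# Added example: lint <name>_svcj_options values against the rules stated in
# the SERVICE JAILS section. Assumption: options are whitespace-separated.

SVCJ_VALID="mlock netv4 netv6 net_basic net_raw net_all nfsd routing settime sysvipc sysvipcnew vmm"

# check_svcj_options "opt1 opt2 ..."
# Prints one finding per line and returns 0 only when the value is acceptable.
check_svcj_options() {
    _rc=0 _v4=0 _v6=0 _ipc=0 _ipcnew=0
    set -f                          # no pathname expansion while splitting
    for _o in $1; do
        case " $SVCJ_VALID " in
        *" $_o "*) ;;
        *) echo "unknown option '$_o'"; _rc=1; continue ;;
        esac
        case $_o in
        netv4) _v4=1 ;;
        netv6) _v6=1 ;;
        sysvipc) _ipc=1 ;;
        sysvipcnew) _ipcnew=1 ;;
        esac
    done
    set +f
    if [ "$_v4" -eq 1 ] && [ "$_v6" -eq 1 ]; then
        echo "netv4 and netv6 cannot be combined; use net_basic"
        _rc=1
    fi
    if [ "$_ipc" -eq 1 ] && [ "$_ipcnew" -eq 1 ]; then
        echo "only one SysV option (sysvipc or sysvipcnew) can be specified"
        _rc=1
    fi
    return "$_rc"
}

# lint_svcj_conf: read rc.conf-style text on stdin, check every
# <name>_svcj_options assignment, print "<name>: <finding>" lines and
# return 1 if any service has a finding.
# Assumption: assignments start in column one and fit on one line.
lint_svcj_conf() {
    _bad=0
    while IFS= read -r _line; do
        case $_line in
        [A-Za-z_]*_svcj_options=*) ;;
        *) continue ;;
        esac
        _name=${_line%%_svcj_options=*}
        _val=${_line#*_svcj_options=}
        _val=${_val%%#*}                        # drop a trailing comment
        _val=$(printf '%s' "$_val" | tr -d "\"'")   # drop sh quoting
        if ! _out=$(check_svcj_options "$_val"); then
            _bad=1
            printf '%s\n' "$_out" | while IFS= read -r _f; do
                printf '%s: %s\n' "$_name" "$_f"
            done
        fi
    done
    return "$_bad"
}

# Constructed sample input (hypothetical services, not from a real system).
SAMPLE_RC_CONF='alpha_svcj="YES"
beta_svcj_options="net_basic settime"
gamma_svcj_options="netv4 netv6 mlock"
delta_svcj_options="sysvipc sysvipcnew"
epsilon_svcj_options="net_raw netv6 chroot"'

printf '%s\n' "$SAMPLE_RC_CONF" | lint_svcj_conf || echo "fix the findings above"
```

To check a live configuration, feed the function the files named in the FILES section, for example `cat /etc/rc.conf | lint_svcj_conf`.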
.Sh FILES
.Bl -tag -width "/etc/defaults/rc.conf" -compact
.It Pa /etc/defaults/rc.conf
.It Pa /etc/defaults/vendor.conf
.It Pa /etc/rc.conf
.It Pa /etc/rc.conf.local
.It Pa /etc/rc.conf.d/
.El
.Sh SEE ALSO
.Xr chmod 1 ,
.Xr cpuset 1 ,
.Xr gdb 1 Pq Pa ports/devel/gdb ,
.Xr kbdcontrol 1 ,
.Xr limits 1 ,
.Xr protect 1 ,
.Xr sh 1 ,
.Xr umask 1 ,
.Xr uuidgen 1 ,
.Xr vi 1 ,
.Xr vidcontrol 1 ,
.Xr bridge 4 ,
.Xr dummynet 4 ,
.Xr ip 4 ,
.Xr ipf 4 ,
.Xr ipfw 4 ,
.Xr ipnat 4 ,
.Xr kld 4 ,
.Xr pf 4 ,
.Xr pflog 4 ,
.Xr pfsync 4 ,
.Xr tcp 4 ,
.Xr udp 4 ,
.Xr exports 5 ,
.Xr fstab 5 ,
.Xr ipf 5 ,
.Xr ipnat 5 ,
.Xr jail.conf 5 ,
.Xr loader.conf 5 ,
.Xr login.conf 5 ,
.Xr motd 5 ,
.Xr newsyslog.conf 5 ,
.Xr pf.conf 5 ,
.Xr firewall 7 ,
.Xr growfs 7 ,
.Xr security 7 ,
.Xr tuning 7 ,
.Xr accton 8 ,
.Xr apm 8 ,
.Xr bsdinstall 8 ,
.Xr bthidd 8 ,
.Xr chkprintcap 8 ,
.Xr chown 8 ,
.Xr cron 8 ,
.Xr devfs 8 ,
.Xr dhclient 8 ,
.Xr geli 8 ,
.Xr hcsecd 8 ,
.Xr ifconfig 8 ,
.Xr inetd 8 ,
.Xr iovctl 8 ,
.Xr ipf 8 ,
.Xr ipfw 8 ,
.Xr ipnat 8 ,
.Xr jail 8 ,
.Xr kldxref 8 ,
.Xr loader 8 ,
.Xr lpd 8 ,
.Xr makewhatis 8 ,
.Xr mdconfig 8 ,
.Xr mdmfs 8 ,
.Xr mixer 8 ,
.Xr mountd 8 ,
.Xr moused 8 ,
.Xr newfs 8 ,
.Xr newsyslog 8 ,
.Xr nfsd 8 ,
.Xr ntpd 8 ,
.Xr ntpdate 8 ,
.Xr pfctl 8 ,
.Xr pflogd 8 ,
.Xr ping 8 ,
.Xr powerd 8 ,
.Xr quotacheck 8 ,
.Xr quotaon 8 ,
.Xr rc 8 ,
.Xr rc.subr 8 ,
.Xr rcorder 8 ,
.Xr rfcomm_pppd 8 ,
.Xr route 8 ,
.Xr route6d 8 ,
.Xr routed 8 ,
.Xr rpc.lockd 8 ,
.Xr rpc.statd 8 ,
.Xr rpc.tlsclntd 8 ,
.Xr rpc.tlsservd 8 ,
.Xr rpcbind 8 ,
.Xr rwhod 8 ,
.Xr savecore 8 ,
.Xr sdpd 8 ,
.Xr sendmail 8 ,
.Xr service 8 ,
.Xr sshd 8 ,
.Xr swapon 8 ,
.Xr sysctl 8 ,
.Xr syslogd 8 ,
.Xr sysrc 8 ,
.Xr unbound 8 ,
.Xr usbconfig 8 ,
.Xr utx 8 ,
.Xr wlandebug 8 ,
.Xr yp 8 ,
.Xr ypbind 8 ,
.Xr ypserv 8 ,
.Xr ypset 8
.Sh HISTORY
The
.Nm
file appeared in
.Fx 2.2.2 .
.Sh AUTHORS
.An Jordan K. Hubbard .