xref: /freebsd/share/man/man5/rc.conf.5 (revision 357378bbdedf24ce2b90e9bd831af4a9db3ec70a)
1.\" Copyright (c) 1995
2.\"	Jordan K. Hubbard
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\"    notice, this list of conditions and the following disclaimer.
9.\" 2. Redistributions in binary form must reproduce the above copyright
10.\"    notice, this list of conditions and the following disclaimer in the
11.\"    documentation and/or other materials provided with the distribution.
12.\"
13.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND
14.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE
17.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
23.\" SUCH DAMAGE.
24.\"
25.Dd May 22, 2024
26.Dt RC.CONF 5
27.Os
28.Sh NAME
29.Nm rc.conf
30.Nd system configuration information
31.Sh DESCRIPTION
32The file
33.Nm
34contains descriptive information about the local host name, configuration
35details for any potential network interfaces and which services should be
36started up at system initial boot time.
37In new installations, the
38.Nm
39file is generally initialized by the system installation utility.
40.Pp
41The purpose of
42.Nm
43is not to run commands or perform system startup actions
44directly.
45Instead, it is included by the
46various generic startup scripts in
47.Pa /etc
48which conditionalize their
49internal actions according to the settings found there.
50.Pp
51The
52.Pa /etc/rc.conf
53file is included from the file
54.Pa /etc/defaults/rc.conf ,
55which specifies the default settings for all the available options.
56Options need only be specified in
57.Pa /etc/rc.conf
58when the system administrator wishes to override these defaults.
59The file
60.Pa /etc/defaults/vendor.conf
61allows vendors to override
62.Fx
63defaults.
64The file
65.Pa /etc/rc.conf.local
66is used to override settings in
67.Pa /etc/rc.conf
68for historical reasons.
69.Pp
70The sysrc(8) command provides a scripting interface to modify system
71config files.
72.Pp
73In addition to
74.Pa /etc/rc.conf.local
75you can also place smaller configuration files for each
76.Xr rc 8
77script in the
78.Pa /etc/rc.conf.d
79directory or
80.Ao Ar dir Ac Ns Pa /rc.conf.d
81directories (where
82.Ao Ar dir Ac
83is each entry specified in
84.Va local_startup ,
85but with any trailing
86.Pa /rc.d
87stripped),
88which will be included by the
89.Va load_rc_config
90function.
91For jail configurations you could use the file
92.Pa /etc/rc.conf.d/jail
93to store jail-specific configuration options.
94If
95.Va local_startup
96contains
97.Pa /usr/local/etc/rc.d
98and
99.Pa /opt/conf ,
100.Pa /usr/local/etc/rc.conf.d/jail
101and
102.Pa /opt/conf/rc.conf.d/jail
103will be loaded.
104If
105.Ao Ar dir Ac Ns Pa /rc.conf.d/ Ns Ao Ar name Ac
106is a directory,
107all of the files in the directory will be loaded.
108Also see the
109.Va rc_conf_files
110variable below.
111.Pp
112Options are set with
113.Dq Ar name Ns Li = Ns Ar value
114assignments that use
115.Xr sh 1
116syntax.
117The following list provides a name and short description for each
118variable that can be set in the
119.Nm
120file:
121.Bl -tag -width indent-two
122.It Va rc_debug
123.Pq Vt bool
124If set to
125.Dq Li YES ,
126enable output of debug messages from rc scripts.
127This variable can be helpful in diagnosing mistakes when
128editing or integrating new scripts.
129Beware that this produces copious output to the terminal and
130.Xr syslog 3 .
131.It Va rc_info
132.Pq Vt bool
133If set to
134.Dq Li NO ,
135disable informational messages from the rc scripts.
136Informational messages are displayed when
137a condition that is not serious enough to warrant a warning or
138an error occurs.
139.It Va rc_startmsgs
140.Pq Vt bool
141If set to
142.Dq Li YES ,
143show
144.Dq Starting foo:
145when faststart is used (e.g., at boot time).
146.It Va early_late_divider
147.Pq Vt str
148The name of the script that should be used as the
149delimiter between the
150.Dq early
151and
152.Dq late
153stages of the boot process.
154The early stage should contain all the services needed to
155get the disks (local or remote) mounted so that the late
156stage can include scripts contained in the directories
157listed in the
158.Va local_startup
159variable (see below).
160Thus, the two likely candidates for this value are
161.Pa mountcritlocal
162for the typical system, and
163.Pa mountcritremote
164if the system needs remote file
165systems mounted to get access to the
166.Va local_startup
167directories; for example when
168.Pa /usr/local
169is NFS mounted.
170For
171.Pa rc.conf
172within a
173.Xr jail 8
174.Pa NETWORKING
175is likely to be an appropriate value.
176Extreme care should be taken when changing this value,
177and before changing it one should ensure that there are
178adequate provisions to recover from a failed boot
179(such as physical contact with the machine,
180or reliable remote console access).
181.It Va always_force_depends
182.Pq Vt bool
183Various
184.Pa rc.d
185scripts use the force_depend function to check whether required
186services are already running, and to start them if necessary.
187By default during boot time this check is bypassed if the
188required service is enabled in
189.Pa /etc/rc.conf[.local] .
190Setting this option will bypass that check at boot time and
191always test whether or not the service is actually running.
192Enabling this option is likely to increase your boot time if
193services are enabled that utilize the force_depend check.
194.It Ao Ar name Ac Ns Va _chroot
195.Pq Vt str
196.Xr chroot 8
197to this directory before running the service.
198.It Ao Ar name Ac Ns Va _cpuset
199.Pq Vt str
200A list of CPUs to run the service on.
201Passed to
202.Xr cpuset 1
203using the
204.Fl l
205flag.
206.It Ao Ar name Ac Ns Va _fib
207.Pq Vt int
208The
209.Xr setfib 1
210value to run the service under.
211.It Ao Ar name Ac Ns Va _group
212.Pq Vt str
213Run the chrooted service under this system group.
214Unlike the
215.Ao Ar name Ac Ns Va _user
216setting, this setting has no effect if the service is not chrooted.
217.It Ao Ar name Ac Ns Va _limits
218.Pq Vt str
219Resource limits to apply to the service using
220.Xr limits 1 .
221By default, resource limits are based on the login class defined in
222.Ao Ar name Ac Ns Va _login_class .
223.It Ao Ar name Ac Ns Va _login_class
224.Pq Vt str
225Login class to be used with
226.Ao Ar name Ac Ns Va _limits .
227Defaults to
228.Dq Li daemon .
229.It Ao Ar name Ac Ns Va _nice
230.Pq Vt int
231The
232.Xr nice 1
233value to run the service under.
234.It Ao Ar name Ac Ns Va _oomprotect
235.Pq Vt str
236Use
237.Xr protect 1
238to prevent the service from being killed when swap space
239is exhausted.
240Use
241.Dq Li YES
242to protect only the service itself, and
243.Dq Li ALL
244to protect the service and all its child processes.
245.Pp
246Please note that rc scripts which redefine
247.Dl ${argument}_cmd
248.Pq see Xr rc.subr 8
249such as PostgreSQL will not inherit the OOM killer protection.
250.Pp
251This variable has no effect on services running within a
252.Xr jail 8 .
253.It Ao Ar name Ac Ns Va _setup
254.Pq Vt str
255Run the specified setup script right before starting the actual service
256command.
257Useful for automatic configuration file generation.
258.It Ao Ar name Ac Ns Va _umask
259.Pq Vt int
260Run the service using this
261.Xr umask 1
262value.
263.It Ao Ar name Ac Ns Va _user
264.Pq Vt str
265Run the service under this user account.
266.It Ao Ar name Ac Ns Va _svcj
267.Pq Vt bool
268If set to
269.Dq Li YES ,
270auto-jail the service with inherited filesystem and other
271jail properties depending on
272.Ao Ar name Ac Ns Va _svcj_options .
273.It Ao Ar name Ac Ns Va _svcj_options
274.Pq Vt str
275A list of jail properties for the service.
276See
277.Sx SERVICE JAILS
278for a list of valid properties.
279.It Va apm_enable
280.Pq Vt bool
281If set to
282.Dq Li YES ,
283enable support for Automatic Power Management with
284the
285.Xr apm 8
286command.
287.It Va apmd_enable
288.Pq Vt bool
289Run
290.Xr apmd 8
291to handle APM event from userland.
292This also enables support for APM.
293.It Va apmd_flags
294.Pq Vt str
295If
296.Va apmd_enable
297is set to
298.Dq Li YES ,
299these are the flags to pass to the
300.Xr apmd 8
301daemon.
302.It Va devd_enable
303.Pq Vt bool
304Run
305.Xr devd 8
306to handle device added, removed or unknown events from the kernel.
307.It Va ddb_enable
308.Pq Vt bool
309Run
310.Xr ddb 8
311to install
312.Xr ddb 4
313scripts at boot time.
314.It Va ddb_config
315.Pq Vt str
316Configuration file for
317.Xr ddb 8 .
318Default
319.Pa /etc/ddb.conf .
320.It Va devmatch_enable
321.Pq Vt bool
322If set to
323.Dq Li NO ,
324disable auto-loading of kernel modules with
325.Xr devmatch 8 .
326.It Va devmatch_blocklist
327.Pq Vt str
328A whitespace-separated list of kernel modules to be ignored by
329.Xr devmatch 8 .
330In addition, the
331.Xr kenv 1
332.Va devmatch_blocklist
333is appended to this variable to allow disabling of
334.Xr devmatch 8
335loaded modules from the boot loader.
336.It Va devmatch_blacklist
337.Pq Vt str
338This variable is deprecated.
339Use
340.Va devmatch_blocklist
341instead.
342A whitespace-separated list of kernel modules to be ignored by
343.Xr devmatch 8 .
344.It Va kld_list
345.Pq Vt str
346A whitespace-separated list of kernel modules to load right after
347the local disks are mounted, without any
348.Pa .ko
349extension or path.
350.It Va kldxref_enable
351.Pq Vt bool
352Set to
353.Dq Li NO
354by default.
355Set to
356.Dq Li YES
357to automatically rebuild
358.Pa linker.hints
359files with
360.Xr kldxref 8
361at boot time.
362.It Va kldxref_clobber
363.Pq Vt bool
364Set to
365.Dq Li NO
366by default.
367If
368.Va kldxref_enable
369is true,
370setting to
371.Dq Li YES
372will overwrite existing
373.Pa linker.hints
374files at boot time.
375Otherwise,
376only missing
377.Pa linker.hints
378files are generated.
379.It Va kldxref_module_path
380.Pq Vt str
381Empty by default.
382A semi-colon
383.Pq Ql \&;
384delimited list of paths containing
385.Xr kld 4
386modules.
387If empty,
388the contents of the
389.Va kern.module_path
390.Xr sysctl 8
391are used.
392.It Va powerd_enable
393.Pq Vt bool
394If set to
395.Dq Li YES ,
396enable the system power control facility with the
397.Xr powerd 8
398daemon.
399.It Va powerd_flags
400.Pq Vt str
401If
402.Va powerd_enable
403is set to
404.Dq Li YES ,
405these are the flags to pass to the
406.Xr powerd 8
407daemon.
408.It Va svcj_all_enable
409Enable auto-jailing of all services which are not explicitly
410excluded.
411See
412.Sx SERVICE JAILS
413for more info.
414.It Va tmpmfs
415Controls the creation of a
416.Pa /tmp
417memory file system.
418Always happens if set to
419.Dq Li YES
420and never happens if set to
421.Dq Li NO .
422If set to anything else, a memory file system is created if
423.Pa /tmp
424is not writable.
425.It Va tmpsize
426Controls the size of a created
427.Pa /tmp
428memory file system.
429.It Va tmpmfs_flags
430Extra options passed to the
431.Xr mdmfs 8
432utility when the memory file system for
433.Pa /tmp
434is created.
435The default is
436.Dq Li "-S" ,
437which inhibits the use of softupdates on
438.Pa /tmp
439so that file system space is freed without delay
440after file truncation or deletion.
441See
442.Xr mdmfs 8
443for other options you can use in
444.Va tmpmfs_flags .
445.It Va varmfs
446Controls the creation of a
447.Pa /var
448memory file system.
449Always happens if set to
450.Dq Li YES
451and never happens if set to
452.Dq Li NO .
453If set to anything else, a memory file system is created if
454.Pa /var
455is not writable.
456.It Va varsize
457Controls the size of a created
458.Pa /var
459memory file system.
460.It Va varmfs_flags
461Extra options passed to the
462.Xr mdmfs 8
463utility when the memory file system for
464.Pa /var
465is created.
466The default is
467.Dq Li "-S" ,
468which inhibits the use of softupdates on
469.Pa /var
470so that file system space is freed without delay
471after file truncation or deletion.
472See
473.Xr mdmfs 8
474for other options you can use in
475.Va varmfs_flags .
476.It Va populate_var
477Controls the automatic population of the
478.Pa /var
479file system.
480Always happens if set to
481.Dq Li YES
482and never happens if set to
483.Dq Li NO .
484If set to anything else, a memory file system is created if
485.Pa /var
486is not writable.
487Note that this process requires access to certain commands in
488.Pa /usr
489before
490.Pa /usr
491is mounted on normal systems.
492.It Va cleanvar_enable
493.Pq Vt bool
494Clean the
495.Pa /var
496directory.
497.It Va var_run_enable
498.Pq Vt bool
499Set to "YES" to enable saving of the
500.Pa /var/run
501directory structure into an mtree file at shutdown and the reload of the
502.Pa /var/run
503directory structure at boot.
504.It Va var_run_autosave
505.Pq Vt bool
506In some cases it may be undesirable to save
507.Pa /var/run
508at shutdown.
509When set to "NO"
510.Pa /var/run
511is loaded at reboot but not saved at shutdown.
512Typically in this scenario
513.Ql service var_run save
514would be performed to save a copy of the
515.Pa /var/run
516directory structure once, to be reloaded during all subsequent reboots.
517.It Va var_run_mtree
518.Pq Vt str
519Where to save the
520.Pa /var/run
521mtree.
522The default location is
523.Pa /var/db/mtree/BSD.var-run.mtree .
524.It Va local_startup
525.Pq Vt str
526List of directories to search for startup script files.
527.It Va script_name_sep
528.Pq Vt str
529The field separator to use for breaking down the list of startup script files
530into individual filenames.
531The default is a space.
532It is not necessary to change this unless there are startup scripts with names
533containing spaces.
534.It Va hostapd_enable
535.Pq Vt bool
536Set to
537.Dq Li YES
538to start
539.Xr hostapd 8
540at system boot time.
541.It Va hostname
542.Pq Vt str
543The fully qualified domain name (FQDN) of this host on the network.
544This should almost certainly be set to something meaningful, even if
545there is no network connection.
546If
547.Xr dhclient 8
548is used to set the hostname via DHCP,
549this variable should be set to an empty string.
550Within a
551.Xr jail 8
552the hostname is generally already set and this variable may be absent.
553If this value remains unset when the system is done booting
554your console login will display the default hostname of
555.Dq Amnesiac .
556.It Va nisdomainname
557.Pq Vt str
558The NIS domain name of this host, or
559.Dq Li NO
560if NIS is not used.
561.It Va hostid_enable
562.Pq Vt bool
563If set to
564.Dq Li NO ,
565disable the generation or saving of the
566.Pa hostid
567and
568.Pa machine-id
569files at system boot and shutdown.
570.It Va hostid_file
571.Pq Vt str
572Path to the
573.Pa hostid
574file, default
575.Pa /etc/hostid .
576.It Va hostid_uuidgen_flags
577.Pq Vt str
578Flags passed to
579.Xr uuidgen 1
580when generating a software host UUID.
581This is used only if the system cannot determine a hardware UUID.
582Set to
583.Dq Li -r
584by default.
585.It Va machine_id_file
586.Pq Vt str
587Path to the
588.Pa machine-id
589file, default
590.Pa /etc/machine-id .
591.It Va dhclient_program
592.Pq Vt str
593Path to the DHCP client program, defaulting to
594.Pa /sbin/dhclient .
595.It Va dhclient_flags
596.Pq Vt str
597Additional flags to pass to the DHCP client program.
598See the
599.Xr dhclient 8
600manpage for a description of the command line options available.
601.It Va dhclient_flags_ Ns Aq Ar iface
602Additional flags to pass to the DHCP client program running on
603.Ar iface
604only.
605When specified, this variable overrides
606.Va dhclient_flags .
607.It Va background_dhclient
608.Pq Vt bool
609Set to
610.Dq Li YES
611to start the DHCP client in background.
612This can cause trouble with applications depending on
613a working network, but it will provide a faster startup
614in many cases.
615.It Va background_dhclient_ Ns Aq Ar iface
616When specified, this variable overrides the
617.Va background_dhclient
618variable for interface
619.Ar iface
620only.
621.It Va synchronous_dhclient
622.Pq Vt bool
623Set to
624.Dq Li YES
625to start
626.Xr dhclient 8
627synchronously at startup.
628This behavior can be overridden on a per-interface basis by replacing
629the
630.Dq Li DHCP
631keyword in the
632.Va ifconfig_ Ns Aq Ar interface
633variable with
634.Dq Li SYNCDHCP
635or
636.Dq Li NOSYNCDHCP .
637.It Va defaultroute_delay
638.Pq Vt int
639When set to a positive value, wait up to this long after configuring
640DHCP interfaces at startup to give the interfaces time to receive a lease.
641.It Va firewall_enable
642.Pq Vt bool
643Set to
644.Dq Li YES
645to load firewall rules at startup.
646If the kernel was not built with
647.Cd "options IPFIREWALL" ,
648the
649.Pa ipfw.ko
650kernel module will be loaded.
651See also
652.Va ipfilter_enable .
653.It Va firewall_script
654.Pq Vt str
655This variable specifies the full path to the firewall script to run.
656The default is
657.Pa /etc/rc.firewall .
658.It Va firewall_type
659.Pq Vt str
660Names the firewall type from the selection in
661.Pa /etc/rc.firewall ,
662or the file which contains the local firewall ruleset.
663Valid selections from
664.Pa /etc/rc.firewall
665are:
666.Pp
667.Bl -tag -width ".Li workstation" -compact
668.It Li open
669unrestricted IP access
670.It Li closed
671all IP services disabled, except via
672.Dq Li lo0
673.It Li client
674basic protection for a workstation
675.It Li workstation
676basic protection for a workstation using stateful firewalling
677.It Li simple
678basic protection for a LAN.
679.El
680.Pp
681If a filename is specified, the full path
682must be given.
683.Pp
684Most of the predefined rulesets define additional configuration variables.
685These are documented in
686.Pa /etc/rc.firewall .
687.It Va firewall_quiet
688.Pq Vt bool
689Set to
690.Dq Li YES
691to disable the display of firewall rules on the console during boot.
692.It Va firewall_logging
693.Pq Vt bool
694Set to
695.Dq Li YES
696to enable firewall event logging.
697This is equivalent to the
698.Dv IPFIREWALL_VERBOSE
699kernel option.
700.It Va firewall_logif
701.Pq Vt bool
702Set to
703.Dq Li YES
704to create pseudo interface
705.Li ipfw0
706for logging.
707For more details, see
708.Xr ipfw 8
709manual page.
710.It Va firewall_flags
711.Pq Vt str
712Flags passed to
713.Xr ipfw 8
714if
715.Va firewall_type
716specifies a filename.
717.It Va firewall_coscripts
718.Pq Vt str
719List of executables and/or rc scripts to run after firewall starts/stops.
720Default is empty.
721.\" ----- firewall_nat_enable setting --------------------------------
722.It Va firewall_nat_enable
723.Pq Vt bool
724The
725.Xr ipfw 8
726equivalent of
727.Va natd_enable .
728Setting this to
729.Dq Li YES
730will automatically load the
731.Xr ipfw 8
732NAT kernel module if
733.Va firewall_enable
734is also set to
735.Dq Li YES .
736.It Va firewall_nat_interface
737.Pq Vt str
738The
739.Xr ipfw 8
740equivalent of
741.Va natd_interface .
742This is the name of the public interface or IP address on which
743kernel NAT should run.
744.It Va firewall_nat_flags
745.Pq Vt str
746Additional configuration parameters for kernel NAT should be placed here.
747.It Va firewall_nat64_enable
748.Pq Vt bool
749Setting this to
750.Dq Li YES
751will automatically load the
752.Xr ipfw 8
753NAT64 kernel module if
754.Va firewall_enable
755is also set to
756.Dq Li YES .
757.It Va firewall_nptv6_enable
758.Pq Vt bool
759Setting this to
760.Dq Li YES
761will automatically load the
762.Xr ipfw 8
763NPTv6 kernel module if
764.Va firewall_enable
765is also set to
766.Dq Li YES .
767.It Va firewall_pmod_enable
768.Pq Vt bool
769Setting this to
770.Dq Li YES
771will automatically load the
772.Xr ipfw 8
773pmod kernel module if
774.Va firewall_enable
775is also set to
776.Dq Li YES .
777.It Va dummynet_enable
778.Pq Vt bool
779Setting this to
780.Dq Li YES
781will automatically load the
782.Xr dummynet 4
783module if
784.Va firewall_enable
785is also set to
786.Dq Li YES .
787.\" -------------------------------------------------------------------
788.It Va ipfw_netflow_enable
789.Pq Vt bool
790Setting this to
791.Dq Li YES
792will enable netflow logging via
793.Xr ng_netflow 4 .
794.Pp
795By default a ipfw rule is inserted and all packets are duplicated with
796the ngtee command and netflow packets are sent to 127.0.0.1 on the netflow
797port using protocol version 5.
798.It Va ipfw_netflow_hook
799.Pq Vt int
800netflow hook name, must be numerical
801(default
802.Pa 9995 ) .
803.It Va ipfw_netflow_rule
804.Pq Vt int
805ipfw rule number
806(default
807.Pa 1000 ) .
808.It Va ipfw_netflow_ip
809.Pq Vt str
810Destination server ip for receiving netflow data
811(default
812.Pa 127.0.0.1 ) .
813.It Va ipfw_netflow_port
814.Pq Vt int
815Destination server port for receiving netflow data
816(default
817.Pa 9995 ) .
818.It Va ipfw_netflow_version
819.Pq Vt int
820Do not set for using version 5 of the netflow protocol, set it to 9 for using
821version 9.
822.It Va ipfw_netflow_fib
823.Pq Vt int
824Only match packet in FIB
825.Pa ipfw_netflow_fib
826(default is undefined meaning all FIBs).
827.It Va natd_program
828.Pq Vt str
829Path to
830.Xr natd 8 .
831.It Va natd_enable
832.Pq Vt bool
833Set to
834.Dq Li YES
835to enable
836.Xr natd 8 .
837.Va firewall_enable
838must also be set to
839.Dq Li YES ,
840and
841.Xr divert 4
842sockets must be enabled in the kernel.
843If the kernel was not built with
844.Cd "options IPDIVERT" ,
845the
846.Pa ipdivert.ko
847kernel module will be loaded.
848.It Va natd_interface
849.Pq Vt str
850This is the name of the public interface on which
851.Xr natd 8
852should run.
853The interface may be given as an interface name or as an IP address.
854.It Va natd_flags
855.Pq Vt str
856Additional
857.Xr natd 8
858flags should be placed here.
859The
860.Fl n
861or
862.Fl a
863flag is automatically added with the above
864.Va natd_interface
865as an argument.
866.\" ----- ipfilter_enable setting --------------------------------
867.It Va ipfilter_enable
868.Pq Vt bool
869Set to
870.Dq Li NO
871by default.
872Setting this to
873.Dq Li YES
874enables
875.Xr ipf 8
876packet filtering.
877.Pp
878Typical usage will require putting
879.Bd -literal
880ipfilter_enable="YES"
881ipnat_enable="YES"
882ipmon_enable="YES"
883ipfs_enable="YES"
884.Ed
885.Pp
886into
887.Pa /etc/rc.conf
888and editing
889.Pa /etc/ipf.rules
890and
891.Pa /etc/ipnat.rules
892appropriately.
893.Pp
894Note that
895.Va ipfilter_enable
896and
897.Va ipnat_enable
898can be enabled independently.
899.Va ipmon_enable
900and
901.Va ipfs_enable
902both require at least one of
903.Va ipfilter_enable
904and
905.Va ipnat_enable
906to be enabled.
907.Pp
908Having
909.Bd -literal
910options IPFILTER
911options IPFILTER_LOG
912options IPFILTER_DEFAULT_BLOCK
913.Ed
914.Pp
915in the kernel configuration file is a good idea, too.
916.\" ----- ipfilter_program setting ------------------------------
917.It Va ipfilter_program
918.Pq Vt str
919Path to
920.Xr ipf 8
921(default
922.Pa /sbin/ipf ) .
923.\" ----- ipfilter_rules setting --------------------------------
924.It Va ipfilter_rules
925.Pq Vt str
926Set to
927.Pa /etc/ipf.rules
928by default.
929This variable contains the name of the filter rule definition file.
930The file is expected to be readable for the
931.Xr ipf 8
932command to execute.
933.\" ----- ipfilter_flags setting --------------------------------
934.It Va ipfilter_flags
935.Pq Vt str
936Empty by default.
937This variable contains flags passed to the
938.Xr ipf 8
939program.
940.\" ----- ipnat_enable setting ----------------------------------
941.It Va ipnat_enable
942.Pq Vt bool
943Set to
944.Dq Li NO
945by default.
946Set it to
947.Dq Li YES
948to enable
949.Xr ipnat 8
950network address translation.
951See
952.Va ipfilter_enable
953for a detailed discussion.
954.\" ----- ipnat_program setting ---------------------------------
955.It Va ipnat_program
956.Pq Vt str
957Path to
958.Xr ipnat 8
959(default
960.Pa /sbin/ipnat ) .
961.\" ----- ipnat_rules setting -----------------------------------
962.It Va ipnat_rules
963.Pq Vt str
964Set to
965.Pa /etc/ipnat.rules
966by default.
967This variable contains the name of the file
968holding the network address translation definition.
969This file is expected to be readable for the
970.Xr ipnat 8
971command to execute.
972.\" ----- ipnat_flags setting -----------------------------------
973.It Va ipnat_flags
974.Pq Vt str
975Empty by default.
976This variable contains flags passed to the
977.Xr ipnat 8
978program.
979.\" ----- ipmon_enable setting ----------------------------------
980.It Va ipmon_enable
981.Pq Vt bool
982Set to
983.Dq Li NO
984by default.
985Set it to
986.Dq Li YES
987to enable
988.Xr ipmon 8
989monitoring (logging
990.Xr ipf 8
991and
992.Xr ipnat 8
993events).
994Setting this variable needs setting
995.Va ipfilter_enable
996or
997.Va ipnat_enable
998too.
999See
1000.Va ipfilter_enable
1001for a detailed discussion.
1002.\" ----- ipmon_program setting ---------------------------------
1003.It Va ipmon_program
1004.Pq Vt str
1005Path to
1006.Xr ipmon 8
1007(default
1008.Pa /sbin/ipmon ) .
1009.\" ----- ipmon_flags setting -----------------------------------
1010.It Va ipmon_flags
1011.Pq Vt str
1012Set to
1013.Dq Li -Ds
1014by default.
1015This variable contains flags passed to the
1016.Xr ipmon 8
1017program.
1018Another typical example would be
1019.Dq Fl D Pa /var/log/ipflog
1020to have
1021.Xr ipmon 8
1022log directly to a file bypassing
1023.Xr syslogd 8 .
1024Make sure to adjust
1025.Pa /etc/newsyslog.conf
1026in such case like this:
1027.Bd -literal
1028/var/log/ipflog  640  10  100  *  Z  /var/run/ipmon.pid
1029.Ed
1030.\" ----- ipfs_enable setting -----------------------------------
1031.It Va ipfs_enable
1032.Pq Vt bool
1033Set to
1034.Dq Li NO
1035by default.
1036Set it to
1037.Dq Li YES
1038to enable
1039.Xr ipfs 8
1040saving the filter and NAT state tables during shutdown
1041and reloading them during startup again.
1042Setting this variable needs setting
1043.Va ipfilter_enable
1044or
1045.Va ipnat_enable
1046to
1047.Dq Li YES
1048too.
1049See
1050.Va ipfilter_enable
1051for a detailed discussion.
1052Note that if
1053.Va kern_securelevel
1054is set to 3,
1055.Va ipfs_enable
1056cannot be used
1057because the raised securelevel will prevent
1058.Xr ipfs 8
1059from saving the state tables at shutdown time.
1060.\" ----- ipfs_program setting ----------------------------------
1061.It Va ipfs_program
1062.Pq Vt str
1063Path to
1064.Xr ipfs 8
1065(default
1066.Pa /sbin/ipfs ) .
1067.\" ----- ipfs_flags setting ------------------------------------
1068.It Va ipfs_flags
1069.Pq Vt str
1070Empty by default.
1071This variable contains flags passed to the
1072.Xr ipfs 8
1073program.
1074.\" ----- end of added ipf hook ---------------------------------
1075.It Va pf_enable
1076.Pq Vt bool
1077Set to
1078.Dq Li NO
1079by default.
1080Setting this to
1081.Dq Li YES
1082enables
1083.Xr pf 4
1084packet filtering.
1085.Pp
1086Typical usage will require putting
1087.Pp
1088.Dl pf_enable="YES"
1089.Pp
1090into
1091.Pa /etc/rc.conf
1092and editing
1093.Pa /etc/pf.conf
1094appropriately.
1095Adding
1096.Pp
1097.Dl "device pf"
1098.Pp
1099builds support for
1100.Xr pf 4
1101into the kernel, otherwise the
1102kernel module will be loaded.
1103.It Va pf_rules
1104.Pq Vt str
1105Path to
1106.Xr pf 4
1107ruleset configuration file
1108(default
1109.Pa /etc/pf.conf ) .
1110.It Va pf_program
1111.Pq Vt str
1112Path to
1113.Xr pfctl 8
1114(default
1115.Pa /sbin/pfctl ) .
1116.It Va pf_flags
1117.Pq Vt str
1118If
1119.Va pf_enable
1120is set to
1121.Dq Li YES ,
1122these flags are passed to the
1123.Xr pfctl 8
1124program when loading the ruleset.
1125.It Va pf_fallback_rules_enable
1126.Pq Vt bool
1127Set to
1128.Dq Li NO
1129by default.
1130Setting this to
1131.Dq Li YES
1132enables loading
1133.Va pf_fallback_rules_file
1134or
1135.Va pf_fallback_rules
1136in case of a problem when loading the ruleset in
1137.Va pf_rules .
1138.It Va pf_fallback_rules_file
1139.Pq Vt str
1140Path to a pf ruleset to load in case of failure when loading the
1141ruleset in
1142.Va pf_rules
1143(default
1144.Pa /etc/pf-fallback.conf ) .
1145.It Va pf_fallback_rules
1146.Pq Vt str
1147A pf ruleset to load in case of failure when loading the ruleset in
1148.Va pf_rules
1149and
1150.Va pf_fallback_rules_file
1151is not found.
1152Multiple rules can be set as follows:
1153.Bd -literal
1154pf_fallback_rules="\\
1155	block drop log all\\
1156	pass in quick on em0"
1157.Pp
1158.Ed
1159The default fallback rule is
1160.Dq block drop log all
1161.It Va pflog_enable
1162.Pq Vt bool
1163Set to
1164.Dq Li NO
1165by default.
1166Setting this to
1167.Dq Li YES
1168enables
1169.Xr pflogd 8
1170which logs packets from the
1171.Xr pf 4
1172packet filter.
1173.It Va pflog_logfile
1174.Pq Vt str
1175If
1176.Va pflog_enable
1177is set to
1178.Dq Li YES
1179this controls where
1180.Xr pflogd 8
1181stores the logfile
1182(default
1183.Pa /var/log/pflog ) .
1184Check
1185.Pa /etc/newsyslog.conf
1186to adjust logfile rotation for this.
1187.It Va pflog_program
1188.Pq Vt str
1189Path to
1190.Xr pflogd 8
1191(default
1192.Pa /sbin/pflogd ) .
1193.It Va pflog_flags
1194.Pq Vt str
1195Empty by default.
1196This variable contains additional flags passed to the
1197.Xr pflogd 8
1198program.
1199.It Va pflog_instances
1200.Pq Vt str
1201If logging to more than one
1202.Xr pflog 4
1203interface is desired,
1204.Va pflog_instances
1205is set to the list of
1206.Xr pflogd 8
1207instances that should be started at system boot time.
1208If
1209.Va pflog_instances
1210is set, for each whitespace-separated
1211.Ar element
1212in the list,
1213.Ao Ar element Ac Ns Va _dev
1214and
1215.Ao Ar element Ac Ns Va _logfile
1216elements are assumed to exist.
1217.Ao Ar element Ac Ns Va _dev
1218must contain the
1219.Xr pflog 4
1220interface to be watched by the named
1221.Xr pflogd 8
1222instance.
1223.Ao Ar element Ac Ns Va _logfile
1224must contain the name of the logfile that will be used by the
1225.Xr pflogd 8
1226instance.
1227.It Va ftpproxy_enable
1228.Pq Vt bool
1229Set to
1230.Dq Li NO
1231by default.
1232Setting this to
1233.Dq Li YES
1234enables
1235.Xr ftp-proxy 8
1236which supports the
1237.Xr pf 4
1238packet filter in translating ftp connections.
1239.It Va ftpproxy_flags
1240.Pq Vt str
1241Empty by default.
1242This variable contains additional flags passed to the
1243.Xr ftp-proxy 8
1244program.
1245.It Va ftpproxy_instances
1246.Pq Vt str
1247Empty by default.
1248If multiple instances of
1249.Xr ftp-proxy 8
1250are desired at boot time,
1251.Va ftpproxy_instances
1252should contain a whitespace-separated list of instance names.
1253For each
1254.Ar element
1255in the list, a variable named
1256.Ao Ar element Ac Ns Va _flags
1257should be defined, containing the command-line flags to be passed to the
1258.Xr ftp-proxy 8
1259instance.
1260.It Va pfsync_enable
1261.Pq Vt bool
1262Set to
1263.Dq Li NO
1264by default.
1265Setting this to
1266.Dq Li YES
1267enables exposing
1268.Xr pf 4
1269state changes to other hosts over the network by means of
1270.Xr pfsync 4 .
1271The
1272.Va pfsync_syncdev
1273variable
1274must also be set then.
1275.It Va pfsync_syncdev
1276.Pq Vt str
1277Empty by default.
1278This variable specifies the name of the network interface
1279.Xr pfsync 4
1280should operate through.
1281It must be set accordingly if
1282.Va pfsync_enable
1283is set to
1284.Dq Li YES .
1285.It Va pfsync_syncpeer
1286.Pq Vt str
1287Empty by default.
1288This variable is optional.
1289By default, state change messages are sent out on the synchronisation
1290interface using IP multicast packets.
1291The protocol is IP protocol 240, PFSYNC, and the multicast group used is
1292224.0.0.240.
1293When a peer address is specified using the
1294.Va pfsync_syncpeer
1295option, the peer address is used as a destination for the pfsync
1296traffic, and the traffic can then be protected using
1297.Xr ipsec 4 .
1298See the
1299.Xr pfsync 4
1300manpage for more details about using
1301.Xr ipsec 4
1302with
1303.Xr pfsync 4
1304interfaces.
1305.It Va pfsync_ifconfig
1306.Pq Vt str
1307Empty by default.
1308This variable can contain additional options to be passed to the
1309.Xr ifconfig 8
1310command used to set up
1311.Xr pfsync 4 .
1312.It Va tcp_extensions
1313.Pq Vt bool
1314Set to
1315.Dq Li YES
1316by default.
1317Setting this to
1318.Dq Li NO
1319disables certain TCP options as described by
1320.Rs
1321.%T "RFC 1323"
1322.Re
1323Setting this to
1324.Dq Li NO
1325might help remedy such problems with connections as randomly hanging
1326or other weird behavior.
1327Some network devices are known
1328to be broken with respect to these options.
1329.It Va log_in_vain
1330.Pq Vt int
1331Set to 0 by default.
1332The
1333.Xr sysctl 8
1334variables,
1335.Va net.inet.tcp.log_in_vain
1336and
1337.Va net.inet.udp.log_in_vain ,
1338as described in
1339.Xr tcp 4
1340and
1341.Xr udp 4 ,
1342are set to the given value.
1343.It Va tcp_keepalive
1344.Pq Vt bool
1345Set to
1346.Dq Li YES
1347by default.
1348Setting to
1349.Dq Li NO
1350will disable probing idle TCP connections to verify that the
1351peer is still up and reachable.
1352.It Va tcp_drop_synfin
1353.Pq Vt bool
1354Set to
1355.Dq Li NO
1356by default.
1357Setting to
1358.Dq Li YES
1359will cause the kernel to ignore TCP frames that have both
1360the SYN and FIN flags set.
1361This prevents OS fingerprinting, but may
1362break some legitimate applications.
1363.It Va icmp_drop_redirect
1364.Pq Vt bool
1365Set to
1366.Dq Li AUTO
1367by default.
1368This setting will be identical to
1369.Dq Li YES ,
1370if a dynamic routing daemon is enabled, because redirect processing may
1371cause performance issues for large routing tables.
1372If no such service is enabled, this setting behaves like a
1373.Dq Li NO .
1374Setting to
1375.Dq Li YES
1376will cause the kernel to ignore ICMP REDIRECT packets.
1377Setting to
1378.Dq Li NO
1379will cause the kernel to process ICMP REDIRECT packets.
1380Refer to
1381.Xr icmp 4
1382for more information.
1383.It Va icmp_log_redirect
1384.Pq Vt bool
1385Set to
1386.Dq Li NO
1387by default.
1388Setting to
1389.Dq Li YES
1390will cause the kernel to log ICMP REDIRECT packets.
1391Note that
1392the log messages are not rate-limited, so this option should only be used
1393for troubleshooting networks.
1394Refer to
1395.Xr icmp 4
1396for more information.
1397.It Va icmp_bmcastecho
1398.Pq Vt bool
1399Set to
1400.Dq Li YES
1401to respond to broadcast or multicast ICMP ping packets.
1402Refer to
1403.Xr icmp 4
1404for more information.
1405.It Va ip_portrange_first
1406.Pq Vt int
1407If not set to
1408.Dq Li NO ,
1409this is the first port in the default portrange.
1410Refer to
1411.Xr ip 4
1412for more information.
1413.It Va ip_portrange_last
1414.Pq Vt int
1415If not set to
1416.Dq Li NO ,
1417this is the last port in the default portrange.
1418Refer to
1419.Xr ip 4
1420for more information.
1421.It Va network_interfaces
1422.Pq Vt str
1423Set to the list of network interfaces to configure on this host or
1424.Dq Li AUTO
1425(the default) for all current interfaces.
1426Setting the
1427.Va network_interfaces
1428variable to anything other than the default is deprecated.
1429Interfaces that the administrator wishes to store configuration for,
1430but not start at boot should be configured with the
1431.Dq Li NOAUTO
1432keyword in their
1433.Va ifconfig_ Ns Aq Ar interface
1434variables as described below.
1435.Pp
1436An
1437.Va ifconfig_ Ns Aq Ar interface
1438variable is assumed to exist for each value of
1439.Ar interface .
1440When an interface name contains any of the characters
1441.Dq Li .-/+
1442they are translated to
1443.Dq Li _
1444before lookup.
1445For example, the interface
1446.Va em0.102
1447would be configured using the variable
1448.Va ifconfig_em0_102 .
1449.Pp
1450The variable can contain arguments to
1451.Xr ifconfig 8 ,
1452as well as special case-insensitive keywords described below.
1453Such keywords are removed before passing the value to
1454.Xr ifconfig 8
1455while the order of the other arguments is preserved.
1456.Pp
1457For example, to assign the IPv4 address 192.0.2.1/24 to the interface em0:
1458.Bd -literal
1459ifconfig_em0="inet 192.0.2.1/24 up"
1460.Ed
1461.Pp
1462If the variable
1463.Va ifconfig_ Ns Ao Ar interface Ac Ns Pa _ipv6
1464is set, then
1465.Va ifconfig_ Ns Aq Ar interface
1466does not need to be set unless an IPv4 address should also be assigned to
1467the interface.
1468.Pp
1469It is possible to add IP alias entries using
1470.Xr ifconfig 8
1471syntax with the address family keyword such as
1472.Li inet .
1473Assuming that the interface in question was
1474.Li em0 ,
1475it might look something like this:
1476.Bd -literal
1477ifconfig_em0_alias0="inet 127.0.0.253/32"
1478ifconfig_em0_alias1="inet 127.0.0.254/32"
1479.Ed
1480.Pp
1481It also possible to configure multiple IP addresses in Classless
1482Inter-Domain Routing
1483.Pq CIDR
1484address notation,
1485whose each address component can be a range like
1486.Li inet 192.0.2.5-23/24
1487or
1488.Li inet6 2001:db8:1-f::1/64 .
1489This notation allows address and prefix length part only,
1490not the other address modifiers.
1491Note that the maximum number of the generated addresses from a range
1492specification is limited to an integer value specified in
1493.Va netif_ipexpand_max
1494in
1495.Nm
1496because a small typo can unexpectedly generate a large number of addresses.
1497The default value is
1498.Li 2048 .
1499It can be increased by adding the following line into
1500.Nm :
1501.Bd -literal
1502netif_ipexpand_max="4096"
1503.Ed
1504.Pp
1505In the case of
1506.Li 192.0.2.5-23/24 ,
1507the address 192.0.2.5 will be configured with the prefix length /24 and the
1508addresses 192.0.2.6 to 192.0.2.23 with the non-conflicting prefix length /32 as
1509explained in the
1510.Xr ifconfig 8
1511alias section.
1512Note that this special CIDR handling is only for
1513.Li inet ,
1514not for the other address families such as
1515.Li inet6 .
1516.Pp
1517With the interface in question being
1518.Li em0 ,
1519an example could look like:
1520.Bd -literal
1521ifconfig_em0_alias2="inet 192.0.2.129/27"
1522ifconfig_em0_alias3="inet 192.0.2.1-5/28"
1523.Ed
1524.Pp
1525and so on.
1526.Pp
1527Note that deprecated
1528.Va ipv4_addrs_ Ns Aq Ar interface
1529variable was supported for IPv4 CIDR address notation.
1530The
1531.Va ifconfig_ Ns Ao Ar interface Ac Ns Va _alias Ns Aq Ar n
1532variable replaces it, though
1533.Va ipv4_addrs_ Ns Aq Ar interface
1534is still supported for backward compatibility.
1535.Pp
1536For each
1537.Va ifconfig_ Ns Ao Ar interface Ac Ns Va _alias Ns Aq Ar n
1538entry with an address family keyword,
1539its contents are passed to
1540.Xr ifconfig 8 .
1541Execution stops at the first unsuccessful access, so if
1542something like this is present:
1543.Bd -literal
1544ifconfig_em0_alias0="inet 127.0.0.251/32"
1545ifconfig_em0_alias1="inet 127.0.0.252/32"
1546ifconfig_em0_alias2="inet 127.0.0.253/32"
1547ifconfig_em0_alias4="inet 127.0.0.254/32"
1548.Ed
1549.Pp
1550Then note that alias4 would
1551.Em not
1552be added since the search would
1553stop with the missing
1554.Dq Li alias3
1555entry.
1556Because of this difficult to manage behavior,
1557there is
1558.Va ifconfig_ Ns Ao Ar interface Ac Ns Va _aliases
1559variable, which has the same functionality as
1560.Va ifconfig_ Ns Ao Ar interface Ac Ns Va _alias Ns Aq Ar n
1561and can have all of the entries in a variable like the following:
1562.Bd -literal
1563ifconfig_em0_aliases="\\
1564	inet 127.0.0.251/32 \\
1565	inet 127.0.0.252/32 \\
1566	inet 127.0.0.253/32 \\
1567	inet 127.0.0.254/32"
1568.Ed
1569.Pp
1570It also supports netmask notation for backward compatibility.
1571.Pp
1572If the
1573.Pa /etc/start_if . Ns Aq Ar interface
1574file is present, it is read and executed by the
1575.Xr sh 1
1576interpreter
1577before configuring the interface as specified in the
1578.Va ifconfig_ Ns Aq Ar interface
1579and
1580.Va ifconfig_ Ns Ao Ar interface Ac Ns Va _alias Ns Aq Ar n
1581variables.
1582.Pp
1583If a
1584.Va vlans_ Ns Aq Ar interface
1585variable is set,
1586a
1587.Xr vlan 4
1588interface will be created for each item in the list with the
1589.Ar vlandev
1590argument set to
1591.Ar interface .
1592If a vlan interface's name is a number,
1593then that number is used as the vlan tag and the new vlan interface is
1594named
1595.Ar interface . Ns Ar tag .
1596Otherwise,
1597the vlan tag must be specified via a
1598.Va vlan
1599parameter in the
1600.Va create_args_ Ns Aq Ar interface
1601variable.
1602.Pp
1603To create a vlan device named
1604.Li em0.101
1605on
1606.Li em0
1607with the vlan tag 101 and the optional IPv4 address 192.0.2.1/24:
1608.Bd -literal
1609vlans_em0="101"
1610ifconfig_em0_101="inet 192.0.2.1/24"
1611.Ed
1612.Pp
1613To create a vlan device named
1614.Li myvlan
1615on
1616.Li em0
1617with the vlan tag 102:
1618.Bd -literal
1619vlans_em0="myvlan"
1620create_args_myvlan="vlan 102"
1621.Ed
1622.Pp
1623If a
1624.Va wlans_ Ns Aq Ar interface
1625variable is set,
1626an
1627.Xr wlan 4
1628interface will be created for each item in the list with the
1629.Ar wlandev
1630argument set to
1631.Ar interface .
1632Further wlan cloning arguments may be passed to the
1633.Xr ifconfig 8
1634.Cm create
1635command by setting the
1636.Va create_args_ Ns Aq Ar interface
1637variable.
1638One or more
1639.Xr wlan 4
1640devices must be created for each wireless device as of
1641.Fx 8.0 .
1642Debugging flags for
1643.Xr wlan 4
1644devices as set by
1645.Xr wlandebug 8
1646may be specified with an
1647.Va wlandebug_ Ns Aq Ar interface
1648variable.
1649The contents of this variable will be passed directly to
1650.Xr wlandebug 8 .
1651.Pp
1652If the
1653.Va ifconfig_ Ns Aq Ar interface
1654contains the keyword
1655.Dq Li NOAUTO
1656then the interface will not be configured
1657at boot or by
1658.Pa /etc/pccard_ether
1659when
1660.Va network_interfaces
1661is set to
1662.Dq Li AUTO .
1663.Pp
1664It is possible to bring up an interface with DHCP by adding
1665.Dq Li DHCP
1666to the
1667.Va ifconfig_ Ns Aq Ar interface
1668variable.
1669For instance, to initialize the
1670.Li em0
1671device via DHCP,
1672it is possible to use something like:
1673.Bd -literal
1674ifconfig_em0="DHCP"
1675.Ed
1676.Pp
1677If you want to configure your wireless interface with
1678.Xr wpa_supplicant 8
1679for use with WPA, EAP/LEAP or WEP, you need to add
1680.Dq Li WPA
1681to the
1682.Va ifconfig_ Ns Aq Ar interface
1683variable.
1684.Pp
1685On the other hand, if you want to configure your wireless interface with
1686.Xr hostapd 8 ,
1687you need to add
1688.Dq Li HOSTAP
1689to the
1690.Va ifconfig_ Ns Aq Ar interface
1691variable.
1692.Xr hostapd 8
1693will use the settings from
1694.Pa /etc/hostapd- Ns Ao Ar interface Ac Ns .conf
1695.Pp
1696Finally, you can add
1697.Xr ifconfig 8
1698options in this variable, in addition to the
1699.Pa /etc/start_if . Ns Aq Ar interface
1700file.
1701For instance, to configure an
1702.Xr ath 4
1703wireless device in station mode with an address obtained
1704via DHCP, using WPA authentication and 802.11b mode, it is
1705possible to use something like:
1706.Bd -literal
1707wlans_ath0="wlan0"
1708ifconfig_wlan0="DHCP WPA mode 11b"
1709.Ed
1710.Pp
1711In addition to the
1712.Va ifconfig_ Ns Aq Ar interface
1713form, a fallback variable
1714.Va ifconfig_DEFAULT
1715may be configured.
1716It will be used for all interfaces with no
1717.Va ifconfig_ Ns Aq Ar interface
1718variable.
1719.Pp
1720It is also possible to rename an interface by doing:
1721.Bd -literal
1722ifconfig_em0_name="net0"
1723ifconfig_net0="inet 192.0.2.1/24"
1724.Ed
1725.It Va ipv6_enable
1726.Pq Vt bool
1727This variable is deprecated.
1728Use
1729.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
1730and
1731.Va ipv6_activate_all_interfaces
1732if necessary.
1733.Pp
1734If the variable is
1735.Dq Li YES ,
1736.Dq Li inet6 accept_rtadv
1737is added to all of
1738.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
1739and the
1740.Va ipv6_activate_all_interfaces
1741is defined as
1742.Dq Li YES .
1743.It Va ipv6_prefer
1744.Pq Vt bool
1745This variable is deprecated.
1746Use
1747.Va ip6addrctl_policy
1748instead.
1749.Pp
1750If the variable is
1751.Dq Li YES ,
1752the default address selection policy table set by
1753.Xr ip6addrctl 8
1754will be IPv6-preferred.
1755.Pp
1756If the variable is
1757.Dq Li NO ,
1758the default address selection policy table set by
1759.Xr ip6addrctl 8
1760will be IPv4-preferred.
1761.It Va ipv6_activate_all_interfaces
1762.Pq Vt bool
1763This controls initial configuration on IPv6-capable
1764interfaces with no corresponding
1765.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
1766variable.
1767Note that it is not always necessary to set this variable to
1768.Dq YES
1769to use IPv6 functionality on
1770.Fx .
1771In most cases, just configuring
1772.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
1773variables works.
1774.Pp
1775If the variable is
1776.Dq Li NO ,
1777all interfaces which do not have a corresponding
1778.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
1779variable will be marked as
1780.Dq Li IFDISABLED
1781at creation.
1782This means that all IPv6 functionality on that interface
1783is completely disabled to enforce a security policy.
1784If the variable is set to
1785.Dq YES ,
1786the flag will be cleared on all of the interfaces.
1787.Pp
1788In most cases, just defining an
1789.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
1790for an IPv6-capable interface should be sufficient.
1791However, if an interface is added dynamically
1792.Pq by some tunneling protocols such as PPP, for example ,
1793it is often difficult to define the variable in advance.
1794In such a case, configuring the
1795.Dq Li IFDISABLED
1796flag can be disabled by setting this variable to
1797.Dq YES .
1798.Pp
1799For more details of the
1800.Dq Li IFDISABLED
1801flag and keywords
1802.Dq Li inet6 ifdisabled ,
1803see
1804.Xr ifconfig 8 .
1805.Pp
1806Default is
1807.Dq Li NO .
1808.It Va ipv6_privacy
1809.Pq Vt bool
1810If the variable is
1811.Dq Li YES
1812privacy addresses will be generated for each IPv6
1813interface as described in RFC 4941.
1814.It Va ipv6_network_interfaces
1815.Pq Vt str
1816This is the IPv6 equivalent of
1817.Va network_interfaces .
1818Normally manual configuration of this variable is not needed.
1819.It Va ipv6_cpe_wanif
1820.Pq Vt str
1821If the variable is set to an interface name,
1822the
1823.Xr ifconfig 8
1824options
1825.Dq inet6 -no_radr accept_rtadv
1826will be added to the specified interface automatically before evaluating
1827.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6 ,
1828and two
1829.Xr sysctl 8
1830variables
1831.Va net.inet6.ip6.rfc6204w3
1832and
1833.Va net.inet6.ip6.no_radr
1834will be set to 1.
1835.Pp
1836This means the specified interface will accept ICMPv6 Router
1837Advertisement messages on that link and add the discovered
1838routers into the Default Router List.
1839While the other interfaces can still accept RA messages if the
1840.Dq inet6 accept_rtadv
1841option is specified, adding
1842routes into the Default Router List will be disabled by
1843.Dq inet6 no_radr
1844option by default.
1845See
1846.Xr ifconfig 8
1847for more details.
1848.Pp
1849Note that ICMPv6 Router Advertisement messages will be
1850accepted even when
1851.Va net.inet6.ip6.forwarding
1852is 1
1853.Pq packet forwarding is enabled
1854when
1855.Va net.inet6.ip6.rfc6204w3
1856is set to 1.
1857.Pp
1858Default is
1859.Dq Li NO .
1860.It Va ifconfig_ Ns Ao Ar interface Ac Ns _descr
1861.Pq Vt str
1862This assigns arbitrary description to an interface.
1863The
1864.Xr sysctl 8
1865variable
1866.Va net.ifdescr_maxlen
1867limits its length.
1868This static setting may be overridden by commands
1869started with dynamic interface configuration utilities
1870like
1871.Xr dhclient 8
1872hooks.
1873The description can be seen with
1874.Xr ifconfig 8
1875command and it may be exported with
1876.Xr bsnmpd 1
1877daemon using its MIB-2 module.
1878.It Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
1879.Pq Vt str
1880IPv6 functionality on an interface should be configured by
1881.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6 ,
1882instead of setting ifconfig parameters in
1883.Va ifconfig_ Ns Aq Ar interface .
1884If this variable is empty, all IPv6 configurations on the
1885specified interface by other variables such as
1886.Va ipv6_prefix_ Ns Ao Ar interface Ac
1887will be ignored.
1888.Pp
1889Aliases should be set by
1890.Va ifconfig_ Ns Ao Ar interface Ac Ns Va _alias Ns Aq Ar n
1891with
1892.Dq Li inet6
1893keyword.
1894For example:
1895.Bd -literal
1896ifconfig_em0_ipv6="inet6 2001:db8:1::1 prefixlen 64"
1897ifconfig_em0_alias0="inet6 2001:db8:2::1 prefixlen 64"
1898.Ed
1899.Pp
1900Interfaces that have an
1901.Dq Li inet6 accept_rtadv
1902keyword in
1903.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
1904setting will be automatically configured by SLAAC
1905.Pq StateLess Address AutoConfiguration
1906described in
1907.Rs
1908.%T "RFC 4862"
1909.Re
1910.Pp
1911Note that a link-local address will be automatically configured in
1912addition to the configured global-scope addresses because the IPv6
1913specifications require it on each link.
1914The address is calculated from the MAC address by using an algorithm
1915defined in
1916.Rs
1917.%T "RFC 4862"
1918.%O "Section 5.3"
1919.Re
1920.Pp
1921If only a link-local address is needed on the interface,
1922the following configuration can be used:
1923.Bd -literal
1924ifconfig_em0_ipv6="inet6 auto_linklocal"
1925.Ed
1926.Pp
1927A link-local address can also be configured manually.
1928This is useful for the default router address of an IPv6 router
1929so that it does not change when the network interface
1930card is replaced.
1931For example:
1932.Bd -literal
1933ifconfig_em0_ipv6="inet6 fe80::1 prefixlen 64"
1934.Ed
1935.It Va ipv6_prefix_ Ns Aq Ar interface
1936.Pq Vt str
1937If one or more prefixes are defined in
1938.Va ipv6_prefix_ Ns Aq Ar interface
1939addresses based on each prefix and the EUI-64 interface index will be
1940configured on that interface.
1941Note that this variable will be ignored when
1942.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
1943is empty.
1944.Pp
1945For example, the following configuration
1946.Bd -literal
1947ipv6_prefix_em0="2001:db8:1:0 2001:db8:2:0"
1948.Ed
1949.Pp
1950is equivalent to the following:
1951.Bd -literal
1952ifconfig_em0_alias0="inet6 2001:db8:1:: eui64 prefixlen 64"
1953ifconfig_em0_alias1="inet6 2001:db8:1:: prefixlen 64 anycast"
1954ifconfig_em0_alias2="inet6 2001:db8:2:: eui64 prefixlen 64"
1955ifconfig_em0_alias3="inet6 2001:db8:2:: prefixlen 64 anycast"
1956.Ed
1957.Pp
1958These Subnet-Router anycast addresses will be added only when
1959.Va ipv6_gateway_enable
1960is YES.
1961.It Va ipv6_default_interface
1962.Pq Vt str
1963If not set to
1964.Dq Li NO ,
1965this is the default output interface for scoped addresses.
1966This works only with ipv6_gateway_enable="NO".
1967.It Va ip6addrctl_enable
1968.Pq Vt bool
1969This variable is to enable configuring default address selection policy table
1970.Pq RFC 3484 .
1971The table can be specified in another variable
1972.Va ip6addrctl_policy .
1973For
1974.Va ip6addrctl_policy
1975the following keywords can be specified:
1976.Dq Li ipv4_prefer ,
1977.Dq Li ipv6_prefer ,
1978or
1979.Dq Li AUTO .
1980.Pp
1981If
1982.Dq Li ipv4_prefer
1983or
1984.Dq Li ipv6_prefer
1985is specified,
1986.Xr ip6addrctl 8
1987installs a pre-defined policy table described in Section 10.3
1988.Pq IPv4-preferred
1989or 2.1
1990.Pq IPv6-preferred
1991of RFC 3484.
1992.Pp
1993If
1994.Dq Li AUTO
1995is specified, it attempts to read a file
1996.Pa /etc/ip6addrctl.conf
1997first.
1998If this file is found,
1999.Xr ip6addrctl 8
2000reads and installs it.
2001If not found, a policy is automatically set
2002according to
2003.Va ipv6_activate_all_interfaces
2004variable; if the variable is set to
2005.Dq Li YES
2006the IPv6-preferred one is used.
2007Otherwise IPv4-preferred.
2008.Pp
2009The default value of
2010.Va ip6addrctl_enable
2011and
2012.Va ip6addrctl_policy
2013are
2014.Dq Li YES
2015and
2016.Dq Li AUTO ,
2017respectively.
2018.It Va cloned_interfaces
2019.Pq Vt str
2020Set to the list of clonable network interfaces to create on this host.
2021Further cloning arguments may be passed to the
2022.Xr ifconfig 8
2023.Cm create
2024command for each interface by setting the
2025.Va create_args_ Ns Aq Ar interface
2026variable.
2027If an interface name is specified with
2028.Dq :sticky
2029keyword,
2030the interface will not be destroyed even when
2031.Pa rc.d/netif
2032script is invoked with
2033.Dq stop
2034argument.
2035This is useful when reconfiguring the interface without destroying it.
2036Entries in
2037.Va cloned_interfaces
2038are automatically appended to
2039.Va network_interfaces
2040for configuration.
2041.It Va cloned_interfaces_sticky
2042.Pq Vt bool
2043This variable is to globally enable functionality of
2044.Dq :sticky
2045keyword in
2046.Va cloned_interfaces
2047for all interfaces.
2048The default value is
2049.Dq NO .
2050Even if this variable is specified to
2051.Dq YES ,
2052.Dq :nosticky
2053keyword can be used to override it on per interface basis.
2054.It Va gif_interfaces
2055Set to the list of
2056.Xr gif 4
2057tunnel interfaces to configure on this host.
2058A
2059.Va gifconfig_ Ns Aq Ar interface
2060variable is assumed to exist for each value of
2061.Ar interface .
2062The value of this variable is used to configure the link layer of the
2063tunnel using the
2064.Cm tunnel
2065option to
2066.Xr ifconfig 8 .
2067Additionally, this option ensures that each listed interface is created
2068via the
2069.Cm create
2070option to
2071.Xr ifconfig 8
2072before attempting to configure it.
2073.Pp
2074For example, configure two
2075.Xr gif 4
2076interfaces with:
2077.Bd -literal
2078gif_interfaces="gif0 gif1"
2079gifconfig_gif0="100.64.0.1 100.64.0.2"
2080ifconfig_gif0="inet 10.0.0.1/30 10.0.0.2"
2081gifconfig_gif1="inet6 2a00::1 2a01::1"
2082ifconfig_gif1="inet 10.1.0.1/30 10.1.0.2"
2083.Ed
2084.It Va ppp_enable
2085.Pq Vt bool
2086If set to
2087.Dq Li YES ,
2088run the
2089.Xr ppp 8
2090daemon.
2091.It Va ppp_profile
2092.Pq Vt str
2093The name of the profile to use from
2094.Pa /etc/ppp/ppp.conf .
2095Also used for per-profile overrides of
2096.Va ppp_mode
2097and
2098.Va ppp_nat ,
2099and
2100.Va ppp_ Ns Ao Ar profile Ac Ns _unit .
2101When the profile name contains any of the characters
2102.Dq Li .-/+
2103they are translated to
2104.Dq Li _
2105for the proposes of the override variable names.
2106.It Va ppp_mode
2107.Pq Vt str
2108Mode in which to run the
2109.Xr ppp 8
2110daemon.
2111.It Va ppp_ Ns Ao Ar profile Ac Ns _mode
2112.Pq Vt str
2113Overrides the global
2114.Va ppp_mode
2115for
2116.Ar profile .
2117Accepted modes are
2118.Dq Li auto ,
2119.Dq Li ddial ,
2120.Dq Li direct
2121and
2122.Dq Li dedicated .
2123See the manual for a full description.
2124.It Va ppp_nat
2125.Pq Vt bool
2126If set to
2127.Dq Li YES ,
2128enables network address translation.
2129Used in conjunction with
2130.Va gateway_enable
2131allows hosts on private network addresses access to the Internet using
2132this host as a network address translating router.
2133Default is
2134.Dq Li YES .
2135.It Va ppp_ Ns Ao Ar profile Ac Ns _nat
2136.Pq Vt str
2137Overrides the global
2138.Va ppp_nat
2139for
2140.Ar profile .
2141.It Va ppp_ Ns Ao Ar profile Ac Ns _unit
2142.Pq Vt int
2143Set the unit number to be used for this profile.
2144See the manual description of
2145.Fl unit Ns Ar N
2146for details.
2147.It Va ppp_user
2148.Pq Vt str
2149The name of the user under which
2150.Xr ppp 8
2151should be started.
2152By
2153default,
2154.Xr ppp 8
2155is started as
2156.Dq Li root .
2157.It Va rc_conf_files
2158.Pq Vt str
2159This option is used to specify a list of files that will override
2160the settings in
2161.Pa /etc/defaults/rc.conf .
2162The files will be read in the order in which they are specified and should
2163include the full path to the file.
2164By default, the files specified are
2165.Pa /etc/rc.conf
2166and
2167.Pa /etc/rc.conf.local .
2168.It Va zfs_enable
2169.Pq Vt bool
2170If set to
2171.Dq Li YES ,
2172.Pa /etc/rc.d/zfs
2173will attempt to automatically mount ZFS file systems and initialize ZFS volumes
2174(ZVOLs).
2175.It Va zpool_reguid
2176.Pq Vt str
2177A space-separated list of ZFS pool names for which new pool GUIDs should be
2178assigned upon first boot.
2179This is useful when using a ZFS pool copied from a template, such as a virtual
2180machine image.
2181.It Va zpool_upgrade
2182.Pq Vt str
2183A space-separated list of ZFS pool names for which the version should be
2184upgraded upon first boot.
2185This is useful when using a ZFS pool generated by the
2186.Xr makefs 8
2187utility.
2188.It Va gptboot_enable
2189.Pq Vt bool
2190If set to
2191.Dq Li YES ,
2192.Pa /etc/rc.d/gptboot
2193will log if the system successfully (or not) booted from a GPT partition,
2194which had the
2195.Ar bootonce
2196attribute set using
2197.Xr gpart 8
2198utility.
2199.It Va geli_devices
2200.Pq Vt str
2201List of devices to automatically attach on boot.
2202Note that .eli devices from
2203.Pa /etc/fstab
2204are automatically appended to this list.
2205.It Va geli_groups
2206.Pq Vt str
2207List of groups containing devices to automatically attach on boot with the same
2208keyfiles and passphrase.
2209This must be accompanied with a corresponding
2210.Va geli_ Ns Ao Ar group Ac Ns Va _devices
2211variable.
2212.It Va geli_tries
2213.Pq Vt int
2214Number of times user is asked for the pass-phrase.
2215If empty, it will be taken from
2216.Va kern.geom.eli.tries
2217sysctl variable.
2218.It Va geli_default_flags
2219.Pq Vt str
2220Default flags to use by
2221.Xr geli 8
2222when configuring disk encryption.
2223Flags can be configured for every device separately by defining the
2224.Va geli_ Ns Ao Ar device Ac Ns Va _flags
2225variable, and for every group separately by defining the
2226.Va geli_ Ns Ao Ar group Ac Ns Va _flags
2227variable.
2228.It Va geli_autodetach
2229.Pq Vt str
2230Specifies if GELI devices should be marked for detach on last close after
2231file systems are mounted.
2232Default is
2233.Dq Li YES .
2234This can be changed for every device separately by defining the
2235.Va geli_ Ns Ao Ar device Ac Ns Va _autodetach
2236variable.
2237.It Va root_rw_mount
2238.Pq Vt bool
2239Set to
2240.Dq Li YES
2241by default.
2242After the file systems are checked at boot time, the root file system
2243is remounted as read-write if this is set to
2244.Dq Li YES .
2245Diskless systems that mount their root file system from a read-only remote
2246NFS share should set this to
2247.Dq Li NO
2248in their
2249.Pa rc.conf .
2250.It Va fsck_y_enable
2251.Pq Vt bool
2252If set to
2253.Dq Li YES ,
2254.Xr fsck 8
2255will be run with the
2256.Fl y
2257flag if the initial preen
2258of the file systems fails.
2259.It Va background_fsck
2260.Pq Vt bool
2261If set to
2262.Dq Li NO ,
2263the system will not attempt to run
2264.Xr fsck 8
2265in the background where possible.
2266.It Va background_fsck_delay
2267.Pq Vt int
2268The amount of time in seconds to sleep before starting a background
2269.Xr fsck 8 .
2270It defaults to sixty seconds to allow large applications such as
2271the X server to start before disk I/O bandwidth is monopolized by
2272.Xr fsck 8 .
2273If set to a negative number, the background file system check will be
2274delayed indefinitely to allow the administrator to run it at a more
2275convenient time.
2276For example it may be run from
2277.Xr cron 8
2278by adding a line like
2279.Pp
2280.Dl "0 4 * * * root /etc/rc.d/bgfsck forcestart"
2281.Pp
2282to
2283.Pa /etc/crontab .
2284.It Va netfs_types
2285.Pq Vt str
2286List of file system types that are network-based.
2287This list should generally not be modified by end users.
2288Use
2289.Va extra_netfs_types
2290instead.
2291.It Va extra_netfs_types
2292.Pq Vt str
2293If set to something other than
2294.Dq Li NO
2295(the default),
2296this variable extends the list of file system types
2297for which automatic mounting at startup by
2298.Xr rc 8
2299should be delayed until the network is initialized.
2300It should contain
2301a whitespace-separated list of network file system descriptor pairs,
2302each consisting of a file system type as passed to
2303.Xr mount 8
2304and a human-readable, one-word description,
2305joined with a colon
2306.Pq Ql \&: .
2307Extending the default list in this way is only necessary
2308when third party file system types are used.
2309.It Va syslogd_enable
2310.Pq Vt bool
2311If set to
2312.Dq Li YES ,
2313run the
2314.Xr syslogd 8
2315daemon.
2316Note, the
2317.Va syslogd_oomprotect
2318variable is set to
2319.Dq Li YES
2320by default in
2321.Pa /etc/defaults/rc.conf .
2322.It Va syslogd_program
2323.Pq Vt str
2324Path to
2325.Xr syslogd 8
2326(default
2327.Pa /usr/sbin/syslogd ) .
2328.It Va syslogd_flags
2329.Pq Vt str
2330If
2331.Va syslogd_enable
2332is set to
2333.Dq Li YES ,
2334these are the flags to pass to
2335.Xr syslogd 8 .
2336.It Va inetd_enable
2337.Pq Vt bool
2338If set to
2339.Dq Li YES ,
2340run the
2341.Xr inetd 8
2342daemon.
2343.It Va inetd_program
2344.Pq Vt str
2345Path to
2346.Xr inetd 8
2347(default
2348.Pa /usr/sbin/inetd ) .
2349.It Va inetd_flags
2350.Pq Vt str
2351If
2352.Va inetd_enable
2353is set to
2354.Dq Li YES ,
2355these are the flags to pass to
2356.Xr inetd 8 .
2357.It Va hastd_enable
2358.Pq Vt bool
2359If set to
2360.Dq Li YES ,
2361run the
2362.Xr hastd 8
2363daemon.
2364.It Va hastd_program
2365.Pq Vt str
2366Path to
2367.Xr hastd 8
2368(default
2369.Pa /sbin/hastd ) .
2370.It Va hastd_flags
2371.Pq Vt str
2372If
2373.Va hastd_enable
2374is set to
2375.Dq Li YES ,
2376these are the flags to pass to
2377.Xr hastd 8 .
2378.It Va local_unbound_enable
2379.Pq Vt bool
2380If set to
2381.Dq Li YES ,
2382run the
2383.Xr unbound 8
2384daemon as a local caching DNS resolver.
2385Note, the
2386.Va local_unbound_oomprotect
2387variable is set to
2388.Dq Li YES
2389by default in
2390.Pa /etc/defaults/rc.conf .
2391.It Va nscd_enable
2392.Pq Vt bool
2393Set to
2394.Dq Li YES
2395to start the
2396.Xr nscd 8
2397caching daemon for the
2398.Nm nsswitch
2399subsystem.
2400.It Va nscd_flags
2401.Pq Vt str
2402If
2403.Va nscd_enable
2404is set to
2405.Dq Li YES ,
2406these flags are passed to
2407.Xr nscd 8 .
2408.It Va kdc_enable
2409.Pq Vt bool
2410Set to
2411.Dq Li YES
2412to start a Kerberos 5 authentication server
2413at boot time.
2414.It Va kdc_program
2415.Pq Vt str
2416If
2417.Va kdc_enable
2418is set to
2419.Dq Li YES
2420this is the path to Kerberos 5 Authentication Server.
2421.It Va kdc_flags
2422.Pq Vt str
2423Empty by default.
2424This variable contains additional flags to be passed to the Kerberos 5
2425authentication server.
2426.It Va kadmind_enable
2427.Pq Vt bool
2428Set to
2429.Dq Li YES
2430to start
2431.Xr kadmind 8 ,
2432the Kerberos 5 Administration Daemon; set to
2433.Dq Li NO
2434on a slave server.
2435.It Va kadmind_program
2436.Pq Vt str
2437If
2438.Va kadmind_enable
2439is set to
2440.Dq Li YES
2441this is the path to Kerberos 5 Administration Daemon.
2442.It Va kpasswdd_enable
2443.Pq Vt bool
2444Set to
2445.Dq Li YES
2446to start
2447.Xr kpasswdd 8 ,
2448the Kerberos 5 Password-Changing Daemon; set to
2449.Dq Li NO
2450on a slave server.
2451.It Va kpasswdd_program
2452.Pq Vt str
2453If
2454.Va kpasswdd_enable
2455is set to
2456.Dq Li YES
2457this is the path to Kerberos 5 Password-Changing Daemon.
2458.It Va kfd_enable
2459.Pq Vt bool
2460Set to
2461.Dq Li YES
2462to start
2463.Xr kfd 8 ,
2464the Kerberos 5 ticket forwarding daemon, at the boot time.
2465.It Va kfd_program
2466.Pq Vt str
2467Path to
2468.Xr kfd 8
2469(default
2470.Pa /usr/libexec/kfd ) .
2471.It Va rwhod_enable
2472.Pq Vt bool
2473If set to
2474.Dq Li YES ,
2475run the
2476.Xr rwhod 8
2477daemon at boot time.
2478.It Va rwhod_flags
2479.Pq Vt str
2480If
2481.Va rwhod_enable
2482is set to
2483.Dq Li YES ,
2484these are the flags to pass to it.
2485.It Va update_motd
2486.Pq Vt bool
2487If set to
2488.Dq Li YES ,
2489.Pa /var/run/motd
2490will be updated at boot time to reflect the kernel release
2491being run.
2492If set to
2493.Dq Li NO ,
2494.Pa /var/run/motd
2495will not be updated.
2496.It Va nfs_client_enable
2497.Pq Vt bool
2498If set to
2499.Dq Li YES ,
2500run the NFS client daemons at boot time.
2501.It Va nfs_access_cache
2502.Pq Vt int
2503If
2504.Va nfs_client_enable
2505is set to
2506.Dq Li YES ,
2507this can be set to
2508.Dq Li 0
2509to disable NFS ACCESS RPC caching, or to the number of seconds for which
2510NFS ACCESS
2511results should be cached.
2512A value of 2-10 seconds will substantially reduce network
2513traffic for many NFS operations.
2514.It Va nfs_server_enable
2515.Pq Vt bool
2516If set to
2517.Dq Li YES ,
2518run the NFS server daemons at boot time.
2519.It Va nfs_server_flags
2520.Pq Vt str
2521If
2522.Va nfs_server_enable
2523is set to
2524.Dq Li YES ,
2525these are the flags to pass to the
2526.Xr nfsd 8
2527daemon.
2528.It Va nfsv4_server_enable
2529.Pq Vt bool
2530If
2531.Va nfs_server_enable
2532is set to
2533.Dq Li YES
2534and
2535.Va nfsv4_server_enable
2536is set to
2537.Dq Li YES ,
2538enable the server for NFSv4 as well as NFSv2 and NFSv3.
2539.It Va nfsv4_server_only
2540.Pq Vt bool
2541If
2542.Va nfs_server_enable
2543is set to
2544.Dq Li YES
2545and
2546.Va nfsv4_server_only
2547is set to
2548.Dq Li YES ,
2549enable the NFS server for NFSv4 only.
2550.It Va nfs_server_maxio
2551.Pq Vt int
2552value to set vfs.nfsd.srvmaxio to, which is the
2553maximum I/O size for the NFS server.
2554.It Va tlsclntd_enable
2555.Pq Vt bool
2556If set to
2557.Dq Li YES ,
2558run the
2559.Xr rpc.tlsclntd 8
2560daemon, which is needed for NFS-over-TLS NFS mounts.
2561.It Va tlsservd_enable
2562.Pq Vt bool
2563If set to
2564.Dq Li YES ,
2565run the
2566.Xr rpc.tlsservd 8
2567daemon, which is needed for the
2568.Xr nfsd 8
2569to support NFS-over-TLS NFS mounts.
2570.It Va nfsuserd_enable
2571.Pq Vt bool
2572If
2573.Va nfsuserd_enable
2574is set to
2575.Dq Li YES ,
2576run the nfsuserd daemon, which is needed for NFSv4 in order
2577to map between user/group names vs uid/gid numbers.
2578If
2579.Va nfsv4_server_enable
2580is set to
2581.Dq Li YES ,
2582this will be forced enabled.
2583.It Va nfsuserd_flags
2584.Pq Vt str
2585If
2586.Va nfsuserd_enable
2587is set to
2588.Dq Li YES ,
2589these are the flags to pass to the
2590.Xr nfsuserd 8
2591daemon.
2592.It Va nfscbd_enable
2593.Pq Vt bool
2594If
2595.Va nfscbd_enable
2596is set to
2597.Dq Li YES ,
2598run the nfscbd daemon, which enables callbacks/delegations for the NFSv4 client.
2599.It Va nfscbd_flags
2600.Pq Vt str
2601If
2602.Va nfscbd_enable
2603is set to
2604.Dq Li YES ,
2605these are the flags to pass to the
2606.Xr nfscbd 8
2607daemon.
2608.It Va mountd_enable
2609.Pq Vt bool
2610If set to
2611.Dq Li YES ,
2612and no
2613.Va nfs_server_enable
2614is set, start
2615.Xr mountd 8 ,
2616but not
2617.Xr nfsd 8
2618daemon.
2619It is commonly needed to run CFS without real NFS used.
2620.It Va mountd_flags
2621.Pq Vt str
2622If
2623.Va mountd_enable
2624is set to
2625.Dq Li YES ,
2626these are the flags to pass to the
2627.Xr mountd 8
2628daemon.
2629.It Va weak_mountd_authentication
2630.Pq Vt bool
2631If set to
2632.Dq Li YES ,
2633allow services like PCNFSD to make non-privileged mount
2634requests.
2635.It Va nfs_reserved_port_only
2636.Pq Vt bool
2637If set to
2638.Dq Li YES ,
2639provide NFS services only on a secure port.
2640.It Va nfs_bufpackets
2641.Pq Vt int
2642If set to a number, indicates the number of packets worth of
2643socket buffer space to reserve on an NFS client.
2644The kernel default is typically 4.
2645Using a higher number may be
2646useful on gigabit networks to improve performance.
2647The minimum value is
26482 and the maximum is 64.
2649.It Va rpc_lockd_enable
2650.Pq Vt bool
2651If set to
2652.Dq Li YES
2653and also an NFS server or client, run
2654.Xr rpc.lockd 8
2655at boot time.
2656.It Va rpc_lockd_flags
2657.Pq Vt str
2658If
2659.Va rpc_lockd_enable
2660is set to
2661.Dq Li YES ,
2662these are the flags to pass to the
2663.Xr rpc.lockd 8
2664daemon.
2665.It Va rpc_statd_enable
2666.Pq Vt bool
2667If set to
2668.Dq Li YES
2669and also an NFS server or client, run
2670.Xr rpc.statd 8
2671at boot time.
2672.It Va rpc_statd_flags
2673.Pq Vt str
2674If
2675.Va rpc_statd_enable
2676is set to
2677.Dq Li YES ,
2678these are the flags to pass to the
2679.Xr rpc.statd 8
2680daemon.
2681.It Va rpcbind_program
2682.Pq Vt str
2683Path to
2684.Xr rpcbind 8
2685(default
2686.Pa /usr/sbin/rpcbind ) .
2687.It Va rpcbind_enable
2688.Pq Vt bool
2689If set to
2690.Dq Li YES ,
2691run the
2692.Xr rpcbind 8
2693service at boot time.
2694.It Va rpcbind_flags
2695.Pq Vt str
2696If
2697.Va rpcbind_enable
2698is set to
2699.Dq Li YES ,
2700these are the flags to pass to the
2701.Xr rpcbind 8
2702daemon.
2703.It Va keyserv_enable
2704.Pq Vt bool
2705If set to
2706.Dq Li YES ,
2707run the
2708.Xr keyserv 8
2709daemon on boot for running Secure RPC.
2710.It Va keyserv_flags
2711.Pq Vt str
2712If
2713.Va keyserv_enable
2714is set to
2715.Dq Li YES ,
2716these are the flags to pass to
2717.Xr keyserv 8
2718daemon.
2719.It Va pppoed_enable
2720.Pq Vt bool
2721If set to
2722.Dq Li YES ,
2723run the
2724.Xr pppoed 8
2725daemon at boot time to provide PPP over Ethernet services.
2726.It Va pppoed_ Ns Aq Ar provider
2727.Pq Vt str
2728.Xr pppoed 8
2729listens to requests to this
2730.Ar provider
2731and ultimately runs
2732.Xr ppp 8
2733with a
2734.Ar system
2735argument of the same name.
2736.It Va pppoed_flags
2737.Pq Vt str
2738Additional flags to pass to
2739.Xr pppoed 8 .
2740.It Va pppoed_interface
2741.Pq Vt str
2742The network interface to run
2743.Xr pppoed 8
2744on.
2745This is mandatory when
2746.Va pppoed_enable
2747is set to
2748.Dq Li YES .
2749.It Va ntpdate_enable
2750.Pq Vt bool
2751If set to
2752.Dq Li YES ,
2753run
2754.Xr ntpdate 8
2755at system startup.
2756This command is intended to
2757synchronize the system clock only
2758.Em once
2759from some standard reference.
2760.Pp
2761Note that the use of the
2762.Va ntpd_sync_on_start
2763variable is a preferred alternative to the
2764.Xr ntpdate 8
2765utility as
2766.Xr ntpdate 8
2767is to be retired from the NTP distribution.
2768.It Va ntpdate_config
2769.Pq Vt str
2770Configuration file for
2771.Xr ntpdate 8 .
2772Default
2773.Pa /etc/ntp.conf .
2774.It Va ntpdate_hosts
2775.Pq Vt str
2776A whitespace-separated list of NTP servers to synchronize with at startup.
2777The default is to use the servers listed in
2778.Va ntpdate_config ,
2779if that file exists.
2780.It Va ntpdate_program
2781.Pq Vt str
2782Path to
2783.Xr ntpdate 8
2784(default
2785.Pa /usr/sbin/ntpdate ) .
2786.It Va ntpdate_flags
2787.Pq Vt str
2788If
2789.Va ntpdate_enable
2790is set to
2791.Dq Li YES ,
2792these are the flags to pass to the
2793.Xr ntpdate 8
2794command (typically a hostname).
2795.It Va ntpd_enable
2796.Pq Vt bool
2797If set to
2798.Dq Li YES ,
2799run the
2800.Xr ntpd 8
2801command at boot time.
2802.It Va ntpd_program
2803.Pq Vt str
2804Path to
2805.Xr ntpd 8
2806(default
2807.Pa /usr/sbin/ntpd ) .
2808.It Va ntpd_config
2809.Pq Vt str
2810Path to
2811.Xr ntpd 8
2812configuration file.
2813Default
2814.Pa /etc/ntp.conf .
2815.It Va ntpd_flags
2816.Pq Vt str
2817If
2818.Va ntpd_enable
2819is set to
2820.Dq Li YES ,
2821these are the flags to pass to the
2822.Xr ntpd 8
2823daemon.
2824.It Va ntpd_sync_on_start
2825.Pq Vt bool
2826If set to
2827.Dq Li YES ,
2828.Xr ntpd 8
2829is run with the
2830.Fl g
2831flag, which syncs the system's clock on startup.
2832See
2833.Xr ntpd 8
2834for more information regarding the
2835.Fl g
2836option.
2837This is a preferred alternative to using
2838.Xr ntpdate 8
2839or specifying the
2840.Va ntpdate_enable
2841variable.
2842.It Va nis_client_enable
2843.Pq Vt bool
2844If set to
2845.Dq Li YES ,
2846run the
2847.Xr ypbind 8
2848service at system boot time.
2849.It Va nis_client_flags
2850.Pq Vt str
2851If
2852.Va nis_client_enable
2853is set to
2854.Dq Li YES ,
2855these are the flags to pass to the
2856.Xr ypbind 8
2857service.
2858.It Va nis_ypldap_enable
2859.Pq Vt bool
2860If set to
2861.Dq Li YES ,
2862run the
2863.Xr ypldap 8
2864daemon at system boot time.
2865.It Va nis_ypldap_flags
2866.Pq Vt str
2867If
2868.Va nis.ypldap_enable
2869is set to
2870.Dq Li YES ,
2871these are the flags to pass to the
2872.Xr ypldap 8
2873daemon.
2874.It Va nis_ypset_enable
2875.Pq Vt bool
2876If set to
2877.Dq Li YES ,
2878run the
2879.Xr ypset 8
2880daemon at system boot time.
2881.It Va nis_ypset_flags
2882.Pq Vt str
2883If
2884.Va nis_ypset_enable
2885is set to
2886.Dq Li YES ,
2887these are the flags to pass to the
2888.Xr ypset 8
2889daemon.
2890.It Va nis_server_enable
2891.Pq Vt bool
2892If set to
2893.Dq Li YES ,
2894run the
2895.Xr ypserv 8
2896daemon at system boot time.
2897.It Va nis_server_flags
2898.Pq Vt str
2899If
2900.Va nis_server_enable
2901is set to
2902.Dq Li YES ,
2903these are the flags to pass to the
2904.Xr ypserv 8
2905daemon.
2906.It Va nis_ypxfrd_enable
2907.Pq Vt bool
2908If set to
2909.Dq Li YES ,
2910run the
2911.Xr rpc.ypxfrd 8
2912daemon at system boot time.
2913.It Va nis_ypxfrd_flags
2914.Pq Vt str
2915If
2916.Va nis_ypxfrd_enable
2917is set to
2918.Dq Li YES ,
2919these are the flags to pass to the
2920.Xr rpc.ypxfrd 8
2921daemon.
2922.It Va nis_yppasswdd_enable
2923.Pq Vt bool
2924If set to
2925.Dq Li YES ,
2926run the
2927.Xr rpc.yppasswdd 8
2928daemon at system boot time.
2929.It Va nis_yppasswdd_flags
2930.Pq Vt str
2931If
2932.Va nis_yppasswdd_enable
2933is set to
2934.Dq Li YES ,
2935these are the flags to pass to the
2936.Xr rpc.yppasswdd 8
2937daemon.
2938.It Va rpc_ypupdated_enable
2939.Pq Vt bool
2940If set to
2941.Dq Li YES ,
2942run the
2943.Nm rpc.ypupdated
2944daemon at system boot time.
2945.It Va bsnmpd_enable
2946.Pq Vt bool
2947If set to
2948.Dq Li YES ,
2949run the
2950.Xr bsnmpd 1
2951daemon at system boot time.
2952Be sure to understand the security implications of running an SNMP daemon
2953on your host.
2954.It Va bsnmpd_flags
2955.Pq Vt str
2956If
2957.Va bsnmpd_enable
2958is set to
2959.Dq Li YES ,
2960these are the flags to pass to the
2961.Xr bsnmpd 1
2962daemon.
2963.It Va defaultrouter
2964.Pq Vt str
2965If not set to
2966.Dq Li NO ,
2967create a default route to this host name or IP address
2968(use an IP address if this router is also required to get to the
2969name server!).
2970.It Va defaultrouter_fibN
2971.Pq Vt str
2972If not set to
2973.Dq Li NO ,
2974create a default route in FIB N to this host name or IP address.
2975.It Va ipv6_defaultrouter
2976.Pq Vt str
2977The IPv6 equivalent of
2978.Va defaultrouter .
2979.It Va ipv6_defaultrouter_fibN
2980.Pq Vt str
2981The IPv6 equivalent of
2982.Va defaultrouter_fibN .
2983.It Va static_arp_pairs
2984.Pq Vt str
2985Set to the list of static ARP pairs that are to be added at system
2986boot time.
2987For each whitespace separated
2988.Ar element
2989in the value, a
2990.Va static_arp_ Ns Aq Ar element
2991variable is assumed to exist whose contents will later be passed to a
2992.Dq Nm arp Cm -S
2993operation.
2994For example
2995.Bd -literal
2996static_arp_pairs="gw"
2997static_arp_gw="192.168.1.1 00:01:02:03:04:05"
2998.Ed
2999.It Va static_ndp_pairs
3000.Pq Vt str
3001Set to the list of static NDP pairs that are to be added at system
3002boot time.
3003For each whitespace separated
3004.Ar element
3005in the value, a
3006.Va static_ndp_ Ns Aq Ar element
3007variable is assumed to exist whose contents will later be passed to a
3008.Dq Nm ndp Cm -s
3009operation.
3010For example
3011.Bd -literal
3012static_ndp_pairs="gw"
3013static_ndp_gw="2001:db8:3::1 00:01:02:03:04:05"
3014.Ed
3015.It Va static_routes
3016.Pq Vt str
3017Set to the list of static routes that are to be added at system
3018boot time.
3019If not set to
3020.Dq Li NO
3021then for each whitespace separated
3022.Ar element
3023in the value, a
3024.Va route_ Ns Aq Ar element
3025variable is assumed to exist
3026whose contents will later be passed to a
3027.Dq Nm route Cm add
3028operation.
3029For example:
3030.Bd -literal
3031static_routes="ext mcast:gif0 gif0local:gif0"
3032route_ext="-net 10.0.0.0/24 -gateway 192.168.0.1"
3033route_mcast="-net 224.0.0.0/4 -iface gif0"
3034route_gif0local="-host 169.254.1.1 -iface lo0"
3035.Ed
3036.Pp
3037When an
3038.Ar element
3039is in the form of
3040.Li name:ifname ,
3041the route is specific to the interface
3042.Li ifname .
3043.It Va ipv6_static_routes
3044.Pq Vt str
3045The IPv6 equivalent of
3046.Va static_routes .
3047If not set to
3048.Dq Li NO
3049then for each whitespace separated
3050.Ar element
3051in the value, a
3052.Va ipv6_route_ Ns Aq Ar element
3053variable is assumed to exist
3054whose contents will later be passed to a
3055.Dq Nm route Cm add Fl inet6
3056operation.
3057.It Va gateway_enable
3058.Pq Vt bool
3059If set to
3060.Dq Li YES ,
3061configure host to act as an IP router, e.g.\& to forward packets
3062between interfaces.
3063.It Va ipv6_gateway_enable
3064.Pq Vt bool
3065The IPv6 equivalent of
3066.Va gateway_enable .
3067.It Va routed_enable
3068.Pq Vt bool
3069If set to
3070.Dq Li YES ,
3071run a routing daemon of some sort, based on the
3072settings of
3073.Va routed_program
3074and
3075.Va routed_flags .
3076.It Va route6d_enable
3077.Pq Vt bool
3078The IPv6 equivalent of
3079.Va routed_enable .
3080If set to
3081.Dq Li YES ,
3082run a routing daemon of some sort, based on the
3083settings of
3084.Va route6d_program
3085and
3086.Va route6d_flags .
3087.It Va routed_program
3088.Pq Vt str
3089If
3090.Va routed_enable
3091is set to
3092.Dq Li YES ,
3093this is the name of the routing daemon to use.
3094The default is
3095.Xr routed 8 .
3096.It Va route6d_program
3097.Pq Vt str
3098The IPv6 equivalent of
3099.Va routed_program .
3100The default is
3101.Xr route6d 8 .
3102.It Va routed_flags
3103.Pq Vt str
3104If
3105.Va routed_enable
3106is set to
3107.Dq Li YES ,
3108these are the flags to pass to the routing daemon.
3109.It Va route6d_flags
3110.Pq Vt str
3111The IPv6 equivalent of
3112.Va routed_flags .
3113.It Va rtadvd_enable
3114.Pq Vt bool
3115If set to
3116.Dq Li YES ,
3117run the
3118.Xr rtadvd 8
3119daemon at boot time.
3120The
3121.Xr rtadvd 8
3122utility sends ICMPv6 Router Advertisement messages to
3123the interfaces specified in
3124.Va rtadvd_interfaces .
3125This should only be enabled with great care.
3126You may want to fine-tune
3127.Xr rtadvd.conf 5 .
3128.It Va rtadvd_interfaces
3129.Pq Vt str
3130If
3131.Va rtadvd_enable
3132is set to
3133.Dq Li YES
3134this is the list of interfaces to use.
3135.It Va arpproxy_all
3136.Pq Vt bool
3137If set to
3138.Dq Li YES ,
3139enable global proxy ARP.
3140.It Va forward_sourceroute
3141.Pq Vt bool
3142If set to
3143.Dq Li YES
3144and
3145.Va gateway_enable
3146is also set to
3147.Dq Li YES ,
3148source-routed packets are forwarded.
3149.It Va accept_sourceroute
3150.Pq Vt bool
3151If set to
3152.Dq Li YES ,
3153the system will accept source-routed packets directed at it.
3154.It Va rarpd_enable
3155.Pq Vt bool
3156If set to
3157.Dq Li YES ,
3158run the
3159.Xr rarpd 8
3160daemon at system boot time.
3161.It Va rarpd_flags
3162.Pq Vt str
3163If
3164.Va rarpd_enable
3165is set to
3166.Dq Li YES ,
3167these are the flags to pass to the
3168.Xr rarpd 8
3169daemon.
3170.It Va bootparamd_enable
3171.Pq Vt bool
3172If set to
3173.Dq Li YES ,
3174run the
3175.Xr bootparamd 8
3176daemon at system boot time.
3177.It Va bootparamd_flags
3178.Pq Vt str
3179If
3180.Va bootparamd_enable
3181is set to
3182.Dq Li YES ,
3183these are the flags to pass to the
3184.Xr bootparamd 8
3185daemon.
3186.It Va stf_interface_ipv4addr
3187.Pq Vt str
3188If not set to
3189.Dq Li NO ,
3190this is the local IPv4 address for 6to4 (IPv6 over IPv4 tunneling
3191interface).
3192Specify this entry to enable the 6to4 interface.
3193.It Va stf_interface_ipv4plen
3194.Pq Vt int
3195Prefix length for 6to4 IPv4 addresses, to limit peer address range.
3196An effective value is 0-31.
3197.It Va stf_interface_ipv6_ifid
3198.Pq Vt str
3199IPv6 interface ID for
3200.Xr stf 4 .
3201This can be set to
3202.Dq Li AUTO .
3203.It Va stf_interface_ipv6_slaid
3204.Pq Vt str
3205IPv6 Site Level Aggregator for
3206.Xr stf 4 .
3207.It Va ipv6_ipv4mapping
3208.Pq Vt bool
3209If set to
3210.Dq Li YES
3211this enables IPv4 mapped IPv6 address communication (like
3212.Li ::ffff:a.b.c.d ) .
3213.It Va rtsold_enable
3214.Pq Vt bool
3215Set to
3216.Dq Li YES
3217to enable the
3218.Xr rtsold 8
3219daemon to send ICMPv6 Router Solicitation messages.
3220.It Va rtsold_flags
3221.Pq Vt str
3222If
3223.Va rtsold_enable
3224is set to
3225.Dq Li YES ,
3226these are the flags to pass to
3227.Xr rtsold 8 .
3228.It Va rtsol_flags
3229.Pq Vt str
3230For interfaces configured with the
3231.Dq Li inet6 accept_rtadv
3232keyword, these are the flags to pass to
3233.Xr rtsol 8 .
3234.Pp
3235Note that
3236.Va rtsold_enable
3237is mutually exclusive to
3238.Va rtsol_flags ;
3239.Va rtsold_enable
3240takes precedence.
3241.It Va keybell
3242.Pq Vt str
3243The keyboard bell sound.
3244Set to
3245.Dq Li normal ,
3246.Dq Li visual ,
3247.Dq Li off ,
3248or
3249.Dq Li NO
3250if the default behavior is desired.
3251For details, refer to the
3252.Xr kbdcontrol 1
3253manpage.
3254.It Va keyboard
3255.Pq Vt str
3256If set to a non-null string, the virtual console's keyboard input is
3257set to this device.
3258.It Va keymap
3259.Pq Vt str
3260If set to
3261.Dq Li NO ,
3262no keymap is installed, otherwise the value is used to install
3263the keymap file found in
3264.Pa /usr/share/syscons/keymaps/ Ns Ao Ar value Ac Ns Pa .kbd
3265(if using
3266.Xr syscons 4 ) or
3267.Pa /usr/share/vt/keymaps/ Ns Ao Ar value Ac Ns Pa .kbd
3268(if using
3269.Xr vt 4 ) .
3270.It Va keyrate
3271.Pq Vt str
3272The keyboard repeat speed.
3273Set to
3274.Dq Li slow ,
3275.Dq Li normal ,
3276.Dq Li fast ,
3277or
3278.Dq Li NO
3279if the default behavior is desired.
3280.It Va keychange
3281.Pq Vt str
3282If not set to
3283.Dq Li NO ,
3284attempt to program the function keys with the value.
3285The value should
3286be a single string of the form:
3287.Dq Ar funkey_number new_value Op Ar funkey_number new_value ... .
3288.It Va cursor
3289.Pq Vt str
3290Can be set to the value of
3291.Dq Li normal ,
3292.Dq Li blink ,
3293.Dq Li destructive ,
3294or
3295.Dq Li NO
3296to set the cursor behavior explicitly or choose the default behavior.
3297.It Va scrnmap
3298.Pq Vt str
3299If set to
3300.Dq Li NO ,
3301no screen map is installed, otherwise the value is used to install
3302the screen map file in
3303.Pa /usr/share/syscons/scrnmaps/ Ns Aq Ar value .
3304This parameter is ignored when using
3305.Xr vt 4
3306as the console driver.
3307.It Va font8x16
3308.Pq Vt str
3309If set to
3310.Dq Li NO ,
3311the default 8x16 font value is used for screen size requests, otherwise
3312the value in
3313.Pa /usr/share/syscons/fonts/ Ns Aq Ar value
3314or
3315.Pa /usr/share/vt/fonts/ Ns Aq Ar value
3316is used (depending on the console driver being used).
3317.It Va font8x14
3318.Pq Vt str
3319If set to
3320.Dq Li NO ,
3321the default 8x14 font value is used for screen size requests, otherwise
3322the value in
3323.Pa /usr/share/syscons/fonts/ Ns Aq Ar value
3324or
3325.Pa /usr/share/vt/fonts/ Ns Aq Ar value
3326is used (depending on the console driver being used).
3327.It Va font8x8
3328.Pq Vt str
3329If set to
3330.Dq Li NO ,
3331the default 8x8 font value is used for screen size requests, otherwise
3332the value in
3333.Pa /usr/share/syscons/fonts/ Ns Aq Ar value
3334or
3335.Pa /usr/share/vt/fonts/ Ns Aq Ar value
3336is used (depending on the console driver being used).
3337.It Va blanktime
3338.Pq Vt int
3339If set to
3340.Dq Li NO ,
3341the default screen blanking interval is used, otherwise it is set
3342to
3343.Ar value
3344seconds.
3345.It Va saver
3346.Pq Vt str
3347If not set to
3348.Dq Li NO ,
3349this is the actual screen saver to use
3350.Li ( blank , snake , daemon ,
3351etc).
3352.It Va moused_nondefault_enable
3353.Pq Vt str
3354If set to
3355.Dq Li NO ,
3356the mouse device specified on
3357the command line is not automatically treated as enabled by the
3358.Pa /etc/rc.d/moused
3359script.
3360Having this variable set to
3361.Dq Li YES
3362allows a
3363.Xr usb 4
3364mouse,
3365for example,
3366to be enabled as soon as it is plugged in.
3367.It Va moused_enable
3368.Pq Vt str
3369If set to
3370.Dq Li YES ,
3371the
3372.Xr moused 8
3373daemon is started for doing cut/paste selection on the console.
3374.It Va moused_type
3375.Pq Vt str
3376This is the protocol type of the mouse connected to this host.
3377This variable must be set if
3378.Va moused_enable
3379is set to
3380.Dq Li YES ,
3381but defaults to
3382.Dq Li auto
3383as the
3384.Xr moused 8
3385daemon
3386is able to detect the appropriate mouse type automatically in many cases.
3387Set this variable to
3388one from the following list if the automatic detection fails.
3389.Pp
3390If the mouse is attached to the PS/2 mouse port, choose
3391.Dq Li auto
3392or
3393.Dq Li ps/2 ,
3394regardless of the brand and model of the mouse.
3395Likewise, if the
3396mouse is attached to the bus mouse port, choose
3397.Dq Li auto
3398or
3399.Dq Li busmouse .
3400All other protocols are for serial mice and will not work with
3401the PS/2 and bus mice.
3402If this is a USB mouse,
3403.Dq Li auto
3404is the only protocol type which will work.
3405.Pp
3406.Bl -tag -width ".Li x10mouseremote" -compact
3407.It Li microsoft
3408Microsoft mouse (serial)
3409.It Li intellimouse
3410Microsoft IntelliMouse (serial)
3411.It Li mousesystems
3412Mouse systems Corp.\& mouse (serial)
3413.It Li mmseries
3414MM Series mouse (serial)
3415.It Li logitech
3416Logitech mouse (serial)
3417.It Li busmouse
3418A bus mouse
3419.It Li mouseman
3420Logitech MouseMan and TrackMan (serial)
3421.It Li glidepoint
3422ALPS GlidePoint (serial)
3423.It Li thinkingmouse
3424Kensington ThinkingMouse (serial)
3425.It Li ps/2
3426PS/2 mouse
3427.It Li mmhittab
3428MM HitTablet (serial)
3429.It Li x10mouseremote
3430X10 MouseRemote (serial)
3431.It Li versapad
3432Interlink VersaPad (serial)
3433.El
3434.Pp
3435Even if the mouse is not in the above list, it may be compatible
3436with one in the list.
3437Refer to the manual page for
3438.Xr moused 8
3439for compatibility information.
3440.Pp
3441It should also be noted that while this is enabled, any
3442other client of the mouse (such as an X server) should access
3443the mouse through the virtual mouse device,
3444.Pa /dev/sysmouse ,
3445and configure it as a
3446.Dq Li sysmouse
3447type mouse, since all
3448mouse data is converted to this single canonical format when
3449using
3450.Xr moused 8 .
3451If the client program does not support the
3452.Dq Li sysmouse
3453type,
3454specify the
3455.Dq Li mousesystems
3456type.
3457It is the second preferred type.
3458.It Va moused_port
3459.Pq Vt str
3460If
3461.Va moused_enable
3462is set to
3463.Dq Li YES ,
3464this is the actual port the mouse is on.
3465It might be
3466.Pa /dev/cuau0
3467for a COM1 serial mouse, or
3468.Pa /dev/psm0
3469for a PS/2 mouse, for example.
3470.It Va moused_flags
3471.Pq Vt str
3472If
3473.Va moused_flags
3474is set, its value is used as an additional set of flags to pass to the
3475.Xr moused 8
3476daemon.
3477.It Va "moused_" Ns Ar XXX Ns Va "_flags"
3478When
3479.Va moused_nondefault_enable
3480is enabled, and a
3481.Xr moused 8
3482daemon is started for a non-default port, the
3483.Va "moused_" Ns Ar XXX Ns Va "_flags"
3484set of options has precedence over and replaces the default
3485.Va moused_flags
3486(where
3487.Ar XXX
3488is the name of the non-default port, i.e.,\&
3489.Ar ums0 ) .
3490By setting
3491.Va "moused_" Ns Ar XXX Ns Va "_flags"
3492it is possible to set up a different set of default flags for each
3493.Xr moused 8
3494instance.
3495For example, you can use
3496.Dq Li "-3"
3497for the default
3498.Va moused_flags
3499to make your laptop's touchpad more comfortable to use,
3500but an empty set of options for
3501.Va moused_ums0_flags
3502when your
3503.Xr usb 4
3504mouse has three or more buttons.
3505.It Va mousechar_start
3506.Pq Vt int
3507If set to
3508.Dq Li NO ,
3509the default mouse cursor character range
3510.Li 0xd0 Ns - Ns Li 0xd3
3511is used,
3512otherwise the range start is set
3513to
3514.Ar value
3515character, see
3516.Xr vidcontrol 1 .
3517Use if the default range is occupied in the language code table.
3518.It Va allscreens_flags
3519.Pq Vt str
3520If set,
3521.Xr vidcontrol 1
3522is run with these options for each of the virtual terminals
3523.Pq Pa /dev/ttyv* .
3524For example,
3525.Dq Fl m Cm on
3526will enable the mouse pointer on all virtual terminals
3527if
3528.Va moused_enable
3529is set to
3530.Dq Li YES .
3531.It Va allscreens_kbdflags
3532.Pq Vt str
3533If set,
3534.Xr kbdcontrol 1
3535is run with these options for each of the virtual terminals
3536.Pq Pa /dev/ttyv* .
3537For example,
3538.Dq Fl h Li 200
3539will set the
3540.Xr syscons 4
3541or
3542.Xr vt 4
3543scrollback (history) buffer to 200 lines.
3544.It Va cron_enable
3545.Pq Vt bool
3546If set to
3547.Dq Li YES ,
3548run the
3549.Xr cron 8
3550daemon at system boot time.
3551.It Va cron_program
3552.Pq Vt str
3553Path to
3554.Xr cron 8
3555(default
3556.Pa /usr/sbin/cron ) .
3557.It Va cron_flags
3558.Pq Vt str
3559If
3560.Va cron_enable
3561is set to
3562.Dq Li YES ,
3563these are the flags to pass to
3564.Xr cron 8 .
3565.It Va cron_dst
3566.Pq Vt bool
3567If set to
3568.Dq Li YES ,
3569enable the special handling of transitions to and from the
3570Daylight Saving Time in
3571.Xr cron 8
3572(equivalent to using the flag
3573.Fl s ) .
3574.It Va lpd_program
3575.Pq Vt str
3576Path to
3577.Xr lpd 8
3578(default
3579.Pa /usr/sbin/lpd ) .
3580.It Va lpd_enable
3581.Pq Vt bool
3582If set to
3583.Dq Li YES ,
3584run the
3585.Xr lpd 8
3586daemon at system boot time.
3587.It Va lpd_flags
3588.Pq Vt str
3589If
3590.Va lpd_enable
3591is set to
3592.Dq Li YES ,
3593these are the flags to pass to the
3594.Xr lpd 8
3595daemon.
3596.It Va chkprintcap_enable
3597.Pq Vt bool
3598If set to
3599.Dq Li YES ,
3600run the
3601.Xr chkprintcap 8
3602command before starting the
3603.Xr lpd 8
3604daemon.
3605.It Va chkprintcap_flags
3606.Pq Vt str
3607If
3608.Va lpd_enable
3609and
3610.Va chkprintcap_enable
3611are set to
3612.Dq Li YES ,
3613these are the flags to pass to the
3614.Xr chkprintcap 8
3615program.
3616The default is
3617.Dq Li -d ,
3618which causes missing directories to be created.
3619.It Va dumpdev
3620.Pq Vt str
3621Indicates the device (usually a swap partition) to which a crash dump
3622should be written in the event of a system crash.
3623If the value of this variable is
3624.Dq Li AUTO ,
3625the first suitable swap device listed in
3626.Pa /etc/fstab
3627will be used as dump device.
3628Otherwise, the value of this variable is passed as the argument to
3629.Xr dumpon 8
3630and
3631.Xr savecore 8 .
3632To disable crash dumps, set this variable to
3633.Dq Li NO .
3634.It Va dumpon_flags
3635.Pq Vt str
3636Flags to pass to
3637.Xr dumpon 8
3638when configuring
3639.Va dumpdev
3640as the system dump device.
3641.It Va dumpdir
3642.Pq Vt str
3643When the system reboots after a crash and a crash dump is found on the
3644device specified by the
3645.Va dumpdev
3646variable,
3647.Xr savecore 8
3648will save that crash dump and a copy of the kernel to the directory
3649specified by the
3650.Va dumpdir
3651variable.
3652The default value is
3653.Pa /var/crash .
3654Set to
3655.Dq Li NO
3656to not run
3657.Xr savecore 8
3658at boot time when
3659.Va dumpdir
3660is set.
3661.It Va savecore_enable
3662.Pq Vt bool
3663If set to
3664.Dq Li NO ,
3665disable automatic extraction of the crash dump from the
3666.Va dumpdev .
3667.It Va savecore_flags
3668.Pq Vt str
3669If crash dumps are enabled, these are the flags to pass to the
3670.Xr savecore 8
3671utility.
3672.It Va quota_enable
3673.Pq Vt bool
3674Set to
3675.Dq Li YES
3676to turn on user and group disk quotas on system startup via the
3677.Xr quotaon 8
3678command for all file systems marked as having quotas enabled in
3679.Pa /etc/fstab .
3680The kernel must be built with
3681.Cd "options QUOTA"
3682for disk quotas to function.
3683.It Va check_quotas
3684.Pq Vt bool
3685Set to
3686.Dq Li YES
3687to enable user and group disk quota checking via the
3688.Xr quotacheck 8
3689command.
3690.It Va quotacheck_flags
3691.Pq Vt str
3692If
3693.Va quota_enable
3694is set to
3695.Dq Li YES ,
3696and
3697.Va check_quotas
3698is set to
3699.Dq Li YES ,
3700these are the flags to pass to the
3701.Xr quotacheck 8
3702utility.
3703The default is
3704.Dq Li "-a" ,
3705which checks quotas for all file systems with quotas enabled in
3706.Pa /etc/fstab .
3707.It Va quotaon_flags
3708.Pq Vt str
3709If
3710.Va quota_enable
3711is set to
3712.Dq Li YES ,
3713these are the flags to pass to the
3714.Xr quotaon 8
3715utility.
3716The default is
3717.Dq Li "-a" ,
3718which enables quotas for all file systems with quotas enabled in
3719.Pa /etc/fstab .
3720.It Va quotaoff_flags
3721.Pq Vt str
3722If
3723.Va quota_enable
3724is set to
3725.Dq Li YES ,
3726these are the flags to pass to the
3727.Xr quotaoff 8
3728utility when shutting down the quota system.
3729The default is
3730.Dq Li "-a" ,
3731which disables quotas for all file systems with quotas enabled in
3732.Pa /etc/fstab .
3733.It Va accounting_enable
3734.Pq Vt bool
3735Set to
3736.Dq Li YES
3737to enable system accounting through the
3738.Xr accton 8
3739facility.
3740.It Va firstboot_sentinel
3741.Pq Vt str
3742This variable specifies the full path to a
3743.Dq first boot
3744sentinel file.
3745If a file exists with this path,
3746.Pa rc.d
3747scripts with the
3748.Dq firstboot
3749keyword will be run on startup and the sentinel file will be deleted
3750after the boot process completes.
3751The sentinel file must be located on a writable file system which is
3752mounted no later than
3753.Va early_late_divider
3754to function properly.
3755The default is
3756.Pa /firstboot .
3757.It Va linux_enable
3758.Pq Vt bool
3759Set to
3760.Dq Li YES
3761to enable Linux/ELF binary emulation at system initial
3762boot time.
3763.It Va sysvipc_enable
3764.Pq Vt bool
3765If set to
3766.Dq Li YES ,
3767load System V IPC primitives at boot time.
3768.It Va clear_tmp_enable
3769.Pq Vt bool
3770Set to
3771.Dq Li YES
3772to have
3773.Pa /tmp
3774cleaned at startup.
3775.It Va clear_tmp_X
3776.Pq Vt bool
3777Set to
3778.Dq Li NO
3779to disable removing of X11 lock files,
3780and the removal and (secure) recreation
3781of the various socket directories for X11
3782related programs.
3783.It Va ldconfig_paths
3784.Pq Vt str
3785Set to the list of shared library paths to use with
3786.Xr ldconfig 8 .
3787NOTE:
3788.Pa /lib
3789and
3790.Pa /usr/lib
3791will always be added first, so they need not appear in this list.
3792.It Va ldconfig32_paths
3793.Pq Vt str
3794Set to the list of 32-bit compatibility shared library paths to
3795use with
3796.Xr ldconfig 8 .
3797.It Va ldconfig_insecure
3798.Pq Vt bool
3799The
3800.Xr ldconfig 8
3801utility normally refuses to use directories
3802which are writable by anyone except root.
3803Set this variable to
3804.Dq Li YES
3805to disable that security check during system startup.
3806.It Va ldconfig_local_dirs
3807.Pq Vt str
3808Set to the list of local
3809.Xr ldconfig 8
3810directories.
3811The names of all files in the directories listed will be
3812passed as arguments to
3813.Xr ldconfig 8 .
3814.It Va ldconfig_local32_dirs
3815.Pq Vt str
3816Set to the list of local 32-bit compatibility
3817.Xr ldconfig 8
3818directories.
3819The names of all files in the directories listed will be
3820passed as arguments to
3821.Dq Nm ldconfig Fl 32 .
3822.It Va kern_securelevel_enable
3823.Pq Vt bool
3824Set to
3825.Dq Li YES
3826to set the kernel security level at system startup.
3827.It Va kern_securelevel
3828.Pq Vt int
3829The kernel security level to set at startup.
3830The allowed range of
3831.Ar value
3832ranges from \-1 (the compile time default) to 3 (the
3833most secure).
3834See
3835.Xr security 7
3836for the list of possible security levels and their effect
3837on system operation.
3838.It Va sshd_program
3839.Pq Vt str
3840Path to the SSH server program
3841.Pa ( /usr/sbin/sshd
3842is the default).
3843.It Va sshd_enable
3844.Pq Vt bool
3845Set to
3846.Dq Li YES
3847to start
3848.Xr sshd 8
3849at system boot time.
3850Note, the
3851.Va sshd_oomprotect
3852variable is set to
3853.Dq Li YES
3854by default in
3855.Pa /etc/defaults/rc.conf .
3856.It Va sshd_flags
3857.Pq Vt str
3858If
3859.Va sshd_enable
3860is set to
3861.Dq Li YES ,
3862these are the flags to pass to the
3863.Xr sshd 8
3864daemon.
3865.It Va ftpd_program
3866.Pq Vt str
3867Path to the FTP server program
3868.Pa ( /usr/libexec/ftpd
3869is the default).
3870.It Va ftpd_enable
3871.Pq Vt bool
3872Set to
3873.Dq Li YES
3874to start
3875.Xr ftpd 8
3876as a stand-alone daemon at system boot time.
3877.It Va ftpd_flags
3878.Pq Vt str
3879If
3880.Va ftpd_enable
3881is set to
3882.Dq Li YES ,
3883these are the additional flags to pass to the
3884.Xr ftpd 8
3885daemon.
3886.It Va watchdogd_enable
3887.Pq Vt bool
3888If set to
3889.Dq Li YES ,
3890start the
3891.Xr watchdogd 8
3892daemon at boot time.
3893This requires that the kernel have been compiled with a
3894.Xr watchdog 4
3895compatible device.
3896.It Va watchdogd_flags
3897.Pq Vt str
3898If
3899.Va watchdogd_enable
3900is set to
3901.Dq Li YES ,
3902these are the flags passed to the
3903.Xr watchdogd 8
3904daemon.
3905.It Va watchdogd_timeout
3906.Pq Vt int
3907If
3908.Va watchdogd_enable
3909is set to
3910.Dq Li YES ,
3911this is a timeout that will be used by the
3912.Xr watchdogd 8
3913daemon.
3914If this option is set, it overrides
3915.Fl t
3916in
3917.Va watchdogd_flags .
3918.It Va watchdogd_shutdown_timeout
3919.Pq Vt int
3920If
3921.Va watchdogd_enable
3922is set to
3923.Dq Li YES ,
3924this is a timeout that will be set by the
3925.Xr watchdogd 8
3926daemon when it exits during the system shutdown.
3927This timeout will not be set when returning to the single-user mode
3928or when the watchdogd service is stopped individually using the
3929.Xr service 8
3930command or the rc.d script.
3931Note that the timeout will be applied if
3932.Xr watchdogd 8
3933is stopped outside of
3934.Xr rc 8
3935framework.
3936If this option is set, it overrides
3937.Fl x
3938in
3939.Va watchdogd_flags .
3940.It Va devfs_rulesets
3941.Pq Vt str
3942List of files containing sets of rules for
3943.Xr devfs 8 .
3944.It Va devfs_system_ruleset
3945.Pq Vt str
3946Rule name(s) to apply to the system
3947.Pa /dev
3948itself.
3949.It Va devfs_set_rulesets
3950.Pq Vt str
3951Pairs of already-mounted
3952.Pa dev
3953directories and rulesets that should be applied to them.
3954For example: /mount/dev=ruleset_name
3955.It Va devfs_load_rulesets
3956.Pq Vt bool
3957If set, always load the default rulesets listed in
3958.Va devfs_rulesets .
3959.It Va performance_cx_lowest
3960.Pq Vt str
3961CPU idle state to use while on AC power.
3962The string
3963.Dq Li LOW
3964indicates that
3965.Xr acpi 4
3966should use the lowest power state available while
3967.Dq Li HIGH
3968indicates that the lowest latency state (less power savings) should be used.
3969.It Va performance_cpu_freq
3970.Pq Vt str
3971CPU clock frequency to use while on AC power.
3972The string
3973.Dq Li LOW
3974indicates that
3975.Xr cpufreq 4
3976should use the lowest frequency available while
3977.Dq Li HIGH
3978indicates that the highest frequency (less power savings) should be used.
3979.It Va economy_cx_lowest
3980.Pq Vt str
3981CPU idle state to use when off AC power.
3982The string
3983.Dq Li LOW
3984indicates that
3985.Xr acpi 4
3986should use the lowest power state available while
3987.Dq Li HIGH
3988indicates that the lowest latency state (less power savings) should be used.
3989.It Va economy_cpu_freq
3990.Pq Vt str
3991CPU clock frequency to use when off AC power.
3992The string
3993.Dq Li LOW
3994indicates that
3995.Xr cpufreq 4
3996should use the lowest frequency available while
3997.Dq Li HIGH
3998indicates that the highest frequency (less power savings) should be used.
3999.It Va jail_enable
4000.Pq Vt bool
4001If set to
4002.Dq Li NO ,
4003any configured jails will not be started.
4004.It Va jail_conf
4005.Pq Vt str
4006The configuration filename used by
4007.Xr jail 8
4008utility.
4009The default value is
4010.Pa /etc/jail.conf .
4011.Pa /etc/jail\&. Ns Ao Va jname Ac Ns Pa .conf
4012and
4013.Pa /etc/jail.conf.d/ Ns Ao Va jname Ac Ns Pa .conf
4014will also be used if
4015.Ao Va jname Ac
4016is set in
4017.Va jail_list .
4018.It Va jail_parallel_start
4019.Pq Vt bool
4020If set to
4021.Dq Li YES ,
4022all configured jails will be started in the background (in parallel).
4023.It Va jail_flags
4024.Pq Vt str
4025Unset by default.
4026When set, use as default value for
4027.Va jail_ Ns Ao Ar jname Ac Ns Va _flags
4028for every jail in
4029.Va jail_list .
4030.It Va jail_list
4031.Pq Vt str
4032A space-delimited list of jail names.
4033When left empty, all of the
4034.Xr jail 8
4035instances defined in the configuration file are started.
4036The names specified in this list control the jail startup order.
4037.Xr jail 8
4038instances missing from
4039.Va jail_list
4040must be started manually.
4041Note that a jail's
4042.Va depend
4043parameter in the configuration file may override this list.
4044.It Va jail_reverse_stop
4045.Pq Vt bool
4046When set to
4047.Dq Li YES ,
4048all configured jails in
4049.Va jail_list
4050are stopped in reverse order.
4051.It Va jail_ Ns * variables
4052Note that older releases supported per-jail configuration via
4053.Nm
4054variables.
4055For example,
4056hostname of a jail named
4057.Li vjail
4058was able to be set by
4059.Li jail_vjail_hostname .
4060These per-jail configuration variables are now obsolete in favor of
4061.Xr jail 8
4062configuration file.
4063For backward compatibility,
4064when per-jail configuration variables are defined,
4065.Xr jail 8
4066configuration files are created as
4067.Pa /var/run/jail . Ns Ao Ar jname Ac Ns Pa .conf
4068and used.
4069.Pp
4070The following per-jail parameters are handled by
4071.Pa rc.d/jail
4072script out of their corresponding
4073.Nm
4074variables.
4075In addition to them, parameters in
4076.Va jail_ Ns Ao Ar jname Ac Ns Va _parameters
4077will be added to the configuration file.
4078They must be a semi-colon
4079.Pq Ql \&;
4080delimited list of
4081.Dq key=value .
4082For more details,
4083see
4084.Xr jail 8
4085manual page.
4086.Bl  -tag -width "host.hostname" -offset indent
4087.It Li path
4088set from
4089.Va jail_ Ns Ao Ar jname Ac Ns Va _rootdir
4090.It Li host.hostname
4091set from
4092.Va jail_ Ns Ao Ar jname Ac Ns Va _hostname
4093.It Li exec.consolelog
4094set from
4095.Va jail_ Ns Ao Ar jname Ac Ns Va _consolelog .
4096The default value is
4097.Pa /var/log/jail_ Ns Ao Ar jname Ac Ns Pa _console.log .
4098.It Li interface
4099set from
4100.Va jail_ Ns Ao Ar jname Ac Ns Va _interface .
4101.It Li vnet.interface
4102set from
4103.Va jail_ Ns Ao Ar jname Ac Ns Va _vnet_interface .
4104This implies
4105.Li vnet
4106parameter will be enabled and cannot be specified with
4107.Va jail_ Ns Ao Ar jname Ac Ns Va _interface ,
4108.Va jail_ Ns Ao Ar jname Ac Ns Va _ip
4109and/or
4110.Va jail_ Ns Ao Ar jname Ac Ns Va _ip_multi Ns Aq Ar n
4111at the same time.
4112.It Li fstab
4113set from
4114.Va jail_ Ns Ao Ar jname Ac Ns Va _fstab
4115.It Li mount
4116set from
4117.Va jail_ Ns Ao Ar jname Ac Ns Va _procfs_enable .
4118.It Li exec.fib
4119set from
4120.Va jail_ Ns Ao Ar jname Ac Ns Va _fib
4121.It Li exec.start
4122set from
4123.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_start .
4124The parameter name was
4125.Li command
4126in some older releases.
4127.It Li exec.prestart
4128set from
4129.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_prestart
4130.It Li exec.poststart
4131set from
4132.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_poststart
4133.It Li exec.stop
4134set from
4135.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_stop
4136.It Li exec.prestop
4137set from
4138.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_prestop
4139.It Li exec.poststop
4140set from
4141.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_poststop
4142.It Li ip4.addr
4143set if
4144.Va jail_ Ns Ao Ar jname Ac Ns Va _ip
4145or
4146.Va jail_ Ns Ao Ar jname Ac Ns Va _ip_multi Ns Aq Ar n
4147contain IPv4 addresses
4148.It Li ip6.addr
4149set if
4150.Va jail_ Ns Ao Ar jname Ac Ns Va _ip
4151or
4152.Va jail_ Ns Ao Ar jname Ac Ns Va _ip_multi Ns Aq Ar n
4153contain IPv6 addresses
4154.It Li allow.mount
4155set from
4156.Va jail_ Ns Ao Ar jname Ac Ns Va _mount_enable
4157.It Li mount.devfs
4158set from
4159.Va jail_ Ns Ao Ar jname Ac Ns Va _devfs_enable
4160.It Li devfs_ruleset
4161set from
4162.Va jail_ Ns Ao Ar jname Ac Ns Va _devfs_ruleset .
4163This must be an integer,
4164not a string.
4165.It Li mount.fdescfs
4166set from
4167.Va jail_ Ns Ao Ar jname Ac Ns Va _fdescfs_enable
4168.It Li allow.set_hostname
4169set from
4170.Va jail_ Ns Ao Ar jname Ac Ns Va _set_hostname_allow
4171.It Li allow.rawsocket
4172set from
4173.Va jail_ Ns Ao Ar jname Ac Ns Va _socket_unixiproute_only
4174.It Li allow.sysvipc
4175set from
4176.Va jail_ Ns Ao Ar jname Ac Ns Va _sysvipc_allow
4177.El
4178.\" -----------------------------------------------------
4179.It Va harvest_mask
4180.Pq Vt int
4181Set to a bit-mask
4182representing the entropy sources
4183you wish to harvest.
4184Refer to
4185.Xr random 4
4186for more information.
4187.It Va entropy_dir
4188.Pq Vt str
4189Set to
4190.Dq Li NO
4191to disable caching entropy via
4192.Xr cron 8 .
4193Otherwise set to the directory
4194in which the entropy files are stored.
4195To be useful,
4196there must be
4197a system cron job
4198that regularly writes and rotates
4199files here.
4200All files found
4201will be used at boot time.
4202The default is
4203.Pa /var/db/entropy .
4204.It Va entropy_file
4205.Pq Vt str
4206Set to
4207.Dq Li NO
4208to disable caching entropy through reboots.
4209Otherwise set to the name
4210of a file used to store cached entropy.
4211This file should be located
4212on a file system that is readable
4213before all the volumes specified in
4214.Xr fstab 5
4215are mounted.
4216By default,
4217.Pa /entropy
4218is used,
4219but if
4220.Pa /var/db/entropy-file
4221is found it will also be used.
4222This will be of some use to
4223.Xr bsdinstall 8 .
4224.It Va entropy_boot_file
4225.Pq Vt str
4226Set to
4227.Dq Li NO
4228to disable
4229very early caching entropy
4230through reboots.
4231Otherwise set to the filename
4232used to read
4233very early reboot cached entropy.
4234This file should be located where
4235.Xr loader 8
4236can read it.
4237See also
4238.Xr loader.conf 5 .
4239The default location is
4240.Pa /boot/entropy .
4241.It Va entropy_save_sz
4242.Pq Vt int
4243Size of the entropy cache files saved by
4244.Nm save-entropy
4245periodically.
4246.It Va entropy_save_num
4247.Pq Vt int
4248Number of entropy cache files to save by
4249.Nm save-entropy
4250periodically.
4251.It Va ipsec_enable
4252.Pq Vt bool
4253Set to
4254.Dq Li YES
4255to run
4256.Xr setkey 8
4257on
4258.Va ipsec_file
4259at boot time.
4260.It Va ipsec_file
4261.Pq Vt str
4262Configuration file for
4263.Xr setkey 8 .
4264.It Va dmesg_enable
4265.Pq Vt bool
4266Set to
4267.Dq Li YES
4268to save
4269.Xr dmesg 8
4270to
4271.Pa /var/run/dmesg.boot
4272on boot.
4273.It Va rcshutdown_timeout
4274.Pq Vt int
4275If set, start a watchdog timer in the background which will terminate
4276.Pa rc.shutdown
4277if
4278.Xr shutdown 8
4279has not completed within the specified time (in seconds).
4280Notice that in addition to this soft timeout,
4281.Xr init 8
4282also applies a hard timeout for the execution of
4283.Pa rc.shutdown .
4284This is configured via
4285.Xr sysctl 8
4286variable
4287.Va kern.init_shutdown_timeout
4288and defaults to 120 seconds.
4289Setting the value of
4290.Va rcshutdown_timeout
4291to more than 120 seconds will have no effect until the
4292.Xr sysctl 8
4293variable
4294.Va kern.init_shutdown_timeout
4295is also increased.
4296.It Va virecover_enable
4297.Pq Vt bool
4298Set to
4299.Dq Li NO
4300to prevent the system from trying to
4301recover prematurely terminated
4302.Xr vi 1
4303sessions.
4304.It Va ugidfw_enable
4305.Pq Vt bool
4306Set to
4307.Dq Li YES
4308to load the
4309.Xr mac_bsdextended 4
4310module upon system initialization and load a default
4311ruleset file.
4312.It Va bsdextended_script
4313.Pq Vt str
4314The default
4315.Xr mac_bsdextended 4
4316ruleset file to load.
4317The default value of this variable is
4318.Pa /etc/rc.bsdextended .
4319.It Va newsyslog_enable
4320.Pq Vt bool
4321If set to
4322.Dq Li YES ,
4323run
4324.Xr newsyslog 8
4325command at startup.
4326.It Va newsyslog_flags
4327.Pq Vt str
4328If
4329.Va newsyslog_enable
4330is set to
4331.Dq Li YES ,
4332these are the flags to pass to the
4333.Xr newsyslog 8
4334program.
4335The default is
4336.Dq Li -CN ,
4337which causes log files flagged with a
4338.Cm C
4339to be created.
4340.It Va mdconfig_md Ns Aq Ar X
4341.Pq Vt str
4342Arguments to
4343.Xr mdconfig 8
4344for
4345.Xr md 4
4346device
4347.Ar X .
4348At minimum a
4349.Fl t Ar type
4350must be specified and either a
4351.Fl s Ar size
4352for malloc or swap backed
4353.Xr md 4
4354devices or a
4355.Fl f Ar file
4356for vnode backed
4357.Xr md 4
4358devices.
4359Note that
4360.Va mdconfig_md Ns Aq Ar X
4361variables are evaluated until one variable is unset or null.
4362.It Va mdconfig_md Ns Ao Ar X Ac Ns Va _newfs
4363.Pq Vt str
4364Optional arguments passed to
4365.Xr newfs 8
4366to initialize
4367.Xr md 4
4368device
4369.Ar X .
4370.It Va mdconfig_md Ns Ao Ar X Ac Ns Va _owner
4371.Pq Vt str
4372An ownership specification passed to
4373.Xr chown 8
4374after the specified
4375.Xr md 4
4376device
4377.Ar X
4378has been mounted.
4379Both the
4380.Xr md 4
4381device and the mount point will be changed.
4382.It Va mdconfig_md Ns Ao Ar X Ac Ns Va _perms
4383.Pq Vt str
4384A mode string passed to
4385.Xr chmod 1
4386after the specified
4387.Xr md 4
4388device
4389.Ar X
4390has been mounted.
4391Both the
4392.Xr md 4
4393device and the mount point will be changed.
4394.It Va mdconfig_md Ns Ao Ar X Ac Ns Va _files
4395.Pq Vt str
4396Files to be copied to the mount point of the
4397.Xr md 4
4398device
4399.Ar X
4400after it has been mounted.
4401.It Va mdconfig_md Ns Ao Ar X Ac Ns Va _cmd
4402.Pq Vt str
4403Command to execute after the specified
4404.Xr md 4
4405device
4406.Ar X
4407has been mounted.
4408Note that the command is passed to
4409.Ic eval
4410and that both
4411.Va _dev
4412and
4413.Va _mp
4414variables can be used to reference respectively the
4415.Xr md 4
4416device and the mount point.
4417Assuming that the
4418.Xr md 4
4419device is
4420.Li md0 ,
4421one could set the following:
4422.Bd -literal
4423mdconfig_md0_cmd="tar xfzC /var/file.tgz \e${_mp}"
4424.Ed
4425.It Va autobridge_interfaces
4426.Pq Vt str
4427Set to the list of bridge interfaces that will have newly arriving interfaces
4428checked against to be automatically added.
4429If not set to
4430.Dq Li NO
4431then for each whitespace separated
4432.Ar element
4433in the value, a
4434.Va autobridge_ Ns Aq Ar element
4435variable is assumed to exist which has a whitespace separated list of interface
4436names to match, these names can use wildcards.
4437For example:
4438.Bd -literal
4439autobridge_interfaces="bridge0"
4440autobridge_bridge0="tap* dc0 vlan[345]"
4441.Ed
4442.It Va mixer_enable
4443.Pq Vt bool
4444If set to
4445.Dq Li YES ,
4446enable support for sound mixer.
4447.It Va hcsecd_enable
4448.Pq Vt bool
4449If set to
4450.Dq Li YES ,
4451enable Bluetooth security daemon.
4452.It Va hcsecd_config
4453.Pq Vt str
4454Configuration file for
4455.Xr hcsecd 8 .
4456Default
4457.Pa /etc/bluetooth/hcsecd.conf .
4458.It Va sdpd_enable
4459.Pq Vt bool
4460If set to
4461.Dq Li YES ,
4462enable Bluetooth Service Discovery Protocol daemon.
4463.It Va sdpd_control
4464.Pq Vt str
4465Path to
4466.Xr sdpd 8
4467control socket.
4468Default
4469.Pa /var/run/sdp .
4470.It Va sdpd_groupname
4471.Pq Vt str
4472Sets
4473.Xr sdpd 8
4474group to run as after it initializes.
4475Default
4476.Dq Li nobody .
4477.It Va sdpd_username
4478.Pq Vt str
4479Sets
4480.Xr sdpd 8
4481user to run as after it initializes.
4482Default
4483.Dq Li nobody .
4484.It Va bthidd_enable
4485.Pq Vt bool
4486If set to
4487.Dq Li YES ,
4488enable Bluetooth Human Interface Device daemon.
4489.It Va bthidd_config
4490.Pq Vt str
4491Configuration file for
4492.Xr bthidd 8 .
4493Default
4494.Pa /etc/bluetooth/bthidd.conf .
4495.It Va bthidd_hids
4496.Pq Vt str
4497Path to a file, where
4498.Xr bthidd 8
4499will store information about known HID devices.
4500Default
4501.Pa /var/db/bthidd.hids .
4502.It Va rfcomm_pppd_server_enable
4503.Pq Vt bool
4504If set to
4505.Dq Li YES ,
4506enable Bluetooth RFCOMM PPP wrapper daemon.
4507.It Va rfcomm_pppd_server_profile
4508.Pq Vt str
4509The name of the profile to use from
4510.Pa /etc/ppp/ppp.conf .
4511Multiple profiles can be specified here.
4512Also used to specify per-profile overrides.
4513When the profile name contains any of the characters
4514.Dq Li .-/+
4515they are translated to
4516.Dq Li _
4517for the proposes of the override variable names.
4518.It Va rfcomm_pppd_server_ Ns Ao Ar profile Ac Ns _bdaddr
4519.Pq Vt str
4520Overrides local address to listen on.
4521By default
4522.Xr rfcomm_pppd 8
4523will listen on
4524.Dq Li ANY
4525address.
4526The address can be specified as BD_ADDR or name.
4527.It Va rfcomm_pppd_server_ Ns Ao Ar profile Ac Ns _channel
4528.Pq Vt str
4529Overrides local RFCOMM channel to listen on.
4530By default
4531.Xr rfcomm_pppd 8
4532will listen on RFCOMM channel 1.
4533Must set properly if multiple profiles used in the same time.
4534.It Va rfcomm_pppd_server_ Ns Ao Ar profile Ac Ns _register_sp
4535.Pq Vt bool
4536Tells
4537.Xr rfcomm_pppd 8
4538if it should register Serial Port service on the specified RFCOMM channel.
4539Default
4540.Dq Li NO .
4541.It Va rfcomm_pppd_server_ Ns Ao Ar profile Ac Ns _register_dun
4542.Pq Vt bool
4543Tells
4544.Xr rfcomm_pppd 8
4545if it should register Dial-Up Networking service on the specified
4546RFCOMM channel.
4547Default
4548.Dq Li NO .
4549.It Va ubthidhci_enable
4550.Pq Vt bool
4551If set to
4552.Dq Li YES ,
4553change the USB Bluetooth controller from HID mode to HCI mode.
4554You also need to specify the location of USB Bluetooth controller with the
4555.Va ubthidhci_busnum
4556and
4557.Va ubthidhci_addr
4558variables.
4559.It Va ubthidhci_busnum
4560Bus number where the USB Bluetooth controller is located.
4561Check the output of
4562.Xr usbconfig 8
4563on your system to find this information.
4564.It Va ubthidhci_addr
4565Bus address of the USB Bluetooth controller.
4566Check the output of
4567.Xr usbconfig 8
4568on your system to find this information.
4569.It Va utx_enable
4570.Pq Vt bool
4571Set to
4572.Dq Li YES
4573to enable user accounting through the
4574.Xr utx 8
4575facility.
4576.It Va netwait_enable
4577.Pq Vt bool
4578If set to
4579.Dq Li YES ,
4580delays the start of network-reliant services until
4581.Va netwait_if
4582is up and ICMP packets to a destination defined in
4583.Va netwait_ip
4584are flowing.
4585Link state is examined first, followed by
4586.Dq Li pinging
4587an IP address to verify network usability.
4588If no destination can be reached or timeouts are exceeded,
4589network services are started anyway with no guarantee that
4590the network is usable.
4591Use of this variable requires both
4592.Va netwait_ip
4593and
4594.Va netwait_if
4595to be set.
4596.It Va netwait_ip
4597.Pq Vt str
4598Empty by default.
4599This variable contains a space-delimited list of IP addresses to
4600.Xr ping 8 .
4601DNS hostnames should not be used as resolution is not guaranteed
4602to be functional at this point.
4603If multiple IP addresses are specified,
4604each will be tried until one is successful or the list is exhausted.
4605.It Va netwait_timeout
4606.Pq Vt int
4607Indicates the total number of seconds to perform a
4608.Dq Li ping
4609against each IP address in
4610.Va netwait_ip ,
4611at a rate of one ping per second.
4612If any of the pings are successful,
4613full network connectivity is considered reliable.
4614The default is 60.
4615.It Va netwait_if
4616.Pq Vt str
4617Empty by default.
4618Defines the name of the network interface on which watch for link.
4619.Xr ifconfig 8
4620is used to monitor the interface, looking for
4621.Dq Li status: no carrier .
4622Once gone, the link is considered up.
4623This can be a
4624.Xr vlan 4
4625interface if desired.
4626.It Va netwait_if_timeout
4627.Pq Vt int
4628Defines the total number of seconds to wait for link to become usable,
4629polled at a 1-second interval.
4630The default is 30.
4631.It Va rctl_enable
4632.Pq Vt bool
4633If set to
4634.Dq Li YES ,
4635load
4636.Xr rctl 8
4637rules from the defined ruleset.
4638The kernel must be built with
4639.Cd "options RACCT"
4640and
4641.Cd "options RCTL" .
4642.It Va rctl_rules
4643.Pq Vt str
4644Set to
4645.Pa /etc/rctl.conf
4646by default.
4647This variables contains the
4648.Xr rctl.conf 5
4649ruleset to load for
4650.Xr rctl 8 .
4651.It Va iovctl_files
4652.Pq Vt str
4653A space-separated list of configuration files used by
4654.Xr iovctl 8 .
4655The default value is an empty string.
4656.It Va autofs_enable
4657.Pq Vt bool
4658If set to
4659.Dq Li YES ,
4660start the
4661.Xr automount 8
4662utility and the
4663.Xr automountd 8
4664and
4665.Xr autounmountd 8
4666daemons at boot time.
4667.It Va automount_flags
4668.Pq Vt str
4669If
4670.Va autofs_enable
4671is set to
4672.Dq Li YES ,
4673these are the flags to pass to the
4674.Xr automount 8
4675program.
4676By default no flags are passed.
4677.It Va automountd_flags
4678.Pq Vt str
4679If
4680.Va autofs_enable
4681is set to
4682.Dq Li YES ,
4683these are the flags to pass to the
4684.Xr automountd 8
4685daemon.
4686By default no flags are passed.
4687.It Va autounmountd_flags
4688.Pq Vt str
4689If
4690.Va autofs_enable
4691is set to
4692.Dq Li YES ,
4693these are the flags to pass to the
4694.Xr autounmountd 8
4695daemon.
4696By default no flags are passed.
4697.It Va ctld_enable
4698.Pq Vt bool
4699If set to
4700.Dq Li YES ,
4701start the
4702.Xr ctld 8
4703daemon at boot time.
4704.It Va iscsid_enable
4705.Pq Vt bool
4706If set to
4707.Dq Li YES ,
4708start the
4709.Xr iscsid 8
4710daemon at boot time.
4711.It Va iscsictl_enable
4712.Pq Vt bool
4713If set to
4714.Dq Li YES ,
4715start the
4716.Xr iscsictl 8
4717utility at boot time.
4718.It Va iscsictl_flags
4719.Pq Vt str
4720If
4721.Va iscsictl_enable
4722is set to
4723.Dq Li YES ,
4724these are the flags to pass to the
4725.Xr iscsictl 8
4726program.
4727The default is
4728.Dq Li -Aa ,
4729which configures sessions based on the
4730.Pa /etc/iscsi.conf
4731configuration file.
4732.It Va cfumass_enable
4733.Pq Vt bool
4734If set to
4735.Dq Li YES ,
4736create and export an USB LUN using
4737.Xr cfumass 4
4738at boot time.
4739.It Va cfumass_dir
4740.Pq Vt str
4741The directory where the files exported by USB LUN are located.
4742The default directory is
4743.Pa /var/cfumass .
4744.It Va service_delete_empty
4745.Pq Vt bool
4746If set to
4747.Dq Li YES ,
4748.Ql Li service delete
4749removes empty
4750.Dq Li rc.conf.d
4751files.
4752.It Va zfs_bootonce_activate
4753.Pq Vt bool
4754If set to
4755.Dq Li YES ,
4756and a boot environment marked bootonce is successfully booted,
4757it will be made permanently active.
4758.It Va zfskeys_enable
4759.Pq Vt bool
4760If set to
4761.Dq Li YES ,
4762enable auto-loading of encryption keys for encrypted ZFS datasets.
4763For every dataset the script will first load the appropriate encryption key
4764and then attempt to unlock the dataset.
4765.Pp
4766The script operates only on datasets which are encrypted with
4767ZFS native encryption
4768and have a ZFS
4769.Dq Li keylocation
4770dataset property beginning with
4771.Dq Li file:// .
4772.It Va zfskeys_datasets
4773.Pq Vt str
4774A whitespace-separated list of ZFS datasets to unlock.
4775The list is empty by default,
4776which means that the script will attempt to unlock all datasets.
4777.It Va zfskeys_timeout
4778.Pq Vt int
4779Define the total number of seconds to wait for the zfskeys script
4780to unlock an encrypted dataset.
4781The default is 10.
4782.It Va sendmail_enable
4783.Pq Vt str
4784If set to
4785.Dq Li YES ,
4786run the
4787.Xr sendmail 8
4788daemon at system boot time.
4789If set to
4790.Dq Li NO ,
4791do not run a
4792.Xr sendmail 8
4793daemon to listen for incoming network mail.
4794This does not preclude a
4795.Xr sendmail 8
4796daemon listening on the SMTP port of the loopback interface.
4797The
4798.Dq Li NONE
4799option sets each
4800.Va sendmail_enable ,
4801.Va sendmail_submit_enable ,
4802.Va sendmail_outbound_enable ,
4803.Va sendmail_msp_queue_enable
4804to
4805.Dq Li NO .
4806.It Va sendmail_cert_create
4807.Pq Vt str
4808If
4809.Va sendmail_enable
4810is set to
4811.Dq Li YES ,
4812create a signed certificate
4813.Pa /etc/mail/certs/host.cert
4814representing
4815.Pa /etc/mail/certs/host.key
4816by the CA certificate in
4817.Pa /etc/mail/certs/cacert.pem .
4818This will enable connecting hosts to negotiate STARTTLS allowing incoming
4819email to be encrypted in transit.
4820.Xr sendmail 8
4821needs to be configured to use these generated files.
4822The default configuration in
4823.Pa /etc/mail/freebsd.mc
4824has the required options in it.
4825.It Va sendmail_cert_cn
4826.Pq Vt str
4827If
4828.Va sendmail_enable
4829is set to
4830.Dq Li YES
4831and
4832.Va sendmail_cert_create
4833is set to
4834.Dq Li YES ,
4835this is the Common Name (CN) of the certificate that will be created.
4836If
4837.Va sendmail_cert_cn
4838is not set, the system's hostname will be used.
4839If there is no hostname set,
4840.Dq Li amnesiac
4841will be used.
4842.It Va sendmail_flags
4843.Pq Vt str
4844If
4845.Va sendmail_enable
4846is set to
4847.Dq Li YES ,
4848these are the flags to pass to the
4849.Xr sendmail 8
4850daemon.
4851.It Va sendmail_submit_enable
4852.Pq Vt bool
4853If set to
4854.Dq Li YES
4855and
4856.Va sendmail_enable
4857is set to
4858.Dq Li NO ,
4859run
4860.Xr sendmail 8
4861using
4862.Va sendmail_submit_flags
4863instead of
4864.Va sendmail_flags .
4865This is intended to allow local mail submission via
4866a localhost-only listening SMTP service required for running
4867.Xr sendmail 8
4868as a non-set-user-ID binary.
4869Note that this does not work inside
4870.Xr jail 2
4871systems, as jails do not allow binding to just the localhost interface.
4872.It Va sendmail_submit_flags
4873.Pq Vt str
4874If
4875.Va sendmail_enable
4876is set to
4877.Dq Li NO
4878and
4879.Va sendmail_submit_enable
4880is set to
4881.Dq Li YES ,
4882these are the flags to pass to the
4883.Xr sendmail 8
4884daemon.
4885.It Va sendmail_outbound_enable
4886.Pq Vt bool
4887If set to
4888.Dq Li YES
4889and both
4890.Va sendmail_enable
4891and
4892.Va sendmail_submit_enable
4893are set to
4894.Dq Li NO ,
4895run
4896.Xr sendmail 8
4897using
4898.Va sendmail_outbound_flags
4899instead of
4900.Va sendmail_flags .
4901This is intended to allow local mail queue management
4902for systems that do not offer a listening SMTP service.
4903.It Va sendmail_outbound_flags
4904.Pq Vt str
4905If both
4906.Va sendmail_enable
4907and
4908.Va sendmail_submit_enable
4909are set to
4910.Dq Li NO
4911and
4912.Va sendmail_outbound_enable
4913is set to
4914.Dq Li YES ,
4915these are the flags to pass to the
4916.Xr sendmail 8
4917daemon.
4918.It Va sendmail_msp_queue_enable
4919.Pq Vt bool
4920If set to
4921.Dq Li YES ,
4922start a client (MSP) queue runner
4923.Xr sendmail 8
4924daemon at system boot time.
4925As of sendmail 8.12, a separate queue is used for command line
4926submissions.
4927The client queue runner ensures that nothing is
4928left behind in the submission queue.
4929.It Va sendmail_msp_queue_flags
4930.Pq Vt str
4931If
4932.Va sendmail_msp_queue_enable
4933is set to
4934daemon.
4935.Dq Li YES ,
4936these are the flags to pass to the
4937.Xr sendmail 8
4938.El
4939.Sh SERVICE JAILS
4940The service jails part of the rc system automatically puts a service
4941into a jail.
4942This jail inherits the filesystem and various other parts of the
4943parent (if you allow child-jails in your jails, service jails
4944can be used in jails) depending on the content of the
4945.Ao Ar name Ac Ns Va _svcj_options
4946variable.
4947Typically this variable is set inside rc scripts, but it can be
4948overriden in the rc config.
4949Valid options for
4950.Ao Ar name Ac Ns Va _svcj_options
4951are:
4952.Bl -tag -width indent-two
4953.It mlock
4954Allows to lock memory pages into the physical memory.
4955.It netv4
4956Inherit the IPv4 address and allows to open reserved ports.
4957This can not be combined with
4958.Pa netv6 .
4959.It netv6
4960Inherit the IPv6 address and allows to open reserved ports.
4961This can not be combined with
4962.Pa netv4 .
4963.It net_basic
4964Inherits the IPv4 and IPv6 addresses and allows to open
4965reserved ports.
4966.It net_raw
4967Allow to open raw sockets.
4968This option can be combined with
4969.Pa netv4 ,
4970.Pa netv6 ,
4971.Pa net_basic .
4972.It net_all
4973Inherits the IPv4 and IPv6 addresses, allows to open reserved
4974ports, allows to open raw sockets, and allows to open sockets
4975of protocol stacks that have not had jail functionality added
4976to them.
4977.It nfsd
4978Allows to run nfsd and affiliated daemons.
4979.It sysvipc
4980Inherits the SysV semaphores, SysV shared memory and
4981SysV messages from the host or the parent jail.
4982.It sysvipcnew
4983Creates a new namespace for SysV semaphores, SysV shared memory
4984and SysV messages for this particular service jail.
4985.It vmm
4986Allows access to
4987.Xr vmm 4 .
4988This option is only available when
4989.Xr vmm 4
4990is enabled in the kernel.
4991.El
4992
4993All non-network options can be combined with all other options.
4994From the SysV options only one option can be specified.
4995
4996If the
4997.Ao Ar name Ac Ns Va _svcj
4998variable is set to
4999.Dq Li YES ,
5000this particular service is started in a
5001service jail named
5002.Va svcj- Ns Ar name Ac .
5003
5004The
5005.Va svcj_all_enable
5006variable allows to enable service jails for all services of the
5007system at once.
5008Services which have
5009.Ao Ar name Ac Ns Va _svcj
5010set to
5011.Dq Li NO
5012are excluded.
5013Some services may set
5014.Ao Ar name Ac Ns Va _svcj
5015to
5016.Dq Li NO
5017in the script to either prevent service jails for this
5018service at all, or may set it to
5019.Dq Li NO
5020if it is not set in the
5021rc config, to exclude it from
5022.Va svcj_all_enable
5023but allow to explicitely enable it.
5024The sshd service for example would not see other jails, if
5025it would run as a service jail.
5026This may or may not be what is needed, and as such it is
5027excluded from
5028.Va svcj_all_enable
5029but can be enabled via setting
5030.Va sshd_svcj
5031to
5032.Dq Li YES .
5033.El
5034.Sh FILES
5035.Bl -tag -width "/etc/defaults/rc.conf" -compact
5036.It Pa /etc/defaults/rc.conf
5037.It Pa /etc/defaults/vendor.conf
5038.It Pa /etc/rc.conf
5039.It Pa /etc/rc.conf.local
5040.It Pa /etc/rc.conf.d/
5041.El
5042.Sh SEE ALSO
5043.Xr chmod 1 ,
5044.Xr cpuset 1 ,
5045.Xr gdb 1 Pq Pa ports/devel/gdb ,
5046.Xr kbdcontrol 1 ,
5047.Xr limits 1 ,
5048.Xr protect 1 ,
5049.Xr sh 1 ,
5050.Xr umask 1 ,
5051.Xr uuidgen 1 ,
5052.Xr vi 1 ,
5053.Xr vidcontrol 1 ,
5054.Xr bridge 4 ,
5055.Xr dummynet 4 ,
5056.Xr ip 4 ,
5057.Xr ipf 4 ,
5058.Xr ipfw 4 ,
5059.Xr ipnat 4 ,
5060.Xr kld 4 ,
5061.Xr pf 4 ,
5062.Xr pflog 4 ,
5063.Xr pfsync 4 ,
5064.Xr tcp 4 ,
5065.Xr udp 4 ,
5066.Xr exports 5 ,
5067.Xr fstab 5 ,
5068.Xr ipf 5 ,
5069.Xr ipnat 5 ,
5070.Xr jail.conf 5 ,
5071.Xr loader.conf 5 ,
5072.Xr login.conf 5 ,
5073.Xr motd 5 ,
5074.Xr newsyslog.conf 5 ,
5075.Xr pf.conf 5 ,
5076.Xr firewall 7 ,
5077.Xr growfs 7 ,
5078.Xr security 7 ,
5079.Xr tuning 7 ,
5080.Xr accton 8 ,
5081.Xr apm 8 ,
5082.Xr bsdinstall 8 ,
5083.Xr bthidd 8 ,
5084.Xr chkprintcap 8 ,
5085.Xr chown 8 ,
5086.Xr cron 8 ,
5087.Xr devfs 8 ,
5088.Xr dhclient 8 ,
5089.Xr ftpd 8 ,
5090.Xr geli 8 ,
5091.Xr hcsecd 8 ,
5092.Xr ifconfig 8 ,
5093.Xr inetd 8 ,
5094.Xr iovctl 8 ,
5095.Xr ipf 8 ,
5096.Xr ipfw 8 ,
5097.Xr ipnat 8 ,
5098.Xr jail 8 ,
5099.Xr kldxref 8 ,
5100.Xr loader 8 ,
5101.Xr lpd 8 ,
5102.Xr makewhatis 8 ,
5103.Xr mdconfig 8 ,
5104.Xr mdmfs 8 ,
5105.Xr mixer 8 ,
5106.Xr mountd 8 ,
5107.Xr moused 8 ,
5108.Xr newfs 8 ,
5109.Xr newsyslog 8 ,
5110.Xr nfsd 8 ,
5111.Xr ntpd 8 ,
5112.Xr ntpdate 8 ,
5113.Xr pfctl 8 ,
5114.Xr pflogd 8 ,
5115.Xr ping 8 ,
5116.Xr powerd 8 ,
5117.Xr quotacheck 8 ,
5118.Xr quotaon 8 ,
5119.Xr rc 8 ,
5120.Xr rc.subr 8 ,
5121.Xr rcorder 8 ,
5122.Xr rfcomm_pppd 8 ,
5123.Xr route 8 ,
5124.Xr route6d 8 ,
5125.Xr routed 8 ,
5126.Xr rpc.lockd 8 ,
5127.Xr rpc.statd 8 ,
5128.Xr rpc.tlsclntd 8 ,
5129.Xr rpc.tlsservd 8 ,
5130.Xr rpcbind 8 ,
5131.Xr rwhod 8 ,
5132.Xr savecore 8 ,
5133.Xr sdpd 8 ,
5134.Xr sendmail 8 ,
5135.Xr service 8 ,
5136.Xr sshd 8 ,
5137.Xr swapon 8 ,
5138.Xr sysctl 8 ,
5139.Xr syslogd 8 ,
5140.Xr sysrc 8 ,
5141.Xr unbound 8 ,
5142.Xr usbconfig 8 ,
5143.Xr utx 8 ,
5144.Xr wlandebug 8 ,
5145.Xr yp 8 ,
5146.Xr ypbind 8 ,
5147.Xr ypserv 8 ,
5148.Xr ypset 8
5149.Sh HISTORY
5150The
5151.Nm
5152file appeared in
5153.Fx 2.2.2 .
5154.Sh AUTHORS
5155.An Jordan K. Hubbard .
5156