xref: /freebsd/share/man/man5/rc.conf.5 (revision 4e62c3cafa4c4e41efd6f87b7fe559cf819cf3e4)
1.\" Copyright (c) 1995
2.\"	Jordan K. Hubbard
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\"    notice, this list of conditions and the following disclaimer.
9.\" 2. Redistributions in binary form must reproduce the above copyright
10.\"    notice, this list of conditions and the following disclaimer in the
11.\"    documentation and/or other materials provided with the distribution.
12.\"
13.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND
14.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE
17.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
23.\" SUCH DAMAGE.
24.\"
25.Dd October 14, 2024
26.Dt RC.CONF 5
27.Os
28.Sh NAME
29.Nm rc.conf
30.Nd system configuration information
31.Sh DESCRIPTION
32The file
33.Nm
34contains descriptive information about the local host name, configuration
35details for any potential network interfaces and which services should be
36started up at system initial boot time.
37In new installations, the
38.Nm
39file is generally initialized by the system installation utility.
40.Pp
41The purpose of
42.Nm
43is not to run commands or perform system startup actions
44directly.
45Instead, it is included by the
46various generic startup scripts in
47.Pa /etc
48which conditionalize their
49internal actions according to the settings found there.
50.Pp
51The
52.Pa /etc/rc.conf
53file is included from the file
54.Pa /etc/defaults/rc.conf ,
55which specifies the default settings for all the available options.
56Options need only be specified in
57.Pa /etc/rc.conf
58when the system administrator wishes to override these defaults.
59The file
60.Pa /etc/defaults/vendor.conf
61allows vendors to override
62.Fx
63defaults.
64The file
65.Pa /etc/rc.conf.local
66is used to override settings in
67.Pa /etc/rc.conf
68for historical reasons.
69.Pp
70The sysrc(8) command provides a scripting interface to modify system
71config files.
72.Pp
73In addition to
74.Pa /etc/rc.conf.local
75you can also place smaller configuration files for each
76.Xr rc 8
77script in the
78.Pa /etc/rc.conf.d
79directory or
80.Ao Ar dir Ac Ns Pa /rc.conf.d
81directories (where
82.Ao Ar dir Ac
83is each entry specified in
84.Va local_startup ,
85but with any trailing
86.Pa /rc.d
87stripped),
88which will be included by the
89.Va load_rc_config
90function.
91For jail configurations you could use the file
92.Pa /etc/rc.conf.d/jail
93to store jail-specific configuration options.
94If
95.Va local_startup
96contains
97.Pa /usr/local/etc/rc.d
98and
99.Pa /opt/conf ,
100.Pa /usr/local/etc/rc.conf.d/jail
101and
102.Pa /opt/conf/rc.conf.d/jail
103will be loaded.
104If
105.Ao Ar dir Ac Ns Pa /rc.conf.d/ Ns Ao Ar name Ac
106is a directory then all of the files in the directory will be loaded.
107See also the
108.Va rc_conf_files
109variable below.
110.Pp
111Options are set with
112.Dq Ar name Ns Li = Ns Ar value
113assignments that use
114.Xr sh 1
115syntax.
116The following list provides a name and short description for each
117variable that can be set in the
118.Nm
119file:
120.Bl -tag -width indent-two
121.It Va rc_debug
122.Pq Vt bool
123If set to
124.Dq Li YES ,
125enable output of debug messages from rc scripts.
126This variable can be helpful in diagnosing mistakes when
127editing or integrating new scripts.
128Beware that this produces copious output to the terminal and
129.Xr syslog 3 .
130.It Va rc_info
131.Pq Vt bool
132If set to
133.Dq Li NO ,
134disable informational messages from the rc scripts.
135Informational messages are displayed when
136a condition that is not serious enough to warrant a warning or
137an error occurs.
138.It Va rc_startmsgs
139.Pq Vt bool
140If set to
141.Dq Li YES ,
142show
143.Dq Starting foo:
144when faststart is used (e.g., at boot time).
145.It Va early_late_divider
146.Pq Vt str
147The name of the script that should be used as the
148delimiter between the
149.Dq early
150and
151.Dq late
152stages of the boot process.
153The early stage should contain all the services needed to
154get the disks (local or remote) mounted so that the late
155stage can include scripts contained in the directories
156listed in the
157.Va local_startup
158variable (see below).
159Thus, the two likely candidates for this value are
160.Pa mountcritlocal
161for the typical system, and
162.Pa mountcritremote
163if the system needs remote file
164systems mounted to get access to the
165.Va local_startup
166directories; for example when
167.Pa /usr/local
168is NFS mounted.
169For
170.Pa rc.conf
171within a
172.Xr jail 8
173.Pa NETWORKING
174is likely to be an appropriate value.
175Extreme care should be taken when changing this value,
176and before changing it one should ensure that there are
177adequate provisions to recover from a failed boot
178(such as physical contact with the machine,
179or reliable remote console access).
180.It Va always_force_depends
181.Pq Vt bool
182Various
183.Pa rc.d
184scripts use the force_depend function to check whether required
185services are already running, and to start them if necessary.
186By default during boot time this check is bypassed if the
187required service is enabled in
188.Pa /etc/rc.conf[.local] .
189Setting this option will bypass that check at boot time and
190always test whether or not the service is actually running.
191Enabling this option is likely to increase your boot time if
192services are enabled that utilize the force_depend check.
193.It Ao Ar name Ac Ns Va _chroot
194.Pq Vt str
195.Xr chroot 8
196to this directory before running the service.
197.It Ao Ar name Ac Ns Va _cpuset
198.Pq Vt str
199A list of CPUs to run the service on.
200Passed to
201.Xr cpuset 1
202using the
203.Fl l
204flag.
205.It Ao Ar name Ac Ns Va _fib
206.Pq Vt int
207The
208.Xr setfib 1
209value to run the service under.
210.It Ao Ar name Ac Ns Va _group
211.Pq Vt str
212Run the chrooted service under this system group.
213Unlike the
214.Ao Ar name Ac Ns Va _user
215setting, this setting has no effect if the service is not chrooted.
216.It Ao Ar name Ac Ns Va _limits
217.Pq Vt str
218Resource limits to apply to the service using
219.Xr limits 1 .
220By default, resource limits are based on the login class defined in
221.Ao Ar name Ac Ns Va _login_class .
222.It Ao Ar name Ac Ns Va _login_class
223.Pq Vt str
224Login class to be used with
225.Ao Ar name Ac Ns Va _limits .
226Defaults to
227.Dq Li daemon .
228.It Ao Ar name Ac Ns Va _nice
229.Pq Vt int
230The
231.Xr nice 1
232value to run the service under.
233.It Ao Ar name Ac Ns Va _oomprotect
234.Pq Vt str
235Use
236.Xr protect 1
237to prevent the service from being killed when swap space
238is exhausted.
239Use
240.Dq Li YES
241to protect only the service itself, and
242.Dq Li ALL
243to protect the service and all its child processes.
244.Pp
245Please note that rc scripts which redefine
246.Dl ${argument}_cmd
247.Pq see Xr rc.subr 8
248such as PostgreSQL will not inherit the OOM killer protection.
249.Pp
250This variable has no effect on services running within a
251.Xr jail 8 .
252.It Ao Ar name Ac Ns Va _setup
253.Pq Vt str
254Run the specified setup script right before starting the actual service
255command.
256Useful for automatic configuration file generation.
257.It Ao Ar name Ac Ns Va _umask
258.Pq Vt int
259Run the service using this
260.Xr umask 1
261value.
262.It Ao Ar name Ac Ns Va _user
263.Pq Vt str
264Run the service under this user account.
265.It Ao Ar name Ac Ns Va _svcj
266.Pq Vt bool
267If set to
268.Dq Li YES ,
269auto-jail the service with inherited filesystem and other
270jail properties depending on
271.Ao Ar name Ac Ns Va _svcj_options .
272.It Ao Ar name Ac Ns Va _svcj_options
273.Pq Vt str
274A list of jail properties for the service.
275See
276.Sx SERVICE JAILS
277for a list of valid properties.
278.It Va apm_enable
279.Pq Vt bool
280If set to
281.Dq Li YES ,
282enable support for Automatic Power Management with
283the
284.Xr apm 8
285command.
286.It Va apmd_enable
287.Pq Vt bool
288Run
289.Xr apmd 8
290to handle APM event from userland.
291This also enables support for APM.
292.It Va apmd_flags
293.Pq Vt str
294If
295.Va apmd_enable
296is set to
297.Dq Li YES ,
298these are the flags to pass to the
299.Xr apmd 8
300daemon.
301.It Va devd_enable
302.Pq Vt bool
303Run
304.Xr devd 8
305to handle device added, removed or unknown events from the kernel.
306.It Va ddb_enable
307.Pq Vt bool
308Run
309.Xr ddb 8
310to install
311.Xr ddb 4
312scripts at boot time.
313.It Va ddb_config
314.Pq Vt str
315Configuration file for
316.Xr ddb 8 .
317Default
318.Pa /etc/ddb.conf .
319.It Va devmatch_enable
320.Pq Vt bool
321If set to
322.Dq Li NO ,
323disable auto-loading of kernel modules with
324.Xr devmatch 8 .
325.It Va devmatch_blocklist
326.Pq Vt str
327A whitespace-separated list of kernel modules to be ignored by
328.Xr devmatch 8 .
329In addition, the
330.Xr kenv 1
331.Va devmatch_blocklist
332is appended to this variable to allow disabling of
333.Xr devmatch 8
334loaded modules from the boot loader.
335.It Va devmatch_blacklist
336.Pq Vt str
337This variable is deprecated.
338Use
339.Va devmatch_blocklist
340instead.
341A whitespace-separated list of kernel modules to be ignored by
342.Xr devmatch 8 .
343.It Va kld_list
344.Pq Vt str
345A whitespace-separated list of kernel modules to load right after
346the local disks are mounted, without any
347.Pa .ko
348extension or path.
349.It Va kldxref_enable
350.Pq Vt bool
351Set to
352.Dq Li NO
353by default.
354Set to
355.Dq Li YES
356to automatically rebuild
357.Pa linker.hints
358files with
359.Xr kldxref 8
360at boot time.
361.It Va kldxref_clobber
362.Pq Vt bool
363Set to
364.Dq Li NO
365by default.
366If
367.Va kldxref_enable
368is true,
369setting to
370.Dq Li YES
371will overwrite existing
372.Pa linker.hints
373files at boot time.
374Otherwise,
375only missing
376.Pa linker.hints
377files are generated.
378.It Va kldxref_module_path
379.Pq Vt str
380Empty by default.
381A semi-colon
382.Pq Ql \&;
383delimited list of paths containing
384.Xr kld 4
385modules.
386If empty,
387the contents of the
388.Va kern.module_path
389.Xr sysctl 8
390are used.
391.It Va powerd_enable
392.Pq Vt bool
393If set to
394.Dq Li YES ,
395enable the system power control facility with the
396.Xr powerd 8
397daemon.
398.It Va powerd_flags
399.Pq Vt str
400If
401.Va powerd_enable
402is set to
403.Dq Li YES ,
404these are the flags to pass to the
405.Xr powerd 8
406daemon.
407.It Va svcj_all_enable
408Enable auto-jailing of all services which are not explicitly
409excluded.
410See
411.Sx SERVICE JAILS
412for more info.
413.It Va tmpmfs
414Controls the creation of a
415.Pa /tmp
416memory file system.
417Always happens if set to
418.Dq Li YES
419and never happens if set to
420.Dq Li NO .
421If set to anything else, a memory file system is created if
422.Pa /tmp
423is not writable.
424.It Va tmpsize
425Controls the size of a created
426.Pa /tmp
427memory file system.
428.It Va tmpmfs_flags
429Extra options passed to the
430.Xr mdmfs 8
431utility when the memory file system for
432.Pa /tmp
433is created.
434The default is
435.Dq Li "-S" ,
436which inhibits the use of softupdates on
437.Pa /tmp
438so that file system space is freed without delay
439after file truncation or deletion.
440See
441.Xr mdmfs 8
442for other options you can use in
443.Va tmpmfs_flags .
444.It Va varmfs
445Controls the creation of a
446.Pa /var
447memory file system.
448Always happens if set to
449.Dq Li YES
450and never happens if set to
451.Dq Li NO .
452If set to anything else, a memory file system is created if
453.Pa /var
454is not writable.
455.It Va varsize
456Controls the size of a created
457.Pa /var
458memory file system.
459.It Va varmfs_flags
460Extra options passed to the
461.Xr mdmfs 8
462utility when the memory file system for
463.Pa /var
464is created.
465The default is
466.Dq Li "-S" ,
467which inhibits the use of softupdates on
468.Pa /var
469so that file system space is freed without delay
470after file truncation or deletion.
471See
472.Xr mdmfs 8
473for other options you can use in
474.Va varmfs_flags .
475.It Va populate_var
476Controls the automatic population of the
477.Pa /var
478file system.
479Always happens if set to
480.Dq Li YES
481and never happens if set to
482.Dq Li NO .
483If set to anything else, a memory file system is created if
484.Pa /var
485is not writable.
486Note that this process requires access to certain commands in
487.Pa /usr
488before
489.Pa /usr
490is mounted on normal systems.
491.It Va cleanvar_enable
492.Pq Vt bool
493Clean the
494.Pa /var
495directory.
496.It Va var_run_enable
497.Pq Vt bool
498Set to "YES" to enable saving of the
499.Pa /var/run
500directory structure into an mtree file at shutdown and the reload of the
501.Pa /var/run
502directory structure at boot.
503.It Va var_run_autosave
504.Pq Vt bool
505In some cases it may be undesirable to save
506.Pa /var/run
507at shutdown.
508When set to "NO"
509.Pa /var/run
510is loaded at reboot but not saved at shutdown.
511Typically in this scenario
512.Ql service var_run save
513would be performed to save a copy of the
514.Pa /var/run
515directory structure once, to be reloaded during all subsequent reboots.
516.It Va var_run_mtree
517.Pq Vt str
518Where to save the
519.Pa /var/run
520mtree.
521The default location is
522.Pa /var/db/mtree/BSD.var-run.mtree .
523.It Va local_startup
524.Pq Vt str
525List of directories to search for startup script files.
526.It Va script_name_sep
527.Pq Vt str
528The field separator to use for breaking down the list of startup script files
529into individual filenames.
530The default is a space.
531It is not necessary to change this unless there are startup scripts with names
532containing spaces.
533.It Va hostapd_enable
534.Pq Vt bool
535Set to
536.Dq Li YES
537to start
538.Xr hostapd 8
539at system boot time.
540.It Va hostname
541.Pq Vt str
542The fully qualified domain name (FQDN) of this host on the network.
543This should almost certainly be set to something meaningful, even if
544there is no network connection.
545If
546.Xr dhclient 8
547is used to set the hostname via DHCP,
548this variable should be set to an empty string.
549Within a
550.Xr jail 8
551the hostname is generally already set and this variable may be absent.
552If this value remains unset when the system is done booting
553your console login will display the default hostname of
554.Dq Amnesiac .
555.It Va nisdomainname
556.Pq Vt str
557The NIS domain name of this host, or
558.Dq Li NO
559if NIS is not used.
560.It Va hostid_enable
561.Pq Vt bool
562If set to
563.Dq Li NO ,
564disable the generation or saving of the
565.Pa hostid
566and
567.Pa machine-id
568files at system boot and shutdown.
569.It Va hostid_file
570.Pq Vt str
571Path to the
572.Pa hostid
573file, default
574.Pa /etc/hostid .
575.It Va hostid_uuidgen_flags
576.Pq Vt str
577Flags passed to
578.Xr uuidgen 1
579when generating a software host UUID.
580This is used only if the system cannot determine a hardware UUID.
581Set to
582.Dq Li -r
583by default.
584.It Va machine_id_file
585.Pq Vt str
586Path to the
587.Pa machine-id
588file, default
589.Pa /etc/machine-id .
590.It Va dhclient_program
591.Pq Vt str
592Path to the DHCP client program, defaulting to
593.Pa /sbin/dhclient .
594.It Va dhclient_flags
595.Pq Vt str
596Additional flags to pass to the DHCP client program.
597See the
598.Xr dhclient 8
599manpage for a description of the command line options available.
600.It Va dhclient_flags_ Ns Aq Ar iface
601Additional flags to pass to the DHCP client program running on
602.Ar iface
603only.
604When specified, this variable overrides
605.Va dhclient_flags .
606.It Va background_dhclient
607.Pq Vt bool
608Set to
609.Dq Li YES
610to start the DHCP client in background.
611This can cause trouble with applications depending on
612a working network, but it will provide a faster startup
613in many cases.
614.It Va background_dhclient_ Ns Aq Ar iface
615When specified, this variable overrides the
616.Va background_dhclient
617variable for interface
618.Ar iface
619only.
620.It Va dhclient_arpwait
621.Pq Vt bool
622Set to
623.Dq Li NO
624to stop
625.Xr dhclient 8
626from waiting for ARP resolution, to make the system boot faster.
627This may be done on networks where the DHCP server is certain to
628know whether an address is available.
629.It Va synchronous_dhclient
630.Pq Vt bool
631Set to
632.Dq Li YES
633to start
634.Xr dhclient 8
635synchronously at startup.
636This behavior can be overridden on a per-interface basis by replacing
637the
638.Dq Li DHCP
639keyword in the
640.Va ifconfig_ Ns Aq Ar interface
641variable with
642.Dq Li SYNCDHCP
643or
644.Dq Li NOSYNCDHCP .
645.It Va defaultroute_delay
646.Pq Vt int
647When set to a positive value, wait up to this long after configuring
648DHCP interfaces at startup to give the interfaces time to receive a lease.
649.It Va firewall_enable
650.Pq Vt bool
651Set to
652.Dq Li YES
653to load firewall rules at startup.
654If the kernel was not built with
655.Cd "options IPFIREWALL" ,
656the
657.Pa ipfw.ko
658kernel module will be loaded.
659See also
660.Va ipfilter_enable .
661.It Va firewall_script
662.Pq Vt str
663This variable specifies the full path to the firewall script to run.
664The default is
665.Pa /etc/rc.firewall .
666.It Va firewall_type
667.Pq Vt str
668Names the firewall type from the selection in
669.Pa /etc/rc.firewall ,
670or the file which contains the local firewall ruleset.
671Valid selections from
672.Pa /etc/rc.firewall
673are:
674.Pp
675.Bl -tag -width ".Li workstation" -compact
676.It Li open
677unrestricted IP access
678.It Li closed
679all IP services disabled, except via
680.Dq Li lo0
681.It Li client
682basic protection for a workstation
683.It Li workstation
684basic protection for a workstation using stateful firewalling
685.It Li simple
686basic protection for a LAN.
687.El
688.Pp
689If a filename is specified, the full path
690must be given.
691.Pp
692Most of the predefined rulesets define additional configuration variables.
693These are documented in
694.Pa /etc/rc.firewall .
695.It Va firewall_quiet
696.Pq Vt bool
697Set to
698.Dq Li YES
699to disable the display of firewall rules on the console during boot.
700.It Va firewall_logging
701.Pq Vt bool
702Set to
703.Dq Li YES
704to enable firewall event logging.
705This is equivalent to the
706.Dv IPFIREWALL_VERBOSE
707kernel option.
708.It Va firewall_logif
709.Pq Vt bool
710Set to
711.Dq Li YES
712to create pseudo interface
713.Li ipfw0
714for logging.
715For more details, see
716.Xr ipfw 8
717manual page.
718.It Va firewall_flags
719.Pq Vt str
720Flags passed to
721.Xr ipfw 8
722if
723.Va firewall_type
724specifies a filename.
725.It Va firewall_coscripts
726.Pq Vt str
727List of executables and/or rc scripts to run after firewall starts/stops.
728Default is empty.
729.\" ----- firewall_nat_enable setting --------------------------------
730.It Va firewall_nat_enable
731.Pq Vt bool
732The
733.Xr ipfw 8
734equivalent of
735.Va natd_enable .
736Setting this to
737.Dq Li YES
738will automatically load the
739.Xr ipfw 8
740NAT kernel module if
741.Va firewall_enable
742is also set to
743.Dq Li YES .
744.It Va firewall_nat_interface
745.Pq Vt str
746The
747.Xr ipfw 8
748equivalent of
749.Va natd_interface .
750This is the name of the public interface or IP address on which
751kernel NAT should run.
752.It Va firewall_nat_flags
753.Pq Vt str
754Additional configuration parameters for kernel NAT should be placed here.
755.It Va firewall_nat64_enable
756.Pq Vt bool
757Setting this to
758.Dq Li YES
759will automatically load the
760.Xr ipfw 8
761NAT64 kernel module if
762.Va firewall_enable
763is also set to
764.Dq Li YES .
765.It Va firewall_nptv6_enable
766.Pq Vt bool
767Setting this to
768.Dq Li YES
769will automatically load the
770.Xr ipfw 8
771NPTv6 kernel module if
772.Va firewall_enable
773is also set to
774.Dq Li YES .
775.It Va firewall_pmod_enable
776.Pq Vt bool
777Setting this to
778.Dq Li YES
779will automatically load the
780.Xr ipfw 8
781pmod kernel module if
782.Va firewall_enable
783is also set to
784.Dq Li YES .
785.It Va dummynet_enable
786.Pq Vt bool
787Setting this to
788.Dq Li YES
789will automatically load the
790.Xr dummynet 4
791module if
792.Va firewall_enable
793is also set to
794.Dq Li YES .
795.\" -------------------------------------------------------------------
796.It Va ipfw_netflow_enable
797.Pq Vt bool
798Setting this to
799.Dq Li YES
800will enable netflow logging via
801.Xr ng_netflow 4 .
802.Pp
803By default a ipfw rule is inserted and all packets are duplicated with
804the ngtee command and netflow packets are sent to 127.0.0.1 on the netflow
805port using protocol version 5.
806.It Va ipfw_netflow_hook
807.Pq Vt int
808netflow hook name, must be numerical
809(default
810.Pa 9995 ) .
811.It Va ipfw_netflow_rule
812.Pq Vt int
813ipfw rule number
814(default
815.Pa 1000 ) .
816.It Va ipfw_netflow_ip
817.Pq Vt str
818Destination server ip for receiving netflow data
819(default
820.Pa 127.0.0.1 ) .
821.It Va ipfw_netflow_port
822.Pq Vt int
823Destination server port for receiving netflow data
824(default
825.Pa 9995 ) .
826.It Va ipfw_netflow_version
827.Pq Vt int
828Do not set for using version 5 of the netflow protocol, set it to 9 for using
829version 9.
830.It Va ipfw_netflow_fib
831.Pq Vt int
832Only match packet in FIB
833.Pa ipfw_netflow_fib
834(default is undefined meaning all FIBs).
835.It Va natd_program
836.Pq Vt str
837Path to
838.Xr natd 8 .
839.It Va natd_enable
840.Pq Vt bool
841Set to
842.Dq Li YES
843to enable
844.Xr natd 8 .
845.Va firewall_enable
846must also be set to
847.Dq Li YES ,
848and
849.Xr divert 4
850sockets must be enabled in the kernel.
851If the kernel was not built with
852.Cd "options IPDIVERT" ,
853the
854.Pa ipdivert.ko
855kernel module will be loaded.
856.It Va natd_interface
857.Pq Vt str
858This is the name of the public interface on which
859.Xr natd 8
860should run.
861The interface may be given as an interface name or as an IP address.
862.It Va natd_flags
863.Pq Vt str
864Additional
865.Xr natd 8
866flags should be placed here.
867The
868.Fl n
869or
870.Fl a
871flag is automatically added with the above
872.Va natd_interface
873as an argument.
874.\" ----- ipfilter_enable setting --------------------------------
875.It Va ipfilter_enable
876.Pq Vt bool
877Set to
878.Dq Li NO
879by default.
880Setting this to
881.Dq Li YES
882enables
883.Xr ipf 8
884packet filtering.
885.Pp
886Typical usage will require putting
887.Bd -literal
888ipfilter_enable="YES"
889ipnat_enable="YES"
890ipmon_enable="YES"
891ipfs_enable="YES"
892.Ed
893.Pp
894into
895.Pa /etc/rc.conf
896and editing
897.Pa /etc/ipf.rules
898and
899.Pa /etc/ipnat.rules
900appropriately.
901.Pp
902Note that
903.Va ipfilter_enable
904and
905.Va ipnat_enable
906can be enabled independently.
907.Va ipmon_enable
908and
909.Va ipfs_enable
910both require at least one of
911.Va ipfilter_enable
912and
913.Va ipnat_enable
914to be enabled.
915.Pp
916Having
917.Bd -literal
918options IPFILTER
919options IPFILTER_LOG
920options IPFILTER_DEFAULT_BLOCK
921.Ed
922.Pp
923in the kernel configuration file is a good idea, too.
924.\" ----- ipfilter_program setting ------------------------------
925.It Va ipfilter_program
926.Pq Vt str
927Path to
928.Xr ipf 8
929(default
930.Pa /sbin/ipf ) .
931.\" ----- ipfilter_rules setting --------------------------------
932.It Va ipfilter_rules
933.Pq Vt str
934Set to
935.Pa /etc/ipf.rules
936by default.
937This variable contains the name of the filter rule definition file.
938The file is expected to be readable for the
939.Xr ipf 8
940command to execute.
941.\" ----- ipfilter_flags setting --------------------------------
942.It Va ipfilter_flags
943.Pq Vt str
944Empty by default.
945This variable contains flags passed to the
946.Xr ipf 8
947program.
948.\" ----- ipnat_enable setting ----------------------------------
949.It Va ipnat_enable
950.Pq Vt bool
951Set to
952.Dq Li NO
953by default.
954Set it to
955.Dq Li YES
956to enable
957.Xr ipnat 8
958network address translation.
959See
960.Va ipfilter_enable
961for a detailed discussion.
962.\" ----- ipnat_program setting ---------------------------------
963.It Va ipnat_program
964.Pq Vt str
965Path to
966.Xr ipnat 8
967(default
968.Pa /sbin/ipnat ) .
969.\" ----- ipnat_rules setting -----------------------------------
970.It Va ipnat_rules
971.Pq Vt str
972Set to
973.Pa /etc/ipnat.rules
974by default.
975This variable contains the name of the file
976holding the network address translation definition.
977This file is expected to be readable for the
978.Xr ipnat 8
979command to execute.
980.\" ----- ipnat_flags setting -----------------------------------
981.It Va ipnat_flags
982.Pq Vt str
983Empty by default.
984This variable contains flags passed to the
985.Xr ipnat 8
986program.
987.\" ----- ipmon_enable setting ----------------------------------
988.It Va ipmon_enable
989.Pq Vt bool
990Set to
991.Dq Li NO
992by default.
993Set it to
994.Dq Li YES
995to enable
996.Xr ipmon 8
997monitoring (logging
998.Xr ipf 8
999and
1000.Xr ipnat 8
1001events).
1002Setting this variable needs setting
1003.Va ipfilter_enable
1004or
1005.Va ipnat_enable
1006too.
1007See
1008.Va ipfilter_enable
1009for a detailed discussion.
1010.\" ----- ipmon_program setting ---------------------------------
1011.It Va ipmon_program
1012.Pq Vt str
1013Path to
1014.Xr ipmon 8
1015(default
1016.Pa /sbin/ipmon ) .
1017.\" ----- ipmon_flags setting -----------------------------------
1018.It Va ipmon_flags
1019.Pq Vt str
1020Set to
1021.Dq Li -Ds
1022by default.
1023This variable contains flags passed to the
1024.Xr ipmon 8
1025program.
1026Another typical example would be
1027.Dq Fl D Pa /var/log/ipflog
1028to have
1029.Xr ipmon 8
1030log directly to a file bypassing
1031.Xr syslogd 8 .
1032Make sure to adjust
1033.Pa /etc/newsyslog.conf
1034in such case like this:
1035.Bd -literal
1036/var/log/ipflog  640  10  100  *  Z  /var/run/ipmon.pid
1037.Ed
1038.\" ----- ipfs_enable setting -----------------------------------
1039.It Va ipfs_enable
1040.Pq Vt bool
1041Set to
1042.Dq Li NO
1043by default.
1044Set it to
1045.Dq Li YES
1046to enable
1047.Xr ipfs 8
1048saving the filter and NAT state tables during shutdown
1049and reloading them during startup again.
1050Setting this variable needs setting
1051.Va ipfilter_enable
1052or
1053.Va ipnat_enable
1054to
1055.Dq Li YES
1056too.
1057See
1058.Va ipfilter_enable
1059for a detailed discussion.
1060Note that if
1061.Va kern_securelevel
1062is set to 3,
1063.Va ipfs_enable
1064cannot be used
1065because the raised securelevel will prevent
1066.Xr ipfs 8
1067from saving the state tables at shutdown time.
1068.\" ----- ipfs_program setting ----------------------------------
1069.It Va ipfs_program
1070.Pq Vt str
1071Path to
1072.Xr ipfs 8
1073(default
1074.Pa /sbin/ipfs ) .
1075.\" ----- ipfs_flags setting ------------------------------------
1076.It Va ipfs_flags
1077.Pq Vt str
1078Empty by default.
1079This variable contains flags passed to the
1080.Xr ipfs 8
1081program.
1082.\" ----- end of added ipf hook ---------------------------------
1083.It Va pf_enable
1084.Pq Vt bool
1085Set to
1086.Dq Li NO
1087by default.
1088Setting this to
1089.Dq Li YES
1090enables
1091.Xr pf 4
1092packet filtering.
1093.Pp
1094Typical usage will require putting
1095.Pp
1096.Dl pf_enable="YES"
1097.Pp
1098into
1099.Pa /etc/rc.conf
1100and editing
1101.Pa /etc/pf.conf
1102appropriately.
1103Adding
1104.Pp
1105.Dl "device pf"
1106.Pp
1107builds support for
1108.Xr pf 4
1109into the kernel, otherwise the
1110kernel module will be loaded.
1111.It Va pf_rules
1112.Pq Vt str
1113Path to
1114.Xr pf 4
1115ruleset configuration file
1116(default
1117.Pa /etc/pf.conf ) .
1118.It Va pf_program
1119.Pq Vt str
1120Path to
1121.Xr pfctl 8
1122(default
1123.Pa /sbin/pfctl ) .
1124.It Va pf_flags
1125.Pq Vt str
1126If
1127.Va pf_enable
1128is set to
1129.Dq Li YES ,
1130these flags are passed to the
1131.Xr pfctl 8
1132program when loading the ruleset.
1133.It Va pf_fallback_rules_enable
1134.Pq Vt bool
1135Set to
1136.Dq Li NO
1137by default.
1138Setting this to
1139.Dq Li YES
1140enables loading
1141.Va pf_fallback_rules_file
1142or
1143.Va pf_fallback_rules
1144in case of a problem when loading the ruleset in
1145.Va pf_rules .
1146.It Va pf_fallback_rules_file
1147.Pq Vt str
1148Path to a pf ruleset to load in case of failure when loading the
1149ruleset in
1150.Va pf_rules
1151(default
1152.Pa /etc/pf-fallback.conf ) .
1153.It Va pf_fallback_rules
1154.Pq Vt str
1155A pf ruleset to load in case of failure when loading the ruleset in
1156.Va pf_rules
1157and
1158.Va pf_fallback_rules_file
1159is not found.
1160Multiple rules can be set as follows:
1161.Bd -literal
1162pf_fallback_rules="\\
1163	block drop log all\\
1164	pass in quick on em0"
1165.Pp
1166.Ed
1167The default fallback rule is
1168.Dq block drop log all
1169.It Va pflog_enable
1170.Pq Vt bool
1171Set to
1172.Dq Li NO
1173by default.
1174Setting this to
1175.Dq Li YES
1176enables
1177.Xr pflogd 8
1178which logs packets from the
1179.Xr pf 4
1180packet filter.
1181.It Va pflog_logfile
1182.Pq Vt str
1183If
1184.Va pflog_enable
1185is set to
1186.Dq Li YES
1187this controls where
1188.Xr pflogd 8
1189stores the logfile
1190(default
1191.Pa /var/log/pflog ) .
1192Check
1193.Pa /etc/newsyslog.conf
1194to adjust logfile rotation for this.
1195.It Va pflog_program
1196.Pq Vt str
1197Path to
1198.Xr pflogd 8
1199(default
1200.Pa /sbin/pflogd ) .
1201.It Va pflog_flags
1202.Pq Vt str
1203Empty by default.
1204This variable contains additional flags passed to the
1205.Xr pflogd 8
1206program.
1207.It Va pflog_instances
1208.Pq Vt str
1209If logging to more than one
1210.Xr pflog 4
1211interface is desired,
1212.Va pflog_instances
1213is set to the list of
1214.Xr pflogd 8
1215instances that should be started at system boot time.
1216If
1217.Va pflog_instances
1218is set, for each whitespace-separated
1219.Ar element
1220in the list,
1221.Ao Ar element Ac Ns Va _dev
1222and
1223.Ao Ar element Ac Ns Va _logfile
1224elements are assumed to exist.
1225.Ao Ar element Ac Ns Va _dev
1226must contain the
1227.Xr pflog 4
1228interface to be watched by the named
1229.Xr pflogd 8
1230instance.
1231.Ao Ar element Ac Ns Va _logfile
1232must contain the name of the logfile that will be used by the
1233.Xr pflogd 8
1234instance.
1235.It Va ftpproxy_enable
1236.Pq Vt bool
1237Set to
1238.Dq Li NO
1239by default.
1240Setting this to
1241.Dq Li YES
1242enables
1243.Xr ftp-proxy 8
1244which supports the
1245.Xr pf 4
1246packet filter in translating ftp connections.
1247.It Va ftpproxy_flags
1248.Pq Vt str
1249Empty by default.
1250This variable contains additional flags passed to the
1251.Xr ftp-proxy 8
1252program.
1253.It Va ftpproxy_instances
1254.Pq Vt str
1255Empty by default.
1256If multiple instances of
1257.Xr ftp-proxy 8
1258are desired at boot time,
1259.Va ftpproxy_instances
1260should contain a whitespace-separated list of instance names.
1261For each
1262.Ar element
1263in the list, a variable named
1264.Ao Ar element Ac Ns Va _flags
1265should be defined, containing the command-line flags to be passed to the
1266.Xr ftp-proxy 8
1267instance.
1268.It Va pfsync_enable
1269.Pq Vt bool
1270Set to
1271.Dq Li NO
1272by default.
1273Setting this to
1274.Dq Li YES
1275enables exposing
1276.Xr pf 4
1277state changes to other hosts over the network by means of
1278.Xr pfsync 4 .
1279The
1280.Va pfsync_syncdev
1281variable
1282must also be set then.
1283.It Va pfsync_syncdev
1284.Pq Vt str
1285Empty by default.
1286This variable specifies the name of the network interface
1287.Xr pfsync 4
1288should operate through.
1289It must be set accordingly if
1290.Va pfsync_enable
1291is set to
1292.Dq Li YES .
1293.It Va pfsync_syncpeer
1294.Pq Vt str
1295Empty by default.
1296This variable is optional.
1297By default, state change messages are sent out on the synchronisation
1298interface using IP multicast packets.
1299The protocol is IP protocol 240, PFSYNC, and the multicast group used is
1300224.0.0.240.
1301When a peer address is specified using the
1302.Va pfsync_syncpeer
1303option, the peer address is used as a destination for the pfsync
1304traffic, and the traffic can then be protected using
1305.Xr ipsec 4 .
1306See the
1307.Xr pfsync 4
1308manpage for more details about using
1309.Xr ipsec 4
1310with
1311.Xr pfsync 4
1312interfaces.
1313.It Va pfsync_ifconfig
1314.Pq Vt str
1315Empty by default.
1316This variable can contain additional options to be passed to the
1317.Xr ifconfig 8
1318command used to set up
1319.Xr pfsync 4 .
1320.It Va tcp_extensions
1321.Pq Vt bool
1322Set to
1323.Dq Li YES
1324by default.
1325Setting this to
1326.Dq Li NO
1327disables certain TCP options as described by
1328.Rs
1329.%T "RFC 1323"
1330.Re
1331Setting this to
1332.Dq Li NO
1333might help remedy such problems with connections as randomly hanging
1334or other weird behavior.
1335Some network devices are known
1336to be broken with respect to these options.
1337.It Va log_in_vain
1338.Pq Vt int
1339Set to 0 by default.
1340The
1341.Xr sysctl 8
1342variables,
1343.Va net.inet.tcp.log_in_vain
1344and
1345.Va net.inet.udp.log_in_vain ,
1346as described in
1347.Xr tcp 4
1348and
1349.Xr udp 4 ,
1350are set to the given value.
1351.It Va tcp_keepalive
1352.Pq Vt bool
1353Set to
1354.Dq Li YES
1355by default.
1356Setting to
1357.Dq Li NO
1358will disable probing idle TCP connections to verify that the
1359peer is still up and reachable.
1360.It Va tcp_drop_synfin
1361.Pq Vt bool
1362Set to
1363.Dq Li NO
1364by default.
1365Setting to
1366.Dq Li YES
1367will cause the kernel to ignore TCP frames that have both
1368the SYN and FIN flags set.
1369This prevents OS fingerprinting, but may
1370break some legitimate applications.
1371.It Va icmp_drop_redirect
1372.Pq Vt bool
1373Set to
1374.Dq Li AUTO
1375by default.
1376This setting will be identical to
1377.Dq Li YES ,
1378if a dynamic routing daemon is enabled, because redirect processing may
1379cause performance issues for large routing tables.
1380If no such service is enabled, this setting behaves like a
1381.Dq Li NO .
1382Setting to
1383.Dq Li YES
1384will cause the kernel to ignore ICMP REDIRECT packets.
1385Setting to
1386.Dq Li NO
1387will cause the kernel to process ICMP REDIRECT packets.
1388Refer to
1389.Xr icmp 4
1390for more information.
1391.It Va icmp_log_redirect
1392.Pq Vt bool
1393Set to
1394.Dq Li NO
1395by default.
1396Setting to
1397.Dq Li YES
1398will cause the kernel to log ICMP REDIRECT packets.
1399Note that
1400the log messages are not rate-limited, so this option should only be used
1401for troubleshooting networks.
1402Refer to
1403.Xr icmp 4
1404for more information.
1405.It Va icmp_bmcastecho
1406.Pq Vt bool
1407Set to
1408.Dq Li YES
1409to respond to broadcast or multicast ICMP ping packets.
1410Refer to
1411.Xr icmp 4
1412for more information.
1413.It Va ip_portrange_first
1414.Pq Vt int
1415If not set to
1416.Dq Li NO ,
1417this is the first port in the default portrange.
1418Refer to
1419.Xr ip 4
1420for more information.
1421.It Va ip_portrange_last
1422.Pq Vt int
1423If not set to
1424.Dq Li NO ,
1425this is the last port in the default portrange.
1426Refer to
1427.Xr ip 4
1428for more information.
1429.It Va network_interfaces
1430.Pq Vt str
1431Set to the list of network interfaces to configure on this host or
1432.Dq Li AUTO
1433(the default) for all current interfaces.
1434Setting the
1435.Va network_interfaces
1436variable to anything other than the default is deprecated.
1437Interfaces that the administrator wishes to store configuration for,
1438but not start at boot should be configured with the
1439.Dq Li NOAUTO
1440keyword in their
1441.Va ifconfig_ Ns Aq Ar interface
1442variables as described below.
1443.Pp
1444An
1445.Va ifconfig_ Ns Aq Ar interface
1446variable is assumed to exist for each value of
1447.Ar interface .
1448When an interface name contains any of the characters
1449.Dq Li .-/+
1450they are translated to
1451.Dq Li _
1452before lookup.
1453For example, the interface
1454.Va em0.102
1455would be configured using the variable
1456.Va ifconfig_em0_102 .
1457.Pp
1458The variable can contain arguments to
1459.Xr ifconfig 8 ,
1460as well as special case-insensitive keywords described below.
1461Such keywords are removed before passing the value to
1462.Xr ifconfig 8
1463while the order of the other arguments is preserved.
1464.Pp
1465For example, to assign the IPv4 address 192.0.2.1/24 to the interface em0:
1466.Bd -literal
1467ifconfig_em0="inet 192.0.2.1/24 up"
1468.Ed
1469.Pp
1470If the variable
1471.Va ifconfig_ Ns Ao Ar interface Ac Ns Pa _ipv6
1472is set, then
1473.Va ifconfig_ Ns Aq Ar interface
1474does not need to be set unless an IPv4 address should also be assigned to
1475the interface.
1476.Pp
1477It is possible to add IP alias entries using
1478.Xr ifconfig 8
1479syntax with the address family keyword such as
1480.Li inet .
1481Assuming that the interface in question was
1482.Li em0 ,
1483it might look something like this:
1484.Bd -literal
1485ifconfig_em0_alias0="inet 127.0.0.253/32"
1486ifconfig_em0_alias1="inet 127.0.0.254/32"
1487.Ed
1488.Pp
1489It also possible to configure multiple IP addresses in Classless
1490Inter-Domain Routing
1491.Pq CIDR
1492address notation,
1493whose each address component can be a range like
1494.Li inet 192.0.2.5-23/24
1495or
1496.Li inet6 2001:db8:1-f::1/64 .
1497This notation allows address and prefix length part only,
1498not the other address modifiers.
1499Note that the maximum number of the generated addresses from a range
1500specification is limited to an integer value specified in
1501.Va netif_ipexpand_max
1502in
1503.Nm
1504because a small typo can unexpectedly generate a large number of addresses.
1505The default value is
1506.Li 2048 .
1507It can be increased by adding the following line into
1508.Nm :
1509.Bd -literal
1510netif_ipexpand_max="4096"
1511.Ed
1512.Pp
1513In the case of
1514.Li 192.0.2.5-23/24 ,
1515the address 192.0.2.5 will be configured with the prefix length /24 and the
1516addresses 192.0.2.6 to 192.0.2.23 with the non-conflicting prefix length /32 as
1517explained in the
1518.Xr ifconfig 8
1519alias section.
1520Note that this special CIDR handling is only for
1521.Li inet ,
1522not for the other address families such as
1523.Li inet6 .
1524.Pp
1525With the interface in question being
1526.Li em0 ,
1527an example could look like:
1528.Bd -literal
1529ifconfig_em0_alias2="inet 192.0.2.129/27"
1530ifconfig_em0_alias3="inet 192.0.2.1-5/28"
1531.Ed
1532.Pp
1533and so on.
1534.Pp
1535Note that deprecated
1536.Va ipv4_addrs_ Ns Aq Ar interface
1537variable was supported for IPv4 CIDR address notation.
1538The
1539.Va ifconfig_ Ns Ao Ar interface Ac Ns Va _alias Ns Aq Ar n
1540variable replaces it, though
1541.Va ipv4_addrs_ Ns Aq Ar interface
1542is still supported for backward compatibility.
1543.Pp
1544For each
1545.Va ifconfig_ Ns Ao Ar interface Ac Ns Va _alias Ns Aq Ar n
1546entry with an address family keyword,
1547its contents are passed to
1548.Xr ifconfig 8 .
1549Execution stops at the first unsuccessful access, so if
1550something like this is present:
1551.Bd -literal
1552ifconfig_em0_alias0="inet 127.0.0.251/32"
1553ifconfig_em0_alias1="inet 127.0.0.252/32"
1554ifconfig_em0_alias2="inet 127.0.0.253/32"
1555ifconfig_em0_alias4="inet 127.0.0.254/32"
1556.Ed
1557.Pp
1558Then note that alias4 would
1559.Em not
1560be added since the search would
1561stop with the missing
1562.Dq Li alias3
1563entry.
1564Because of this difficult to manage behavior,
1565there is
1566.Va ifconfig_ Ns Ao Ar interface Ac Ns Va _aliases
1567variable, which has the same functionality as
1568.Va ifconfig_ Ns Ao Ar interface Ac Ns Va _alias Ns Aq Ar n
1569and can have all of the entries in a variable like the following:
1570.Bd -literal
1571ifconfig_em0_aliases="\\
1572	inet 127.0.0.251/32 \\
1573	inet 127.0.0.252/32 \\
1574	inet 127.0.0.253/32 \\
1575	inet 127.0.0.254/32"
1576.Ed
1577.Pp
1578It also supports netmask notation for backward compatibility.
1579.Pp
1580If the
1581.Pa /etc/start_if . Ns Aq Ar interface
1582file is present, it is read and executed by the
1583.Xr sh 1
1584interpreter
1585before configuring the interface as specified in the
1586.Va ifconfig_ Ns Aq Ar interface
1587and
1588.Va ifconfig_ Ns Ao Ar interface Ac Ns Va _alias Ns Aq Ar n
1589variables.
1590.Pp
1591If a
1592.Va vlans_ Ns Aq Ar interface
1593variable is set,
1594a
1595.Xr vlan 4
1596interface will be created for each item in the list with the
1597.Ar vlandev
1598argument set to
1599.Ar interface .
1600If a vlan interface's name is a number,
1601then that number is used as the vlan tag and the new vlan interface is
1602named
1603.Ar interface . Ns Ar tag .
1604Otherwise,
1605the vlan tag must be specified via a
1606.Va vlan
1607parameter in the
1608.Va create_args_ Ns Aq Ar interface
1609variable.
1610.Pp
1611To create a vlan device named
1612.Li em0.101
1613on
1614.Li em0
1615with the vlan tag 101 and the optional IPv4 address 192.0.2.1/24:
1616.Bd -literal
1617vlans_em0="101"
1618ifconfig_em0_101="inet 192.0.2.1/24"
1619.Ed
1620.Pp
1621To create a vlan device named
1622.Li myvlan
1623on
1624.Li em0
1625with the vlan tag 102:
1626.Bd -literal
1627vlans_em0="myvlan"
1628create_args_myvlan="vlan 102"
1629.Ed
1630.Pp
1631If a
1632.Va wlans_ Ns Aq Ar interface
1633variable is set,
1634an
1635.Xr wlan 4
1636interface will be created for each item in the list with the
1637.Ar wlandev
1638argument set to
1639.Ar interface .
1640Further wlan cloning arguments may be passed to the
1641.Xr ifconfig 8
1642.Cm create
1643command by setting the
1644.Va create_args_ Ns Aq Ar interface
1645variable.
1646One or more
1647.Xr wlan 4
1648devices must be created for each wireless device as of
1649.Fx 8.0 .
1650Debugging flags for
1651.Xr wlan 4
1652devices as set by
1653.Xr wlandebug 8
1654may be specified with an
1655.Va wlandebug_ Ns Aq Ar interface
1656variable.
1657The contents of this variable will be passed directly to
1658.Xr wlandebug 8 .
1659.Pp
1660If the
1661.Va ifconfig_ Ns Aq Ar interface
1662contains the keyword
1663.Dq Li NOAUTO
1664then the interface will not be configured
1665at boot or by
1666.Pa /etc/pccard_ether
1667when
1668.Va network_interfaces
1669is set to
1670.Dq Li AUTO .
1671.Pp
1672It is possible to bring up an interface with DHCP by adding
1673.Dq Li DHCP
1674to the
1675.Va ifconfig_ Ns Aq Ar interface
1676variable.
1677For instance, to initialize the
1678.Li em0
1679device via DHCP,
1680it is possible to use something like:
1681.Bd -literal
1682ifconfig_em0="DHCP"
1683.Ed
1684.Pp
1685If you want to configure your wireless interface with
1686.Xr wpa_supplicant 8
1687for use with WPA, EAP/LEAP or WEP, you need to add
1688.Dq Li WPA
1689to the
1690.Va ifconfig_ Ns Aq Ar interface
1691variable.
1692.Pp
1693On the other hand, if you want to configure your wireless interface with
1694.Xr hostapd 8 ,
1695you need to add
1696.Dq Li HOSTAP
1697to the
1698.Va ifconfig_ Ns Aq Ar interface
1699variable.
1700.Xr hostapd 8
1701will use the settings from
1702.Pa /etc/hostapd- Ns Ao Ar interface Ac Ns .conf
1703.Pp
1704Finally, you can add
1705.Xr ifconfig 8
1706options in this variable, in addition to the
1707.Pa /etc/start_if . Ns Aq Ar interface
1708file.
1709For instance, to configure an
1710.Xr ath 4
1711wireless device in station mode with an address obtained
1712via DHCP, using WPA authentication and 802.11b mode, it is
1713possible to use something like:
1714.Bd -literal
1715wlans_ath0="wlan0"
1716ifconfig_wlan0="DHCP WPA mode 11b"
1717.Ed
1718.Pp
1719In addition to the
1720.Va ifconfig_ Ns Aq Ar interface
1721form, a fallback variable
1722.Va ifconfig_DEFAULT
1723may be configured.
1724It will be used for all interfaces with no
1725.Va ifconfig_ Ns Aq Ar interface
1726variable.
1727.Pp
1728It is also possible to rename an interface by doing:
1729.Bd -literal
1730ifconfig_em0_name="net0"
1731ifconfig_net0="inet 192.0.2.1/24"
1732.Ed
1733.It Va ipv6_enable
1734.Pq Vt bool
1735This variable is deprecated.
1736Use
1737.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
1738and
1739.Va ipv6_activate_all_interfaces
1740if necessary.
1741.Pp
1742If the variable is
1743.Dq Li YES ,
1744.Dq Li inet6 accept_rtadv
1745is added to all of
1746.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
1747and the
1748.Va ipv6_activate_all_interfaces
1749is defined as
1750.Dq Li YES .
1751.It Va ipv6_prefer
1752.Pq Vt bool
1753This variable is deprecated.
1754Use
1755.Va ip6addrctl_policy
1756instead.
1757.Pp
1758If the variable is
1759.Dq Li YES ,
1760the default address selection policy table set by
1761.Xr ip6addrctl 8
1762will be IPv6-preferred.
1763.Pp
1764If the variable is
1765.Dq Li NO ,
1766the default address selection policy table set by
1767.Xr ip6addrctl 8
1768will be IPv4-preferred.
1769.It Va ipv6_activate_all_interfaces
1770.Pq Vt bool
1771This controls initial configuration on IPv6-capable
1772interfaces with no corresponding
1773.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
1774variable.
1775Note that it is not always necessary to set this variable to
1776.Dq YES
1777to use IPv6 functionality on
1778.Fx .
1779In most cases, just configuring
1780.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
1781variables works.
1782.Pp
1783If the variable is
1784.Dq Li NO ,
1785all interfaces which do not have a corresponding
1786.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
1787variable will be marked as
1788.Dq Li IFDISABLED
1789at creation.
1790This means that all IPv6 functionality on that interface
1791is completely disabled to enforce a security policy.
1792If the variable is set to
1793.Dq YES ,
1794the flag will be cleared on all of the interfaces.
1795.Pp
1796In most cases, just defining an
1797.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
1798for an IPv6-capable interface should be sufficient.
1799However, if an interface is added dynamically
1800.Pq by some tunneling protocols such as PPP, for example ,
1801it is often difficult to define the variable in advance.
1802In such a case, configuring the
1803.Dq Li IFDISABLED
1804flag can be disabled by setting this variable to
1805.Dq YES .
1806.Pp
1807For more details of the
1808.Dq Li IFDISABLED
1809flag and keywords
1810.Dq Li inet6 ifdisabled ,
1811see
1812.Xr ifconfig 8 .
1813.Pp
1814Default is
1815.Dq Li NO .
1816.It Va ipv6_privacy
1817.Pq Vt bool
1818If the variable is
1819.Dq Li YES
1820privacy addresses will be generated for each IPv6
1821interface as described in RFC 4941.
1822.It Va ipv6_network_interfaces
1823.Pq Vt str
1824This is the IPv6 equivalent of
1825.Va network_interfaces .
1826Normally manual configuration of this variable is not needed.
1827.It Va ipv6_cpe_wanif
1828.Pq Vt str
1829If the variable is set to an interface name,
1830the
1831.Xr ifconfig 8
1832options
1833.Dq inet6 -no_radr accept_rtadv
1834will be added to the specified interface automatically before evaluating
1835.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6 ,
1836and two
1837.Xr sysctl 8
1838variables
1839.Va net.inet6.ip6.rfc6204w3
1840and
1841.Va net.inet6.ip6.no_radr
1842will be set to 1.
1843.Pp
1844This means the specified interface will accept ICMPv6 Router
1845Advertisement messages on that link and add the discovered
1846routers into the Default Router List.
1847While the other interfaces can still accept RA messages if the
1848.Dq inet6 accept_rtadv
1849option is specified, adding
1850routes into the Default Router List will be disabled by
1851.Dq inet6 no_radr
1852option by default.
1853See
1854.Xr ifconfig 8
1855for more details.
1856.Pp
1857Note that ICMPv6 Router Advertisement messages will be
1858accepted even when
1859.Va net.inet6.ip6.forwarding
1860is 1
1861.Pq packet forwarding is enabled
1862when
1863.Va net.inet6.ip6.rfc6204w3
1864is set to 1.
1865.Pp
1866Default is
1867.Dq Li NO .
1868.It Va ifconfig_ Ns Ao Ar interface Ac Ns _descr
1869.Pq Vt str
1870This assigns arbitrary description to an interface.
1871The
1872.Xr sysctl 8
1873variable
1874.Va net.ifdescr_maxlen
1875limits its length.
1876This static setting may be overridden by commands
1877started with dynamic interface configuration utilities
1878like
1879.Xr dhclient 8
1880hooks.
1881The description can be seen with
1882.Xr ifconfig 8
1883command and it may be exported with
1884.Xr bsnmpd 1
1885daemon using its MIB-2 module.
1886.It Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
1887.Pq Vt str
1888IPv6 functionality on an interface should be configured by
1889.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6 ,
1890instead of setting ifconfig parameters in
1891.Va ifconfig_ Ns Aq Ar interface .
1892If this variable is empty, all IPv6 configurations on the
1893specified interface by other variables such as
1894.Va ipv6_prefix_ Ns Ao Ar interface Ac
1895will be ignored.
1896.Pp
1897Aliases should be set by
1898.Va ifconfig_ Ns Ao Ar interface Ac Ns Va _alias Ns Aq Ar n
1899with
1900.Dq Li inet6
1901keyword.
1902For example:
1903.Bd -literal
1904ifconfig_em0_ipv6="inet6 2001:db8:1::1 prefixlen 64"
1905ifconfig_em0_alias0="inet6 2001:db8:2::1 prefixlen 64"
1906.Ed
1907.Pp
1908Interfaces that have an
1909.Dq Li inet6 accept_rtadv
1910keyword in
1911.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
1912setting will be automatically configured by SLAAC
1913.Pq StateLess Address AutoConfiguration
1914described in
1915.Rs
1916.%T "RFC 4862"
1917.Re
1918.Pp
1919Note that a link-local address will be automatically configured in
1920addition to the configured global-scope addresses because the IPv6
1921specifications require it on each link.
1922The address is calculated from the MAC address by using an algorithm
1923defined in
1924.Rs
1925.%T "RFC 4862"
1926.%O "Section 5.3"
1927.Re
1928.Pp
1929If only a link-local address is needed on the interface,
1930the following configuration can be used:
1931.Bd -literal
1932ifconfig_em0_ipv6="inet6 auto_linklocal"
1933.Ed
1934.Pp
1935A link-local address can also be configured manually.
1936This is useful for the default router address of an IPv6 router
1937so that it does not change when the network interface
1938card is replaced.
1939For example:
1940.Bd -literal
1941ifconfig_em0_ipv6="inet6 fe80::1 prefixlen 64"
1942.Ed
1943.It Va ipv6_prefix_ Ns Aq Ar interface
1944.Pq Vt str
1945If one or more prefixes are defined in
1946.Va ipv6_prefix_ Ns Aq Ar interface
1947addresses based on each prefix and the EUI-64 interface index will be
1948configured on that interface.
1949Note that this variable will be ignored when
1950.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
1951is empty.
1952.Pp
1953For example, the following configuration
1954.Bd -literal
1955ipv6_prefix_em0="2001:db8:1:0 2001:db8:2:0"
1956.Ed
1957.Pp
1958is equivalent to the following:
1959.Bd -literal
1960ifconfig_em0_alias0="inet6 2001:db8:1:: eui64 prefixlen 64"
1961ifconfig_em0_alias1="inet6 2001:db8:1:: prefixlen 64 anycast"
1962ifconfig_em0_alias2="inet6 2001:db8:2:: eui64 prefixlen 64"
1963ifconfig_em0_alias3="inet6 2001:db8:2:: prefixlen 64 anycast"
1964.Ed
1965.Pp
1966These Subnet-Router anycast addresses will be added only when
1967.Va ipv6_gateway_enable
1968is YES.
1969.It Va ipv6_default_interface
1970.Pq Vt str
1971If not set to
1972.Dq Li NO ,
1973this is the default output interface for scoped addresses.
1974This works only with ipv6_gateway_enable="NO".
1975.It Va ip6addrctl_enable
1976.Pq Vt bool
1977This variable is to enable configuring default address selection policy table
1978.Pq RFC 3484 .
1979The table can be specified in another variable
1980.Va ip6addrctl_policy .
1981For
1982.Va ip6addrctl_policy
1983the following keywords can be specified:
1984.Dq Li ipv4_prefer ,
1985.Dq Li ipv6_prefer ,
1986or
1987.Dq Li AUTO .
1988.Pp
1989If
1990.Dq Li ipv4_prefer
1991or
1992.Dq Li ipv6_prefer
1993is specified,
1994.Xr ip6addrctl 8
1995installs a pre-defined policy table described in Section 10.3
1996.Pq IPv4-preferred
1997or 2.1
1998.Pq IPv6-preferred
1999of RFC 3484.
2000.Pp
2001If
2002.Dq Li AUTO
2003is specified, it attempts to read a file
2004.Pa /etc/ip6addrctl.conf
2005first.
2006If this file is found,
2007.Xr ip6addrctl 8
2008reads and installs it.
2009If not found, a policy is automatically set
2010according to
2011.Va ipv6_activate_all_interfaces
2012variable; if the variable is set to
2013.Dq Li YES
2014the IPv6-preferred one is used.
2015Otherwise IPv4-preferred.
2016.Pp
2017The default value of
2018.Va ip6addrctl_enable
2019and
2020.Va ip6addrctl_policy
2021are
2022.Dq Li YES
2023and
2024.Dq Li AUTO ,
2025respectively.
2026.It Va cloned_interfaces
2027.Pq Vt str
2028Set to the list of clonable network interfaces to create on this host.
2029Further cloning arguments may be passed to the
2030.Xr ifconfig 8
2031.Cm create
2032command for each interface by setting the
2033.Va create_args_ Ns Aq Ar interface
2034variable.
2035If an interface name is specified with
2036.Dq :sticky
2037keyword,
2038the interface will not be destroyed even when
2039.Pa rc.d/netif
2040script is invoked with
2041.Dq stop
2042argument.
2043This is useful when reconfiguring the interface without destroying it.
2044Entries in
2045.Va cloned_interfaces
2046are automatically appended to
2047.Va network_interfaces
2048for configuration.
2049.It Va cloned_interfaces_sticky
2050.Pq Vt bool
2051This variable is to globally enable functionality of
2052.Dq :sticky
2053keyword in
2054.Va cloned_interfaces
2055for all interfaces.
2056The default value is
2057.Dq NO .
2058Even if this variable is specified to
2059.Dq YES ,
2060.Dq :nosticky
2061keyword can be used to override it on per interface basis.
2062.It Va gif_interfaces
2063Set to the list of
2064.Xr gif 4
2065tunnel interfaces to configure on this host.
2066A
2067.Va gifconfig_ Ns Aq Ar interface
2068variable is assumed to exist for each value of
2069.Ar interface .
2070The value of this variable is used to configure the link layer of the
2071tunnel using the
2072.Cm tunnel
2073option to
2074.Xr ifconfig 8 .
2075Additionally, this option ensures that each listed interface is created
2076via the
2077.Cm create
2078option to
2079.Xr ifconfig 8
2080before attempting to configure it.
2081.Pp
2082For example, configure two
2083.Xr gif 4
2084interfaces with:
2085.Bd -literal
2086gif_interfaces="gif0 gif1"
2087gifconfig_gif0="100.64.0.1 100.64.0.2"
2088ifconfig_gif0="inet 10.0.0.1/30 10.0.0.2"
2089gifconfig_gif1="inet6 2a00::1 2a01::1"
2090ifconfig_gif1="inet 10.1.0.1/30 10.1.0.2"
2091.Ed
2092.It Va ppp_enable
2093.Pq Vt bool
2094If set to
2095.Dq Li YES ,
2096run the
2097.Xr ppp 8
2098daemon.
2099.It Va ppp_profile
2100.Pq Vt str
2101The name of the profile to use from
2102.Pa /etc/ppp/ppp.conf .
2103Also used for per-profile overrides of
2104.Va ppp_mode
2105and
2106.Va ppp_nat ,
2107and
2108.Va ppp_ Ns Ao Ar profile Ac Ns _unit .
2109When the profile name contains any of the characters
2110.Dq Li .-/+
2111they are translated to
2112.Dq Li _
2113for the proposes of the override variable names.
2114.It Va ppp_mode
2115.Pq Vt str
2116Mode in which to run the
2117.Xr ppp 8
2118daemon.
2119.It Va ppp_ Ns Ao Ar profile Ac Ns _mode
2120.Pq Vt str
2121Overrides the global
2122.Va ppp_mode
2123for
2124.Ar profile .
2125Accepted modes are
2126.Dq Li auto ,
2127.Dq Li ddial ,
2128.Dq Li direct
2129and
2130.Dq Li dedicated .
2131See the manual for a full description.
2132.It Va ppp_nat
2133.Pq Vt bool
2134If set to
2135.Dq Li YES ,
2136enables network address translation.
2137Used in conjunction with
2138.Va gateway_enable
2139allows hosts on private network addresses access to the Internet using
2140this host as a network address translating router.
2141Default is
2142.Dq Li YES .
2143.It Va ppp_ Ns Ao Ar profile Ac Ns _nat
2144.Pq Vt str
2145Overrides the global
2146.Va ppp_nat
2147for
2148.Ar profile .
2149.It Va ppp_ Ns Ao Ar profile Ac Ns _unit
2150.Pq Vt int
2151Set the unit number to be used for this profile.
2152See the manual description of
2153.Fl unit Ns Ar N
2154for details.
2155.It Va ppp_user
2156.Pq Vt str
2157The name of the user under which
2158.Xr ppp 8
2159should be started.
2160By
2161default,
2162.Xr ppp 8
2163is started as
2164.Dq Li root .
2165.It Va rc_conf_files
2166.Pq Vt str
2167This option is used to specify a list of files that will override
2168the settings in
2169.Pa /etc/defaults/rc.conf .
2170The files will be read in the order in which they are specified and should
2171include the full path to the file.
2172By default, the files specified are
2173.Pa /etc/rc.conf
2174and
2175.Pa /etc/rc.conf.local .
2176.It Va zfs_enable
2177.Pq Vt bool
2178If set to
2179.Dq Li YES ,
2180.Pa /etc/rc.d/zfs
2181will attempt to automatically mount ZFS file systems and initialize ZFS volumes
2182(ZVOLs).
2183.It Va zpool_reguid
2184.Pq Vt str
2185A space-separated list of ZFS pool names for which new pool GUIDs should be
2186assigned upon first boot.
2187This is useful when using a ZFS pool copied from a template, such as a virtual
2188machine image.
2189.It Va zpool_upgrade
2190.Pq Vt str
2191A space-separated list of ZFS pool names for which the version should be
2192upgraded upon first boot.
2193This is useful when using a ZFS pool generated by the
2194.Xr makefs 8
2195utility.
2196.It Va gptboot_enable
2197.Pq Vt bool
2198If set to
2199.Dq Li YES ,
2200.Pa /etc/rc.d/gptboot
2201will log if the system successfully (or not) booted from a GPT partition,
2202which had the
2203.Ar bootonce
2204attribute set using
2205.Xr gpart 8
2206utility.
2207.It Va geli_devices
2208.Pq Vt str
2209List of devices to automatically attach on boot.
2210Note that .eli devices from
2211.Pa /etc/fstab
2212are automatically appended to this list.
2213.It Va geli_groups
2214.Pq Vt str
2215List of groups containing devices to automatically attach on boot with the same
2216keyfiles and passphrase.
2217This must be accompanied with a corresponding
2218.Va geli_ Ns Ao Ar group Ac Ns Va _devices
2219variable.
2220.It Va geli_tries
2221.Pq Vt int
2222Number of times user is asked for the pass-phrase.
2223If empty, it will be taken from
2224.Va kern.geom.eli.tries
2225sysctl variable.
2226.It Va geli_default_flags
2227.Pq Vt str
2228Default flags to use by
2229.Xr geli 8
2230when configuring disk encryption.
2231Flags can be configured for every device separately by defining the
2232.Va geli_ Ns Ao Ar device Ac Ns Va _flags
2233variable, and for every group separately by defining the
2234.Va geli_ Ns Ao Ar group Ac Ns Va _flags
2235variable.
2236.It Va geli_autodetach
2237.Pq Vt str
2238Specifies if GELI devices should be marked for detach on last close after
2239file systems are mounted.
2240Default is
2241.Dq Li YES .
2242This can be changed for every device separately by defining the
2243.Va geli_ Ns Ao Ar device Ac Ns Va _autodetach
2244variable.
2245.It Va root_rw_mount
2246.Pq Vt bool
2247Set to
2248.Dq Li YES
2249by default.
2250After the file systems are checked at boot time, the root file system
2251is remounted as read-write if this is set to
2252.Dq Li YES .
2253Diskless systems that mount their root file system from a read-only remote
2254NFS share should set this to
2255.Dq Li NO
2256in their
2257.Pa rc.conf .
2258.It Va fsck_y_enable
2259.Pq Vt bool
2260If set to
2261.Dq Li YES ,
2262.Xr fsck 8
2263will be run with the
2264.Fl y
2265flag if the initial preen
2266of the file systems fails.
2267.It Va background_fsck
2268.Pq Vt bool
2269If set to
2270.Dq Li NO ,
2271the system will not attempt to run
2272.Xr fsck 8
2273in the background where possible.
2274.It Va background_fsck_delay
2275.Pq Vt int
2276The amount of time in seconds to sleep before starting a background
2277.Xr fsck 8 .
2278It defaults to sixty seconds to allow large applications such as
2279the X server to start before disk I/O bandwidth is monopolized by
2280.Xr fsck 8 .
2281If set to a negative number, the background file system check will be
2282delayed indefinitely to allow the administrator to run it at a more
2283convenient time.
2284For example it may be run from
2285.Xr cron 8
2286by adding a line like
2287.Pp
2288.Dl "0 4 * * * root /etc/rc.d/bgfsck forcestart"
2289.Pp
2290to
2291.Pa /etc/crontab .
2292.It Va netfs_types
2293.Pq Vt str
2294List of file system types that are network-based.
2295This list should generally not be modified by end users.
2296Use
2297.Va extra_netfs_types
2298instead.
2299.It Va extra_netfs_types
2300.Pq Vt str
2301If set to something other than
2302.Dq Li NO
2303(the default),
2304this variable extends the list of file system types
2305for which automatic mounting at startup by
2306.Xr rc 8
2307should be delayed until the network is initialized.
2308It should contain
2309a whitespace-separated list of network file system descriptor pairs,
2310each consisting of a file system type as passed to
2311.Xr mount 8
2312and a human-readable, one-word description,
2313joined with a colon
2314.Pq Ql \&: .
2315Extending the default list in this way is only necessary
2316when third party file system types are used.
2317.It Va syslogd_enable
2318.Pq Vt bool
2319If set to
2320.Dq Li YES ,
2321run the
2322.Xr syslogd 8
2323daemon.
2324Note, the
2325.Va syslogd_oomprotect
2326variable is set to
2327.Dq Li YES
2328by default in
2329.Pa /etc/defaults/rc.conf .
2330.It Va syslogd_program
2331.Pq Vt str
2332Path to
2333.Xr syslogd 8
2334(default
2335.Pa /usr/sbin/syslogd ) .
2336.It Va syslogd_flags
2337.Pq Vt str
2338If
2339.Va syslogd_enable
2340is set to
2341.Dq Li YES ,
2342these are the flags to pass to
2343.Xr syslogd 8 .
2344.It Va inetd_enable
2345.Pq Vt bool
2346If set to
2347.Dq Li YES ,
2348run the
2349.Xr inetd 8
2350daemon.
2351.It Va inetd_program
2352.Pq Vt str
2353Path to
2354.Xr inetd 8
2355(default
2356.Pa /usr/sbin/inetd ) .
2357.It Va inetd_flags
2358.Pq Vt str
2359If
2360.Va inetd_enable
2361is set to
2362.Dq Li YES ,
2363these are the flags to pass to
2364.Xr inetd 8 .
2365.It Va hastd_enable
2366.Pq Vt bool
2367If set to
2368.Dq Li YES ,
2369run the
2370.Xr hastd 8
2371daemon.
2372.It Va hastd_program
2373.Pq Vt str
2374Path to
2375.Xr hastd 8
2376(default
2377.Pa /sbin/hastd ) .
2378.It Va hastd_flags
2379.Pq Vt str
2380If
2381.Va hastd_enable
2382is set to
2383.Dq Li YES ,
2384these are the flags to pass to
2385.Xr hastd 8 .
2386.It Va local_unbound_enable
2387.Pq Vt bool
2388If set to
2389.Dq Li YES ,
2390run the
2391.Xr unbound 8
2392daemon as a local caching DNS resolver.
2393Note, the
2394.Va local_unbound_oomprotect
2395variable is set to
2396.Dq Li YES
2397by default in
2398.Pa /etc/defaults/rc.conf .
2399.It Va nscd_enable
2400.Pq Vt bool
2401Set to
2402.Dq Li YES
2403to start the
2404.Xr nscd 8
2405caching daemon for the
2406.Nm nsswitch
2407subsystem.
2408.It Va nscd_flags
2409.Pq Vt str
2410If
2411.Va nscd_enable
2412is set to
2413.Dq Li YES ,
2414these flags are passed to
2415.Xr nscd 8 .
2416.It Va kdc_enable
2417.Pq Vt bool
2418Set to
2419.Dq Li YES
2420to start a Kerberos 5 authentication server
2421at boot time.
2422.It Va kdc_program
2423.Pq Vt str
2424If
2425.Va kdc_enable
2426is set to
2427.Dq Li YES
2428this is the path to Kerberos 5 Authentication Server.
2429.It Va kdc_flags
2430.Pq Vt str
2431Empty by default.
2432This variable contains additional flags to be passed to the Kerberos 5
2433authentication server.
2434.It Va kadmind_enable
2435.Pq Vt bool
2436Set to
2437.Dq Li YES
2438to start
2439.Xr kadmind 8 ,
2440the Kerberos 5 Administration Daemon; set to
2441.Dq Li NO
2442on a slave server.
2443.It Va kadmind_program
2444.Pq Vt str
2445If
2446.Va kadmind_enable
2447is set to
2448.Dq Li YES
2449this is the path to Kerberos 5 Administration Daemon.
2450.It Va kpasswdd_enable
2451.Pq Vt bool
2452Set to
2453.Dq Li YES
2454to start
2455.Xr kpasswdd 8 ,
2456the Kerberos 5 Password-Changing Daemon; set to
2457.Dq Li NO
2458on a slave server.
2459.It Va kpasswdd_program
2460.Pq Vt str
2461If
2462.Va kpasswdd_enable
2463is set to
2464.Dq Li YES
2465this is the path to Kerberos 5 Password-Changing Daemon.
2466.It Va kfd_enable
2467.Pq Vt bool
2468Set to
2469.Dq Li YES
2470to start
2471.Xr kfd 8 ,
2472the Kerberos 5 ticket forwarding daemon, at the boot time.
2473.It Va kfd_program
2474.Pq Vt str
2475Path to
2476.Xr kfd 8
2477(default
2478.Pa /usr/libexec/kfd ) .
2479.It Va rwhod_enable
2480.Pq Vt bool
2481If set to
2482.Dq Li YES ,
2483run the
2484.Xr rwhod 8
2485daemon at boot time.
2486.It Va rwhod_flags
2487.Pq Vt str
2488If
2489.Va rwhod_enable
2490is set to
2491.Dq Li YES ,
2492these are the flags to pass to it.
2493.It Va update_motd
2494.Pq Vt bool
2495If set to
2496.Dq Li YES ,
2497.Pa /var/run/motd
2498will be updated at boot time to reflect the kernel release
2499being run.
2500If set to
2501.Dq Li NO ,
2502.Pa /var/run/motd
2503will not be updated.
2504.It Va nfs_client_enable
2505.Pq Vt bool
2506If set to
2507.Dq Li YES ,
2508run the NFS client daemons at boot time.
2509.It Va nfs_access_cache
2510.Pq Vt int
2511If
2512.Va nfs_client_enable
2513is set to
2514.Dq Li YES ,
2515this can be set to
2516.Dq Li 0
2517to disable NFS ACCESS RPC caching, or to the number of seconds for which
2518NFS ACCESS
2519results should be cached.
2520A value of 2-10 seconds will substantially reduce network
2521traffic for many NFS operations.
2522.It Va nfs_server_enable
2523.Pq Vt bool
2524If set to
2525.Dq Li YES ,
2526run the NFS server daemons at boot time.
2527.It Va nfs_server_flags
2528.Pq Vt str
2529If
2530.Va nfs_server_enable
2531is set to
2532.Dq Li YES ,
2533these are the flags to pass to the
2534.Xr nfsd 8
2535daemon.
2536.It Va nfsv4_server_enable
2537.Pq Vt bool
2538If
2539.Va nfs_server_enable
2540is set to
2541.Dq Li YES
2542and
2543.Va nfsv4_server_enable
2544is set to
2545.Dq Li YES ,
2546enable the server for NFSv4 as well as NFSv2 and NFSv3.
2547.It Va nfsv4_server_only
2548.Pq Vt bool
2549If
2550.Va nfs_server_enable
2551is set to
2552.Dq Li YES
2553and
2554.Va nfsv4_server_only
2555is set to
2556.Dq Li YES ,
2557enable the NFS server for NFSv4 only.
2558.It Va nfs_server_maxio
2559.Pq Vt int
2560value to set vfs.nfsd.srvmaxio to, which is the
2561maximum I/O size for the NFS server.
2562.It Va tlsclntd_enable
2563.Pq Vt bool
2564If set to
2565.Dq Li YES ,
2566run the
2567.Xr rpc.tlsclntd 8
2568daemon, which is needed for NFS-over-TLS NFS mounts.
2569.It Va tlsservd_enable
2570.Pq Vt bool
2571If set to
2572.Dq Li YES ,
2573run the
2574.Xr rpc.tlsservd 8
2575daemon, which is needed for the
2576.Xr nfsd 8
2577to support NFS-over-TLS NFS mounts.
2578.It Va nfsuserd_enable
2579.Pq Vt bool
2580If
2581.Va nfsuserd_enable
2582is set to
2583.Dq Li YES ,
2584run the nfsuserd daemon, which is needed for NFSv4 in order
2585to map between user/group names vs uid/gid numbers.
2586If
2587.Va nfsv4_server_enable
2588is set to
2589.Dq Li YES ,
2590this will be forced enabled.
2591.It Va nfsuserd_flags
2592.Pq Vt str
2593If
2594.Va nfsuserd_enable
2595is set to
2596.Dq Li YES ,
2597these are the flags to pass to the
2598.Xr nfsuserd 8
2599daemon.
2600.It Va nfscbd_enable
2601.Pq Vt bool
2602If
2603.Va nfscbd_enable
2604is set to
2605.Dq Li YES ,
2606run the nfscbd daemon, which enables callbacks/delegations for the NFSv4 client.
2607.It Va nfscbd_flags
2608.Pq Vt str
2609If
2610.Va nfscbd_enable
2611is set to
2612.Dq Li YES ,
2613these are the flags to pass to the
2614.Xr nfscbd 8
2615daemon.
2616.It Va mountd_enable
2617.Pq Vt bool
2618If set to
2619.Dq Li YES ,
2620and no
2621.Va nfs_server_enable
2622is set, start
2623.Xr mountd 8 ,
2624but not
2625.Xr nfsd 8
2626daemon.
2627It is commonly needed to run CFS without real NFS used.
2628.It Va mountd_flags
2629.Pq Vt str
2630If
2631.Va mountd_enable
2632is set to
2633.Dq Li YES ,
2634these are the flags to pass to the
2635.Xr mountd 8
2636daemon.
2637.It Va weak_mountd_authentication
2638.Pq Vt bool
2639If set to
2640.Dq Li YES ,
2641allow services like PCNFSD to make non-privileged mount
2642requests.
2643.It Va nfs_reserved_port_only
2644.Pq Vt bool
2645If set to
2646.Dq Li YES ,
2647provide NFS services only on a secure port.
2648.It Va nfs_bufpackets
2649.Pq Vt int
2650If set to a number, indicates the number of packets worth of
2651socket buffer space to reserve on an NFS client.
2652The kernel default is typically 4.
2653Using a higher number may be
2654useful on gigabit networks to improve performance.
2655The minimum value is
26562 and the maximum is 64.
2657.It Va rpc_lockd_enable
2658.Pq Vt bool
2659If set to
2660.Dq Li YES
2661and also an NFS server or client, run
2662.Xr rpc.lockd 8
2663at boot time.
2664.It Va rpc_lockd_flags
2665.Pq Vt str
2666If
2667.Va rpc_lockd_enable
2668is set to
2669.Dq Li YES ,
2670these are the flags to pass to the
2671.Xr rpc.lockd 8
2672daemon.
2673.It Va rpc_statd_enable
2674.Pq Vt bool
2675If set to
2676.Dq Li YES
2677and also an NFS server or client, run
2678.Xr rpc.statd 8
2679at boot time.
2680.It Va rpc_statd_flags
2681.Pq Vt str
2682If
2683.Va rpc_statd_enable
2684is set to
2685.Dq Li YES ,
2686these are the flags to pass to the
2687.Xr rpc.statd 8
2688daemon.
2689.It Va rpcbind_program
2690.Pq Vt str
2691Path to
2692.Xr rpcbind 8
2693(default
2694.Pa /usr/sbin/rpcbind ) .
2695.It Va rpcbind_enable
2696.Pq Vt bool
2697If set to
2698.Dq Li YES ,
2699run the
2700.Xr rpcbind 8
2701service at boot time.
2702.It Va rpcbind_flags
2703.Pq Vt str
2704If
2705.Va rpcbind_enable
2706is set to
2707.Dq Li YES ,
2708these are the flags to pass to the
2709.Xr rpcbind 8
2710daemon.
2711.It Va keyserv_enable
2712.Pq Vt bool
2713If set to
2714.Dq Li YES ,
2715run the
2716.Xr keyserv 8
2717daemon on boot for running Secure RPC.
2718.It Va keyserv_flags
2719.Pq Vt str
2720If
2721.Va keyserv_enable
2722is set to
2723.Dq Li YES ,
2724these are the flags to pass to
2725.Xr keyserv 8
2726daemon.
2727.It Va pppoed_enable
2728.Pq Vt bool
2729If set to
2730.Dq Li YES ,
2731run the
2732.Xr pppoed 8
2733daemon at boot time to provide PPP over Ethernet services.
2734.It Va pppoed_ Ns Aq Ar provider
2735.Pq Vt str
2736.Xr pppoed 8
2737listens to requests to this
2738.Ar provider
2739and ultimately runs
2740.Xr ppp 8
2741with a
2742.Ar system
2743argument of the same name.
2744.It Va pppoed_flags
2745.Pq Vt str
2746Additional flags to pass to
2747.Xr pppoed 8 .
2748.It Va pppoed_interface
2749.Pq Vt str
2750The network interface to run
2751.Xr pppoed 8
2752on.
2753This is mandatory when
2754.Va pppoed_enable
2755is set to
2756.Dq Li YES .
2757.It Va ntpdate_enable
2758.Pq Vt bool
2759If set to
2760.Dq Li YES ,
2761run
2762.Xr ntpdate 8
2763at system startup.
2764This command is intended to
2765synchronize the system clock only
2766.Em once
2767from some standard reference.
2768.Pp
2769Note that the use of the
2770.Va ntpd_sync_on_start
2771variable is a preferred alternative to the
2772.Xr ntpdate 8
2773utility as
2774.Xr ntpdate 8
2775is to be retired from the NTP distribution.
2776.It Va ntpdate_config
2777.Pq Vt str
2778Configuration file for
2779.Xr ntpdate 8 .
2780Default
2781.Pa /etc/ntp.conf .
2782.It Va ntpdate_hosts
2783.Pq Vt str
2784A whitespace-separated list of NTP servers to synchronize with at startup.
2785The default is to use the servers listed in
2786.Va ntpdate_config ,
2787if that file exists.
2788.It Va ntpdate_program
2789.Pq Vt str
2790Path to
2791.Xr ntpdate 8
2792(default
2793.Pa /usr/sbin/ntpdate ) .
2794.It Va ntpdate_flags
2795.Pq Vt str
2796If
2797.Va ntpdate_enable
2798is set to
2799.Dq Li YES ,
2800these are the flags to pass to the
2801.Xr ntpdate 8
2802command (typically a hostname).
2803.It Va ntpd_enable
2804.Pq Vt bool
2805If set to
2806.Dq Li YES ,
2807run the
2808.Xr ntpd 8
2809command at boot time.
2810.It Va ntpd_program
2811.Pq Vt str
2812Path to
2813.Xr ntpd 8
2814(default
2815.Pa /usr/sbin/ntpd ) .
2816.It Va ntpd_config
2817.Pq Vt str
2818Path to
2819.Xr ntpd 8
2820configuration file.
2821Default
2822.Pa /etc/ntp.conf .
2823.It Va ntpd_flags
2824.Pq Vt str
2825If
2826.Va ntpd_enable
2827is set to
2828.Dq Li YES ,
2829these are the flags to pass to the
2830.Xr ntpd 8
2831daemon.
2832.It Va ntpd_sync_on_start
2833.Pq Vt bool
2834If set to
2835.Dq Li YES ,
2836.Xr ntpd 8
2837is run with the
2838.Fl g
2839flag, which syncs the system's clock on startup.
2840See
2841.Xr ntpd 8
2842for more information regarding the
2843.Fl g
2844option.
2845This is a preferred alternative to using
2846.Xr ntpdate 8
2847or specifying the
2848.Va ntpdate_enable
2849variable.
2850.It Va nis_client_enable
2851.Pq Vt bool
2852If set to
2853.Dq Li YES ,
2854run the
2855.Xr ypbind 8
2856service at system boot time.
2857.It Va nis_client_flags
2858.Pq Vt str
2859If
2860.Va nis_client_enable
2861is set to
2862.Dq Li YES ,
2863these are the flags to pass to the
2864.Xr ypbind 8
2865service.
2866.It Va nis_ypldap_enable
2867.Pq Vt bool
2868If set to
2869.Dq Li YES ,
2870run the
2871.Xr ypldap 8
2872daemon at system boot time.
2873.It Va nis_ypldap_flags
2874.Pq Vt str
2875If
2876.Va nis.ypldap_enable
2877is set to
2878.Dq Li YES ,
2879these are the flags to pass to the
2880.Xr ypldap 8
2881daemon.
2882.It Va nis_ypset_enable
2883.Pq Vt bool
2884If set to
2885.Dq Li YES ,
2886run the
2887.Xr ypset 8
2888daemon at system boot time.
2889.It Va nis_ypset_flags
2890.Pq Vt str
2891If
2892.Va nis_ypset_enable
2893is set to
2894.Dq Li YES ,
2895these are the flags to pass to the
2896.Xr ypset 8
2897daemon.
2898.It Va nis_server_enable
2899.Pq Vt bool
2900If set to
2901.Dq Li YES ,
2902run the
2903.Xr ypserv 8
2904daemon at system boot time.
2905.It Va nis_server_flags
2906.Pq Vt str
2907If
2908.Va nis_server_enable
2909is set to
2910.Dq Li YES ,
2911these are the flags to pass to the
2912.Xr ypserv 8
2913daemon.
2914.It Va nis_ypxfrd_enable
2915.Pq Vt bool
2916If set to
2917.Dq Li YES ,
2918run the
2919.Xr rpc.ypxfrd 8
2920daemon at system boot time.
2921.It Va nis_ypxfrd_flags
2922.Pq Vt str
2923If
2924.Va nis_ypxfrd_enable
2925is set to
2926.Dq Li YES ,
2927these are the flags to pass to the
2928.Xr rpc.ypxfrd 8
2929daemon.
2930.It Va nis_yppasswdd_enable
2931.Pq Vt bool
2932If set to
2933.Dq Li YES ,
2934run the
2935.Xr rpc.yppasswdd 8
2936daemon at system boot time.
2937.It Va nis_yppasswdd_flags
2938.Pq Vt str
2939If
2940.Va nis_yppasswdd_enable
2941is set to
2942.Dq Li YES ,
2943these are the flags to pass to the
2944.Xr rpc.yppasswdd 8
2945daemon.
2946.It Va rpc_ypupdated_enable
2947.Pq Vt bool
2948If set to
2949.Dq Li YES ,
2950run the
2951.Nm rpc.ypupdated
2952daemon at system boot time.
2953.It Va bsnmpd_enable
2954.Pq Vt bool
2955If set to
2956.Dq Li YES ,
2957run the
2958.Xr bsnmpd 1
2959daemon at system boot time.
2960Be sure to understand the security implications of running an SNMP daemon
2961on your host.
2962.It Va bsnmpd_flags
2963.Pq Vt str
2964If
2965.Va bsnmpd_enable
2966is set to
2967.Dq Li YES ,
2968these are the flags to pass to the
2969.Xr bsnmpd 1
2970daemon.
2971.It Va defaultrouter
2972.Pq Vt str
2973If not set to
2974.Dq Li NO ,
2975create a default route to this host name or IP address
2976(use an IP address if this router is also required to get to the
2977name server!).
2978.It Va defaultrouter_fibN
2979.Pq Vt str
2980If not set to
2981.Dq Li NO ,
2982create a default route in FIB N to this host name or IP address.
2983.It Va ipv6_defaultrouter
2984.Pq Vt str
2985The IPv6 equivalent of
2986.Va defaultrouter .
2987.It Va ipv6_defaultrouter_fibN
2988.Pq Vt str
2989The IPv6 equivalent of
2990.Va defaultrouter_fibN .
2991.It Va static_arp_pairs
2992.Pq Vt str
2993Set to the list of static ARP pairs that are to be added at system
2994boot time.
2995For each whitespace separated
2996.Ar element
2997in the value, a
2998.Va static_arp_ Ns Aq Ar element
2999variable is assumed to exist whose contents will later be passed to a
3000.Dq Nm arp Cm -S
3001operation.
3002For example
3003.Bd -literal
3004static_arp_pairs="gw"
3005static_arp_gw="192.168.1.1 00:01:02:03:04:05"
3006.Ed
3007.It Va static_ndp_pairs
3008.Pq Vt str
3009Set to the list of static NDP pairs that are to be added at system
3010boot time.
3011For each whitespace separated
3012.Ar element
3013in the value, a
3014.Va static_ndp_ Ns Aq Ar element
3015variable is assumed to exist whose contents will later be passed to a
3016.Dq Nm ndp Cm -s
3017operation.
3018For example
3019.Bd -literal
3020static_ndp_pairs="gw"
3021static_ndp_gw="2001:db8:3::1 00:01:02:03:04:05"
3022.Ed
3023.It Va static_routes
3024.Pq Vt str
3025Set to the list of static routes that are to be added at system
3026boot time.
3027If not set to
3028.Dq Li NO
3029then for each whitespace separated
3030.Ar element
3031in the value, a
3032.Va route_ Ns Aq Ar element
3033variable is assumed to exist
3034whose contents will later be passed to a
3035.Dq Nm route Cm add
3036operation.
3037For example:
3038.Bd -literal
3039static_routes="ext mcast:gif0 gif0local:gif0"
3040route_ext="-net 10.0.0.0/24 -gateway 192.168.0.1"
3041route_mcast="-net 224.0.0.0/4 -iface gif0"
3042route_gif0local="-host 169.254.1.1 -iface lo0"
3043.Ed
3044.Pp
3045When an
3046.Ar element
3047is in the form of
3048.Li name:ifname ,
3049the route is specific to the interface
3050.Li ifname .
3051.It Va ipv6_static_routes
3052.Pq Vt str
3053The IPv6 equivalent of
3054.Va static_routes .
3055If not set to
3056.Dq Li NO
3057then for each whitespace separated
3058.Ar element
3059in the value, a
3060.Va ipv6_route_ Ns Aq Ar element
3061variable is assumed to exist
3062whose contents will later be passed to a
3063.Dq Nm route Cm add Fl inet6
3064operation.
3065.It Va gateway_enable
3066.Pq Vt bool
3067If set to
3068.Dq Li YES ,
3069configure host to act as an IP router, e.g.\& to forward packets
3070between interfaces.
3071.It Va ipv6_gateway_enable
3072.Pq Vt bool
3073The IPv6 equivalent of
3074.Va gateway_enable .
3075.It Va routed_enable
3076.Pq Vt bool
3077If set to
3078.Dq Li YES ,
3079run a routing daemon of some sort, based on the
3080settings of
3081.Va routed_program
3082and
3083.Va routed_flags .
3084.It Va route6d_enable
3085.Pq Vt bool
3086The IPv6 equivalent of
3087.Va routed_enable .
3088If set to
3089.Dq Li YES ,
3090run a routing daemon of some sort, based on the
3091settings of
3092.Va route6d_program
3093and
3094.Va route6d_flags .
3095.It Va routed_program
3096.Pq Vt str
3097If
3098.Va routed_enable
3099is set to
3100.Dq Li YES ,
3101this is the name of the routing daemon to use.
3102The default is
3103.Xr routed 8 .
3104.It Va route6d_program
3105.Pq Vt str
3106The IPv6 equivalent of
3107.Va routed_program .
3108The default is
3109.Xr route6d 8 .
3110.It Va routed_flags
3111.Pq Vt str
3112If
3113.Va routed_enable
3114is set to
3115.Dq Li YES ,
3116these are the flags to pass to the routing daemon.
3117.It Va route6d_flags
3118.Pq Vt str
3119The IPv6 equivalent of
3120.Va routed_flags .
3121.It Va rtadvd_enable
3122.Pq Vt bool
3123If set to
3124.Dq Li YES ,
3125run the
3126.Xr rtadvd 8
3127daemon at boot time.
3128The
3129.Xr rtadvd 8
3130utility sends ICMPv6 Router Advertisement messages to
3131the interfaces specified in
3132.Va rtadvd_interfaces .
3133This should only be enabled with great care.
3134You may want to fine-tune
3135.Xr rtadvd.conf 5 .
3136.It Va rtadvd_interfaces
3137.Pq Vt str
3138If
3139.Va rtadvd_enable
3140is set to
3141.Dq Li YES
3142this is the list of interfaces to use.
3143.It Va arpproxy_all
3144.Pq Vt bool
3145If set to
3146.Dq Li YES ,
3147enable global proxy ARP.
3148.It Va forward_sourceroute
3149.Pq Vt bool
3150If set to
3151.Dq Li YES
3152and
3153.Va gateway_enable
3154is also set to
3155.Dq Li YES ,
3156source-routed packets are forwarded.
3157.It Va accept_sourceroute
3158.Pq Vt bool
3159If set to
3160.Dq Li YES ,
3161the system will accept source-routed packets directed at it.
3162.It Va rarpd_enable
3163.Pq Vt bool
3164If set to
3165.Dq Li YES ,
3166run the
3167.Xr rarpd 8
3168daemon at system boot time.
3169.It Va rarpd_flags
3170.Pq Vt str
3171If
3172.Va rarpd_enable
3173is set to
3174.Dq Li YES ,
3175these are the flags to pass to the
3176.Xr rarpd 8
3177daemon.
3178.It Va bootparamd_enable
3179.Pq Vt bool
3180If set to
3181.Dq Li YES ,
3182run the
3183.Xr bootparamd 8
3184daemon at system boot time.
3185.It Va bootparamd_flags
3186.Pq Vt str
3187If
3188.Va bootparamd_enable
3189is set to
3190.Dq Li YES ,
3191these are the flags to pass to the
3192.Xr bootparamd 8
3193daemon.
3194.It Va stf_interface_ipv4addr
3195.Pq Vt str
3196If not set to
3197.Dq Li NO ,
3198this is the local IPv4 address for 6to4 (IPv6 over IPv4 tunneling
3199interface).
3200Specify this entry to enable the 6to4 interface.
3201.It Va stf_interface_ipv4plen
3202.Pq Vt int
3203Prefix length for 6to4 IPv4 addresses, to limit peer address range.
3204An effective value is 0-31.
3205.It Va stf_interface_ipv6_ifid
3206.Pq Vt str
3207IPv6 interface ID for
3208.Xr stf 4 .
3209This can be set to
3210.Dq Li AUTO .
3211.It Va stf_interface_ipv6_slaid
3212.Pq Vt str
3213IPv6 Site Level Aggregator for
3214.Xr stf 4 .
3215.It Va ipv6_ipv4mapping
3216.Pq Vt bool
3217If set to
3218.Dq Li YES
3219this enables IPv4 mapped IPv6 address communication (like
3220.Li ::ffff:a.b.c.d ) .
3221.It Va rtsold_enable
3222.Pq Vt bool
3223Set to
3224.Dq Li YES
3225to enable the
3226.Xr rtsold 8
3227daemon to send ICMPv6 Router Solicitation messages.
3228.It Va rtsold_flags
3229.Pq Vt str
3230If
3231.Va rtsold_enable
3232is set to
3233.Dq Li YES ,
3234these are the flags to pass to
3235.Xr rtsold 8 .
3236.It Va rtsol_flags
3237.Pq Vt str
3238For interfaces configured with the
3239.Dq Li inet6 accept_rtadv
3240keyword, these are the flags to pass to
3241.Xr rtsol 8 .
3242.Pp
3243Note that
3244.Va rtsold_enable
3245is mutually exclusive to
3246.Va rtsol_flags ;
3247.Va rtsold_enable
3248takes precedence.
3249.It Va keybell
3250.Pq Vt str
3251The keyboard bell sound.
3252Set to
3253.Dq Li normal ,
3254.Dq Li visual ,
3255.Dq Li off ,
3256or
3257.Dq Li NO
3258if the default behavior is desired.
3259For details, refer to the
3260.Xr kbdcontrol 1
3261manpage.
3262.It Va keyboard
3263.Pq Vt str
3264If set to a non-null string, the virtual console's keyboard input is
3265set to this device.
3266.It Va keymap
3267.Pq Vt str
3268If set to
3269.Dq Li NO ,
3270no keymap is installed, otherwise the value is used to install
3271the keymap file found in
3272.Pa /usr/share/syscons/keymaps/ Ns Ao Ar value Ac Ns Pa .kbd
3273(if using
3274.Xr syscons 4 ) or
3275.Pa /usr/share/vt/keymaps/ Ns Ao Ar value Ac Ns Pa .kbd
3276(if using
3277.Xr vt 4 ) .
3278.It Va keyrate
3279.Pq Vt str
3280The keyboard repeat speed.
3281Set to
3282.Dq Li slow ,
3283.Dq Li normal ,
3284.Dq Li fast ,
3285or
3286.Dq Li NO
3287if the default behavior is desired.
3288.It Va keychange
3289.Pq Vt str
3290If not set to
3291.Dq Li NO ,
3292attempt to program the function keys with the value.
3293The value should
3294be a single string of the form:
3295.Dq Ar funkey_number new_value Op Ar funkey_number new_value ... .
3296.It Va cursor
3297.Pq Vt str
3298Can be set to the value of
3299.Dq Li normal ,
3300.Dq Li blink ,
3301.Dq Li destructive ,
3302or
3303.Dq Li NO
3304to set the cursor behavior explicitly or choose the default behavior.
3305.It Va scrnmap
3306.Pq Vt str
3307If set to
3308.Dq Li NO ,
3309no screen map is installed, otherwise the value is used to install
3310the screen map file in
3311.Pa /usr/share/syscons/scrnmaps/ Ns Aq Ar value .
3312This parameter is ignored when using
3313.Xr vt 4
3314as the console driver.
3315.It Va font8x16
3316.Pq Vt str
3317If set to
3318.Dq Li NO ,
3319the default 8x16 font value is used for screen size requests, otherwise
3320the value in
3321.Pa /usr/share/syscons/fonts/ Ns Aq Ar value
3322or
3323.Pa /usr/share/vt/fonts/ Ns Aq Ar value
3324is used (depending on the console driver being used).
3325.It Va font8x14
3326.Pq Vt str
3327If set to
3328.Dq Li NO ,
3329the default 8x14 font value is used for screen size requests, otherwise
3330the value in
3331.Pa /usr/share/syscons/fonts/ Ns Aq Ar value
3332or
3333.Pa /usr/share/vt/fonts/ Ns Aq Ar value
3334is used (depending on the console driver being used).
3335.It Va font8x8
3336.Pq Vt str
3337If set to
3338.Dq Li NO ,
3339the default 8x8 font value is used for screen size requests, otherwise
3340the value in
3341.Pa /usr/share/syscons/fonts/ Ns Aq Ar value
3342or
3343.Pa /usr/share/vt/fonts/ Ns Aq Ar value
3344is used (depending on the console driver being used).
3345.It Va blanktime
3346.Pq Vt int
3347If set to
3348.Dq Li NO ,
3349the default screen blanking interval is used, otherwise it is set
3350to
3351.Ar value
3352seconds.
3353.It Va saver
3354.Pq Vt str
3355If not set to
3356.Dq Li NO ,
3357this is the actual screen saver to use
3358.Li ( blank , snake , daemon ,
3359etc).
3360.It Va moused_nondefault_enable
3361.Pq Vt str
3362If set to
3363.Dq Li NO ,
3364the mouse device specified on
3365the command line is not automatically treated as enabled by the
3366.Pa /etc/rc.d/moused
3367script.
3368Having this variable set to
3369.Dq Li YES
3370allows a
3371.Xr usb 4
3372mouse,
3373for example,
3374to be enabled as soon as it is plugged in.
3375.It Va moused_enable
3376.Pq Vt str
3377If set to
3378.Dq Li YES ,
3379the
3380.Xr moused 8
3381daemon is started for doing cut/paste selection on the console.
3382.It Va moused_type
3383.Pq Vt str
3384This is the protocol type of the mouse connected to this host.
3385This variable must be set if
3386.Va moused_enable
3387is set to
3388.Dq Li YES ,
3389but defaults to
3390.Dq Li auto
3391as the
3392.Xr moused 8
3393daemon
3394is able to detect the appropriate mouse type automatically in many cases.
3395Set this variable to
3396one from the following list if the automatic detection fails.
3397.Pp
3398If the mouse is attached to the PS/2 mouse port, choose
3399.Dq Li auto
3400or
3401.Dq Li ps/2 ,
3402regardless of the brand and model of the mouse.
3403Likewise, if the
3404mouse is attached to the bus mouse port, choose
3405.Dq Li auto
3406or
3407.Dq Li busmouse .
3408All other protocols are for serial mice and will not work with
3409the PS/2 and bus mice.
3410If this is a USB mouse,
3411.Dq Li auto
3412is the only protocol type which will work.
3413.Pp
3414.Bl -tag -width ".Li x10mouseremote" -compact
3415.It Li microsoft
3416Microsoft mouse (serial)
3417.It Li intellimouse
3418Microsoft IntelliMouse (serial)
3419.It Li mousesystems
3420Mouse systems Corp.\& mouse (serial)
3421.It Li mmseries
3422MM Series mouse (serial)
3423.It Li logitech
3424Logitech mouse (serial)
3425.It Li busmouse
3426A bus mouse
3427.It Li mouseman
3428Logitech MouseMan and TrackMan (serial)
3429.It Li glidepoint
3430ALPS GlidePoint (serial)
3431.It Li thinkingmouse
3432Kensington ThinkingMouse (serial)
3433.It Li ps/2
3434PS/2 mouse
3435.It Li mmhittab
3436MM HitTablet (serial)
3437.It Li x10mouseremote
3438X10 MouseRemote (serial)
3439.It Li versapad
3440Interlink VersaPad (serial)
3441.El
3442.Pp
3443Even if the mouse is not in the above list, it may be compatible
3444with one in the list.
3445Refer to the manual page for
3446.Xr moused 8
3447for compatibility information.
3448.Pp
3449It should also be noted that while this is enabled, any
3450other client of the mouse (such as an X server) should access
3451the mouse through the virtual mouse device,
3452.Pa /dev/sysmouse ,
3453and configure it as a
3454.Dq Li sysmouse
3455type mouse, since all
3456mouse data is converted to this single canonical format when
3457using
3458.Xr moused 8 .
3459If the client program does not support the
3460.Dq Li sysmouse
3461type,
3462specify the
3463.Dq Li mousesystems
3464type.
3465It is the second preferred type.
3466.It Va moused_port
3467.Pq Vt str
3468If
3469.Va moused_enable
3470is set to
3471.Dq Li YES ,
3472this is the actual port the mouse is on.
3473It might be
3474.Pa /dev/cuau0
3475for a COM1 serial mouse, or
3476.Pa /dev/psm0
3477for a PS/2 mouse, for example.
3478.It Va moused_flags
3479.Pq Vt str
3480If
3481.Va moused_flags
3482is set, its value is used as an additional set of flags to pass to the
3483.Xr moused 8
3484daemon.
3485.It Va "moused_" Ns Ar XXX Ns Va "_flags"
3486When
3487.Va moused_nondefault_enable
3488is enabled, and a
3489.Xr moused 8
3490daemon is started for a non-default port, the
3491.Va "moused_" Ns Ar XXX Ns Va "_flags"
3492set of options has precedence over and replaces the default
3493.Va moused_flags
3494(where
3495.Ar XXX
3496is the name of the non-default port, i.e.,\&
3497.Ar ums0 ) .
3498By setting
3499.Va "moused_" Ns Ar XXX Ns Va "_flags"
3500it is possible to set up a different set of default flags for each
3501.Xr moused 8
3502instance.
3503For example, you can use
3504.Dq Li "-3"
3505for the default
3506.Va moused_flags
3507to make your laptop's touchpad more comfortable to use,
3508but an empty set of options for
3509.Va moused_ums0_flags
3510when your
3511.Xr usb 4
3512mouse has three or more buttons.
3513.It Va mousechar_start
3514.Pq Vt int
3515If set to
3516.Dq Li NO ,
3517the default mouse cursor character range
3518.Li 0xd0 Ns - Ns Li 0xd3
3519is used,
3520otherwise the range start is set
3521to
3522.Ar value
3523character, see
3524.Xr vidcontrol 1 .
3525Use if the default range is occupied in the language code table.
3526.It Va allscreens_flags
3527.Pq Vt str
3528If set,
3529.Xr vidcontrol 1
3530is run with these options for each of the virtual terminals
3531.Pq Pa /dev/ttyv* .
3532For example,
3533.Dq Fl m Cm on
3534will enable the mouse pointer on all virtual terminals
3535if
3536.Va moused_enable
3537is set to
3538.Dq Li YES .
3539.It Va allscreens_kbdflags
3540.Pq Vt str
3541If set,
3542.Xr kbdcontrol 1
3543is run with these options for each of the virtual terminals
3544.Pq Pa /dev/ttyv* .
3545For example,
3546.Dq Fl h Li 200
3547will set the
3548.Xr syscons 4
3549or
3550.Xr vt 4
3551scrollback (history) buffer to 200 lines.
3552.It Va cron_enable
3553.Pq Vt bool
3554If set to
3555.Dq Li YES ,
3556run the
3557.Xr cron 8
3558daemon at system boot time.
3559.It Va cron_program
3560.Pq Vt str
3561Path to
3562.Xr cron 8
3563(default
3564.Pa /usr/sbin/cron ) .
3565.It Va cron_flags
3566.Pq Vt str
3567If
3568.Va cron_enable
3569is set to
3570.Dq Li YES ,
3571these are the flags to pass to
3572.Xr cron 8 .
3573.It Va cron_dst
3574.Pq Vt bool
3575If set to
3576.Dq Li YES ,
3577enable the special handling of transitions to and from the
3578Daylight Saving Time in
3579.Xr cron 8
3580(equivalent to using the flag
3581.Fl s ) .
3582.It Va lpd_program
3583.Pq Vt str
3584Path to
3585.Xr lpd 8
3586(default
3587.Pa /usr/sbin/lpd ) .
3588.It Va lpd_enable
3589.Pq Vt bool
3590If set to
3591.Dq Li YES ,
3592run the
3593.Xr lpd 8
3594daemon at system boot time.
3595.It Va lpd_flags
3596.Pq Vt str
3597If
3598.Va lpd_enable
3599is set to
3600.Dq Li YES ,
3601these are the flags to pass to the
3602.Xr lpd 8
3603daemon.
3604.It Va chkprintcap_enable
3605.Pq Vt bool
3606If set to
3607.Dq Li YES ,
3608run the
3609.Xr chkprintcap 8
3610command before starting the
3611.Xr lpd 8
3612daemon.
3613.It Va chkprintcap_flags
3614.Pq Vt str
3615If
3616.Va lpd_enable
3617and
3618.Va chkprintcap_enable
3619are set to
3620.Dq Li YES ,
3621these are the flags to pass to the
3622.Xr chkprintcap 8
3623program.
3624The default is
3625.Dq Li -d ,
3626which causes missing directories to be created.
3627.It Va dumpdev
3628.Pq Vt str
3629Indicates the device (usually a swap partition) to which a crash dump
3630should be written in the event of a system crash.
3631If the value of this variable is
3632.Dq Li AUTO ,
3633the first suitable swap device listed in
3634.Pa /etc/fstab
3635will be used as dump device.
3636Otherwise, the value of this variable is passed as the argument to
3637.Xr dumpon 8
3638and
3639.Xr savecore 8 .
3640To disable crash dumps, set this variable to
3641.Dq Li NO .
3642.It Va dumpon_flags
3643.Pq Vt str
3644Flags to pass to
3645.Xr dumpon 8
3646when configuring
3647.Va dumpdev
3648as the system dump device.
3649.It Va dumpdir
3650.Pq Vt str
3651When the system reboots after a crash and a crash dump is found on the
3652device specified by the
3653.Va dumpdev
3654variable,
3655.Xr savecore 8
3656will save that crash dump and a copy of the kernel to the directory
3657specified by the
3658.Va dumpdir
3659variable.
3660The default value is
3661.Pa /var/crash .
3662Set to
3663.Dq Li NO
3664to not run
3665.Xr savecore 8
3666at boot time when
3667.Va dumpdir
3668is set.
3669.It Va savecore_enable
3670.Pq Vt bool
3671If set to
3672.Dq Li NO ,
3673disable automatic extraction of the crash dump from the
3674.Va dumpdev .
3675.It Va savecore_flags
3676.Pq Vt str
3677If crash dumps are enabled, these are the flags to pass to the
3678.Xr savecore 8
3679utility.
3680.It Va quota_enable
3681.Pq Vt bool
3682Set to
3683.Dq Li YES
3684to turn on user and group disk quotas on system startup via the
3685.Xr quotaon 8
3686command for all file systems marked as having quotas enabled in
3687.Pa /etc/fstab .
3688The kernel must be built with
3689.Cd "options QUOTA"
3690for disk quotas to function.
3691.It Va check_quotas
3692.Pq Vt bool
3693Set to
3694.Dq Li YES
3695to enable user and group disk quota checking via the
3696.Xr quotacheck 8
3697command.
3698.It Va quotacheck_flags
3699.Pq Vt str
3700If
3701.Va quota_enable
3702is set to
3703.Dq Li YES ,
3704and
3705.Va check_quotas
3706is set to
3707.Dq Li YES ,
3708these are the flags to pass to the
3709.Xr quotacheck 8
3710utility.
3711The default is
3712.Dq Li "-a" ,
3713which checks quotas for all file systems with quotas enabled in
3714.Pa /etc/fstab .
3715.It Va quotaon_flags
3716.Pq Vt str
3717If
3718.Va quota_enable
3719is set to
3720.Dq Li YES ,
3721these are the flags to pass to the
3722.Xr quotaon 8
3723utility.
3724The default is
3725.Dq Li "-a" ,
3726which enables quotas for all file systems with quotas enabled in
3727.Pa /etc/fstab .
3728.It Va quotaoff_flags
3729.Pq Vt str
3730If
3731.Va quota_enable
3732is set to
3733.Dq Li YES ,
3734these are the flags to pass to the
3735.Xr quotaoff 8
3736utility when shutting down the quota system.
3737The default is
3738.Dq Li "-a" ,
3739which disables quotas for all file systems with quotas enabled in
3740.Pa /etc/fstab .
3741.It Va accounting_enable
3742.Pq Vt bool
3743Set to
3744.Dq Li YES
3745to enable system accounting through the
3746.Xr accton 8
3747facility.
3748.It Va firstboot_sentinel
3749.Pq Vt str
3750This variable specifies the full path to a
3751.Dq first boot
3752sentinel file.
3753If a file exists with this path,
3754.Pa rc.d
3755scripts with the
3756.Dq firstboot
3757keyword will be run on startup and the sentinel file will be deleted
3758after the boot process completes.
3759The sentinel file must be located on a writable file system which is
3760mounted no later than
3761.Va early_late_divider
3762to function properly.
3763The default is
3764.Pa /firstboot .
3765.It Va linux_enable
3766.Pq Vt bool
3767Set to
3768.Dq Li YES
3769to enable Linux/ELF binary emulation at system initial
3770boot time.
3771.It Va sysvipc_enable
3772.Pq Vt bool
3773If set to
3774.Dq Li YES ,
3775load System V IPC primitives at boot time.
3776.It Va clear_tmp_enable
3777.Pq Vt bool
3778Set to
3779.Dq Li YES
3780to have
3781.Pa /tmp
3782cleaned at startup.
3783.It Va clear_tmp_X
3784.Pq Vt bool
3785Set to
3786.Dq Li NO
3787to disable removing of X11 lock files,
3788and the removal and (secure) recreation
3789of the various socket directories for X11
3790related programs.
3791.It Va ldconfig_paths
3792.Pq Vt str
3793Set to the list of shared library paths to use with
3794.Xr ldconfig 8 .
3795NOTE:
3796.Pa /lib
3797and
3798.Pa /usr/lib
3799will always be added first, so they need not appear in this list.
3800.It Va ldconfig32_paths
3801.Pq Vt str
3802Set to the list of 32-bit compatibility shared library paths to
3803use with
3804.Xr ldconfig 8 .
3805.It Va ldconfig_insecure
3806.Pq Vt bool
3807The
3808.Xr ldconfig 8
3809utility normally refuses to use directories
3810which are writable by anyone except root.
3811Set this variable to
3812.Dq Li YES
3813to disable that security check during system startup.
3814.It Va ldconfig_local_dirs
3815.Pq Vt str
3816Set to the list of local
3817.Xr ldconfig 8
3818directories.
3819The names of all files in the directories listed will be
3820passed as arguments to
3821.Xr ldconfig 8 .
3822.It Va ldconfig_local32_dirs
3823.Pq Vt str
3824Set to the list of local 32-bit compatibility
3825.Xr ldconfig 8
3826directories.
3827The names of all files in the directories listed will be
3828passed as arguments to
3829.Dq Nm ldconfig Fl 32 .
3830.It Va kern_securelevel_enable
3831.Pq Vt bool
3832Set to
3833.Dq Li YES
3834to set the kernel security level at system startup.
3835.It Va kern_securelevel
3836.Pq Vt int
3837The kernel security level to set at startup.
3838The allowed range of
3839.Ar value
3840ranges from \-1 (the compile time default) to 3 (the
3841most secure).
3842See
3843.Xr security 7
3844for the list of possible security levels and their effect
3845on system operation.
3846.It Va sshd_program
3847.Pq Vt str
3848Path to the SSH server program
3849.Pa ( /usr/sbin/sshd
3850is the default).
3851.It Va sshd_enable
3852.Pq Vt bool
3853Set to
3854.Dq Li YES
3855to start
3856.Xr sshd 8
3857at system boot time.
3858Note, the
3859.Va sshd_oomprotect
3860variable is set to
3861.Dq Li YES
3862by default in
3863.Pa /etc/defaults/rc.conf .
3864.It Va sshd_flags
3865.Pq Vt str
3866If
3867.Va sshd_enable
3868is set to
3869.Dq Li YES ,
3870these are the flags to pass to the
3871.Xr sshd 8
3872daemon.
3873.It Va ftpd_program
3874.Pq Vt str
3875Path to the FTP server program
3876.Pa ( /usr/libexec/ftpd
3877is the default).
3878.It Va ftpd_enable
3879.Pq Vt bool
3880Set to
3881.Dq Li YES
3882to start
3883.Xr ftpd 8
3884as a stand-alone daemon at system boot time.
3885.It Va ftpd_flags
3886.Pq Vt str
3887If
3888.Va ftpd_enable
3889is set to
3890.Dq Li YES ,
3891these are the additional flags to pass to the
3892.Xr ftpd 8
3893daemon.
3894.It Va watchdogd_enable
3895.Pq Vt bool
3896If set to
3897.Dq Li YES ,
3898start the
3899.Xr watchdogd 8
3900daemon at boot time.
3901This requires that the kernel have been compiled with a
3902.Xr watchdog 4
3903compatible device.
3904.It Va watchdogd_flags
3905.Pq Vt str
3906If
3907.Va watchdogd_enable
3908is set to
3909.Dq Li YES ,
3910these are the flags passed to the
3911.Xr watchdogd 8
3912daemon.
3913.It Va watchdogd_timeout
3914.Pq Vt int
3915If
3916.Va watchdogd_enable
3917is set to
3918.Dq Li YES ,
3919this is a timeout that will be used by the
3920.Xr watchdogd 8
3921daemon.
3922If this option is set, it overrides
3923.Fl t
3924in
3925.Va watchdogd_flags .
3926.It Va watchdogd_shutdown_timeout
3927.Pq Vt int
3928If
3929.Va watchdogd_enable
3930is set to
3931.Dq Li YES ,
3932this is a timeout that will be set by the
3933.Xr watchdogd 8
3934daemon when it exits during the system shutdown.
3935This timeout will not be set when returning to the single-user mode
3936or when the watchdogd service is stopped individually using the
3937.Xr service 8
3938command or the rc.d script.
3939Note that the timeout will be applied if
3940.Xr watchdogd 8
3941is stopped outside of
3942.Xr rc 8
3943framework.
3944If this option is set, it overrides
3945.Fl x
3946in
3947.Va watchdogd_flags .
3948.It Va devfs_rulesets
3949.Pq Vt str
3950List of files containing sets of rules for
3951.Xr devfs 8 .
3952.It Va devfs_system_ruleset
3953.Pq Vt str
3954Rule name(s) to apply to the system
3955.Pa /dev
3956itself.
3957.It Va devfs_set_rulesets
3958.Pq Vt str
3959Pairs of already-mounted
3960.Pa dev
3961directories and rulesets that should be applied to them.
3962For example: /mount/dev=ruleset_name
3963.It Va devfs_load_rulesets
3964.Pq Vt bool
3965If set, always load the default rulesets listed in
3966.Va devfs_rulesets .
3967.It Va performance_cx_lowest
3968.Pq Vt str
3969CPU idle state to use while on AC power.
3970The string
3971.Dq Li LOW
3972indicates that
3973.Xr acpi 4
3974should use the lowest power state available while
3975.Dq Li HIGH
3976indicates that the lowest latency state (less power savings) should be used.
3977.It Va performance_cpu_freq
3978.Pq Vt str
3979CPU clock frequency to use while on AC power.
3980The string
3981.Dq Li LOW
3982indicates that
3983.Xr cpufreq 4
3984should use the lowest frequency available while
3985.Dq Li HIGH
3986indicates that the highest frequency (less power savings) should be used.
3987.It Va economy_cx_lowest
3988.Pq Vt str
3989CPU idle state to use when off AC power.
3990The string
3991.Dq Li LOW
3992indicates that
3993.Xr acpi 4
3994should use the lowest power state available while
3995.Dq Li HIGH
3996indicates that the lowest latency state (less power savings) should be used.
3997.It Va economy_cpu_freq
3998.Pq Vt str
3999CPU clock frequency to use when off AC power.
4000The string
4001.Dq Li LOW
4002indicates that
4003.Xr cpufreq 4
4004should use the lowest frequency available while
4005.Dq Li HIGH
4006indicates that the highest frequency (less power savings) should be used.
4007.It Va jail_enable
4008.Pq Vt bool
4009If set to
4010.Dq Li NO ,
4011any configured jails will not be started.
4012.It Va jail_conf
4013.Pq Vt str
4014The configuration filename used by
4015.Xr jail 8
4016utility.
4017The default value is
4018.Pa /etc/jail.conf .
4019.Pa /etc/jail\&. Ns Ao Va jname Ac Ns Pa .conf
4020and
4021.Pa /etc/jail.conf.d/ Ns Ao Va jname Ac Ns Pa .conf
4022will also be used if
4023.Ao Va jname Ac
4024is set in
4025.Va jail_list .
4026.It Va jail_parallel_start
4027.Pq Vt bool
4028If set to
4029.Dq Li YES ,
4030all configured jails will be started in the background (in parallel).
4031.It Va jail_flags
4032.Pq Vt str
4033Unset by default.
4034When set, use as default value for
4035.Va jail_ Ns Ao Ar jname Ac Ns Va _flags
4036for every jail in
4037.Va jail_list .
4038.It Va jail_list
4039.Pq Vt str
4040A space-delimited list of jail names.
4041When left empty, all of the
4042.Xr jail 8
4043instances defined in the configuration file are started.
4044The names specified in this list control the jail startup order.
4045.Xr jail 8
4046instances missing from
4047.Va jail_list
4048must be started manually.
4049Note that a jail's
4050.Va depend
4051parameter in the configuration file may override this list.
4052.It Va jail_reverse_stop
4053.Pq Vt bool
4054When set to
4055.Dq Li YES ,
4056all configured jails in
4057.Va jail_list
4058are stopped in reverse order.
4059.It Va jail_ Ns * variables
4060Note that older releases supported per-jail configuration via
4061.Nm
4062variables.
4063For example,
4064hostname of a jail named
4065.Li vjail
4066was able to be set by
4067.Li jail_vjail_hostname .
4068These per-jail configuration variables are now obsolete in favor of
4069.Xr jail 8
4070configuration file.
4071For backward compatibility,
4072when per-jail configuration variables are defined,
4073.Xr jail 8
4074configuration files are created as
4075.Pa /var/run/jail . Ns Ao Ar jname Ac Ns Pa .conf
4076and used.
4077.Pp
4078The following per-jail parameters are handled by
4079.Pa rc.d/jail
4080script out of their corresponding
4081.Nm
4082variables.
4083In addition to them, parameters in
4084.Va jail_ Ns Ao Ar jname Ac Ns Va _parameters
4085will be added to the configuration file.
4086They must be a semi-colon
4087.Pq Ql \&;
4088delimited list of
4089.Dq key=value .
4090For more details,
4091see
4092.Xr jail 8
4093manual page.
4094.Bl  -tag -width "host.hostname" -offset indent
4095.It Li path
4096set from
4097.Va jail_ Ns Ao Ar jname Ac Ns Va _rootdir
4098.It Li host.hostname
4099set from
4100.Va jail_ Ns Ao Ar jname Ac Ns Va _hostname
4101.It Li exec.consolelog
4102set from
4103.Va jail_ Ns Ao Ar jname Ac Ns Va _consolelog .
4104The default value is
4105.Pa /var/log/jail_ Ns Ao Ar jname Ac Ns Pa _console.log .
4106.It Li interface
4107set from
4108.Va jail_ Ns Ao Ar jname Ac Ns Va _interface .
4109.It Li vnet.interface
4110set from
4111.Va jail_ Ns Ao Ar jname Ac Ns Va _vnet_interface .
4112This implies
4113.Li vnet
4114parameter will be enabled and cannot be specified with
4115.Va jail_ Ns Ao Ar jname Ac Ns Va _interface ,
4116.Va jail_ Ns Ao Ar jname Ac Ns Va _ip
4117and/or
4118.Va jail_ Ns Ao Ar jname Ac Ns Va _ip_multi Ns Aq Ar n
4119at the same time.
4120.It Li fstab
4121set from
4122.Va jail_ Ns Ao Ar jname Ac Ns Va _fstab
4123.It Li mount
4124set from
4125.Va jail_ Ns Ao Ar jname Ac Ns Va _procfs_enable .
4126.It Li exec.fib
4127set from
4128.Va jail_ Ns Ao Ar jname Ac Ns Va _fib
4129.It Li exec.start
4130set from
4131.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_start .
4132The parameter name was
4133.Li command
4134in some older releases.
4135.It Li exec.prestart
4136set from
4137.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_prestart
4138.It Li exec.poststart
4139set from
4140.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_poststart
4141.It Li exec.stop
4142set from
4143.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_stop
4144.It Li exec.prestop
4145set from
4146.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_prestop
4147.It Li exec.poststop
4148set from
4149.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_poststop
4150.It Li ip4.addr
4151set if
4152.Va jail_ Ns Ao Ar jname Ac Ns Va _ip
4153or
4154.Va jail_ Ns Ao Ar jname Ac Ns Va _ip_multi Ns Aq Ar n
4155contain IPv4 addresses
4156.It Li ip6.addr
4157set if
4158.Va jail_ Ns Ao Ar jname Ac Ns Va _ip
4159or
4160.Va jail_ Ns Ao Ar jname Ac Ns Va _ip_multi Ns Aq Ar n
4161contain IPv6 addresses
4162.It Li allow.mount
4163set from
4164.Va jail_ Ns Ao Ar jname Ac Ns Va _mount_enable
4165.It Li mount.devfs
4166set from
4167.Va jail_ Ns Ao Ar jname Ac Ns Va _devfs_enable
4168.It Li devfs_ruleset
4169set from
4170.Va jail_ Ns Ao Ar jname Ac Ns Va _devfs_ruleset .
4171This must be an integer,
4172not a string.
4173.It Li mount.fdescfs
4174set from
4175.Va jail_ Ns Ao Ar jname Ac Ns Va _fdescfs_enable
4176.It Li allow.set_hostname
4177set from
4178.Va jail_ Ns Ao Ar jname Ac Ns Va _set_hostname_allow
4179.It Li allow.rawsocket
4180set from
4181.Va jail_ Ns Ao Ar jname Ac Ns Va _socket_unixiproute_only
4182.It Li allow.sysvipc
4183set from
4184.Va jail_ Ns Ao Ar jname Ac Ns Va _sysvipc_allow
4185.El
4186.\" -----------------------------------------------------
4187.It Va harvest_mask
4188.Pq Vt int
4189Set to a bit-mask
4190representing the entropy sources
4191you wish to harvest.
4192Refer to
4193.Xr random 4
4194for more information.
4195.It Va entropy_dir
4196.Pq Vt str
4197Set to
4198.Dq Li NO
4199to disable caching entropy via
4200.Xr cron 8 .
4201Otherwise set to the directory
4202in which the entropy files are stored.
4203To be useful,
4204there must be
4205a system cron job
4206that regularly writes and rotates
4207files here.
4208All files found
4209will be used at boot time.
4210The default is
4211.Pa /var/db/entropy .
4212.It Va entropy_file
4213.Pq Vt str
4214Set to
4215.Dq Li NO
4216to disable caching entropy through reboots.
4217Otherwise set to the name
4218of a file used to store cached entropy.
4219This file should be located
4220on a file system that is readable
4221before all the volumes specified in
4222.Xr fstab 5
4223are mounted.
4224By default,
4225.Pa /entropy
4226is used,
4227but if
4228.Pa /var/db/entropy-file
4229is found it will also be used.
4230This will be of some use to
4231.Xr bsdinstall 8 .
4232.It Va entropy_boot_file
4233.Pq Vt str
4234Set to
4235.Dq Li NO
4236to disable
4237very early caching entropy
4238through reboots.
4239Otherwise set to the filename
4240used to read
4241very early reboot cached entropy.
4242This file should be located where
4243.Xr loader 8
4244can read it.
4245See also
4246.Xr loader.conf 5 .
4247The default location is
4248.Pa /boot/entropy .
4249.It Va entropy_save_sz
4250.Pq Vt int
4251Size of the entropy cache files saved by
4252.Nm save-entropy
4253periodically.
4254.It Va entropy_save_num
4255.Pq Vt int
4256Number of entropy cache files to save by
4257.Nm save-entropy
4258periodically.
4259.It Va ipsec_enable
4260.Pq Vt bool
4261Set to
4262.Dq Li YES
4263to run
4264.Xr setkey 8
4265on
4266.Va ipsec_file
4267at boot time.
4268.It Va ipsec_file
4269.Pq Vt str
4270Configuration file for
4271.Xr setkey 8 .
4272.It Va dmesg_enable
4273.Pq Vt bool
4274Set to
4275.Dq Li YES
4276to save
4277.Xr dmesg 8
4278to
4279.Pa /var/run/dmesg.boot
4280on boot.
4281.It Va rcshutdown_timeout
4282.Pq Vt int
4283If set, start a watchdog timer in the background which will terminate
4284.Pa rc.shutdown
4285if
4286.Xr shutdown 8
4287has not completed within the specified time (in seconds).
4288Notice that in addition to this soft timeout,
4289.Xr init 8
4290also applies a hard timeout for the execution of
4291.Pa rc.shutdown .
4292This is configured via
4293.Xr sysctl 8
4294variable
4295.Va kern.init_shutdown_timeout
4296and defaults to 120 seconds.
4297Setting the value of
4298.Va rcshutdown_timeout
4299to more than 120 seconds will have no effect until the
4300.Xr sysctl 8
4301variable
4302.Va kern.init_shutdown_timeout
4303is also increased.
4304.It Va virecover_enable
4305.Pq Vt bool
4306Set to
4307.Dq Li NO
4308to prevent the system from trying to
4309recover prematurely terminated
4310.Xr vi 1
4311sessions.
4312.It Va ugidfw_enable
4313.Pq Vt bool
4314Set to
4315.Dq Li YES
4316to load the
4317.Xr mac_bsdextended 4
4318module upon system initialization and load a default
4319ruleset file.
4320.It Va bsdextended_script
4321.Pq Vt str
4322The default
4323.Xr mac_bsdextended 4
4324ruleset file to load.
4325The default value of this variable is
4326.Pa /etc/rc.bsdextended .
4327.It Va newsyslog_enable
4328.Pq Vt bool
4329If set to
4330.Dq Li YES ,
4331run
4332.Xr newsyslog 8
4333command at startup.
4334.It Va newsyslog_flags
4335.Pq Vt str
4336If
4337.Va newsyslog_enable
4338is set to
4339.Dq Li YES ,
4340these are the flags to pass to the
4341.Xr newsyslog 8
4342program.
4343The default is
4344.Dq Li -CN ,
4345which causes log files flagged with a
4346.Cm C
4347to be created.
4348.It Va mdconfig_md Ns Aq Ar X
4349.Pq Vt str
4350Arguments to
4351.Xr mdconfig 8
4352for
4353.Xr md 4
4354device
4355.Ar X .
4356At minimum a
4357.Fl t Ar type
4358must be specified and either a
4359.Fl s Ar size
4360for malloc or swap backed
4361.Xr md 4
4362devices or a
4363.Fl f Ar file
4364for vnode backed
4365.Xr md 4
4366devices.
4367Note that
4368.Va mdconfig_md Ns Aq Ar X
4369variables are evaluated until one variable is unset or null.
4370.It Va mdconfig_md Ns Ao Ar X Ac Ns Va _newfs
4371.Pq Vt str
4372Optional arguments passed to
4373.Xr newfs 8
4374to initialize
4375.Xr md 4
4376device
4377.Ar X .
4378.It Va mdconfig_md Ns Ao Ar X Ac Ns Va _owner
4379.Pq Vt str
4380An ownership specification passed to
4381.Xr chown 8
4382after the specified
4383.Xr md 4
4384device
4385.Ar X
4386has been mounted.
4387Both the
4388.Xr md 4
4389device and the mount point will be changed.
4390.It Va mdconfig_md Ns Ao Ar X Ac Ns Va _perms
4391.Pq Vt str
4392A mode string passed to
4393.Xr chmod 1
4394after the specified
4395.Xr md 4
4396device
4397.Ar X
4398has been mounted.
4399Both the
4400.Xr md 4
4401device and the mount point will be changed.
4402.It Va mdconfig_md Ns Ao Ar X Ac Ns Va _files
4403.Pq Vt str
4404Files to be copied to the mount point of the
4405.Xr md 4
4406device
4407.Ar X
4408after it has been mounted.
4409.It Va mdconfig_md Ns Ao Ar X Ac Ns Va _cmd
4410.Pq Vt str
4411Command to execute after the specified
4412.Xr md 4
4413device
4414.Ar X
4415has been mounted.
4416Note that the command is passed to
4417.Ic eval
4418and that both
4419.Va _dev
4420and
4421.Va _mp
4422variables can be used to reference respectively the
4423.Xr md 4
4424device and the mount point.
4425Assuming that the
4426.Xr md 4
4427device is
4428.Li md0 ,
4429one could set the following:
4430.Bd -literal
4431mdconfig_md0_cmd="tar xfzC /var/file.tgz \e${_mp}"
4432.Ed
4433.It Va autobridge_interfaces
4434.Pq Vt str
4435Set to the list of bridge interfaces that will have newly arriving interfaces
4436checked against to be automatically added.
4437If not set to
4438.Dq Li NO
4439then for each whitespace separated
4440.Ar element
4441in the value, a
4442.Va autobridge_ Ns Aq Ar element
4443variable is assumed to exist which has a whitespace separated list of interface
4444names to match, these names can use wildcards.
4445For example:
4446.Bd -literal
4447autobridge_interfaces="bridge0"
4448autobridge_bridge0="tap* dc0 vlan[345]"
4449.Ed
4450.It Va mixer_enable
4451.Pq Vt bool
4452If set to
4453.Dq Li YES ,
4454enable support for sound mixer.
4455.It Va hcsecd_enable
4456.Pq Vt bool
4457If set to
4458.Dq Li YES ,
4459enable Bluetooth security daemon.
4460.It Va hcsecd_config
4461.Pq Vt str
4462Configuration file for
4463.Xr hcsecd 8 .
4464Default
4465.Pa /etc/bluetooth/hcsecd.conf .
4466.It Va sdpd_enable
4467.Pq Vt bool
4468If set to
4469.Dq Li YES ,
4470enable Bluetooth Service Discovery Protocol daemon.
4471.It Va sdpd_control
4472.Pq Vt str
4473Path to
4474.Xr sdpd 8
4475control socket.
4476Default
4477.Pa /var/run/sdp .
4478.It Va sdpd_groupname
4479.Pq Vt str
4480Sets
4481.Xr sdpd 8
4482group to run as after it initializes.
4483Default
4484.Dq Li nobody .
4485.It Va sdpd_username
4486.Pq Vt str
4487Sets
4488.Xr sdpd 8
4489user to run as after it initializes.
4490Default
4491.Dq Li nobody .
4492.It Va bthidd_enable
4493.Pq Vt bool
4494If set to
4495.Dq Li YES ,
4496enable Bluetooth Human Interface Device daemon.
4497.It Va bthidd_config
4498.Pq Vt str
4499Configuration file for
4500.Xr bthidd 8 .
4501Default
4502.Pa /etc/bluetooth/bthidd.conf .
4503.It Va bthidd_hids
4504.Pq Vt str
4505Path to a file, where
4506.Xr bthidd 8
4507will store information about known HID devices.
4508Default
4509.Pa /var/db/bthidd.hids .
4510.It Va rfcomm_pppd_server_enable
4511.Pq Vt bool
4512If set to
4513.Dq Li YES ,
4514enable Bluetooth RFCOMM PPP wrapper daemon.
4515.It Va rfcomm_pppd_server_profile
4516.Pq Vt str
4517The name of the profile to use from
4518.Pa /etc/ppp/ppp.conf .
4519Multiple profiles can be specified here.
4520Also used to specify per-profile overrides.
4521When the profile name contains any of the characters
4522.Dq Li .-/+
4523they are translated to
4524.Dq Li _
4525for the proposes of the override variable names.
4526.It Va rfcomm_pppd_server_ Ns Ao Ar profile Ac Ns _bdaddr
4527.Pq Vt str
4528Overrides local address to listen on.
4529By default
4530.Xr rfcomm_pppd 8
4531will listen on
4532.Dq Li ANY
4533address.
4534The address can be specified as BD_ADDR or name.
4535.It Va rfcomm_pppd_server_ Ns Ao Ar profile Ac Ns _channel
4536.Pq Vt str
4537Overrides local RFCOMM channel to listen on.
4538By default
4539.Xr rfcomm_pppd 8
4540will listen on RFCOMM channel 1.
4541Must set properly if multiple profiles used in the same time.
4542.It Va rfcomm_pppd_server_ Ns Ao Ar profile Ac Ns _register_sp
4543.Pq Vt bool
4544Tells
4545.Xr rfcomm_pppd 8
4546if it should register Serial Port service on the specified RFCOMM channel.
4547Default
4548.Dq Li NO .
4549.It Va rfcomm_pppd_server_ Ns Ao Ar profile Ac Ns _register_dun
4550.Pq Vt bool
4551Tells
4552.Xr rfcomm_pppd 8
4553if it should register Dial-Up Networking service on the specified
4554RFCOMM channel.
4555Default
4556.Dq Li NO .
4557.It Va ubthidhci_enable
4558.Pq Vt bool
4559If set to
4560.Dq Li YES ,
4561change the USB Bluetooth controller from HID mode to HCI mode.
4562You also need to specify the location of USB Bluetooth controller with the
4563.Va ubthidhci_busnum
4564and
4565.Va ubthidhci_addr
4566variables.
4567.It Va ubthidhci_busnum
4568Bus number where the USB Bluetooth controller is located.
4569Check the output of
4570.Xr usbconfig 8
4571on your system to find this information.
4572.It Va ubthidhci_addr
4573Bus address of the USB Bluetooth controller.
4574Check the output of
4575.Xr usbconfig 8
4576on your system to find this information.
4577.It Va utx_enable
4578.Pq Vt bool
4579Set to
4580.Dq Li YES
4581to enable user accounting through the
4582.Xr utx 8
4583facility.
4584.It Va netwait_enable
4585.Pq Vt bool
4586If set to
4587.Dq Li YES ,
4588delays the start of network-reliant services until
4589.Va netwait_if
4590is up and ICMP packets to a destination defined in
4591.Va netwait_ip
4592are flowing.
4593Link state is examined first, followed by
4594.Dq Li pinging
4595an IP address to verify network usability.
4596If no destination can be reached or timeouts are exceeded,
4597network services are started anyway with no guarantee that
4598the network is usable.
4599Use of this variable requires both
4600.Va netwait_ip
4601and
4602.Va netwait_if
4603to be set.
4604.It Va netwait_ip
4605.Pq Vt str
4606Empty by default.
4607This variable contains a space-delimited list of IP addresses to
4608.Xr ping 8 .
4609DNS hostnames should not be used as resolution is not guaranteed
4610to be functional at this point.
4611If multiple IP addresses are specified,
4612each will be tried until one is successful or the list is exhausted.
4613.It Va netwait_timeout
4614.Pq Vt int
4615Indicates the total number of seconds to perform a
4616.Dq Li ping
4617against each IP address in
4618.Va netwait_ip ,
4619at a rate of one ping per second.
4620If any of the pings are successful,
4621full network connectivity is considered reliable.
4622The default is 60.
4623.It Va netwait_if
4624.Pq Vt str
4625Empty by default.
4626Defines the name of the network interface on which watch for link.
4627.Xr ifconfig 8
4628is used to monitor the interface, looking for
4629.Dq Li status: no carrier .
4630Once gone, the link is considered up.
4631This can be a
4632.Xr vlan 4
4633interface if desired.
4634.It Va netwait_if_timeout
4635.Pq Vt int
4636Defines the total number of seconds to wait for link to become usable,
4637polled at a 1-second interval.
4638The default is 30.
4639.It Va rctl_enable
4640.Pq Vt bool
4641If set to
4642.Dq Li YES ,
4643load
4644.Xr rctl 8
4645rules from the defined ruleset.
4646The kernel must be built with
4647.Cd "options RACCT"
4648and
4649.Cd "options RCTL" .
4650.It Va rctl_rules
4651.Pq Vt str
4652Set to
4653.Pa /etc/rctl.conf
4654by default.
4655This variables contains the
4656.Xr rctl.conf 5
4657ruleset to load for
4658.Xr rctl 8 .
4659.It Va iovctl_files
4660.Pq Vt str
4661A space-separated list of configuration files used by
4662.Xr iovctl 8 .
4663The default value is an empty string.
4664.It Va autofs_enable
4665.Pq Vt bool
4666If set to
4667.Dq Li YES ,
4668start the
4669.Xr automount 8
4670utility and the
4671.Xr automountd 8
4672and
4673.Xr autounmountd 8
4674daemons at boot time.
4675.It Va automount_flags
4676.Pq Vt str
4677If
4678.Va autofs_enable
4679is set to
4680.Dq Li YES ,
4681these are the flags to pass to the
4682.Xr automount 8
4683program.
4684By default no flags are passed.
4685.It Va automountd_flags
4686.Pq Vt str
4687If
4688.Va autofs_enable
4689is set to
4690.Dq Li YES ,
4691these are the flags to pass to the
4692.Xr automountd 8
4693daemon.
4694By default no flags are passed.
4695.It Va autounmountd_flags
4696.Pq Vt str
4697If
4698.Va autofs_enable
4699is set to
4700.Dq Li YES ,
4701these are the flags to pass to the
4702.Xr autounmountd 8
4703daemon.
4704By default no flags are passed.
4705.It Va ctld_enable
4706.Pq Vt bool
4707If set to
4708.Dq Li YES ,
4709start the
4710.Xr ctld 8
4711daemon at boot time.
4712.It Va iscsid_enable
4713.Pq Vt bool
4714If set to
4715.Dq Li YES ,
4716start the
4717.Xr iscsid 8
4718daemon at boot time.
4719.It Va iscsictl_enable
4720.Pq Vt bool
4721If set to
4722.Dq Li YES ,
4723start the
4724.Xr iscsictl 8
4725utility at boot time.
4726.It Va iscsictl_flags
4727.Pq Vt str
4728If
4729.Va iscsictl_enable
4730is set to
4731.Dq Li YES ,
4732these are the flags to pass to the
4733.Xr iscsictl 8
4734program.
4735The default is
4736.Dq Li -Aa ,
4737which configures sessions based on the
4738.Pa /etc/iscsi.conf
4739configuration file.
4740.It Va cfumass_enable
4741.Pq Vt bool
4742If set to
4743.Dq Li YES ,
4744create and export an USB LUN using
4745.Xr cfumass 4
4746at boot time.
4747.It Va cfumass_dir
4748.Pq Vt str
4749The directory where the files exported by USB LUN are located.
4750The default directory is
4751.Pa /var/cfumass .
4752.It Va service_delete_empty
4753.Pq Vt bool
4754If set to
4755.Dq Li YES ,
4756.Ql Li service delete
4757removes empty
4758.Dq Li rc.conf.d
4759files.
4760.It Va zfs_bootonce_activate
4761.Pq Vt bool
4762If set to
4763.Dq Li YES ,
4764and a boot environment marked bootonce is successfully booted,
4765it will be made permanently active.
4766.It Va zfskeys_enable
4767.Pq Vt bool
4768If set to
4769.Dq Li YES ,
4770enable auto-loading of encryption keys for encrypted ZFS datasets.
4771For every dataset the script will first load the appropriate encryption key
4772and then attempt to unlock the dataset.
4773.Pp
4774The script operates only on datasets which are encrypted with
4775ZFS native encryption
4776and have a ZFS
4777.Dq Li keylocation
4778dataset property beginning with
4779.Dq Li file:// .
4780.It Va zfskeys_datasets
4781.Pq Vt str
4782A whitespace-separated list of ZFS datasets to unlock.
4783The list is empty by default,
4784which means that the script will attempt to unlock all datasets.
4785.It Va zfskeys_timeout
4786.Pq Vt int
4787Define the total number of seconds to wait for the zfskeys script
4788to unlock an encrypted dataset.
4789The default is 10.
4790.It Va sendmail_enable
4791.Pq Vt str
4792If set to
4793.Dq Li YES ,
4794run the
4795.Xr sendmail 8
4796daemon at system boot time.
4797If set to
4798.Dq Li NO ,
4799do not run a
4800.Xr sendmail 8
4801daemon to listen for incoming network mail.
4802This does not preclude a
4803.Xr sendmail 8
4804daemon listening on the SMTP port of the loopback interface.
4805The
4806.Dq Li NONE
4807option sets each
4808.Va sendmail_enable ,
4809.Va sendmail_submit_enable ,
4810.Va sendmail_outbound_enable ,
4811.Va sendmail_msp_queue_enable
4812to
4813.Dq Li NO .
4814.It Va sendmail_cert_create
4815.Pq Vt str
4816If
4817.Va sendmail_enable
4818is set to
4819.Dq Li YES ,
4820create a signed certificate
4821.Pa /etc/mail/certs/host.cert
4822representing
4823.Pa /etc/mail/certs/host.key
4824by the CA certificate in
4825.Pa /etc/mail/certs/cacert.pem .
4826This will enable connecting hosts to negotiate STARTTLS allowing incoming
4827email to be encrypted in transit.
4828.Xr sendmail 8
4829needs to be configured to use these generated files.
4830The default configuration in
4831.Pa /etc/mail/freebsd.mc
4832has the required options in it.
4833.It Va sendmail_cert_cn
4834.Pq Vt str
4835If
4836.Va sendmail_enable
4837is set to
4838.Dq Li YES
4839and
4840.Va sendmail_cert_create
4841is set to
4842.Dq Li YES ,
4843this is the Common Name (CN) of the certificate that will be created.
4844If
4845.Va sendmail_cert_cn
4846is not set, the system's hostname will be used.
4847If there is no hostname set,
4848.Dq Li amnesiac
4849will be used.
4850.It Va sendmail_flags
4851.Pq Vt str
4852If
4853.Va sendmail_enable
4854is set to
4855.Dq Li YES ,
4856these are the flags to pass to the
4857.Xr sendmail 8
4858daemon.
4859.It Va sendmail_submit_enable
4860.Pq Vt bool
4861If set to
4862.Dq Li YES
4863and
4864.Va sendmail_enable
4865is set to
4866.Dq Li NO ,
4867run
4868.Xr sendmail 8
4869using
4870.Va sendmail_submit_flags
4871instead of
4872.Va sendmail_flags .
4873This is intended to allow local mail submission via
4874a localhost-only listening SMTP service required for running
4875.Xr sendmail 8
4876as a non-set-user-ID binary.
4877Note that this does not work inside
4878.Xr jail 2
4879systems, as jails do not allow binding to just the localhost interface.
4880.It Va sendmail_submit_flags
4881.Pq Vt str
4882If
4883.Va sendmail_enable
4884is set to
4885.Dq Li NO
4886and
4887.Va sendmail_submit_enable
4888is set to
4889.Dq Li YES ,
4890these are the flags to pass to the
4891.Xr sendmail 8
4892daemon.
4893.It Va sendmail_outbound_enable
4894.Pq Vt bool
4895If set to
4896.Dq Li YES
4897and both
4898.Va sendmail_enable
4899and
4900.Va sendmail_submit_enable
4901are set to
4902.Dq Li NO ,
4903run
4904.Xr sendmail 8
4905using
4906.Va sendmail_outbound_flags
4907instead of
4908.Va sendmail_flags .
4909This is intended to allow local mail queue management
4910for systems that do not offer a listening SMTP service.
4911.It Va sendmail_outbound_flags
4912.Pq Vt str
4913If both
4914.Va sendmail_enable
4915and
4916.Va sendmail_submit_enable
4917are set to
4918.Dq Li NO
4919and
4920.Va sendmail_outbound_enable
4921is set to
4922.Dq Li YES ,
4923these are the flags to pass to the
4924.Xr sendmail 8
4925daemon.
4926.It Va sendmail_msp_queue_enable
4927.Pq Vt bool
4928If set to
4929.Dq Li YES ,
4930start a client (MSP) queue runner
4931.Xr sendmail 8
4932daemon at system boot time.
4933As of sendmail 8.12, a separate queue is used for command line
4934submissions.
4935The client queue runner ensures that nothing is
4936left behind in the submission queue.
4937.It Va sendmail_msp_queue_flags
4938.Pq Vt str
4939If
4940.Va sendmail_msp_queue_enable
4941is set to
4942daemon.
4943.Dq Li YES ,
4944these are the flags to pass to the
4945.Xr sendmail 8
4946.El
4947.Sh SERVICE JAILS
4948The service jails part of the rc system automatically puts a service
4949into a jail.
4950This jail inherits the filesystem and various other parts of the
4951parent (if you allow child-jails in your jails, service jails
4952can be used in jails) depending on the content of the
4953.Ao Ar name Ac Ns Va _svcj_options
4954variable.
4955Typically this variable is set inside rc scripts, but it can be
4956overriden in the rc config.
4957Valid options for
4958.Ao Ar name Ac Ns Va _svcj_options
4959are:
4960.Bl -tag -width indent-two
4961.It mlock
4962Allows to lock memory pages into the physical memory.
4963.It netv4
4964Inherit the IPv4 address and allows to open reserved ports.
4965This can not be combined with
4966.Pa netv6 .
4967.It netv6
4968Inherit the IPv6 address and allows to open reserved ports.
4969This can not be combined with
4970.Pa netv4 .
4971.It net_basic
4972Inherits the IPv4 and IPv6 addresses and allows to open
4973reserved ports.
4974.It net_raw
4975Allow to open raw sockets.
4976This option can be combined with
4977.Pa netv4 ,
4978.Pa netv6 ,
4979.Pa net_basic .
4980.It net_all
4981Inherits the IPv4 and IPv6 addresses, allows to open reserved
4982ports, allows to open raw sockets, and allows to open sockets
4983of protocol stacks that have not had jail functionality added
4984to them.
4985.It nfsd
4986Allows to run nfsd and affiliated daemons.
4987.It sysvipc
4988Inherits the SysV semaphores, SysV shared memory and
4989SysV messages from the host or the parent jail.
4990.It sysvipcnew
4991Creates a new namespace for SysV semaphores, SysV shared memory
4992and SysV messages for this particular service jail.
4993.It vmm
4994Allows access to
4995.Xr vmm 4 .
4996This option is only available when
4997.Xr vmm 4
4998is enabled in the kernel.
4999.El
5000
5001All non-network options can be combined with all other options.
5002From the SysV options only one option can be specified.
5003
5004If the
5005.Ao Ar name Ac Ns Va _svcj
5006variable is set to
5007.Dq Li YES ,
5008this particular service is started in a
5009service jail named
5010.Va svcj- Ns Ar name .
5011
5012The
5013.Va svcj_all_enable
5014variable allows to enable service jails for all services of the
5015system at once.
5016Services which have
5017.Ao Ar name Ac Ns Va _svcj
5018set to
5019.Dq Li NO
5020are excluded.
5021Some services may set
5022.Ao Ar name Ac Ns Va _svcj
5023to
5024.Dq Li NO
5025in the script to either prevent service jails for this
5026service at all, or may set it to
5027.Dq Li NO
5028if it is not set in the
5029rc config, to exclude it from
5030.Va svcj_all_enable
5031but allow to explicitely enable it.
5032The sshd service for example would not see other jails, if
5033it would run as a service jail.
5034This may or may not be what is needed, and as such it is
5035excluded from
5036.Va svcj_all_enable
5037but can be enabled via setting
5038.Va sshd_svcj
5039to
5040.Dq Li YES .
5041.Sh FILES
5042.Bl -tag -width "/etc/defaults/rc.conf" -compact
5043.It Pa /etc/defaults/rc.conf
5044.It Pa /etc/defaults/vendor.conf
5045.It Pa /etc/rc.conf
5046.It Pa /etc/rc.conf.local
5047.It Pa /etc/rc.conf.d/
5048.El
5049.Sh SEE ALSO
5050.Xr chmod 1 ,
5051.Xr cpuset 1 ,
5052.Xr gdb 1 Pq Pa ports/devel/gdb ,
5053.Xr kbdcontrol 1 ,
5054.Xr limits 1 ,
5055.Xr protect 1 ,
5056.Xr sh 1 ,
5057.Xr umask 1 ,
5058.Xr uuidgen 1 ,
5059.Xr vi 1 ,
5060.Xr vidcontrol 1 ,
5061.Xr bridge 4 ,
5062.Xr dummynet 4 ,
5063.Xr ip 4 ,
5064.Xr ipf 4 ,
5065.Xr ipfw 4 ,
5066.Xr ipnat 4 ,
5067.Xr kld 4 ,
5068.Xr pf 4 ,
5069.Xr pflog 4 ,
5070.Xr pfsync 4 ,
5071.Xr tcp 4 ,
5072.Xr udp 4 ,
5073.Xr exports 5 ,
5074.Xr fstab 5 ,
5075.Xr ipf 5 ,
5076.Xr ipnat 5 ,
5077.Xr jail.conf 5 ,
5078.Xr loader.conf 5 ,
5079.Xr login.conf 5 ,
5080.Xr motd 5 ,
5081.Xr newsyslog.conf 5 ,
5082.Xr pf.conf 5 ,
5083.Xr firewall 7 ,
5084.Xr growfs 7 ,
5085.Xr security 7 ,
5086.Xr tuning 7 ,
5087.Xr accton 8 ,
5088.Xr apm 8 ,
5089.Xr bsdinstall 8 ,
5090.Xr bthidd 8 ,
5091.Xr chkprintcap 8 ,
5092.Xr chown 8 ,
5093.Xr cron 8 ,
5094.Xr devfs 8 ,
5095.Xr dhclient 8 ,
5096.Xr ftpd 8 ,
5097.Xr geli 8 ,
5098.Xr hcsecd 8 ,
5099.Xr ifconfig 8 ,
5100.Xr inetd 8 ,
5101.Xr iovctl 8 ,
5102.Xr ipf 8 ,
5103.Xr ipfw 8 ,
5104.Xr ipnat 8 ,
5105.Xr jail 8 ,
5106.Xr kldxref 8 ,
5107.Xr loader 8 ,
5108.Xr lpd 8 ,
5109.Xr makewhatis 8 ,
5110.Xr mdconfig 8 ,
5111.Xr mdmfs 8 ,
5112.Xr mixer 8 ,
5113.Xr mountd 8 ,
5114.Xr moused 8 ,
5115.Xr newfs 8 ,
5116.Xr newsyslog 8 ,
5117.Xr nfsd 8 ,
5118.Xr ntpd 8 ,
5119.Xr ntpdate 8 ,
5120.Xr pfctl 8 ,
5121.Xr pflogd 8 ,
5122.Xr ping 8 ,
5123.Xr powerd 8 ,
5124.Xr quotacheck 8 ,
5125.Xr quotaon 8 ,
5126.Xr rc 8 ,
5127.Xr rc.subr 8 ,
5128.Xr rcorder 8 ,
5129.Xr rfcomm_pppd 8 ,
5130.Xr route 8 ,
5131.Xr route6d 8 ,
5132.Xr routed 8 ,
5133.Xr rpc.lockd 8 ,
5134.Xr rpc.statd 8 ,
5135.Xr rpc.tlsclntd 8 ,
5136.Xr rpc.tlsservd 8 ,
5137.Xr rpcbind 8 ,
5138.Xr rwhod 8 ,
5139.Xr savecore 8 ,
5140.Xr sdpd 8 ,
5141.Xr sendmail 8 ,
5142.Xr service 8 ,
5143.Xr sshd 8 ,
5144.Xr swapon 8 ,
5145.Xr sysctl 8 ,
5146.Xr syslogd 8 ,
5147.Xr sysrc 8 ,
5148.Xr unbound 8 ,
5149.Xr usbconfig 8 ,
5150.Xr utx 8 ,
5151.Xr wlandebug 8 ,
5152.Xr yp 8 ,
5153.Xr ypbind 8 ,
5154.Xr ypserv 8 ,
5155.Xr ypset 8
5156.Sh HISTORY
5157The
5158.Nm
5159file appeared in
5160.Fx 2.2.2 .
5161.Sh AUTHORS
5162.An Jordan K. Hubbard .
5163