xref: /freebsd/share/man/man5/rc.conf.5 (revision 53bb5613a8a15363718b6e6de8d965bf9a2c5469)
.\" Copyright (c) 1995
.\"	Jordan K. Hubbard
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd May 22, 2024
.Dt RC.CONF 5
.Os
.Sh NAME
.Nm rc.conf
.Nd system configuration information
.Sh DESCRIPTION
The file
.Nm
contains descriptive information about the local host name, configuration
details for any potential network interfaces and which services should be
started up at system initial boot time.
In new installations, the
.Nm
file is generally initialized by the system installation utility.
.Pp
The purpose of
.Nm
is not to run commands or perform system startup actions
directly.
Instead, it is included by the
various generic startup scripts in
.Pa /etc
which conditionalize their
internal actions according to the settings found there.
.Pp
The
.Pa /etc/rc.conf
file is included from the file
.Pa /etc/defaults/rc.conf ,
which specifies the default settings for all the available options.
Options need only be specified in
.Pa /etc/rc.conf
when the system administrator wishes to override these defaults.
The file
.Pa /etc/defaults/vendor.conf
allows vendors to override
.Fx
defaults.
The file
.Pa /etc/rc.conf.local
is used to override settings in
.Pa /etc/rc.conf
for historical reasons.
.Pp
The
.Xr sysrc 8
command provides a scripting interface to modify system
config files.
.Pp
In addition to
.Pa /etc/rc.conf.local
you can also place smaller configuration files for each
.Xr rc 8
script in the
.Pa /etc/rc.conf.d
directory or
.Ao Ar dir Ac Ns Pa /rc.conf.d
directories (where
.Ao Ar dir Ac
is each entry specified in
.Va local_startup ,
but with any trailing
.Pa /rc.d
stripped),
which will be included by the
.Va load_rc_config
function.
For jail configurations you could use the file
.Pa /etc/rc.conf.d/jail
to store jail-specific configuration options.
If
.Va local_startup
contains
.Pa /usr/local/etc/rc.d
and
.Pa /opt/conf ,
.Pa /usr/local/etc/rc.conf.d/jail
and
.Pa /opt/conf/rc.conf.d/jail
will be loaded.
If
.Ao Ar dir Ac Ns Pa /rc.conf.d/ Ns Ao Ar name Ac
is a directory,
all of the files in the directory will be loaded.
Also see the
.Va rc_conf_files
variable below.
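The per-service lookup described above pulls in files from several directories, and each of them is read as sh(1) assignments by the startup scripts, so their permissions are worth checking.
The following sh functions are an added example, not part of rc.subr or of the original manual page: they list the files that the described lookup covers for one service and report those (or their containing directory) that are writable by group or other.
The function names and the ROOT prefix argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from rc.subr): enumerate the per-service rc.conf.d files
# described above and flag the ones that group or other may modify.
# Function names and the ROOT prefix argument are assumptions of this example.

# rc_conf_d_candidates ROOT NAME LOCAL_STARTUP
# Print one path per line for every existing file that the described lookup
# covers for service NAME.  ROOT is prepended to each path so that a mounted
# image or a test tree can be inspected; pass "" for the running system.
rc_conf_d_candidates() (
    root=$1
    name=$2
    local_startup=$3
    # /etc is always searched.  local_startup is a whitespace-separated list,
    # so it is left unquoted on purpose.
    for dir in /etc $local_startup; do
        dir=${dir%/rc.d}                  # strip one trailing /rc.d
        path=$root$dir/rc.conf.d/$name
        if [ -d "$path" ]; then
            # A directory: every regular file inside it is loaded.
            for f in "$path"/*; do
                if [ -f "$f" ]; then
                    printf '%s\n' "$f"
                fi
            done
        elif [ -f "$path" ]; then
            printf '%s\n' "$path"
        fi
    done
)

# rc_conf_d_loose ROOT NAME LOCAL_STARTUP
# Print each candidate file, or directory holding one, whose mode grants
# write permission to group or other.
rc_conf_d_loose() (
    rc_conf_d_candidates "$1" "$2" "$3" |
    while IFS= read -r f; do
        # -prune stops find from descending: only the file and its
        # parent directory are tested, nothing below them.
        find "$f" "$(dirname "$f")" -prune \
            \( -perm -020 -o -perm -002 \) -print
    done | sort -u
)

# Stand-alone use: sh audit.sh NAME "LOCAL_STARTUP"
if [ "$#" -ge 2 ]; then
    rc_conf_d_loose "" "$1" "$2"
fi
```

Run as, for instance, sh audit.sh jail "/usr/local/etc/rc.d /opt/conf"; no output means that no covered file or directory is group- or world-writable.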
.Pp
Options are set with
.Dq Ar name Ns Li = Ns Ar value
assignments that use
.Xr sh 1
syntax.
The following list provides a name and short description for each
variable that can be set in the
.Nm
file:
.Bl -tag -width indent-two
.It Va rc_debug
.Pq Vt bool
If set to
.Dq Li YES ,
enable output of debug messages from rc scripts.
This variable can be helpful in diagnosing mistakes when
editing or integrating new scripts.
Beware that this produces copious output to the terminal and
.Xr syslog 3 .
.It Va rc_info
.Pq Vt bool
If set to
.Dq Li NO ,
disable informational messages from the rc scripts.
Informational messages are displayed when
a condition that is not serious enough to warrant a warning or
an error occurs.
.It Va rc_startmsgs
.Pq Vt bool
If set to
.Dq Li YES ,
show
.Dq Starting foo:
when faststart is used (e.g., at boot time).
.It Va early_late_divider
.Pq Vt str
The name of the script that should be used as the
delimiter between the
.Dq early
and
.Dq late
stages of the boot process.
The early stage should contain all the services needed to
get the disks (local or remote) mounted so that the late
stage can include scripts contained in the directories
listed in the
.Va local_startup
variable (see below).
Thus, the two likely candidates for this value are
.Pa mountcritlocal
for the typical system, and
.Pa mountcritremote
if the system needs remote file
systems mounted to get access to the
.Va local_startup
directories; for example when
.Pa /usr/local
is NFS mounted.
For
.Pa rc.conf
within a
.Xr jail 8
.Pa NETWORKING
is likely to be an appropriate value.
Extreme care should be taken when changing this value,
and before changing it one should ensure that there are
adequate provisions to recover from a failed boot
(such as physical contact with the machine,
or reliable remote console access).
.It Va always_force_depends
.Pq Vt bool
Various
.Pa rc.d
scripts use the force_depend function to check whether required
services are already running, and to start them if necessary.
By default during boot time this check is bypassed if the
required service is enabled in
.Pa /etc/rc.conf[.local] .
Setting this option will bypass that check at boot time and
always test whether or not the service is actually running.
Enabling this option is likely to increase your boot time if
services are enabled that utilize the force_depend check.
.It Ao Ar name Ac Ns Va _chroot
.Pq Vt str
.Xr chroot 8
to this directory before running the service.
.It Ao Ar name Ac Ns Va _cpuset
.Pq Vt str
A list of CPUs to run the service on.
Passed to
.Xr cpuset 1
using the
.Fl l
flag.
.It Ao Ar name Ac Ns Va _fib
.Pq Vt int
The
.Xr setfib 1
value to run the service under.
.It Ao Ar name Ac Ns Va _group
.Pq Vt str
Run the chrooted service under this system group.
Unlike the
.Ao Ar name Ac Ns Va _user
setting, this setting has no effect if the service is not chrooted.
.It Ao Ar name Ac Ns Va _limits
.Pq Vt str
Resource limits to apply to the service using
.Xr limits 1 .
By default, resource limits are based on the login class defined in
.Ao Ar name Ac Ns Va _login_class .
.It Ao Ar name Ac Ns Va _login_class
.Pq Vt str
Login class to be used with
.Ao Ar name Ac Ns Va _limits .
Defaults to
.Dq Li daemon .
.It Ao Ar name Ac Ns Va _nice
.Pq Vt int
The
.Xr nice 1
value to run the service under.
.It Ao Ar name Ac Ns Va _oomprotect
.Pq Vt str
Use
.Xr protect 1
to prevent the service from being killed when swap space
is exhausted.
Use
.Dq Li YES
to protect only the service itself, and
.Dq Li ALL
to protect the service and all its child processes.
.Pp
Please note that rc scripts which redefine
.Dl ${argument}_cmd
.Pq see Xr rc.subr 8
such as PostgreSQL will not inherit the OOM killer protection.
.Pp
This variable has no effect on services running within a
.Xr jail 8 .
.It Ao Ar name Ac Ns Va _setup
.Pq Vt str
Run the specified setup script right before starting the actual service
command.
Useful for automatic configuration file generation.
.It Ao Ar name Ac Ns Va _umask
.Pq Vt int
Run the service using this
.Xr umask 1
value.
.It Ao Ar name Ac Ns Va _user
.Pq Vt str
Run the service under this user account.
.It Ao Ar name Ac Ns Va _svcj
.Pq Vt bool
If set to
.Dq Li YES ,
auto-jail the service with inherited filesystem and other
jail properties depending on
.Ao Ar name Ac Ns Va _svcj_options .
.It Ao Ar name Ac Ns Va _svcj_options
.Pq Vt str
A list of jail properties for the service.
See
.Sx SERVICE JAILS
for a list of valid properties.
.It Va apm_enable
.Pq Vt bool
If set to
.Dq Li YES ,
enable support for Automatic Power Management with
the
.Xr apm 8
command.
.It Va apmd_enable
.Pq Vt bool
Run
.Xr apmd 8
to handle APM events from userland.
This also enables support for APM.
.It Va apmd_flags
.Pq Vt str
If
.Va apmd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr apmd 8
daemon.
.It Va devd_enable
.Pq Vt bool
Run
.Xr devd 8
to handle device added, removed or unknown events from the kernel.
.It Va ddb_enable
.Pq Vt bool
Run
.Xr ddb 8
to install
.Xr ddb 4
scripts at boot time.
.It Va ddb_config
.Pq Vt str
Configuration file for
.Xr ddb 8 .
Default
.Pa /etc/ddb.conf .
.It Va devmatch_enable
.Pq Vt bool
If set to
.Dq Li NO ,
disable auto-loading of kernel modules with
.Xr devmatch 8 .
.It Va devmatch_blocklist
.Pq Vt str
A whitespace-separated list of kernel modules to be ignored by
.Xr devmatch 8 .
In addition, the
.Xr kenv 1
.Va devmatch_blocklist
is appended to this variable to allow disabling of
.Xr devmatch 8
loaded modules from the boot loader.
.It Va devmatch_blacklist
.Pq Vt str
This variable is deprecated.
Use
.Va devmatch_blocklist
instead.
A whitespace-separated list of kernel modules to be ignored by
.Xr devmatch 8 .
.It Va kld_list
.Pq Vt str
A whitespace-separated list of kernel modules to load right after
the local disks are mounted, without any
.Pa .ko
extension or path.
.It Va kldxref_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Set to
.Dq Li YES
to automatically rebuild
.Pa linker.hints
files with
.Xr kldxref 8
at boot time.
.It Va kldxref_clobber
.Pq Vt bool
Set to
.Dq Li NO
by default.
If
.Va kldxref_enable
is true,
setting to
.Dq Li YES
will overwrite existing
.Pa linker.hints
files at boot time.
Otherwise,
only missing
.Pa linker.hints
files are generated.
.It Va kldxref_module_path
.Pq Vt str
Empty by default.
A semi-colon
.Pq Ql \&;
delimited list of paths containing
.Xr kld 4
modules.
If empty,
the contents of the
.Va kern.module_path
.Xr sysctl 8
are used.
.It Va powerd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
enable the system power control facility with the
.Xr powerd 8
daemon.
.It Va powerd_flags
.Pq Vt str
If
.Va powerd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr powerd 8
daemon.
.It Va svcj_all_enable
Enable auto-jailing of all services which are not explicitly
excluded.
See
.Sx SERVICE JAILS
for more info.
.It Va tmpmfs
Controls the creation of a
.Pa /tmp
memory file system.
Always happens if set to
.Dq Li YES
and never happens if set to
.Dq Li NO .
If set to anything else, a memory file system is created if
.Pa /tmp
is not writable.
.It Va tmpsize
Controls the size of a created
.Pa /tmp
memory file system.
.It Va tmpmfs_flags
Extra options passed to the
.Xr mdmfs 8
utility when the memory file system for
.Pa /tmp
is created.
The default is
.Dq Li "-S" ,
which inhibits the use of softupdates on
.Pa /tmp
so that file system space is freed without delay
after file truncation or deletion.
See
.Xr mdmfs 8
for other options you can use in
.Va tmpmfs_flags .
.It Va varmfs
Controls the creation of a
.Pa /var
memory file system.
Always happens if set to
.Dq Li YES
and never happens if set to
.Dq Li NO .
If set to anything else, a memory file system is created if
.Pa /var
is not writable.
.It Va varsize
Controls the size of a created
.Pa /var
memory file system.
.It Va varmfs_flags
Extra options passed to the
.Xr mdmfs 8
utility when the memory file system for
.Pa /var
is created.
The default is
.Dq Li "-S" ,
which inhibits the use of softupdates on
.Pa /var
so that file system space is freed without delay
after file truncation or deletion.
See
.Xr mdmfs 8
for other options you can use in
.Va varmfs_flags .
.It Va populate_var
Controls the automatic population of the
.Pa /var
file system.
Always happens if set to
.Dq Li YES
and never happens if set to
.Dq Li NO .
If set to anything else, a memory file system is created if
.Pa /var
is not writable.
Note that this process requires access to certain commands in
.Pa /usr
before
.Pa /usr
is mounted on normal systems.
.It Va cleanvar_enable
.Pq Vt bool
Clean the
.Pa /var
directory.
.It Va var_run_enable
.Pq Vt bool
Set to "YES" to enable saving of the
.Pa /var/run
directory structure into an mtree file at shutdown and the reload of the
.Pa /var/run
directory structure at boot.
.It Va var_run_autosave
.Pq Vt bool
In some cases it may be undesirable to save
.Pa /var/run
at shutdown.
When set to "NO"
.Pa /var/run
is loaded at reboot but not saved at shutdown.
Typically in this scenario
.Ql service var_run save
would be performed to save a copy of the
.Pa /var/run
directory structure once, to be reloaded during all subsequent reboots.
.It Va var_run_mtree
.Pq Vt str
Where to save the
.Pa /var/run
mtree.
The default location is
.Pa /var/db/mtree/BSD.var-run.mtree .
.It Va local_startup
.Pq Vt str
List of directories to search for startup script files.
.It Va script_name_sep
.Pq Vt str
The field separator to use for breaking down the list of startup script files
into individual filenames.
The default is a space.
It is not necessary to change this unless there are startup scripts with names
containing spaces.
.It Va hostapd_enable
.Pq Vt bool
Set to
.Dq Li YES
to start
.Xr hostapd 8
at system boot time.
.It Va hostname
.Pq Vt str
The fully qualified domain name (FQDN) of this host on the network.
This should almost certainly be set to something meaningful, even if
there is no network connection.
If
.Xr dhclient 8
is used to set the hostname via DHCP,
this variable should be set to an empty string.
Within a
.Xr jail 8
the hostname is generally already set and this variable may be absent.
If this value remains unset when the system is done booting
your console login will display the default hostname of
.Dq Amnesiac .
.It Va nisdomainname
.Pq Vt str
The NIS domain name of this host, or
.Dq Li NO
if NIS is not used.
.It Va hostid_enable
.Pq Vt bool
If set to
.Dq Li NO ,
disable the generation or saving of the
.Pa hostid
and
.Pa machine-id
files at system boot and shutdown.
.It Va hostid_file
.Pq Vt str
Path to the
.Pa hostid
file, default
.Pa /etc/hostid .
.It Va hostid_uuidgen_flags
.Pq Vt str
Flags passed to
.Xr uuidgen 1
when generating a software host UUID.
This is used only if the system cannot determine a hardware UUID.
Set to
.Dq Li -r
by default.
.It Va machine_id_file
.Pq Vt str
Path to the
.Pa machine-id
file, default
.Pa /etc/machine-id .
.It Va dhclient_program
.Pq Vt str
Path to the DHCP client program, defaulting to
.Pa /sbin/dhclient .
.It Va dhclient_flags
.Pq Vt str
Additional flags to pass to the DHCP client program.
See the
.Xr dhclient 8
manpage for a description of the command line options available.
.It Va dhclient_flags_ Ns Aq Ar iface
Additional flags to pass to the DHCP client program running on
.Ar iface
only.
When specified, this variable overrides
.Va dhclient_flags .
.It Va background_dhclient
.Pq Vt bool
Set to
.Dq Li YES
to start the DHCP client in background.
This can cause trouble with applications depending on
a working network, but it will provide a faster startup
in many cases.
.It Va background_dhclient_ Ns Aq Ar iface
When specified, this variable overrides the
.Va background_dhclient
variable for interface
.Ar iface
only.
.It Va dhclient_arpwait
.Pq Vt bool
Set to
.Dq Li NO
to stop
.Xr dhclient 8
from waiting for ARP resolution, to make the system boot faster.
This may be done on networks where the DHCP server is certain to
know whether an address is available.
.It Va synchronous_dhclient
.Pq Vt bool
Set to
.Dq Li YES
to start
.Xr dhclient 8
synchronously at startup.
This behavior can be overridden on a per-interface basis by replacing
the
.Dq Li DHCP
keyword in the
.Va ifconfig_ Ns Aq Ar interface
variable with
.Dq Li SYNCDHCP
or
.Dq Li NOSYNCDHCP .
.It Va defaultroute_delay
.Pq Vt int
When set to a positive value, wait up to this long after configuring
DHCP interfaces at startup to give the interfaces time to receive a lease.
.It Va firewall_enable
.Pq Vt bool
Set to
.Dq Li YES
to load firewall rules at startup.
If the kernel was not built with
.Cd "options IPFIREWALL" ,
the
.Pa ipfw.ko
kernel module will be loaded.
See also
.Va ipfilter_enable .
.It Va firewall_script
.Pq Vt str
This variable specifies the full path to the firewall script to run.
The default is
.Pa /etc/rc.firewall .
.It Va firewall_type
.Pq Vt str
Names the firewall type from the selection in
.Pa /etc/rc.firewall ,
or the file which contains the local firewall ruleset.
Valid selections from
.Pa /etc/rc.firewall
are:
.Pp
.Bl -tag -width ".Li workstation" -compact
.It Li open
unrestricted IP access
.It Li closed
all IP services disabled, except via
.Dq Li lo0
.It Li client
basic protection for a workstation
.It Li workstation
basic protection for a workstation using stateful firewalling
.It Li simple
basic protection for a LAN.
.El
.Pp
If a filename is specified, the full path
must be given.
.Pp
Most of the predefined rulesets define additional configuration variables.
These are documented in
.Pa /etc/rc.firewall .
.It Va firewall_quiet
.Pq Vt bool
Set to
.Dq Li YES
to disable the display of firewall rules on the console during boot.
.It Va firewall_logging
.Pq Vt bool
Set to
.Dq Li YES
to enable firewall event logging.
This is equivalent to the
.Dv IPFIREWALL_VERBOSE
kernel option.
.It Va firewall_logif
.Pq Vt bool
Set to
.Dq Li YES
to create pseudo interface
.Li ipfw0
for logging.
For more details, see
.Xr ipfw 8
manual page.
.It Va firewall_flags
.Pq Vt str
Flags passed to
.Xr ipfw 8
if
.Va firewall_type
specifies a filename.
.It Va firewall_coscripts
.Pq Vt str
List of executables and/or rc scripts to run after firewall starts/stops.
Default is empty.
.\" ----- firewall_nat_enable setting --------------------------------
.It Va firewall_nat_enable
.Pq Vt bool
The
.Xr ipfw 8
equivalent of
.Va natd_enable .
Setting this to
.Dq Li YES
will automatically load the
.Xr ipfw 8
NAT kernel module if
.Va firewall_enable
is also set to
.Dq Li YES .
.It Va firewall_nat_interface
.Pq Vt str
The
.Xr ipfw 8
equivalent of
.Va natd_interface .
This is the name of the public interface or IP address on which
kernel NAT should run.
.It Va firewall_nat_flags
.Pq Vt str
Additional configuration parameters for kernel NAT should be placed here.
.It Va firewall_nat64_enable
.Pq Vt bool
Setting this to
.Dq Li YES
will automatically load the
.Xr ipfw 8
NAT64 kernel module if
.Va firewall_enable
is also set to
.Dq Li YES .
.It Va firewall_nptv6_enable
.Pq Vt bool
Setting this to
.Dq Li YES
will automatically load the
.Xr ipfw 8
NPTv6 kernel module if
.Va firewall_enable
is also set to
.Dq Li YES .
.It Va firewall_pmod_enable
.Pq Vt bool
Setting this to
.Dq Li YES
will automatically load the
.Xr ipfw 8
pmod kernel module if
.Va firewall_enable
is also set to
.Dq Li YES .
.It Va dummynet_enable
.Pq Vt bool
Setting this to
.Dq Li YES
will automatically load the
.Xr dummynet 4
module if
.Va firewall_enable
is also set to
.Dq Li YES .
.\" -------------------------------------------------------------------
.It Va ipfw_netflow_enable
.Pq Vt bool
Setting this to
.Dq Li YES
will enable netflow logging via
.Xr ng_netflow 4 .
.Pp
By default an ipfw rule is inserted and all packets are duplicated with
the ngtee command and netflow packets are sent to 127.0.0.1 on the netflow
port using protocol version 5.
.It Va ipfw_netflow_hook
.Pq Vt int
Netflow hook name; must be numerical
(default
.Pa 9995 ) .
.It Va ipfw_netflow_rule
.Pq Vt int
ipfw rule number
(default
.Pa 1000 ) .
.It Va ipfw_netflow_ip
.Pq Vt str
Destination server IP for receiving netflow data
(default
.Pa 127.0.0.1 ) .
.It Va ipfw_netflow_port
.Pq Vt int
Destination server port for receiving netflow data
(default
.Pa 9995 ) .
.It Va ipfw_netflow_version
.Pq Vt int
Leave unset to use version 5 of the netflow protocol; set it to 9 to use
version 9.
.It Va ipfw_netflow_fib
.Pq Vt int
Only match packets in FIB
.Pa ipfw_netflow_fib
(default is undefined meaning all FIBs).
.It Va natd_program
.Pq Vt str
Path to
.Xr natd 8 .
.It Va natd_enable
.Pq Vt bool
Set to
.Dq Li YES
to enable
.Xr natd 8 .
.Va firewall_enable
must also be set to
.Dq Li YES ,
and
.Xr divert 4
sockets must be enabled in the kernel.
If the kernel was not built with
.Cd "options IPDIVERT" ,
the
.Pa ipdivert.ko
kernel module will be loaded.
.It Va natd_interface
.Pq Vt str
This is the name of the public interface on which
.Xr natd 8
should run.
The interface may be given as an interface name or as an IP address.
.It Va natd_flags
.Pq Vt str
Additional
.Xr natd 8
flags should be placed here.
The
.Fl n
or
.Fl a
flag is automatically added with the above
.Va natd_interface
as an argument.
.\" ----- ipfilter_enable setting --------------------------------
.It Va ipfilter_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Setting this to
.Dq Li YES
enables
.Xr ipf 8
packet filtering.
.Pp
Typical usage will require putting
.Bd -literal
ipfilter_enable="YES"
ipnat_enable="YES"
ipmon_enable="YES"
ipfs_enable="YES"
.Ed
.Pp
into
.Pa /etc/rc.conf
and editing
.Pa /etc/ipf.rules
and
.Pa /etc/ipnat.rules
appropriately.
.Pp
Note that
.Va ipfilter_enable
and
.Va ipnat_enable
can be enabled independently.
.Va ipmon_enable
and
.Va ipfs_enable
both require at least one of
.Va ipfilter_enable
and
.Va ipnat_enable
to be enabled.
.Pp
Having
.Bd -literal
options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK
.Ed
.Pp
in the kernel configuration file is a good idea, too.
.\" ----- ipfilter_program setting ------------------------------
.It Va ipfilter_program
.Pq Vt str
Path to
.Xr ipf 8
(default
.Pa /sbin/ipf ) .
.\" ----- ipfilter_rules setting --------------------------------
.It Va ipfilter_rules
.Pq Vt str
Set to
.Pa /etc/ipf.rules
by default.
This variable contains the name of the filter rule definition file.
The file is expected to be readable for the
.Xr ipf 8
command to execute.
.\" ----- ipfilter_flags setting --------------------------------
.It Va ipfilter_flags
.Pq Vt str
Empty by default.
This variable contains flags passed to the
.Xr ipf 8
program.
.\" ----- ipnat_enable setting ----------------------------------
.It Va ipnat_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Set it to
.Dq Li YES
to enable
.Xr ipnat 8
network address translation.
See
.Va ipfilter_enable
for a detailed discussion.
.\" ----- ipnat_program setting ---------------------------------
.It Va ipnat_program
.Pq Vt str
Path to
.Xr ipnat 8
(default
.Pa /sbin/ipnat ) .
.\" ----- ipnat_rules setting -----------------------------------
.It Va ipnat_rules
.Pq Vt str
Set to
.Pa /etc/ipnat.rules
by default.
This variable contains the name of the file
holding the network address translation definition.
This file is expected to be readable for the
.Xr ipnat 8
command to execute.
.\" ----- ipnat_flags setting -----------------------------------
.It Va ipnat_flags
.Pq Vt str
Empty by default.
This variable contains flags passed to the
.Xr ipnat 8
program.
.\" ----- ipmon_enable setting ----------------------------------
.It Va ipmon_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Set it to
.Dq Li YES
to enable
.Xr ipmon 8
monitoring (logging
.Xr ipf 8
and
.Xr ipnat 8
events).
Setting this variable needs setting
.Va ipfilter_enable
or
.Va ipnat_enable
too.
See
.Va ipfilter_enable
for a detailed discussion.
.\" ----- ipmon_program setting ---------------------------------
.It Va ipmon_program
.Pq Vt str
Path to
.Xr ipmon 8
(default
.Pa /sbin/ipmon ) .
.\" ----- ipmon_flags setting -----------------------------------
.It Va ipmon_flags
.Pq Vt str
Set to
.Dq Li -Ds
by default.
This variable contains flags passed to the
.Xr ipmon 8
program.
Another typical example would be
.Dq Fl D Pa /var/log/ipflog
to have
.Xr ipmon 8
log directly to a file bypassing
.Xr syslogd 8 .
Make sure to adjust
.Pa /etc/newsyslog.conf
in such case like this:
.Bd -literal
/var/log/ipflog  640  10  100  *  Z  /var/run/ipmon.pid
.Ed
.\" ----- ipfs_enable setting -----------------------------------
.It Va ipfs_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Set it to
.Dq Li YES
to enable
.Xr ipfs 8
saving the filter and NAT state tables during shutdown
and reloading them during startup again.
Setting this variable needs setting
.Va ipfilter_enable
or
.Va ipnat_enable
to
.Dq Li YES
too.
See
.Va ipfilter_enable
for a detailed discussion.
Note that if
.Va kern_securelevel
is set to 3,
.Va ipfs_enable
cannot be used
because the raised securelevel will prevent
.Xr ipfs 8
from saving the state tables at shutdown time.
.\" ----- ipfs_program setting ----------------------------------
.It Va ipfs_program
.Pq Vt str
Path to
.Xr ipfs 8
(default
.Pa /sbin/ipfs ) .
.\" ----- ipfs_flags setting ------------------------------------
.It Va ipfs_flags
.Pq Vt str
Empty by default.
This variable contains flags passed to the
.Xr ipfs 8
program.
.\" ----- end of added ipf hook ---------------------------------
.It Va pf_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Setting this to
.Dq Li YES
enables
.Xr pf 4
packet filtering.
.Pp
Typical usage will require putting
.Pp
.Dl pf_enable="YES"
.Pp
into
.Pa /etc/rc.conf
and editing
.Pa /etc/pf.conf
appropriately.
Adding
.Pp
.Dl "device pf"
.Pp
builds support for
.Xr pf 4
into the kernel, otherwise the
kernel module will be loaded.
.It Va pf_rules
.Pq Vt str
Path to
.Xr pf 4
ruleset configuration file
(default
.Pa /etc/pf.conf ) .
.It Va pf_program
.Pq Vt str
Path to
.Xr pfctl 8
(default
.Pa /sbin/pfctl ) .
.It Va pf_flags
.Pq Vt str
If
.Va pf_enable
is set to
.Dq Li YES ,
these flags are passed to the
.Xr pfctl 8
program when loading the ruleset.
.It Va pf_fallback_rules_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Setting this to
.Dq Li YES
enables loading
.Va pf_fallback_rules_file
or
.Va pf_fallback_rules
in case of a problem when loading the ruleset in
.Va pf_rules .
.It Va pf_fallback_rules_file
.Pq Vt str
Path to a pf ruleset to load in case of failure when loading the
ruleset in
.Va pf_rules
(default
.Pa /etc/pf-fallback.conf ) .
.It Va pf_fallback_rules
.Pq Vt str
A pf ruleset to load in case of failure when loading the ruleset in
.Va pf_rules
and
.Va pf_fallback_rules_file
is not found.
Multiple rules can be set as follows:
.Bd -literal
pf_fallback_rules="\\
	block drop log all\\
	pass in quick on em0"
.Ed
.Pp
The default fallback rule is
.Dq block drop log all .
.It Va pflog_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Setting this to
.Dq Li YES
enables
.Xr pflogd 8
which logs packets from the
.Xr pf 4
packet filter.
.It Va pflog_logfile
.Pq Vt str
If
.Va pflog_enable
is set to
.Dq Li YES
this controls where
.Xr pflogd 8
stores the logfile
(default
.Pa /var/log/pflog ) .
Check
.Pa /etc/newsyslog.conf
to adjust logfile rotation for this.
.It Va pflog_program
.Pq Vt str
Path to
.Xr pflogd 8
(default
.Pa /sbin/pflogd ) .
.It Va pflog_flags
.Pq Vt str
Empty by default.
This variable contains additional flags passed to the
.Xr pflogd 8
program.
.It Va pflog_instances
.Pq Vt str
If logging to more than one
.Xr pflog 4
interface is desired,
.Va pflog_instances
is set to the list of
.Xr pflogd 8
instances that should be started at system boot time.
If
.Va pflog_instances
is set, for each whitespace-separated
.Ar element
in the list,
.Ao Ar element Ac Ns Va _dev
and
.Ao Ar element Ac Ns Va _logfile
elements are assumed to exist.
.Ao Ar element Ac Ns Va _dev
must contain the
.Xr pflog 4
interface to be watched by the named
.Xr pflogd 8
instance.
.Ao Ar element Ac Ns Va _logfile
must contain the name of the logfile that will be used by the
.Xr pflogd 8
instance.
.It Va ftpproxy_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Setting this to
.Dq Li YES
enables
.Xr ftp-proxy 8
which supports the
.Xr pf 4
packet filter in translating ftp connections.
.It Va ftpproxy_flags
.Pq Vt str
Empty by default.
This variable contains additional flags passed to the
.Xr ftp-proxy 8
program.
.It Va ftpproxy_instances
.Pq Vt str
Empty by default.
If multiple instances of
.Xr ftp-proxy 8
are desired at boot time,
.Va ftpproxy_instances
should contain a whitespace-separated list of instance names.
For each
.Ar element
in the list, a variable named
.Ao Ar element Ac Ns Va _flags
should be defined, containing the command-line flags to be passed to the
.Xr ftp-proxy 8
instance.
.It Va pfsync_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Setting this to
.Dq Li YES
enables exposing
.Xr pf 4
state changes to other hosts over the network by means of
.Xr pfsync 4 .
The
.Va pfsync_syncdev
variable
must also be set in that case.
.It Va pfsync_syncdev
.Pq Vt str
Empty by default.
This variable specifies the name of the network interface
.Xr pfsync 4
should operate through.
It must be set accordingly if
.Va pfsync_enable
is set to
.Dq Li YES .
.It Va pfsync_syncpeer
.Pq Vt str
Empty by default.
This variable is optional.
By default, state change messages are sent out on the synchronisation
interface using IP multicast packets.
The protocol is IP protocol 240, PFSYNC, and the multicast group used is
224.0.0.240.
When a peer address is specified using the
.Va pfsync_syncpeer
option, the peer address is used as a destination for the pfsync
traffic, and the traffic can then be protected using
.Xr ipsec 4 .
See the
.Xr pfsync 4
manpage for more details about using
.Xr ipsec 4
with
.Xr pfsync 4
interfaces.
.It Va pfsync_ifconfig
.Pq Vt str
Empty by default.
This variable can contain additional options to be passed to the
.Xr ifconfig 8
command used to set up
.Xr pfsync 4 .
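.Pp
The following check is an added example and not part of the FreeBSD sources.
It reads rc.conf text on standard input and flags the two pfsync conditions described above: an enabled pfsync with no sync interface, and multicast operation with no peer that IPsec could protect.
The function names and sample addresses are hypothetical, and only plain VAR="value" assignments in a single file are assumed.

```sh
#!/bin/sh
# Added example, not FreeBSD code. Function names are hypothetical.
# Assumes plain VAR="value" assignments in a single file; files listed in
# rc_conf_files and shell logic inside rc.conf are not evaluated.

# rc_get VAR: print the value of the last VAR= assignment found on stdin.
rc_get() {
    awk -v var="$1" '
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (index(line, var "=") != 1) next
        val = substr(line, length(var) + 2)
        sub(/[ \t]+#.*$/, "", val)      # trailing comment
        sub(/[ \t]+$/, "", val)         # trailing whitespace
        gsub(/^"|"$/, "", val)          # surrounding double quotes
        last = val
    }
    END { print last }'
}

# lint_pfsync: read rc.conf text on stdin, print findings, and exit non-zero
# when pfsync is enabled without a sync interface or without a unicast peer.
# The body runs in a subshell so its variables do not leak to the caller.
lint_pfsync() (
    conf=$(cat)
    enable=$(printf '%s\n' "$conf" | rc_get pfsync_enable)
    syncdev=$(printf '%s\n' "$conf" | rc_get pfsync_syncdev)
    syncpeer=$(printf '%s\n' "$conf" | rc_get pfsync_syncpeer)

    # Boolean rc.conf values are matched case-insensitively.
    case $enable in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) ;;
        *) echo "OK: pfsync is not enabled"; exit 0 ;;
    esac

    status=0
    if [ -z "$syncdev" ]; then
        echo "ERROR: pfsync_enable is set but pfsync_syncdev is empty"
        status=1
    fi
    if [ -z "$syncpeer" ]; then
        echo "WARN: pfsync_syncpeer is empty, state updates are multicast to 224.0.0.240"
        status=1
    else
        echo "INFO: state updates are sent to $syncpeer, check that an ipsec(4) policy covers this peer"
    fi
    exit "$status"
)

# Constructed sample: multicast on the sync interface (the default).
sample_multicast() {
    cat <<'EOF'
pfsync_enable="YES"
pfsync_syncdev="em1"
EOF
}

# Constructed sample: unicast to a named peer.
sample_unicast() {
    cat <<'EOF'
pfsync_enable="YES"
pfsync_syncdev="em1"
pfsync_syncpeer="192.0.2.2"   # constructed address
EOF
}

sample_multicast | lint_pfsync || true
sample_unicast | lint_pfsync
```

On a live system the same check is run as lint_pfsync < /etc/rc.conf.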
.It Va tcp_extensions
.Pq Vt bool
Set to
.Dq Li YES
by default.
Setting this to
.Dq Li NO
disables certain TCP options as described by
.Rs
.%T "RFC 1323"
.Re
Setting this to
.Dq Li NO
might help remedy connection problems such as random hangs
or other erratic behavior.
Some network devices are known
to be broken with respect to these options.
.It Va log_in_vain
.Pq Vt int
Set to 0 by default.
The
.Xr sysctl 8
variables,
.Va net.inet.tcp.log_in_vain
and
.Va net.inet.udp.log_in_vain ,
as described in
.Xr tcp 4
and
.Xr udp 4 ,
are set to the given value.
.It Va tcp_keepalive
.Pq Vt bool
Set to
.Dq Li YES
by default.
Setting to
.Dq Li NO
will disable probing idle TCP connections to verify that the
peer is still up and reachable.
.It Va tcp_drop_synfin
.Pq Vt bool
Set to
.Dq Li NO
by default.
Setting to
.Dq Li YES
will cause the kernel to ignore TCP frames that have both
the SYN and FIN flags set.
This prevents OS fingerprinting, but may
break some legitimate applications.
.It Va icmp_drop_redirect
.Pq Vt bool
Set to
.Dq Li AUTO
by default.
This setting behaves like
.Dq Li YES
if a dynamic routing daemon is enabled, because redirect processing may
cause performance issues for large routing tables.
If no such service is enabled, this setting behaves like
.Dq Li NO .
Setting to
.Dq Li YES
will cause the kernel to ignore ICMP REDIRECT packets.
Setting to
.Dq Li NO
will cause the kernel to process ICMP REDIRECT packets.
Refer to
.Xr icmp 4
for more information.
.It Va icmp_log_redirect
.Pq Vt bool
Set to
.Dq Li NO
by default.
Setting to
.Dq Li YES
will cause the kernel to log ICMP REDIRECT packets.
Note that
the log messages are not rate-limited, so this option should only be used
for troubleshooting networks.
Refer to
.Xr icmp 4
for more information.
.It Va icmp_bmcastecho
.Pq Vt bool
Set to
.Dq Li YES
to respond to broadcast or multicast ICMP ping packets.
Refer to
.Xr icmp 4
for more information.
.It Va ip_portrange_first
.Pq Vt int
If not set to
.Dq Li NO ,
this is the first port in the default portrange.
Refer to
.Xr ip 4
for more information.
.It Va ip_portrange_last
.Pq Vt int
If not set to
.Dq Li NO ,
this is the last port in the default portrange.
Refer to
.Xr ip 4
for more information.
.It Va network_interfaces
.Pq Vt str
Set to the list of network interfaces to configure on this host or
.Dq Li AUTO
(the default) for all current interfaces.
Setting the
.Va network_interfaces
variable to anything other than the default is deprecated.
Interfaces that the administrator wishes to store configuration for,
but not start at boot should be configured with the
.Dq Li NOAUTO
keyword in their
.Va ifconfig_ Ns Aq Ar interface
variables as described below.
.Pp
An
.Va ifconfig_ Ns Aq Ar interface
variable is assumed to exist for each value of
.Ar interface .
When an interface name contains any of the characters
.Dq Li .-/+
they are translated to
.Dq Li _
before lookup.
For example, the interface
.Va em0.102
would be configured using the variable
.Va ifconfig_em0_102 .
.Pp
The variable can contain arguments to
.Xr ifconfig 8 ,
as well as special case-insensitive keywords described below.
Such keywords are removed before passing the value to
.Xr ifconfig 8
while the order of the other arguments is preserved.
.Pp
For example, to assign the IPv4 address 192.0.2.1/24 to the interface em0:
.Bd -literal
ifconfig_em0="inet 192.0.2.1/24 up"
.Ed
.Pp
If the variable
.Va ifconfig_ Ns Ao Ar interface Ac Ns Pa _ipv6
is set, then
.Va ifconfig_ Ns Aq Ar interface
does not need to be set unless an IPv4 address should also be assigned to
the interface.
.Pp
It is possible to add IP alias entries using
.Xr ifconfig 8
syntax with the address family keyword such as
.Li inet .
Assuming that the interface in question was
.Li em0 ,
it might look something like this:
.Bd -literal
ifconfig_em0_alias0="inet 127.0.0.253/32"
ifconfig_em0_alias1="inet 127.0.0.254/32"
.Ed
.Pp
It is also possible to configure multiple IP addresses in Classless
Inter-Domain Routing
.Pq CIDR
address notation,
in which each address component can be a range like
.Li inet 192.0.2.5-23/24
or
.Li inet6 2001:db8:1-f::1/64 .
This notation allows only the address and prefix length parts,
not the other address modifiers.
Note that the maximum number of addresses generated from a range
specification is limited to the integer value specified in
.Va netif_ipexpand_max
in
.Nm
because a small typo can unexpectedly generate a large number of addresses.
The default value is
.Li 2048 .
It can be increased by adding the following line to
.Nm :
.Bd -literal
netif_ipexpand_max="4096"
.Ed
.Pp
In the case of
.Li 192.0.2.5-23/24 ,
the address 192.0.2.5 will be configured with the prefix length /24 and the
addresses 192.0.2.6 to 192.0.2.23 with the non-conflicting prefix length /32 as
explained in the
.Xr ifconfig 8
alias section.
Note that this special CIDR handling is only for
.Li inet ,
not for the other address families such as
.Li inet6 .
.Pp
With the interface in question being
.Li em0 ,
an example could look like:
.Bd -literal
ifconfig_em0_alias2="inet 192.0.2.129/27"
ifconfig_em0_alias3="inet 192.0.2.1-5/28"
.Ed
.Pp
and so on.
.Pp
Note that the deprecated
.Va ipv4_addrs_ Ns Aq Ar interface
variable was supported for IPv4 CIDR address notation.
The
.Va ifconfig_ Ns Ao Ar interface Ac Ns Va _alias Ns Aq Ar n
variable replaces it, though
.Va ipv4_addrs_ Ns Aq Ar interface
is still supported for backward compatibility.
.Pp
For each
.Va ifconfig_ Ns Ao Ar interface Ac Ns Va _alias Ns Aq Ar n
entry with an address family keyword,
its contents are passed to
.Xr ifconfig 8 .
Execution stops at the first unsuccessful access, so if
something like this is present:
.Bd -literal
ifconfig_em0_alias0="inet 127.0.0.251/32"
ifconfig_em0_alias1="inet 127.0.0.252/32"
ifconfig_em0_alias2="inet 127.0.0.253/32"
ifconfig_em0_alias4="inet 127.0.0.254/32"
.Ed
.Pp
then alias4 would
.Em not
be added since the search would
stop with the missing
.Dq Li alias3
entry.
Because this behavior is difficult to manage,
there is also an
.Va ifconfig_ Ns Ao Ar interface Ac Ns Va _aliases
variable, which has the same functionality as
.Va ifconfig_ Ns Ao Ar interface Ac Ns Va _alias Ns Aq Ar n
and can hold all of the entries in one variable, like the following:
.Bd -literal
ifconfig_em0_aliases="\\
	inet 127.0.0.251/32 \\
	inet 127.0.0.252/32 \\
	inet 127.0.0.253/32 \\
	inet 127.0.0.254/32"
.Ed
.Pp
It also supports netmask notation for backward compatibility.
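.Pp
The following audit helper is an added example and not part of the FreeBSD sources.
It reads rc.conf text on standard input and reports every numbered alias entry that sits behind a missing lower-numbered one, so an address that will silently stay unconfigured is caught before services or filter rules depend on it; it also shows the interface-name translation described earlier.
The function names and the sample lines for em0_102 and em1 are constructed.

```sh
#!/bin/sh
# Added example, not FreeBSD code. Function names are hypothetical.

# ifconfig_var IFNAME: name of the rc.conf variable consulted for IFNAME,
# applying the ".-/+" to "_" translation described above.
ifconfig_var() {
    printf 'ifconfig_%s\n' "$(printf '%s\n' "$1" | sed 's|[.+/-]|_|g')"
}

# alias_gaps: read rc.conf text on stdin and report every
# ifconfig_<interface>_alias<n> entry that follows a missing lower number.
# Commented-out lines and the ifconfig_<interface>_aliases form are ignored.
alias_gaps() {
    awk '
    /^[ \t]*ifconfig_[A-Za-z0-9_]+_alias[0-9]+=/ {
        name = $0
        sub(/^[ \t]*ifconfig_/, "", name)
        sub(/=.*$/, "", name)
        idx = name; sub(/^.*_alias/, "", idx); idx += 0
        ifn = name; sub(/_alias[0-9]+$/, "", ifn)
        seen[ifn "," idx] = 1
        if (!(ifn in last) || idx > last[ifn]) last[ifn] = idx
    }
    END {
        for (ifn in last) {
            gap = -1
            for (i = 0; i <= last[ifn]; i++) {
                key = ifn "," i
                if (!(key in seen)) {
                    if (gap < 0) gap = i
                } else if (gap >= 0) {
                    printf "%s: alias%d is never configured (alias%d is missing)\n", ifn, i, gap
                }
            }
        }
    }' | LC_ALL=C sort
}

# Constructed sample input; the em0 alias lines repeat the example above.
sample_rc_conf() {
    cat <<'EOF'
ifconfig_em0="inet 192.0.2.1/24 up"
ifconfig_em0_alias0="inet 127.0.0.251/32"
ifconfig_em0_alias1="inet 127.0.0.252/32"
ifconfig_em0_alias2="inet 127.0.0.253/32"
ifconfig_em0_alias4="inet 127.0.0.254/32"
ifconfig_em0_102_alias0="inet 192.0.2.129/27"
ifconfig_em0_102_alias1="inet 192.0.2.130/32"
#ifconfig_em1_alias0="inet 198.51.100.1/24"
ifconfig_em1_alias1="inet 198.51.100.2/32"
EOF
}

sample_rc_conf | alias_gaps
```

On a live system the same check is run as alias_gaps < /etc/rc.conf.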
.Pp
If the
.Pa /etc/start_if . Ns Aq Ar interface
file is present, it is read and executed by the
.Xr sh 1
interpreter
before configuring the interface as specified in the
.Va ifconfig_ Ns Aq Ar interface
and
.Va ifconfig_ Ns Ao Ar interface Ac Ns Va _alias Ns Aq Ar n
variables.
.Pp
If a
.Va vlans_ Ns Aq Ar interface
variable is set,
a
.Xr vlan 4
interface will be created for each item in the list with the
.Ar vlandev
argument set to
.Ar interface .
If a vlan interface's name is a number,
then that number is used as the vlan tag and the new vlan interface is
named
.Ar interface . Ns Ar tag .
Otherwise,
the vlan tag must be specified via a
.Va vlan
parameter in the
.Va create_args_ Ns Aq Ar interface
variable.
.Pp
To create a vlan device named
.Li em0.101
on
.Li em0
with the vlan tag 101 and the optional IPv4 address 192.0.2.1/24:
.Bd -literal
vlans_em0="101"
ifconfig_em0_101="inet 192.0.2.1/24"
.Ed
.Pp
To create a vlan device named
.Li myvlan
on
.Li em0
with the vlan tag 102:
.Bd -literal
vlans_em0="myvlan"
create_args_myvlan="vlan 102"
.Ed
.Pp
If a
.Va wlans_ Ns Aq Ar interface
variable is set,
an
.Xr wlan 4
interface will be created for each item in the list with the
.Ar wlandev
argument set to
.Ar interface .
Further wlan cloning arguments may be passed to the
.Xr ifconfig 8
.Cm create
command by setting the
.Va create_args_ Ns Aq Ar interface
variable.
One or more
.Xr wlan 4
devices must be created for each wireless device as of
.Fx 8.0 .
Debugging flags for
.Xr wlan 4
devices as set by
.Xr wlandebug 8
may be specified with an
.Va wlandebug_ Ns Aq Ar interface
variable.
The contents of this variable will be passed directly to
.Xr wlandebug 8 .
.Pp
If the
.Va ifconfig_ Ns Aq Ar interface
contains the keyword
.Dq Li NOAUTO
then the interface will not be configured
at boot or by
.Pa /etc/pccard_ether
when
.Va network_interfaces
is set to
.Dq Li AUTO .
.Pp
It is possible to bring up an interface with DHCP by adding
.Dq Li DHCP
to the
.Va ifconfig_ Ns Aq Ar interface
variable.
For instance, to initialize the
.Li em0
device via DHCP,
it is possible to use something like:
.Bd -literal
ifconfig_em0="DHCP"
.Ed
.Pp
If you want to configure your wireless interface with
.Xr wpa_supplicant 8
for use with WPA, EAP/LEAP or WEP, you need to add
.Dq Li WPA
to the
.Va ifconfig_ Ns Aq Ar interface
variable.
.Pp
On the other hand, if you want to configure your wireless interface with
.Xr hostapd 8 ,
you need to add
.Dq Li HOSTAP
to the
.Va ifconfig_ Ns Aq Ar interface
variable.
.Xr hostapd 8
will use the settings from
.Pa /etc/hostapd- Ns Ao Ar interface Ac Ns .conf .
.Pp
Finally, you can add
.Xr ifconfig 8
options in this variable, in addition to the
.Pa /etc/start_if . Ns Aq Ar interface
file.
For instance, to configure an
.Xr ath 4
wireless device in station mode with an address obtained
via DHCP, using WPA authentication and 802.11b mode, it is
possible to use something like:
.Bd -literal
wlans_ath0="wlan0"
ifconfig_wlan0="DHCP WPA mode 11b"
.Ed
.Pp
In addition to the
.Va ifconfig_ Ns Aq Ar interface
form, a fallback variable
.Va ifconfig_DEFAULT
may be configured.
It will be used for all interfaces with no
.Va ifconfig_ Ns Aq Ar interface
variable.
.Pp
It is also possible to rename an interface with:
.Bd -literal
ifconfig_em0_name="net0"
ifconfig_net0="inet 192.0.2.1/24"
.Ed
.It Va ipv6_enable
.Pq Vt bool
This variable is deprecated.
Use
.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
and
.Va ipv6_activate_all_interfaces
if necessary.
.Pp
If the variable is
.Dq Li YES ,
.Dq Li inet6 accept_rtadv
is added to all of
.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
and the
.Va ipv6_activate_all_interfaces
is defined as
.Dq Li YES .
.It Va ipv6_prefer
.Pq Vt bool
This variable is deprecated.
Use
.Va ip6addrctl_policy
instead.
.Pp
If the variable is
.Dq Li YES ,
the default address selection policy table set by
.Xr ip6addrctl 8
will be IPv6-preferred.
.Pp
If the variable is
.Dq Li NO ,
the default address selection policy table set by
.Xr ip6addrctl 8
will be IPv4-preferred.
.It Va ipv6_activate_all_interfaces
.Pq Vt bool
This controls initial configuration on IPv6-capable
interfaces with no corresponding
.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
variable.
Note that it is not always necessary to set this variable to
.Dq YES
to use IPv6 functionality on
.Fx .
In most cases, just configuring
.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
variables works.
.Pp
If the variable is
.Dq Li NO ,
all interfaces which do not have a corresponding
.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
variable will be marked as
.Dq Li IFDISABLED
at creation.
This means that all IPv6 functionality on that interface
is completely disabled to enforce a security policy.
If the variable is set to
.Dq YES ,
the flag will be cleared on all of the interfaces.
.Pp
In most cases, just defining an
.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
for an IPv6-capable interface should be sufficient.
However, if an interface is added dynamically
.Pq by some tunneling protocols such as PPP, for example ,
it is often difficult to define the variable in advance.
In such a case, configuring the
.Dq Li IFDISABLED
flag can be disabled by setting this variable to
.Dq YES .
.Pp
For more details of the
.Dq Li IFDISABLED
flag and keywords
.Dq Li inet6 ifdisabled ,
see
.Xr ifconfig 8 .
.Pp
Default is
.Dq Li NO .
.It Va ipv6_privacy
.Pq Vt bool
If the variable is
.Dq Li YES
privacy addresses will be generated for each IPv6
interface as described in RFC 4941.
.It Va ipv6_network_interfaces
.Pq Vt str
This is the IPv6 equivalent of
.Va network_interfaces .
Normally manual configuration of this variable is not needed.
.It Va ipv6_cpe_wanif
.Pq Vt str
If the variable is set to an interface name,
the
.Xr ifconfig 8
options
.Dq inet6 -no_radr accept_rtadv
will be added to the specified interface automatically before evaluating
.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6 ,
and two
.Xr sysctl 8
variables
.Va net.inet6.ip6.rfc6204w3
and
.Va net.inet6.ip6.no_radr
will be set to 1.
.Pp
This means the specified interface will accept ICMPv6 Router
Advertisement messages on that link and add the discovered
routers into the Default Router List.
While the other interfaces can still accept RA messages if the
.Dq inet6 accept_rtadv
option is specified, adding
routes into the Default Router List will be disabled by the
.Dq inet6 no_radr
option by default.
See
.Xr ifconfig 8
for more details.
.Pp
Note that ICMPv6 Router Advertisement messages will be
accepted even when
.Va net.inet6.ip6.forwarding
is 1
.Pq packet forwarding is enabled
when
.Va net.inet6.ip6.rfc6204w3
is set to 1.
.Pp
Default is
.Dq Li NO .
.It Va ifconfig_ Ns Ao Ar interface Ac Ns _descr
.Pq Vt str
This assigns an arbitrary description to an interface.
The
.Xr sysctl 8
variable
.Va net.ifdescr_maxlen
limits its length.
This static setting may be overridden by commands
started with dynamic interface configuration utilities
like
.Xr dhclient 8
hooks.
The description can be seen with the
.Xr ifconfig 8
command and it may be exported with the
.Xr bsnmpd 1
daemon using its MIB-2 module.
.It Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
.Pq Vt str
IPv6 functionality on an interface should be configured by
.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6 ,
instead of setting ifconfig parameters in
.Va ifconfig_ Ns Aq Ar interface .
If this variable is empty, all IPv6 configurations on the
specified interface by other variables such as
.Va ipv6_prefix_ Ns Ao Ar interface Ac
will be ignored.
.Pp
Aliases should be set by
.Va ifconfig_ Ns Ao Ar interface Ac Ns Va _alias Ns Aq Ar n
with the
.Dq Li inet6
keyword.
For example:
.Bd -literal
ifconfig_em0_ipv6="inet6 2001:db8:1::1 prefixlen 64"
ifconfig_em0_alias0="inet6 2001:db8:2::1 prefixlen 64"
.Ed
.Pp
Interfaces that have an
.Dq Li inet6 accept_rtadv
keyword in their
.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
setting will be automatically configured by SLAAC
.Pq StateLess Address AutoConfiguration
described in
.Rs
.%T "RFC 4862"
.Re
.Pp
Note that a link-local address will be automatically configured in
addition to the configured global-scope addresses because the IPv6
specifications require it on each link.
The address is calculated from the MAC address by using an algorithm
defined in
.Rs
.%T "RFC 4862"
.%O "Section 5.3"
.Re
.Pp
If only a link-local address is needed on the interface,
the following configuration can be used:
.Bd -literal
ifconfig_em0_ipv6="inet6 auto_linklocal"
.Ed
.Pp
A link-local address can also be configured manually.
This is useful for the default router address of an IPv6 router
so that it does not change when the network interface
card is replaced.
For example:
.Bd -literal
ifconfig_em0_ipv6="inet6 fe80::1 prefixlen 64"
.Ed
.It Va ipv6_prefix_ Ns Aq Ar interface
.Pq Vt str
If one or more prefixes are defined in
.Va ipv6_prefix_ Ns Aq Ar interface ,
addresses based on each prefix and the EUI-64 interface index will be
configured on that interface.
Note that this variable will be ignored when
.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
is empty.
.Pp
For example, the following configuration
.Bd -literal
ipv6_prefix_em0="2001:db8:1:0 2001:db8:2:0"
.Ed
.Pp
is equivalent to the following:
.Bd -literal
ifconfig_em0_alias0="inet6 2001:db8:1:: eui64 prefixlen 64"
ifconfig_em0_alias1="inet6 2001:db8:1:: prefixlen 64 anycast"
ifconfig_em0_alias2="inet6 2001:db8:2:: eui64 prefixlen 64"
ifconfig_em0_alias3="inet6 2001:db8:2:: prefixlen 64 anycast"
.Ed
.Pp
These Subnet-Router anycast addresses will be added only when
.Va ipv6_gateway_enable
is YES.
.It Va ipv6_default_interface
.Pq Vt str
If not set to
.Dq Li NO ,
this is the default output interface for scoped addresses.
This works only with ipv6_gateway_enable="NO".
.It Va ip6addrctl_enable
.Pq Vt bool
This variable enables configuration of the default address selection policy table
.Pq RFC 3484 .
The table can be specified in another variable
.Va ip6addrctl_policy .
For
.Va ip6addrctl_policy
the following keywords can be specified:
.Dq Li ipv4_prefer ,
.Dq Li ipv6_prefer ,
or
.Dq Li AUTO .
.Pp
If
.Dq Li ipv4_prefer
or
.Dq Li ipv6_prefer
is specified,
.Xr ip6addrctl 8
installs a pre-defined policy table described in Section 10.3
.Pq IPv4-preferred
or 2.1
.Pq IPv6-preferred
of RFC 3484.
.Pp
If
.Dq Li AUTO
is specified, it attempts to read a file
.Pa /etc/ip6addrctl.conf
first.
If this file is found,
.Xr ip6addrctl 8
reads and installs it.
If not found, a policy is automatically set
according to the
.Va ipv6_activate_all_interfaces
variable; if the variable is set to
.Dq Li YES
the IPv6-preferred one is used.
Otherwise the IPv4-preferred one is used.
.Pp
The default values of
.Va ip6addrctl_enable
and
.Va ip6addrctl_policy
are
.Dq Li YES
and
.Dq Li AUTO ,
respectively.
.It Va cloned_interfaces
.Pq Vt str
Set to the list of clonable network interfaces to create on this host.
Further cloning arguments may be passed to the
.Xr ifconfig 8
.Cm create
command for each interface by setting the
.Va create_args_ Ns Aq Ar interface
variable.
If an interface name is specified with the
.Dq :sticky
keyword,
the interface will not be destroyed even when the
.Pa rc.d/netif
script is invoked with the
.Dq stop
argument.
This is useful when reconfiguring the interface without destroying it.
Entries in
.Va cloned_interfaces
are automatically appended to
.Va network_interfaces
for configuration.
.It Va cloned_interfaces_sticky
.Pq Vt bool
This variable globally enables the functionality of the
.Dq :sticky
keyword in
.Va cloned_interfaces
for all interfaces.
The default value is
.Dq NO .
Even if this variable is set to
.Dq YES ,
the
.Dq :nosticky
keyword can be used to override it on a per-interface basis.
.It Va gif_interfaces
Set to the list of
.Xr gif 4
tunnel interfaces to configure on this host.
A
.Va gifconfig_ Ns Aq Ar interface
variable is assumed to exist for each value of
.Ar interface .
The value of this variable is used to configure the link layer of the
tunnel using the
.Cm tunnel
option to
.Xr ifconfig 8 .
Additionally, this option ensures that each listed interface is created
via the
.Cm create
option to
.Xr ifconfig 8
before attempting to configure it.
.Pp
For example, configure two
.Xr gif 4
interfaces with:
.Bd -literal
gif_interfaces="gif0 gif1"
gifconfig_gif0="100.64.0.1 100.64.0.2"
ifconfig_gif0="inet 10.0.0.1/30 10.0.0.2"
gifconfig_gif1="inet6 2a00::1 2a01::1"
ifconfig_gif1="inet 10.1.0.1/30 10.1.0.2"
.Ed
.It Va ppp_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr ppp 8
daemon.
.It Va ppp_profile
.Pq Vt str
The name of the profile to use from
.Pa /etc/ppp/ppp.conf .
Also used for per-profile overrides of
.Va ppp_mode
and
.Va ppp_nat ,
and
.Va ppp_ Ns Ao Ar profile Ac Ns _unit .
When the profile name contains any of the characters
.Dq Li .-/+
they are translated to
.Dq Li _
for the purposes of the override variable names.
.It Va ppp_mode
.Pq Vt str
Mode in which to run the
.Xr ppp 8
daemon.
.It Va ppp_ Ns Ao Ar profile Ac Ns _mode
.Pq Vt str
Overrides the global
.Va ppp_mode
for
.Ar profile .
Accepted modes are
.Dq Li auto ,
.Dq Li ddial ,
.Dq Li direct
and
.Dq Li dedicated .
See the manual for a full description.
.It Va ppp_nat
.Pq Vt bool
If set to
.Dq Li YES ,
enables network address translation.
When used in conjunction with
.Va gateway_enable ,
this allows hosts on private network addresses to access the Internet using
this host as a network address translating router.
Default is
.Dq Li YES .
.It Va ppp_ Ns Ao Ar profile Ac Ns _nat
.Pq Vt str
Overrides the global
.Va ppp_nat
for
.Ar profile .
.It Va ppp_ Ns Ao Ar profile Ac Ns _unit
.Pq Vt int
Set the unit number to be used for this profile.
See the manual description of
.Fl unit Ns Ar N
for details.
.It Va ppp_user
.Pq Vt str
The name of the user under which
.Xr ppp 8
should be started.
By default,
.Xr ppp 8
is started as
.Dq Li root .
.It Va rc_conf_files
.Pq Vt str
This option is used to specify a list of files that will override
the settings in
.Pa /etc/defaults/rc.conf .
The files will be read in the order in which they are specified and should
include the full path to the file.
By default, the files specified are
.Pa /etc/rc.conf
and
.Pa /etc/rc.conf.local .
.It Va zfs_enable
.Pq Vt bool
If set to
.Dq Li YES ,
.Pa /etc/rc.d/zfs
will attempt to automatically mount ZFS file systems and initialize ZFS volumes
(ZVOLs).
.It Va zpool_reguid
.Pq Vt str
A space-separated list of ZFS pool names for which new pool GUIDs should be
assigned upon first boot.
This is useful when using a ZFS pool copied from a template, such as a virtual
machine image.
.It Va zpool_upgrade
.Pq Vt str
A space-separated list of ZFS pool names for which the version should be
upgraded upon first boot.
This is useful when using a ZFS pool generated by the
.Xr makefs 8
utility.
.It Va gptboot_enable
.Pq Vt bool
If set to
.Dq Li YES ,
.Pa /etc/rc.d/gptboot
will log whether the system booted successfully (or not) from a GPT partition
which had the
.Ar bootonce
attribute set using the
.Xr gpart 8
utility.
.It Va geli_devices
.Pq Vt str
List of devices to automatically attach on boot.
Note that .eli devices from
.Pa /etc/fstab
are automatically appended to this list.
.It Va geli_groups
.Pq Vt str
List of groups containing devices to automatically attach on boot with the same
keyfiles and passphrase.
This must be accompanied by a corresponding
.Va geli_ Ns Ao Ar group Ac Ns Va _devices
variable.
.It Va geli_tries
.Pq Vt int
Number of times the user is asked for the passphrase.
If empty, it will be taken from the
.Va kern.geom.eli.tries
sysctl variable.
.It Va geli_default_flags
.Pq Vt str
Default flags used by
.Xr geli 8
when configuring disk encryption.
Flags can be configured for every device separately by defining the
.Va geli_ Ns Ao Ar device Ac Ns Va _flags
variable, and for every group separately by defining the
.Va geli_ Ns Ao Ar group Ac Ns Va _flags
variable.
.It Va geli_autodetach
.Pq Vt str
Specifies if GELI devices should be marked for detach on last close after
file systems are mounted.
Default is
.Dq Li YES .
This can be changed for every device separately by defining the
.Va geli_ Ns Ao Ar device Ac Ns Va _autodetach
variable.
.It Va root_rw_mount
.Pq Vt bool
Set to
.Dq Li YES
by default.
After the file systems are checked at boot time, the root file system
is remounted as read-write if this is set to
.Dq Li YES .
Diskless systems that mount their root file system from a read-only remote
NFS share should set this to
.Dq Li NO
in their
.Pa rc.conf .
.It Va fsck_y_enable
.Pq Vt bool
If set to
.Dq Li YES ,
.Xr fsck 8
will be run with the
.Fl y
flag if the initial preen
of the file systems fails.
.It Va background_fsck
.Pq Vt bool
If set to
.Dq Li NO ,
the system will not attempt to run
.Xr fsck 8
in the background where possible.
.It Va background_fsck_delay
.Pq Vt int
The amount of time in seconds to sleep before starting a background
.Xr fsck 8 .
It defaults to sixty seconds to allow large applications such as
the X server to start before disk I/O bandwidth is monopolized by
.Xr fsck 8 .
If set to a negative number, the background file system check will be
delayed indefinitely to allow the administrator to run it at a more
convenient time.
For example, it may be run from
.Xr cron 8
by adding a line like
.Pp
.Dl "0 4 * * * root /etc/rc.d/bgfsck forcestart"
.Pp
to
.Pa /etc/crontab .
.It Va netfs_types
.Pq Vt str
List of file system types that are network-based.
This list should generally not be modified by end users.
Use
.Va extra_netfs_types
instead.
.It Va extra_netfs_types
.Pq Vt str
If set to something other than
.Dq Li NO
(the default),
this variable extends the list of file system types
for which automatic mounting at startup by
.Xr rc 8
should be delayed until the network is initialized.
It should contain
a whitespace-separated list of network file system descriptor pairs,
each consisting of a file system type as passed to
.Xr mount 8
and a human-readable, one-word description,
joined with a colon
.Pq Ql \&: .
Extending the default list in this way is only necessary
when third party file system types are used.
.It Va syslogd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr syslogd 8
daemon.
Note, the
.Va syslogd_oomprotect
variable is set to
.Dq Li YES
by default in
.Pa /etc/defaults/rc.conf .
.It Va syslogd_program
.Pq Vt str
Path to
.Xr syslogd 8
(default
.Pa /usr/sbin/syslogd ) .
.It Va syslogd_flags
.Pq Vt str
If
.Va syslogd_enable
is set to
.Dq Li YES ,
these are the flags to pass to
.Xr syslogd 8 .
2345.It Va inetd_enable
2346.Pq Vt bool
2347If set to
2348.Dq Li YES ,
2349run the
2350.Xr inetd 8
2351daemon.
2352.It Va inetd_program
2353.Pq Vt str
2354Path to
2355.Xr inetd 8
2356(default
2357.Pa /usr/sbin/inetd ) .
2358.It Va inetd_flags
2359.Pq Vt str
2360If
2361.Va inetd_enable
2362is set to
2363.Dq Li YES ,
2364these are the flags to pass to
2365.Xr inetd 8 .
2366.It Va hastd_enable
2367.Pq Vt bool
2368If set to
2369.Dq Li YES ,
2370run the
2371.Xr hastd 8
2372daemon.
2373.It Va hastd_program
2374.Pq Vt str
2375Path to
2376.Xr hastd 8
2377(default
2378.Pa /sbin/hastd ) .
2379.It Va hastd_flags
2380.Pq Vt str
2381If
2382.Va hastd_enable
2383is set to
2384.Dq Li YES ,
2385these are the flags to pass to
2386.Xr hastd 8 .
2387.It Va local_unbound_enable
2388.Pq Vt bool
2389If set to
2390.Dq Li YES ,
2391run the
2392.Xr unbound 8
2393daemon as a local caching DNS resolver.
2394Note, the
2395.Va local_unbound_oomprotect
2396variable is set to
2397.Dq Li YES
2398by default in
2399.Pa /etc/defaults/rc.conf .
.It Va nscd_enable
.Pq Vt bool
Set to
.Dq Li YES
to start the
.Xr nscd 8
caching daemon for the
.Nm nsswitch
subsystem.
.It Va nscd_flags
.Pq Vt str
If
.Va nscd_enable
is set to
.Dq Li YES ,
these flags are passed to
.Xr nscd 8 .
.It Va kdc_enable
.Pq Vt bool
Set to
.Dq Li YES
to start a Kerberos 5 authentication server
at boot time.
.It Va kdc_program
.Pq Vt str
If
.Va kdc_enable
is set to
.Dq Li YES ,
this is the path to the Kerberos 5 Authentication Server.
.It Va kdc_flags
.Pq Vt str
Empty by default.
This variable contains additional flags to be passed to the Kerberos 5
authentication server.
.It Va kadmind_enable
.Pq Vt bool
Set to
.Dq Li YES
to start
.Xr kadmind 8 ,
the Kerberos 5 Administration Daemon; set to
.Dq Li NO
on a slave server.
.It Va kadmind_program
.Pq Vt str
If
.Va kadmind_enable
is set to
.Dq Li YES ,
this is the path to the Kerberos 5 Administration Daemon.
.It Va kpasswdd_enable
.Pq Vt bool
Set to
.Dq Li YES
to start
.Xr kpasswdd 8 ,
the Kerberos 5 Password-Changing Daemon; set to
.Dq Li NO
on a slave server.
.It Va kpasswdd_program
.Pq Vt str
If
.Va kpasswdd_enable
is set to
.Dq Li YES ,
this is the path to the Kerberos 5 Password-Changing Daemon.
.It Va kfd_enable
.Pq Vt bool
Set to
.Dq Li YES
to start
.Xr kfd 8 ,
the Kerberos 5 ticket forwarding daemon, at boot time.
.It Va kfd_program
.Pq Vt str
Path to
.Xr kfd 8
(default
.Pa /usr/libexec/kfd ) .
.It Va rwhod_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr rwhod 8
daemon at boot time.
.It Va rwhod_flags
.Pq Vt str
If
.Va rwhod_enable
is set to
.Dq Li YES ,
these are the flags to pass to it.
.It Va update_motd
.Pq Vt bool
If set to
.Dq Li YES ,
.Pa /var/run/motd
will be updated at boot time to reflect the kernel release
being run.
If set to
.Dq Li NO ,
.Pa /var/run/motd
will not be updated.
.It Va nfs_client_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the NFS client daemons at boot time.
.It Va nfs_access_cache
.Pq Vt int
If
.Va nfs_client_enable
is set to
.Dq Li YES ,
this can be set to
.Dq Li 0
to disable NFS ACCESS RPC caching, or to the number of seconds for which
NFS ACCESS
results should be cached.
A value of 2-10 seconds will substantially reduce network
traffic for many NFS operations.
.It Va nfs_server_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the NFS server daemons at boot time.
.It Va nfs_server_flags
.Pq Vt str
If
.Va nfs_server_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr nfsd 8
daemon.
.It Va nfsv4_server_enable
.Pq Vt bool
If
.Va nfs_server_enable
is set to
.Dq Li YES
and
.Va nfsv4_server_enable
is set to
.Dq Li YES ,
enable the server for NFSv4 as well as NFSv2 and NFSv3.
.It Va nfsv4_server_only
.Pq Vt bool
If
.Va nfs_server_enable
is set to
.Dq Li YES
and
.Va nfsv4_server_only
is set to
.Dq Li YES ,
enable the NFS server for NFSv4 only.
.It Va nfs_server_maxio
.Pq Vt int
Value to set
.Va vfs.nfsd.srvmaxio
to, which is the
maximum I/O size for the NFS server.
.It Va tlsclntd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr rpc.tlsclntd 8
daemon, which is needed for NFS-over-TLS NFS mounts.
.It Va tlsservd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr rpc.tlsservd 8
daemon, which is needed for the
.Xr nfsd 8
to support NFS-over-TLS NFS mounts.
.It Va nfsuserd_enable
.Pq Vt bool
If
.Va nfsuserd_enable
is set to
.Dq Li YES ,
run the nfsuserd daemon, which is needed for NFSv4 in order
to map between user/group names and uid/gid numbers.
If
.Va nfsv4_server_enable
is set to
.Dq Li YES ,
this will be forced enabled.
.It Va nfsuserd_flags
.Pq Vt str
If
.Va nfsuserd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr nfsuserd 8
daemon.
.It Va nfscbd_enable
.Pq Vt bool
If
.Va nfscbd_enable
is set to
.Dq Li YES ,
run the nfscbd daemon, which enables callbacks/delegations for the NFSv4 client.
.It Va nfscbd_flags
.Pq Vt str
If
.Va nfscbd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr nfscbd 8
daemon.
.It Va mountd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
and
.Va nfs_server_enable
is not set, start
.Xr mountd 8 ,
but not the
.Xr nfsd 8
daemon.
This is commonly needed to run CFS without real NFS in use.
.It Va mountd_flags
.Pq Vt str
If
.Va mountd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr mountd 8
daemon.
.It Va weak_mountd_authentication
.Pq Vt bool
If set to
.Dq Li YES ,
allow services like PCNFSD to make non-privileged mount
requests.
.It Va nfs_reserved_port_only
.Pq Vt bool
If set to
.Dq Li YES ,
provide NFS services only on a secure (reserved) port.
.It Va nfs_bufpackets
.Pq Vt int
If set to a number, indicates the number of packets worth of
socket buffer space to reserve on an NFS client.
The kernel default is typically 4.
Using a higher number may be
useful on gigabit networks to improve performance.
The minimum value is
2 and the maximum is 64.
.It Va rpc_lockd_enable
.Pq Vt bool
If set to
.Dq Li YES
and also an NFS server or client, run
.Xr rpc.lockd 8
at boot time.
.It Va rpc_lockd_flags
.Pq Vt str
If
.Va rpc_lockd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr rpc.lockd 8
daemon.
.It Va rpc_statd_enable
.Pq Vt bool
If set to
.Dq Li YES
and also an NFS server or client, run
.Xr rpc.statd 8
at boot time.
.It Va rpc_statd_flags
.Pq Vt str
If
.Va rpc_statd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr rpc.statd 8
daemon.
.It Va rpcbind_program
.Pq Vt str
Path to
.Xr rpcbind 8
(default
.Pa /usr/sbin/rpcbind ) .
.It Va rpcbind_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr rpcbind 8
service at boot time.
.It Va rpcbind_flags
.Pq Vt str
If
.Va rpcbind_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr rpcbind 8
daemon.
.It Va keyserv_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr keyserv 8
daemon on boot for running Secure RPC.
.It Va keyserv_flags
.Pq Vt str
If
.Va keyserv_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr keyserv 8
daemon.
.It Va pppoed_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr pppoed 8
daemon at boot time to provide PPP over Ethernet services.
.It Va pppoed_ Ns Aq Ar provider
.Pq Vt str
.Xr pppoed 8
listens to requests to this
.Ar provider
and ultimately runs
.Xr ppp 8
with a
.Ar system
argument of the same name.
.It Va pppoed_flags
.Pq Vt str
Additional flags to pass to
.Xr pppoed 8 .
.It Va pppoed_interface
.Pq Vt str
The network interface to run
.Xr pppoed 8
on.
This is mandatory when
.Va pppoed_enable
is set to
.Dq Li YES .
.It Va ntpdate_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run
.Xr ntpdate 8
at system startup.
This command is intended to
synchronize the system clock only
.Em once
from some standard reference.
.Pp
Note that the use of the
.Va ntpd_sync_on_start
variable is a preferred alternative to the
.Xr ntpdate 8
utility as
.Xr ntpdate 8
is to be retired from the NTP distribution.
.It Va ntpdate_config
.Pq Vt str
Configuration file for
.Xr ntpdate 8 .
Default
.Pa /etc/ntp.conf .
.It Va ntpdate_hosts
.Pq Vt str
A whitespace-separated list of NTP servers to synchronize with at startup.
The default is to use the servers listed in
.Va ntpdate_config ,
if that file exists.
.It Va ntpdate_program
.Pq Vt str
Path to
.Xr ntpdate 8
(default
.Pa /usr/sbin/ntpdate ) .
.It Va ntpdate_flags
.Pq Vt str
If
.Va ntpdate_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr ntpdate 8
command (typically a hostname).
.It Va ntpd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr ntpd 8
command at boot time.
.It Va ntpd_program
.Pq Vt str
Path to
.Xr ntpd 8
(default
.Pa /usr/sbin/ntpd ) .
.It Va ntpd_config
.Pq Vt str
Path to
.Xr ntpd 8
configuration file.
Default
.Pa /etc/ntp.conf .
.It Va ntpd_flags
.Pq Vt str
If
.Va ntpd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr ntpd 8
daemon.
.It Va ntpd_sync_on_start
.Pq Vt bool
If set to
.Dq Li YES ,
.Xr ntpd 8
is run with the
.Fl g
flag, which syncs the system's clock on startup.
See
.Xr ntpd 8
for more information regarding the
.Fl g
option.
This is a preferred alternative to using
.Xr ntpdate 8
or specifying the
.Va ntpdate_enable
variable.
.It Va nis_client_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr ypbind 8
service at system boot time.
.It Va nis_client_flags
.Pq Vt str
If
.Va nis_client_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr ypbind 8
service.
.It Va nis_ypldap_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr ypldap 8
daemon at system boot time.
.It Va nis_ypldap_flags
.Pq Vt str
If
.Va nis_ypldap_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr ypldap 8
daemon.
.It Va nis_ypset_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr ypset 8
daemon at system boot time.
.It Va nis_ypset_flags
.Pq Vt str
If
.Va nis_ypset_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr ypset 8
daemon.
.It Va nis_server_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr ypserv 8
daemon at system boot time.
.It Va nis_server_flags
.Pq Vt str
If
.Va nis_server_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr ypserv 8
daemon.
.It Va nis_ypxfrd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr rpc.ypxfrd 8
daemon at system boot time.
.It Va nis_ypxfrd_flags
.Pq Vt str
If
.Va nis_ypxfrd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr rpc.ypxfrd 8
daemon.
.It Va nis_yppasswdd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr rpc.yppasswdd 8
daemon at system boot time.
.It Va nis_yppasswdd_flags
.Pq Vt str
If
.Va nis_yppasswdd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr rpc.yppasswdd 8
daemon.
.It Va rpc_ypupdated_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Nm rpc.ypupdated
daemon at system boot time.
.It Va bsnmpd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr bsnmpd 1
daemon at system boot time.
Be sure to understand the security implications of running an SNMP daemon
on your host.
.It Va bsnmpd_flags
.Pq Vt str
If
.Va bsnmpd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr bsnmpd 1
daemon.
.It Va defaultrouter
.Pq Vt str
If not set to
.Dq Li NO ,
create a default route to this host name or IP address
(use an IP address if this router is also required to get to the
name server!).
.It Va defaultrouter_fibN
.Pq Vt str
If not set to
.Dq Li NO ,
create a default route in FIB N to this host name or IP address.
.It Va ipv6_defaultrouter
.Pq Vt str
The IPv6 equivalent of
.Va defaultrouter .
.It Va ipv6_defaultrouter_fibN
.Pq Vt str
The IPv6 equivalent of
.Va defaultrouter_fibN .
.It Va static_arp_pairs
.Pq Vt str
Set to the list of static ARP pairs that are to be added at system
boot time.
For each whitespace separated
.Ar element
in the value, a
.Va static_arp_ Ns Aq Ar element
variable is assumed to exist whose contents will later be passed to a
.Dq Nm arp Cm -S
operation.
For example:
.Bd -literal
static_arp_pairs="gw"
static_arp_gw="192.168.1.1 00:01:02:03:04:05"
.Ed
.It Va static_ndp_pairs
.Pq Vt str
Set to the list of static NDP pairs that are to be added at system
boot time.
For each whitespace separated
.Ar element
in the value, a
.Va static_ndp_ Ns Aq Ar element
variable is assumed to exist whose contents will later be passed to a
.Dq Nm ndp Cm -s
operation.
For example:
.Bd -literal
static_ndp_pairs="gw"
static_ndp_gw="2001:db8:3::1 00:01:02:03:04:05"
.Ed
.It Va static_routes
.Pq Vt str
Set to the list of static routes that are to be added at system
boot time.
If not set to
.Dq Li NO
then for each whitespace separated
.Ar element
in the value, a
.Va route_ Ns Aq Ar element
variable is assumed to exist
whose contents will later be passed to a
.Dq Nm route Cm add
operation.
For example:
.Bd -literal
static_routes="ext mcast:gif0 gif0local:gif0"
route_ext="-net 10.0.0.0/24 -gateway 192.168.0.1"
route_mcast="-net 224.0.0.0/4 -iface gif0"
route_gif0local="-host 169.254.1.1 -iface lo0"
.Ed
.Pp
When an
.Ar element
is in the form of
.Li name:ifname ,
the route is specific to the interface
.Li ifname .
.It Va ipv6_static_routes
.Pq Vt str
The IPv6 equivalent of
.Va static_routes .
If not set to
.Dq Li NO
then for each whitespace separated
.Ar element
in the value, a
.Va ipv6_route_ Ns Aq Ar element
variable is assumed to exist
whose contents will later be passed to a
.Dq Nm route Cm add Fl inet6
operation.
.It Va gateway_enable
.Pq Vt bool
If set to
.Dq Li YES ,
configure host to act as an IP router, e.g.\& to forward packets
between interfaces.
.It Va ipv6_gateway_enable
.Pq Vt bool
The IPv6 equivalent of
.Va gateway_enable .
.It Va routed_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run a routing daemon of some sort, based on the
settings of
.Va routed_program
and
.Va routed_flags .
.It Va route6d_enable
.Pq Vt bool
The IPv6 equivalent of
.Va routed_enable .
If set to
.Dq Li YES ,
run a routing daemon of some sort, based on the
settings of
.Va route6d_program
and
.Va route6d_flags .
.It Va routed_program
.Pq Vt str
If
.Va routed_enable
is set to
.Dq Li YES ,
this is the name of the routing daemon to use.
The default is
.Xr routed 8 .
.It Va route6d_program
.Pq Vt str
The IPv6 equivalent of
.Va routed_program .
The default is
.Xr route6d 8 .
.It Va routed_flags
.Pq Vt str
If
.Va routed_enable
is set to
.Dq Li YES ,
these are the flags to pass to the routing daemon.
.It Va route6d_flags
.Pq Vt str
The IPv6 equivalent of
.Va routed_flags .
.It Va rtadvd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr rtadvd 8
daemon at boot time.
The
.Xr rtadvd 8
utility sends ICMPv6 Router Advertisement messages to
the interfaces specified in
.Va rtadvd_interfaces .
This should only be enabled with great care.
You may want to fine-tune
.Xr rtadvd.conf 5 .
.It Va rtadvd_interfaces
.Pq Vt str
If
.Va rtadvd_enable
is set to
.Dq Li YES ,
this is the list of interfaces to use.
.It Va arpproxy_all
.Pq Vt bool
If set to
.Dq Li YES ,
enable global proxy ARP.
.It Va forward_sourceroute
.Pq Vt bool
If set to
.Dq Li YES
and
.Va gateway_enable
is also set to
.Dq Li YES ,
source-routed packets are forwarded.
.It Va accept_sourceroute
.Pq Vt bool
If set to
.Dq Li YES ,
the system will accept source-routed packets directed at it.
.It Va rarpd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr rarpd 8
daemon at system boot time.
.It Va rarpd_flags
.Pq Vt str
If
.Va rarpd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr rarpd 8
daemon.
.It Va bootparamd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr bootparamd 8
daemon at system boot time.
.It Va bootparamd_flags
.Pq Vt str
If
.Va bootparamd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr bootparamd 8
daemon.
.It Va stf_interface_ipv4addr
.Pq Vt str
If not set to
.Dq Li NO ,
this is the local IPv4 address for 6to4 (IPv6 over IPv4 tunneling
interface).
Specify this entry to enable the 6to4 interface.
.It Va stf_interface_ipv4plen
.Pq Vt int
Prefix length for 6to4 IPv4 addresses, to limit peer address range.
An effective value is 0-31.
.It Va stf_interface_ipv6_ifid
.Pq Vt str
IPv6 interface ID for
.Xr stf 4 .
This can be set to
.Dq Li AUTO .
.It Va stf_interface_ipv6_slaid
.Pq Vt str
IPv6 Site Level Aggregator for
.Xr stf 4 .
.It Va ipv6_ipv4mapping
.Pq Vt bool
If set to
.Dq Li YES ,
this enables IPv4 mapped IPv6 address communication (like
.Li ::ffff:a.b.c.d ) .
.It Va rtsold_enable
.Pq Vt bool
Set to
.Dq Li YES
to enable the
.Xr rtsold 8
daemon to send ICMPv6 Router Solicitation messages.
.It Va rtsold_flags
.Pq Vt str
If
.Va rtsold_enable
is set to
.Dq Li YES ,
these are the flags to pass to
.Xr rtsold 8 .
.It Va rtsol_flags
.Pq Vt str
For interfaces configured with the
.Dq Li inet6 accept_rtadv
keyword, these are the flags to pass to
.Xr rtsol 8 .
.Pp
Note that
.Va rtsold_enable
is mutually exclusive with
.Va rtsol_flags ;
.Va rtsold_enable
takes precedence.
.It Va keybell
.Pq Vt str
The keyboard bell sound.
Set to
.Dq Li normal ,
.Dq Li visual ,
.Dq Li off ,
or
.Dq Li NO
if the default behavior is desired.
For details, refer to the
.Xr kbdcontrol 1
manpage.
.It Va keyboard
.Pq Vt str
If set to a non-null string, the virtual console's keyboard input is
set to this device.
.It Va keymap
.Pq Vt str
If set to
.Dq Li NO ,
no keymap is installed, otherwise the value is used to install
the keymap file found in
.Pa /usr/share/syscons/keymaps/ Ns Ao Ar value Ac Ns Pa .kbd
(if using
.Xr syscons 4 ) or
.Pa /usr/share/vt/keymaps/ Ns Ao Ar value Ac Ns Pa .kbd
(if using
.Xr vt 4 ) .
.It Va keyrate
.Pq Vt str
The keyboard repeat speed.
Set to
.Dq Li slow ,
.Dq Li normal ,
.Dq Li fast ,
or
.Dq Li NO
if the default behavior is desired.
.It Va keychange
.Pq Vt str
If not set to
.Dq Li NO ,
attempt to program the function keys with the value.
The value should
be a single string of the form:
.Dq Ar funkey_number new_value Op Ar funkey_number new_value ... .
.It Va cursor
.Pq Vt str
Can be set to the value of
.Dq Li normal ,
.Dq Li blink ,
.Dq Li destructive ,
or
.Dq Li NO
to set the cursor behavior explicitly or choose the default behavior.
.It Va scrnmap
.Pq Vt str
If set to
.Dq Li NO ,
no screen map is installed, otherwise the value is used to install
the screen map file in
.Pa /usr/share/syscons/scrnmaps/ Ns Aq Ar value .
This parameter is ignored when using
.Xr vt 4
as the console driver.
.It Va font8x16
.Pq Vt str
If set to
.Dq Li NO ,
the default 8x16 font value is used for screen size requests, otherwise
the value in
.Pa /usr/share/syscons/fonts/ Ns Aq Ar value
or
.Pa /usr/share/vt/fonts/ Ns Aq Ar value
is used (depending on the console driver being used).
.It Va font8x14
.Pq Vt str
If set to
.Dq Li NO ,
the default 8x14 font value is used for screen size requests, otherwise
the value in
.Pa /usr/share/syscons/fonts/ Ns Aq Ar value
or
.Pa /usr/share/vt/fonts/ Ns Aq Ar value
is used (depending on the console driver being used).
.It Va font8x8
.Pq Vt str
If set to
.Dq Li NO ,
the default 8x8 font value is used for screen size requests, otherwise
the value in
.Pa /usr/share/syscons/fonts/ Ns Aq Ar value
or
.Pa /usr/share/vt/fonts/ Ns Aq Ar value
is used (depending on the console driver being used).
.It Va blanktime
.Pq Vt int
If set to
.Dq Li NO ,
the default screen blanking interval is used, otherwise it is set
to
.Ar value
seconds.
.It Va saver
.Pq Vt str
If not set to
.Dq Li NO ,
this is the actual screen saver to use
.Li ( blank , snake , daemon ,
etc).
.It Va moused_nondefault_enable
.Pq Vt str
If set to
.Dq Li NO ,
the mouse device specified on
the command line is not automatically treated as enabled by the
.Pa /etc/rc.d/moused
script.
Having this variable set to
.Dq Li YES
allows a
.Xr usb 4
mouse,
for example,
to be enabled as soon as it is plugged in.
.It Va moused_enable
.Pq Vt str
If set to
.Dq Li YES ,
the
.Xr moused 8
daemon is started for doing cut/paste selection on the console.
.It Va moused_type
.Pq Vt str
This is the protocol type of the mouse connected to this host.
This variable must be set if
.Va moused_enable
is set to
.Dq Li YES ,
but defaults to
.Dq Li auto
as the
.Xr moused 8
daemon
is able to detect the appropriate mouse type automatically in many cases.
Set this variable to
one from the following list if the automatic detection fails.
.Pp
If the mouse is attached to the PS/2 mouse port, choose
.Dq Li auto
or
.Dq Li ps/2 ,
regardless of the brand and model of the mouse.
Likewise, if the
mouse is attached to the bus mouse port, choose
.Dq Li auto
or
.Dq Li busmouse .
All other protocols are for serial mice and will not work with
the PS/2 and bus mice.
If this is a USB mouse,
.Dq Li auto
is the only protocol type which will work.
.Pp
.Bl -tag -width ".Li x10mouseremote" -compact
.It Li microsoft
Microsoft mouse (serial)
.It Li intellimouse
Microsoft IntelliMouse (serial)
.It Li mousesystems
Mouse systems Corp.\& mouse (serial)
.It Li mmseries
MM Series mouse (serial)
.It Li logitech
Logitech mouse (serial)
.It Li busmouse
A bus mouse
.It Li mouseman
Logitech MouseMan and TrackMan (serial)
.It Li glidepoint
ALPS GlidePoint (serial)
.It Li thinkingmouse
Kensington ThinkingMouse (serial)
.It Li ps/2
PS/2 mouse
.It Li mmhittab
MM HitTablet (serial)
.It Li x10mouseremote
X10 MouseRemote (serial)
.It Li versapad
Interlink VersaPad (serial)
.El
.Pp
Even if the mouse is not in the above list, it may be compatible
with one in the list.
Refer to the manual page for
.Xr moused 8
for compatibility information.
.Pp
It should also be noted that while this is enabled, any
other client of the mouse (such as an X server) should access
the mouse through the virtual mouse device,
.Pa /dev/sysmouse ,
and configure it as a
.Dq Li sysmouse
type mouse, since all
mouse data is converted to this single canonical format when
using
.Xr moused 8 .
If the client program does not support the
.Dq Li sysmouse
type,
specify the
.Dq Li mousesystems
type.
It is the second preferred type.
.It Va moused_port
.Pq Vt str
If
.Va moused_enable
is set to
.Dq Li YES ,
this is the actual port the mouse is on.
It might be
.Pa /dev/cuau0
for a COM1 serial mouse, or
.Pa /dev/psm0
for a PS/2 mouse, for example.
.It Va moused_flags
.Pq Vt str
If
.Va moused_flags
is set, its value is used as an additional set of flags to pass to the
.Xr moused 8
daemon.
.It Va "moused_" Ns Ar XXX Ns Va "_flags"
When
.Va moused_nondefault_enable
is enabled, and a
.Xr moused 8
daemon is started for a non-default port, the
.Va "moused_" Ns Ar XXX Ns Va "_flags"
set of options has precedence over and replaces the default
.Va moused_flags
(where
.Ar XXX
is the name of the non-default port, i.e.,\&
.Ar ums0 ) .
By setting
.Va "moused_" Ns Ar XXX Ns Va "_flags"
it is possible to set up a different set of default flags for each
.Xr moused 8
instance.
For example, you can use
.Dq Li "-3"
for the default
.Va moused_flags
to make your laptop's touchpad more comfortable to use,
but an empty set of options for
.Va moused_ums0_flags
when your
.Xr usb 4
mouse has three or more buttons.
.It Va mousechar_start
.Pq Vt int
If set to
.Dq Li NO ,
the default mouse cursor character range
.Li 0xd0 Ns - Ns Li 0xd3
is used,
otherwise the range start is set
to
.Ar value
character, see
.Xr vidcontrol 1 .
Use if the default range is occupied in the language code table.
.It Va allscreens_flags
.Pq Vt str
If set,
.Xr vidcontrol 1
is run with these options for each of the virtual terminals
.Pq Pa /dev/ttyv* .
For example,
.Dq Fl m Cm on
will enable the mouse pointer on all virtual terminals
if
.Va moused_enable
is set to
.Dq Li YES .
.It Va allscreens_kbdflags
.Pq Vt str
If set,
.Xr kbdcontrol 1
is run with these options for each of the virtual terminals
.Pq Pa /dev/ttyv* .
For example,
.Dq Fl h Li 200
will set the
.Xr syscons 4
or
.Xr vt 4
scrollback (history) buffer to 200 lines.
.It Va cron_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr cron 8
daemon at system boot time.
.It Va cron_program
.Pq Vt str
Path to
.Xr cron 8
(default
.Pa /usr/sbin/cron ) .
.It Va cron_flags
.Pq Vt str
If
.Va cron_enable
is set to
.Dq Li YES ,
these are the flags to pass to
.Xr cron 8 .
.It Va cron_dst
.Pq Vt bool
If set to
.Dq Li YES ,
enable the special handling of transitions to and from the
Daylight Saving Time in
.Xr cron 8
(equivalent to using the flag
.Fl s ) .
.It Va lpd_program
.Pq Vt str
Path to
.Xr lpd 8
(default
.Pa /usr/sbin/lpd ) .
.It Va lpd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr lpd 8
daemon at system boot time.
.It Va lpd_flags
.Pq Vt str
If
.Va lpd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr lpd 8
daemon.
.It Va chkprintcap_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr chkprintcap 8
command before starting the
.Xr lpd 8
daemon.
.It Va chkprintcap_flags
.Pq Vt str
If
.Va lpd_enable
and
.Va chkprintcap_enable
are set to
.Dq Li YES ,
these are the flags to pass to the
.Xr chkprintcap 8
program.
The default is
.Dq Li -d ,
which causes missing directories to be created.
.It Va dumpdev
.Pq Vt str
Indicates the device (usually a swap partition) to which a crash dump
should be written in the event of a system crash.
If the value of this variable is
.Dq Li AUTO ,
the first suitable swap device listed in
.Pa /etc/fstab
will be used as dump device.
Otherwise, the value of this variable is passed as the argument to
.Xr dumpon 8
and
.Xr savecore 8 .
To disable crash dumps, set this variable to
.Dq Li NO .
.It Va dumpon_flags
.Pq Vt str
Flags to pass to
.Xr dumpon 8
when configuring
.Va dumpdev
as the system dump device.
.It Va dumpdir
.Pq Vt str
When the system reboots after a crash and a crash dump is found on the
device specified by the
.Va dumpdev
variable,
.Xr savecore 8
will save that crash dump and a copy of the kernel to the directory
specified by the
.Va dumpdir
variable.
The default value is
.Pa /var/crash .
Set to
.Dq Li NO
to not run
.Xr savecore 8
at boot time when
.Va dumpdir
is set.
.It Va savecore_enable
.Pq Vt bool
If set to
.Dq Li NO ,
disable automatic extraction of the crash dump from the
.Va dumpdev .
.It Va savecore_flags
.Pq Vt str
If crash dumps are enabled, these are the flags to pass to the
.Xr savecore 8
utility.
.It Va quota_enable
.Pq Vt bool
Set to
.Dq Li YES
to turn on user and group disk quotas on system startup via the
.Xr quotaon 8
command for all file systems marked as having quotas enabled in
.Pa /etc/fstab .
The kernel must be built with
.Cd "options QUOTA"
for disk quotas to function.
.It Va check_quotas
.Pq Vt bool
Set to
.Dq Li YES
to enable user and group disk quota checking via the
.Xr quotacheck 8
command.
.It Va quotacheck_flags
.Pq Vt str
If
.Va quota_enable
is set to
.Dq Li YES ,
and
.Va check_quotas
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr quotacheck 8
utility.
The default is
.Dq Li "-a" ,
which checks quotas for all file systems with quotas enabled in
.Pa /etc/fstab .
.It Va quotaon_flags
.Pq Vt str
If
.Va quota_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr quotaon 8
utility.
The default is
.Dq Li "-a" ,
which enables quotas for all file systems with quotas enabled in
.Pa /etc/fstab .
.It Va quotaoff_flags
.Pq Vt str
If
.Va quota_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr quotaoff 8
utility when shutting down the quota system.
The default is
.Dq Li "-a" ,
which disables quotas for all file systems with quotas enabled in
.Pa /etc/fstab .
.It Va accounting_enable
.Pq Vt bool
Set to
.Dq Li YES
to enable system accounting through the
.Xr accton 8
facility.
.It Va firstboot_sentinel
.Pq Vt str
This variable specifies the full path to a
.Dq first boot
sentinel file.
If a file exists with this path,
.Pa rc.d
scripts with the
.Dq firstboot
keyword will be run on startup and the sentinel file will be deleted
after the boot process completes.
The sentinel file must be located on a writable file system which is
mounted no later than
.Va early_late_divider
to function properly.
The default is
.Pa /firstboot .
.It Va linux_enable
.Pq Vt bool
Set to
.Dq Li YES
to enable Linux/ELF binary emulation at system initial
boot time.
.It Va sysvipc_enable
.Pq Vt bool
If set to
.Dq Li YES ,
load System V IPC primitives at boot time.
.It Va clear_tmp_enable
.Pq Vt bool
Set to
.Dq Li YES
to have
.Pa /tmp
cleaned at startup.
.It Va clear_tmp_X
.Pq Vt bool
Set to
.Dq Li NO
to disable removing of X11 lock files,
and the removal and (secure) recreation
of the various socket directories for X11
related programs.
.It Va ldconfig_paths
.Pq Vt str
Set to the list of shared library paths to use with
.Xr ldconfig 8 .
NOTE:
.Pa /lib
and
.Pa /usr/lib
will always be added first, so they need not appear in this list.
.It Va ldconfig32_paths
.Pq Vt str
Set to the list of 32-bit compatibility shared library paths to
use with
.Xr ldconfig 8 .
.It Va ldconfig_insecure
.Pq Vt bool
The
.Xr ldconfig 8
utility normally refuses to use directories
which are writable by anyone except root.
Set this variable to
.Dq Li YES
to disable that security check during system startup.
.It Va ldconfig_local_dirs
.Pq Vt str
Set to the list of local
.Xr ldconfig 8
directories.
The names of all files in the directories listed will be
passed as arguments to
.Xr ldconfig 8 .
.It Va ldconfig_local32_dirs
.Pq Vt str
Set to the list of local 32-bit compatibility
.Xr ldconfig 8
directories.
The names of all files in the directories listed will be
passed as arguments to
.Dq Nm ldconfig Fl 32 .
3831.It Va kern_securelevel_enable
3832.Pq Vt bool
3833Set to
3834.Dq Li YES
3835to set the kernel security level at system startup.
3836.It Va kern_securelevel
3837.Pq Vt int
3838The kernel security level to set at startup.
3839The allowed range of
3840.Ar value
3841ranges from \-1 (the compile time default) to 3 (the
3842most secure).
3843See
3844.Xr security 7
3845for the list of possible security levels and their effect
3846on system operation.
3847.It Va sshd_program
3848.Pq Vt str
3849Path to the SSH server program
3850.Pa ( /usr/sbin/sshd
3851is the default).
3852.It Va sshd_enable
3853.Pq Vt bool
3854Set to
3855.Dq Li YES
3856to start
3857.Xr sshd 8
3858at system boot time.
3859Note, the
3860.Va sshd_oomprotect
3861variable is set to
3862.Dq Li YES
3863by default in
3864.Pa /etc/defaults/rc.conf .
3865.It Va sshd_flags
3866.Pq Vt str
3867If
3868.Va sshd_enable
3869is set to
3870.Dq Li YES ,
3871these are the flags to pass to the
3872.Xr sshd 8
3873daemon.
3874.It Va ftpd_program
3875.Pq Vt str
3876Path to the FTP server program
3877.Pa ( /usr/libexec/ftpd
3878is the default).
3879.It Va ftpd_enable
3880.Pq Vt bool
3881Set to
3882.Dq Li YES
3883to start
3884.Xr ftpd 8
3885as a stand-alone daemon at system boot time.
3886.It Va ftpd_flags
3887.Pq Vt str
3888If
3889.Va ftpd_enable
3890is set to
3891.Dq Li YES ,
3892these are the additional flags to pass to the
3893.Xr ftpd 8
3894daemon.
3895.It Va watchdogd_enable
3896.Pq Vt bool
3897If set to
3898.Dq Li YES ,
3899start the
3900.Xr watchdogd 8
3901daemon at boot time.
3902This requires that the kernel have been compiled with a
3903.Xr watchdog 4
3904compatible device.
3905.It Va watchdogd_flags
3906.Pq Vt str
3907If
3908.Va watchdogd_enable
3909is set to
3910.Dq Li YES ,
3911these are the flags passed to the
3912.Xr watchdogd 8
3913daemon.
3914.It Va watchdogd_timeout
3915.Pq Vt int
3916If
3917.Va watchdogd_enable
3918is set to
3919.Dq Li YES ,
3920this is a timeout that will be used by the
3921.Xr watchdogd 8
3922daemon.
3923If this option is set, it overrides
3924.Fl t
3925in
3926.Va watchdogd_flags .
3927.It Va watchdogd_shutdown_timeout
3928.Pq Vt int
3929If
3930.Va watchdogd_enable
3931is set to
3932.Dq Li YES ,
3933this is a timeout that will be set by the
3934.Xr watchdogd 8
3935daemon when it exits during the system shutdown.
3936This timeout will not be set when returning to the single-user mode
3937or when the watchdogd service is stopped individually using the
3938.Xr service 8
3939command or the rc.d script.
3940Note that the timeout will be applied if
3941.Xr watchdogd 8
3942is stopped outside of the
3943.Xr rc 8
3944framework.
3945If this option is set, it overrides
3946.Fl x
3947in
3948.Va watchdogd_flags .
3949.It Va devfs_rulesets
3950.Pq Vt str
3951List of files containing sets of rules for
3952.Xr devfs 8 .
3953.It Va devfs_system_ruleset
3954.Pq Vt str
3955Rule name(s) to apply to the system
3956.Pa /dev
3957itself.
3958.It Va devfs_set_rulesets
3959.Pq Vt str
3960Pairs of already-mounted
3961.Pa dev
3962directories and rulesets that should be applied to them.
3963For example: /mount/dev=ruleset_name
3964.It Va devfs_load_rulesets
3965.Pq Vt bool
3966If set, always load the default rulesets listed in
3967.Va devfs_rulesets .
3968.It Va performance_cx_lowest
3969.Pq Vt str
3970CPU idle state to use while on AC power.
3971The string
3972.Dq Li LOW
3973indicates that
3974.Xr acpi 4
3975should use the lowest power state available while
3976.Dq Li HIGH
3977indicates that the lowest latency state (less power savings) should be used.
3978.It Va performance_cpu_freq
3979.Pq Vt str
3980CPU clock frequency to use while on AC power.
3981The string
3982.Dq Li LOW
3983indicates that
3984.Xr cpufreq 4
3985should use the lowest frequency available while
3986.Dq Li HIGH
3987indicates that the highest frequency (less power savings) should be used.
3988.It Va economy_cx_lowest
3989.Pq Vt str
3990CPU idle state to use when off AC power.
3991The string
3992.Dq Li LOW
3993indicates that
3994.Xr acpi 4
3995should use the lowest power state available while
3996.Dq Li HIGH
3997indicates that the lowest latency state (less power savings) should be used.
3998.It Va economy_cpu_freq
3999.Pq Vt str
4000CPU clock frequency to use when off AC power.
4001The string
4002.Dq Li LOW
4003indicates that
4004.Xr cpufreq 4
4005should use the lowest frequency available while
4006.Dq Li HIGH
4007indicates that the highest frequency (less power savings) should be used.
4008.It Va jail_enable
4009.Pq Vt bool
4010If set to
4011.Dq Li NO ,
4012any configured jails will not be started.
4013.It Va jail_conf
4014.Pq Vt str
4015The configuration filename used by the
4016.Xr jail 8
4017utility.
4018The default value is
4019.Pa /etc/jail.conf .
4020.Pa /etc/jail\&. Ns Ao Va jname Ac Ns Pa .conf
4021and
4022.Pa /etc/jail.conf.d/ Ns Ao Va jname Ac Ns Pa .conf
4023will also be used if
4024.Ao Va jname Ac
4025is set in
4026.Va jail_list .
4027.It Va jail_parallel_start
4028.Pq Vt bool
4029If set to
4030.Dq Li YES ,
4031all configured jails will be started in the background (in parallel).
4032.It Va jail_flags
4033.Pq Vt str
4034Unset by default.
4035When set, use as default value for
4036.Va jail_ Ns Ao Ar jname Ac Ns Va _flags
4037for every jail in
4038.Va jail_list .
4039.It Va jail_list
4040.Pq Vt str
4041A space-delimited list of jail names.
4042When left empty, all of the
4043.Xr jail 8
4044instances defined in the configuration file are started.
4045The names specified in this list control the jail startup order.
4046.Xr jail 8
4047instances missing from
4048.Va jail_list
4049must be started manually.
4050Note that a jail's
4051.Va depend
4052parameter in the configuration file may override this list.
4053.It Va jail_reverse_stop
4054.Pq Vt bool
4055When set to
4056.Dq Li YES ,
4057all configured jails in
4058.Va jail_list
4059are stopped in reverse order.
4060.It Va jail_ Ns * variables
4061Note that older releases supported per-jail configuration via
4062.Nm
4063variables.
4064For example,
4065the hostname of a jail named
4066.Li vjail
4067could be set with
4068.Li jail_vjail_hostname .
4069These per-jail configuration variables are now obsolete in favor of the
4070.Xr jail 8
4071configuration file.
4072For backward compatibility,
4073when per-jail configuration variables are defined,
4074.Xr jail 8
4075configuration files are created as
4076.Pa /var/run/jail . Ns Ao Ar jname Ac Ns Pa .conf
4077and used.
4078.Pp
4079The following per-jail parameters are handled by the
4080.Pa rc.d/jail
4081script from their corresponding
4082.Nm
4083variables.
4084In addition to them, parameters in
4085.Va jail_ Ns Ao Ar jname Ac Ns Va _parameters
4086will be added to the configuration file.
4087They must be a semi-colon
4088.Pq Ql \&;
4089delimited list of
4090.Dq key=value .
4091For more details,
4092see the
4093.Xr jail 8
4094manual page.
4095.Bl  -tag -width "host.hostname" -offset indent
4096.It Li path
4097set from
4098.Va jail_ Ns Ao Ar jname Ac Ns Va _rootdir
4099.It Li host.hostname
4100set from
4101.Va jail_ Ns Ao Ar jname Ac Ns Va _hostname
4102.It Li exec.consolelog
4103set from
4104.Va jail_ Ns Ao Ar jname Ac Ns Va _consolelog .
4105The default value is
4106.Pa /var/log/jail_ Ns Ao Ar jname Ac Ns Pa _console.log .
4107.It Li interface
4108set from
4109.Va jail_ Ns Ao Ar jname Ac Ns Va _interface .
4110.It Li vnet.interface
4111set from
4112.Va jail_ Ns Ao Ar jname Ac Ns Va _vnet_interface .
4113This implies that the
4114.Li vnet
4115parameter will be enabled and cannot be specified with
4116.Va jail_ Ns Ao Ar jname Ac Ns Va _interface ,
4117.Va jail_ Ns Ao Ar jname Ac Ns Va _ip
4118and/or
4119.Va jail_ Ns Ao Ar jname Ac Ns Va _ip_multi Ns Aq Ar n
4120at the same time.
4121.It Li fstab
4122set from
4123.Va jail_ Ns Ao Ar jname Ac Ns Va _fstab
4124.It Li mount
4125set from
4126.Va jail_ Ns Ao Ar jname Ac Ns Va _procfs_enable .
4127.It Li exec.fib
4128set from
4129.Va jail_ Ns Ao Ar jname Ac Ns Va _fib
4130.It Li exec.start
4131set from
4132.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_start .
4133The parameter name was
4134.Li command
4135in some older releases.
4136.It Li exec.prestart
4137set from
4138.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_prestart
4139.It Li exec.poststart
4140set from
4141.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_poststart
4142.It Li exec.stop
4143set from
4144.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_stop
4145.It Li exec.prestop
4146set from
4147.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_prestop
4148.It Li exec.poststop
4149set from
4150.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_poststop
4151.It Li ip4.addr
4152set if
4153.Va jail_ Ns Ao Ar jname Ac Ns Va _ip
4154or
4155.Va jail_ Ns Ao Ar jname Ac Ns Va _ip_multi Ns Aq Ar n
4156contain IPv4 addresses
4157.It Li ip6.addr
4158set if
4159.Va jail_ Ns Ao Ar jname Ac Ns Va _ip
4160or
4161.Va jail_ Ns Ao Ar jname Ac Ns Va _ip_multi Ns Aq Ar n
4162contain IPv6 addresses
4163.It Li allow.mount
4164set from
4165.Va jail_ Ns Ao Ar jname Ac Ns Va _mount_enable
4166.It Li mount.devfs
4167set from
4168.Va jail_ Ns Ao Ar jname Ac Ns Va _devfs_enable
4169.It Li devfs_ruleset
4170set from
4171.Va jail_ Ns Ao Ar jname Ac Ns Va _devfs_ruleset .
4172This must be an integer,
4173not a string.
4174.It Li mount.fdescfs
4175set from
4176.Va jail_ Ns Ao Ar jname Ac Ns Va _fdescfs_enable
4177.It Li allow.set_hostname
4178set from
4179.Va jail_ Ns Ao Ar jname Ac Ns Va _set_hostname_allow
4180.It Li allow.rawsocket
4181set from
4182.Va jail_ Ns Ao Ar jname Ac Ns Va _socket_unixiproute_only
4183.It Li allow.sysvipc
4184set from
4185.Va jail_ Ns Ao Ar jname Ac Ns Va _sysvipc_allow
4186.El
4187.\" -----------------------------------------------------
4188.It Va harvest_mask
4189.Pq Vt int
4190Set to a bit-mask
4191representing the entropy sources
4192you wish to harvest.
4193Refer to
4194.Xr random 4
4195for more information.
4196.It Va entropy_dir
4197.Pq Vt str
4198Set to
4199.Dq Li NO
4200to disable caching entropy via
4201.Xr cron 8 .
4202Otherwise set to the directory
4203in which the entropy files are stored.
4204To be useful,
4205there must be
4206a system cron job
4207that regularly writes and rotates
4208files here.
4209All files found
4210will be used at boot time.
4211The default is
4212.Pa /var/db/entropy .
4213.It Va entropy_file
4214.Pq Vt str
4215Set to
4216.Dq Li NO
4217to disable caching entropy through reboots.
4218Otherwise set to the name
4219of a file used to store cached entropy.
4220This file should be located
4221on a file system that is readable
4222before all the volumes specified in
4223.Xr fstab 5
4224are mounted.
4225By default,
4226.Pa /entropy
4227is used,
4228but if
4229.Pa /var/db/entropy-file
4230is found it will also be used.
4231This will be of some use to
4232.Xr bsdinstall 8 .
4233.It Va entropy_boot_file
4234.Pq Vt str
4235Set to
4236.Dq Li NO
4237to disable
4238very early caching entropy
4239through reboots.
4240Otherwise set to the filename
4241used to read
4242very early reboot cached entropy.
4243This file should be located where
4244.Xr loader 8
4245can read it.
4246See also
4247.Xr loader.conf 5 .
4248The default location is
4249.Pa /boot/entropy .
4250.It Va entropy_save_sz
4251.Pq Vt int
4252Size of the entropy cache files saved by
4253.Nm save-entropy
4254periodically.
4255.It Va entropy_save_num
4256.Pq Vt int
4257Number of entropy cache files to save by
4258.Nm save-entropy
4259periodically.
4260.It Va ipsec_enable
4261.Pq Vt bool
4262Set to
4263.Dq Li YES
4264to run
4265.Xr setkey 8
4266on
4267.Va ipsec_file
4268at boot time.
4269.It Va ipsec_file
4270.Pq Vt str
4271Configuration file for
4272.Xr setkey 8 .
4273.It Va dmesg_enable
4274.Pq Vt bool
4275Set to
4276.Dq Li YES
4277to save
4278.Xr dmesg 8
4279to
4280.Pa /var/run/dmesg.boot
4281on boot.
4282.It Va rcshutdown_timeout
4283.Pq Vt int
4284If set, start a watchdog timer in the background which will terminate
4285.Pa rc.shutdown
4286if
4287.Xr shutdown 8
4288has not completed within the specified time (in seconds).
4289Notice that in addition to this soft timeout,
4290.Xr init 8
4291also applies a hard timeout for the execution of
4292.Pa rc.shutdown .
4293This is configured via
4294.Xr sysctl 8
4295variable
4296.Va kern.init_shutdown_timeout
4297and defaults to 120 seconds.
4298Setting the value of
4299.Va rcshutdown_timeout
4300to more than 120 seconds will have no effect until the
4301.Xr sysctl 8
4302variable
4303.Va kern.init_shutdown_timeout
4304is also increased.
4305.It Va virecover_enable
4306.Pq Vt bool
4307Set to
4308.Dq Li NO
4309to prevent the system from trying to
4310recover prematurely terminated
4311.Xr vi 1
4312sessions.
4313.It Va ugidfw_enable
4314.Pq Vt bool
4315Set to
4316.Dq Li YES
4317to load the
4318.Xr mac_bsdextended 4
4319module upon system initialization and load a default
4320ruleset file.
4321.It Va bsdextended_script
4322.Pq Vt str
4323The default
4324.Xr mac_bsdextended 4
4325ruleset file to load.
4326The default value of this variable is
4327.Pa /etc/rc.bsdextended .
4328.It Va newsyslog_enable
4329.Pq Vt bool
4330If set to
4331.Dq Li YES ,
4332run
4333.Xr newsyslog 8
4334command at startup.
4335.It Va newsyslog_flags
4336.Pq Vt str
4337If
4338.Va newsyslog_enable
4339is set to
4340.Dq Li YES ,
4341these are the flags to pass to the
4342.Xr newsyslog 8
4343program.
4344The default is
4345.Dq Li -CN ,
4346which causes log files flagged with a
4347.Cm C
4348to be created.
4349.It Va mdconfig_md Ns Aq Ar X
4350.Pq Vt str
4351Arguments to
4352.Xr mdconfig 8
4353for
4354.Xr md 4
4355device
4356.Ar X .
4357At minimum a
4358.Fl t Ar type
4359must be specified and either a
4360.Fl s Ar size
4361for malloc or swap backed
4362.Xr md 4
4363devices or a
4364.Fl f Ar file
4365for vnode backed
4366.Xr md 4
4367devices.
4368Note that
4369.Va mdconfig_md Ns Aq Ar X
4370variables are evaluated until one variable is unset or null.
4371.It Va mdconfig_md Ns Ao Ar X Ac Ns Va _newfs
4372.Pq Vt str
4373Optional arguments passed to
4374.Xr newfs 8
4375to initialize
4376.Xr md 4
4377device
4378.Ar X .
4379.It Va mdconfig_md Ns Ao Ar X Ac Ns Va _owner
4380.Pq Vt str
4381An ownership specification passed to
4382.Xr chown 8
4383after the specified
4384.Xr md 4
4385device
4386.Ar X
4387has been mounted.
4388Both the
4389.Xr md 4
4390device and the mount point will be changed.
4391.It Va mdconfig_md Ns Ao Ar X Ac Ns Va _perms
4392.Pq Vt str
4393A mode string passed to
4394.Xr chmod 1
4395after the specified
4396.Xr md 4
4397device
4398.Ar X
4399has been mounted.
4400Both the
4401.Xr md 4
4402device and the mount point will be changed.
4403.It Va mdconfig_md Ns Ao Ar X Ac Ns Va _files
4404.Pq Vt str
4405Files to be copied to the mount point of the
4406.Xr md 4
4407device
4408.Ar X
4409after it has been mounted.
4410.It Va mdconfig_md Ns Ao Ar X Ac Ns Va _cmd
4411.Pq Vt str
4412Command to execute after the specified
4413.Xr md 4
4414device
4415.Ar X
4416has been mounted.
4417Note that the command is passed to
4418.Ic eval
4419and that both
4420.Va _dev
4421and
4422.Va _mp
4423variables can be used to reference respectively the
4424.Xr md 4
4425device and the mount point.
4426Assuming that the
4427.Xr md 4
4428device is
4429.Li md0 ,
4430one could set the following:
4431.Bd -literal
4432mdconfig_md0_cmd="tar xfzC /var/file.tgz \e${_mp}"
4433.Ed
4434.It Va autobridge_interfaces
4435.Pq Vt str
4436Set to the list of bridge interfaces that will have newly arriving interfaces
4437checked against to be automatically added.
4438If not set to
4439.Dq Li NO
4440then for each whitespace separated
4441.Ar element
4442in the value, a
4443.Va autobridge_ Ns Aq Ar element
4444variable is assumed to exist which has a whitespace separated list of interface
4445names to match; these names can use wildcards.
4446For example:
4447.Bd -literal
4448autobridge_interfaces="bridge0"
4449autobridge_bridge0="tap* dc0 vlan[345]"
4450.Ed
4451.It Va mixer_enable
4452.Pq Vt bool
4453If set to
4454.Dq Li YES ,
4455enable support for sound mixer.
4456.It Va hcsecd_enable
4457.Pq Vt bool
4458If set to
4459.Dq Li YES ,
4460enable Bluetooth security daemon.
4461.It Va hcsecd_config
4462.Pq Vt str
4463Configuration file for
4464.Xr hcsecd 8 .
4465Default
4466.Pa /etc/bluetooth/hcsecd.conf .
4467.It Va sdpd_enable
4468.Pq Vt bool
4469If set to
4470.Dq Li YES ,
4471enable Bluetooth Service Discovery Protocol daemon.
4472.It Va sdpd_control
4473.Pq Vt str
4474Path to
4475.Xr sdpd 8
4476control socket.
4477Default
4478.Pa /var/run/sdp .
4479.It Va sdpd_groupname
4480.Pq Vt str
4481Sets
4482.Xr sdpd 8
4483group to run as after it initializes.
4484Default
4485.Dq Li nobody .
4486.It Va sdpd_username
4487.Pq Vt str
4488Sets
4489.Xr sdpd 8
4490user to run as after it initializes.
4491Default
4492.Dq Li nobody .
4493.It Va bthidd_enable
4494.Pq Vt bool
4495If set to
4496.Dq Li YES ,
4497enable Bluetooth Human Interface Device daemon.
4498.It Va bthidd_config
4499.Pq Vt str
4500Configuration file for
4501.Xr bthidd 8 .
4502Default
4503.Pa /etc/bluetooth/bthidd.conf .
4504.It Va bthidd_hids
4505.Pq Vt str
4506Path to a file, where
4507.Xr bthidd 8
4508will store information about known HID devices.
4509Default
4510.Pa /var/db/bthidd.hids .
4511.It Va rfcomm_pppd_server_enable
4512.Pq Vt bool
4513If set to
4514.Dq Li YES ,
4515enable Bluetooth RFCOMM PPP wrapper daemon.
4516.It Va rfcomm_pppd_server_profile
4517.Pq Vt str
4518The name of the profile to use from
4519.Pa /etc/ppp/ppp.conf .
4520Multiple profiles can be specified here.
4521Also used to specify per-profile overrides.
4522When the profile name contains any of the characters
4523.Dq Li .-/+
4524they are translated to
4525.Dq Li _
4526for the purposes of the override variable names.
4527.It Va rfcomm_pppd_server_ Ns Ao Ar profile Ac Ns _bdaddr
4528.Pq Vt str
4529Overrides local address to listen on.
4530By default
4531.Xr rfcomm_pppd 8
4532will listen on
4533.Dq Li ANY
4534address.
4535The address can be specified as BD_ADDR or name.
4536.It Va rfcomm_pppd_server_ Ns Ao Ar profile Ac Ns _channel
4537.Pq Vt str
4538Overrides local RFCOMM channel to listen on.
4539By default
4540.Xr rfcomm_pppd 8
4541will listen on RFCOMM channel 1.
4542Must be set properly if multiple profiles are used at the same time.
4543.It Va rfcomm_pppd_server_ Ns Ao Ar profile Ac Ns _register_sp
4544.Pq Vt bool
4545Tells
4546.Xr rfcomm_pppd 8
4547if it should register Serial Port service on the specified RFCOMM channel.
4548Default
4549.Dq Li NO .
4550.It Va rfcomm_pppd_server_ Ns Ao Ar profile Ac Ns _register_dun
4551.Pq Vt bool
4552Tells
4553.Xr rfcomm_pppd 8
4554if it should register Dial-Up Networking service on the specified
4555RFCOMM channel.
4556Default
4557.Dq Li NO .
4558.It Va ubthidhci_enable
4559.Pq Vt bool
4560If set to
4561.Dq Li YES ,
4562change the USB Bluetooth controller from HID mode to HCI mode.
4563You also need to specify the location of USB Bluetooth controller with the
4564.Va ubthidhci_busnum
4565and
4566.Va ubthidhci_addr
4567variables.
4568.It Va ubthidhci_busnum
4569Bus number where the USB Bluetooth controller is located.
4570Check the output of
4571.Xr usbconfig 8
4572on your system to find this information.
4573.It Va ubthidhci_addr
4574Bus address of the USB Bluetooth controller.
4575Check the output of
4576.Xr usbconfig 8
4577on your system to find this information.
4578.It Va utx_enable
4579.Pq Vt bool
4580Set to
4581.Dq Li YES
4582to enable user accounting through the
4583.Xr utx 8
4584facility.
4585.It Va netwait_enable
4586.Pq Vt bool
4587If set to
4588.Dq Li YES ,
4589delays the start of network-reliant services until
4590.Va netwait_if
4591is up and ICMP packets to a destination defined in
4592.Va netwait_ip
4593are flowing.
4594Link state is examined first, followed by
4595.Dq Li pinging
4596an IP address to verify network usability.
4597If no destination can be reached or timeouts are exceeded,
4598network services are started anyway with no guarantee that
4599the network is usable.
4600Use of this variable requires both
4601.Va netwait_ip
4602and
4603.Va netwait_if
4604to be set.
4605.It Va netwait_ip
4606.Pq Vt str
4607Empty by default.
4608This variable contains a space-delimited list of IP addresses to
4609.Xr ping 8 .
4610DNS hostnames should not be used as resolution is not guaranteed
4611to be functional at this point.
4612If multiple IP addresses are specified,
4613each will be tried until one is successful or the list is exhausted.
4614.It Va netwait_timeout
4615.Pq Vt int
4616Indicates the total number of seconds to perform a
4617.Dq Li ping
4618against each IP address in
4619.Va netwait_ip ,
4620at a rate of one ping per second.
4621If any of the pings are successful,
4622full network connectivity is considered reliable.
4623The default is 60.
4624.It Va netwait_if
4625.Pq Vt str
4626Empty by default.
4627Defines the name of the network interface on which to watch for link.
4628.Xr ifconfig 8
4629is used to monitor the interface, looking for
4630.Dq Li status: no carrier .
4631Once gone, the link is considered up.
4632This can be a
4633.Xr vlan 4
4634interface if desired.
4635.It Va netwait_if_timeout
4636.Pq Vt int
4637Defines the total number of seconds to wait for link to become usable,
4638polled at a 1-second interval.
4639The default is 30.
4640.It Va rctl_enable
4641.Pq Vt bool
4642If set to
4643.Dq Li YES ,
4644load
4645.Xr rctl 8
4646rules from the defined ruleset.
4647The kernel must be built with
4648.Cd "options RACCT"
4649and
4650.Cd "options RCTL" .
4651.It Va rctl_rules
4652.Pq Vt str
4653Set to
4654.Pa /etc/rctl.conf
4655by default.
4656This variable contains the
4657.Xr rctl.conf 5
4658ruleset to load for
4659.Xr rctl 8 .
4660.It Va iovctl_files
4661.Pq Vt str
4662A space-separated list of configuration files used by
4663.Xr iovctl 8 .
4664The default value is an empty string.
4665.It Va autofs_enable
4666.Pq Vt bool
4667If set to
4668.Dq Li YES ,
4669start the
4670.Xr automount 8
4671utility and the
4672.Xr automountd 8
4673and
4674.Xr autounmountd 8
4675daemons at boot time.
4676.It Va automount_flags
4677.Pq Vt str
4678If
4679.Va autofs_enable
4680is set to
4681.Dq Li YES ,
4682these are the flags to pass to the
4683.Xr automount 8
4684program.
4685By default no flags are passed.
4686.It Va automountd_flags
4687.Pq Vt str
4688If
4689.Va autofs_enable
4690is set to
4691.Dq Li YES ,
4692these are the flags to pass to the
4693.Xr automountd 8
4694daemon.
4695By default no flags are passed.
4696.It Va autounmountd_flags
4697.Pq Vt str
4698If
4699.Va autofs_enable
4700is set to
4701.Dq Li YES ,
4702these are the flags to pass to the
4703.Xr autounmountd 8
4704daemon.
4705By default no flags are passed.
4706.It Va ctld_enable
4707.Pq Vt bool
4708If set to
4709.Dq Li YES ,
4710start the
4711.Xr ctld 8
4712daemon at boot time.
4713.It Va iscsid_enable
4714.Pq Vt bool
4715If set to
4716.Dq Li YES ,
4717start the
4718.Xr iscsid 8
4719daemon at boot time.
4720.It Va iscsictl_enable
4721.Pq Vt bool
4722If set to
4723.Dq Li YES ,
4724start the
4725.Xr iscsictl 8
4726utility at boot time.
4727.It Va iscsictl_flags
4728.Pq Vt str
4729If
4730.Va iscsictl_enable
4731is set to
4732.Dq Li YES ,
4733these are the flags to pass to the
4734.Xr iscsictl 8
4735program.
4736The default is
4737.Dq Li -Aa ,
4738which configures sessions based on the
4739.Pa /etc/iscsi.conf
4740configuration file.
4741.It Va cfumass_enable
4742.Pq Vt bool
4743If set to
4744.Dq Li YES ,
4745create and export a USB LUN using
4746.Xr cfumass 4
4747at boot time.
4748.It Va cfumass_dir
4749.Pq Vt str
4750The directory where the files exported by USB LUN are located.
4751The default directory is
4752.Pa /var/cfumass .
4753.It Va service_delete_empty
4754.Pq Vt bool
4755If set to
4756.Dq Li YES ,
4757.Ql Li service delete
4758removes empty
4759.Dq Li rc.conf.d
4760files.
4761.It Va zfs_bootonce_activate
4762.Pq Vt bool
4763If set to
4764.Dq Li YES ,
4765and a boot environment marked bootonce is successfully booted,
4766it will be made permanently active.
4767.It Va zfskeys_enable
4768.Pq Vt bool
4769If set to
4770.Dq Li YES ,
4771enable auto-loading of encryption keys for encrypted ZFS datasets.
4772For every dataset the script will first load the appropriate encryption key
4773and then attempt to unlock the dataset.
4774.Pp
4775The script operates only on datasets which are encrypted with
4776ZFS native encryption
4777and have a ZFS
4778.Dq Li keylocation
4779dataset property beginning with
4780.Dq Li file:// .
4781.It Va zfskeys_datasets
4782.Pq Vt str
4783A whitespace-separated list of ZFS datasets to unlock.
4784The list is empty by default,
4785which means that the script will attempt to unlock all datasets.
4786.It Va zfskeys_timeout
4787.Pq Vt int
4788Define the total number of seconds to wait for the zfskeys script
4789to unlock an encrypted dataset.
4790The default is 10.
4791.It Va sendmail_enable
4792.Pq Vt str
4793If set to
4794.Dq Li YES ,
4795run the
4796.Xr sendmail 8
4797daemon at system boot time.
4798If set to
4799.Dq Li NO ,
4800do not run a
4801.Xr sendmail 8
4802daemon to listen for incoming network mail.
4803This does not preclude a
4804.Xr sendmail 8
4805daemon listening on the SMTP port of the loopback interface.
4806The
4807.Dq Li NONE
4808option sets each
4809.Va sendmail_enable ,
4810.Va sendmail_submit_enable ,
4811.Va sendmail_outbound_enable ,
4812.Va sendmail_msp_queue_enable
4813to
4814.Dq Li NO .
4815.It Va sendmail_cert_create
4816.Pq Vt str
4817If
4818.Va sendmail_enable
4819is set to
4820.Dq Li YES ,
4821create a signed certificate
4822.Pa /etc/mail/certs/host.cert
4823representing
4824.Pa /etc/mail/certs/host.key
4825by the CA certificate in
4826.Pa /etc/mail/certs/cacert.pem .
4827This will enable connecting hosts to negotiate STARTTLS allowing incoming
4828email to be encrypted in transit.
4829.Xr sendmail 8
4830needs to be configured to use these generated files.
4831The default configuration in
4832.Pa /etc/mail/freebsd.mc
4833has the required options in it.
4834.It Va sendmail_cert_cn
4835.Pq Vt str
4836If
4837.Va sendmail_enable
4838is set to
4839.Dq Li YES
4840and
4841.Va sendmail_cert_create
4842is set to
4843.Dq Li YES ,
4844this is the Common Name (CN) of the certificate that will be created.
4845If
4846.Va sendmail_cert_cn
4847is not set, the system's hostname will be used.
4848If there is no hostname set,
4849.Dq Li amnesiac
4850will be used.
4851.It Va sendmail_flags
4852.Pq Vt str
4853If
4854.Va sendmail_enable
4855is set to
4856.Dq Li YES ,
4857these are the flags to pass to the
4858.Xr sendmail 8
4859daemon.
4860.It Va sendmail_submit_enable
4861.Pq Vt bool
4862If set to
4863.Dq Li YES
4864and
4865.Va sendmail_enable
4866is set to
4867.Dq Li NO ,
4868run
4869.Xr sendmail 8
4870using
4871.Va sendmail_submit_flags
4872instead of
4873.Va sendmail_flags .
4874This is intended to allow local mail submission via
4875a localhost-only listening SMTP service required for running
4876.Xr sendmail 8
4877as a non-set-user-ID binary.
4878Note that this does not work inside
4879.Xr jail 2
4880systems, as jails do not allow binding to just the localhost interface.
4881.It Va sendmail_submit_flags
4882.Pq Vt str
4883If
4884.Va sendmail_enable
4885is set to
4886.Dq Li NO
4887and
4888.Va sendmail_submit_enable
4889is set to
4890.Dq Li YES ,
4891these are the flags to pass to the
4892.Xr sendmail 8
4893daemon.
4894.It Va sendmail_outbound_enable
4895.Pq Vt bool
4896If set to
4897.Dq Li YES
4898and both
4899.Va sendmail_enable
4900and
4901.Va sendmail_submit_enable
4902are set to
4903.Dq Li NO ,
4904run
4905.Xr sendmail 8
4906using
4907.Va sendmail_outbound_flags
4908instead of
4909.Va sendmail_flags .
4910This is intended to allow local mail queue management
4911for systems that do not offer a listening SMTP service.
4912.It Va sendmail_outbound_flags
4913.Pq Vt str
4914If both
4915.Va sendmail_enable
4916and
4917.Va sendmail_submit_enable
4918are set to
4919.Dq Li NO
4920and
4921.Va sendmail_outbound_enable
4922is set to
4923.Dq Li YES ,
4924these are the flags to pass to the
4925.Xr sendmail 8
4926daemon.
4927.It Va sendmail_msp_queue_enable
4928.Pq Vt bool
4929If set to
4930.Dq Li YES ,
4931start a client (MSP) queue runner
4932.Xr sendmail 8
4933daemon at system boot time.
4934As of sendmail 8.12, a separate queue is used for command line
4935submissions.
4936The client queue runner ensures that nothing is
4937left behind in the submission queue.
4938.It Va sendmail_msp_queue_flags
4939.Pq Vt str
4940If
4941.Va sendmail_msp_queue_enable
4942is set to
4943.Dq Li YES ,
4944these are the flags to pass to the
4945.Xr sendmail 8
4946daemon.
4947.El
4948.Sh SERVICE JAILS
4949The service jails part of the rc system automatically puts a service
4950into a jail.
4951This jail inherits the filesystem and various other parts of the
4952parent (if you allow child-jails in your jails, service jails
4953can be used in jails) depending on the content of the
4954.Ao Ar name Ac Ns Va _svcj_options
4955variable.
4956Typically this variable is set inside rc scripts, but it can be
4957overridden in the rc config.
4958Valid options for
4959.Ao Ar name Ac Ns Va _svcj_options
4960are:
4961.Bl -tag -width indent-two
4962.It mlock
4963Allows locking memory pages into physical memory.
4964.It netv4
4965Inherits the IPv4 address and allows opening reserved ports.
4966This cannot be combined with
4967.Pa netv6 .
4968.It netv6
4969Inherits the IPv6 address and allows opening reserved ports.
4970This cannot be combined with
4971.Pa netv4 .
4972.It net_basic
4973Inherits the IPv4 and IPv6 addresses and allows opening
4974reserved ports.
4975.It net_raw
4976Allows opening raw sockets.
4977This option can be combined with
4978.Pa netv4 ,
4979.Pa netv6 ,
4980.Pa net_basic .
4981.It net_all
4982Inherits the IPv4 and IPv6 addresses, allows opening reserved
4983ports, allows opening raw sockets, and allows opening sockets
4984of protocol stacks that have not had jail functionality added
4985to them.
4986.It nfsd
4987Allows running nfsd and affiliated daemons.
4988.It sysvipc
4989Inherits the SysV semaphores, SysV shared memory and
4990SysV messages from the host or the parent jail.
4991.It sysvipcnew
4992Creates a new namespace for SysV semaphores, SysV shared memory
4993and SysV messages for this particular service jail.
4994.It vmm
4995Allows access to
4996.Xr vmm 4 .
4997This option is only available when
4998.Xr vmm 4
4999is enabled in the kernel.
5000.El
5001.Pp
5002All non-network options can be combined with all other options.
5003Only one of the SysV options can be specified.
5004.Pp
5005If the
5006.Ao Ar name Ac Ns Va _svcj
5007variable is set to
5008.Dq Li YES ,
5009this particular service is started in a
5010service jail named
5011.Va svcj- Ns Ar name .
5012
5013The
5014.Va svcj_all_enable
5015variable allows to enable service jails for all services of the
5016system at once.
5017Services which have
5018.Ao Ar name Ac Ns Va _svcj
5019set to
5020.Dq Li NO
5021are excluded.
5022Some services may set
5023.Ao Ar name Ac Ns Va _svcj
5024to
5025.Dq Li NO
5026in the script to either prevent service jails for this
5027service at all, or may set it to
5028.Dq Li NO
5029if it is not set in the
5030rc config, to exclude it from
5031.Va svcj_all_enable
5032but allow to explicitely enable it.
5033The sshd service for example would not see other jails, if
5034it would run as a service jail.
5035This may or may not be what is needed, and as such it is
5036excluded from
5037.Va svcj_all_enable
5038but can be enabled via setting
5039.Va sshd_svcj
5040to
5041.Dq Li YES .
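.Pp
The combination rules above can be checked before a configuration is deployed.
The following sh script is an added example, not part of this manual page or of the rc system; the function names, the SVCJ_SAMPLE variable and the alpha, beta and gamma service names are assumptions made for illustration, and it only handles double-quoted, unindented assignments.

```sh
#!/bin/sh
# Hypothetical helpers for this example; not part of rc.subr(8).
# Check one <name>_svcj_options value: print problems, return 0 if valid.
svcj_check_options()
{
	_rc=0 _v4=0 _v6=0 _ipc=0 _ipcnew=0
	# Refuse glob characters before the value is word-split below.
	case $1 in
	*'*'*|*'?'*|*'['*) echo "glob characters not allowed"; return 1 ;;
	esac
	for _o in $1; do
		case $_o in
		netv4) _v4=1 ;;
		netv6) _v6=1 ;;
		sysvipc) _ipc=1 ;;
		sysvipcnew) _ipcnew=1 ;;
		mlock|net_basic|net_raw|net_all|nfsd|vmm) ;;
		*) echo "unknown option: $_o"; _rc=1 ;;
		esac
	done
	[ $((_v4 + _v6)) -lt 2 ] || { echo "netv4 and netv6 cannot be combined"; _rc=1; }
	[ $((_ipc + _ipcnew)) -lt 2 ] || { echo "only one SysV option allowed"; _rc=1; }
	return $_rc
}

# Check each <name>_svcj_options="..." line on stdin; return the number invalid.
svcj_audit_conf()
{
	_bad=0
	while IFS= read -r _line; do
		case $_line in
		[a-zA-Z_]*_svcj_options=*) ;;
		*) continue ;;
		esac
		_var=${_line%%=*} _val=${_line#*=}
		_val=${_val#\"}; _val=${_val%\"}
		if ! _msg=$(svcj_check_options "$_val"); then
			echo "$_var: $_msg"
			_bad=$((_bad + 1))
		fi
	done
	return $_bad
}

# Constructed sample input; alpha, beta and gamma are made-up service names.
SVCJ_SAMPLE='alpha_svcj_options="net_basic mlock"
beta_svcj_options="netv4 netv6 sysvipc"
gamma_svcj_options="net_raw sysvipc sysvipcnew"'
printf '%s\n' "$SVCJ_SAMPLE" | svcj_audit_conf || true
```

Feeding it a real configuration file on standard input, for example /etc/rc.conf, reports each offending variable together with the rule it breaks.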
.Sh FILES
.Bl -tag -width "/etc/defaults/rc.conf" -compact
.It Pa /etc/defaults/rc.conf
.It Pa /etc/defaults/vendor.conf
.It Pa /etc/rc.conf
.It Pa /etc/rc.conf.local
.It Pa /etc/rc.conf.d/
.El
.Sh SEE ALSO
.Xr chmod 1 ,
.Xr cpuset 1 ,
.Xr gdb 1 Pq Pa ports/devel/gdb ,
.Xr kbdcontrol 1 ,
.Xr limits 1 ,
.Xr protect 1 ,
.Xr sh 1 ,
.Xr umask 1 ,
.Xr uuidgen 1 ,
.Xr vi 1 ,
.Xr vidcontrol 1 ,
.Xr bridge 4 ,
.Xr dummynet 4 ,
.Xr ip 4 ,
.Xr ipf 4 ,
.Xr ipfw 4 ,
.Xr ipnat 4 ,
.Xr kld 4 ,
.Xr pf 4 ,
.Xr pflog 4 ,
.Xr pfsync 4 ,
.Xr tcp 4 ,
.Xr udp 4 ,
.Xr exports 5 ,
.Xr fstab 5 ,
.Xr ipf 5 ,
.Xr ipnat 5 ,
.Xr jail.conf 5 ,
.Xr loader.conf 5 ,
.Xr login.conf 5 ,
.Xr motd 5 ,
.Xr newsyslog.conf 5 ,
.Xr pf.conf 5 ,
.Xr firewall 7 ,
.Xr growfs 7 ,
.Xr security 7 ,
.Xr tuning 7 ,
.Xr accton 8 ,
.Xr apm 8 ,
.Xr bsdinstall 8 ,
.Xr bthidd 8 ,
.Xr chkprintcap 8 ,
.Xr chown 8 ,
.Xr cron 8 ,
.Xr devfs 8 ,
.Xr dhclient 8 ,
.Xr ftpd 8 ,
.Xr geli 8 ,
.Xr hcsecd 8 ,
.Xr ifconfig 8 ,
.Xr inetd 8 ,
.Xr iovctl 8 ,
.Xr ipf 8 ,
.Xr ipfw 8 ,
.Xr ipnat 8 ,
.Xr jail 8 ,
.Xr kldxref 8 ,
.Xr loader 8 ,
.Xr lpd 8 ,
.Xr makewhatis 8 ,
.Xr mdconfig 8 ,
.Xr mdmfs 8 ,
.Xr mixer 8 ,
.Xr mountd 8 ,
.Xr moused 8 ,
.Xr newfs 8 ,
.Xr newsyslog 8 ,
.Xr nfsd 8 ,
.Xr ntpd 8 ,
.Xr ntpdate 8 ,
.Xr pfctl 8 ,
.Xr pflogd 8 ,
.Xr ping 8 ,
.Xr powerd 8 ,
.Xr quotacheck 8 ,
.Xr quotaon 8 ,
.Xr rc 8 ,
.Xr rc.subr 8 ,
.Xr rcorder 8 ,
.Xr rfcomm_pppd 8 ,
.Xr route 8 ,
.Xr route6d 8 ,
.Xr routed 8 ,
.Xr rpc.lockd 8 ,
.Xr rpc.statd 8 ,
.Xr rpc.tlsclntd 8 ,
.Xr rpc.tlsservd 8 ,
.Xr rpcbind 8 ,
.Xr rwhod 8 ,
.Xr savecore 8 ,
.Xr sdpd 8 ,
.Xr sendmail 8 ,
.Xr service 8 ,
.Xr sshd 8 ,
.Xr swapon 8 ,
.Xr sysctl 8 ,
.Xr syslogd 8 ,
.Xr sysrc 8 ,
.Xr unbound 8 ,
.Xr usbconfig 8 ,
.Xr utx 8 ,
.Xr wlandebug 8 ,
.Xr yp 8 ,
.Xr ypbind 8 ,
.Xr ypserv 8 ,
.Xr ypset 8
.Sh HISTORY
The
.Nm
file appeared in
.Fx 2.2.2 .
.Sh AUTHORS
.An Jordan K. Hubbard .