.\" Copyright (c) 1995
.\" Jordan K. Hubbard
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd November 14, 2025
.Dt RC.CONF 5
.Os
.Sh NAME
.Nm rc.conf
.Nd system configuration information
.Sh DESCRIPTION
The file
.Nm
contains descriptive information about the local host name, configuration
details for any potential network interfaces and which services should be
started up at system initial boot time.
In new installations, the
.Nm
file is generally initialized by the system installation utility.
.Pp
The purpose of
.Nm
is not to run commands or perform system startup actions
directly.
Instead, it is included by the
various generic startup scripts in
.Pa /etc
which conditionalize their
internal actions according to the settings found there.
.Pp
The
.Pa /etc/rc.conf
file is included from the file
.Pa /etc/defaults/rc.conf ,
which specifies the default settings for all the available options.
Options need only be specified in
.Pa /etc/rc.conf
when the system administrator wishes to override these defaults.
The file
.Pa /etc/defaults/vendor.conf
allows vendors to override
.Fx
defaults.
The file
.Pa /etc/rc.conf.local
is used to override settings in
.Pa /etc/rc.conf
for historical reasons.
.Pp
The
.Xr sysrc 8
command provides a scripting interface to modify system
config files.
.Pp
In addition to
.Pa /etc/rc.conf.local
you can also place smaller configuration files for each
.Xr rc 8
script in the
.Pa /etc/rc.conf.d
directory or
.Ao Ar dir Ac Ns Pa /rc.conf.d
directories (where
.Ao Ar dir Ac
is each entry specified in
.Va local_startup ,
but with any trailing
.Pa /rc.d
stripped),
which will be included by the
.Va load_rc_config
function.
For jail configurations you could use the file
.Pa /etc/rc.conf.d/jail
to store jail-specific configuration options.
If
.Va local_startup
contains
.Pa /usr/local/etc/rc.d
and
.Pa /opt/conf ,
.Pa /usr/local/etc/rc.conf.d/jail
and
.Pa /opt/conf/rc.conf.d/jail
will be loaded.
If
.Ao Ar dir Ac Ns Pa /rc.conf.d/ Ns Ao Ar name Ac
is a directory then all of the files in the directory will be loaded.
See also the
.Va rc_conf_files
variable below.
.Pp
Options are set with
.Dq Ar name Ns Li = Ns Ar value
assignments that use
.Xr sh 1
syntax.
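.Pp
The rc.conf.d lookup described above, as an added example that is not part of the original manual page or of the FreeBSD rc scripts: it lists the files that would be loaded for a service and reports any that are not owned by the expected uid or are writable by group or other, since these files are read as sh(1) code at startup.
The function names, the prefix argument and the sample tree are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: not part of rc.conf(5) or of the FreeBSD rc scripts.
# Resolves the per-service files the rc.conf.d lookup would load and flags
# any that a non-root account could change (they are read as sh(1) code).

# Print the rc.conf.d directories, one per line: /etc/rc.conf.d, then
# <dir>/rc.conf.d for each local_startup entry with a trailing /rc.d removed.
#   $1 local_startup value
#   $2 prefix for a mounted image or test tree (hypothetical; empty = live)
rc_conf_d_dirs() {
    _startup_list=$1 _root=${2:-}
    printf '%s\n' "$_root/etc/rc.conf.d"
    for _d in $_startup_list; do
        printf '%s\n' "$_root${_d%/rc.d}/rc.conf.d"
    done
}

# Print the files loaded for service $1: <dir>/rc.conf.d/<name> itself, or
# every regular file inside it when it is a directory.
rc_conf_d_files() {
    _name=$1
    rc_conf_d_dirs "$2" "${3:-}" | while IFS= read -r _dir; do
        if [ -d "$_dir/$_name" ]; then
            for _f in "$_dir/$_name"/*; do
                if [ -f "$_f" ]; then printf '%s\n' "$_f"; fi
            done
        elif [ -f "$_dir/$_name" ]; then
            printf '%s\n' "$_dir/$_name"
        fi
    done
}

# Print a finding when $1 is not owned by uid $2 (default 0) or is writable
# by group or other. Mode and owner come from "ls -ldnL".
audit_path() {
    _path=$1 _want=${2:-0}
    _info=$(ls -ldnL -- "$_path" 2>/dev/null | awk '{ print $1, $3; exit }')
    if [ -z "$_info" ]; then return 0; fi
    _mode=${_info% *} _uid=${_info#* }
    if [ "$_uid" != "$_want" ]; then
        printf 'INSECURE %s: owned by uid %s, expected %s\n' "$_path" "$_uid" "$_want"
    fi
    case $_mode in
        ?????w*|????????w*)
            printf 'INSECURE %s: writable by group or other (%s)\n' "$_path" "$_mode" ;;
    esac
    return 0
}

# Audit every directory and file involved in loading service $1.
#   $2 local_startup, $3 prefix (hypothetical), $4 expected owner uid
audit_service() {
    _svc=$1 _startup=$2 _prefix=${3:-} _owner=${4:-0}
    rc_conf_d_dirs "$_startup" "$_prefix" | while IFS= read -r _cdir; do
        for _item in "$_cdir" "$_cdir/$_svc"; do
            if [ -d "$_item" ]; then audit_path "$_item" "$_owner"; fi
        done
    done
    rc_conf_d_files "$_svc" "$_startup" "$_prefix" | while IFS= read -r _item; do
        audit_path "$_item" "$_owner"
    done
}

# Constructed sample tree mirroring the local_startup example in the text;
# two files are deliberately left group- or other-writable.
make_sample_tree() {
    mkdir -p "$1/etc/rc.conf.d" "$1/usr/local/etc/rc.conf.d" \
        "$1/opt/conf/rc.conf.d/jail"
    for _s in etc/rc.conf.d/jail usr/local/etc/rc.conf.d/jail \
        opt/conf/rc.conf.d/jail/10-base opt/conf/rc.conf.d/jail/20-site; do
        printf '# constructed sample\n' > "$1/$_s"
        chmod 644 "$1/$_s"
    done
    chmod 755 "$1/etc/rc.conf.d" "$1/usr/local/etc/rc.conf.d" \
        "$1/opt/conf/rc.conf.d" "$1/opt/conf/rc.conf.d/jail"
    chmod 664 "$1/usr/local/etc/rc.conf.d/jail"
    chmod 646 "$1/opt/conf/rc.conf.d/jail/20-site"
}

# Demonstration on the constructed tree; the expected owner is the current
# uid here, and 0 (the default) on a real system.
demo_root=$(mktemp -d)
make_sample_tree "$demo_root"
rc_conf_d_files jail "/usr/local/etc/rc.d /opt/conf" "$demo_root"
audit_service jail "/usr/local/etc/rc.d /opt/conf" "$demo_root" "$(id -u)"
rm -rf "$demo_root"
```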
The following list provides a name and short description for each
variable that can be set in the
.Nm
file:
.Bl -tag -width indent-two
.It Va rc_debug
.Pq Vt bool
If set to
.Dq Li YES ,
enable output of debug messages from rc scripts.
This variable can be helpful in diagnosing mistakes when
editing or integrating new scripts.
Beware that this produces copious output to the terminal and
.Xr syslog 3 .
.It Va rc_info
.Pq Vt bool
If set to
.Dq Li NO ,
disable informational messages from the rc scripts.
Informational messages are displayed when
a condition that is not serious enough to warrant a warning or
an error occurs.
.It Va rc_startmsgs
.Pq Vt bool
If set to
.Dq Li YES ,
show
.Dq Starting foo:
when faststart is used (e.g., at boot time).
.It Va early_late_divider
.Pq Vt str
The name of the script that should be used as the
delimiter between the
.Dq early
and
.Dq late
stages of the boot process.
The early stage should contain all the services needed to
get the disks (local or remote) mounted so that the late
stage can include scripts contained in the directories
listed in the
.Va local_startup
variable (see below).
Thus, the two likely candidates for this value are
.Pa mountcritlocal
for the typical system, and
.Pa mountcritremote
if the system needs remote file
systems mounted to get access to the
.Va local_startup
directories; for example when
.Pa /usr/local
is NFS mounted.
For
.Pa rc.conf
within a
.Xr jail 8
.Pa NETWORKING
is likely to be an appropriate value.
Extreme care should be taken when changing this value,
and before changing it one should ensure that there are
adequate provisions to recover from a failed boot
(such as physical contact with the machine,
or reliable remote console access).
.It Va always_force_depends
.Pq Vt bool
Various
.Pa rc.d
scripts use the force_depend function to check whether required
services are already running, and to start them if necessary.
By default during boot time this check is bypassed if the
required service is enabled in
.Pa /etc/rc.conf[.local] .
Setting this option will bypass that check at boot time and
always test whether or not the service is actually running.
Enabling this option is likely to increase your boot time if
services are enabled that utilize the force_depend check.
.It Ao Ar name Ac Ns Va _audit_user
.Pq Vt str
A user name or UID to use as the
.Xr audit 4
user for the service.
By default, when an unprivileged user restarts a service using a utility
such as sudo or doas, the service's audit session will point to the
unprivileged user, which may be undesirable.
In that case, this variable can be used to override the audit user using
.Xr setaudit 8 .
.It Ao Ar name Ac Ns Va _chroot
.Pq Vt str
.Xr chroot 8
to this directory before running the service.
.It Ao Ar name Ac Ns Va _cpuset
.Pq Vt str
A list of CPUs to run the service on.
Passed to
.Xr cpuset 1
using the
.Fl l
flag.
.It Ao Ar name Ac Ns Va _fib
.Pq Vt int
The
.Xr setfib 1
value to run the service under.
.It Ao Ar name Ac Ns Va _group
.Pq Vt str
Run the chrooted service under this system group.
Unlike the
.Ao Ar name Ac Ns Va _user
setting, this setting has no effect if the service is not chrooted.
.It Ao Ar name Ac Ns Va _limits
.Pq Vt str
Resource limits to apply to the service using
.Xr limits 1 .
By default, resource limits are based on the login class defined in
.Ao Ar name Ac Ns Va _login_class .
.It Ao Ar name Ac Ns Va _login_class
.Pq Vt str
Login class to be used with
.Ao Ar name Ac Ns Va _limits .
Defaults to
.Dq Li daemon .
.It Ao Ar name Ac Ns Va _nice
.Pq Vt int
The
.Xr nice 1
value to run the service under.
.It Ao Ar name Ac Ns Va _oomprotect
.Pq Vt str
Use
.Xr protect 1
to prevent the service from being killed when swap space
is exhausted.
Use
.Dq Li YES
to protect only the service itself, and
.Dq Li ALL
to protect the service and all its child processes.
.Pp
Please note that rc scripts which redefine
.Dl ${argument}_cmd
.Pq see Xr rc.subr 8
such as PostgreSQL will not inherit the OOM killer protection.
.Pp
This variable has no effect on services running within a
.Xr jail 8 .
.It Ao Ar name Ac Ns Va _setup
.Pq Vt str
Run the specified setup script right before starting the actual service
command.
Useful for automatic configuration file generation.
.It Ao Ar name Ac Ns Va _umask
.Pq Vt int
Run the service using this
.Xr umask 1
value.
.It Ao Ar name Ac Ns Va _user
.Pq Vt str
Run the service under this user account.
.It Ao Ar name Ac Ns Va _svcj
.Pq Vt bool
If set to
.Dq Li YES ,
auto-jail the service with inherited filesystem and other
jail properties depending on
.Ao Ar name Ac Ns Va _svcj_options .
.It Ao Ar name Ac Ns Va _svcj_ipaddrs
.Pq Vt str
A list of IP addresses that the service jail will be permitted to use.
If this is not specified, the service jail will be permitted to use all
assigned IP addresses if networking is enabled in the jail.
.It Ao Ar name Ac Ns Va _svcj_options
.Pq Vt str
A list of jail properties for the service.
See
.Sx SERVICE JAILS
for a list of valid properties.
.It Va apm_enable
.Pq Vt bool
If set to
.Dq Li YES ,
enable support for Automatic Power Management with
the
.Xr apm 8
command.
.It Va apmd_enable
.Pq Vt bool
Run
.Xr apmd 8
to handle APM events from userland.
This also enables support for APM.
.It Va apmd_flags
.Pq Vt str
If
.Va apmd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr apmd 8
daemon.
.It Va devd_enable
.Pq Vt bool
Run
.Xr devd 8
to handle device added, removed or unknown events from the kernel.
.It Va ddb_enable
.Pq Vt bool
Run
.Xr ddb 8
to install
.Xr ddb 4
scripts at boot time.
.It Va ddb_config
.Pq Vt str
Configuration file for
.Xr ddb 8 .
Default
.Pa /etc/ddb.conf .
.It Va devmatch_enable
.Pq Vt bool
If set to
.Dq Li NO ,
disable auto-loading of kernel modules with
.Xr devmatch 8 .
.It Va devmatch_blocklist
.Pq Vt str
A whitespace-separated list of kernel modules to be ignored by
.Xr devmatch 8 .
In addition, the
.Xr kenv 1
.Va devmatch_blocklist
is appended to this variable to allow disabling of
.Xr devmatch 8
loaded modules from the boot loader.
.It Va devmatch_blacklist
.Pq Vt str
This variable is deprecated.
Use
.Va devmatch_blocklist
instead.
A whitespace-separated list of kernel modules to be ignored by
.Xr devmatch 8 .
.It Va kld_list
.Pq Vt str
A whitespace-separated list of kernel modules to load right after
the local disks are mounted, without any
.Pa .ko
extension or path.
.It Va kldxref_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Set to
.Dq Li YES
to automatically rebuild
.Pa linker.hints
files with
.Xr kldxref 8
at boot time.
.It Va kldxref_clobber
.Pq Vt bool
Set to
.Dq Li NO
by default.
If
.Va kldxref_enable
is true,
setting to
.Dq Li YES
will overwrite existing
.Pa linker.hints
files at boot time.
Otherwise,
only missing
.Pa linker.hints
files are generated.
.It Va kldxref_module_path
.Pq Vt str
Empty by default.
A semi-colon
.Pq Ql \&;
delimited list of paths containing
.Xr kld 4
modules.
If empty,
the contents of the
.Va kern.module_path
.Xr sysctl 8
are used.
.It Va powerd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
enable the system power control facility with the
.Xr powerd 8
daemon.
.It Va powerd_flags
.Pq Vt str
If
.Va powerd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr powerd 8
daemon.
.It Va svcj_all_enable
Enable auto-jailing of all services which are not explicitly
excluded.
See
.Sx SERVICE JAILS
for more info.
.It Va tmpmfs
Controls the creation of a
.Pa /tmp
memory file system.
Always happens if set to
.Dq Li YES
and never happens if set to
.Dq Li NO .
If set to anything else, a memory file system is created if
.Pa /tmp
is not writable.
.It Va tmpsize
Controls the size of a created
.Pa /tmp
memory file system.
.It Va tmpmfs_flags
Extra options passed to the
.Xr mdmfs 8
utility when the memory file system for
.Pa /tmp
is created.
The default is
.Dq Li "-S" ,
which inhibits the use of softupdates on
.Pa /tmp
so that file system space is freed without delay
after file truncation or deletion.
See
.Xr mdmfs 8
for other options you can use in
.Va tmpmfs_flags .
.It Va varmfs
Controls the creation of a
.Pa /var
memory file system.
Always happens if set to
.Dq Li YES
and never happens if set to
.Dq Li NO .
If set to anything else, a memory file system is created if
.Pa /var
is not writable.
.It Va varsize
Controls the size of a created
.Pa /var
memory file system.
.It Va varmfs_flags
Extra options passed to the
.Xr mdmfs 8
utility when the memory file system for
.Pa /var
is created.
The default is
.Dq Li "-S" ,
which inhibits the use of softupdates on
.Pa /var
so that file system space is freed without delay
after file truncation or deletion.
See
.Xr mdmfs 8
for other options you can use in
.Va varmfs_flags .
.It Va populate_var
Controls the automatic population of the
.Pa /var
file system.
Always happens if set to
.Dq Li YES
and never happens if set to
.Dq Li NO .
If set to anything else, a memory file system is created if
.Pa /var
is not writable.
Note that this process requires access to certain commands in
.Pa /usr
before
.Pa /usr
is mounted on normal systems.
.It Va cleanvar_enable
.Pq Vt bool
Clean the
.Pa /var
directory.
.It Va var_run_enable
.Pq Vt bool
Set to "YES" to enable saving of the
.Pa /var/run
directory structure into an mtree file at shutdown and the reload of the
.Pa /var/run
directory structure at boot.
.It Va var_run_autosave
.Pq Vt bool
In some cases it may be undesirable to save
.Pa /var/run
at shutdown.
When set to "NO"
.Pa /var/run
is loaded at reboot but not saved at shutdown.
Typically in this scenario
.Ql service var_run save
would be performed to save a copy of the
.Pa /var/run
directory structure once, to be reloaded during all subsequent reboots.
.It Va var_run_mtree
.Pq Vt str
Where to save the
.Pa /var/run
mtree.
The default location is
.Pa /var/db/mtree/BSD.var-run.mtree .
.It Va local_startup
.Pq Vt str
List of directories to search for startup script files.
.It Va script_name_sep
.Pq Vt str
The field separator to use for breaking down the list of startup script files
into individual filenames.
The default is a space.
It is not necessary to change this unless there are startup scripts with names
containing spaces.
.It Va hostapd_enable
.Pq Vt bool
Set to
.Dq Li YES
to start
.Xr hostapd 8
at system boot time.
.It Va hostname
.Pq Vt str
The fully qualified domain name (FQDN) of this host on the network.
This should almost certainly be set to something meaningful, even if
there is no network connection.
If
.Xr dhclient 8
is used to set the hostname via DHCP,
this variable should be set to an empty string.
Within a
.Xr jail 8
the hostname is generally already set and this variable may be absent.
If this value remains unset when the system is done booting
your console login will display the default hostname of
.Dq Amnesiac .
.It Va nisdomainname
.Pq Vt str
The NIS domain name of this host, or
.Dq Li NO
if NIS is not used.
.It Va hostid_enable
.Pq Vt bool
If set to
.Dq Li NO ,
disable the generation or saving of the
.Pa hostid
and
.Pa machine-id
files at system boot and shutdown.
.It Va hostid_file
.Pq Vt str
Path to the
.Pa hostid
file, default
.Pa /etc/hostid .
.It Va hostid_uuidgen_flags
.Pq Vt str
Flags passed to
.Xr uuidgen 1
when generating a software host UUID.
This is used only if the system cannot determine a hardware UUID.
Set to
.Dq Li -r
by default.
.It Va machine_id_file
.Pq Vt str
Path to the
.Pa machine-id
file, default
.Pa /etc/machine-id .
.It Va dhclient_program
.Pq Vt str
Path to the DHCP client program, defaulting to
.Pa /sbin/dhclient .
.It Va dhclient_flags
.Pq Vt str
Additional flags to pass to the DHCP client program.
See the
.Xr dhclient 8
manpage for a description of the command line options available.
.It Va dhclient_flags_ Ns Aq Ar iface
Additional flags to pass to the DHCP client program running on
.Ar iface
only.
When specified, this variable overrides
.Va dhclient_flags .
.It Va background_dhclient
.Pq Vt bool
Set to
.Dq Li YES
to start the DHCP client in background.
This can cause trouble with applications depending on
a working network, but it will provide a faster startup
in many cases.
.It Va background_dhclient_ Ns Aq Ar iface
When specified, this variable overrides the
.Va background_dhclient
variable for interface
.Ar iface
only.
.It Va dhclient_arpwait
.Pq Vt bool
Set to
.Dq Li NO
to stop
.Xr dhclient 8
from waiting for ARP resolution, to make the system boot faster.
This may be done on networks where the DHCP server is certain to
know whether an address is available.
.It Va synchronous_dhclient
.Pq Vt bool
Set to
.Dq Li YES
to start
.Xr dhclient 8
synchronously at startup.
This behavior can be overridden on a per-interface basis by replacing
the
.Dq Li DHCP
keyword in the
.Va ifconfig_ Ns Aq Ar interface
variable with
.Dq Li SYNCDHCP
or
.Dq Li NOSYNCDHCP .
.It Va defaultroute_delay
.Pq Vt int
When set to a positive value, wait up to this long after configuring
DHCP interfaces at startup to give the interfaces time to receive a lease.
.It Va firewall_enable
.Pq Vt bool
Set to
.Dq Li YES
to load firewall rules at startup.
If the kernel was not built with
.Cd "options IPFIREWALL" ,
the
.Pa ipfw.ko
kernel module will be loaded.
See also
.Va ipfilter_enable .
.It Va firewall_script
.Pq Vt str
This variable specifies the full path to the firewall script to run.
The default is
.Pa /etc/rc.firewall .
.It Va firewall_type
.Pq Vt str
Names the firewall type from the selection in
.Pa /etc/rc.firewall ,
or the file which contains the local firewall ruleset.
Valid selections from
.Pa /etc/rc.firewall
are:
.Pp
.Bl -tag -width ".Li workstation" -compact
.It Li open
unrestricted IP access
.It Li closed
all IP services disabled, except via
.Dq Li lo0
.It Li client
basic protection for a workstation
.It Li workstation
basic protection for a workstation using stateful firewalling
.It Li simple
basic protection for a LAN.
.El
.Pp
If a filename is specified, the full path
must be given.
.Pp
Most of the predefined rulesets define additional configuration variables.
These are documented in
.Pa /etc/rc.firewall .
.It Va firewall_quiet
.Pq Vt bool
Set to
.Dq Li YES
to disable the display of firewall rules on the console during boot.
.It Va firewall_logging
.Pq Vt bool
Set to
.Dq Li YES
to enable firewall event logging.
This is equivalent to the
.Dv IPFIREWALL_VERBOSE
kernel option.
.It Va firewall_logif
.Pq Vt bool
Set to
.Dq Li YES
to create the pseudo interface
.Li ipfw0
for logging.
For more details, see the
.Xr ipfw 8
manual page.
.It Va firewall_flags
.Pq Vt str
Flags passed to
.Xr ipfw 8
if
.Va firewall_type
specifies a filename.
.It Va firewall_coscripts
.Pq Vt str
List of executables and/or rc scripts to run after firewall starts/stops.
Default is empty.
.\" ----- firewall_nat_enable setting --------------------------------
.It Va firewall_nat_enable
.Pq Vt bool
The
.Xr ipfw 8
equivalent of
.Va natd_enable .
Setting this to
.Dq Li YES
will automatically load the
.Xr ipfw 8
NAT kernel module if
.Va firewall_enable
is also set to
.Dq Li YES .
.It Va firewall_nat_interface
.Pq Vt str
The
.Xr ipfw 8
equivalent of
.Va natd_interface .
This is the name of the public interface or IP address on which
kernel NAT should run.
.It Va firewall_nat_flags
.Pq Vt str
Additional configuration parameters for kernel NAT should be placed here.
.It Va firewall_nat64_enable
.Pq Vt bool
Setting this to
.Dq Li YES
will automatically load the
.Xr ipfw 8
NAT64 kernel module if
.Va firewall_enable
is also set to
.Dq Li YES .
.It Va firewall_nptv6_enable
.Pq Vt bool
Setting this to
.Dq Li YES
will automatically load the
.Xr ipfw 8
NPTv6 kernel module if
.Va firewall_enable
is also set to
.Dq Li YES .
.It Va firewall_pmod_enable
.Pq Vt bool
Setting this to
.Dq Li YES
will automatically load the
.Xr ipfw 8
pmod kernel module if
.Va firewall_enable
is also set to
.Dq Li YES .
.It Va dummynet_enable
.Pq Vt bool
Setting this to
.Dq Li YES
will automatically load the
.Xr dummynet 4
module if
.Va firewall_enable
is also set to
.Dq Li YES .
.\" -------------------------------------------------------------------
.It Va ipfw_netflow_enable
.Pq Vt bool
Setting this to
.Dq Li YES
will enable netflow logging via
.Xr ng_netflow 4 .
.Pp
By default an ipfw rule is inserted and all packets are duplicated with
the ngtee command and netflow packets are sent to 127.0.0.1 on the netflow
port using protocol version 5.
.It Va ipfw_netflow_hook
.Pq Vt int
netflow hook name, must be numerical
(default
.Pa 9995 ) .
.It Va ipfw_netflow_rule
.Pq Vt int
ipfw rule number
(default
.Pa 1000 ) .
.It Va ipfw_netflow_ip
.Pq Vt str
Destination server IP for receiving netflow data
(default
.Pa 127.0.0.1 ) .
.It Va ipfw_netflow_port
.Pq Vt int
Destination server port for receiving netflow data
(default
.Pa 9995 ) .
.It Va ipfw_netflow_version
.Pq Vt int
Do not set for using version 5 of the netflow protocol, set it to 9 for using
version 9.
.It Va ipfw_netflow_fib
.Pq Vt int
Only match packets in FIB
.Pa ipfw_netflow_fib
(default is undefined meaning all FIBs).
.It Va natd_program
.Pq Vt str
Path to
.Xr natd 8 .
.It Va natd_enable
.Pq Vt bool
Set to
.Dq Li YES
to enable
.Xr natd 8 .
.Va firewall_enable
must also be set to
.Dq Li YES ,
and
.Xr divert 4
sockets must be enabled in the kernel.
If the kernel was not built with
.Cd "options IPDIVERT" ,
the
.Pa ipdivert.ko
kernel module will be loaded.
.It Va natd_interface
.Pq Vt str
This is the name of the public interface on which
.Xr natd 8
should run.
The interface may be given as an interface name or as an IP address.
.It Va natd_flags
.Pq Vt str
Additional
.Xr natd 8
flags should be placed here.
The
.Fl n
or
.Fl a
flag is automatically added with the above
.Va natd_interface
as an argument.
.\" ----- ipfilter_enable setting --------------------------------
.It Va ipfilter_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Setting this to
.Dq Li YES
enables
.Xr ipf 8
packet filtering.
.Pp
Typical usage will require putting
.Bd -literal
ipfilter_enable="YES"
ipnat_enable="YES"
ipmon_enable="YES"
ipfs_enable="YES"
.Ed
.Pp
into
.Pa /etc/rc.conf
and editing
.Pa /etc/ipf.rules
and
.Pa /etc/ipnat.rules
appropriately.
.Pp
Note that
.Va ipfilter_enable
and
.Va ipnat_enable
can be enabled independently.
.Va ipmon_enable
and
.Va ipfs_enable
both require at least one of
.Va ipfilter_enable
and
.Va ipnat_enable
to be enabled.
.Pp
Having
.Bd -literal
options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK
.Ed
.Pp
in the kernel configuration file is a good idea, too.
.\" ----- ipfilter_program setting ------------------------------
.It Va ipfilter_program
.Pq Vt str
Path to
.Xr ipf 8
(default
.Pa /sbin/ipf ) .
.\" ----- ipfilter_rules setting --------------------------------
.It Va ipfilter_rules
.Pq Vt str
Set to
.Pa /etc/ipf.rules
by default.
This variable contains the name of the filter rule definition file.
The file is expected to be readable for the
.Xr ipf 8
command to execute.
.\" ----- ipfilter_flags setting --------------------------------
.It Va ipfilter_flags
.Pq Vt str
Empty by default.
This variable contains flags passed to the
.Xr ipf 8
program.
.\" ----- ipnat_enable setting ----------------------------------
.It Va ipnat_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Set it to
.Dq Li YES
to enable
.Xr ipnat 8
network address translation.
See
.Va ipfilter_enable
for a detailed discussion.
.\" ----- ipnat_program setting ---------------------------------
.It Va ipnat_program
.Pq Vt str
Path to
.Xr ipnat 8
(default
.Pa /sbin/ipnat ) .
.\" ----- ipnat_rules setting -----------------------------------
.It Va ipnat_rules
.Pq Vt str
Set to
.Pa /etc/ipnat.rules
by default.
This variable contains the name of the file
holding the network address translation definition.
This file is expected to be readable for the
.Xr ipnat 8
command to execute.
.\" ----- ipnat_flags setting -----------------------------------
.It Va ipnat_flags
.Pq Vt str
Empty by default.
This variable contains flags passed to the
.Xr ipnat 8
program.
.\" ----- ipmon_enable setting ----------------------------------
.It Va ipmon_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Set it to
.Dq Li YES
to enable
.Xr ipmon 8
monitoring (logging
.Xr ipf 8
and
.Xr ipnat 8
events).
Setting this variable needs setting
.Va ipfilter_enable
or
.Va ipnat_enable
too.
See
.Va ipfilter_enable
for a detailed discussion.
.\" ----- ipmon_program setting ---------------------------------
.It Va ipmon_program
.Pq Vt str
Path to
.Xr ipmon 8
(default
.Pa /sbin/ipmon ) .
.\" ----- ipmon_flags setting -----------------------------------
.It Va ipmon_flags
.Pq Vt str
Set to
.Dq Li -Ds
by default.
This variable contains flags passed to the
.Xr ipmon 8
program.
Another typical example would be
.Dq Fl D Pa /var/log/ipflog
to have
.Xr ipmon 8
log directly to a file bypassing
.Xr syslogd 8 .
Make sure to adjust
.Pa /etc/newsyslog.conf
in such case like this:
.Bd -literal
/var/log/ipflog 640 10 100 * Z /var/run/ipmon.pid
.Ed
.\" ----- ipfs_enable setting -----------------------------------
.It Va ipfs_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Set it to
.Dq Li YES
to enable
.Xr ipfs 8
saving the filter and NAT state tables during shutdown
and reloading them during startup again.
Setting this variable needs setting
.Va ipfilter_enable
or
.Va ipnat_enable
to
.Dq Li YES
too.
See
.Va ipfilter_enable
for a detailed discussion.
Note that if
.Va kern_securelevel
is set to 3,
.Va ipfs_enable
cannot be used
because the raised securelevel will prevent
.Xr ipfs 8
from saving the state tables at shutdown time.
.\" ----- ipfs_program setting ----------------------------------
.It Va ipfs_program
.Pq Vt str
Path to
.Xr ipfs 8
(default
.Pa /sbin/ipfs ) .
.\" ----- ipfs_flags setting ------------------------------------
.It Va ipfs_flags
.Pq Vt str
Empty by default.
This variable contains flags passed to the
.Xr ipfs 8
program.
.\" ----- end of added ipf hook ---------------------------------
.It Va pf_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Setting this to
.Dq Li YES
enables
.Xr pf 4
packet filtering.
.Pp
Typical usage will require putting
.Pp
.Dl pf_enable="YES"
.Pp
into
.Pa /etc/rc.conf
and editing
.Pa /etc/pf.conf
appropriately.
Adding
.Pp
.Dl "device pf"
.Pp
builds support for
.Xr pf 4
into the kernel, otherwise the
kernel module will be loaded.
.It Va pf_rules
.Pq Vt str
Path to
.Xr pf 4
ruleset configuration file
(default
.Pa /etc/pf.conf ) .
.It Va pf_program
.Pq Vt str
Path to
.Xr pfctl 8
(default
.Pa /sbin/pfctl ) .
.It Va pf_flags
.Pq Vt str
If
.Va pf_enable
is set to
.Dq Li YES ,
these flags are passed to the
.Xr pfctl 8
program when loading the ruleset.
.It Va pf_fallback_rules_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Setting this to
.Dq Li YES
enables loading
.Va pf_fallback_rules_file
or
.Va pf_fallback_rules
in case of a problem when loading the ruleset in
.Va pf_rules .
.It Va pf_fallback_rules_file
.Pq Vt str
Path to a pf ruleset to load in case of failure when loading the
ruleset in
.Va pf_rules
(default
.Pa /etc/pf-fallback.conf ) .
.It Va pf_fallback_rules
.Pq Vt str
A pf ruleset to load in case of failure when loading the ruleset in
.Va pf_rules
and
.Va pf_fallback_rules_file
is not found.
Multiple rules can be set as follows:
.Bd -literal
pf_fallback_rules="
	block drop log all
	pass in quick on em0"
.Pp
.Ed
The default fallback rule is
.Dq block drop log all .
.It Va pflog_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Setting this to
.Dq Li YES
enables
.Xr pflogd 8
which logs packets from the
.Xr pf 4
packet filter.
.It Va pflog_logfile
.Pq Vt str
If
.Va pflog_enable
is set to
.Dq Li YES
this controls where
.Xr pflogd 8
stores the logfile
(default
.Pa /var/log/pflog ) .
Check
.Pa /etc/newsyslog.conf
to adjust logfile rotation for this.
.It Va pflog_program
.Pq Vt str
Path to
.Xr pflogd 8
(default
.Pa /sbin/pflogd ) .
.It Va pflog_flags
.Pq Vt str
Empty by default.
This variable contains additional flags passed to the
.Xr pflogd 8
program.
.It Va pflog_instances
.Pq Vt str
If logging to more than one
.Xr pflog 4
interface is desired,
.Va pflog_instances
is set to the list of
.Xr pflogd 8
instances that should be started at system boot time.
If
.Va pflog_instances
is set, for each whitespace-separated
.Ar element
in the list,
.Ao Ar element Ac Ns Va _dev
and
.Ao Ar element Ac Ns Va _logfile
elements are assumed to exist.
.Ao Ar element Ac Ns Va _dev
must contain the
.Xr pflog 4
interface to be watched by the named
.Xr pflogd 8
instance.
.Ao Ar element Ac Ns Va _logfile
must contain the name of the logfile that will be used by the
.Xr pflogd 8
instance.
.It Va ftpproxy_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Setting this to
.Dq Li YES
enables
.Xr ftp-proxy 8
which supports the
.Xr pf 4
packet filter in translating ftp connections.
.It Va ftpproxy_flags
.Pq Vt str
Empty by default.
This variable contains additional flags passed to the
.Xr ftp-proxy 8
program.
.It Va ftpproxy_instances
.Pq Vt str
Empty by default.
If multiple instances of
.Xr ftp-proxy 8
are desired at boot time,
.Va ftpproxy_instances
should contain a whitespace-separated list of instance names.
For each
.Ar element
in the list, a variable named
.Ao Ar element Ac Ns Va _flags
should be defined, containing the command-line flags to be passed to the
.Xr ftp-proxy 8
instance.
.It Va pfsync_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Setting this to
.Dq Li YES
enables exposing
.Xr pf 4
state changes to other hosts over the network by means of
.Xr pfsync 4 .
The
.Va pfsync_syncdev
variable
must also be set then.
.It Va pfsync_syncdev
.Pq Vt str
Empty by default.
This variable specifies the name of the network interface
.Xr pfsync 4
should operate through.
It must be set accordingly if
.Va pfsync_enable
is set to
.Dq Li YES .
.It Va pfsync_syncpeer
.Pq Vt str
Empty by default.
This variable is optional.
By default, state change messages are sent out on the synchronisation
interface using IP multicast packets.
The protocol is IP protocol 240, PFSYNC, and the multicast group used is
224.0.0.240.
When a peer address is specified using the
.Va pfsync_syncpeer
option, the peer address is used as a destination for the pfsync
traffic, and the traffic can then be protected using
.Xr ipsec 4 .
See the
.Xr pfsync 4
manpage for more details about using
.Xr ipsec 4
with
.Xr pfsync 4
interfaces.
.It Va pfsync_ifconfig
.Pq Vt str
Empty by default.
This variable can contain additional options to be passed to the
.Xr ifconfig 8
command used to set up
.Xr pfsync 4 .
.It Va tcp_extensions
.Pq Vt bool
Set to
.Dq Li YES
by default.
Setting this to
.Dq Li NO
disables certain TCP options as described by
.Rs
.%T "RFC 1323"
.Re
Setting this to
.Dq Li NO
might help remedy such problems with connections as randomly hanging
or other weird behavior.
Some network devices are known
to be broken with respect to these options.
.It Va log_in_vain
.Pq Vt int
Set to 0 by default.
The
.Xr sysctl 8
variables,
.Va net.inet.tcp.log_in_vain
and
.Va net.inet.udp.log_in_vain ,
as described in
.Xr tcp 4
and
.Xr udp 4 ,
are set to the given value.
.It Va tcp_keepalive
.Pq Vt bool
Set to
.Dq Li YES
by default.
Setting to
.Dq Li NO
will disable probing idle TCP connections to verify that the
peer is still up and reachable.
.It Va tcp_drop_synfin
.Pq Vt bool
Set to
.Dq Li NO
by default.
Setting to
.Dq Li YES
will cause the kernel to ignore TCP frames that have both
the SYN and FIN flags set.
This prevents OS fingerprinting, but may
break some legitimate applications.
.It Va icmp_drop_redirect
.Pq Vt bool
Set to
.Dq Li AUTO
by default.
This setting will be identical to
.Dq Li YES ,
if a dynamic routing daemon is enabled, because redirect processing may
cause performance issues for large routing tables.
If no such service is enabled, this setting behaves like a
.Dq Li NO .
Setting to
.Dq Li YES
will cause the kernel to ignore ICMP REDIRECT packets.
Setting to
.Dq Li NO
will cause the kernel to process ICMP REDIRECT packets.
Refer to
.Xr icmp 4
for more information.
.It Va icmp_log_redirect
.Pq Vt bool
Set to
.Dq Li NO
by default.
Setting to
.Dq Li YES
will cause the kernel to log ICMP REDIRECT packets.
Note that
the log messages are not rate-limited, so this option should only be used
for troubleshooting networks.
Refer to
.Xr icmp 4
for more information.
.It Va icmp_bmcastecho
.Pq Vt bool
Set to
.Dq Li YES
to respond to broadcast or multicast ICMP ping packets.
Refer to
.Xr icmp 4
for more information.
.It Va ip_portrange_first
.Pq Vt int
If not set to
.Dq Li NO ,
this is the first port in the default portrange.
Refer to
.Xr ip 4
for more information.
.It Va ip_portrange_last
.Pq Vt int
If not set to
.Dq Li NO ,
this is the last port in the default portrange.
Refer to
.Xr ip 4
for more information.
.It Va network_interfaces
.Pq Vt str
Set to the list of network interfaces to configure on this host or
.Dq Li AUTO
(the default) for all current interfaces.
Setting the
.Va network_interfaces
variable to anything other than the default is deprecated.
Interfaces that the administrator wishes to store configuration for,
but not start at boot should be configured with the
.Dq Li NOAUTO
keyword in their
.Va ifconfig_ Ns Aq Ar interface
variables as described below.
.Pp
An
.Va ifconfig_ Ns Aq Ar interface
variable is assumed to exist for each value of
.Ar interface .
When an interface name contains any of the characters
.Dq Li .-/+
they are translated to
.Dq Li _
before lookup.
For example, the interface
.Va em0.102
would be configured using the variable
.Va ifconfig_em0_102 .
.Pp
The variable can contain arguments to
.Xr ifconfig 8 ,
as well as special case-insensitive keywords described below.
Such keywords are removed before passing the value to
.Xr ifconfig 8
while the order of the other arguments is preserved.
.Pp
For example, to assign the IPv4 address 192.0.2.1/24 to the interface em0:
.Bd -literal
ifconfig_em0="inet 192.0.2.1/24 up"
.Ed
.Pp
If the variable
.Va ifconfig_ Ns Ao Ar interface Ac Ns Pa _ipv6
is set, then
.Va ifconfig_ Ns Aq Ar interface
does not need to be set unless an IPv4 address should also be assigned to
the interface.
.Pp
It is possible to add IP alias entries using
.Xr ifconfig 8
syntax with the address family keyword such as
.Li inet .
Assuming that the interface in question was
.Li em0 ,
it might look something like this:
.Bd -literal
ifconfig_em0_alias0="inet 127.0.0.253/32"
ifconfig_em0_alias1="inet 127.0.0.254/32"
.Ed
.Pp
It is also possible to configure multiple IP addresses in Classless
Inter-Domain Routing
.Pq CIDR
address notation,
in which each address component can be a range like
.Li inet 192.0.2.5-23/24
or
.Li inet6 2001:db8:1-f::1/64 .
This notation allows address and prefix length part only,
not the other address modifiers.
Note that the maximum number of the generated addresses from a range
specification is limited to an integer value specified in
.Va netif_ipexpand_max
in
.Nm
because a small typo can unexpectedly generate a large number of addresses.
The default value is
.Li 2048 .
It can be increased by adding the following line into
.Nm :
.Bd -literal
netif_ipexpand_max="4096"
.Ed
.Pp
In the case of
.Li 192.0.2.5-23/24 ,
the address 192.0.2.5 will be configured with the prefix length /24 and the
addresses 192.0.2.6 to 192.0.2.23 with the non-conflicting prefix length /32 as
explained in the
.Xr ifconfig 8
alias section.
Note that this special CIDR handling is only for
.Li inet ,
not for the other address families such as
.Li inet6 .
.Pp
With the interface in question being
.Li em0 ,
an example could look like:
.Bd -literal
ifconfig_em0_alias2="inet 192.0.2.129/27"
ifconfig_em0_alias3="inet 192.0.2.1-5/28"
.Ed
.Pp
and so on.
.Pp
Note that the deprecated
.Va ipv4_addrs_ Ns Aq Ar interface
variable was supported for IPv4 CIDR address notation.
The
.Va ifconfig_ Ns Ao Ar interface Ac Ns Va _alias Ns Aq Ar n
variable replaces it, though
.Va ipv4_addrs_ Ns Aq Ar interface
is still supported for backward compatibility.
.Pp
For each
.Va ifconfig_ Ns Ao Ar interface Ac Ns Va _alias Ns Aq Ar n
entry with an address family keyword,
its contents are passed to
.Xr ifconfig 8 .
Execution stops at the first unsuccessful access, so if
something like this is present:
.Bd -literal
ifconfig_em0_alias0="inet 127.0.0.251/32"
ifconfig_em0_alias1="inet 127.0.0.252/32"
ifconfig_em0_alias2="inet 127.0.0.253/32"
ifconfig_em0_alias4="inet 127.0.0.254/32"
.Ed
.Pp
Then note that alias4 would
.Em not
be added since the search would
stop with the missing
.Dq Li alias3
entry.
Because this behavior is difficult to manage,
there is the
.Va ifconfig_ Ns Ao Ar interface Ac Ns Va _aliases
variable, which has the same functionality as
.Va ifconfig_ Ns Ao Ar interface Ac Ns Va _alias Ns Aq Ar n
and can have all of the entries in a variable like the following:
.Bd -literal
ifconfig_em0_aliases="\\
    inet 127.0.0.251/32 \\
    inet 127.0.0.252/32 \\
    inet 127.0.0.253/32 \\
    inet 127.0.0.254/32"
.Ed
.Pp
It also supports netmask notation for backward compatibility.
.Pp
If the
.Pa /etc/start_if . Ns Aq Ar interface
file is present, it is read and executed by the
.Xr sh 1
interpreter
before configuring the interface as specified in the
.Va ifconfig_ Ns Aq Ar interface
and
.Va ifconfig_ Ns Ao Ar interface Ac Ns Va _alias Ns Aq Ar n
variables.
.Pp
If a
.Va vlans_ Ns Aq Ar interface
variable is set,
a
.Xr vlan 4
interface will be created for each item in the list with the
.Ar vlandev
argument set to
.Ar interface .
If a vlan interface's name is a number,
then that number is used as the vlan tag and the new vlan interface is
named
.Ar interface . Ns Ar tag .
Otherwise,
the vlan tag must be specified via a
.Va vlan
parameter in the
.Va create_args_ Ns Aq Ar interface
variable.
.Pp
To create a vlan device named
.Li em0.101
on
.Li em0
with the vlan tag 101 and the optional IPv4 address 192.0.2.1/24:
.Bd -literal
vlans_em0="101"
ifconfig_em0_101="inet 192.0.2.1/24"
.Ed
.Pp
To create a vlan device named
.Li myvlan
on
.Li em0
with the vlan tag 102:
.Bd -literal
vlans_em0="myvlan"
create_args_myvlan="vlan 102"
.Ed
.Pp
If a
.Va wlans_ Ns Aq Ar interface
variable is set,
an
.Xr wlan 4
interface will be created for each item in the list with the
.Ar wlandev
argument set to
.Ar interface .
Further wlan cloning arguments may be passed to the
.Xr ifconfig 8
.Cm create
command by setting the
.Va create_args_ Ns Aq Ar interface
variable.
One or more
.Xr wlan 4
devices must be created for each wireless device as of
.Fx 8.0 .
Debugging flags for
.Xr wlan 4
devices as set by
.Xr wlandebug 8
may be specified with an
.Va wlandebug_ Ns Aq Ar interface
variable.
The contents of this variable will be passed directly to
.Xr wlandebug 8 .
.Pp
If the
.Va ifconfig_ Ns Aq Ar interface
contains the keyword
.Dq Li NOAUTO
then the interface will not be configured
at boot or by
.Pa /etc/pccard_ether
when
.Va network_interfaces
is set to
.Dq Li AUTO .
.Pp
It is possible to bring up an interface with DHCP by adding
.Dq Li DHCP
to the
.Va ifconfig_ Ns Aq Ar interface
variable.
For instance, to initialize the
.Li em0
device via DHCP,
it is possible to use something like:
.Bd -literal
ifconfig_em0="DHCP"
.Ed
.Pp
If you want to configure your wireless interface with
.Xr wpa_supplicant 8
for use with WPA, EAP/LEAP or WEP, you need to add
.Dq Li WPA
to the
.Va ifconfig_ Ns Aq Ar interface
variable.
.Pp
On the other hand, if you want to configure your wireless interface with
.Xr hostapd 8 ,
you need to add
.Dq Li HOSTAP
to the
.Va ifconfig_ Ns Aq Ar interface
variable.
.Xr hostapd 8
will use the settings from
.Pa /etc/hostapd- Ns Ao Ar interface Ac Ns .conf .
.Pp
Finally, you can add
.Xr ifconfig 8
options in this variable, in addition to the
.Pa /etc/start_if . Ns Aq Ar interface
file.
For instance, to configure an
.Xr ath 4
wireless device in station mode with an address obtained
via DHCP, using WPA authentication and 802.11b mode, it is
possible to use something like:
.Bd -literal
wlans_ath0="wlan0"
ifconfig_wlan0="DHCP WPA mode 11b"
.Ed
.Pp
In addition to the
.Va ifconfig_ Ns Aq Ar interface
form, a fallback variable
.Va ifconfig_DEFAULT
may be configured.
It will be used for all interfaces with no
.Va ifconfig_ Ns Aq Ar interface
variable.
.Pp
It is also possible to rename an interface by doing:
.Bd -literal
ifconfig_em0_name="net0"
ifconfig_net0="inet 192.0.2.1/24"
.Ed
.It Va ipv6_enable
.Pq Vt bool
This variable is deprecated.
Use
.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
and
.Va ipv6_activate_all_interfaces
if necessary.
.Pp
If the variable is
.Dq Li YES ,
.Dq Li inet6 accept_rtadv
is added to all of
.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
and the
.Va ipv6_activate_all_interfaces
variable is defined as
.Dq Li YES .
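The alias numbering rule and the interface-name translation described under network_interfaces above can be checked mechanically. The following is an added example, not part of the original manual page or of the rc(8) scripts; the helper names rc_ifvar and alias_gaps and the sample text are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from rc.conf(5) or the rc(8) scripts): report
# ifconfig_<interface>_alias<n> entries that are never applied because a
# lower-numbered alias is missing. rc_ifvar and alias_gaps are hypothetical
# helper names. Only literal one-line assignments are examined; files pulled
# in through rc_conf_files or rc.conf.d are not followed.

# Translate an interface name the way the manual describes for variable
# lookup: each of the characters . - / + becomes _ (em0.102 -> em0_102).
rc_ifvar() {
    printf '%s\n' "$1" | tr './+-' '____'
}

# Read rc.conf-style text on stdin and print, one per line, the alias
# variables of interface $1 that sit above the first gap in the numbering.
alias_gaps() {
    awk -v prefix="ifconfig_$(rc_ifvar "$1")_alias" '
        { sub(/^[ \t]+/, "") }
        index($0, prefix) == 1 {
            rest = substr($0, length(prefix) + 1)
            # Accept <n>=<value>; this skips the ..._aliases list form.
            if (match(rest, /^[0-9]+=/)) {
                n = substr(rest, 1, RLENGTH - 1) + 0
                val = substr(rest, RLENGTH + 1)
                gsub(/[ \t"\047]/, "", val)
                # Assumption: an empty value counts as a missing entry.
                if (val != "" && val !~ /^#/) {
                    seen[n] = 1
                    if (n > max) max = n
                }
            }
        }
        END {
            # The search starts at alias0 and stops at the first miss.
            gap = 0
            while (gap in seen) gap++
            for (i = gap + 1; i <= max; i++)
                if (i in seen) print prefix i
        }
    '
}

# Constructed sample: the alias3 gap from the manual, plus a VLAN interface
# whose name needs translation and an interface using the _aliases form.
SAMPLE_RC_CONF='ifconfig_em0_alias0="inet 127.0.0.251/32"
ifconfig_em0_alias1="inet 127.0.0.252/32"
ifconfig_em0_alias2="inet 127.0.0.253/32"
ifconfig_em0_alias4="inet 127.0.0.254/32"
ifconfig_em0_102_alias0="inet 192.0.2.1/24"
ifconfig_em0_102_alias2="inet 192.0.2.2/32"
ifconfig_em1_aliases="inet 192.0.2.129/27 inet 192.0.2.130/32"'

for ifn in em0 em0.102 em1; do
    for v in $(printf '%s\n' "$SAMPLE_RC_CONF" | alias_gaps "$ifn"); do
        echo "$ifn: $v is never applied (numbering gap below it)"
    done
done
```

An address that silently fails to configure can leave a service without its intended listen address, so a check like this fits in a configuration review before reboot.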
.It Va ipv6_prefer
.Pq Vt bool
This variable is deprecated.
Use
.Va ip6addrctl_policy
instead.
.Pp
If the variable is
.Dq Li YES ,
the default address selection policy table set by
.Xr ip6addrctl 8
will be IPv6-preferred.
.Pp
If the variable is
.Dq Li NO ,
the default address selection policy table set by
.Xr ip6addrctl 8
will be IPv4-preferred.
.It Va ipv6_activate_all_interfaces
.Pq Vt bool
This controls initial configuration on IPv6-capable
interfaces with no corresponding
.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
variable.
Note that it is not always necessary to set this variable to
.Dq YES
to use IPv6 functionality on
.Fx .
In most cases, just configuring
.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
variables works.
.Pp
If the variable is
.Dq Li NO ,
all interfaces which do not have a corresponding
.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
variable will be marked as
.Dq Li IFDISABLED
at creation.
This means that all IPv6 functionality on that interface
is completely disabled to enforce a security policy.
If the variable is set to
.Dq YES ,
the flag will be cleared on all of the interfaces.
.Pp
In most cases, just defining an
.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
for an IPv6-capable interface should be sufficient.
However, if an interface is added dynamically
.Pq by some tunneling protocols such as PPP, for example ,
it is often difficult to define the variable in advance.
In such a case, configuring the
.Dq Li IFDISABLED
flag can be disabled by setting this variable to
.Dq YES .
.Pp
For more details of the
.Dq Li IFDISABLED
flag and keywords
.Dq Li inet6 ifdisabled ,
see
.Xr ifconfig 8 .
.Pp
Default is
.Dq Li NO .
.It Va ipv6_privacy
.Pq Vt bool
If the variable is
.Dq Li YES
privacy addresses will be generated for each IPv6
interface as described in RFC 4941.
.It Va ipv6_network_interfaces
.Pq Vt str
This is the IPv6 equivalent of
.Va network_interfaces .
Normally manual configuration of this variable is not needed.
.It Va ipv6_cpe_wanif
.Pq Vt str
If the variable is set to an interface name,
the
.Xr ifconfig 8
options
.Dq inet6 -no_radr accept_rtadv
will be added to the specified interface automatically before evaluating
.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6 ,
and two
.Xr sysctl 8
variables
.Va net.inet6.ip6.rfc6204w3
and
.Va net.inet6.ip6.no_radr
will be set to 1.
.Pp
This means the specified interface will accept ICMPv6 Router
Advertisement messages on that link and add the discovered
routers into the Default Router List.
While the other interfaces can still accept RA messages if the
.Dq inet6 accept_rtadv
option is specified, adding
routes into the Default Router List will be disabled by
.Dq inet6 no_radr
option by default.
See
.Xr ifconfig 8
for more details.
.Pp
Note that ICMPv6 Router Advertisement messages will be
accepted even when
.Va net.inet6.ip6.forwarding
is 1
.Pq packet forwarding is enabled
when
.Va net.inet6.ip6.rfc6204w3
is set to 1.
.Pp
Default is
.Dq Li NO .
.It Va ifconfig_ Ns Ao Ar interface Ac Ns _descr
.Pq Vt str
This assigns an arbitrary description to an interface.
The
.Xr sysctl 8
variable
.Va net.ifdescr_maxlen
limits its length.
This static setting may be overridden by commands
started with dynamic interface configuration utilities
like
.Xr dhclient 8
hooks.
The description can be seen with the
.Xr ifconfig 8
command and it may be exported with the
.Xr bsnmpd 1
daemon using its MIB-2 module.
.It Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
.Pq Vt str
IPv6 functionality on an interface should be configured by
.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6 ,
instead of setting ifconfig parameters in
.Va ifconfig_ Ns Aq Ar interface .
If this variable is empty, all IPv6 configurations on the
specified interface by other variables such as
.Va ipv6_prefix_ Ns Ao Ar interface Ac
will be ignored.
.Pp
Aliases should be set by
.Va ifconfig_ Ns Ao Ar interface Ac Ns Va _alias Ns Aq Ar n
with
.Dq Li inet6
keyword.
For example:
.Bd -literal
ifconfig_em0_ipv6="inet6 2001:db8:1::1 prefixlen 64"
ifconfig_em0_alias0="inet6 2001:db8:2::1 prefixlen 64"
.Ed
.Pp
Interfaces that have an
.Dq Li inet6 accept_rtadv
keyword in
.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
setting will be automatically configured by SLAAC
.Pq StateLess Address AutoConfiguration
described in
.Rs
.%T "RFC 4862"
.Re
.Pp
Note that a link-local address will be automatically configured in
addition to the configured global-scope addresses because the IPv6
specifications require it on each link.
The address is calculated from the MAC address by using an algorithm
defined in
.Rs
.%T "RFC 4862"
.%O "Section 5.3"
.Re
.Pp
If only a link-local address is needed on the interface,
the following configuration can be used:
.Bd -literal
ifconfig_em0_ipv6="inet6 auto_linklocal"
.Ed
.Pp
A link-local address can also be configured manually.
This is useful for the default router address of an IPv6 router
so that it does not change when the network interface
card is replaced.
For example:
.Bd -literal
ifconfig_em0_ipv6="inet6 fe80::1 prefixlen 64"
.Ed
.It Va ipv6_prefix_ Ns Aq Ar interface
.Pq Vt str
If one or more prefixes are defined in
.Va ipv6_prefix_ Ns Aq Ar interface ,
addresses based on each prefix and the EUI-64 interface index will be
configured on that interface.
Note that this variable will be ignored when
.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
is empty.
.Pp
For example, the following configuration
.Bd -literal
ipv6_prefix_em0="2001:db8:1:0 2001:db8:2:0"
.Ed
.Pp
is equivalent to the following:
.Bd -literal
ifconfig_em0_alias0="inet6 2001:db8:1:: eui64 prefixlen 64"
ifconfig_em0_alias1="inet6 2001:db8:1:: prefixlen 64 anycast"
ifconfig_em0_alias2="inet6 2001:db8:2:: eui64 prefixlen 64"
ifconfig_em0_alias3="inet6 2001:db8:2:: prefixlen 64 anycast"
.Ed
.Pp
These Subnet-Router anycast addresses will be added only when
.Va ipv6_gateway_enable
is YES.
.It Va ipv6_default_interface
.Pq Vt str
If not set to
.Dq Li NO ,
this is the default output interface for scoped addresses.
This works only with ipv6_gateway_enable="NO".
.It Va ip6addrctl_enable
.Pq Vt bool
This variable enables configuration of the default address selection policy table
.Pq RFC 3484 .
The table can be specified in another variable
.Va ip6addrctl_policy .
For
.Va ip6addrctl_policy
the following keywords can be specified:
.Dq Li ipv4_prefer ,
.Dq Li ipv6_prefer ,
or
.Dq Li AUTO .
.Pp
If
.Dq Li ipv4_prefer
or
.Dq Li ipv6_prefer
is specified,
.Xr ip6addrctl 8
installs a pre-defined policy table described in Section 10.3
.Pq IPv4-preferred
or 2.1
.Pq IPv6-preferred
of RFC 3484.
.Pp
If
.Dq Li AUTO
is specified, it attempts to read a file
.Pa /etc/ip6addrctl.conf
first.
If this file is found,
.Xr ip6addrctl 8
reads and installs it.
If not found, a policy is automatically set
according to the
.Va ipv6_activate_all_interfaces
variable; if the variable is set to
.Dq Li YES
the IPv6-preferred one is used.
Otherwise the IPv4-preferred one is used.
.Pp
The default values of
.Va ip6addrctl_enable
and
.Va ip6addrctl_policy
are
.Dq Li YES
and
.Dq Li AUTO ,
respectively.
.It Va cloned_interfaces
.Pq Vt str
Set to the list of clonable network interfaces to create on this host.
Further cloning arguments may be passed to the
.Xr ifconfig 8
.Cm create
command for each interface by setting the
.Va create_args_ Ns Aq Ar interface
variable.
If an interface name is specified with the
.Dq :sticky
keyword,
the interface will not be destroyed even when the
.Pa rc.d/netif
script is invoked with the
.Dq stop
argument.
This is useful when reconfiguring the interface without destroying it.
Entries in
.Va cloned_interfaces
are automatically appended to
.Va network_interfaces
for configuration.
.It Va cloned_interfaces_sticky
.Pq Vt bool
This variable globally enables the functionality of the
.Dq :sticky
keyword in
.Va cloned_interfaces
for all interfaces.
The default value is
.Dq NO .
Even if this variable is set to
.Dq YES ,
the
.Dq :nosticky
keyword can be used to override it on a per-interface basis.
.It Va gif_interfaces
Set to the list of
.Xr gif 4
tunnel interfaces to configure on this host.
A
.Va gifconfig_ Ns Aq Ar interface
variable is assumed to exist for each value of
.Ar interface .
The value of this variable is used to configure the link layer of the
tunnel using the
.Cm tunnel
option to
.Xr ifconfig 8 .
Additionally, this option ensures that each listed interface is created
via the
.Cm create
option to
.Xr ifconfig 8
before attempting to configure it.
.Pp
For example, configure two
.Xr gif 4
interfaces with:
.Bd -literal
gif_interfaces="gif0 gif1"
gifconfig_gif0="100.64.0.1 100.64.0.2"
ifconfig_gif0="inet 10.0.0.1/30 10.0.0.2"
gifconfig_gif1="inet6 2a00::1 2a01::1"
ifconfig_gif1="inet 10.1.0.1/30 10.1.0.2"
.Ed
.It Va ppp_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr ppp 8
daemon.
.It Va ppp_profile
.Pq Vt str
The name of the profile to use from
.Pa /etc/ppp/ppp.conf .
Also used for per-profile overrides of
.Va ppp_mode
and
.Va ppp_nat ,
and
.Va ppp_ Ns Ao Ar profile Ac Ns _unit .
When the profile name contains any of the characters
.Dq Li .-/+
they are translated to
.Dq Li _
for the purposes of the override variable names.
.It Va ppp_mode
.Pq Vt str
Mode in which to run the
.Xr ppp 8
daemon.
.It Va ppp_ Ns Ao Ar profile Ac Ns _mode
.Pq Vt str
Overrides the global
.Va ppp_mode
for
.Ar profile .
Accepted modes are
.Dq Li auto ,
.Dq Li ddial ,
.Dq Li direct
and
.Dq Li dedicated .
See the manual for a full description.
.It Va ppp_nat
.Pq Vt bool
If set to
.Dq Li YES ,
enables network address translation.
When used in conjunction with
.Va gateway_enable ,
this allows hosts on private network addresses access to the Internet using
this host as a network address translating router.
Default is
.Dq Li YES .
.It Va ppp_ Ns Ao Ar profile Ac Ns _nat
.Pq Vt str
Overrides the global
.Va ppp_nat
for
.Ar profile .
.It Va ppp_ Ns Ao Ar profile Ac Ns _unit
.Pq Vt int
Set the unit number to be used for this profile.
See the manual description of
.Fl unit Ns Ar N
for details.
.It Va ppp_user
.Pq Vt str
The name of the user under which
.Xr ppp 8
should be started.
By
default,
.Xr ppp 8
is started as
.Dq Li root .
.It Va rc_conf_files
.Pq Vt str
This option is used to specify a list of files that will override
the settings in
.Pa /etc/defaults/rc.conf .
The files will be read in the order in which they are specified and should
include the full path to the file.
By default, the files specified are
.Pa /etc/rc.conf
and
.Pa /etc/rc.conf.local .
.It Va zfs_enable
.Pq Vt bool
If set to
.Dq Li YES ,
.Pa /etc/rc.d/zfs
will attempt to automatically mount ZFS file systems and initialize ZFS volumes
(ZVOLs).
.It Va zpool_reguid
.Pq Vt str
A space-separated list of ZFS pool names for which new pool GUIDs should be
assigned upon first boot.
This is useful when using a ZFS pool copied from a template, such as a virtual
machine image.
.It Va zpool_upgrade
.Pq Vt str
A space-separated list of ZFS pool names for which the version should be
upgraded upon first boot.
This is useful when using a ZFS pool generated by the
.Xr makefs 8
utility.
.It Va gptboot_enable
.Pq Vt bool
If set to
.Dq Li YES ,
.Pa /etc/rc.d/gptboot
will log if the system successfully (or not) booted from a GPT partition,
which had the
.Ar bootonce
attribute set using the
.Xr gpart 8
utility.
.It Va geli_devices
.Pq Vt str
List of devices to automatically attach on boot.
Note that .eli devices from
.Pa /etc/fstab
are automatically appended to this list.
.It Va geli_groups
.Pq Vt str
List of groups containing devices to automatically attach on boot with the same
keyfiles and passphrase.
This must be accompanied with a corresponding
.Va geli_ Ns Ao Ar group Ac Ns Va _devices
variable.
.It Va geli_tries
.Pq Vt int
Number of times the user is asked for the pass-phrase.
If empty, it will be taken from the
.Va kern.geom.eli.tries
sysctl variable.
.It Va geli_default_flags
.Pq Vt str
Default flags to use by
.Xr geli 8
when configuring disk encryption.
Flags can be configured for every device separately by defining the
.Va geli_ Ns Ao Ar device Ac Ns Va _flags
variable, and for every group separately by defining the
.Va geli_ Ns Ao Ar group Ac Ns Va _flags
variable.
.It Va geli_autodetach
.Pq Vt str
Specifies if GELI devices should be marked for detach on last close after
file systems are mounted.
Default is
.Dq Li YES .
This can be changed for every device separately by defining the
.Va geli_ Ns Ao Ar device Ac Ns Va _autodetach
variable.
.It Va root_rw_mount
.Pq Vt bool
Set to
.Dq Li YES
by default.
After the file systems are checked at boot time, the root file system
is remounted as read-write if this is set to
.Dq Li YES .
Diskless systems that mount their root file system from a read-only remote
NFS share should set this to
.Dq Li NO
in their
.Pa rc.conf .
.It Va fsck_y_enable
.Pq Vt bool
If set to
.Dq Li YES ,
.Xr fsck 8
will be run with the
.Fl y
flag if the initial preen
of the file systems fails.
.It Va background_fsck
.Pq Vt bool
If set to
.Dq Li NO ,
the system will not attempt to run
.Xr fsck 8
in the background where possible.
.It Va background_fsck_delay
.Pq Vt int
The amount of time in seconds to sleep before starting a background
.Xr fsck 8 .
It defaults to sixty seconds to allow large applications such as
the X server to start before disk I/O bandwidth is monopolized by
.Xr fsck 8 .
If set to a negative number, the background file system check will be
delayed indefinitely to allow the administrator to run it at a more
convenient time.
For example it may be run from
.Xr cron 8
by adding a line like
.Pp
.Dl "0 4 * * * root /etc/rc.d/bgfsck forcestart"
.Pp
to
.Pa /etc/crontab .
.It Va netfs_types
.Pq Vt str
List of file system types that are network-based.
This list should generally not be modified by end users.
Use
.Va extra_netfs_types
instead.
.It Va extra_netfs_types
.Pq Vt str
If set to something other than
.Dq Li NO
(the default),
this variable extends the list of file system types
for which automatic mounting at startup by
.Xr rc 8
should be delayed until the network is initialized.
It should contain
a whitespace-separated list of network file system descriptor pairs,
each consisting of a file system type as passed to
.Xr mount 8
and a human-readable, one-word description,
joined with a colon
.Pq Ql \&: .
Extending the default list in this way is only necessary
when third party file system types are used.
.It Va syslogd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr syslogd 8
daemon.
Note, the
.Va syslogd_oomprotect
variable is set to
.Dq Li YES
by default in
.Pa /etc/defaults/rc.conf .
.It Va syslogd_program
.Pq Vt str
Path to
.Xr syslogd 8
(default
.Pa /usr/sbin/syslogd ) .
.It Va syslogd_flags
.Pq Vt str
If
.Va syslogd_enable
is set to
.Dq Li YES ,
these are the flags to pass to
.Xr syslogd 8 .
.It Va inetd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr inetd 8
daemon.
.It Va inetd_program
.Pq Vt str
Path to
.Xr inetd 8
(default
.Pa /usr/sbin/inetd ) .
.It Va inetd_flags
.Pq Vt str
If
.Va inetd_enable
is set to
.Dq Li YES ,
these are the flags to pass to
.Xr inetd 8 .
.It Va hastd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr hastd 8
daemon.
.It Va hastd_program
.Pq Vt str
Path to
.Xr hastd 8
(default
.Pa /sbin/hastd ) .
.It Va hastd_flags
.Pq Vt str
If
.Va hastd_enable
is set to
.Dq Li YES ,
these are the flags to pass to
.Xr hastd 8 .
.It Va local_unbound_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr unbound 8
daemon as a local caching DNS resolver.
Note, the
.Va local_unbound_oomprotect
variable is set to
.Dq Li YES
by default in
.Pa /etc/defaults/rc.conf .
.It Va nscd_enable
.Pq Vt bool
Set to
.Dq Li YES
to start the
.Xr nscd 8
caching daemon for the
.Nm nsswitch
subsystem.
.It Va nscd_flags
.Pq Vt str
If
.Va nscd_enable
is set to
.Dq Li YES ,
these flags are passed to
.Xr nscd 8 .
.It Va kdc_enable
.Pq Vt bool
Set to
.Dq Li YES
to start a Kerberos 5 authentication server
at boot time.
.It Va kdc_program
.Pq Vt str
If
.Va kdc_enable
is set to
.Dq Li YES
this is the path to Kerberos 5 Authentication Server.
.It Va kdc_flags
.Pq Vt str
Empty by default.
This variable contains additional flags to be passed to the Kerberos 5
authentication server.
.It Va kadmind_enable
.Pq Vt bool
Set to
.Dq Li YES
to start
.Xr kadmind 8 ,
the Kerberos 5 Administration Daemon; set to
.Dq Li NO
on a slave server.
.It Va kadmind_program
.Pq Vt str
If
.Va kadmind_enable
is set to
.Dq Li YES
this is the path to Kerberos 5 Administration Daemon.
.It Va kpasswdd_enable
.Pq Vt bool
Set to
.Dq Li YES
to start
.Xr kpasswdd 8 ,
the Kerberos 5 Password-Changing Daemon; set to
.Dq Li NO
on a slave server.
.It Va kpasswdd_program
.Pq Vt str
If
.Va kpasswdd_enable
is set to
.Dq Li YES
this is the path to Kerberos 5 Password-Changing Daemon.
.It Va kfd_enable
.Pq Vt bool
Set to
.Dq Li YES
to start
.Xr kfd 8 ,
the Kerberos 5 ticket forwarding daemon, at boot time.
.It Va kfd_program
.Pq Vt str
Path to
.Xr kfd 8
(default
.Pa /usr/libexec/kfd ) .
.It Va rwhod_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr rwhod 8
daemon at boot time.
.It Va rwhod_flags
.Pq Vt str
If
.Va rwhod_enable
is set to
.Dq Li YES ,
these are the flags to pass to it.
.It Va update_motd
.Pq Vt bool
If set to
.Dq Li YES ,
.Pa /var/run/motd
will be updated at boot time to reflect the kernel release
being run.
If set to
.Dq Li NO ,
.Pa /var/run/motd
will not be updated.
.It Va nfs_client_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the NFS client daemons at boot time.
.It Va nfs_access_cache
.Pq Vt int
If
.Va nfs_client_enable
is set to
.Dq Li YES ,
this can be set to
.Dq Li 0
to disable NFS ACCESS RPC caching, or to the number of seconds for which
NFS ACCESS
results should be cached.
A value of 2-10 seconds will substantially reduce network
traffic for many NFS operations.
.It Va nfs_server_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the NFS server daemons at boot time.
.It Va nfs_server_flags
.Pq Vt str
If
.Va nfs_server_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr nfsd 8
daemon.
.It Va nfsv4_server_enable
.Pq Vt bool
If
.Va nfs_server_enable
is set to
.Dq Li YES
and
.Va nfsv4_server_enable
is set to
.Dq Li YES ,
enable the server for NFSv4 as well as NFSv2 and NFSv3.
.It Va nfsv4_server_only
.Pq Vt bool
If
.Va nfs_server_enable
is set to
.Dq Li YES
and
.Va nfsv4_server_only
is set to
.Dq Li YES ,
enable the NFS server for NFSv4 only.
.It Va nfs_server_maxio
.Pq Vt int
Value to set vfs.nfsd.srvmaxio to, which is the
maximum I/O size for the NFS server.
.It Va tlsclntd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr rpc.tlsclntd 8
daemon, which is needed for NFS-over-TLS NFS mounts.
.It Va tlsservd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr rpc.tlsservd 8
daemon, which is needed for the
.Xr nfsd 8
to support NFS-over-TLS NFS mounts.
.It Va nfsuserd_enable
.Pq Vt bool
If
.Va nfsuserd_enable
is set to
.Dq Li YES ,
run the nfsuserd daemon, which is needed for NFSv4 in order
to map between user/group names and uid/gid numbers.
If
.Va nfsv4_server_enable
is set to
.Dq Li YES ,
this will be forced enabled.
.It Va nfsuserd_flags
.Pq Vt str
If
.Va nfsuserd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr nfsuserd 8
daemon.
.It Va nfscbd_enable
.Pq Vt bool
If
.Va nfscbd_enable
is set to
.Dq Li YES ,
run the nfscbd daemon, which enables callbacks/delegations for the NFSv4 client.
.It Va nfscbd_flags
.Pq Vt str
If
.Va nfscbd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr nfscbd 8
daemon.
.It Va mountd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
and no
.Va nfs_server_enable
is set, start
.Xr mountd 8 ,
but not
.Xr nfsd 8
daemon.
This is commonly needed to run CFS without real NFS in use.
.It Va mountd_flags
.Pq Vt str
If
.Va mountd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr mountd 8
daemon.
.It Va weak_mountd_authentication
.Pq Vt bool
If set to
.Dq Li YES ,
allow services like PCNFSD to make non-privileged mount
requests.
.It Va nfs_reserved_port_only
.Pq Vt bool
If set to
.Dq Li YES ,
provide NFS services only on a secure port.
.It Va nfs_bufpackets
.Pq Vt int
If set to a number, indicates the number of packets worth of
socket buffer space to reserve on an NFS client.
The kernel default is typically 4.
Using a higher number may be
useful on gigabit networks to improve performance.
The minimum value is
2 and the maximum is 64.
.It Va rpc_lockd_enable
.Pq Vt bool
If set to
.Dq Li YES
and also an NFS server or client, run
.Xr rpc.lockd 8
at boot time.
.It Va rpc_lockd_flags
.Pq Vt str
If
.Va rpc_lockd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr rpc.lockd 8
daemon.
.It Va rpc_statd_enable
.Pq Vt bool
If set to
.Dq Li YES
and also an NFS server or client, run
.Xr rpc.statd 8
at boot time.
.It Va rpc_statd_flags
.Pq Vt str
If
.Va rpc_statd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr rpc.statd 8
daemon.
.It Va rpcbind_program
.Pq Vt str
Path to
.Xr rpcbind 8
(default
.Pa /usr/sbin/rpcbind ) .
.It Va rpcbind_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr rpcbind 8
service at boot time.
.It Va rpcbind_flags
.Pq Vt str
If
.Va rpcbind_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr rpcbind 8
daemon.
.It Va pppoed_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr pppoed 8
daemon at boot time to provide PPP over Ethernet services.
.It Va pppoed_ Ns Aq Ar provider
.Pq Vt str
.Xr pppoed 8
listens to requests to this
.Ar provider
and ultimately runs
.Xr ppp 8
with a
.Ar system
argument of the same name.
.It Va pppoed_flags
.Pq Vt str
Additional flags to pass to
.Xr pppoed 8 .
.It Va pppoed_interface
.Pq Vt str
The network interface to run
.Xr pppoed 8
on.
This is mandatory when
.Va pppoed_enable
is set to
.Dq Li YES .
.It Va ntpdate_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run
.Xr ntpdate 8
at system startup.
This command is intended to
synchronize the system clock only
.Em once
from some standard reference.
.Pp
Note that the use of the
.Va ntpd_sync_on_start
variable is a preferred alternative to the
.Xr ntpdate 8
utility as
.Xr ntpdate 8
is to be retired from the NTP distribution.
.It Va ntpdate_config
.Pq Vt str
Configuration file for
.Xr ntpdate 8 .
Default
.Pa /etc/ntp.conf .
.It Va ntpdate_hosts
.Pq Vt str
A whitespace-separated list of NTP servers to synchronize with at startup.
The default is to use the servers listed in
.Va ntpdate_config ,
if that file exists.
.It Va ntpdate_program
.Pq Vt str
Path to
.Xr ntpdate 8
(default
.Pa /usr/sbin/ntpdate ) .
.It Va ntpdate_flags
.Pq Vt str
If
.Va ntpdate_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr ntpdate 8
command (typically a hostname).
.It Va ntpd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr ntpd 8
command at boot time.
.It Va ntpd_program
.Pq Vt str
Path to
.Xr ntpd 8
(default
.Pa /usr/sbin/ntpd ) .
.It Va ntpd_config
.Pq Vt str
Path to
.Xr ntpd 8
configuration file.
Default
.Pa /etc/ntp.conf .
.It Va ntpd_flags
.Pq Vt str
If
.Va ntpd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr ntpd 8
daemon.
.It Va ntpd_sync_on_start
.Pq Vt bool
If set to
.Dq Li YES ,
.Xr ntpd 8
is run with the
.Fl g
flag, which syncs the system's clock on startup.
See
.Xr ntpd 8
for more information regarding the
.Fl g
option.
This is a preferred alternative to using
.Xr ntpdate 8
or specifying the
.Va ntpdate_enable
variable.
.It Va nis_client_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr ypbind 8
service at system boot time.
.It Va nis_client_flags
.Pq Vt str
If
.Va nis_client_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr ypbind 8
service.
.It Va nis_ypldap_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr ypldap 8
daemon at system boot time.
.It Va nis_ypldap_flags
.Pq Vt str
If
.Va nis_ypldap_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr ypldap 8
daemon.
.It Va nis_ypset_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr ypset 8
daemon at system boot time.
.It Va nis_ypset_flags
.Pq Vt str
If
.Va nis_ypset_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr ypset 8
daemon.
.It Va nis_server_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr ypserv 8
daemon at system boot time.
.It Va nis_server_flags
.Pq Vt str
If
.Va nis_server_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr ypserv 8
daemon.
.It Va nis_ypxfrd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr rpc.ypxfrd 8
daemon at system boot time.
.It Va nis_ypxfrd_flags
.Pq Vt str
If
.Va nis_ypxfrd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr rpc.ypxfrd 8
daemon.
.It Va nis_yppasswdd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr rpc.yppasswdd 8
daemon at system boot time.
.It Va nis_yppasswdd_flags
.Pq Vt str
If
.Va nis_yppasswdd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr rpc.yppasswdd 8
daemon.
.It Va rpc_ypupdated_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Nm rpc.ypupdated
daemon at system boot time.
.It Va bsnmpd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr bsnmpd 1
daemon at system boot time.
Be sure to understand the security implications of running an SNMP daemon
on your host.
.It Va bsnmpd_flags
.Pq Vt str
If
.Va bsnmpd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr bsnmpd 1
daemon.
.It Va defaultrouter
.Pq Vt str
If not set to
.Dq Li NO ,
create a default route to this host name or IP address
(use an IP address if this router is also required to get to the
name server!).
.It Va defaultrouter_fibN
.Pq Vt str
If not set to
.Dq Li NO ,
create a default route in FIB N to this host name or IP address.
.It Va ipv6_defaultrouter
.Pq Vt str
The IPv6 equivalent of
.Va defaultrouter .
.It Va ipv6_defaultrouter_fibN
.Pq Vt str
The IPv6 equivalent of
.Va defaultrouter_fibN .
.It Va static_arp_pairs
.Pq Vt str
Set to the list of static ARP pairs that are to be added at system
boot time.
For each whitespace separated
.Ar element
in the value, a
.Va static_arp_ Ns Aq Ar element
variable is assumed to exist whose contents will later be passed to a
.Dq Nm arp Cm -S
operation.
For example
.Bd -literal
static_arp_pairs="gw"
static_arp_gw="192.168.1.1 00:01:02:03:04:05"
.Ed
.It Va static_ndp_pairs
.Pq Vt str
Set to the list of static NDP pairs that are to be added at system
boot time.
For each whitespace separated
.Ar element
in the value, a
.Va static_ndp_ Ns Aq Ar element
variable is assumed to exist whose contents will later be passed to a
.Dq Nm ndp Cm -s
operation.
For example
.Bd -literal
static_ndp_pairs="gw"
static_ndp_gw="2001:db8:3::1 00:01:02:03:04:05"
.Ed
.It Va static_routes
.Pq Vt str
Set to the list of static routes that are to be added at system
boot time.
If not set to
.Dq Li NO
then for each whitespace separated
.Ar element
in the value, a
.Va route_ Ns Aq Ar element
variable is assumed to exist
whose contents will later be passed to a
.Dq Nm route Cm add
operation.
For example:
.Bd -literal
static_routes="ext mcast:gif0 gif0local:gif0"
route_ext="-net 10.0.0.0/24 -gateway 192.168.0.1"
route_mcast="-net 224.0.0.0/4 -iface gif0"
route_gif0local="-host 169.254.1.1 -iface lo0"
.Ed
.Pp
When an
.Ar element
is in the form of
.Li name:ifname ,
the route is specific to the interface
.Li ifname .
.It Va ipv6_static_routes
.Pq Vt str
The IPv6 equivalent of
.Va static_routes .
If not set to
.Dq Li NO
then for each whitespace separated
.Ar element
in the value, a
.Va ipv6_route_ Ns Aq Ar element
variable is assumed to exist
whose contents will later be passed to a
.Dq Nm route Cm add Fl inet6
operation.
.It Va gateway_enable
.Pq Vt bool
If set to
.Dq Li YES ,
configure host to act as an IP router, e.g.\& to forward packets
between interfaces.
.It Va ipv6_gateway_enable
.Pq Vt bool
The IPv6 equivalent of
.Va gateway_enable .
.It Va routed_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run a routing daemon of some sort, based on the
settings of
.Va routed_program
and
.Va routed_flags .
.It Va route6d_enable
.Pq Vt bool
The IPv6 equivalent of
.Va routed_enable .
If set to
.Dq Li YES ,
run a routing daemon of some sort, based on the
settings of
.Va route6d_program
and
.Va route6d_flags .
.It Va routed_program
.Pq Vt str
If
.Va routed_enable
is set to
.Dq Li YES ,
this is the name of the routing daemon to use.
The default is
.Xr routed 8 .
.It Va route6d_program
.Pq Vt str
The IPv6 equivalent of
.Va routed_program .
The default is
.Xr route6d 8 .
.It Va routed_flags
.Pq Vt str
If
.Va routed_enable
is set to
.Dq Li YES ,
these are the flags to pass to the routing daemon.
.It Va route6d_flags
.Pq Vt str
The IPv6 equivalent of
.Va routed_flags .
.It Va rtadvd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr rtadvd 8
daemon at boot time.
The
.Xr rtadvd 8
utility sends ICMPv6 Router Advertisement messages to
the interfaces specified in
.Va rtadvd_interfaces .
This should only be enabled with great care.
You may want to fine-tune
.Xr rtadvd.conf 5 .
.It Va rtadvd_flags
.Pq Vt str
If
.Va rtadvd_enable
is set to
.Dq Li YES ,
these are the flags to pass to
.Xr rtadvd 8 .
.It Va rtadvd_interfaces
.Pq Vt str
If
.Va rtadvd_enable
is set to
.Dq Li YES
this is the list of interfaces to use.
.It Va arpproxy_all
.Pq Vt bool
If set to
.Dq Li YES ,
enable global proxy ARP.
.It Va forward_sourceroute
.Pq Vt bool
If set to
.Dq Li YES
and
.Va gateway_enable
is also set to
.Dq Li YES ,
source-routed packets are forwarded.
.It Va accept_sourceroute
.Pq Vt bool
If set to
.Dq Li YES ,
the system will accept source-routed packets directed at it.
.It Va rarpd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr rarpd 8
daemon at system boot time.
.It Va rarpd_flags
.Pq Vt str
If
.Va rarpd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr rarpd 8
daemon.
.It Va bootparamd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr bootparamd 8
daemon at system boot time.
.It Va bootparamd_flags
.Pq Vt str
If
.Va bootparamd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr bootparamd 8
daemon.
.It Va stf_interface_ipv4addr
.Pq Vt str
If not set to
.Dq Li NO ,
this is the local IPv4 address for 6to4 (IPv6 over IPv4 tunneling
interface).
Specify this entry to enable the 6to4 interface.
.It Va stf_interface_ipv4plen
.Pq Vt int
Prefix length for 6to4 IPv4 addresses, to limit peer address range.
An effective value is 0-31.
.It Va stf_interface_ipv6_ifid
.Pq Vt str
IPv6 interface ID for
.Xr stf 4 .
This can be set to
.Dq Li AUTO .
.It Va stf_interface_ipv6_slaid
.Pq Vt str
IPv6 Site Level Aggregator for
.Xr stf 4 .
.It Va ipv6_ipv4mapping
.Pq Vt bool
If set to
.Dq Li YES
this enables IPv4 mapped IPv6 address communication (like
.Li ::ffff:a.b.c.d ) .
.It Va rtsold_enable
.Pq Vt bool
Set to
.Dq Li YES
to enable the
.Xr rtsold 8
daemon to send ICMPv6 Router Solicitation messages.
.It Va rtsold_flags
.Pq Vt str
If
.Va rtsold_enable
is set to
.Dq Li YES ,
these are the flags to pass to
.Xr rtsold 8 .
.It Va rtsol_flags
.Pq Vt str
For interfaces configured with the
.Dq Li inet6 accept_rtadv
keyword, these are the flags to pass to
.Xr rtsol 8 .
.Pp
Note that
.Va rtsold_enable
is mutually exclusive with
.Va rtsol_flags ;
.Va rtsold_enable
takes precedence.
.It Va keybell
.Pq Vt str
The keyboard bell sound.
Set to
.Dq Li normal ,
.Dq Li visual ,
.Dq Li off ,
or
.Dq Li NO
if the default behavior is desired.
For details, refer to the
.Xr kbdcontrol 1
manpage.
.It Va keyboard
.Pq Vt str
If set to a non-null string, the virtual console's keyboard input is
set to this device.
.It Va keymap
.Pq Vt str
If set to
.Dq Li NO ,
no keymap is installed, otherwise the value is used to install
the keymap file found in
.Pa /usr/share/syscons/keymaps/ Ns Ao Ar value Ac Ns Pa .kbd
(if using
.Xr syscons 4 ) or
.Pa /usr/share/vt/keymaps/ Ns Ao Ar value Ac Ns Pa .kbd
(if using
.Xr vt 4 ) .
.It Va keyrate
.Pq Vt str
The keyboard repeat speed.
Set to
.Dq Li slow ,
.Dq Li normal ,
.Dq Li fast ,
or
.Dq Li NO
if the default behavior is desired.
.It Va keychange
.Pq Vt str
If not set to
.Dq Li NO ,
attempt to program the function keys with the value.
The value should
be a single string of the form:
.Dq Ar funkey_number new_value Op Ar funkey_number new_value ... .
.It Va cursor
.Pq Vt str
Can be set to the value of
.Dq Li normal ,
.Dq Li blink ,
.Dq Li destructive ,
or
.Dq Li NO
to set the cursor behavior explicitly or choose the default behavior.
.It Va scrnmap
.Pq Vt str
If set to
.Dq Li NO ,
no screen map is installed, otherwise the value is used to install
the screen map file in
.Pa /usr/share/syscons/scrnmaps/ Ns Aq Ar value .
This parameter is ignored when using
.Xr vt 4
as the console driver.
.It Va font8x16
.Pq Vt str
If set to
.Dq Li NO ,
the default 8x16 font value is used for screen size requests, otherwise
the value in
.Pa /usr/share/syscons/fonts/ Ns Aq Ar value
or
.Pa /usr/share/vt/fonts/ Ns Aq Ar value
is used (depending on the console driver being used).
.It Va font8x14
.Pq Vt str
If set to
.Dq Li NO ,
the default 8x14 font value is used for screen size requests, otherwise
the value in
.Pa /usr/share/syscons/fonts/ Ns Aq Ar value
or
.Pa /usr/share/vt/fonts/ Ns Aq Ar value
is used (depending on the console driver being used).
.It Va font8x8
.Pq Vt str
If set to
.Dq Li NO ,
the default 8x8 font value is used for screen size requests, otherwise
the value in
.Pa /usr/share/syscons/fonts/ Ns Aq Ar value
or
.Pa /usr/share/vt/fonts/ Ns Aq Ar value
is used (depending on the console driver being used).
.It Va blanktime
.Pq Vt int
If set to
.Dq Li NO ,
the default screen blanking interval is used, otherwise it is set
to
.Ar value
seconds.
.It Va saver
.Pq Vt str
If not set to
.Dq Li NO ,
this is the actual screen saver to use
.Li ( blank , snake , daemon ,
etc).
.It Va moused_nondefault_enable
.Pq Vt str
If set to
.Dq Li NO ,
the mouse device specified on
the command line is not automatically treated as enabled by the
.Pa /etc/rc.d/moused
script.
Having this variable set to
.Dq Li YES
allows a
.Xr usb 4
mouse,
for example,
to be enabled as soon as it is plugged in.
.It Va moused_enable
.Pq Vt str
If set to
.Dq Li YES ,
the
.Xr moused 8
daemon is started for doing cut/paste selection on the console.
.It Va moused_type
.Pq Vt str
This is the protocol type of the mouse connected to this host.
This variable must be set if
.Va moused_enable
is set to
.Dq Li YES ,
but defaults to
.Dq Li auto
as the
.Xr moused 8
daemon
is able to detect the appropriate mouse type automatically in many cases.
Set this variable to
one from the following list if the automatic detection fails.
.Pp
If the mouse is attached to the PS/2 mouse port, choose
.Dq Li auto
or
.Dq Li ps/2 ,
regardless of the brand and model of the mouse.
Likewise, if the
mouse is attached to the bus mouse port, choose
.Dq Li auto
or
.Dq Li busmouse .
All other protocols are for serial mice and will not work with
the PS/2 and bus mice.
If this is a USB mouse,
.Dq Li auto
is the only protocol type which will work.
.Pp
.Bl -tag -width ".Li x10mouseremote" -compact
.It Li microsoft
Microsoft mouse (serial)
.It Li intellimouse
Microsoft IntelliMouse (serial)
.It Li mousesystems
Mouse systems Corp.\& mouse (serial)
.It Li mmseries
MM Series mouse (serial)
.It Li logitech
Logitech mouse (serial)
.It Li busmouse
A bus mouse
.It Li mouseman
Logitech MouseMan and TrackMan (serial)
.It Li glidepoint
ALPS GlidePoint (serial)
.It Li thinkingmouse
Kensington ThinkingMouse (serial)
.It Li ps/2
PS/2 mouse
.It Li mmhittab
MM HitTablet (serial)
.It Li x10mouseremote
X10 MouseRemote (serial)
.It Li versapad
Interlink VersaPad (serial)
.El
.Pp
Even if the mouse is not in the above list, it may be compatible
with one in the list.
Refer to the manual page for
.Xr moused 8
for compatibility information.
.Pp
It should also be noted that while this is enabled, any
other client of the mouse (such as an X server) should access
the mouse through the virtual mouse device,
.Pa /dev/sysmouse ,
and configure it as a
.Dq Li sysmouse
type mouse, since all
mouse data is converted to this single canonical format when
using
.Xr moused 8 .
If the client program does not support the
.Dq Li sysmouse
type,
specify the
.Dq Li mousesystems
type.
It is the second preferred type.
.It Va moused_port
.Pq Vt str
If
.Va moused_enable
is set to
.Dq Li YES ,
this is the actual port the mouse is on.
It might be
.Pa /dev/cuau0
for a COM1 serial mouse, or
.Pa /dev/psm0
for a PS/2 mouse, for example.
.It Va moused_flags
.Pq Vt str
If
.Va moused_flags
is set, its value is used as an additional set of flags to pass to the
.Xr moused 8
daemon.
.It Va "moused_" Ns Ar XXX Ns Va "_flags"
When
.Va moused_nondefault_enable
is enabled, and a
.Xr moused 8
daemon is started for a non-default port, the
.Va "moused_" Ns Ar XXX Ns Va "_flags"
set of options has precedence over and replaces the default
.Va moused_flags
(where
.Ar XXX
is the name of the non-default port, e.g.,\&
.Ar ums0 ) .
By setting
.Va "moused_" Ns Ar XXX Ns Va "_flags"
it is possible to set up a different set of default flags for each
.Xr moused 8
instance.
For example, you can use
.Dq Li "-3"
for the default
.Va moused_flags
to make your laptop's touchpad more comfortable to use,
but an empty set of options for
.Va moused_ums0_flags
when your
.Xr usb 4
mouse has three or more buttons.
.It Va mousechar_start
.Pq Vt int
If set to
.Dq Li NO ,
the default mouse cursor character range
.Li 0xd0 Ns - Ns Li 0xd3
is used,
otherwise the range start is set
to
.Ar value
character, see
.Xr vidcontrol 1 .
Use if the default range is occupied in the language code table.
.It Va allscreens_flags
.Pq Vt str
If set,
.Xr vidcontrol 1
is run with these options for each of the virtual terminals
.Pq Pa /dev/ttyv* .
For example,
.Dq Fl m Cm on
will enable the mouse pointer on all virtual terminals
if
.Va moused_enable
is set to
.Dq Li YES .
.It Va allscreens_kbdflags
.Pq Vt str
If set,
.Xr kbdcontrol 1
is run with these options for each of the virtual terminals
.Pq Pa /dev/ttyv* .
For example,
.Dq Fl h Li 200
will set the
.Xr syscons 4
or
.Xr vt 4
scrollback (history) buffer to 200 lines.
.It Va cron_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr cron 8
daemon at system boot time.
.It Va cron_program
.Pq Vt str
Path to
.Xr cron 8
(default
.Pa /usr/sbin/cron ) .
.It Va cron_flags
.Pq Vt str
If
.Va cron_enable
is set to
.Dq Li YES ,
these are the flags to pass to
.Xr cron 8 .
.It Va cron_dst
.Pq Vt bool
If set to
.Dq Li YES ,
enable the special handling of transitions to and from the
Daylight Saving Time in
.Xr cron 8
(equivalent to using the flag
.Fl s ) .
.It Va lpd_program
.Pq Vt str
Path to
.Xr lpd 8
(default
.Pa /usr/sbin/lpd ) .
.It Va lpd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr lpd 8
daemon at system boot time.
.It Va lpd_flags
.Pq Vt str
If
.Va lpd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr lpd 8
daemon.
.It Va chkprintcap_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr chkprintcap 8
command before starting the
.Xr lpd 8
daemon.
.It Va chkprintcap_flags
.Pq Vt str
If
.Va lpd_enable
and
.Va chkprintcap_enable
are set to
.Dq Li YES ,
these are the flags to pass to the
.Xr chkprintcap 8
program.
The default is
.Dq Li -d ,
which causes missing directories to be created.
.It Va dumpdev
.Pq Vt str
Indicates the device (usually a swap partition) to which a crash dump
should be written in the event of a system crash.
If the value of this variable is
.Dq Li AUTO ,
the first suitable swap device listed in
.Pa /etc/fstab
will be used as dump device.
Otherwise, the value of this variable is passed as the argument to
.Xr dumpon 8
and
.Xr savecore 8 .
To disable crash dumps, set this variable to
.Dq Li NO .
.It Va dumpon_flags
.Pq Vt str
Flags to pass to
.Xr dumpon 8
when configuring
.Va dumpdev
as the system dump device.
.It Va dumpdir
.Pq Vt str
When the system reboots after a crash and a crash dump is found on the
device specified by the
.Va dumpdev
variable,
.Xr savecore 8
will save that crash dump and a copy of the kernel to the directory
specified by the
.Va dumpdir
variable.
The default value is
.Pa /var/crash .
Set to
.Dq Li NO
to not run
.Xr savecore 8
at boot time when
.Va dumpdir
is set.
.It Va savecore_enable
.Pq Vt bool
If set to
.Dq Li NO ,
disable automatic extraction of the crash dump from the
.Va dumpdev .
.It Va savecore_flags
.Pq Vt str
If crash dumps are enabled, these are the flags to pass to the
.Xr savecore 8
utility.
.It Va quota_enable
.Pq Vt bool
Set to
.Dq Li YES
to turn on user and group disk quotas on system startup via the
.Xr quotaon 8
command for all file systems marked as having quotas enabled in
.Pa /etc/fstab .
The kernel must be built with
.Cd "options QUOTA"
for disk quotas to function.
.It Va check_quotas
.Pq Vt bool
Set to
.Dq Li YES
to enable user and group disk quota checking via the
.Xr quotacheck 8
command.
.It Va quotacheck_flags
.Pq Vt str
If
.Va quota_enable
is set to
.Dq Li YES ,
and
.Va check_quotas
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr quotacheck 8
utility.
The default is
.Dq Li "-a" ,
which checks quotas for all file systems with quotas enabled in
.Pa /etc/fstab .
.It Va quotaon_flags
.Pq Vt str
If
.Va quota_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr quotaon 8
utility.
The default is
.Dq Li "-a" ,
which enables quotas for all file systems with quotas enabled in
.Pa /etc/fstab .
.It Va quotaoff_flags
.Pq Vt str
If
.Va quota_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr quotaoff 8
utility when shutting down the quota system.
The default is
.Dq Li "-a" ,
which disables quotas for all file systems with quotas enabled in
.Pa /etc/fstab .
.It Va accounting_enable
.Pq Vt bool
Set to
.Dq Li YES
to enable system accounting through the
.Xr accton 8
facility.
.It Va firstboot_sentinel
.Pq Vt str
This variable specifies the full path to a
.Dq first boot
sentinel file.
If a file exists with this path,
.Pa rc.d
scripts with the
.Dq firstboot
keyword will be run on startup and the sentinel file will be deleted
after the boot process completes.
The sentinel file must be located on a writable file system which is
mounted no later than
.Va early_late_divider
to function properly.
The default is
.Pa /firstboot .
.It Va linux_enable
.Pq Vt bool
Set to
.Dq Li YES
to enable Linux/ELF binary emulation at system initial
boot time.
.It Va sysvipc_enable
.Pq Vt bool
If set to
.Dq Li YES ,
load System V IPC primitives at boot time.
.It Va clear_tmp_enable
.Pq Vt bool
Set to
.Dq Li YES
to have
.Pa /tmp
cleaned at startup.
.It Va clear_tmp_X
.Pq Vt bool
Set to
.Dq Li NO
to disable removing of X11 lock files,
and the removal and (secure) recreation
of the various socket directories for X11
related programs.
.It Va ldconfig_paths
.Pq Vt str
Set to the list of shared library paths to use with
.Xr ldconfig 8 .
NOTE:
.Pa /lib
and
.Pa /usr/lib
will always be added first, so they need not appear in this list.
.It Va ldconfig32_paths
.Pq Vt str
Set to the list of 32-bit compatibility shared library paths to
use with
.Xr ldconfig 8 .
.It Va ldconfig_insecure
.Pq Vt bool
The
.Xr ldconfig 8
utility normally refuses to use directories
which are writable by anyone except root.
Set this variable to
.Dq Li YES
to disable that security check during system startup.
.It Va ldconfig_local_dirs
.Pq Vt str
Set to the list of local
.Xr ldconfig 8
directories.
The names of all files in the directories listed will be
passed as arguments to
.Xr ldconfig 8 .
.It Va ldconfig_local32_dirs
.Pq Vt str
Set to the list of local 32-bit compatibility
.Xr ldconfig 8
directories.
The names of all files in the directories listed will be
passed as arguments to
.Dq Nm ldconfig Fl 32 .
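.Pp
Added example, not part of this manual page or of the FreeBSD rc scripts: a POSIX sh check that reports explicit settings of the security-relevant variables described above (weak_mountd_authentication, nfs_reserved_port_only, forward_sourceroute together with gateway_enable, accept_sourceroute, ldconfig_insecure) in one rc.conf-style file.
The function names, the finding text and the sample file are assumptions of this example; only plain name=value lines are parsed, and the accepted boolean spellings follow rc.subr's checkyesno.

```shell
#!/bin/sh
# Added example: flag explicit, security-relevant overrides in an
# rc.conf-style file. Variables that are not set in the file are not
# reported, because their effective value comes from other files.

# rc_value FILE NAME: print the last value assigned to NAME in FILE.
# A later assignment overrides an earlier one, as when sh sources the file.
# Trailing comments and one pair of surrounding quotes are stripped.
rc_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*#.*$//' \
            -e 's/^"\(.*\)"$/\1/' \
            -e "s/^'\(.*\)'\$/\1/"
}

upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# Boolean spellings accepted case-insensitively by checkyesno.
is_yes() { case "$(upper "$1")" in YES|TRUE|ON|1) return 0 ;; esac; return 1; }
is_no()  { case "$(upper "$1")" in NO|FALSE|OFF|0) return 0 ;; esac; return 1; }

# audit_rc_conf FILE: print one WARN line per risky explicit setting.
audit_rc_conf() {
    conf=$1
    if is_yes "$(rc_value "$conf" weak_mountd_authentication)"; then
        echo "WARN weak_mountd_authentication: non-privileged mount requests are allowed"
    fi
    if is_no "$(rc_value "$conf" nfs_reserved_port_only)"; then
        echo "WARN nfs_reserved_port_only: NFS service is not limited to a secure port"
    fi
    # forward_sourceroute only has an effect when gateway_enable is also YES.
    if is_yes "$(rc_value "$conf" forward_sourceroute)" &&
       is_yes "$(rc_value "$conf" gateway_enable)"; then
        echo "WARN forward_sourceroute: source-routed packets are forwarded"
    fi
    if is_yes "$(rc_value "$conf" accept_sourceroute)"; then
        echo "WARN accept_sourceroute: source-routed packets to this host are accepted"
    fi
    if is_yes "$(rc_value "$conf" ldconfig_insecure)"; then
        echo "WARN ldconfig_insecure: ldconfig directory permission check is disabled"
    fi
    return 0
}

# write_sample FILE: constructed sample input, not taken from a real host.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample rc.conf
sshd_enable="YES"
gateway_enable="YES"
forward_sourceroute="yes"        # lower case still counts as YES
accept_sourceroute="NO"
weak_mountd_authentication="YES"
weak_mountd_authentication="NO"  # later assignment wins
nfs_reserved_port_only="NO"
ldconfig_insecure=YES
EOF
}

sample=$(mktemp "${TMPDIR:-/tmp}/rcaudit.XXXXXX")
write_sample "$sample"
audit_rc_conf "$sample"
rm -f "$sample"
```

The check reads a single file; settings in /etc/rc.conf.local or the rc.conf.d directories need to be checked the same way.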
.It Va kern_securelevel_enable
.Pq Vt bool
Set to
.Dq Li YES
to set the kernel security level at system startup.
.It Va kern_securelevel
.Pq Vt int
The kernel security level to set at startup.
The allowed
.Ar value
ranges from \-1 (the compile time default) to 3 (the
most secure).
See
.Xr security 7
for the list of possible security levels and their effect
on system operation.
.It Va sshd_program
.Pq Vt str
Path to the SSH server program
.Pa ( /usr/sbin/sshd
is the default).
.It Va sshd_enable
.Pq Vt bool
Set to
.Dq Li YES
to start
.Xr sshd 8
at system boot time.
Note, the
.Va sshd_oomprotect
variable is set to
.Dq Li YES
by default in
.Pa /etc/defaults/rc.conf .
.It Va sshd_flags
.Pq Vt str
If
.Va sshd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr sshd 8
daemon.
.It Va watchdogd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
start the
.Xr watchdogd 8
daemon at boot time.
This requires that the kernel have been compiled with a
.Xr watchdog 4
compatible device.
.It Va watchdogd_flags
.Pq Vt str
If
.Va watchdogd_enable
is set to
.Dq Li YES ,
these are the flags passed to the
.Xr watchdogd 8
daemon.
.It Va watchdogd_timeout
.Pq Vt int
If
.Va watchdogd_enable
is set to
.Dq Li YES ,
this is a timeout that will be used by the
.Xr watchdogd 8
daemon.
If this option is set, it overrides
.Fl t
in
.Va watchdogd_flags .
.It Va watchdogd_shutdown_timeout
.Pq Vt int
If
.Va watchdogd_enable
is set to
.Dq Li YES ,
this is a timeout that will be set by the
.Xr watchdogd 8
daemon when it exits during the system shutdown.
This timeout will not be set when returning to the single-user mode
or when the watchdogd service is stopped individually using the
.Xr service 8
command or the rc.d script.
Note that the timeout will be applied if
.Xr watchdogd 8
is stopped outside of the
.Xr rc 8
framework.
If this option is set, it overrides
.Fl x
in
.Va watchdogd_flags .
.It Va devfs_rulesets
.Pq Vt str
List of files containing sets of rules for
.Xr devfs 8 .
.It Va devfs_system_ruleset
.Pq Vt str
Rule name(s) to apply to the system
.Pa /dev
itself.
.It Va devfs_set_rulesets
.Pq Vt str
Pairs of already-mounted
.Pa dev
directories and rulesets that should be applied to them.
For example: /mount/dev=ruleset_name
.It Va devfs_load_rulesets
.Pq Vt bool
If set, always load the default rulesets listed in
.Va devfs_rulesets .
.It Va performance_cx_lowest
.Pq Vt str
CPU idle state to use while on AC power.
The string
.Dq Li LOW
indicates that
.Xr acpi 4
should use the lowest power state available while
.Dq Li HIGH
indicates that the lowest latency state (less power savings) should be used.
.It Va performance_cpu_freq
.Pq Vt str
CPU clock frequency to use while on AC power.
The string
.Dq Li LOW
indicates that
.Xr cpufreq 4
should use the lowest frequency available while
.Dq Li HIGH
indicates that the highest frequency (less power savings) should be used.
.It Va economy_cx_lowest
.Pq Vt str
CPU idle state to use when off AC power.
The string
.Dq Li LOW
indicates that
.Xr acpi 4
should use the lowest power state available while
.Dq Li HIGH
indicates that the lowest latency state (less power savings) should be used.
.It Va economy_cpu_freq
.Pq Vt str
CPU clock frequency to use when off AC power.
The string
.Dq Li LOW
indicates that
.Xr cpufreq 4
should use the lowest frequency available while
.Dq Li HIGH
indicates that the highest frequency (less power savings) should be used.
.It Va jail_enable
.Pq Vt bool
If set to
.Dq Li NO ,
any configured jails will not be started.
.It Va jail_conf
.Pq Vt str
The configuration filename used by the
.Xr jail 8
utility.
The default value is
.Pa /etc/jail.conf .
.Pa /etc/jail\&. Ns Ao Va jname Ac Ns Pa .conf
and
.Pa /etc/jail.conf.d/ Ns Ao Va jname Ac Ns Pa .conf
will also be used if
.Ao Va jname Ac
is set in
.Va jail_list .
.It Va jail_parallel_start
.Pq Vt bool
If set to
.Dq Li YES ,
all configured jails will be started in the background (in parallel).
.It Va jail_flags
.Pq Vt str
Unset by default.
When set, use as default value for
.Va jail_ Ns Ao Ar jname Ac Ns Va _flags
for every jail in
.Va jail_list .
.It Va jail_list
.Pq Vt str
A space-delimited list of jail names.
When left empty, all of the
.Xr jail 8
instances defined in the configuration file are started.
The names specified in this list control the jail startup order.
.Xr jail 8
instances missing from
.Va jail_list
must be started manually.
Note that a jail's
.Va depend
parameter in the configuration file may override this list.
.It Va jail_reverse_stop
.Pq Vt bool
When set to
.Dq Li YES ,
all configured jails in
.Va jail_list
are stopped in reverse order.
.It Va jail_ Ns * variables
Note that older releases supported per-jail configuration via
.Nm
variables.
For example,
the hostname of a jail named
.Li vjail
could be set with
.Li jail_vjail_hostname .
These per-jail configuration variables are now obsolete in favor of the
.Xr jail 8
configuration file.
For backward compatibility,
when per-jail configuration variables are defined,
.Xr jail 8
configuration files are created as
.Pa /var/run/jail . Ns Ao Ar jname Ac Ns Pa .conf
and used.
.Pp
The following per-jail parameters are derived by the
.Pa rc.d/jail
script from their corresponding
.Nm
variables.
In addition to them, parameters in
.Va jail_ Ns Ao Ar jname Ac Ns Va _parameters
will be added to the configuration file.
They must be a semi-colon
.Pq Ql \&;
delimited list of
.Dq key=value .
For more details,
see the
.Xr jail 8
manual page.
.Bl -tag -width "host.hostname" -offset indent
.It Li path
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _rootdir
.It Li host.hostname
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _hostname
.It Li exec.consolelog
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _consolelog .
The default value is
.Pa /var/log/jail_ Ns Ao Ar jname Ac Ns Pa _console.log .
.It Li interface
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _interface .
.It Li vnet.interface
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _vnet_interface .
This implies that the
.Li vnet
parameter will be enabled, and it cannot be specified with
.Va jail_ Ns Ao Ar jname Ac Ns Va _interface ,
.Va jail_ Ns Ao Ar jname Ac Ns Va _ip
and/or
.Va jail_ Ns Ao Ar jname Ac Ns Va _ip_multi Ns Aq Ar n
at the same time.
.It Li fstab
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _fstab
.It Li mount
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _procfs_enable .
.It Li exec.fib
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _fib
.It Li exec.start
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_start .
The parameter name was
.Li command
in some older releases.
.It Li exec.prestart
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_prestart
.It Li exec.poststart
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_poststart
.It Li exec.stop
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_stop
.It Li exec.prestop
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_prestop
.It Li exec.poststop
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_poststop
.It Li ip4.addr
set if
.Va jail_ Ns Ao Ar jname Ac Ns Va _ip
or
.Va jail_ Ns Ao Ar jname Ac Ns Va _ip_multi Ns Aq Ar n
contain IPv4 addresses
.It Li ip6.addr
set if
.Va jail_ Ns Ao Ar jname Ac Ns Va _ip
or
.Va jail_ Ns Ao Ar jname Ac Ns Va _ip_multi Ns Aq Ar n
contain IPv6 addresses
.It Li allow.mount
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _mount_enable
.It Li mount.devfs
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _devfs_enable
.It Li devfs_ruleset
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _devfs_ruleset .
This must be an integer,
not a string.
.It Li mount.fdescfs
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _fdescfs_enable
.It Li allow.set_hostname
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _set_hostname_allow
.It Li allow.rawsocket
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _socket_unixiproute_only
.It Li allow.sysvipc
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _sysvipc_allow
.El
.\" -----------------------------------------------------
.It Va harvest_mask
.Pq Vt int
Set to a bit-mask
representing the entropy sources
you wish to harvest.
Refer to
.Xr random 4
for more information.
.It Va entropy_dir
.Pq Vt str
Set to
.Dq Li NO
to disable caching entropy via
.Xr cron 8 .
Otherwise set to the directory
in which the entropy files are stored.
To be useful,
there must be
a system cron job
that regularly writes and rotates
files here.
All files found
will be used at boot time.
The default is
.Pa /var/db/entropy .
.It Va entropy_file
.Pq Vt str
Set to
.Dq Li NO
to disable caching entropy through reboots.
Otherwise set to the name
of a file used to store cached entropy.
This file should be located
on a file system that is readable
before all the volumes specified in
.Xr fstab 5
are mounted.
By default,
.Pa /entropy
is used,
but if
.Pa /var/db/entropy-file
is found it will also be used.
This will be of some use to
.Xr bsdinstall 8 .
.It Va entropy_boot_file
.Pq Vt str
Set to
.Dq Li NO
to disable
very early caching entropy
through reboots.
Otherwise set to the filename
used to read
very early reboot cached entropy.
This file should be located where
.Xr loader 8
can read it.
See also
.Xr loader.conf 5 .
The default location is
.Pa /boot/entropy .
.It Va entropy_save_sz
.Pq Vt int
Size of the entropy cache files saved by
.Nm save-entropy
periodically.
.It Va entropy_save_num
.Pq Vt int
Number of entropy cache files to save by
.Nm save-entropy
periodically.
.It Va ipsec_enable
.Pq Vt bool
Set to
.Dq Li YES
to run
.Xr setkey 8
on
.Va ipsec_file
at boot time.
.It Va ipsec_file
.Pq Vt str
Configuration file for
.Xr setkey 8 .
.It Va dmesg_enable
.Pq Vt bool
Set to
.Dq Li YES
to save
.Xr dmesg 8
to
.Pa /var/run/dmesg.boot
on boot.
.It Va rcshutdown_timeout
.Pq Vt int
If set, start a watchdog timer in the background which will terminate
.Pa rc.shutdown
if
.Xr shutdown 8
has not completed within the specified time (in seconds).
Notice that in addition to this soft timeout,
.Xr init 8
also applies a hard timeout for the execution of
.Pa rc.shutdown .
This is configured via
.Xr sysctl 8
variable
.Va kern.init_shutdown_timeout
and defaults to 120 seconds.
Setting the value of
.Va rcshutdown_timeout
to more than 120 seconds will have no effect until the
.Xr sysctl 8
variable
.Va kern.init_shutdown_timeout
is also increased.
.It Va virecover_enable
.Pq Vt bool
Set to
.Dq Li NO
to prevent the system from trying to
recover prematurely terminated
.Xr vi 1
sessions.
.It Va ugidfw_enable
.Pq Vt bool
Set to
.Dq Li YES
to load the
.Xr mac_bsdextended 4
module upon system initialization and load a default
ruleset file.
.It Va bsdextended_script
.Pq Vt str
The default
.Xr mac_bsdextended 4
ruleset file to load.
The default value of this variable is
.Pa /etc/rc.bsdextended .
.It Va newsyslog_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run
.Xr newsyslog 8
command at startup.
.It Va newsyslog_flags
.Pq Vt str
If
.Va newsyslog_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr newsyslog 8
program.
The default is
.Dq Li -CN ,
which causes log files flagged with a
.Cm C
to be created.
.It Va mdconfig_md Ns Aq Ar X
.Pq Vt str
Arguments to
.Xr mdconfig 8
for
.Xr md 4
device
.Ar X .
At minimum a
.Fl t Ar type
must be specified and either a
.Fl s Ar size
for malloc or swap backed
.Xr md 4
devices or a
.Fl f Ar file
for vnode backed
.Xr md 4
devices.
Note that
.Va mdconfig_md Ns Aq Ar X
variables are evaluated until one variable is unset or null.
.It Va mdconfig_md Ns Ao Ar X Ac Ns Va _newfs
.Pq Vt str
Optional arguments passed to
.Xr newfs 8
to initialize
.Xr md 4
device
.Ar X .
.It Va mdconfig_md Ns Ao Ar X Ac Ns Va _owner
.Pq Vt str
An ownership specification passed to
.Xr chown 8
after the specified
.Xr md 4
device
.Ar X
has been mounted.
Both the
.Xr md 4
device and the mount point will be changed.
.It Va mdconfig_md Ns Ao Ar X Ac Ns Va _perms
.Pq Vt str
A mode string passed to
.Xr chmod 1
after the specified
.Xr md 4
device
.Ar X
has been mounted.
Both the
.Xr md 4
device and the mount point will be changed.
.It Va mdconfig_md Ns Ao Ar X Ac Ns Va _files
.Pq Vt str
Files to be copied to the mount point of the
.Xr md 4
device
.Ar X
after it has been mounted.
.It Va mdconfig_md Ns Ao Ar X Ac Ns Va _cmd
.Pq Vt str
Command to execute after the specified
.Xr md 4
device
.Ar X
has been mounted.
Note that the command is passed to
.Ic eval
and that both
.Va _dev
and
.Va _mp
variables can be used to reference respectively the
.Xr md 4
device and the mount point.
Assuming that the
.Xr md 4
device is
.Li md0 ,
one could set the following:
.Bd -literal
mdconfig_md0_cmd="tar xfzC /var/file.tgz \e${_mp}"
.Ed
.It Va autobridge_interfaces
.Pq Vt str
Set to the list of bridge interfaces against which newly arriving
interfaces are checked in order to be added automatically.
If not set to
.Dq Li NO
then for each whitespace separated
.Ar element
in the value, a
.Va autobridge_ Ns Aq Ar element
variable is assumed to exist which has a whitespace separated list of interface
names to match; these names can use wildcards.
For example:
.Bd -literal
autobridge_interfaces="bridge0"
autobridge_bridge0="tap* dc0 vlan[345]"
.Ed
.It Va mixer_enable
.Pq Vt bool
If set to
.Dq Li YES ,
enable support for sound mixer.
.It Va hcsecd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
enable Bluetooth security daemon.
.It Va hcsecd_config
.Pq Vt str
Configuration file for
.Xr hcsecd 8 .
Default
.Pa /etc/bluetooth/hcsecd.conf .
.It Va sdpd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
enable Bluetooth Service Discovery Protocol daemon.
.It Va sdpd_control
.Pq Vt str
Path to
.Xr sdpd 8
control socket.
Default
.Pa /var/run/sdp .
.It Va sdpd_groupname
.Pq Vt str
Sets
.Xr sdpd 8
group to run as after it initializes.
Default
.Dq Li nobody .
.It Va sdpd_username
.Pq Vt str
Sets
.Xr sdpd 8
user to run as after it initializes.
Default
.Dq Li nobody .
.It Va bthidd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
enable Bluetooth Human Interface Device daemon.
.It Va bthidd_config
.Pq Vt str
Configuration file for
.Xr bthidd 8 .
Default
.Pa /etc/bluetooth/bthidd.conf .
.It Va bthidd_hids
.Pq Vt str
Path to a file, where
.Xr bthidd 8
will store information about known HID devices.
Default
.Pa /var/db/bthidd.hids .
.It Va rfcomm_pppd_server_enable
.Pq Vt bool
If set to
.Dq Li YES ,
enable Bluetooth RFCOMM PPP wrapper daemon.
.It Va rfcomm_pppd_server_profile
.Pq Vt str
The name of the profile to use from
.Pa /etc/ppp/ppp.conf .
Multiple profiles can be specified here.
Also used to specify per-profile overrides.
When the profile name contains any of the characters
.Dq Li .-/+
they are translated to
.Dq Li _
for the purposes of the override variable names.
.It Va rfcomm_pppd_server_ Ns Ao Ar profile Ac Ns _bdaddr
.Pq Vt str
Overrides local address to listen on.
By default
.Xr rfcomm_pppd 8
will listen on
.Dq Li ANY
address.
The address can be specified as BD_ADDR or name.
.It Va rfcomm_pppd_server_ Ns Ao Ar profile Ac Ns _channel
.Pq Vt str
Overrides local RFCOMM channel to listen on.
By default
.Xr rfcomm_pppd 8
will listen on RFCOMM channel 1.
Must be set properly if multiple profiles are used at the same time.
.It Va rfcomm_pppd_server_ Ns Ao Ar profile Ac Ns _register_sp
.Pq Vt bool
Tells
.Xr rfcomm_pppd 8
if it should register Serial Port service on the specified RFCOMM channel.
Default
.Dq Li NO .
.It Va rfcomm_pppd_server_ Ns Ao Ar profile Ac Ns _register_dun
.Pq Vt bool
Tells
.Xr rfcomm_pppd 8
if it should register Dial-Up Networking service on the specified
RFCOMM channel.
Default
.Dq Li NO .
.It Va ubthidhci_enable
.Pq Vt bool
If set to
.Dq Li YES ,
change the USB Bluetooth controller from HID mode to HCI mode.
You also need to specify the location of USB Bluetooth controller with the
.Va ubthidhci_busnum
and
.Va ubthidhci_addr
variables.
.It Va ubthidhci_busnum
Bus number where the USB Bluetooth controller is located.
Check the output of
.Xr usbconfig 8
on your system to find this information.
.It Va ubthidhci_addr
Bus address of the USB Bluetooth controller.
Check the output of
.Xr usbconfig 8
on your system to find this information.
.It Va utx_enable
.Pq Vt bool
Set to
.Dq Li YES
to enable user accounting through the
.Xr utx 8
facility.
.It Va netwait_enable
.Pq Vt bool
If set to
.Dq Li YES ,
delays the start of network-reliant services until
.Va netwait_if
is up, duplicate address discovery (DAD) has completed, and ICMP
packets to a destination defined in
.Va netwait_ip
are flowing.
Link state is examined first, followed by DAD, then
.Dq Li pinging
an IP address to verify network usability.
If no destination can be reached or timeouts are exceeded,
network services are started anyway with no guarantee that
the network is usable.
.It Va netwait_ip
.Pq Vt str
Empty by default.
This variable contains a space-delimited list of IP addresses to
.Xr ping 8 .
DNS hostnames should not be used as resolution is not guaranteed
to be functional at this point.
If multiple IP addresses are specified,
each will be tried until one is successful or the list is exhausted.
.It Va netwait_timeout
.Pq Vt int
Indicates the total number of seconds to perform a
.Dq Li ping
against each IP address in
.Va netwait_ip ,
at a rate of one ping per second.
If any of the pings are successful,
full network connectivity is considered reliable.
The default is 60.
.It Va netwait_if
.Pq Vt str
Empty by default.
Defines the name of the network interface on which to watch for link.
.Xr ifconfig 8
is used to monitor the interface, looking for
.Dq Li status: no carrier .
Once gone, the link is considered up.
This can be a
.Xr vlan 4
interface if desired.
.It Va netwait_if_timeout
.Pq Vt int
Defines the total number of seconds to wait for link to become usable,
polled at a 1-second interval.
The default is 30.
.It Va netwait_dad
.Pq Vt str
Set to
.Dq Li NO
by default.
Set to
.Dq Li YES
to enable waiting for DAD to complete.
.It Va netwait_dad_timeout
.Pq Vt int
Unset by default.
Indicates the maximum number of seconds to wait for DAD to complete.
If zero or unset, the timeout will be one more than the value of the
.Va net.inet6.ip6.dad_count
sysctl variable.
.It Va rctl_enable
.Pq Vt bool
If set to
.Dq Li YES ,
load
.Xr rctl 8
rules from the defined ruleset.
The kernel must be built with
.Cd "options RACCT"
and
.Cd "options RCTL" .
.It Va rctl_rules
.Pq Vt str
Set to
.Pa /etc/rctl.conf
by default.
This variable contains the
.Xr rctl.conf 5
ruleset to load for
.Xr rctl 8 .
.It Va iovctl_files
.Pq Vt str
A space-separated list of configuration files used by
.Xr iovctl 8 .
The default value is an empty string.
.It Va autofs_enable
.Pq Vt bool
If set to
.Dq Li YES ,
start the
.Xr automount 8
utility and the
.Xr automountd 8
and
.Xr autounmountd 8
daemons at boot time.
.It Va automount_flags
.Pq Vt str
If
.Va autofs_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr automount 8
program.
By default no flags are passed.
.It Va automountd_flags
.Pq Vt str
If
.Va autofs_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr automountd 8
daemon.
By default no flags are passed.
.It Va autounmountd_flags
.Pq Vt str
If
.Va autofs_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr autounmountd 8
daemon.
By default no flags are passed.
.It Va ctld_enable
.Pq Vt bool
If set to
.Dq Li YES ,
start the
.Xr ctld 8
daemon at boot time.
.It Va iscsid_enable
.Pq Vt bool
If set to
.Dq Li YES ,
start the
.Xr iscsid 8
daemon at boot time.
.It Va iscsictl_enable
.Pq Vt bool
If set to
.Dq Li YES ,
start the
.Xr iscsictl 8
utility at boot time.
.It Va iscsictl_flags
.Pq Vt str
If
.Va iscsictl_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr iscsictl 8
program.
The default is
.Dq Li -Aa ,
which configures sessions based on the
.Pa /etc/iscsi.conf
configuration file.
.It Va cfumass_enable
.Pq Vt bool
If set to
.Dq Li YES ,
create and export a USB LUN using
.Xr cfumass 4
at boot time.
.It Va cfumass_dir
.Pq Vt str
The directory where the files exported by USB LUN are located.
The default directory is
.Pa /var/cfumass .
.It Va service_delete_empty
.Pq Vt bool
If set to
.Dq Li YES ,
.Ql Li service delete
removes empty
.Dq Li rc.conf.d
files.
.It Va zfs_bootonce_activate
.Pq Vt bool
If set to
.Dq Li YES ,
and a boot environment marked bootonce is successfully booted,
it will be made permanently active.
.It Va zfskeys_enable
.Pq Vt bool
If set to
.Dq Li YES ,
enable auto-loading of encryption keys for encrypted ZFS datasets.
For every dataset the script will first load the appropriate encryption key
and then attempt to unlock the dataset.
.Pp
The script operates only on datasets which are encrypted with
ZFS native encryption
and have a ZFS
.Dq Li keylocation
dataset property beginning with
.Dq Li file:// .
.It Va zfskeys_datasets
.Pq Vt str
A whitespace-separated list of ZFS datasets to unlock.
The list is empty by default,
which means that the script will attempt to unlock all datasets.
.It Va zfskeys_timeout
.Pq Vt int
Define the total number of seconds to wait for the zfskeys script
to unlock an encrypted dataset.
The default is 10.
.It Va sendmail_enable
.Pq Vt str
If set to
.Dq Li YES ,
run the
.Xr sendmail 8
daemon at system boot time.
If set to
.Dq Li NO ,
do not run a
.Xr sendmail 8
daemon to listen for incoming network mail.
This does not preclude a
.Xr sendmail 8
daemon listening on the SMTP port of the loopback interface.
The
.Dq Li NONE
option sets each
.Va sendmail_enable ,
.Va sendmail_submit_enable ,
.Va sendmail_outbound_enable ,
.Va sendmail_msp_queue_enable
to
.Dq Li NO .
.It Va sendmail_cert_create
.Pq Vt str
If
.Va sendmail_enable
is set to
.Dq Li YES ,
create a signed certificate
.Pa /etc/mail/certs/host.cert
representing
.Pa /etc/mail/certs/host.key
by the CA certificate in
.Pa /etc/mail/certs/cacert.pem .
This will enable connecting hosts to negotiate STARTTLS allowing incoming
email to be encrypted in transit.
.Xr sendmail 8
needs to be configured to use these generated files.
The default configuration in
.Pa /etc/mail/freebsd.mc
has the required options in it.
.It Va sendmail_cert_cn
.Pq Vt str
If
.Va sendmail_enable
is set to
.Dq Li YES
and
.Va sendmail_cert_create
is set to
.Dq Li YES ,
this is the Common Name (CN) of the certificate that will be created.
If
.Va sendmail_cert_cn
is not set, the system's hostname will be used.
If there is no hostname set,
.Dq Li amnesiac
will be used.
.It Va sendmail_flags
.Pq Vt str
If
.Va sendmail_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr sendmail 8
daemon.
.It Va sendmail_submit_enable
.Pq Vt bool
If set to
.Dq Li YES
and
.Va sendmail_enable
is set to
.Dq Li NO ,
run
.Xr sendmail 8
using
.Va sendmail_submit_flags
instead of
.Va sendmail_flags .
This is intended to allow local mail submission via
a localhost-only listening SMTP service required for running
.Xr sendmail 8
as a non-set-user-ID binary.
Note that this does not work inside
.Xr jail 2
systems, as jails do not allow binding to just the localhost interface.
.It Va sendmail_submit_flags
.Pq Vt str
If
.Va sendmail_enable
is set to
.Dq Li NO
and
.Va sendmail_submit_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr sendmail 8
daemon.
.It Va sendmail_outbound_enable
.Pq Vt bool
If set to
.Dq Li YES
and both
.Va sendmail_enable
and
.Va sendmail_submit_enable
are set to
.Dq Li NO ,
run
.Xr sendmail 8
using
.Va sendmail_outbound_flags
instead of
.Va sendmail_flags .
This is intended to allow local mail queue management
for systems that do not offer a listening SMTP service.
.It Va sendmail_outbound_flags
.Pq Vt str
If both
.Va sendmail_enable
and
.Va sendmail_submit_enable
are set to
.Dq Li NO
and
.Va sendmail_outbound_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr sendmail 8
daemon.
.It Va sendmail_msp_queue_enable
.Pq Vt bool
If set to
.Dq Li YES ,
start a client (MSP) queue runner
.Xr sendmail 8
daemon at system boot time.
As of sendmail 8.12, a separate queue is used for command line
submissions.
The client queue runner ensures that nothing is
left behind in the submission queue.
.It Va sendmail_msp_queue_flags
.Pq Vt str
If
.Va sendmail_msp_queue_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr sendmail 8
daemon.
.It Va precious_machine
If set to
.Dq Li YES ,
some destructive actions require removal of the action-specific safe-belts
before being allowed.
For instance, the file
.Pa /var/run/noshutdown
is created to prevent
.Xr shutdown 8
targeted at the wrong machine.
.El
.Sh SERVICE JAILS
The service jails part of the rc system automatically puts a service
into a jail.
This jail inherits the filesystem and various other parts of the
parent (if you allow child-jails in your jails, service jails
can be used in jails) depending on the content of the
.Ao Ar name Ac Ns Va _svcj_options
variable.
Typically this variable is set inside rc scripts, but it can be
overridden in the rc config.
Valid options for
.Ao Ar name Ac Ns Va _svcj_options
are:
.Bl -tag -width indent-two
.It mlock
Allows locking memory pages into physical memory.
.It netv4
Allows IPv4 network access and the ability to bind to reserved ports.
If
.Ao Ar name Ac Ns Va _svcj_ipaddrs
is set, only the IPv4 addresses listed there will be visible to the jail,
otherwise all assigned IPv4 addresses will be visible.
This cannot be combined with
.Pa netv6 .
.It netv6
Allows IPv6 network access and the ability to bind to reserved ports.
If
.Ao Ar name Ac Ns Va _svcj_ipaddrs
is set, only the IPv6 addresses listed there will be visible to the jail,
otherwise all assigned IPv6 addresses will be visible.
This cannot be combined with
.Pa netv4 .
.It net_basic
Equivalent to enabling both
.Pa netv6
and
.Pa netv4 .
.It net_raw
Allows opening raw sockets.
This option can be combined with
.Pa netv4 ,
.Pa netv6 ,
.Pa net_basic .
.It net_all
Allows IPv6 and IPv4 network access as for
.Pa netv4
and
.Pa netv6 ,
allows opening raw sockets, and allows opening sockets of protocol stacks that
have not had jail functionality added to them.
.It nfsd
Allows running nfsd and affiliated daemons.
.It routing
Allows modifying the system routing table.
.It settime
Allows setting and slewing the system time.
.It sysvipc
Inherits the SysV semaphores, SysV shared memory and
SysV messages from the host or the parent jail.
.It sysvipcnew
Creates a new namespace for SysV semaphores, SysV shared memory
and SysV messages for this particular service jail.
.It vmm
Allows access to
.Xr vmm 4 .
This option is only available when
.Xr vmm 4
is enabled in the kernel.
.El
.Pp
All non-network options can be combined with all other options.
Only one of the SysV options can be specified.
.Pp
If the
.Ao Ar name Ac Ns Va _svcj
variable is set to
.Dq Li YES ,
this particular service is started in a
service jail named
.Va svcj- Ns Ar name .
.Pp
The
.Va svcj_all_enable
variable allows enabling service jails for all services of the
system at once.
Services which have
.Ao Ar name Ac Ns Va _svcj
set to
.Dq Li NO
are excluded.
Some services may set
.Ao Ar name Ac Ns Va _svcj
to
.Dq Li NO
in the script to either prevent service jails for this
service at all, or may set it to
.Dq Li NO
if it is not set in the
rc config, to exclude it from
.Va svcj_all_enable
but allow it to be enabled explicitly.
The sshd service, for example, would not see other jails if
it ran as a service jail.
This may or may not be what is needed, and as such it is
excluded from
.Va svcj_all_enable
but can be enabled via setting
.Va sshd_svcj
to
.Dq Li YES .
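.Pp
The script below is an added example, not part of this manual page or of the
rc scripts: a read-only audit of an rc.conf-style file for
ldconfig_insecure, kern_securelevel, the eval'd mdconfig_md<X>_cmd values, and
the _svcj_options combination rules given under SERVICE JAILS.
The function names, the sample file and the service names demo and web are
assumptions, as are one quoted assignment per line and whitespace-separated
options.

```shell
#!/bin/sh
# Added example, not part of rc.conf(5) or the FreeBSD rc scripts.
# Assumes one name="value" assignment per line with no trailing comment,
# and whitespace-separated service jail options.

# Constructed sample input; "demo" and "web" are made-up service names.
sample_rc_conf() {
cat <<'EOF'
sshd_enable="YES"
ldconfig_insecure="yes"
kern_securelevel_enable="YES"
kern_securelevel="4"
mdconfig_md0="-t swap -s 64m"
mdconfig_md0_cmd="tar xfzC /var/file.tgz \${_mp}"
demo_svcj="YES"
demo_svcj_options="netv4 netv6 sysvipc sysvipcnew"
web_svcj_options="net_basic net_raw mlock"
EOF
}

# rc_get FILE NAME: value of the last NAME=... line, surrounding quotes removed.
# The file is read as text and never sourced, so nothing in it is executed.
rc_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# is_yes VALUE: true for the spellings rc.subr's checkyesno treats as enabled.
is_yes() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
    esac
    return 1
}

# svcj_check "OPTIONS": print one line per violated SERVICE JAILS rule;
# return 0 when the option list is acceptable, 1 otherwise.
svcj_check() {
    v4=0 v6=0 sysv=0 bad=0
    for opt in $1; do
        case "$opt" in
            netv4) v4=1 ;;
            netv6) v6=1 ;;
            sysvipc|sysvipcnew) sysv=$((sysv + 1)) ;;
            mlock|net_basic|net_raw|net_all|nfsd|routing|settime|vmm) ;;
            *) echo "unknown option: $opt"; bad=1 ;;
        esac
    done
    if [ "$v4" -eq 1 ] && [ "$v6" -eq 1 ]; then
        echo "netv4 and netv6 cannot be combined (net_basic enables both)"; bad=1
    fi
    if [ "$sysv" -gt 1 ]; then
        echo "only one of sysvipc and sysvipcnew may be specified"; bad=1
    fi
    return "$bad"
}

# audit FILE: print findings, one per line; prints nothing for a clean file.
audit() {
    if is_yes "$(rc_get "$1" ldconfig_insecure)"; then
        echo "ldconfig_insecure=YES: ldconfig accepts directories writable by non-root users"
    fi
    lvl=$(rc_get "$1" kern_securelevel)
    if is_yes "$(rc_get "$1" kern_securelevel_enable)"; then
        case "$lvl" in
            -1|0|1|2|3|'') ;;   # empty: the value from /etc/defaults/rc.conf applies
            *) echo "kern_securelevel: '$lvl' is outside the documented range -1..3" ;;
        esac
    else
        echo "kern_securelevel_enable: no security level is set at startup"
    fi
    # These values are handed to eval at boot, so they deserve review as code.
    sed -n 's/^[[:space:]]*\(mdconfig_md[0-9]*_cmd\)=.*/\1/p' "$1" |
    while read -r name; do
        echo "$name: value is passed to eval at boot"
    done
    sed -n 's/^[[:space:]]*\([A-Za-z0-9_]*\)_svcj_options=.*/\1/p' "$1" | sort -u |
    while read -r svc; do
        svcj_check "$(rc_get "$1" "${svc}_svcj_options")" |
            sed "s/^/${svc}_svcj_options: /"
    done
    return 0
}

# Run the audit over the constructed sample.
rc_audit_tmp=$(mktemp /tmp/rcaudit.XXXXXX)
sample_rc_conf > "$rc_audit_tmp"
audit "$rc_audit_tmp"
rm -f "$rc_audit_tmp"
```

Point the audit function at a copy of /etc/rc.conf and of each file under /etc/rc.conf.d to check a real host; values set only in /etc/defaults/rc.conf are not seen by it.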
.Sh FILES
.Bl -tag -width "/etc/defaults/rc.conf" -compact
.It Pa /etc/defaults/rc.conf
.It Pa /etc/defaults/vendor.conf
.It Pa /etc/rc.conf
.It Pa /etc/rc.conf.local
.It Pa /etc/rc.conf.d/
.El
.Sh SEE ALSO
.Xr chmod 1 ,
.Xr cpuset 1 ,
.Xr gdb 1 Pq Pa ports/devel/gdb ,
.Xr kbdcontrol 1 ,
.Xr limits 1 ,
.Xr protect 1 ,
.Xr sh 1 ,
.Xr umask 1 ,
.Xr uuidgen 1 ,
.Xr vi 1 ,
.Xr vidcontrol 1 ,
.Xr bridge 4 ,
.Xr dummynet 4 ,
.Xr ip 4 ,
.Xr ipf 4 ,
.Xr ipfw 4 ,
.Xr ipnat 4 ,
.Xr kld 4 ,
.Xr pf 4 ,
.Xr pflog 4 ,
.Xr pfsync 4 ,
.Xr tcp 4 ,
.Xr udp 4 ,
.Xr exports 5 ,
.Xr fstab 5 ,
.Xr ipf 5 ,
.Xr ipnat 5 ,
.Xr jail.conf 5 ,
.Xr loader.conf 5 ,
.Xr login.conf 5 ,
.Xr motd 5 ,
.Xr newsyslog.conf 5 ,
.Xr pf.conf 5 ,
.Xr firewall 7 ,
.Xr growfs 7 ,
.Xr security 7 ,
.Xr tuning 7 ,
.Xr accton 8 ,
.Xr apm 8 ,
.Xr bsdinstall 8 ,
.Xr bthidd 8 ,
.Xr chkprintcap 8 ,
.Xr chown 8 ,
.Xr cron 8 ,
.Xr devfs 8 ,
.Xr dhclient 8 ,
.Xr geli 8 ,
.Xr hcsecd 8 ,
.Xr ifconfig 8 ,
.Xr inetd 8 ,
.Xr iovctl 8 ,
.Xr ipf 8 ,
.Xr ipfw 8 ,
.Xr ipnat 8 ,
.Xr jail 8 ,
.Xr kldxref 8 ,
.Xr loader 8 ,
.Xr lpd 8 ,
.Xr makewhatis 8 ,
.Xr mdconfig 8 ,
.Xr mdmfs 8 ,
.Xr mixer 8 ,
.Xr mountd 8 ,
.Xr moused 8 ,
.Xr newfs 8 ,
.Xr newsyslog 8 ,
.Xr nfsd 8 ,
.Xr ntpd 8 ,
.Xr ntpdate 8 ,
.Xr pfctl 8 ,
.Xr pflogd 8 ,
.Xr ping 8 ,
.Xr powerd 8 ,
.Xr quotacheck 8 ,
.Xr quotaon 8 ,
.Xr rc 8 ,
.Xr rc.subr 8 ,
.Xr rcorder 8 ,
.Xr rfcomm_pppd 8 ,
.Xr route 8 ,
.Xr route6d 8 ,
.Xr routed 8 ,
.Xr rpc.lockd 8 ,
.Xr rpc.statd 8 ,
.Xr rpc.tlsclntd 8 ,
.Xr rpc.tlsservd 8 ,
.Xr rpcbind 8 ,
.Xr rwhod 8 ,
.Xr savecore 8 ,
.Xr sdpd 8 ,
.Xr sendmail 8 ,
.Xr service 8 ,
.Xr sshd 8 ,
.Xr swapon 8 ,
.Xr sysctl 8 ,
.Xr syslogd 8 ,
.Xr sysrc 8 ,
.Xr unbound 8 ,
.Xr usbconfig 8 ,
.Xr utx 8 ,
.Xr wlandebug 8 ,
.Xr yp 8 ,
.Xr ypbind 8 ,
.Xr ypserv 8 ,
.Xr ypset 8
.Sh HISTORY
The
.Nm
file appeared in
.Fx 2.2.2 .
.Sh AUTHORS
.An Jordan K. Hubbard .