.\" Copyright (c) 1995
.\" Jordan K. Hubbard
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd July 15, 2025
.Dt RC.CONF 5
.Os
.Sh NAME
.Nm rc.conf
.Nd system configuration information
.Sh DESCRIPTION
The file
.Nm
contains descriptive information about the local host name, configuration
details for any potential network interfaces and which services should be
started up at system initial boot time.
In new installations, the
.Nm
file is generally initialized by the system installation utility.
.Pp
The purpose of
.Nm
is not to run commands or perform system startup actions
directly.
Instead, it is included by the
various generic startup scripts in
.Pa /etc
which conditionalize their
internal actions according to the settings found there.
.Pp
The
.Pa /etc/rc.conf
file is included from the file
.Pa /etc/defaults/rc.conf ,
which specifies the default settings for all the available options.
Options need only be specified in
.Pa /etc/rc.conf
when the system administrator wishes to override these defaults.
The file
.Pa /etc/defaults/vendor.conf
allows vendors to override
.Fx
defaults.
The file
.Pa /etc/rc.conf.local
is used to override settings in
.Pa /etc/rc.conf
for historical reasons.
.Pp
The sysrc(8) command provides a scripting interface to modify system
config files.
.Pp
In addition to
.Pa /etc/rc.conf.local
you can also place smaller configuration files for each
.Xr rc 8
script in the
.Pa /etc/rc.conf.d
directory or
.Ao Ar dir Ac Ns Pa /rc.conf.d
directories (where
.Ao Ar dir Ac
is each entry specified in
.Va local_startup ,
but with any trailing
.Pa /rc.d
stripped),
which will be included by the
.Va load_rc_config
function.
For jail configurations you could use the file
.Pa /etc/rc.conf.d/jail
to store jail-specific configuration options.
If
.Va local_startup
contains
.Pa /usr/local/etc/rc.d
and
.Pa /opt/conf ,
.Pa /usr/local/etc/rc.conf.d/jail
and
.Pa /opt/conf/rc.conf.d/jail
will be loaded.
If
.Ao Ar dir Ac Ns Pa /rc.conf.d/ Ns Ao Ar name Ac
is a directory then all of the files in the directory will be loaded.
See also the
.Va rc_conf_files
variable below.
.Pp
Options are set with
.Dq Ar name Ns Li = Ns Ar value
assignments that use
.Xr sh 1
syntax.
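.Pp
The lookup described above, as an added shell example (not part of the original manual page or the FreeBSD rc scripts): it lists the files that apply to one service and reports any that are group- or world-writable, which matters because these files are read as sh(1) input by the startup scripts. The function names and the ROOT prefix argument are hypothetical, and the default rc_conf_files value is assumed.

```shell
#!/bin/sh
# Added example; not part of rc.conf(5) or of the FreeBSD rc scripts.
# ROOT is a hypothetical prefix argument ("" for the live system) so the
# functions can be pointed at a copy of a file tree.

# rc_conf_candidates ROOT NAME LOCAL_STARTUP
# Print the existing configuration files for service NAME, one per line:
# the files under ROOT/etc named on the page, then <dir>/rc.conf.d/NAME for
# /etc and for each LOCAL_STARTUP entry with a trailing /rc.d stripped.
# When <dir>/rc.conf.d/NAME is a directory, every file in it is listed.
# The listing order is not a statement about precedence.
rc_conf_candidates() {
    _root=$1
    _name=$2
    _startup=$3
    for _f in defaults/rc.conf defaults/vendor.conf rc.conf rc.conf.local; do
        if [ -f "$_root/etc/$_f" ]; then
            printf '%s\n' "$_root/etc/$_f"
        fi
    done
    for _dir in /etc $_startup; do      # unquoted: whitespace-separated list
        _dir=${_dir%/}
        _dir=${_dir%/rc.d}
        _path=$_root$_dir/rc.conf.d/$_name
        if [ -d "$_path" ]; then
            for _f in "$_path"/*; do
                if [ -f "$_f" ]; then
                    printf '%s\n' "$_f"
                fi
            done
        elif [ -f "$_path" ]; then
            printf '%s\n' "$_path"
        fi
    done
    return 0
}

# rc_conf_writable ROOT NAME LOCAL_STARTUP
# Print every candidate file that is group- or world-writable.
# find -perm is used instead of stat(1) because its syntax is portable.
rc_conf_writable() {
    rc_conf_candidates "$1" "$2" "$3" | while IFS= read -r _f; do
        find -H "$_f" -prune \( -perm -020 -o -perm -002 \) -print
    done
}

# Usage on a live system, with the local_startup value used as the
# example on the page:
#   rc_conf_writable "" jail "/usr/local/etc/rc.d /opt/conf"
```

.Pp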
The following list provides a name and short description for each
variable that can be set in the
.Nm
file:
.Bl -tag -width indent-two
.It Va rc_debug
.Pq Vt bool
If set to
.Dq Li YES ,
enable output of debug messages from rc scripts.
This variable can be helpful in diagnosing mistakes when
editing or integrating new scripts.
Beware that this produces copious output to the terminal and
.Xr syslog 3 .
.It Va rc_info
.Pq Vt bool
If set to
.Dq Li NO ,
disable informational messages from the rc scripts.
Informational messages are displayed when
a condition that is not serious enough to warrant a warning or
an error occurs.
.It Va rc_startmsgs
.Pq Vt bool
If set to
.Dq Li YES ,
show
.Dq Starting foo:
when faststart is used (e.g., at boot time).
.It Va early_late_divider
.Pq Vt str
The name of the script that should be used as the
delimiter between the
.Dq early
and
.Dq late
stages of the boot process.
The early stage should contain all the services needed to
get the disks (local or remote) mounted so that the late
stage can include scripts contained in the directories
listed in the
.Va local_startup
variable (see below).
Thus, the two likely candidates for this value are
.Pa mountcritlocal
for the typical system, and
.Pa mountcritremote
if the system needs remote file
systems mounted to get access to the
.Va local_startup
directories; for example when
.Pa /usr/local
is NFS mounted.
For
.Pa rc.conf
within a
.Xr jail 8
.Pa NETWORKING
is likely to be an appropriate value.
Extreme care should be taken when changing this value,
and before changing it one should ensure that there are
adequate provisions to recover from a failed boot
(such as physical contact with the machine,
or reliable remote console access).
.It Va always_force_depends
.Pq Vt bool
Various
.Pa rc.d
scripts use the force_depend function to check whether required
services are already running, and to start them if necessary.
By default during boot time this check is bypassed if the
required service is enabled in
.Pa /etc/rc.conf[.local] .
Setting this option will bypass that check at boot time and
always test whether or not the service is actually running.
Enabling this option is likely to increase your boot time if
services are enabled that utilize the force_depend check.
.It Ao Ar name Ac Ns Va _chroot
.Pq Vt str
.Xr chroot 8
to this directory before running the service.
.It Ao Ar name Ac Ns Va _cpuset
.Pq Vt str
A list of CPUs to run the service on.
Passed to
.Xr cpuset 1
using the
.Fl l
flag.
.It Ao Ar name Ac Ns Va _fib
.Pq Vt int
The
.Xr setfib 1
value to run the service under.
.It Ao Ar name Ac Ns Va _group
.Pq Vt str
Run the chrooted service under this system group.
Unlike the
.Ao Ar name Ac Ns Va _user
setting, this setting has no effect if the service is not chrooted.
.It Ao Ar name Ac Ns Va _limits
.Pq Vt str
Resource limits to apply to the service using
.Xr limits 1 .
By default, resource limits are based on the login class defined in
.Ao Ar name Ac Ns Va _login_class .
.It Ao Ar name Ac Ns Va _login_class
.Pq Vt str
Login class to be used with
.Ao Ar name Ac Ns Va _limits .
Defaults to
.Dq Li daemon .
.It Ao Ar name Ac Ns Va _nice
.Pq Vt int
The
.Xr nice 1
value to run the service under.
.It Ao Ar name Ac Ns Va _oomprotect
.Pq Vt str
Use
.Xr protect 1
to prevent the service from being killed when swap space
is exhausted.
Use
.Dq Li YES
to protect only the service itself, and
.Dq Li ALL
to protect the service and all its child processes.
.Pp
Please note that rc scripts which redefine
.Dl ${argument}_cmd
.Pq see Xr rc.subr 8
such as PostgreSQL will not inherit the OOM killer protection.
.Pp
This variable has no effect on services running within a
.Xr jail 8 .
.It Ao Ar name Ac Ns Va _setup
.Pq Vt str
Run the specified setup script right before starting the actual service
command.
Useful for automatic configuration file generation.
.It Ao Ar name Ac Ns Va _umask
.Pq Vt int
Run the service using this
.Xr umask 1
value.
.It Ao Ar name Ac Ns Va _user
.Pq Vt str
Run the service under this user account.
.It Ao Ar name Ac Ns Va _svcj
.Pq Vt bool
If set to
.Dq Li YES ,
auto-jail the service with inherited filesystem and other
jail properties depending on
.Ao Ar name Ac Ns Va _svcj_options .
.It Ao Ar name Ac Ns Va _svcj_ipaddrs
.Pq Vt str
A list of IP addresses that the service jail will be permitted to use.
If this is not specified, the service jail will be permitted to use all
assigned IP addresses if networking is enabled in the jail.
.It Ao Ar name Ac Ns Va _svcj_options
.Pq Vt str
A list of jail properties for the service.
See
.Sx SERVICE JAILS
for a list of valid properties.
.It Va apm_enable
.Pq Vt bool
If set to
.Dq Li YES ,
enable support for Automatic Power Management with
the
.Xr apm 8
command.
.It Va apmd_enable
.Pq Vt bool
Run
.Xr apmd 8
to handle APM events from userland.
This also enables support for APM.
.It Va apmd_flags
.Pq Vt str
If
.Va apmd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr apmd 8
daemon.
.It Va devd_enable
.Pq Vt bool
Run
.Xr devd 8
to handle device added, removed or unknown events from the kernel.
.It Va ddb_enable
.Pq Vt bool
Run
.Xr ddb 8
to install
.Xr ddb 4
scripts at boot time.
.It Va ddb_config
.Pq Vt str
Configuration file for
.Xr ddb 8 .
Default
.Pa /etc/ddb.conf .
.It Va devmatch_enable
.Pq Vt bool
If set to
.Dq Li NO ,
disable auto-loading of kernel modules with
.Xr devmatch 8 .
.It Va devmatch_blocklist
.Pq Vt str
A whitespace-separated list of kernel modules to be ignored by
.Xr devmatch 8 .
In addition, the
.Xr kenv 1
.Va devmatch_blocklist
is appended to this variable to allow disabling of
.Xr devmatch 8
loaded modules from the boot loader.
.It Va devmatch_blacklist
.Pq Vt str
This variable is deprecated.
Use
.Va devmatch_blocklist
instead.
A whitespace-separated list of kernel modules to be ignored by
.Xr devmatch 8 .
.It Va kld_list
.Pq Vt str
A whitespace-separated list of kernel modules to load right after
the local disks are mounted, without any
.Pa .ko
extension or path.
.It Va kldxref_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Set to
.Dq Li YES
to automatically rebuild
.Pa linker.hints
files with
.Xr kldxref 8
at boot time.
.It Va kldxref_clobber
.Pq Vt bool
Set to
.Dq Li NO
by default.
If
.Va kldxref_enable
is true,
setting to
.Dq Li YES
will overwrite existing
.Pa linker.hints
files at boot time.
Otherwise,
only missing
.Pa linker.hints
files are generated.
.It Va kldxref_module_path
.Pq Vt str
Empty by default.
A semi-colon
.Pq Ql \&;
delimited list of paths containing
.Xr kld 4
modules.
If empty,
the contents of the
.Va kern.module_path
.Xr sysctl 8
are used.
.It Va powerd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
enable the system power control facility with the
.Xr powerd 8
daemon.
.It Va powerd_flags
.Pq Vt str
If
.Va powerd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr powerd 8
daemon.
.It Va svcj_all_enable
Enable auto-jailing of all services which are not explicitly
excluded.
See
.Sx SERVICE JAILS
for more info.
.It Va tmpmfs
Controls the creation of a
.Pa /tmp
memory file system.
Always happens if set to
.Dq Li YES
and never happens if set to
.Dq Li NO .
If set to anything else, a memory file system is created if
.Pa /tmp
is not writable.
.It Va tmpsize
Controls the size of a created
.Pa /tmp
memory file system.
.It Va tmpmfs_flags
Extra options passed to the
.Xr mdmfs 8
utility when the memory file system for
.Pa /tmp
is created.
The default is
.Dq Li "-S" ,
which inhibits the use of softupdates on
.Pa /tmp
so that file system space is freed without delay
after file truncation or deletion.
See
.Xr mdmfs 8
for other options you can use in
.Va tmpmfs_flags .
.It Va varmfs
Controls the creation of a
.Pa /var
memory file system.
Always happens if set to
.Dq Li YES
and never happens if set to
.Dq Li NO .
If set to anything else, a memory file system is created if
.Pa /var
is not writable.
.It Va varsize
Controls the size of a created
.Pa /var
memory file system.
.It Va varmfs_flags
Extra options passed to the
.Xr mdmfs 8
utility when the memory file system for
.Pa /var
is created.
The default is
.Dq Li "-S" ,
which inhibits the use of softupdates on
.Pa /var
so that file system space is freed without delay
after file truncation or deletion.
See
.Xr mdmfs 8
for other options you can use in
.Va varmfs_flags .
.It Va populate_var
Controls the automatic population of the
.Pa /var
file system.
Always happens if set to
.Dq Li YES
and never happens if set to
.Dq Li NO .
If set to anything else, a memory file system is created if
.Pa /var
is not writable.
Note that this process requires access to certain commands in
.Pa /usr
before
.Pa /usr
is mounted on normal systems.
.It Va cleanvar_enable
.Pq Vt bool
Clean the
.Pa /var
directory.
.It Va var_run_enable
.Pq Vt bool
Set to "YES" to enable saving of the
.Pa /var/run
directory structure into an mtree file at shutdown and the reload of the
.Pa /var/run
directory structure at boot.
.It Va var_run_autosave
.Pq Vt bool
In some cases it may be undesirable to save
.Pa /var/run
at shutdown.
When set to "NO"
.Pa /var/run
is loaded at reboot but not saved at shutdown.
Typically in this scenario
.Ql service var_run save
would be performed to save a copy of the
.Pa /var/run
directory structure once, to be reloaded during all subsequent reboots.
.It Va var_run_mtree
.Pq Vt str
Where to save the
.Pa /var/run
mtree.
The default location is
.Pa /var/db/mtree/BSD.var-run.mtree .
.It Va local_startup
.Pq Vt str
List of directories to search for startup script files.
.It Va script_name_sep
.Pq Vt str
The field separator to use for breaking down the list of startup script files
into individual filenames.
The default is a space.
It is not necessary to change this unless there are startup scripts with names
containing spaces.
.It Va hostapd_enable
.Pq Vt bool
Set to
.Dq Li YES
to start
.Xr hostapd 8
at system boot time.
.It Va hostname
.Pq Vt str
The fully qualified domain name (FQDN) of this host on the network.
This should almost certainly be set to something meaningful, even if
there is no network connection.
If
.Xr dhclient 8
is used to set the hostname via DHCP,
this variable should be set to an empty string.
Within a
.Xr jail 8
the hostname is generally already set and this variable may be absent.
If this value remains unset when the system is done booting
your console login will display the default hostname of
.Dq Amnesiac .
.It Va nisdomainname
.Pq Vt str
The NIS domain name of this host, or
.Dq Li NO
if NIS is not used.
.It Va hostid_enable
.Pq Vt bool
If set to
.Dq Li NO ,
disable the generation or saving of the
.Pa hostid
and
.Pa machine-id
files at system boot and shutdown.
.It Va hostid_file
.Pq Vt str
Path to the
.Pa hostid
file, default
.Pa /etc/hostid .
.It Va hostid_uuidgen_flags
.Pq Vt str
Flags passed to
.Xr uuidgen 1
when generating a software host UUID.
This is used only if the system cannot determine a hardware UUID.
Set to
.Dq Li -r
by default.
.It Va machine_id_file
.Pq Vt str
Path to the
.Pa machine-id
file, default
.Pa /etc/machine-id .
.It Va dhclient_program
.Pq Vt str
Path to the DHCP client program, defaulting to
.Pa /sbin/dhclient .
.It Va dhclient_flags
.Pq Vt str
Additional flags to pass to the DHCP client program.
See the
.Xr dhclient 8
manpage for a description of the command line options available.
.It Va dhclient_flags_ Ns Aq Ar iface
Additional flags to pass to the DHCP client program running on
.Ar iface
only.
When specified, this variable overrides
.Va dhclient_flags .
.It Va background_dhclient
.Pq Vt bool
Set to
.Dq Li YES
to start the DHCP client in background.
This can cause trouble with applications depending on
a working network, but it will provide a faster startup
in many cases.
.It Va background_dhclient_ Ns Aq Ar iface
When specified, this variable overrides the
.Va background_dhclient
variable for interface
.Ar iface
only.
.It Va dhclient_arpwait
.Pq Vt bool
Set to
.Dq Li NO
to stop
.Xr dhclient 8
from waiting for ARP resolution, to make the system boot faster.
This may be done on networks where the DHCP server is certain to
know whether an address is available.
.It Va synchronous_dhclient
.Pq Vt bool
Set to
.Dq Li YES
to start
.Xr dhclient 8
synchronously at startup.
This behavior can be overridden on a per-interface basis by replacing
the
.Dq Li DHCP
keyword in the
.Va ifconfig_ Ns Aq Ar interface
variable with
.Dq Li SYNCDHCP
or
.Dq Li NOSYNCDHCP .
.It Va defaultroute_delay
.Pq Vt int
When set to a positive value, wait up to this long after configuring
DHCP interfaces at startup to give the interfaces time to receive a lease.
.It Va firewall_enable
.Pq Vt bool
Set to
.Dq Li YES
to load firewall rules at startup.
If the kernel was not built with
.Cd "options IPFIREWALL" ,
the
.Pa ipfw.ko
kernel module will be loaded.
See also
.Va ipfilter_enable .
.It Va firewall_script
.Pq Vt str
This variable specifies the full path to the firewall script to run.
The default is
.Pa /etc/rc.firewall .
.It Va firewall_type
.Pq Vt str
Names the firewall type from the selection in
.Pa /etc/rc.firewall ,
or the file which contains the local firewall ruleset.
Valid selections from
.Pa /etc/rc.firewall
are:
.Pp
.Bl -tag -width ".Li workstation" -compact
.It Li open
unrestricted IP access
.It Li closed
all IP services disabled, except via
.Dq Li lo0
.It Li client
basic protection for a workstation
.It Li workstation
basic protection for a workstation using stateful firewalling
.It Li simple
basic protection for a LAN.
.El
.Pp
If a filename is specified, the full path
must be given.
.Pp
Most of the predefined rulesets define additional configuration variables.
These are documented in
.Pa /etc/rc.firewall .
.It Va firewall_quiet
.Pq Vt bool
Set to
.Dq Li YES
to disable the display of firewall rules on the console during boot.
.It Va firewall_logging
.Pq Vt bool
Set to
.Dq Li YES
to enable firewall event logging.
This is equivalent to the
.Dv IPFIREWALL_VERBOSE
kernel option.
.It Va firewall_logif
.Pq Vt bool
Set to
.Dq Li YES
to create pseudo interface
.Li ipfw0
for logging.
For more details, see
.Xr ipfw 8
manual page.
.It Va firewall_flags
.Pq Vt str
Flags passed to
.Xr ipfw 8
if
.Va firewall_type
specifies a filename.
.It Va firewall_coscripts
.Pq Vt str
List of executables and/or rc scripts to run after firewall starts/stops.
Default is empty.
.\" ----- firewall_nat_enable setting --------------------------------
.It Va firewall_nat_enable
.Pq Vt bool
The
.Xr ipfw 8
equivalent of
.Va natd_enable .
Setting this to
.Dq Li YES
will automatically load the
.Xr ipfw 8
NAT kernel module if
.Va firewall_enable
is also set to
.Dq Li YES .
.It Va firewall_nat_interface
.Pq Vt str
The
.Xr ipfw 8
equivalent of
.Va natd_interface .
This is the name of the public interface or IP address on which
kernel NAT should run.
.It Va firewall_nat_flags
.Pq Vt str
Additional configuration parameters for kernel NAT should be placed here.
.It Va firewall_nat64_enable
.Pq Vt bool
Setting this to
.Dq Li YES
will automatically load the
.Xr ipfw 8
NAT64 kernel module if
.Va firewall_enable
is also set to
.Dq Li YES .
.It Va firewall_nptv6_enable
.Pq Vt bool
Setting this to
.Dq Li YES
will automatically load the
.Xr ipfw 8
NPTv6 kernel module if
.Va firewall_enable
is also set to
.Dq Li YES .
.It Va firewall_pmod_enable
.Pq Vt bool
Setting this to
.Dq Li YES
will automatically load the
.Xr ipfw 8
pmod kernel module if
.Va firewall_enable
is also set to
.Dq Li YES .
.It Va dummynet_enable
.Pq Vt bool
Setting this to
.Dq Li YES
will automatically load the
.Xr dummynet 4
module if
.Va firewall_enable
is also set to
.Dq Li YES .
.\" -------------------------------------------------------------------
.It Va ipfw_netflow_enable
.Pq Vt bool
Setting this to
.Dq Li YES
will enable netflow logging via
.Xr ng_netflow 4 .
.Pp
By default an ipfw rule is inserted and all packets are duplicated with
the ngtee command and netflow packets are sent to 127.0.0.1 on the netflow
port using protocol version 5.
.It Va ipfw_netflow_hook
.Pq Vt int
netflow hook name, must be numerical
(default
.Pa 9995 ) .
.It Va ipfw_netflow_rule
.Pq Vt int
ipfw rule number
(default
.Pa 1000 ) .
.It Va ipfw_netflow_ip
.Pq Vt str
Destination server IP for receiving netflow data
(default
.Pa 127.0.0.1 ) .
.It Va ipfw_netflow_port
.Pq Vt int
Destination server port for receiving netflow data
(default
.Pa 9995 ) .
.It Va ipfw_netflow_version
.Pq Vt int
Do not set for using version 5 of the netflow protocol, set it to 9 for using
version 9.
.It Va ipfw_netflow_fib
.Pq Vt int
Only match packet in FIB
.Pa ipfw_netflow_fib
(default is undefined meaning all FIBs).
.It Va natd_program
.Pq Vt str
Path to
.Xr natd 8 .
.It Va natd_enable
.Pq Vt bool
Set to
.Dq Li YES
to enable
.Xr natd 8 .
.Va firewall_enable
must also be set to
.Dq Li YES ,
and
.Xr divert 4
sockets must be enabled in the kernel.
If the kernel was not built with
.Cd "options IPDIVERT" ,
the
.Pa ipdivert.ko
kernel module will be loaded.
.It Va natd_interface
.Pq Vt str
This is the name of the public interface on which
.Xr natd 8
should run.
The interface may be given as an interface name or as an IP address.
.It Va natd_flags
.Pq Vt str
Additional
.Xr natd 8
flags should be placed here.
The
.Fl n
or
.Fl a
flag is automatically added with the above
.Va natd_interface
as an argument.
.\" ----- ipfilter_enable setting --------------------------------
.It Va ipfilter_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Setting this to
.Dq Li YES
enables
.Xr ipf 8
packet filtering.
.Pp
Typical usage will require putting
.Bd -literal
ipfilter_enable="YES"
ipnat_enable="YES"
ipmon_enable="YES"
ipfs_enable="YES"
.Ed
.Pp
into
.Pa /etc/rc.conf
and editing
.Pa /etc/ipf.rules
and
.Pa /etc/ipnat.rules
appropriately.
.Pp
Note that
.Va ipfilter_enable
and
.Va ipnat_enable
can be enabled independently.
.Va ipmon_enable
and
.Va ipfs_enable
both require at least one of
.Va ipfilter_enable
and
.Va ipnat_enable
to be enabled.
.Pp
Having
.Bd -literal
options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK
.Ed
.Pp
in the kernel configuration file is a good idea, too.
.\" ----- ipfilter_program setting ------------------------------
.It Va ipfilter_program
.Pq Vt str
Path to
.Xr ipf 8
(default
.Pa /sbin/ipf ) .
.\" ----- ipfilter_rules setting --------------------------------
.It Va ipfilter_rules
.Pq Vt str
Set to
.Pa /etc/ipf.rules
by default.
This variable contains the name of the filter rule definition file.
The file is expected to be readable for the
.Xr ipf 8
command to execute.
.\" ----- ipfilter_flags setting --------------------------------
.It Va ipfilter_flags
.Pq Vt str
Empty by default.
This variable contains flags passed to the
.Xr ipf 8
program.
.\" ----- ipnat_enable setting ----------------------------------
.It Va ipnat_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Set it to
.Dq Li YES
to enable
.Xr ipnat 8
network address translation.
See
.Va ipfilter_enable
for a detailed discussion.
.\" ----- ipnat_program setting ---------------------------------
.It Va ipnat_program
.Pq Vt str
Path to
.Xr ipnat 8
(default
.Pa /sbin/ipnat ) .
.\" ----- ipnat_rules setting -----------------------------------
.It Va ipnat_rules
.Pq Vt str
Set to
.Pa /etc/ipnat.rules
by default.
This variable contains the name of the file
holding the network address translation definition.
This file is expected to be readable for the
.Xr ipnat 8
command to execute.
.\" ----- ipnat_flags setting -----------------------------------
.It Va ipnat_flags
.Pq Vt str
Empty by default.
This variable contains flags passed to the
.Xr ipnat 8
program.
.\" ----- ipmon_enable setting ----------------------------------
.It Va ipmon_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Set it to
.Dq Li YES
to enable
.Xr ipmon 8
monitoring (logging
.Xr ipf 8
and
.Xr ipnat 8
events).
Setting this variable needs setting
.Va ipfilter_enable
or
.Va ipnat_enable
too.
See
.Va ipfilter_enable
for a detailed discussion.
.\" ----- ipmon_program setting ---------------------------------
.It Va ipmon_program
.Pq Vt str
Path to
.Xr ipmon 8
(default
.Pa /sbin/ipmon ) .
.\" ----- ipmon_flags setting -----------------------------------
.It Va ipmon_flags
.Pq Vt str
Set to
.Dq Li -Ds
by default.
This variable contains flags passed to the
.Xr ipmon 8
program.
Another typical example would be
.Dq Fl D Pa /var/log/ipflog
to have
.Xr ipmon 8
log directly to a file bypassing
.Xr syslogd 8 .
Make sure to adjust
.Pa /etc/newsyslog.conf
in such case like this:
.Bd -literal
/var/log/ipflog 640 10 100 * Z /var/run/ipmon.pid
.Ed
.\" ----- ipfs_enable setting -----------------------------------
.It Va ipfs_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Set it to
.Dq Li YES
to enable
.Xr ipfs 8
saving the filter and NAT state tables during shutdown
and reloading them during startup again.
Setting this variable needs setting
.Va ipfilter_enable
or
.Va ipnat_enable
to
.Dq Li YES
too.
See
.Va ipfilter_enable
for a detailed discussion.
Note that if
.Va kern_securelevel
is set to 3,
.Va ipfs_enable
cannot be used
because the raised securelevel will prevent
.Xr ipfs 8
from saving the state tables at shutdown time.
.\" ----- ipfs_program setting ----------------------------------
.It Va ipfs_program
.Pq Vt str
Path to
.Xr ipfs 8
(default
.Pa /sbin/ipfs ) .
.\" ----- ipfs_flags setting ------------------------------------
.It Va ipfs_flags
.Pq Vt str
Empty by default.
This variable contains flags passed to the
.Xr ipfs 8
program.
.\" ----- end of added ipf hook ---------------------------------
.It Va pf_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Setting this to
.Dq Li YES
enables
.Xr pf 4
packet filtering.
.Pp
Typical usage will require putting
.Pp
.Dl pf_enable="YES"
.Pp
into
.Pa /etc/rc.conf
and editing
.Pa /etc/pf.conf
appropriately.
Adding
.Pp
.Dl "device pf"
.Pp
builds support for
.Xr pf 4
into the kernel, otherwise the
kernel module will be loaded.
.It Va pf_rules
.Pq Vt str
Path to
.Xr pf 4
ruleset configuration file
(default
.Pa /etc/pf.conf ) .
.It Va pf_program
.Pq Vt str
Path to
.Xr pfctl 8
(default
.Pa /sbin/pfctl ) .
.It Va pf_flags
.Pq Vt str
If
.Va pf_enable
is set to
.Dq Li YES ,
these flags are passed to the
.Xr pfctl 8
program when loading the ruleset.
.It Va pf_fallback_rules_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Setting this to
.Dq Li YES
enables loading
.Va pf_fallback_rules_file
or
.Va pf_fallback_rules
in case of a problem when loading the ruleset in
.Va pf_rules .
.It Va pf_fallback_rules_file
.Pq Vt str
Path to a pf ruleset to load in case of failure when loading the
ruleset in
.Va pf_rules
(default
.Pa /etc/pf-fallback.conf ) .
.It Va pf_fallback_rules
.Pq Vt str
A pf ruleset to load in case of failure when loading the ruleset in
.Va pf_rules
and
.Va pf_fallback_rules_file
is not found.
Multiple rules can be set as follows:
.Bd -literal
pf_fallback_rules="
        block drop log all
        pass in quick on em0"
.Pp
.Ed
The default fallback rule is
.Dq block drop log all
.It Va pflog_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Setting this to
.Dq Li YES
enables
.Xr pflogd 8
which logs packets from the
.Xr pf 4
packet filter.
.It Va pflog_logfile
.Pq Vt str
If
.Va pflog_enable
is set to
.Dq Li YES
this controls where
.Xr pflogd 8
stores the logfile
(default
.Pa /var/log/pflog ) .
Check
.Pa /etc/newsyslog.conf
to adjust logfile rotation for this.
.It Va pflog_program
.Pq Vt str
Path to
.Xr pflogd 8
(default
.Pa /sbin/pflogd ) .
.It Va pflog_flags
.Pq Vt str
Empty by default.
This variable contains additional flags passed to the
.Xr pflogd 8
program.
.It Va pflog_instances
.Pq Vt str
If logging to more than one
.Xr pflog 4
interface is desired,
.Va pflog_instances
is set to the list of
.Xr pflogd 8
instances that should be started at system boot time.
If
.Va pflog_instances
is set, for each whitespace-separated
.Ar element
in the list,
.Ao Ar element Ac Ns Va _dev
and
.Ao Ar element Ac Ns Va _logfile
elements are assumed to exist.
.Ao Ar element Ac Ns Va _dev
must contain the
.Xr pflog 4
interface to be watched by the named
.Xr pflogd 8
instance.
.Ao Ar element Ac Ns Va _logfile
must contain the name of the logfile that will be used by the
.Xr pflogd 8
instance.
.It Va ftpproxy_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Setting this to
.Dq Li YES
enables
.Xr ftp-proxy 8
which supports the
.Xr pf 4
packet filter in translating ftp connections.
.It Va ftpproxy_flags
.Pq Vt str
Empty by default.
This variable contains additional flags passed to the
.Xr ftp-proxy 8
program.
.It Va ftpproxy_instances
.Pq Vt str
Empty by default.
If multiple instances of
.Xr ftp-proxy 8
are desired at boot time,
.Va ftpproxy_instances
should contain a whitespace-separated list of instance names.
For each
.Ar element
in the list, a variable named
.Ao Ar element Ac Ns Va _flags
should be defined, containing the command-line flags to be passed to the
.Xr ftp-proxy 8
instance.
.It Va pfsync_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Setting this to
.Dq Li YES
enables exposing
.Xr pf 4
state changes to other hosts over the network by means of
.Xr pfsync 4 .
The
.Va pfsync_syncdev
variable
must also be set then.
.It Va pfsync_syncdev
.Pq Vt str
Empty by default.
This variable specifies the name of the network interface
.Xr pfsync 4
should operate through.
It must be set accordingly if
.Va pfsync_enable
is set to
.Dq Li YES .
.It Va pfsync_syncpeer
.Pq Vt str
Empty by default.
This variable is optional.
By default, state change messages are sent out on the synchronisation
interface using IP multicast packets.
The protocol is IP protocol 240, PFSYNC, and the multicast group used is
224.0.0.240.
When a peer address is specified using the
.Va pfsync_syncpeer
option, the peer address is used as a destination for the pfsync
traffic, and the traffic can then be protected using
.Xr ipsec 4 .
See the
.Xr pfsync 4
manpage for more details about using
.Xr ipsec 4
with
.Xr pfsync 4
interfaces.
.It Va pfsync_ifconfig
.Pq Vt str
Empty by default.
This variable can contain additional options to be passed to the
.Xr ifconfig 8
command used to set up
.Xr pfsync 4 .
.It Va tcp_extensions
.Pq Vt bool
Set to
.Dq Li YES
by default.
Setting this to
.Dq Li NO
disables certain TCP options as described by
.Rs
.%T "RFC 1323"
.Re
Setting this to
.Dq Li NO
might help remedy connection problems such as random hangs
or other weird behavior.
Some network devices are known
to be broken with respect to these options.
.It Va log_in_vain
.Pq Vt int
Set to 0 by default.
The
.Xr sysctl 8
variables,
.Va net.inet.tcp.log_in_vain
and
.Va net.inet.udp.log_in_vain ,
as described in
.Xr tcp 4
and
.Xr udp 4 ,
are set to the given value.
.It Va tcp_keepalive
.Pq Vt bool
Set to
.Dq Li YES
by default.
Setting to
.Dq Li NO
will disable probing idle TCP connections to verify that the
peer is still up and reachable.
.It Va tcp_drop_synfin
.Pq Vt bool
Set to
.Dq Li NO
by default.
Setting to
.Dq Li YES
will cause the kernel to ignore TCP frames that have both
the SYN and FIN flags set.
This prevents OS fingerprinting, but may
break some legitimate applications.
.It Va icmp_drop_redirect
.Pq Vt bool
Set to
.Dq Li AUTO
by default.
This setting will be identical to
.Dq Li YES ,
if a dynamic routing daemon is enabled, because redirect processing may
cause performance issues for large routing tables.
If no such service is enabled, this setting behaves like a
.Dq Li NO .
Setting to
.Dq Li YES
will cause the kernel to ignore ICMP REDIRECT packets.
Setting to
.Dq Li NO
will cause the kernel to process ICMP REDIRECT packets.
Refer to
.Xr icmp 4
for more information.
.It Va icmp_log_redirect
.Pq Vt bool
Set to
.Dq Li NO
by default.
Setting to
.Dq Li YES
will cause the kernel to log ICMP REDIRECT packets.
Note that
the log messages are not rate-limited, so this option should only be used
for troubleshooting networks.
Refer to
.Xr icmp 4
for more information.
.It Va icmp_bmcastecho
.Pq Vt bool
Set to
.Dq Li YES
to respond to broadcast or multicast ICMP ping packets.
Refer to
.Xr icmp 4
for more information.
.It Va ip_portrange_first
.Pq Vt int
If not set to
.Dq Li NO ,
this is the first port in the default portrange.
Refer to
.Xr ip 4
for more information.
.It Va ip_portrange_last
.Pq Vt int
If not set to
.Dq Li NO ,
this is the last port in the default portrange.
Refer to
.Xr ip 4
for more information.
.It Va network_interfaces
.Pq Vt str
Set to the list of network interfaces to configure on this host or
.Dq Li AUTO
(the default) for all current interfaces.
Setting the
.Va network_interfaces
variable to anything other than the default is deprecated.
Interfaces that the administrator wishes to store configuration for,
but not start at boot should be configured with the
.Dq Li NOAUTO
keyword in their
.Va ifconfig_ Ns Aq Ar interface
variables as described below.
.Pp
An
.Va ifconfig_ Ns Aq Ar interface
variable is assumed to exist for each value of
.Ar interface .
When an interface name contains any of the characters
.Dq Li .-/+
they are translated to
.Dq Li _
before lookup.
For example, the interface
.Va em0.102
would be configured using the variable
.Va ifconfig_em0_102 .
.Pp
The variable can contain arguments to
.Xr ifconfig 8 ,
as well as special case-insensitive keywords described below.
Such keywords are removed before passing the value to
.Xr ifconfig 8
while the order of the other arguments is preserved.
.Pp
For example, to assign the IPv4 address 192.0.2.1/24 to the interface em0:
.Bd -literal
ifconfig_em0="inet 192.0.2.1/24 up"
.Ed
.Pp
If the variable
.Va ifconfig_ Ns Ao Ar interface Ac Ns Pa _ipv6
is set, then
.Va ifconfig_ Ns Aq Ar interface
does not need to be set unless an IPv4 address should also be assigned to
the interface.
.Pp
It is possible to add IP alias entries using
.Xr ifconfig 8
syntax with the address family keyword such as
.Li inet .
Assuming that the interface in question was
.Li em0 ,
it might look something like this:
.Bd -literal
ifconfig_em0_alias0="inet 127.0.0.253/32"
ifconfig_em0_alias1="inet 127.0.0.254/32"
.Ed
.Pp
It is also possible to configure multiple IP addresses in Classless
Inter-Domain Routing
.Pq CIDR
address notation,
in which each address component can be a range like
.Li inet 192.0.2.5-23/24
or
.Li inet6 2001:db8:1-f::1/64 .
This notation allows only the address and prefix length parts,
not the other address modifiers.
Note that the maximum number of the generated addresses from a range
specification is limited to an integer value specified in
.Va netif_ipexpand_max
in
.Nm
because a small typo can unexpectedly generate a large number of addresses.
The default value is
.Li 2048 .
It can be increased by adding the following line into
.Nm :
.Bd -literal
netif_ipexpand_max="4096"
.Ed
.Pp
In the case of
.Li 192.0.2.5-23/24 ,
the address 192.0.2.5 will be configured with the prefix length /24 and the
addresses 192.0.2.6 to 192.0.2.23 with the non-conflicting prefix length /32 as
explained in the
.Xr ifconfig 8
alias section.
Note that this special CIDR handling is only for
.Li inet ,
not for the other address families such as
.Li inet6 .
.Pp
With the interface in question being
.Li em0 ,
an example could look like:
.Bd -literal
ifconfig_em0_alias2="inet 192.0.2.129/27"
ifconfig_em0_alias3="inet 192.0.2.1-5/28"
.Ed
.Pp
and so on.
.Pp
Note that the deprecated
.Va ipv4_addrs_ Ns Aq Ar interface
variable was supported for IPv4 CIDR address notation.
The
.Va ifconfig_ Ns Ao Ar interface Ac Ns Va _alias Ns Aq Ar n
variable replaces it, though
.Va ipv4_addrs_ Ns Aq Ar interface
is still supported for backward compatibility.
.Pp
For each
.Va ifconfig_ Ns Ao Ar interface Ac Ns Va _alias Ns Aq Ar n
entry with an address family keyword,
its contents are passed to
.Xr ifconfig 8 .
Execution stops at the first unsuccessful access, so if
something like this is present:
.Bd -literal
ifconfig_em0_alias0="inet 127.0.0.251/32"
ifconfig_em0_alias1="inet 127.0.0.252/32"
ifconfig_em0_alias2="inet 127.0.0.253/32"
ifconfig_em0_alias4="inet 127.0.0.254/32"
.Ed
.Pp
Then note that alias4 would
.Em not
be added since the search would
stop with the missing
.Dq Li alias3
entry.
Because this behavior is difficult to manage,
there is the
.Va ifconfig_ Ns Ao Ar interface Ac Ns Va _aliases
variable, which has the same functionality as
.Va ifconfig_ Ns Ao Ar interface Ac Ns Va _alias Ns Aq Ar n
and can have all of the entries in a variable like the following:
.Bd -literal
ifconfig_em0_aliases="\\
	inet 127.0.0.251/32 \\
	inet 127.0.0.252/32 \\
	inet 127.0.0.253/32 \\
	inet 127.0.0.254/32"
.Ed
.Pp
It also supports netmask notation for backward compatibility.
.Pp
If the
.Pa /etc/start_if . Ns Aq Ar interface
file is present, it is read and executed by the
.Xr sh 1
interpreter
before configuring the interface as specified in the
.Va ifconfig_ Ns Aq Ar interface
and
.Va ifconfig_ Ns Ao Ar interface Ac Ns Va _alias Ns Aq Ar n
variables.
.Pp
If a
.Va vlans_ Ns Aq Ar interface
variable is set,
a
.Xr vlan 4
interface will be created for each item in the list with the
.Ar vlandev
argument set to
.Ar interface .
If a vlan interface's name is a number,
then that number is used as the vlan tag and the new vlan interface is
named
.Ar interface . Ns Ar tag .
Otherwise,
the vlan tag must be specified via a
.Va vlan
parameter in the
.Va create_args_ Ns Aq Ar interface
variable.
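The numbered alias lookup described earlier in this entry fails silently when a number is missing, so a lint pass over the file is useful before a reboot. The following is an added example, not code from this manual or from the FreeBSD rc scripts; the function names are made up, and it only inspects plain assignments that start a line in the given file.

```shell
#!/bin/sh
# Added example: not part of rc.conf(5) or of the FreeBSD rc scripts.

# ifvar_name IFACE
# Apply the translation described above: any of the characters . - / +
# in an interface name becomes _ in the variable name.
ifvar_name() {
    printf '%s' "$1" | tr './+-' '____'
}

# alias_indices FILE IFACE
# Print the alias numbers assigned for IFACE in FILE, sorted, one per
# line. The pattern requires digits before "=", so the separate
# ifconfig_<interface>_aliases variable is not counted.
alias_indices() {
    name=$(ifvar_name "$2")
    sed -n "s/^[[:space:]]*ifconfig_${name}_alias\([0-9][0-9]*\)=.*/\1/p" "$1" |
        sort -n -u
}

# skipped_aliases FILE IFACE
# Print the alias numbers that sit behind the first gap in the
# numbering, separated by spaces. Since the lookup stops at the first
# missing number, these addresses would never be configured.
skipped_aliases() {
    next=0
    out=
    for n in $(alias_indices "$1" "$2"); do
        if [ "$n" -eq "$next" ]; then
            next=$((next + 1))
        else
            out="${out:+$out }$n"
        fi
    done
    printf '%s\n' "$out"
}

# Constructed sample: the em0 lines repeat the example from the text,
# the em0.102 lines are made up to exercise the name translation.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ifconfig_em0_alias0="inet 127.0.0.251/32"
ifconfig_em0_alias1="inet 127.0.0.252/32"
ifconfig_em0_alias2="inet 127.0.0.253/32"
ifconfig_em0_alias4="inet 127.0.0.254/32"
ifconfig_em0_102_alias1="inet 192.0.2.10/32"
EOF
for ifn in em0 em0.102; do
    echo "$ifn ($(ifvar_name "$ifn")): skipped aliases: $(skipped_aliases "$sample" "$ifn")"
done
rm -f "$sample"
```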
.Pp
To create a vlan device named
.Li em0.101
on
.Li em0
with the vlan tag 101 and the optional IPv4 address 192.0.2.1/24:
.Bd -literal
vlans_em0="101"
ifconfig_em0_101="inet 192.0.2.1/24"
.Ed
.Pp
To create a vlan device named
.Li myvlan
on
.Li em0
with the vlan tag 102:
.Bd -literal
vlans_em0="myvlan"
create_args_myvlan="vlan 102"
.Ed
.Pp
If a
.Va wlans_ Ns Aq Ar interface
variable is set,
a
.Xr wlan 4
interface will be created for each item in the list with the
.Ar wlandev
argument set to
.Ar interface .
Further wlan cloning arguments may be passed to the
.Xr ifconfig 8
.Cm create
command by setting the
.Va create_args_ Ns Aq Ar interface
variable.
One or more
.Xr wlan 4
devices must be created for each wireless device as of
.Fx 8.0 .
Debugging flags for
.Xr wlan 4
devices as set by
.Xr wlandebug 8
may be specified with a
.Va wlandebug_ Ns Aq Ar interface
variable.
The contents of this variable will be passed directly to
.Xr wlandebug 8 .
.Pp
If the
.Va ifconfig_ Ns Aq Ar interface
contains the keyword
.Dq Li NOAUTO
then the interface will not be configured
at boot or by
.Pa /etc/pccard_ether
when
.Va network_interfaces
is set to
.Dq Li AUTO .
.Pp
It is possible to bring up an interface with DHCP by adding
.Dq Li DHCP
to the
.Va ifconfig_ Ns Aq Ar interface
variable.
For instance, to initialize the
.Li em0
device via DHCP,
it is possible to use something like:
.Bd -literal
ifconfig_em0="DHCP"
.Ed
.Pp
If you want to configure your wireless interface with
.Xr wpa_supplicant 8
for use with WPA, EAP/LEAP or WEP, you need to add
.Dq Li WPA
to the
.Va ifconfig_ Ns Aq Ar interface
variable.
.Pp
On the other hand, if you want to configure your wireless interface with
.Xr hostapd 8 ,
you need to add
.Dq Li HOSTAP
to the
.Va ifconfig_ Ns Aq Ar interface
variable.
.Xr hostapd 8
will use the settings from
.Pa /etc/hostapd- Ns Ao Ar interface Ac Ns .conf .
.Pp
Finally, you can add
.Xr ifconfig 8
options in this variable, in addition to the
.Pa /etc/start_if . Ns Aq Ar interface
file.
For instance, to configure an
.Xr ath 4
wireless device in station mode with an address obtained
via DHCP, using WPA authentication and 802.11b mode, it is
possible to use something like:
.Bd -literal
wlans_ath0="wlan0"
ifconfig_wlan0="DHCP WPA mode 11b"
.Ed
.Pp
In addition to the
.Va ifconfig_ Ns Aq Ar interface
form, a fallback variable
.Va ifconfig_DEFAULT
may be configured.
It will be used for all interfaces with no
.Va ifconfig_ Ns Aq Ar interface
variable.
.Pp
It is also possible to rename an interface by doing:
.Bd -literal
ifconfig_em0_name="net0"
ifconfig_net0="inet 192.0.2.1/24"
.Ed
.It Va ipv6_enable
.Pq Vt bool
This variable is deprecated.
Use
.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
and
.Va ipv6_activate_all_interfaces
if necessary.
.Pp
If the variable is
.Dq Li YES ,
.Dq Li inet6 accept_rtadv
is added to all of
.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
and the
.Va ipv6_activate_all_interfaces
variable is defined as
.Dq Li YES .
.It Va ipv6_prefer
.Pq Vt bool
This variable is deprecated.
Use
.Va ip6addrctl_policy
instead.
.Pp
If the variable is
.Dq Li YES ,
the default address selection policy table set by
.Xr ip6addrctl 8
will be IPv6-preferred.
.Pp
If the variable is
.Dq Li NO ,
the default address selection policy table set by
.Xr ip6addrctl 8
will be IPv4-preferred.
.It Va ipv6_activate_all_interfaces
.Pq Vt bool
This controls initial configuration on IPv6-capable
interfaces with no corresponding
.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
variable.
Note that it is not always necessary to set this variable to
.Dq YES
to use IPv6 functionality on
.Fx .
In most cases, just configuring
.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
variables works.
.Pp
If the variable is
.Dq Li NO ,
all interfaces which do not have a corresponding
.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
variable will be marked as
.Dq Li IFDISABLED
at creation.
This means that all IPv6 functionality on that interface
is completely disabled to enforce a security policy.
If the variable is set to
.Dq YES ,
the flag will be cleared on all of the interfaces.
.Pp
In most cases, just defining an
.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
for an IPv6-capable interface should be sufficient.
However, if an interface is added dynamically
.Pq by some tunneling protocols such as PPP, for example ,
it is often difficult to define the variable in advance.
In such a case, configuring the
.Dq Li IFDISABLED
flag can be disabled by setting this variable to
.Dq YES .
.Pp
For more details of the
.Dq Li IFDISABLED
flag and keywords
.Dq Li inet6 ifdisabled ,
see
.Xr ifconfig 8 .
.Pp
Default is
.Dq Li NO .
.It Va ipv6_privacy
.Pq Vt bool
If the variable is
.Dq Li YES
privacy addresses will be generated for each IPv6
interface as described in RFC 4941.
.It Va ipv6_network_interfaces
.Pq Vt str
This is the IPv6 equivalent of
.Va network_interfaces .
Normally manual configuration of this variable is not needed.
.It Va ipv6_cpe_wanif
.Pq Vt str
If the variable is set to an interface name,
the
.Xr ifconfig 8
options
.Dq inet6 -no_radr accept_rtadv
will be added to the specified interface automatically before evaluating
.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6 ,
and two
.Xr sysctl 8
variables
.Va net.inet6.ip6.rfc6204w3
and
.Va net.inet6.ip6.no_radr
will be set to 1.
.Pp
This means the specified interface will accept ICMPv6 Router
Advertisement messages on that link and add the discovered
routers into the Default Router List.
While the other interfaces can still accept RA messages if the
.Dq inet6 accept_rtadv
option is specified, adding
routes into the Default Router List will be disabled by the
.Dq inet6 no_radr
option by default.
See
.Xr ifconfig 8
for more details.
.Pp
Note that ICMPv6 Router Advertisement messages will be
accepted even when
.Va net.inet6.ip6.forwarding
is 1
.Pq packet forwarding is enabled
when
.Va net.inet6.ip6.rfc6204w3
is set to 1.
.Pp
Default is
.Dq Li NO .
.It Va ifconfig_ Ns Ao Ar interface Ac Ns _descr
.Pq Vt str
This assigns an arbitrary description to an interface.
The
.Xr sysctl 8
variable
.Va net.ifdescr_maxlen
limits its length.
This static setting may be overridden by commands
started with dynamic interface configuration utilities
like
.Xr dhclient 8
hooks.
The description can be seen with the
.Xr ifconfig 8
command and it may be exported with the
.Xr bsnmpd 1
daemon using its MIB-2 module.
.It Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
.Pq Vt str
IPv6 functionality on an interface should be configured by
.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6 ,
instead of setting ifconfig parameters in
.Va ifconfig_ Ns Aq Ar interface .
If this variable is empty, all IPv6 configurations on the
specified interface by other variables such as
.Va ipv6_prefix_ Ns Ao Ar interface Ac
will be ignored.
.Pp
Aliases should be set by
.Va ifconfig_ Ns Ao Ar interface Ac Ns Va _alias Ns Aq Ar n
with the
.Dq Li inet6
keyword.
For example:
.Bd -literal
ifconfig_em0_ipv6="inet6 2001:db8:1::1 prefixlen 64"
ifconfig_em0_alias0="inet6 2001:db8:2::1 prefixlen 64"
.Ed
.Pp
Interfaces that have an
.Dq Li inet6 accept_rtadv
keyword in their
.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
setting will be automatically configured by SLAAC
.Pq StateLess Address AutoConfiguration
described in
.Rs
.%T "RFC 4862"
.Re
.Pp
Note that a link-local address will be automatically configured in
addition to the configured global-scope addresses because the IPv6
specifications require it on each link.
The address is calculated from the MAC address by using an algorithm
defined in
.Rs
.%T "RFC 4862"
.%O "Section 5.3"
.Re
.Pp
If only a link-local address is needed on the interface,
the following configuration can be used:
.Bd -literal
ifconfig_em0_ipv6="inet6 auto_linklocal"
.Ed
.Pp
A link-local address can also be configured manually.
This is useful for the default router address of an IPv6 router
so that it does not change when the network interface
card is replaced.
For example:
.Bd -literal
ifconfig_em0_ipv6="inet6 fe80::1 prefixlen 64"
.Ed
.It Va ipv6_prefix_ Ns Aq Ar interface
.Pq Vt str
If one or more prefixes are defined in
.Va ipv6_prefix_ Ns Aq Ar interface ,
addresses based on each prefix and the EUI-64 interface index will be
configured on that interface.
Note that this variable will be ignored when
.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
is empty.
.Pp
For example, the following configuration
.Bd -literal
ipv6_prefix_em0="2001:db8:1:0 2001:db8:2:0"
.Ed
.Pp
is equivalent to the following:
.Bd -literal
ifconfig_em0_alias0="inet6 2001:db8:1:: eui64 prefixlen 64"
ifconfig_em0_alias1="inet6 2001:db8:1:: prefixlen 64 anycast"
ifconfig_em0_alias2="inet6 2001:db8:2:: eui64 prefixlen 64"
ifconfig_em0_alias3="inet6 2001:db8:2:: prefixlen 64 anycast"
.Ed
.Pp
These Subnet-Router anycast addresses will be added only when
.Va ipv6_gateway_enable
is YES.
.It Va ipv6_default_interface
.Pq Vt str
If not set to
.Dq Li NO ,
this is the default output interface for scoped addresses.
This works only with ipv6_gateway_enable="NO".
.It Va ip6addrctl_enable
.Pq Vt bool
This variable enables configuration of the default address selection
policy table
.Pq RFC 3484 .
The table can be specified in another variable
.Va ip6addrctl_policy .
For
.Va ip6addrctl_policy
the following keywords can be specified:
.Dq Li ipv4_prefer ,
.Dq Li ipv6_prefer ,
or
.Dq Li AUTO .
.Pp
If
.Dq Li ipv4_prefer
or
.Dq Li ipv6_prefer
is specified,
.Xr ip6addrctl 8
installs a pre-defined policy table described in Section 10.3
.Pq IPv4-preferred
or 2.1
.Pq IPv6-preferred
of RFC 3484.
.Pp
If
.Dq Li AUTO
is specified, it attempts to read a file
.Pa /etc/ip6addrctl.conf
first.
If this file is found,
.Xr ip6addrctl 8
reads and installs it.
If not found, a policy is automatically set
according to the
.Va ipv6_activate_all_interfaces
variable; if the variable is set to
.Dq Li YES
the IPv6-preferred one is used.
Otherwise, the IPv4-preferred one is used.
.Pp
The default values of
.Va ip6addrctl_enable
and
.Va ip6addrctl_policy
are
.Dq Li YES
and
.Dq Li AUTO ,
respectively.
.It Va cloned_interfaces
.Pq Vt str
Set to the list of clonable network interfaces to create on this host.
Further cloning arguments may be passed to the
.Xr ifconfig 8
.Cm create
command for each interface by setting the
.Va create_args_ Ns Aq Ar interface
variable.
If an interface name is specified with the
.Dq :sticky
keyword,
the interface will not be destroyed even when the
.Pa rc.d/netif
script is invoked with the
.Dq stop
argument.
This is useful when reconfiguring the interface without destroying it.
Entries in
.Va cloned_interfaces
are automatically appended to
.Va network_interfaces
for configuration.
.It Va cloned_interfaces_sticky
.Pq Vt bool
This variable globally enables the functionality of the
.Dq :sticky
keyword in
.Va cloned_interfaces
for all interfaces.
The default value is
.Dq NO .
Even if this variable is set to
.Dq YES ,
the
.Dq :nosticky
keyword can be used to override it on a per-interface basis.
.It Va gif_interfaces
Set to the list of
.Xr gif 4
tunnel interfaces to configure on this host.
A
.Va gifconfig_ Ns Aq Ar interface
variable is assumed to exist for each value of
.Ar interface .
The value of this variable is used to configure the link layer of the
tunnel using the
.Cm tunnel
option to
.Xr ifconfig 8 .
Additionally, this option ensures that each listed interface is created
via the
.Cm create
option to
.Xr ifconfig 8
before attempting to configure it.
.Pp
For example, configure two
.Xr gif 4
interfaces with:
.Bd -literal
gif_interfaces="gif0 gif1"
gifconfig_gif0="100.64.0.1 100.64.0.2"
ifconfig_gif0="inet 10.0.0.1/30 10.0.0.2"
gifconfig_gif1="inet6 2a00::1 2a01::1"
ifconfig_gif1="inet 10.1.0.1/30 10.1.0.2"
.Ed
.It Va ppp_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr ppp 8
daemon.
.It Va ppp_profile
.Pq Vt str
The name of the profile to use from
.Pa /etc/ppp/ppp.conf .
Also used for per-profile overrides of
.Va ppp_mode
and
.Va ppp_nat ,
and
.Va ppp_ Ns Ao Ar profile Ac Ns _unit .
When the profile name contains any of the characters
.Dq Li .-/+
they are translated to
.Dq Li _
for the purposes of the override variable names.
.It Va ppp_mode
.Pq Vt str
Mode in which to run the
.Xr ppp 8
daemon.
.It Va ppp_ Ns Ao Ar profile Ac Ns _mode
.Pq Vt str
Overrides the global
.Va ppp_mode
for
.Ar profile .
Accepted modes are
.Dq Li auto ,
.Dq Li ddial ,
.Dq Li direct
and
.Dq Li dedicated .
See the manual for a full description.
.It Va ppp_nat
.Pq Vt bool
If set to
.Dq Li YES ,
enables network address translation.
When used in conjunction with
.Va gateway_enable ,
this allows hosts on private network addresses access to the Internet using
this host as a network address translating router.
Default is
.Dq Li YES .
.It Va ppp_ Ns Ao Ar profile Ac Ns _nat
.Pq Vt str
Overrides the global
.Va ppp_nat
for
.Ar profile .
.It Va ppp_ Ns Ao Ar profile Ac Ns _unit
.Pq Vt int
Set the unit number to be used for this profile.
See the manual description of
.Fl unit Ns Ar N
for details.
.It Va ppp_user
.Pq Vt str
The name of the user under which
.Xr ppp 8
should be started.
By default,
.Xr ppp 8
is started as
.Dq Li root .
.It Va rc_conf_files
.Pq Vt str
This option is used to specify a list of files that will override
the settings in
.Pa /etc/defaults/rc.conf .
The files will be read in the order in which they are specified and should
include the full path to the file.
By default, the files specified are
.Pa /etc/rc.conf
and
.Pa /etc/rc.conf.local .
.It Va zfs_enable
.Pq Vt bool
If set to
.Dq Li YES ,
.Pa /etc/rc.d/zfs
will attempt to automatically mount ZFS file systems and initialize ZFS volumes
(ZVOLs).
.It Va zpool_reguid
.Pq Vt str
A space-separated list of ZFS pool names for which new pool GUIDs should be
assigned upon first boot.
This is useful when using a ZFS pool copied from a template, such as a virtual
machine image.
.It Va zpool_upgrade
.Pq Vt str
A space-separated list of ZFS pool names for which the version should be
upgraded upon first boot.
This is useful when using a ZFS pool generated by the
.Xr makefs 8
utility.
.It Va gptboot_enable
.Pq Vt bool
If set to
.Dq Li YES ,
.Pa /etc/rc.d/gptboot
will log if the system successfully (or not) booted from a GPT partition,
which had the
.Ar bootonce
attribute set using the
.Xr gpart 8
utility.
.It Va geli_devices
.Pq Vt str
List of devices to automatically attach on boot.
Note that .eli devices from
.Pa /etc/fstab
are automatically appended to this list.
.It Va geli_groups
.Pq Vt str
List of groups containing devices to automatically attach on boot with the same
keyfiles and passphrase.
This must be accompanied by a corresponding
.Va geli_ Ns Ao Ar group Ac Ns Va _devices
variable.
.It Va geli_tries
.Pq Vt int
Number of times the user is asked for the pass-phrase.
If empty, it will be taken from the
.Va kern.geom.eli.tries
sysctl variable.
.It Va geli_default_flags
.Pq Vt str
Default flags used by
.Xr geli 8
when configuring disk encryption.
Flags can be configured for every device separately by defining the
.Va geli_ Ns Ao Ar device Ac Ns Va _flags
variable, and for every group separately by defining the
.Va geli_ Ns Ao Ar group Ac Ns Va _flags
variable.
.It Va geli_autodetach
.Pq Vt str
Specifies if GELI devices should be marked for detach on last close after
file systems are mounted.
Default is
.Dq Li YES .
This can be changed for every device separately by defining the
.Va geli_ Ns Ao Ar device Ac Ns Va _autodetach
variable.
.It Va root_rw_mount
.Pq Vt bool
Set to
.Dq Li YES
by default.
After the file systems are checked at boot time, the root file system
is remounted as read-write if this is set to
.Dq Li YES .
Diskless systems that mount their root file system from a read-only remote
NFS share should set this to
.Dq Li NO
in their
.Pa rc.conf .
.It Va fsck_y_enable
.Pq Vt bool
If set to
.Dq Li YES ,
.Xr fsck 8
will be run with the
.Fl y
flag if the initial preen
of the file systems fails.
.It Va background_fsck
.Pq Vt bool
If set to
.Dq Li NO ,
the system will not attempt to run
.Xr fsck 8
in the background where possible.
.It Va background_fsck_delay
.Pq Vt int
The amount of time in seconds to sleep before starting a background
.Xr fsck 8 .
It defaults to sixty seconds to allow large applications such as
the X server to start before disk I/O bandwidth is monopolized by
.Xr fsck 8 .
If set to a negative number, the background file system check will be
delayed indefinitely to allow the administrator to run it at a more
convenient time.
For example it may be run from
.Xr cron 8
by adding a line like
.Pp
.Dl "0 4 * * * root /etc/rc.d/bgfsck forcestart"
.Pp
to
.Pa /etc/crontab .
.It Va netfs_types
.Pq Vt str
List of file system types that are network-based.
This list should generally not be modified by end users.
Use
.Va extra_netfs_types
instead.
.It Va extra_netfs_types
.Pq Vt str
If set to something other than
.Dq Li NO
(the default),
this variable extends the list of file system types
for which automatic mounting at startup by
.Xr rc 8
should be delayed until the network is initialized.
It should contain
a whitespace-separated list of network file system descriptor pairs,
each consisting of a file system type as passed to
.Xr mount 8
and a human-readable, one-word description,
joined with a colon
.Pq Ql \&: .
Extending the default list in this way is only necessary
when third party file system types are used.
.It Va syslogd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr syslogd 8
daemon.
Note, the
.Va syslogd_oomprotect
variable is set to
.Dq Li YES
by default in
.Pa /etc/defaults/rc.conf .
.It Va syslogd_program
.Pq Vt str
Path to
.Xr syslogd 8
(default
.Pa /usr/sbin/syslogd ) .
.It Va syslogd_flags
.Pq Vt str
If
.Va syslogd_enable
is set to
.Dq Li YES ,
these are the flags to pass to
.Xr syslogd 8 .
.It Va inetd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr inetd 8
daemon.
.It Va inetd_program
.Pq Vt str
Path to
.Xr inetd 8
(default
.Pa /usr/sbin/inetd ) .
.It Va inetd_flags
.Pq Vt str
If
.Va inetd_enable
is set to
.Dq Li YES ,
these are the flags to pass to
.Xr inetd 8 .
.It Va hastd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr hastd 8
daemon.
.It Va hastd_program
.Pq Vt str
Path to
.Xr hastd 8
(default
.Pa /sbin/hastd ) .
.It Va hastd_flags
.Pq Vt str
If
.Va hastd_enable
is set to
.Dq Li YES ,
these are the flags to pass to
.Xr hastd 8 .
.It Va local_unbound_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr unbound 8
daemon as a local caching DNS resolver.
Note, the
.Va local_unbound_oomprotect
variable is set to
.Dq Li YES
by default in
.Pa /etc/defaults/rc.conf .
.It Va nscd_enable
.Pq Vt bool
Set to
.Dq Li YES
to start the
.Xr nscd 8
caching daemon for the
.Nm nsswitch
subsystem.
.It Va nscd_flags
.Pq Vt str
If
.Va nscd_enable
is set to
.Dq Li YES ,
these flags are passed to
.Xr nscd 8 .
.It Va kdc_enable
.Pq Vt bool
Set to
.Dq Li YES
to start a Kerberos 5 authentication server
at boot time.
.It Va kdc_program
.Pq Vt str
If
.Va kdc_enable
is set to
.Dq Li YES
this is the path to the Kerberos 5 Authentication Server.
.It Va kdc_flags
.Pq Vt str
Empty by default.
This variable contains additional flags to be passed to the Kerberos 5
authentication server.
.It Va kadmind_enable
.Pq Vt bool
Set to
.Dq Li YES
to start
.Xr kadmind 8 ,
the Kerberos 5 Administration Daemon; set to
.Dq Li NO
on a slave server.
.It Va kadmind_program
.Pq Vt str
If
.Va kadmind_enable
is set to
.Dq Li YES
this is the path to the Kerberos 5 Administration Daemon.
.It Va kpasswdd_enable
.Pq Vt bool
Set to
.Dq Li YES
to start
.Xr kpasswdd 8 ,
the Kerberos 5 Password-Changing Daemon; set to
.Dq Li NO
on a slave server.
.It Va kpasswdd_program
.Pq Vt str
If
.Va kpasswdd_enable
is set to
.Dq Li YES ,
this is the path to the Kerberos 5 Password-Changing Daemon.
.It Va kfd_enable
.Pq Vt bool
Set to
.Dq Li YES
to start
.Xr kfd 8 ,
the Kerberos 5 ticket forwarding daemon, at boot time.
.It Va kfd_program
.Pq Vt str
Path to
.Xr kfd 8
(default
.Pa /usr/libexec/kfd ) .
.It Va rwhod_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr rwhod 8
daemon at boot time.
.It Va rwhod_flags
.Pq Vt str
If
.Va rwhod_enable
is set to
.Dq Li YES ,
these are the flags to pass to it.
.It Va update_motd
.Pq Vt bool
If set to
.Dq Li YES ,
.Pa /var/run/motd
will be updated at boot time to reflect the kernel release
being run.
If set to
.Dq Li NO ,
.Pa /var/run/motd
will not be updated.
.It Va nfs_client_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the NFS client daemons at boot time.
.It Va nfs_access_cache
.Pq Vt int
If
.Va nfs_client_enable
is set to
.Dq Li YES ,
this can be set to
.Dq Li 0
to disable NFS ACCESS RPC caching, or to the number of seconds for which
NFS ACCESS
results should be cached.
A value of 2-10 seconds will substantially reduce network
traffic for many NFS operations.
.It Va nfs_server_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the NFS server daemons at boot time.
.It Va nfs_server_flags
.Pq Vt str
If
.Va nfs_server_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr nfsd 8
daemon.
.It Va nfsv4_server_enable
.Pq Vt bool
If
.Va nfs_server_enable
is set to
.Dq Li YES
and
.Va nfsv4_server_enable
is set to
.Dq Li YES ,
enable the server for NFSv4 as well as NFSv2 and NFSv3.
.It Va nfsv4_server_only
.Pq Vt bool
If
.Va nfs_server_enable
is set to
.Dq Li YES
and
.Va nfsv4_server_only
is set to
.Dq Li YES ,
enable the NFS server for NFSv4 only.
.It Va nfs_server_maxio
.Pq Vt int
The value to set vfs.nfsd.srvmaxio to, which is the
maximum I/O size for the NFS server.
.It Va tlsclntd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr rpc.tlsclntd 8
daemon, which is needed for NFS-over-TLS NFS mounts.
.It Va tlsservd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr rpc.tlsservd 8
daemon, which is needed for the
.Xr nfsd 8
to support NFS-over-TLS NFS mounts.
.It Va nfsuserd_enable
.Pq Vt bool
If
.Va nfsuserd_enable
is set to
.Dq Li YES ,
run the nfsuserd daemon, which is needed for NFSv4 in order
to map between user/group names and uid/gid numbers.
If
.Va nfsv4_server_enable
is set to
.Dq Li YES ,
this variable is forced to be enabled.
.It Va nfsuserd_flags
.Pq Vt str
If
.Va nfsuserd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr nfsuserd 8
daemon.
.It Va nfscbd_enable
.Pq Vt bool
If
.Va nfscbd_enable
is set to
.Dq Li YES ,
run the nfscbd daemon, which enables callbacks/delegations for the NFSv4 client.
.It Va nfscbd_flags
.Pq Vt str
If
.Va nfscbd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr nfscbd 8
daemon.
.It Va mountd_enable
.Pq Vt bool
If set to
.Dq Li YES
and
.Va nfs_server_enable
is not set, start
.Xr mountd 8 ,
but not the
.Xr nfsd 8
daemon.
This is commonly needed to run CFS without real NFS being used.
.It Va mountd_flags
.Pq Vt str
If
.Va mountd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr mountd 8
daemon.
.It Va weak_mountd_authentication
.Pq Vt bool
If set to
.Dq Li YES ,
allow services like PCNFSD to make non-privileged mount
requests.
.It Va nfs_reserved_port_only
.Pq Vt bool
If set to
.Dq Li YES ,
provide NFS services only on a secure port.
.It Va nfs_bufpackets
.Pq Vt int
If set to a number, indicates the number of packets worth of
socket buffer space to reserve on an NFS client.
The kernel default is typically 4.
Using a higher number may be
useful on gigabit networks to improve performance.
The minimum value is
2 and the maximum is 64.
.It Va rpc_lockd_enable
.Pq Vt bool
If set to
.Dq Li YES
and also an NFS server or client, run
.Xr rpc.lockd 8
at boot time.
.It Va rpc_lockd_flags
.Pq Vt str
If
.Va rpc_lockd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr rpc.lockd 8
daemon.
.It Va rpc_statd_enable
.Pq Vt bool
If set to
.Dq Li YES
and also an NFS server or client, run
.Xr rpc.statd 8
at boot time.
.It Va rpc_statd_flags
.Pq Vt str
If
.Va rpc_statd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr rpc.statd 8
daemon.
.It Va rpcbind_program
.Pq Vt str
Path to
.Xr rpcbind 8
(default
.Pa /usr/sbin/rpcbind ) .
.It Va rpcbind_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr rpcbind 8
service at boot time.
.It Va rpcbind_flags
.Pq Vt str
If
.Va rpcbind_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr rpcbind 8
daemon.
.It Va pppoed_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr pppoed 8
daemon at boot time to provide PPP over Ethernet services.
.It Va pppoed_ Ns Aq Ar provider
.Pq Vt str
.Xr pppoed 8
listens to requests to this
.Ar provider
and ultimately runs
.Xr ppp 8
with a
.Ar system
argument of the same name.
.It Va pppoed_flags
.Pq Vt str
Additional flags to pass to
.Xr pppoed 8 .
.It Va pppoed_interface
.Pq Vt str
The network interface to run
.Xr pppoed 8
on.
This is mandatory when
.Va pppoed_enable
is set to
.Dq Li YES .
.It Va ntpdate_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run
.Xr ntpdate 8
at system startup.
This command is intended to
synchronize the system clock only
.Em once
from some standard reference.
.Pp
Note that the use of the
.Va ntpd_sync_on_start
variable is a preferred alternative to the
.Xr ntpdate 8
utility as
.Xr ntpdate 8
is to be retired from the NTP distribution.
.It Va ntpdate_config
.Pq Vt str
Configuration file for
.Xr ntpdate 8 .
Default
.Pa /etc/ntp.conf .
.It Va ntpdate_hosts
.Pq Vt str
A whitespace-separated list of NTP servers to synchronize with at startup.
The default is to use the servers listed in
.Va ntpdate_config ,
if that file exists.
.It Va ntpdate_program
.Pq Vt str
Path to
.Xr ntpdate 8
(default
.Pa /usr/sbin/ntpdate ) .
.It Va ntpdate_flags
.Pq Vt str
If
.Va ntpdate_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr ntpdate 8
command (typically a hostname).
.It Va ntpd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr ntpd 8
command at boot time.
.It Va ntpd_program
.Pq Vt str
Path to
.Xr ntpd 8
(default
.Pa /usr/sbin/ntpd ) .
.It Va ntpd_config
.Pq Vt str
Path to
.Xr ntpd 8
configuration file.
Default
.Pa /etc/ntp.conf .
.It Va ntpd_flags
.Pq Vt str
If
.Va ntpd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr ntpd 8
daemon.
.It Va ntpd_sync_on_start
.Pq Vt bool
If set to
.Dq Li YES ,
.Xr ntpd 8
is run with the
.Fl g
flag, which syncs the system's clock on startup.
See
.Xr ntpd 8
for more information regarding the
.Fl g
option.
This is a preferred alternative to using
.Xr ntpdate 8
or specifying the
.Va ntpdate_enable
variable.
.It Va nis_client_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr ypbind 8
service at system boot time.
.It Va nis_client_flags
.Pq Vt str
If
.Va nis_client_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr ypbind 8
service.
.It Va nis_ypldap_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr ypldap 8
daemon at system boot time.
.It Va nis_ypldap_flags
.Pq Vt str
If
.Va nis_ypldap_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr ypldap 8
daemon.
.It Va nis_ypset_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr ypset 8
daemon at system boot time.
.It Va nis_ypset_flags
.Pq Vt str
If
.Va nis_ypset_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr ypset 8
daemon.
.It Va nis_server_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr ypserv 8
daemon at system boot time.
.It Va nis_server_flags
.Pq Vt str
If
.Va nis_server_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr ypserv 8
daemon.
.It Va nis_ypxfrd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr rpc.ypxfrd 8
daemon at system boot time.
.It Va nis_ypxfrd_flags
.Pq Vt str
If
.Va nis_ypxfrd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr rpc.ypxfrd 8
daemon.
.It Va nis_yppasswdd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr rpc.yppasswdd 8
daemon at system boot time.
.It Va nis_yppasswdd_flags
.Pq Vt str
If
.Va nis_yppasswdd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr rpc.yppasswdd 8
daemon.
.It Va rpc_ypupdated_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Nm rpc.ypupdated
daemon at system boot time.
.It Va bsnmpd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr bsnmpd 1
daemon at system boot time.
Be sure to understand the security implications of running an SNMP daemon
on your host.
.It Va bsnmpd_flags
.Pq Vt str
If
.Va bsnmpd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr bsnmpd 1
daemon.
.It Va defaultrouter
.Pq Vt str
If not set to
.Dq Li NO ,
create a default route to this host name or IP address
(use an IP address if this router is also required to get to the
name server!).
.It Va defaultrouter_fibN
.Pq Vt str
If not set to
.Dq Li NO ,
create a default route in FIB N to this host name or IP address.
.It Va ipv6_defaultrouter
.Pq Vt str
The IPv6 equivalent of
.Va defaultrouter .
.It Va ipv6_defaultrouter_fibN
.Pq Vt str
The IPv6 equivalent of
.Va defaultrouter_fibN .
.It Va static_arp_pairs
.Pq Vt str
Set to the list of static ARP pairs that are to be added at system
boot time.
For each whitespace separated
.Ar element
in the value, a
.Va static_arp_ Ns Aq Ar element
variable is assumed to exist whose contents will later be passed to a
.Dq Nm arp Cm -S
operation.
For example
.Bd -literal
static_arp_pairs="gw"
static_arp_gw="192.168.1.1 00:01:02:03:04:05"
.Ed
.It Va static_ndp_pairs
.Pq Vt str
Set to the list of static NDP pairs that are to be added at system
boot time.
For each whitespace separated
.Ar element
in the value, a
.Va static_ndp_ Ns Aq Ar element
variable is assumed to exist whose contents will later be passed to a
.Dq Nm ndp Cm -s
operation.
For example
.Bd -literal
static_ndp_pairs="gw"
static_ndp_gw="2001:db8:3::1 00:01:02:03:04:05"
.Ed
.It Va static_routes
.Pq Vt str
Set to the list of static routes that are to be added at system
boot time.
If not set to
.Dq Li NO
then for each whitespace separated
.Ar element
in the value, a
.Va route_ Ns Aq Ar element
variable is assumed to exist
whose contents will later be passed to a
.Dq Nm route Cm add
operation.
For example:
.Bd -literal
static_routes="ext mcast:gif0 gif0local:gif0"
route_ext="-net 10.0.0.0/24 -gateway 192.168.0.1"
route_mcast="-net 224.0.0.0/4 -iface gif0"
route_gif0local="-host 169.254.1.1 -iface lo0"
.Ed
.Pp
When an
.Ar element
is in the form of
.Li name:ifname ,
the route is specific to the interface
.Li ifname .
.It Va ipv6_static_routes
.Pq Vt str
The IPv6 equivalent of
.Va static_routes .
If not set to
.Dq Li NO
then for each whitespace separated
.Ar element
in the value, a
.Va ipv6_route_ Ns Aq Ar element
variable is assumed to exist
whose contents will later be passed to a
.Dq Nm route Cm add Fl inet6
operation.
.It Va gateway_enable
.Pq Vt bool
If set to
.Dq Li YES ,
configure host to act as an IP router, e.g.\& to forward packets
between interfaces.
.It Va ipv6_gateway_enable
.Pq Vt bool
The IPv6 equivalent of
.Va gateway_enable .
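.Pp
Added example, not part of this manual page's original text or of the FreeBSD rc scripts: a lint for the element lists described above (static_arp_pairs, static_ndp_pairs, static_routes and ipv6_static_routes) that reports every element whose companion variable is missing.
The function names, the RC_LISTS table and the sample file are constructed for illustration, and treating name:ifname elements in ipv6_static_routes like those in static_routes is an assumption.

```sh
#!/bin/sh
# Added example: lint the "list of elements, one variable per element"
# settings from rc.conf(5). Not part of the FreeBSD rc scripts.

# Entries are list_variable:companion_prefix:kind.
#   route = the value NO disables the list; elements may be name:ifname
#   pair  = plain element names
# Handling ipv6_static_routes like static_routes is an assumption based on
# the page calling it "the IPv6 equivalent".
RC_LISTS="static_routes:route_:route
ipv6_static_routes:ipv6_route_:route
static_arp_pairs:static_arp_:pair
static_ndp_pairs:static_ndp_:pair"

# write_sample_rc_conf FILE
# Constructed sample: route "vpn" and NDP pair "gw6" lack their variables.
write_sample_rc_conf() {
    cat > "$1" <<'EOF'
static_routes="ext mcast:gif0 vpn"
route_ext="-net 10.0.0.0/24 -gateway 192.168.0.1"
route_mcast="-net 224.0.0.0/4 -iface gif0"
ipv6_static_routes="NO"
static_arp_pairs="gw"
static_arp_gw="192.168.1.1 00:01:02:03:04:05"
static_ndp_pairs="gw6"
EOF
}

# lint_rc_lists FILE
# Prints one line per problem; returns 0 if clean, 1 if problems were found,
# 2 if FILE could not be read.
lint_rc_lists() {
    _file=$1
    case $_file in */*) ;; *) _file=./$_file ;; esac  # "." must not search PATH
    (
        # rc.conf uses sh(1) syntax, so sourcing it yields the values the rc
        # scripts would see. Sourcing executes the file: lint only files that
        # rc(8) itself is allowed to read. The subshell keeps the caller clean.
        [ -r "$_file" ] || exit 2
        . "$_file"
        set -f                      # elements are words, never glob patterns
        _status=0
        for _entry in $RC_LISTS; do
            _list=${_entry%%:*}
            _rest=${_entry#*:}
            _prefix=${_rest%%:*}
            _kind=${_rest#*:}
            eval "_value=\${${_list}:-}"
            if [ -z "$_value" ]; then continue; fi
            if [ "$_kind" = route ]; then
                case $_value in [Nn][Oo]) continue ;; esac
            fi
            for _elem in $_value; do
                _name=$_elem
                if [ "$_kind" = route ]; then _name=${_elem%:*}; fi
                case $_name in
                ''|*[!A-Za-z0-9_]*)
                    # Assumption of this example: element names are plain
                    # identifiers; anything else is reported, not guessed at.
                    echo "$_list: element '$_elem' is not a plain name, not checked"
                    _status=1
                    continue ;;
                esac
                eval "_companion=\${${_prefix}${_name}:-}"
                if [ -z "$_companion" ]; then
                    echo "$_list: element '$_elem' needs ${_prefix}${_name}, which is unset or empty"
                    _status=1
                fi
            done
        done
        exit "$_status"
    )
}

# Stand-alone use: sh lint.sh /etc/rc.conf
if [ "$#" -gt 0 ]; then
    lint_rc_lists "$1"
fi
```

Run against the constructed sample, the lint reports route_vpn and static_ndp_gw6 as missing and leaves the disabled ipv6_static_routes list alone.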
.It Va routed_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run a routing daemon of some sort, based on the
settings of
.Va routed_program
and
.Va routed_flags .
.It Va route6d_enable
.Pq Vt bool
The IPv6 equivalent of
.Va routed_enable .
If set to
.Dq Li YES ,
run a routing daemon of some sort, based on the
settings of
.Va route6d_program
and
.Va route6d_flags .
.It Va routed_program
.Pq Vt str
If
.Va routed_enable
is set to
.Dq Li YES ,
this is the name of the routing daemon to use.
The default is
.Xr routed 8 .
.It Va route6d_program
.Pq Vt str
The IPv6 equivalent of
.Va routed_program .
The default is
.Xr route6d 8 .
.It Va routed_flags
.Pq Vt str
If
.Va routed_enable
is set to
.Dq Li YES ,
these are the flags to pass to the routing daemon.
.It Va route6d_flags
.Pq Vt str
The IPv6 equivalent of
.Va routed_flags .
.It Va rtadvd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr rtadvd 8
daemon at boot time.
The
.Xr rtadvd 8
utility sends ICMPv6 Router Advertisement messages to
the interfaces specified in
.Va rtadvd_interfaces .
This should only be enabled with great care.
You may want to fine-tune
.Xr rtadvd.conf 5 .
.It Va rtadvd_flags
.Pq Vt str
If
.Va rtadvd_enable
is set to
.Dq Li YES ,
these are the flags to pass to
.Xr rtadvd 8 .
.It Va rtadvd_interfaces
.Pq Vt str
If
.Va rtadvd_enable
is set to
.Dq Li YES
this is the list of interfaces to use.
.It Va arpproxy_all
.Pq Vt bool
If set to
.Dq Li YES ,
enable global proxy ARP.
.It Va forward_sourceroute
.Pq Vt bool
If set to
.Dq Li YES
and
.Va gateway_enable
is also set to
.Dq Li YES ,
source-routed packets are forwarded.
.It Va accept_sourceroute
.Pq Vt bool
If set to
.Dq Li YES ,
the system will accept source-routed packets directed at it.
.It Va rarpd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr rarpd 8
daemon at system boot time.
.It Va rarpd_flags
.Pq Vt str
If
.Va rarpd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr rarpd 8
daemon.
.It Va bootparamd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr bootparamd 8
daemon at system boot time.
.It Va bootparamd_flags
.Pq Vt str
If
.Va bootparamd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr bootparamd 8
daemon.
.It Va stf_interface_ipv4addr
.Pq Vt str
If not set to
.Dq Li NO ,
this is the local IPv4 address for 6to4 (IPv6 over IPv4 tunneling
interface).
Specify this entry to enable the 6to4 interface.
.It Va stf_interface_ipv4plen
.Pq Vt int
Prefix length for 6to4 IPv4 addresses, to limit peer address range.
An effective value is 0-31.
.It Va stf_interface_ipv6_ifid
.Pq Vt str
IPv6 interface ID for
.Xr stf 4 .
This can be set to
.Dq Li AUTO .
.It Va stf_interface_ipv6_slaid
.Pq Vt str
IPv6 Site Level Aggregator for
.Xr stf 4 .
.It Va ipv6_ipv4mapping
.Pq Vt bool
If set to
.Dq Li YES
this enables IPv4 mapped IPv6 address communication (like
.Li ::ffff:a.b.c.d ) .
.It Va rtsold_enable
.Pq Vt bool
Set to
.Dq Li YES
to enable the
.Xr rtsold 8
daemon to send ICMPv6 Router Solicitation messages.
.It Va rtsold_flags
.Pq Vt str
If
.Va rtsold_enable
is set to
.Dq Li YES ,
these are the flags to pass to
.Xr rtsold 8 .
.It Va rtsol_flags
.Pq Vt str
For interfaces configured with the
.Dq Li inet6 accept_rtadv
keyword, these are the flags to pass to
.Xr rtsol 8 .
.Pp
Note that
.Va rtsold_enable
is mutually exclusive with
.Va rtsol_flags ;
.Va rtsold_enable
takes precedence.
.It Va keybell
.Pq Vt str
The keyboard bell sound.
Set to
.Dq Li normal ,
.Dq Li visual ,
.Dq Li off ,
or
.Dq Li NO
if the default behavior is desired.
For details, refer to the
.Xr kbdcontrol 1
manpage.
.It Va keyboard
.Pq Vt str
If set to a non-null string, the virtual console's keyboard input is
set to this device.
.It Va keymap
.Pq Vt str
If set to
.Dq Li NO ,
no keymap is installed, otherwise the value is used to install
the keymap file found in
.Pa /usr/share/syscons/keymaps/ Ns Ao Ar value Ac Ns Pa .kbd
(if using
.Xr syscons 4 ) or
.Pa /usr/share/vt/keymaps/ Ns Ao Ar value Ac Ns Pa .kbd
(if using
.Xr vt 4 ) .
.It Va keyrate
.Pq Vt str
The keyboard repeat speed.
Set to
.Dq Li slow ,
.Dq Li normal ,
.Dq Li fast ,
or
.Dq Li NO
if the default behavior is desired.
.It Va keychange
.Pq Vt str
If not set to
.Dq Li NO ,
attempt to program the function keys with the value.
The value should
be a single string of the form:
.Dq Ar funkey_number new_value Op Ar funkey_number new_value ... .
.It Va cursor
.Pq Vt str
Can be set to the value of
.Dq Li normal ,
.Dq Li blink ,
.Dq Li destructive ,
or
.Dq Li NO
to set the cursor behavior explicitly or choose the default behavior.
.It Va scrnmap
.Pq Vt str
If set to
.Dq Li NO ,
no screen map is installed, otherwise the value is used to install
the screen map file in
.Pa /usr/share/syscons/scrnmaps/ Ns Aq Ar value .
This parameter is ignored when using
.Xr vt 4
as the console driver.
.It Va font8x16
.Pq Vt str
If set to
.Dq Li NO ,
the default 8x16 font value is used for screen size requests, otherwise
the value in
.Pa /usr/share/syscons/fonts/ Ns Aq Ar value
or
.Pa /usr/share/vt/fonts/ Ns Aq Ar value
is used (depending on the console driver being used).
.It Va font8x14
.Pq Vt str
If set to
.Dq Li NO ,
the default 8x14 font value is used for screen size requests, otherwise
the value in
.Pa /usr/share/syscons/fonts/ Ns Aq Ar value
or
.Pa /usr/share/vt/fonts/ Ns Aq Ar value
is used (depending on the console driver being used).
.It Va font8x8
.Pq Vt str
If set to
.Dq Li NO ,
the default 8x8 font value is used for screen size requests, otherwise
the value in
.Pa /usr/share/syscons/fonts/ Ns Aq Ar value
or
.Pa /usr/share/vt/fonts/ Ns Aq Ar value
is used (depending on the console driver being used).
.It Va blanktime
.Pq Vt int
If set to
.Dq Li NO ,
the default screen blanking interval is used, otherwise it is set
to
.Ar value
seconds.
.It Va saver
.Pq Vt str
If not set to
.Dq Li NO ,
this is the actual screen saver to use
.Li ( blank , snake , daemon ,
etc).
.It Va moused_nondefault_enable
.Pq Vt str
If set to
.Dq Li NO ,
the mouse device specified on
the command line is not automatically treated as enabled by the
.Pa /etc/rc.d/moused
script.
Having this variable set to
.Dq Li YES
allows a
.Xr usb 4
mouse,
for example,
to be enabled as soon as it is plugged in.
.It Va moused_enable
.Pq Vt str
If set to
.Dq Li YES ,
the
.Xr moused 8
daemon is started for doing cut/paste selection on the console.
.It Va moused_type
.Pq Vt str
This is the protocol type of the mouse connected to this host.
This variable must be set if
.Va moused_enable
is set to
.Dq Li YES ,
but defaults to
.Dq Li auto
as the
.Xr moused 8
daemon
is able to detect the appropriate mouse type automatically in many cases.
Set this variable to
one from the following list if the automatic detection fails.
.Pp
If the mouse is attached to the PS/2 mouse port, choose
.Dq Li auto
or
.Dq Li ps/2 ,
regardless of the brand and model of the mouse.
Likewise, if the
mouse is attached to the bus mouse port, choose
.Dq Li auto
or
.Dq Li busmouse .
All other protocols are for serial mice and will not work with
the PS/2 and bus mice.
If this is a USB mouse,
.Dq Li auto
is the only protocol type which will work.
.Pp
.Bl -tag -width ".Li x10mouseremote" -compact
.It Li microsoft
Microsoft mouse (serial)
.It Li intellimouse
Microsoft IntelliMouse (serial)
.It Li mousesystems
Mouse systems Corp.\& mouse (serial)
.It Li mmseries
MM Series mouse (serial)
.It Li logitech
Logitech mouse (serial)
.It Li busmouse
A bus mouse
.It Li mouseman
Logitech MouseMan and TrackMan (serial)
.It Li glidepoint
ALPS GlidePoint (serial)
.It Li thinkingmouse
Kensington ThinkingMouse (serial)
.It Li ps/2
PS/2 mouse
.It Li mmhittab
MM HitTablet (serial)
.It Li x10mouseremote
X10 MouseRemote (serial)
.It Li versapad
Interlink VersaPad (serial)
.El
.Pp
Even if the mouse is not in the above list, it may be compatible
with one in the list.
Refer to the manual page for
.Xr moused 8
for compatibility information.
.Pp
It should also be noted that while this is enabled, any
other client of the mouse (such as an X server) should access
the mouse through the virtual mouse device,
.Pa /dev/sysmouse ,
and configure it as a
.Dq Li sysmouse
type mouse, since all
mouse data is converted to this single canonical format when
using
.Xr moused 8 .
If the client program does not support the
.Dq Li sysmouse
type,
specify the
.Dq Li mousesystems
type.
It is the second preferred type.
.It Va moused_port
.Pq Vt str
If
.Va moused_enable
is set to
.Dq Li YES ,
this is the actual port the mouse is on.
It might be
.Pa /dev/cuau0
for a COM1 serial mouse, or
.Pa /dev/psm0
for a PS/2 mouse, for example.
.It Va moused_flags
.Pq Vt str
If
.Va moused_flags
is set, its value is used as an additional set of flags to pass to the
.Xr moused 8
daemon.
.It Va "moused_" Ns Ar XXX Ns Va "_flags"
When
.Va moused_nondefault_enable
is enabled, and a
.Xr moused 8
daemon is started for a non-default port, the
.Va "moused_" Ns Ar XXX Ns Va "_flags"
set of options has precedence over and replaces the default
.Va moused_flags
(where
.Ar XXX
is the name of the non-default port, e.g.,\&
.Ar ums0 ) .
By setting
.Va "moused_" Ns Ar XXX Ns Va "_flags"
it is possible to set up a different set of default flags for each
.Xr moused 8
instance.
For example, you can use
.Dq Li "-3"
for the default
.Va moused_flags
to make your laptop's touchpad more comfortable to use,
but an empty set of options for
.Va moused_ums0_flags
when your
.Xr usb 4
mouse has three or more buttons.
.It Va mousechar_start
.Pq Vt int
If set to
.Dq Li NO ,
the default mouse cursor character range
.Li 0xd0 Ns - Ns Li 0xd3
is used,
otherwise the range start is set
to
.Ar value
character, see
.Xr vidcontrol 1 .
Use if the default range is occupied in the language code table.
.It Va allscreens_flags
.Pq Vt str
If set,
.Xr vidcontrol 1
is run with these options for each of the virtual terminals
.Pq Pa /dev/ttyv* .
For example,
.Dq Fl m Cm on
will enable the mouse pointer on all virtual terminals
if
.Va moused_enable
is set to
.Dq Li YES .
.It Va allscreens_kbdflags
.Pq Vt str
If set,
.Xr kbdcontrol 1
is run with these options for each of the virtual terminals
.Pq Pa /dev/ttyv* .
For example,
.Dq Fl h Li 200
will set the
.Xr syscons 4
or
.Xr vt 4
scrollback (history) buffer to 200 lines.
.It Va cron_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr cron 8
daemon at system boot time.
.It Va cron_program
.Pq Vt str
Path to
.Xr cron 8
(default
.Pa /usr/sbin/cron ) .
.It Va cron_flags
.Pq Vt str
If
.Va cron_enable
is set to
.Dq Li YES ,
these are the flags to pass to
.Xr cron 8 .
.It Va cron_dst
.Pq Vt bool
If set to
.Dq Li YES ,
enable the special handling of transitions to and from the
Daylight Saving Time in
.Xr cron 8
(equivalent to using the flag
.Fl s ) .
.It Va lpd_program
.Pq Vt str
Path to
.Xr lpd 8
(default
.Pa /usr/sbin/lpd ) .
.It Va lpd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr lpd 8
daemon at system boot time.
.It Va lpd_flags
.Pq Vt str
If
.Va lpd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr lpd 8
daemon.
.It Va chkprintcap_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr chkprintcap 8
command before starting the
.Xr lpd 8
daemon.
.It Va chkprintcap_flags
.Pq Vt str
If
.Va lpd_enable
and
.Va chkprintcap_enable
are set to
.Dq Li YES ,
these are the flags to pass to the
.Xr chkprintcap 8
program.
The default is
.Dq Li -d ,
which causes missing directories to be created.
.It Va dumpdev
.Pq Vt str
Indicates the device (usually a swap partition) to which a crash dump
should be written in the event of a system crash.
If the value of this variable is
.Dq Li AUTO ,
the first suitable swap device listed in
.Pa /etc/fstab
will be used as dump device.
Otherwise, the value of this variable is passed as the argument to
.Xr dumpon 8
and
.Xr savecore 8 .
To disable crash dumps, set this variable to
.Dq Li NO .
.It Va dumpon_flags
.Pq Vt str
Flags to pass to
.Xr dumpon 8
when configuring
.Va dumpdev
as the system dump device.
.It Va dumpdir
.Pq Vt str
When the system reboots after a crash and a crash dump is found on the
device specified by the
.Va dumpdev
variable,
.Xr savecore 8
will save that crash dump and a copy of the kernel to the directory
specified by the
.Va dumpdir
variable.
The default value is
.Pa /var/crash .
Set to
.Dq Li NO
to not run
.Xr savecore 8
at boot time when
.Va dumpdir
is set.
.It Va savecore_enable
.Pq Vt bool
If set to
.Dq Li NO ,
disable automatic extraction of the crash dump from the
.Va dumpdev .
.It Va savecore_flags
.Pq Vt str
If crash dumps are enabled, these are the flags to pass to the
.Xr savecore 8
utility.
.It Va quota_enable
.Pq Vt bool
Set to
.Dq Li YES
to turn on user and group disk quotas on system startup via the
.Xr quotaon 8
command for all file systems marked as having quotas enabled in
.Pa /etc/fstab .
The kernel must be built with
.Cd "options QUOTA"
for disk quotas to function.
.It Va check_quotas
.Pq Vt bool
Set to
.Dq Li YES
to enable user and group disk quota checking via the
.Xr quotacheck 8
command.
.It Va quotacheck_flags
.Pq Vt str
If
.Va quota_enable
is set to
.Dq Li YES ,
and
.Va check_quotas
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr quotacheck 8
utility.
The default is
.Dq Li "-a" ,
which checks quotas for all file systems with quotas enabled in
.Pa /etc/fstab .
.It Va quotaon_flags
.Pq Vt str
If
.Va quota_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr quotaon 8
utility.
The default is
.Dq Li "-a" ,
which enables quotas for all file systems with quotas enabled in
.Pa /etc/fstab .
.It Va quotaoff_flags
.Pq Vt str
If
.Va quota_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr quotaoff 8
utility when shutting down the quota system.
The default is
.Dq Li "-a" ,
which disables quotas for all file systems with quotas enabled in
.Pa /etc/fstab .
.It Va accounting_enable
.Pq Vt bool
Set to
.Dq Li YES
to enable system accounting through the
.Xr accton 8
facility.
.It Va firstboot_sentinel
.Pq Vt str
This variable specifies the full path to a
.Dq first boot
sentinel file.
If a file exists with this path,
.Pa rc.d
scripts with the
.Dq firstboot
keyword will be run on startup and the sentinel file will be deleted
after the boot process completes.
The sentinel file must be located on a writable file system which is
mounted no later than
.Va early_late_divider
to function properly.
The default is
.Pa /firstboot .
.It Va linux_enable
.Pq Vt bool
Set to
.Dq Li YES
to enable Linux/ELF binary emulation at system initial
boot time.
.It Va sysvipc_enable
.Pq Vt bool
If set to
.Dq Li YES ,
load System V IPC primitives at boot time.
.It Va clear_tmp_enable
.Pq Vt bool
Set to
.Dq Li YES
to have
.Pa /tmp
cleaned at startup.
.It Va clear_tmp_X
.Pq Vt bool
Set to
.Dq Li NO
to disable removing of X11 lock files,
and the removal and (secure) recreation
of the various socket directories for X11
related programs.
.It Va ldconfig_paths
.Pq Vt str
Set to the list of shared library paths to use with
.Xr ldconfig 8 .
NOTE:
.Pa /lib
and
.Pa /usr/lib
will always be added first, so they need not appear in this list.
.It Va ldconfig32_paths
.Pq Vt str
Set to the list of 32-bit compatibility shared library paths to
use with
.Xr ldconfig 8 .
.It Va ldconfig_insecure
.Pq Vt bool
The
.Xr ldconfig 8
utility normally refuses to use directories
which are writable by anyone except root.
Set this variable to
.Dq Li YES
to disable that security check during system startup.
.It Va ldconfig_local_dirs
.Pq Vt str
Set to the list of local
.Xr ldconfig 8
directories.
The names of all files in the directories listed will be
passed as arguments to
.Xr ldconfig 8 .
.It Va ldconfig_local32_dirs
.Pq Vt str
Set to the list of local 32-bit compatibility
.Xr ldconfig 8
directories.
The names of all files in the directories listed will be
passed as arguments to
.Dq Nm ldconfig Fl 32 .
.It Va kern_securelevel_enable
.Pq Vt bool
Set to
.Dq Li YES
to set the kernel security level at system startup.
.It Va kern_securelevel
.Pq Vt int
The kernel security level to set at startup.
The allowed
.Ar value
ranges from \-1 (the compile time default) to 3 (the
most secure).
See
.Xr security 7
for the list of possible security levels and their effect
on system operation.
.It Va sshd_program
.Pq Vt str
Path to the SSH server program
.Pa ( /usr/sbin/sshd
is the default).
.It Va sshd_enable
.Pq Vt bool
Set to
.Dq Li YES
to start
.Xr sshd 8
at system boot time.
Note, the
.Va sshd_oomprotect
variable is set to
.Dq Li YES
by default in
.Pa /etc/defaults/rc.conf .
.It Va sshd_flags
.Pq Vt str
If
.Va sshd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr sshd 8
daemon.
.It Va ftpd_program
.Pq Vt str
Path to the FTP server program
.Pa ( /usr/libexec/ftpd
is the default).
.It Va ftpd_enable
.Pq Vt bool
Set to
.Dq Li YES
to start
.Xr ftpd 8
as a stand-alone daemon at system boot time.
.It Va ftpd_flags
.Pq Vt str
If
.Va ftpd_enable
is set to
.Dq Li YES ,
these are the additional flags to pass to the
.Xr ftpd 8
daemon.
.It Va watchdogd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
start the
.Xr watchdogd 8
daemon at boot time.
This requires that the kernel have been compiled with a
.Xr watchdog 4
compatible device.
.It Va watchdogd_flags
.Pq Vt str
If
.Va watchdogd_enable
is set to
.Dq Li YES ,
these are the flags passed to the
.Xr watchdogd 8
daemon.
.It Va watchdogd_timeout
.Pq Vt int
If
.Va watchdogd_enable
is set to
.Dq Li YES ,
this is a timeout that will be used by the
.Xr watchdogd 8
daemon.
If this option is set, it overrides
.Fl t
in
.Va watchdogd_flags .
.It Va watchdogd_shutdown_timeout
.Pq Vt int
If
.Va watchdogd_enable
is set to
.Dq Li YES ,
this is a timeout that will be set by the
.Xr watchdogd 8
daemon when it exits during the system shutdown.
This timeout will not be set when returning to the single-user mode
or when the watchdogd service is stopped individually using the
.Xr service 8
command or the rc.d script.
Note that the timeout will be applied if
.Xr watchdogd 8
is stopped outside of the
.Xr rc 8
framework.
If this option is set, it overrides
.Fl x
in
.Va watchdogd_flags .
.It Va devfs_rulesets
.Pq Vt str
List of files containing sets of rules for
.Xr devfs 8 .
.It Va devfs_system_ruleset
.Pq Vt str
Rule name(s) to apply to the system
.Pa /dev
itself.
.It Va devfs_set_rulesets
.Pq Vt str
Pairs of already-mounted
.Pa dev
directories and rulesets that should be applied to them.
For example: /mount/dev=ruleset_name
.It Va devfs_load_rulesets
.Pq Vt bool
If set, always load the default rulesets listed in
.Va devfs_rulesets .
.It Va performance_cx_lowest
.Pq Vt str
CPU idle state to use while on AC power.
The string
.Dq Li LOW
indicates that
.Xr acpi 4
should use the lowest power state available while
.Dq Li HIGH
indicates that the lowest latency state (less power savings) should be used.
.It Va performance_cpu_freq
.Pq Vt str
CPU clock frequency to use while on AC power.
The string
.Dq Li LOW
indicates that
.Xr cpufreq 4
should use the lowest frequency available while
.Dq Li HIGH
indicates that the highest frequency (less power savings) should be used.
.It Va economy_cx_lowest
.Pq Vt str
CPU idle state to use when off AC power.
The string
.Dq Li LOW
indicates that
.Xr acpi 4
should use the lowest power state available while
.Dq Li HIGH
indicates that the lowest latency state (less power savings) should be used.
.It Va economy_cpu_freq
.Pq Vt str
CPU clock frequency to use when off AC power.
The string
.Dq Li LOW
indicates that
.Xr cpufreq 4
should use the lowest frequency available while
.Dq Li HIGH
indicates that the highest frequency (less power savings) should be used.
.It Va jail_enable
.Pq Vt bool
If set to
.Dq Li NO ,
any configured jails will not be started.
.It Va jail_conf
.Pq Vt str
The configuration filename used by the
.Xr jail 8
utility.
The default value is
.Pa /etc/jail.conf .
.Pa /etc/jail\&. Ns Ao Va jname Ac Ns Pa .conf
and
.Pa /etc/jail.conf.d/ Ns Ao Va jname Ac Ns Pa .conf
will also be used if
.Ao Va jname Ac
is set in
.Va jail_list .
.It Va jail_parallel_start
.Pq Vt bool
If set to
.Dq Li YES ,
all configured jails will be started in the background (in parallel).
.It Va jail_flags
.Pq Vt str
Unset by default.
When set, use as default value for
.Va jail_ Ns Ao Ar jname Ac Ns Va _flags
for every jail in
.Va jail_list .
.It Va jail_list
.Pq Vt str
A space-delimited list of jail names.
When left empty, all of the
.Xr jail 8
instances defined in the configuration file are started.
The names specified in this list control the jail startup order.
.Xr jail 8
instances missing from
.Va jail_list
must be started manually.
Note that a jail's
.Va depend
parameter in the configuration file may override this list.
.It Va jail_reverse_stop
.Pq Vt bool
When set to
.Dq Li YES ,
all configured jails in
.Va jail_list
are stopped in reverse order.
.It Va jail_ Ns * variables
Note that older releases supported per-jail configuration via
.Nm
variables.
For example,
the hostname of a jail named
.Li vjail
could be set by
.Li jail_vjail_hostname .
These per-jail configuration variables are now obsolete in favor of the
.Xr jail 8
configuration file.
For backward compatibility,
when per-jail configuration variables are defined,
.Xr jail 8
configuration files are created as
.Pa /var/run/jail . Ns Ao Ar jname Ac Ns Pa .conf
and used.
.Pp
The following per-jail parameters are handled by the
.Pa rc.d/jail
script out of their corresponding
.Nm
variables.
In addition to them, parameters in
.Va jail_ Ns Ao Ar jname Ac Ns Va _parameters
will be added to the configuration file.
They must be a semi-colon
.Pq Ql \&;
delimited list of
.Dq key=value .
For more details,
see the
.Xr jail 8
manual page.
.Bl -tag -width "host.hostname" -offset indent
.It Li path
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _rootdir
.It Li host.hostname
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _hostname
.It Li exec.consolelog
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _consolelog .
The default value is
.Pa /var/log/jail_ Ns Ao Ar jname Ac Ns Pa _console.log .
.It Li interface
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _interface .
.It Li vnet.interface
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _vnet_interface .
This implies that the
.Li vnet
parameter will be enabled; it cannot be specified together with
.Va jail_ Ns Ao Ar jname Ac Ns Va _interface ,
.Va jail_ Ns Ao Ar jname Ac Ns Va _ip
and/or
.Va jail_ Ns Ao Ar jname Ac Ns Va _ip_multi Ns Aq Ar n
at the same time.
.It Li fstab
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _fstab
.It Li mount
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _procfs_enable .
.It Li exec.fib
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _fib
.It Li exec.start
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_start .
The parameter name was
.Li command
in some older releases.
.It Li exec.prestart
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_prestart
.It Li exec.poststart
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_poststart
.It Li exec.stop
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_stop
.It Li exec.prestop
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_prestop
.It Li exec.poststop
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_poststop
.It Li ip4.addr
set if
.Va jail_ Ns Ao Ar jname Ac Ns Va _ip
or
.Va jail_ Ns Ao Ar jname Ac Ns Va _ip_multi Ns Aq Ar n
contain IPv4 addresses
.It Li ip6.addr
set if
.Va jail_ Ns Ao Ar jname Ac Ns Va _ip
or
.Va jail_ Ns Ao Ar jname Ac Ns Va _ip_multi Ns Aq Ar n
contain IPv6 addresses
.It Li allow.mount
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _mount_enable
.It Li mount.devfs
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _devfs_enable
.It Li devfs_ruleset
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _devfs_ruleset .
This must be an integer,
not a string.
.It Li mount.fdescfs
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _fdescfs_enable
.It Li allow.set_hostname
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _set_hostname_allow
.It Li allow.rawsocket
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _socket_unixiproute_only
.It Li allow.sysvipc
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _sysvipc_allow
.El
.\" -----------------------------------------------------
.It Va harvest_mask
.Pq Vt int
Set to a bit-mask
representing the entropy sources
you wish to harvest.
Refer to
.Xr random 4
for more information.
.It Va entropy_dir
.Pq Vt str
Set to
.Dq Li NO
to disable caching entropy via
.Xr cron 8 .
Otherwise set to the directory
in which the entropy files are stored.
To be useful,
there must be
a system cron job
that regularly writes and rotates
files here.
All files found
will be used at boot time.
The default is
.Pa /var/db/entropy .
.It Va entropy_file
.Pq Vt str
Set to
.Dq Li NO
to disable caching entropy through reboots.
Otherwise set to the name
of a file used to store cached entropy.
This file should be located
on a file system that is readable
before all the volumes specified in
.Xr fstab 5
are mounted.
By default,
.Pa /entropy
is used,
but if
.Pa /var/db/entropy-file
is found it will also be used.
This will be of some use to
.Xr bsdinstall 8 .
.It Va entropy_boot_file
.Pq Vt str
Set to
.Dq Li NO
to disable
very early caching entropy
through reboots.
Otherwise set to the filename
used to read
very early reboot cached entropy.
This file should be located where
.Xr loader 8
can read it.
See also
.Xr loader.conf 5 .
The default location is
.Pa /boot/entropy .
.It Va entropy_save_sz
.Pq Vt int
Size of the entropy cache files saved by
.Nm save-entropy
periodically.
.It Va entropy_save_num
.Pq Vt int
Number of entropy cache files to save by
.Nm save-entropy
periodically.
.It Va ipsec_enable
.Pq Vt bool
Set to
.Dq Li YES
to run
.Xr setkey 8
on
.Va ipsec_file
at boot time.
.It Va ipsec_file
.Pq Vt str
Configuration file for
.Xr setkey 8 .
.It Va dmesg_enable
.Pq Vt bool
Set to
.Dq Li YES
to save
.Xr dmesg 8
to
.Pa /var/run/dmesg.boot
on boot.
.It Va rcshutdown_timeout
.Pq Vt int
If set, start a watchdog timer in the background which will terminate
.Pa rc.shutdown
if
.Xr shutdown 8
has not completed within the specified time (in seconds).
Notice that in addition to this soft timeout,
.Xr init 8
also applies a hard timeout for the execution of
.Pa rc.shutdown .
This is configured via the
.Xr sysctl 8
variable
.Va kern.init_shutdown_timeout
and defaults to 120 seconds.
Setting the value of
.Va rcshutdown_timeout
to more than 120 seconds will have no effect until the
.Xr sysctl 8
variable
.Va kern.init_shutdown_timeout
is also increased.
.It Va virecover_enable
.Pq Vt bool
Set to
.Dq Li NO
to prevent the system from trying to
recover prematurely terminated
.Xr vi 1
sessions.
.It Va ugidfw_enable
.Pq Vt bool
Set to
.Dq Li YES
to load the
.Xr mac_bsdextended 4
module upon system initialization and load a default
ruleset file.
.It Va bsdextended_script
.Pq Vt str
The default
.Xr mac_bsdextended 4
ruleset file to load.
The default value of this variable is
.Pa /etc/rc.bsdextended .
.It Va newsyslog_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr newsyslog 8
command at startup.
.It Va newsyslog_flags
.Pq Vt str
If
.Va newsyslog_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr newsyslog 8
program.
The default is
.Dq Li -CN ,
which causes log files flagged with a
.Cm C
to be created.
.It Va mdconfig_md Ns Aq Ar X
.Pq Vt str
Arguments to
.Xr mdconfig 8
for
.Xr md 4
device
.Ar X .
At minimum a
.Fl t Ar type
must be specified and either a
.Fl s Ar size
for malloc or swap backed
.Xr md 4
devices or a
.Fl f Ar file
for vnode backed
.Xr md 4
devices.
Note that
.Va mdconfig_md Ns Aq Ar X
variables are evaluated until one variable is unset or null.
.It Va mdconfig_md Ns Ao Ar X Ac Ns Va _newfs
.Pq Vt str
Optional arguments passed to
.Xr newfs 8
to initialize
.Xr md 4
device
.Ar X .
.It Va mdconfig_md Ns Ao Ar X Ac Ns Va _owner
.Pq Vt str
An ownership specification passed to
.Xr chown 8
after the specified
.Xr md 4
device
.Ar X
has been mounted.
Both the
.Xr md 4
device and the mount point will be changed.
.It Va mdconfig_md Ns Ao Ar X Ac Ns Va _perms
.Pq Vt str
A mode string passed to
.Xr chmod 1
after the specified
.Xr md 4
device
.Ar X
has been mounted.
Both the
.Xr md 4
device and the mount point will be changed.
.It Va mdconfig_md Ns Ao Ar X Ac Ns Va _files
.Pq Vt str
Files to be copied to the mount point of the
.Xr md 4
device
.Ar X
after it has been mounted.
.It Va mdconfig_md Ns Ao Ar X Ac Ns Va _cmd
.Pq Vt str
Command to execute after the specified
.Xr md 4
device
.Ar X
has been mounted.
Note that the command is passed to
.Ic eval
and that both
.Va _dev
and
.Va _mp
variables can be used to reference respectively the
.Xr md 4
device and the mount point.
Assuming that the
.Xr md 4
device is
.Li md0 ,
one could set the following:
.Bd -literal
mdconfig_md0_cmd="tar xfzC /var/file.tgz \e${_mp}"
.Ed
.It Va autobridge_interfaces
.Pq Vt str
Set to the list of bridge interfaces against which newly arriving interfaces
are checked so that they can be added automatically.
If not set to
.Dq Li NO
then for each whitespace separated
.Ar element
in the value, a
.Va autobridge_ Ns Aq Ar element
variable is assumed to exist which has a whitespace separated list of interface
names to match; these names can use wildcards.
For example:
.Bd -literal
autobridge_interfaces="bridge0"
autobridge_bridge0="tap* dc0 vlan[345]"
.Ed
.It Va mixer_enable
.Pq Vt bool
If set to
.Dq Li YES ,
enable support for sound mixer.
.It Va hcsecd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
enable Bluetooth security daemon.
.It Va hcsecd_config
.Pq Vt str
Configuration file for
.Xr hcsecd 8 .
Default
.Pa /etc/bluetooth/hcsecd.conf .
.It Va sdpd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
enable Bluetooth Service Discovery Protocol daemon.
.It Va sdpd_control
.Pq Vt str
Path to
.Xr sdpd 8
control socket.
Default
.Pa /var/run/sdp .
.It Va sdpd_groupname
.Pq Vt str
Sets
.Xr sdpd 8
group to run as after it initializes.
Default
.Dq Li nobody .
.It Va sdpd_username
.Pq Vt str
Sets
.Xr sdpd 8
user to run as after it initializes.
Default
.Dq Li nobody .
.It Va bthidd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
enable Bluetooth Human Interface Device daemon.
.It Va bthidd_config
.Pq Vt str
Configuration file for
.Xr bthidd 8 .
Default
.Pa /etc/bluetooth/bthidd.conf .
.It Va bthidd_hids
.Pq Vt str
Path to a file, where
.Xr bthidd 8
will store information about known HID devices.
Default
.Pa /var/db/bthidd.hids .
.It Va rfcomm_pppd_server_enable
.Pq Vt bool
If set to
.Dq Li YES ,
enable Bluetooth RFCOMM PPP wrapper daemon.
.It Va rfcomm_pppd_server_profile
.Pq Vt str
The name of the profile to use from
.Pa /etc/ppp/ppp.conf .
Multiple profiles can be specified here.
Also used to specify per-profile overrides.
When the profile name contains any of the characters
.Dq Li .-/+
they are translated to
.Dq Li _
for the purposes of the override variable names.
.It Va rfcomm_pppd_server_ Ns Ao Ar profile Ac Ns _bdaddr
.Pq Vt str
Overrides local address to listen on.
By default
.Xr rfcomm_pppd 8
will listen on
.Dq Li ANY
address.
The address can be specified as BD_ADDR or name.
.It Va rfcomm_pppd_server_ Ns Ao Ar profile Ac Ns _channel
.Pq Vt str
Overrides local RFCOMM channel to listen on.
By default
.Xr rfcomm_pppd 8
will listen on RFCOMM channel 1.
Must be set properly if multiple profiles are used at the same time.
.It Va rfcomm_pppd_server_ Ns Ao Ar profile Ac Ns _register_sp
.Pq Vt bool
Tells
.Xr rfcomm_pppd 8
if it should register Serial Port service on the specified RFCOMM channel.
Default
.Dq Li NO .
.It Va rfcomm_pppd_server_ Ns Ao Ar profile Ac Ns _register_dun
.Pq Vt bool
Tells
.Xr rfcomm_pppd 8
if it should register Dial-Up Networking service on the specified
RFCOMM channel.
Default
.Dq Li NO .
.It Va ubthidhci_enable
.Pq Vt bool
If set to
.Dq Li YES ,
change the USB Bluetooth controller from HID mode to HCI mode.
You also need to specify the location of USB Bluetooth controller with the
.Va ubthidhci_busnum
and
.Va ubthidhci_addr
variables.
.It Va ubthidhci_busnum
Bus number where the USB Bluetooth controller is located.
Check the output of
.Xr usbconfig 8
on your system to find this information.
.It Va ubthidhci_addr
Bus address of the USB Bluetooth controller.
Check the output of
.Xr usbconfig 8
on your system to find this information.
.It Va utx_enable
.Pq Vt bool
Set to
.Dq Li YES
to enable user accounting through the
.Xr utx 8
facility.
.It Va netwait_enable
.Pq Vt bool
If set to
.Dq Li YES ,
delays the start of network-reliant services until
.Va netwait_if
is up and ICMP packets to a destination defined in
.Va netwait_ip
are flowing.
Link state is examined first, followed by
.Dq Li pinging
an IP address to verify network usability.
If no destination can be reached or timeouts are exceeded,
network services are started anyway with no guarantee that
the network is usable.
Use of this variable requires both
.Va netwait_ip
and
.Va netwait_if
to be set.
.It Va netwait_ip
.Pq Vt str
Empty by default.
This variable contains a space-delimited list of IP addresses to
.Xr ping 8 .
DNS hostnames should not be used as resolution is not guaranteed
to be functional at this point.
If multiple IP addresses are specified,
each will be tried until one is successful or the list is exhausted.
.It Va netwait_timeout
.Pq Vt int
Indicates the total number of seconds to perform a
.Dq Li ping
against each IP address in
.Va netwait_ip ,
at a rate of one ping per second.
If any of the pings are successful,
full network connectivity is considered reliable.
The default is 60.
.It Va netwait_if
.Pq Vt str
Empty by default.
Defines the name of the network interface on which to watch for link.
.Xr ifconfig 8
is used to monitor the interface, looking for
.Dq Li status: no carrier .
Once gone, the link is considered up.
This can be a
.Xr vlan 4
interface if desired.
.It Va netwait_if_timeout
.Pq Vt int
Defines the total number of seconds to wait for link to become usable,
polled at a 1-second interval.
The default is 30.
.It Va rctl_enable
.Pq Vt bool
If set to
.Dq Li YES ,
load
.Xr rctl 8
rules from the defined ruleset.
The kernel must be built with
.Cd "options RACCT"
and
.Cd "options RCTL" .
.It Va rctl_rules
.Pq Vt str
Set to
.Pa /etc/rctl.conf
by default.
This variable contains the
.Xr rctl.conf 5
ruleset to load for
.Xr rctl 8 .
.It Va iovctl_files
.Pq Vt str
A space-separated list of configuration files used by
.Xr iovctl 8 .
The default value is an empty string.
.It Va autofs_enable
.Pq Vt bool
If set to
.Dq Li YES ,
start the
.Xr automount 8
utility and the
.Xr automountd 8
and
.Xr autounmountd 8
daemons at boot time.
.It Va automount_flags
.Pq Vt str
If
.Va autofs_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr automount 8
program.
By default no flags are passed.
.It Va automountd_flags
.Pq Vt str
If
.Va autofs_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr automountd 8
daemon.
By default no flags are passed.
.It Va autounmountd_flags
.Pq Vt str
If
.Va autofs_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr autounmountd 8
daemon.
By default no flags are passed.
.It Va ctld_enable
.Pq Vt bool
If set to
.Dq Li YES ,
start the
.Xr ctld 8
daemon at boot time.
.It Va iscsid_enable
.Pq Vt bool
If set to
.Dq Li YES ,
start the
.Xr iscsid 8
daemon at boot time.
.It Va iscsictl_enable
.Pq Vt bool
If set to
.Dq Li YES ,
start the
.Xr iscsictl 8
utility at boot time.
.It Va iscsictl_flags
.Pq Vt str
If
.Va iscsictl_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr iscsictl 8
program.
The default is
.Dq Li -Aa ,
which configures sessions based on the
.Pa /etc/iscsi.conf
configuration file.
.It Va cfumass_enable
.Pq Vt bool
If set to
.Dq Li YES ,
create and export a USB LUN using
.Xr cfumass 4
at boot time.
.It Va cfumass_dir
.Pq Vt str
The directory where the files exported by USB LUN are located.
The default directory is
.Pa /var/cfumass .
.It Va service_delete_empty
.Pq Vt bool
If set to
.Dq Li YES ,
.Ql Li service delete
removes empty
.Dq Li rc.conf.d
files.
.It Va zfs_bootonce_activate
.Pq Vt bool
If set to
.Dq Li YES ,
and a boot environment marked bootonce is successfully booted,
it will be made permanently active.
.It Va zfskeys_enable
.Pq Vt bool
If set to
.Dq Li YES ,
enable auto-loading of encryption keys for encrypted ZFS datasets.
For every dataset the script will first load the appropriate encryption key
and then attempt to unlock the dataset.
.Pp
The script operates only on datasets which are encrypted with
ZFS native encryption
and have a ZFS
.Dq Li keylocation
dataset property beginning with
.Dq Li file:// .
.It Va zfskeys_datasets
.Pq Vt str
A whitespace-separated list of ZFS datasets to unlock.
The list is empty by default,
which means that the script will attempt to unlock all datasets.
.It Va zfskeys_timeout
.Pq Vt int
Define the total number of seconds to wait for the zfskeys script
to unlock an encrypted dataset.
The default is 10.
.It Va sendmail_enable
.Pq Vt str
If set to
.Dq Li YES ,
run the
.Xr sendmail 8
daemon at system boot time.
If set to
.Dq Li NO ,
do not run a
.Xr sendmail 8
daemon to listen for incoming network mail.
This does not preclude a
.Xr sendmail 8
daemon listening on the SMTP port of the loopback interface.
The
.Dq Li NONE
option sets each
.Va sendmail_enable ,
.Va sendmail_submit_enable ,
.Va sendmail_outbound_enable ,
.Va sendmail_msp_queue_enable
to
.Dq Li NO .
.It Va sendmail_cert_create
.Pq Vt str
If
.Va sendmail_enable
is set to
.Dq Li YES ,
create a signed certificate
.Pa /etc/mail/certs/host.cert
representing
.Pa /etc/mail/certs/host.key
by the CA certificate in
.Pa /etc/mail/certs/cacert.pem .
This will enable connecting hosts to negotiate STARTTLS allowing incoming
email to be encrypted in transit.
.Xr sendmail 8
needs to be configured to use these generated files.
The default configuration in
.Pa /etc/mail/freebsd.mc
has the required options in it.
.It Va sendmail_cert_cn
.Pq Vt str
If
.Va sendmail_enable
is set to
.Dq Li YES
and
.Va sendmail_cert_create
is set to
.Dq Li YES ,
this is the Common Name (CN) of the certificate that will be created.
If
.Va sendmail_cert_cn
is not set, the system's hostname will be used.
If there is no hostname set,
.Dq Li amnesiac
will be used.
.It Va sendmail_flags
.Pq Vt str
If
.Va sendmail_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr sendmail 8
daemon.
.It Va sendmail_submit_enable
.Pq Vt bool
If set to
.Dq Li YES
and
.Va sendmail_enable
is set to
.Dq Li NO ,
run
.Xr sendmail 8
using
.Va sendmail_submit_flags
instead of
.Va sendmail_flags .
This is intended to allow local mail submission via
a localhost-only listening SMTP service required for running
.Xr sendmail 8
as a non-set-user-ID binary.
Note that this does not work inside
.Xr jail 2
systems, as jails do not allow binding to just the localhost interface.
.It Va sendmail_submit_flags
.Pq Vt str
If
.Va sendmail_enable
is set to
.Dq Li NO
and
.Va sendmail_submit_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr sendmail 8
daemon.
.It Va sendmail_outbound_enable
.Pq Vt bool
If set to
.Dq Li YES
and both
.Va sendmail_enable
and
.Va sendmail_submit_enable
are set to
.Dq Li NO ,
run
.Xr sendmail 8
using
.Va sendmail_outbound_flags
instead of
.Va sendmail_flags .
This is intended to allow local mail queue management
for systems that do not offer a listening SMTP service.
.It Va sendmail_outbound_flags
.Pq Vt str
If both
.Va sendmail_enable
and
.Va sendmail_submit_enable
are set to
.Dq Li NO
and
.Va sendmail_outbound_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr sendmail 8
daemon.
.It Va sendmail_msp_queue_enable
.Pq Vt bool
If set to
.Dq Li YES ,
start a client (MSP) queue runner
.Xr sendmail 8
daemon at system boot time.
As of sendmail 8.12, a separate queue is used for command line
submissions.
The client queue runner ensures that nothing is
left behind in the submission queue.
.It Va sendmail_msp_queue_flags
.Pq Vt str
If
.Va sendmail_msp_queue_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr sendmail 8
daemon.
.It Va precious_machine
If set to
.Dq Li YES ,
some destructive actions require removal of the action-specific safe-belts
before being allowed.
For instance, the file
.Pa /var/run/noshutdown
is created to prevent
.Xr shutdown 8
targeted at the wrong machine.
.El
.Sh SERVICE JAILS
The service jails part of the rc system automatically puts a service
into a jail.
This jail inherits the filesystem and various other parts of the
parent (if you allow child-jails in your jails, service jails
can be used in jails) depending on the content of the
.Ao Ar name Ac Ns Va _svcj_options
variable.
Typically this variable is set inside rc scripts, but it can be
overridden in the rc config.
Valid options for
.Ao Ar name Ac Ns Va _svcj_options
are:
.Bl -tag -width indent-two
.It mlock
Allows locking memory pages into physical memory.
.It netv4
Allows IPv4 network access and the ability to bind to reserved ports.
If
.Ao Ar name Ac Ns Va _svcj_ipaddrs
is set, only the IPv4 addresses listed there will be visible to the jail,
otherwise all assigned IPv4 addresses will be visible.
This cannot be combined with
.Pa netv6 .
.It netv6
Allows IPv6 network access and the ability to bind to reserved ports.
If
.Ao Ar name Ac Ns Va _svcj_ipaddrs
is set, only the IPv6 addresses listed there will be visible to the jail,
otherwise all assigned IPv6 addresses will be visible.
This cannot be combined with
.Pa netv4 .
.It net_basic
Equivalent to enabling both
.Pa netv6
and
.Pa netv4 .
.It net_raw
Allows opening raw sockets.
This option can be combined with
.Pa netv4 ,
.Pa netv6 ,
.Pa net_basic .
.It net_all
Allows IPv6 and IPv4 network access as for
.Pa netv4
and
.Pa netv6 ,
allows opening raw sockets, and allows opening sockets of protocol stacks that
have not had jail functionality added to them.
.It nfsd
Allows running nfsd and affiliated daemons.
.It routing
Allows modifying the system routing table.
.It settime
Allows setting and slewing the system time.
.It sysvipc
Inherits the SysV semaphores, SysV shared memory and
SysV messages from the host or the parent jail.
.It sysvipcnew
Creates a new namespace for SysV semaphores, SysV shared memory
and SysV messages for this particular service jail.
.It vmm
Allows access to
.Xr vmm 4 .
This option is only available when
.Xr vmm 4
is enabled in the kernel.
.El
.Pp
All non-network options can be combined with all other options.
Only one of the SysV options can be specified.
.Pp
If the
.Ao Ar name Ac Ns Va _svcj
variable is set to
.Dq Li YES ,
this particular service is started in a
service jail named
.Va svcj- Ns Ar name .
.Pp
The
.Va svcj_all_enable
variable allows enabling service jails for all services of the
system at once.
Services which have
.Ao Ar name Ac Ns Va _svcj
set to
.Dq Li NO
are excluded.
Some services may set
.Ao Ar name Ac Ns Va _svcj
to
.Dq Li NO
in the script to either prevent service jails for this
service at all, or may set it to
.Dq Li NO
if it is not set in the
rc config, to exclude it from
.Va svcj_all_enable
but allow it to be enabled explicitly.
The sshd service, for example, would not see other jails if
it ran as a service jail.
This may or may not be what is needed, and as such it is
excluded from
.Va svcj_all_enable
but can be enabled via setting
.Va sshd_svcj
to
.Dq Li YES .
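.Pp
The combination rules stated above (netv4 and netv6 are mutually exclusive, and only one SysV option may be given) can be checked before a service is restarted.
The following sh functions are an added example, not part of the rc system or of the original manual page; the names svcj_check_options, svcj_lint_file and svcj_demo are hypothetical, and the sample assignments are constructed.

```shell
#!/bin/sh
# Added example: lint <name>_svcj_options assignments against the rules
# stated in the SERVICE JAILS section. Function names are hypothetical.

# Option names listed in the SERVICE JAILS section.
SVCJ_VALID="mlock netv4 netv6 net_basic net_raw net_all nfsd routing settime sysvipc sysvipcnew vmm"

# svcj_check_options "opt1 opt2 ..."
# Prints one line per problem and returns non-zero if any was found.
# The body is a subshell, so its variables and "set -f" stay local.
svcj_check_options() (
    set -f                      # no pathname expansion on the option words
    rc=0 v4=0 v6=0 ipc=0 ipcnew=0
    for opt in $1; do
        case " $SVCJ_VALID " in
        *" $opt "*) ;;
        *) echo "unknown option '$opt'"; rc=1; continue ;;
        esac
        case $opt in
        netv4) v4=1 ;;
        netv6) v6=1 ;;
        sysvipc) ipc=1 ;;
        sysvipcnew) ipcnew=1 ;;
        esac
    done
    if [ "$v4" -eq 1 ] && [ "$v6" -eq 1 ]; then
        echo "netv4 and netv6 cannot be combined; use net_basic"
        rc=1
    fi
    if [ "$ipc" -eq 1 ] && [ "$ipcnew" -eq 1 ]; then
        echo "only one of sysvipc and sysvipcnew can be specified"
        rc=1
    fi
    exit "$rc"                  # subshell exit status is the function result
)

# svcj_lint_file FILE
# Extracts the assignments with sed instead of sourcing FILE, so nothing in
# the file is executed. Prints "<variable>: <problem>" lines and returns 1
# if any problem was reported, 2 if FILE cannot be read.
svcj_lint_file() {
    if [ ! -r "$1" ]; then
        echo "cannot read $1" >&2
        return 2
    fi
    _svcj_out=$(
        sed -n 's/^[[:space:]]*\([A-Za-z0-9_]\{1,\}\)_svcj_options=\(.*\)$/\1 \2/p' "$1" |
        while read -r name val; do
            val=${val%%#*}                            # drop trailing comment
            val=$(printf '%s' "$val" | tr -d "\"'")   # drop quotes
            svcj_check_options "$val" | sed "s/^/${name}_svcj_options: /"
        done
    )
    if [ -n "$_svcj_out" ]; then
        printf '%s\n' "$_svcj_out"
        return 1
    fi
    return 0
}

# Constructed sample input (not taken from a real system).
svcj_demo() {
    _svcj_tmp=$(mktemp) || return 2
    cat > "$_svcj_tmp" <<'EOF'
nginx_svcj="YES"
nginx_svcj_options="net_basic"
ntpd_svcj_options="netv4 netv6 settime"
postgresql_svcj_options="net_basic sysvipc sysvipcnew"
EOF
    _svcj_st=0
    svcj_lint_file "$_svcj_tmp" || _svcj_st=$?
    rm -f "$_svcj_tmp"
    return "$_svcj_st"
}

svcj_demo || true
```

The linter only sees values assigned in the file it is given; options that an rc script sets for itself are not covered.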
.Sh FILES
.Bl -tag -width "/etc/defaults/rc.conf" -compact
.It Pa /etc/defaults/rc.conf
.It Pa /etc/defaults/vendor.conf
.It Pa /etc/rc.conf
.It Pa /etc/rc.conf.local
.It Pa /etc/rc.conf.d/
.El
.Sh SEE ALSO
.Xr chmod 1 ,
.Xr cpuset 1 ,
.Xr gdb 1 Pq Pa ports/devel/gdb ,
.Xr kbdcontrol 1 ,
.Xr limits 1 ,
.Xr protect 1 ,
.Xr sh 1 ,
.Xr umask 1 ,
.Xr uuidgen 1 ,
.Xr vi 1 ,
.Xr vidcontrol 1 ,
.Xr bridge 4 ,
.Xr dummynet 4 ,
.Xr ip 4 ,
.Xr ipf 4 ,
.Xr ipfw 4 ,
.Xr ipnat 4 ,
.Xr kld 4 ,
.Xr pf 4 ,
.Xr pflog 4 ,
.Xr pfsync 4 ,
.Xr tcp 4 ,
.Xr udp 4 ,
.Xr exports 5 ,
.Xr fstab 5 ,
.Xr ipf 5 ,
.Xr ipnat 5 ,
.Xr jail.conf 5 ,
.Xr loader.conf 5 ,
.Xr login.conf 5 ,
.Xr motd 5 ,
.Xr newsyslog.conf 5 ,
.Xr pf.conf 5 ,
.Xr firewall 7 ,
.Xr growfs 7 ,
.Xr security 7 ,
.Xr tuning 7 ,
.Xr accton 8 ,
.Xr apm 8 ,
.Xr bsdinstall 8 ,
.Xr bthidd 8 ,
.Xr chkprintcap 8 ,
.Xr chown 8 ,
.Xr cron 8 ,
.Xr devfs 8 ,
.Xr dhclient 8 ,
.Xr ftpd 8 ,
.Xr geli 8 ,
.Xr hcsecd 8 ,
.Xr ifconfig 8 ,
.Xr inetd 8 ,
.Xr iovctl 8 ,
.Xr ipf 8 ,
.Xr ipfw 8 ,
.Xr ipnat 8 ,
.Xr jail 8 ,
.Xr kldxref 8 ,
.Xr loader 8 ,
.Xr lpd 8 ,
.Xr makewhatis 8 ,
.Xr mdconfig 8 ,
.Xr mdmfs 8 ,
.Xr mixer 8 ,
.Xr mountd 8 ,
.Xr moused 8 ,
.Xr newfs 8 ,
.Xr newsyslog 8 ,
.Xr nfsd 8 ,
.Xr ntpd 8 ,
.Xr ntpdate 8 ,
.Xr pfctl 8 ,
.Xr pflogd 8 ,
.Xr ping 8 ,
.Xr powerd 8 ,
.Xr quotacheck 8 ,
.Xr quotaon 8 ,
.Xr rc 8 ,
.Xr rc.subr 8 ,
.Xr rcorder 8 ,
.Xr rfcomm_pppd 8 ,
.Xr route 8 ,
.Xr route6d 8 ,
.Xr routed 8 ,
.Xr rpc.lockd 8 ,
.Xr rpc.statd 8 ,
.Xr rpc.tlsclntd 8 ,
.Xr rpc.tlsservd 8 ,
.Xr rpcbind 8 ,
.Xr rwhod 8 ,
.Xr savecore 8 ,
.Xr sdpd 8 ,
.Xr sendmail 8 ,
.Xr service 8 ,
.Xr sshd 8 ,
.Xr swapon 8 ,
.Xr sysctl 8 ,
.Xr syslogd 8 ,
.Xr sysrc 8 ,
.Xr unbound 8 ,
.Xr usbconfig 8 ,
.Xr utx 8 ,
.Xr wlandebug 8 ,
.Xr yp 8 ,
.Xr ypbind 8 ,
.Xr ypserv 8 ,
.Xr ypset 8
.Sh HISTORY
The
.Nm
file appeared in
.Fx 2.2.2 .
.Sh AUTHORS
.An Jordan K. Hubbard .