.\" Copyright (c) 1995
.\" Jordan K. Hubbard
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd January 6, 2025
.Dt RC.CONF 5
.Os
.Sh NAME
.Nm rc.conf
.Nd system configuration information
.Sh DESCRIPTION
The file
.Nm
contains descriptive information about the local host name, configuration
details for any potential network interfaces and which services should be
started up at system initial boot time.
In new installations, the
.Nm
file is generally initialized by the system installation utility.
.Pp
The purpose of
.Nm
is not to run commands or perform system startup actions
directly.
Instead, it is included by the
various generic startup scripts in
.Pa /etc
which conditionalize their
internal actions according to the settings found there.
.Pp
The
.Pa /etc/rc.conf
file is included from the file
.Pa /etc/defaults/rc.conf ,
which specifies the default settings for all the available options.
Options need only be specified in
.Pa /etc/rc.conf
when the system administrator wishes to override these defaults.
The file
.Pa /etc/defaults/vendor.conf
allows vendors to override
.Fx
defaults.
The file
.Pa /etc/rc.conf.local
is used to override settings in
.Pa /etc/rc.conf
for historical reasons.
.Pp
The sysrc(8) command provides a scripting interface to modify system
config files.
.Pp
In addition to
.Pa /etc/rc.conf.local
you can also place smaller configuration files for each
.Xr rc 8
script in the
.Pa /etc/rc.conf.d
directory or
.Ao Ar dir Ac Ns Pa /rc.conf.d
directories (where
.Ao Ar dir Ac
is each entry specified in
.Va local_startup ,
but with any trailing
.Pa /rc.d
stripped),
which will be included by the
.Va load_rc_config
function.
For jail configurations you could use the file
.Pa /etc/rc.conf.d/jail
to store jail-specific configuration options.
If
.Va local_startup
contains
.Pa /usr/local/etc/rc.d
and
.Pa /opt/conf ,
.Pa /usr/local/etc/rc.conf.d/jail
and
.Pa /opt/conf/rc.conf.d/jail
will be loaded.
If
.Ao Ar dir Ac Ns Pa /rc.conf.d/ Ns Ao Ar name Ac
is a directory then all of the files in the directory will be loaded.
See also the
.Va rc_conf_files
variable below.
.Pp
Options are set with
.Dq Ar name Ns Li = Ns Ar value
assignments that use
.Xr sh 1
syntax.
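Because the startup scripts read every file in this chain as sh(1) code while running as root, write access to any of these files or to an rc.conf.d directory amounts to running commands at boot; the script below walks the chain described above and flags group- or world-writable entries and unexpected owners. It is an added example, not part of the manual page or of the FreeBSD base system. The function names, the `myapp` and `10-base` file names and the temporary tree are constructed for illustration, and the `rc_conf_files` variable is not consulted.

```shell
#!/bin/sh
# Added example (not FreeBSD code): audit the rc.conf include chain for
# files and directories that someone other than the owner could modify.

# rc_conf_chain ROOT LOCAL_STARTUP
# Print every existing path the page names as an rc.conf source.
# ROOT is a path prefix ("" on a live host); LOCAL_STARTUP is the value
# of the local_startup variable.
rc_conf_chain() {
    _root=$1
    for _f in /etc/defaults/rc.conf /etc/defaults/vendor.conf \
              /etc/rc.conf /etc/rc.conf.local; do
        if [ -e "$_root$_f" ]; then printf '%s\n' "$_root$_f"; fi
    done
    # /etc/rc.conf.d, plus <dir>/rc.conf.d for each local_startup entry
    # with any trailing /rc.d stripped.
    for _d in /etc $2; do
        _confd="$_root${_d%/rc.d}/rc.conf.d"
        [ -d "$_confd" ] || continue
        printf '%s\n' "$_confd"
        for _e in "$_confd"/*; do
            if [ -d "$_e" ]; then
                # <name> is a directory: every file inside it is loaded.
                printf '%s\n' "$_e"
                for _s in "$_e"/*; do
                    if [ -f "$_s" ]; then printf '%s\n' "$_s"; fi
                done
            elif [ -f "$_e" ]; then
                printf '%s\n' "$_e"
            fi
        done
    done
    return 0
}

# audit_rc_conf ROOT LOCAL_STARTUP [OWNER]
# Print "WRITABLE <path>" for group- or world-writable entries and
# "OWNER <path>" for entries not owned by OWNER (name or uid, default root).
audit_rc_conf() {
    _owner=${3:-root}
    rc_conf_chain "$1" "$2" | while IFS= read -r _p; do
        if [ -n "$(find "$_p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            printf 'WRITABLE %s\n' "$_p"
        fi
        if [ -n "$(find "$_p" -prune ! -user "$_owner" -print)" ]; then
            printf 'OWNER %s\n' "$_p"
        fi
    done
}

# make_sample_tree
# Build a constructed directory tree that mimics the layout from the page
# (local_startup="/usr/local/etc/rc.d /opt/conf") and print its root.
make_sample_tree() (
    umask 022
    t=$(mktemp -d) || exit 1
    mkdir -p "$t/etc/defaults" "$t/etc/rc.conf.d" \
             "$t/usr/local/etc/rc.conf.d" "$t/opt/conf/rc.conf.d/jail"
    echo 'pf_enable="NO"'        > "$t/etc/defaults/rc.conf"
    echo 'pf_enable="YES"'       > "$t/etc/rc.conf"
    echo 'hostname="jail.test"'  > "$t/etc/rc.conf.d/jail"
    echo 'myapp_enable="YES"'    > "$t/usr/local/etc/rc.conf.d/myapp"
    echo 'hostname="other.test"' > "$t/opt/conf/rc.conf.d/jail/10-base"
    # Two deliberately weak entries for the audit to find.
    chmod 666 "$t/usr/local/etc/rc.conf.d/myapp"
    chmod 664 "$t/opt/conf/rc.conf.d/jail/10-base"
    printf '%s\n' "$t"
)

# Demonstration on the constructed tree; the current uid stands in for root.
demo=$(make_sample_tree)
audit_rc_conf "$demo" "/usr/local/etc/rc.d /opt/conf" "$(id -u)"
rm -rf "$demo"
```

On a live host the equivalent call is `audit_rc_conf "" "$(sysrc -n local_startup)"`, which checks ownership against root.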
The following list provides a name and short description for each
variable that can be set in the
.Nm
file:
.Bl -tag -width indent-two
.It Va rc_debug
.Pq Vt bool
If set to
.Dq Li YES ,
enable output of debug messages from rc scripts.
This variable can be helpful in diagnosing mistakes when
editing or integrating new scripts.
Beware that this produces copious output to the terminal and
.Xr syslog 3 .
.It Va rc_info
.Pq Vt bool
If set to
.Dq Li NO ,
disable informational messages from the rc scripts.
Informational messages are displayed when
a condition that is not serious enough to warrant a warning or
an error occurs.
.It Va rc_startmsgs
.Pq Vt bool
If set to
.Dq Li YES ,
show
.Dq Starting foo:
when faststart is used (e.g., at boot time).
.It Va early_late_divider
.Pq Vt str
The name of the script that should be used as the
delimiter between the
.Dq early
and
.Dq late
stages of the boot process.
The early stage should contain all the services needed to
get the disks (local or remote) mounted so that the late
stage can include scripts contained in the directories
listed in the
.Va local_startup
variable (see below).
Thus, the two likely candidates for this value are
.Pa mountcritlocal
for the typical system, and
.Pa mountcritremote
if the system needs remote file
systems mounted to get access to the
.Va local_startup
directories; for example when
.Pa /usr/local
is NFS mounted.
For
.Pa rc.conf
within a
.Xr jail 8
.Pa NETWORKING
is likely to be an appropriate value.
Extreme care should be taken when changing this value,
and before changing it one should ensure that there are
adequate provisions to recover from a failed boot
(such as physical contact with the machine,
or reliable remote console access).
.It Va always_force_depends
.Pq Vt bool
Various
.Pa rc.d
scripts use the force_depend function to check whether required
services are already running, and to start them if necessary.
By default during boot time this check is bypassed if the
required service is enabled in
.Pa /etc/rc.conf[.local] .
Setting this option will bypass that check at boot time and
always test whether or not the service is actually running.
Enabling this option is likely to increase your boot time if
services are enabled that utilize the force_depend check.
.It Ao Ar name Ac Ns Va _chroot
.Pq Vt str
.Xr chroot 8
to this directory before running the service.
.It Ao Ar name Ac Ns Va _cpuset
.Pq Vt str
A list of CPUs to run the service on.
Passed to
.Xr cpuset 1
using the
.Fl l
flag.
.It Ao Ar name Ac Ns Va _fib
.Pq Vt int
The
.Xr setfib 1
value to run the service under.
.It Ao Ar name Ac Ns Va _group
.Pq Vt str
Run the chrooted service under this system group.
Unlike the
.Ao Ar name Ac Ns Va _user
setting, this setting has no effect if the service is not chrooted.
.It Ao Ar name Ac Ns Va _limits
.Pq Vt str
Resource limits to apply to the service using
.Xr limits 1 .
By default, resource limits are based on the login class defined in
.Ao Ar name Ac Ns Va _login_class .
.It Ao Ar name Ac Ns Va _login_class
.Pq Vt str
Login class to be used with
.Ao Ar name Ac Ns Va _limits .
Defaults to
.Dq Li daemon .
.It Ao Ar name Ac Ns Va _nice
.Pq Vt int
The
.Xr nice 1
value to run the service under.
.It Ao Ar name Ac Ns Va _oomprotect
.Pq Vt str
Use
.Xr protect 1
to prevent the service from being killed when swap space
is exhausted.
Use
.Dq Li YES
to protect only the service itself, and
.Dq Li ALL
to protect the service and all its child processes.
.Pp
Please note that rc scripts which redefine
.Dl ${argument}_cmd
.Pq see Xr rc.subr 8
such as PostgreSQL will not inherit the OOM killer protection.
.Pp
This variable has no effect on services running within a
.Xr jail 8 .
.It Ao Ar name Ac Ns Va _setup
.Pq Vt str
Run the specified setup script right before starting the actual service
command.
Useful for automatic configuration file generation.
.It Ao Ar name Ac Ns Va _umask
.Pq Vt int
Run the service using this
.Xr umask 1
value.
.It Ao Ar name Ac Ns Va _user
.Pq Vt str
Run the service under this user account.
.It Ao Ar name Ac Ns Va _svcj
.Pq Vt bool
If set to
.Dq Li YES ,
auto-jail the service with inherited filesystem and other
jail properties depending on
.Ao Ar name Ac Ns Va _svcj_options .
.It Ao Ar name Ac Ns Va _svcj_options
.Pq Vt str
A list of jail properties for the service.
See
.Sx SERVICE JAILS
for a list of valid properties.
.It Va apm_enable
.Pq Vt bool
If set to
.Dq Li YES ,
enable support for Automatic Power Management with
the
.Xr apm 8
command.
.It Va apmd_enable
.Pq Vt bool
Run
.Xr apmd 8
to handle APM events from userland.
This also enables support for APM.
.It Va apmd_flags
.Pq Vt str
If
.Va apmd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr apmd 8
daemon.
.It Va devd_enable
.Pq Vt bool
Run
.Xr devd 8
to handle device added, removed or unknown events from the kernel.
.It Va ddb_enable
.Pq Vt bool
Run
.Xr ddb 8
to install
.Xr ddb 4
scripts at boot time.
.It Va ddb_config
.Pq Vt str
Configuration file for
.Xr ddb 8 .
Default
.Pa /etc/ddb.conf .
.It Va devmatch_enable
.Pq Vt bool
If set to
.Dq Li NO ,
disable auto-loading of kernel modules with
.Xr devmatch 8 .
.It Va devmatch_blocklist
.Pq Vt str
A whitespace-separated list of kernel modules to be ignored by
.Xr devmatch 8 .
In addition, the
.Xr kenv 1
.Va devmatch_blocklist
is appended to this variable to allow disabling of
.Xr devmatch 8
loaded modules from the boot loader.
.It Va devmatch_blacklist
.Pq Vt str
This variable is deprecated.
Use
.Va devmatch_blocklist
instead.
A whitespace-separated list of kernel modules to be ignored by
.Xr devmatch 8 .
.It Va kld_list
.Pq Vt str
A whitespace-separated list of kernel modules to load right after
the local disks are mounted, without any
.Pa .ko
extension or path.
.It Va kldxref_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Set to
.Dq Li YES
to automatically rebuild
.Pa linker.hints
files with
.Xr kldxref 8
at boot time.
.It Va kldxref_clobber
.Pq Vt bool
Set to
.Dq Li NO
by default.
If
.Va kldxref_enable
is true,
setting to
.Dq Li YES
will overwrite existing
.Pa linker.hints
files at boot time.
Otherwise,
only missing
.Pa linker.hints
files are generated.
.It Va kldxref_module_path
.Pq Vt str
Empty by default.
A semi-colon
.Pq Ql \&;
delimited list of paths containing
.Xr kld 4
modules.
If empty,
the contents of the
.Va kern.module_path
.Xr sysctl 8
are used.
.It Va powerd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
enable the system power control facility with the
.Xr powerd 8
daemon.
.It Va powerd_flags
.Pq Vt str
If
.Va powerd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr powerd 8
daemon.
.It Va svcj_all_enable
Enable auto-jailing of all services which are not explicitly
excluded.
See
.Sx SERVICE JAILS
for more info.
.It Va tmpmfs
Controls the creation of a
.Pa /tmp
memory file system.
Always happens if set to
.Dq Li YES
and never happens if set to
.Dq Li NO .
If set to anything else, a memory file system is created if
.Pa /tmp
is not writable.
.It Va tmpsize
Controls the size of a created
.Pa /tmp
memory file system.
.It Va tmpmfs_flags
Extra options passed to the
.Xr mdmfs 8
utility when the memory file system for
.Pa /tmp
is created.
The default is
.Dq Li "-S" ,
which inhibits the use of softupdates on
.Pa /tmp
so that file system space is freed without delay
after file truncation or deletion.
See
.Xr mdmfs 8
for other options you can use in
.Va tmpmfs_flags .
.It Va varmfs
Controls the creation of a
.Pa /var
memory file system.
Always happens if set to
.Dq Li YES
and never happens if set to
.Dq Li NO .
If set to anything else, a memory file system is created if
.Pa /var
is not writable.
.It Va varsize
Controls the size of a created
.Pa /var
memory file system.
.It Va varmfs_flags
Extra options passed to the
.Xr mdmfs 8
utility when the memory file system for
.Pa /var
is created.
The default is
.Dq Li "-S" ,
which inhibits the use of softupdates on
.Pa /var
so that file system space is freed without delay
after file truncation or deletion.
See
.Xr mdmfs 8
for other options you can use in
.Va varmfs_flags .
.It Va populate_var
Controls the automatic population of the
.Pa /var
file system.
Always happens if set to
.Dq Li YES
and never happens if set to
.Dq Li NO .
If set to anything else, a memory file system is created if
.Pa /var
is not writable.
Note that this process requires access to certain commands in
.Pa /usr
before
.Pa /usr
is mounted on normal systems.
.It Va cleanvar_enable
.Pq Vt bool
Clean the
.Pa /var
directory.
.It Va var_run_enable
.Pq Vt bool
Set to "YES" to enable saving of the
.Pa /var/run
directory structure into an mtree file at shutdown and the reload of the
.Pa /var/run
directory structure at boot.
.It Va var_run_autosave
.Pq Vt bool
In some cases it may be undesirable to save
.Pa /var/run
at shutdown.
When set to "NO"
.Pa /var/run
is loaded at reboot but not saved at shutdown.
Typically in this scenario
.Ql service var_run save
would be performed to save a copy of the
.Pa /var/run
directory structure once, to be reloaded during all subsequent reboots.
.It Va var_run_mtree
.Pq Vt str
Where to save the
.Pa /var/run
mtree.
The default location is
.Pa /var/db/mtree/BSD.var-run.mtree .
.It Va local_startup
.Pq Vt str
List of directories to search for startup script files.
.It Va script_name_sep
.Pq Vt str
The field separator to use for breaking down the list of startup script files
into individual filenames.
The default is a space.
It is not necessary to change this unless there are startup scripts with names
containing spaces.
.It Va hostapd_enable
.Pq Vt bool
Set to
.Dq Li YES
to start
.Xr hostapd 8
at system boot time.
.It Va hostname
.Pq Vt str
The fully qualified domain name (FQDN) of this host on the network.
This should almost certainly be set to something meaningful, even if
there is no network connection.
If
.Xr dhclient 8
is used to set the hostname via DHCP,
this variable should be set to an empty string.
Within a
.Xr jail 8
the hostname is generally already set and this variable may be absent.
If this value remains unset when the system is done booting
your console login will display the default hostname of
.Dq Amnesiac .
.It Va nisdomainname
.Pq Vt str
The NIS domain name of this host, or
.Dq Li NO
if NIS is not used.
.It Va hostid_enable
.Pq Vt bool
If set to
.Dq Li NO ,
disable the generation or saving of the
.Pa hostid
and
.Pa machine-id
files at system boot and shutdown.
.It Va hostid_file
.Pq Vt str
Path to the
.Pa hostid
file, default
.Pa /etc/hostid .
.It Va hostid_uuidgen_flags
.Pq Vt str
Flags passed to
.Xr uuidgen 1
when generating a software host UUID.
This is used only if the system cannot determine a hardware UUID.
Set to
.Dq Li -r
by default.
.It Va machine_id_file
.Pq Vt str
Path to the
.Pa machine-id
file, default
.Pa /etc/machine-id .
.It Va dhclient_program
.Pq Vt str
Path to the DHCP client program, defaulting to
.Pa /sbin/dhclient .
.It Va dhclient_flags
.Pq Vt str
Additional flags to pass to the DHCP client program.
See the
.Xr dhclient 8
manpage for a description of the command line options available.
.It Va dhclient_flags_ Ns Aq Ar iface
Additional flags to pass to the DHCP client program running on
.Ar iface
only.
When specified, this variable overrides
.Va dhclient_flags .
.It Va background_dhclient
.Pq Vt bool
Set to
.Dq Li YES
to start the DHCP client in background.
This can cause trouble with applications depending on
a working network, but it will provide a faster startup
in many cases.
.It Va background_dhclient_ Ns Aq Ar iface
When specified, this variable overrides the
.Va background_dhclient
variable for interface
.Ar iface
only.
.It Va dhclient_arpwait
.Pq Vt bool
Set to
.Dq Li NO
to stop
.Xr dhclient 8
from waiting for ARP resolution, to make the system boot faster.
This may be done on networks where the DHCP server is certain to
know whether an address is available.
.It Va synchronous_dhclient
.Pq Vt bool
Set to
.Dq Li YES
to start
.Xr dhclient 8
synchronously at startup.
This behavior can be overridden on a per-interface basis by replacing
the
.Dq Li DHCP
keyword in the
.Va ifconfig_ Ns Aq Ar interface
variable with
.Dq Li SYNCDHCP
or
.Dq Li NOSYNCDHCP .
.It Va defaultroute_delay
.Pq Vt int
When set to a positive value, wait up to this long after configuring
DHCP interfaces at startup to give the interfaces time to receive a lease.
.It Va firewall_enable
.Pq Vt bool
Set to
.Dq Li YES
to load firewall rules at startup.
If the kernel was not built with
.Cd "options IPFIREWALL" ,
the
.Pa ipfw.ko
kernel module will be loaded.
See also
.Va ipfilter_enable .
.It Va firewall_script
.Pq Vt str
This variable specifies the full path to the firewall script to run.
The default is
.Pa /etc/rc.firewall .
.It Va firewall_type
.Pq Vt str
Names the firewall type from the selection in
.Pa /etc/rc.firewall ,
or the file which contains the local firewall ruleset.
Valid selections from
.Pa /etc/rc.firewall
are:
.Pp
.Bl -tag -width ".Li workstation" -compact
.It Li open
unrestricted IP access
.It Li closed
all IP services disabled, except via
.Dq Li lo0
.It Li client
basic protection for a workstation
.It Li workstation
basic protection for a workstation using stateful firewalling
.It Li simple
basic protection for a LAN.
.El
.Pp
If a filename is specified, the full path
must be given.
.Pp
Most of the predefined rulesets define additional configuration variables.
These are documented in
.Pa /etc/rc.firewall .
.It Va firewall_quiet
.Pq Vt bool
Set to
.Dq Li YES
to disable the display of firewall rules on the console during boot.
.It Va firewall_logging
.Pq Vt bool
Set to
.Dq Li YES
to enable firewall event logging.
This is equivalent to the
.Dv IPFIREWALL_VERBOSE
kernel option.
.It Va firewall_logif
.Pq Vt bool
Set to
.Dq Li YES
to create pseudo interface
.Li ipfw0
for logging.
For more details, see
.Xr ipfw 8
manual page.
.It Va firewall_flags
.Pq Vt str
Flags passed to
.Xr ipfw 8
if
.Va firewall_type
specifies a filename.
.It Va firewall_coscripts
.Pq Vt str
List of executables and/or rc scripts to run after firewall starts/stops.
Default is empty.
.\" ----- firewall_nat_enable setting --------------------------------
.It Va firewall_nat_enable
.Pq Vt bool
The
.Xr ipfw 8
equivalent of
.Va natd_enable .
Setting this to
.Dq Li YES
will automatically load the
.Xr ipfw 8
NAT kernel module if
.Va firewall_enable
is also set to
.Dq Li YES .
.It Va firewall_nat_interface
.Pq Vt str
The
.Xr ipfw 8
equivalent of
.Va natd_interface .
This is the name of the public interface or IP address on which
kernel NAT should run.
.It Va firewall_nat_flags
.Pq Vt str
Additional configuration parameters for kernel NAT should be placed here.
.It Va firewall_nat64_enable
.Pq Vt bool
Setting this to
.Dq Li YES
will automatically load the
.Xr ipfw 8
NAT64 kernel module if
.Va firewall_enable
is also set to
.Dq Li YES .
.It Va firewall_nptv6_enable
.Pq Vt bool
Setting this to
.Dq Li YES
will automatically load the
.Xr ipfw 8
NPTv6 kernel module if
.Va firewall_enable
is also set to
.Dq Li YES .
.It Va firewall_pmod_enable
.Pq Vt bool
Setting this to
.Dq Li YES
will automatically load the
.Xr ipfw 8
pmod kernel module if
.Va firewall_enable
is also set to
.Dq Li YES .
.It Va dummynet_enable
.Pq Vt bool
Setting this to
.Dq Li YES
will automatically load the
.Xr dummynet 4
module if
.Va firewall_enable
is also set to
.Dq Li YES .
.\" -------------------------------------------------------------------
.It Va ipfw_netflow_enable
.Pq Vt bool
Setting this to
.Dq Li YES
will enable netflow logging via
.Xr ng_netflow 4 .
.Pp
By default an ipfw rule is inserted and all packets are duplicated with
the ngtee command and netflow packets are sent to 127.0.0.1 on the netflow
port using protocol version 5.
.It Va ipfw_netflow_hook
.Pq Vt int
netflow hook name, must be numerical
(default
.Pa 9995 ) .
.It Va ipfw_netflow_rule
.Pq Vt int
ipfw rule number
(default
.Pa 1000 ) .
.It Va ipfw_netflow_ip
.Pq Vt str
Destination server IP for receiving netflow data
(default
.Pa 127.0.0.1 ) .
.It Va ipfw_netflow_port
.Pq Vt int
Destination server port for receiving netflow data
(default
.Pa 9995 ) .
.It Va ipfw_netflow_version
.Pq Vt int
Do not set for using version 5 of the netflow protocol, set it to 9 for using
version 9.
.It Va ipfw_netflow_fib
.Pq Vt int
Only match packet in FIB
.Pa ipfw_netflow_fib
(default is undefined meaning all FIBs).
.It Va natd_program
.Pq Vt str
Path to
.Xr natd 8 .
.It Va natd_enable
.Pq Vt bool
Set to
.Dq Li YES
to enable
.Xr natd 8 .
.Va firewall_enable
must also be set to
.Dq Li YES ,
and
.Xr divert 4
sockets must be enabled in the kernel.
If the kernel was not built with
.Cd "options IPDIVERT" ,
the
.Pa ipdivert.ko
kernel module will be loaded.
.It Va natd_interface
.Pq Vt str
This is the name of the public interface on which
.Xr natd 8
should run.
The interface may be given as an interface name or as an IP address.
.It Va natd_flags
.Pq Vt str
Additional
.Xr natd 8
flags should be placed here.
The
.Fl n
or
.Fl a
flag is automatically added with the above
.Va natd_interface
as an argument.
.\" ----- ipfilter_enable setting --------------------------------
.It Va ipfilter_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Setting this to
.Dq Li YES
enables
.Xr ipf 8
packet filtering.
.Pp
Typical usage will require putting
.Bd -literal
ipfilter_enable="YES"
ipnat_enable="YES"
ipmon_enable="YES"
ipfs_enable="YES"
.Ed
.Pp
into
.Pa /etc/rc.conf
and editing
.Pa /etc/ipf.rules
and
.Pa /etc/ipnat.rules
appropriately.
.Pp
Note that
.Va ipfilter_enable
and
.Va ipnat_enable
can be enabled independently.
.Va ipmon_enable
and
.Va ipfs_enable
both require at least one of
.Va ipfilter_enable
and
.Va ipnat_enable
to be enabled.
.Pp
Having
.Bd -literal
options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK
.Ed
.Pp
in the kernel configuration file is a good idea, too.
.\" ----- ipfilter_program setting ------------------------------
.It Va ipfilter_program
.Pq Vt str
Path to
.Xr ipf 8
(default
.Pa /sbin/ipf ) .
.\" ----- ipfilter_rules setting --------------------------------
.It Va ipfilter_rules
.Pq Vt str
Set to
.Pa /etc/ipf.rules
by default.
This variable contains the name of the filter rule definition file.
The file is expected to be readable for the
.Xr ipf 8
command to execute.
.\" ----- ipfilter_flags setting --------------------------------
.It Va ipfilter_flags
.Pq Vt str
Empty by default.
This variable contains flags passed to the
.Xr ipf 8
program.
.\" ----- ipnat_enable setting ----------------------------------
.It Va ipnat_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Set it to
.Dq Li YES
to enable
.Xr ipnat 8
network address translation.
See
.Va ipfilter_enable
for a detailed discussion.
.\" ----- ipnat_program setting ---------------------------------
.It Va ipnat_program
.Pq Vt str
Path to
.Xr ipnat 8
(default
.Pa /sbin/ipnat ) .
.\" ----- ipnat_rules setting -----------------------------------
.It Va ipnat_rules
.Pq Vt str
Set to
.Pa /etc/ipnat.rules
by default.
This variable contains the name of the file
holding the network address translation definition.
This file is expected to be readable for the
.Xr ipnat 8
command to execute.
.\" ----- ipnat_flags setting -----------------------------------
.It Va ipnat_flags
.Pq Vt str
Empty by default.
This variable contains flags passed to the
.Xr ipnat 8
program.
.\" ----- ipmon_enable setting ----------------------------------
.It Va ipmon_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Set it to
.Dq Li YES
to enable
.Xr ipmon 8
monitoring (logging
.Xr ipf 8
and
.Xr ipnat 8
events).
Setting this variable needs setting
.Va ipfilter_enable
or
.Va ipnat_enable
too.
See
.Va ipfilter_enable
for a detailed discussion.
.\" ----- ipmon_program setting ---------------------------------
.It Va ipmon_program
.Pq Vt str
Path to
.Xr ipmon 8
(default
.Pa /sbin/ipmon ) .
.\" ----- ipmon_flags setting -----------------------------------
.It Va ipmon_flags
.Pq Vt str
Set to
.Dq Li -Ds
by default.
This variable contains flags passed to the
.Xr ipmon 8
program.
Another typical example would be
.Dq Fl D Pa /var/log/ipflog
to have
.Xr ipmon 8
log directly to a file bypassing
.Xr syslogd 8 .
Make sure to adjust
.Pa /etc/newsyslog.conf
in such case like this:
.Bd -literal
/var/log/ipflog 640 10 100 * Z /var/run/ipmon.pid
.Ed
.\" ----- ipfs_enable setting -----------------------------------
.It Va ipfs_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Set it to
.Dq Li YES
to enable
.Xr ipfs 8
saving the filter and NAT state tables during shutdown
and reloading them during startup again.
Setting this variable needs setting
.Va ipfilter_enable
or
.Va ipnat_enable
to
.Dq Li YES
too.
See
.Va ipfilter_enable
for a detailed discussion.
Note that if
.Va kern_securelevel
is set to 3,
.Va ipfs_enable
cannot be used
because the raised securelevel will prevent
.Xr ipfs 8
from saving the state tables at shutdown time.
.\" ----- ipfs_program setting ----------------------------------
.It Va ipfs_program
.Pq Vt str
Path to
.Xr ipfs 8
(default
.Pa /sbin/ipfs ) .
.\" ----- ipfs_flags setting ------------------------------------
.It Va ipfs_flags
.Pq Vt str
Empty by default.
This variable contains flags passed to the
.Xr ipfs 8
program.
.\" ----- end of added ipf hook ---------------------------------
.It Va pf_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Setting this to
.Dq Li YES
enables
.Xr pf 4
packet filtering.
.Pp
Typical usage will require putting
.Pp
.Dl pf_enable="YES"
.Pp
into
.Pa /etc/rc.conf
and editing
.Pa /etc/pf.conf
appropriately.
Adding
.Pp
.Dl "device pf"
.Pp
builds support for
.Xr pf 4
into the kernel, otherwise the
kernel module will be loaded.
.It Va pf_rules
.Pq Vt str
Path to
.Xr pf 4
ruleset configuration file
(default
.Pa /etc/pf.conf ) .
.It Va pf_program
.Pq Vt str
Path to
.Xr pfctl 8
(default
.Pa /sbin/pfctl ) .
.It Va pf_flags
.Pq Vt str
If
.Va pf_enable
is set to
.Dq Li YES ,
these flags are passed to the
.Xr pfctl 8
program when loading the ruleset.
.It Va pf_fallback_rules_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Setting this to
.Dq Li YES
enables loading
.Va pf_fallback_rules_file
or
.Va pf_fallback_rules
in case of a problem when loading the ruleset in
.Va pf_rules .
.It Va pf_fallback_rules_file
.Pq Vt str
Path to a pf ruleset to load in case of failure when loading the
ruleset in
.Va pf_rules
(default
.Pa /etc/pf-fallback.conf ) .
.It Va pf_fallback_rules
.Pq Vt str
A pf ruleset to load in case of failure when loading the ruleset in
.Va pf_rules
and
.Va pf_fallback_rules_file
is not found.
Multiple rules can be set as follows:
.Bd -literal
pf_fallback_rules="\\
    block drop log all\\
    pass in quick on em0"
.Pp
.Ed
The default fallback rule is
.Dq block drop log all
.It Va pflog_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Setting this to
.Dq Li YES
enables
.Xr pflogd 8
which logs packets from the
.Xr pf 4
packet filter.
.It Va pflog_logfile
.Pq Vt str
If
.Va pflog_enable
is set to
.Dq Li YES
this controls where
.Xr pflogd 8
stores the logfile
(default
.Pa /var/log/pflog ) .
Check
.Pa /etc/newsyslog.conf
to adjust logfile rotation for this.
.It Va pflog_program
.Pq Vt str
Path to
.Xr pflogd 8
(default
.Pa /sbin/pflogd ) .
.It Va pflog_flags
.Pq Vt str
Empty by default.
This variable contains additional flags passed to the
.Xr pflogd 8
program.
.It Va pflog_instances
.Pq Vt str
If logging to more than one
.Xr pflog 4
interface is desired,
.Va pflog_instances
is set to the list of
.Xr pflogd 8
instances that should be started at system boot time.
If
.Va pflog_instances
is set, for each whitespace-separated
.Ar element
in the list,
.Ao Ar element Ac Ns Va _dev
and
.Ao Ar element Ac Ns Va _logfile
elements are assumed to exist.
.Ao Ar element Ac Ns Va _dev
must contain the
.Xr pflog 4
interface to be watched by the named
.Xr pflogd 8
instance.
.Ao Ar element Ac Ns Va _logfile
must contain the name of the logfile that will be used by the
.Xr pflogd 8
instance.
.It Va ftpproxy_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Setting this to
.Dq Li YES
enables
.Xr ftp-proxy 8
which supports the
.Xr pf 4
packet filter in translating ftp connections.
.It Va ftpproxy_flags
.Pq Vt str
Empty by default.
This variable contains additional flags passed to the
.Xr ftp-proxy 8
program.
.It Va ftpproxy_instances
.Pq Vt str
Empty by default.
If multiple instances of
.Xr ftp-proxy 8
are desired at boot time,
.Va ftpproxy_instances
should contain a whitespace-separated list of instance names.
For each
.Ar element
in the list, a variable named
.Ao Ar element Ac Ns Va _flags
should be defined, containing the command-line flags to be passed to the
.Xr ftp-proxy 8
instance.
.It Va pfsync_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Setting this to
.Dq Li YES
enables exposing
.Xr pf 4
state changes to other hosts over the network by means of
.Xr pfsync 4 .
The
.Va pfsync_syncdev
variable
must also be set then.
.It Va pfsync_syncdev
.Pq Vt str
Empty by default.
This variable specifies the name of the network interface
.Xr pfsync 4
should operate through.
It must be set accordingly if
.Va pfsync_enable
is set to
.Dq Li YES .
.It Va pfsync_syncpeer
.Pq Vt str
Empty by default.
This variable is optional.
By default, state change messages are sent out on the synchronisation
interface using IP multicast packets.
The protocol is IP protocol 240, PFSYNC, and the multicast group used is
224.0.0.240.
When a peer address is specified using the
.Va pfsync_syncpeer
option, the peer address is used as a destination for the pfsync
traffic, and the traffic can then be protected using
.Xr ipsec 4 .
See the
.Xr pfsync 4
manpage for more details about using
.Xr ipsec 4
with
.Xr pfsync 4
interfaces.
.It Va pfsync_ifconfig
.Pq Vt str
Empty by default.
This variable can contain additional options to be passed to the
.Xr ifconfig 8
command used to set up
.Xr pfsync 4 .
.It Va tcp_extensions
.Pq Vt bool
Set to
.Dq Li YES
by default.
Setting this to
.Dq Li NO
disables certain TCP options as described by
.Rs
.%T "RFC 1323"
.Re
Setting this to
.Dq Li NO
might help remedy connection problems such as random hangs
or other weird behavior.
Some network devices are known
to be broken with respect to these options.
.It Va log_in_vain
.Pq Vt int
Set to 0 by default.
The
.Xr sysctl 8
variables,
.Va net.inet.tcp.log_in_vain
and
.Va net.inet.udp.log_in_vain ,
as described in
.Xr tcp 4
and
.Xr udp 4 ,
are set to the given value.
.It Va tcp_keepalive
.Pq Vt bool
Set to
.Dq Li YES
by default.
Setting to
.Dq Li NO
will disable probing idle TCP connections to verify that the
peer is still up and reachable.
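.Pp
The following
.Xr sh 1
lint is an added example, not part of the
.Fx
rc scripts; it cross-checks the
.Va pf_fallback_rules_enable ,
.Va pflog_instances
and
.Va pfsync_syncdev / pfsync_syncpeer
settings described above.
The function names and the sample file are constructed, and a default of
.Dq Li NO
for
.Va pf_enable
is assumed.

```shell
# Added example: lint the pf, pflogd and pfsync settings of an rc.conf file.
# rc_get, is_yes, pf_lint and write_pf_sample are hypothetical helper names.

# rc_get FILE VAR DEFAULT: print VAR as set in FILE, or DEFAULT if unset.
# rc.conf is sh(1) syntax, so FILE is sourced in a subshell; sourcing executes
# it, so point this only at configuration you trust.  FILE must contain a
# slash, otherwise "." searches PATH.
rc_get() {
    ( . "$1" >/dev/null 2>&1
      eval "printf '%s' \"\${$2-\$3}\"" )
}

# is_yes VALUE: true for YES, TRUE, ON or 1 in any case (assumed to be the
# spellings the rc scripts accept for a bool).
is_yes() {
    case $1 in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# pf_lint FILE: print one finding per line; prints nothing for a clean file.
pf_lint() {
    f=$1
    # A failed load of pf_rules only falls back to another ruleset if asked to.
    if is_yes "$(rc_get "$f" pf_enable NO)" &&
       ! is_yes "$(rc_get "$f" pf_fallback_rules_enable NO)"; then
        echo "pf_fallback_rules_enable: NO, no fallback ruleset is loaded if pf_rules fails to load"
    fi
    # Every pflogd instance needs <element>_dev and <element>_logfile.
    for inst in $(rc_get "$f" pflog_instances ""); do
        case $inst in
            *[!A-Za-z0-9_]*)
                echo "pflog_instances: '$inst' is not a valid variable prefix"
                continue ;;
        esac
        for suffix in dev logfile; do
            [ -n "$(rc_get "$f" "${inst}_${suffix}" "")" ] ||
                echo "pflog_instances: ${inst}_${suffix} is not set"
        done
    done
    # pfsync needs a sync interface; without a peer it uses multicast.
    if is_yes "$(rc_get "$f" pfsync_enable NO)"; then
        [ -n "$(rc_get "$f" pfsync_syncdev "")" ] ||
            echo "pfsync_syncdev: must be set when pfsync_enable is YES"
        [ -n "$(rc_get "$f" pfsync_syncpeer "")" ] ||
            echo "pfsync_syncpeer: unset, state changes go to multicast group 224.0.0.240"
    fi
    return 0
}

# Constructed sample: pf without fallback rules, a pflogd instance that lacks
# its _logfile, and pfsync without syncdev or syncpeer.
write_pf_sample() {
    cat > "$1" <<'EOF'
pf_enable="YES"
pflog_enable="YES"
pflog_instances="dmz lan"
dmz_dev="pflog1"
dmz_logfile="/var/log/pflog.dmz"
lan_dev="pflog2"
pfsync_enable="YES"
EOF
}

# Demo run on the constructed sample.
demo=$(mktemp) && write_pf_sample "$demo" && pf_lint "$demo"
rm -f "$demo"
```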
.It Va tcp_drop_synfin
.Pq Vt bool
Set to
.Dq Li NO
by default.
Setting to
.Dq Li YES
will cause the kernel to ignore TCP frames that have both
the SYN and FIN flags set.
This prevents OS fingerprinting, but may
break some legitimate applications.
.It Va icmp_drop_redirect
.Pq Vt bool
Set to
.Dq Li AUTO
by default.
This setting will be identical to
.Dq Li YES ,
if a dynamic routing daemon is enabled, because redirect processing may
cause performance issues for large routing tables.
If no such service is enabled, this setting behaves like a
.Dq Li NO .
Setting to
.Dq Li YES
will cause the kernel to ignore ICMP REDIRECT packets.
Setting to
.Dq Li NO
will cause the kernel to process ICMP REDIRECT packets.
Refer to
.Xr icmp 4
for more information.
.It Va icmp_log_redirect
.Pq Vt bool
Set to
.Dq Li NO
by default.
Setting to
.Dq Li YES
will cause the kernel to log ICMP REDIRECT packets.
Note that
the log messages are not rate-limited, so this option should only be used
for troubleshooting networks.
Refer to
.Xr icmp 4
for more information.
.It Va icmp_bmcastecho
.Pq Vt bool
Set to
.Dq Li YES
to respond to broadcast or multicast ICMP ping packets.
Refer to
.Xr icmp 4
for more information.
.It Va ip_portrange_first
.Pq Vt int
If not set to
.Dq Li NO ,
this is the first port in the default portrange.
Refer to
.Xr ip 4
for more information.
.It Va ip_portrange_last
.Pq Vt int
If not set to
.Dq Li NO ,
this is the last port in the default portrange.
Refer to
.Xr ip 4
for more information.
.It Va network_interfaces
.Pq Vt str
Set to the list of network interfaces to configure on this host or
.Dq Li AUTO
(the default) for all current interfaces.
Setting the
.Va network_interfaces
variable to anything other than the default is deprecated.
Interfaces that the administrator wishes to store configuration for,
but not start at boot should be configured with the
.Dq Li NOAUTO
keyword in their
.Va ifconfig_ Ns Aq Ar interface
variables as described below.
.Pp
An
.Va ifconfig_ Ns Aq Ar interface
variable is assumed to exist for each value of
.Ar interface .
When an interface name contains any of the characters
.Dq Li .-/+
they are translated to
.Dq Li _
before lookup.
For example, the interface
.Va em0.102
would be configured using the variable
.Va ifconfig_em0_102 .
.Pp
The variable can contain arguments to
.Xr ifconfig 8 ,
as well as special case-insensitive keywords described below.
Such keywords are removed before passing the value to
.Xr ifconfig 8
while the order of the other arguments is preserved.
.Pp
For example, to assign the IPv4 address 192.0.2.1/24 to the interface em0:
.Bd -literal
ifconfig_em0="inet 192.0.2.1/24 up"
.Ed
.Pp
If the variable
.Va ifconfig_ Ns Ao Ar interface Ac Ns Pa _ipv6
is set, then
.Va ifconfig_ Ns Aq Ar interface
does not need to be set unless an IPv4 address should also be assigned to
the interface.
.Pp
It is possible to add IP alias entries using
.Xr ifconfig 8
syntax with the address family keyword such as
.Li inet .
Assuming that the interface in question was
.Li em0 ,
it might look something like this:
.Bd -literal
ifconfig_em0_alias0="inet 127.0.0.253/32"
ifconfig_em0_alias1="inet 127.0.0.254/32"
.Ed
.Pp
It is also possible to configure multiple IP addresses in Classless
Inter-Domain Routing
.Pq CIDR
address notation,
in which each address component can be a range like
.Li inet 192.0.2.5-23/24
or
.Li inet6 2001:db8:1-f::1/64 .
This notation allows only the address and prefix length parts,
not the other address modifiers.
Note that the maximum number of the generated addresses from a range
specification is limited to an integer value specified in
.Va netif_ipexpand_max
in
.Nm
because a small typo can unexpectedly generate a large number of addresses.
The default value is
.Li 2048 .
It can be increased by adding the following line into
.Nm :
.Bd -literal
netif_ipexpand_max="4096"
.Ed
.Pp
In the case of
.Li 192.0.2.5-23/24 ,
the address 192.0.2.5 will be configured with the prefix length /24 and the
addresses 192.0.2.6 to 192.0.2.23 with the non-conflicting prefix length /32 as
explained in the
.Xr ifconfig 8
alias section.
Note that this special CIDR handling is only for
.Li inet ,
not for the other address families such as
.Li inet6 .
.Pp
With the interface in question being
.Li em0 ,
an example could look like:
.Bd -literal
ifconfig_em0_alias2="inet 192.0.2.129/27"
ifconfig_em0_alias3="inet 192.0.2.1-5/28"
.Ed
.Pp
and so on.
.Pp
Note that the deprecated
.Va ipv4_addrs_ Ns Aq Ar interface
variable was supported for IPv4 CIDR address notation.
The
.Va ifconfig_ Ns Ao Ar interface Ac Ns Va _alias Ns Aq Ar n
variable replaces it, though
.Va ipv4_addrs_ Ns Aq Ar interface
is still supported for backward compatibility.
.Pp
For each
.Va ifconfig_ Ns Ao Ar interface Ac Ns Va _alias Ns Aq Ar n
entry with an address family keyword,
its contents are passed to
.Xr ifconfig 8 .
Execution stops at the first unsuccessful access, so if
something like this is present:
.Bd -literal
ifconfig_em0_alias0="inet 127.0.0.251/32"
ifconfig_em0_alias1="inet 127.0.0.252/32"
ifconfig_em0_alias2="inet 127.0.0.253/32"
ifconfig_em0_alias4="inet 127.0.0.254/32"
.Ed
.Pp
Then note that alias4 would
.Em not
be added since the search would
stop with the missing
.Dq Li alias3
entry.
Because this behavior is difficult to manage,
there is an
.Va ifconfig_ Ns Ao Ar interface Ac Ns Va _aliases
variable, which has the same functionality as
.Va ifconfig_ Ns Ao Ar interface Ac Ns Va _alias Ns Aq Ar n
and can hold all of the entries in one variable like the following:
.Bd -literal
ifconfig_em0_aliases="\\
	inet 127.0.0.251/32 \\
	inet 127.0.0.252/32 \\
	inet 127.0.0.253/32 \\
	inet 127.0.0.254/32"
.Ed
.Pp
It also supports netmask notation for backward compatibility.
.Pp
If the
.Pa /etc/start_if . Ns Aq Ar interface
file is present, it is read and executed by the
.Xr sh 1
interpreter
before configuring the interface as specified in the
.Va ifconfig_ Ns Aq Ar interface
and
.Va ifconfig_ Ns Ao Ar interface Ac Ns Va _alias Ns Aq Ar n
variables.
.Pp
If a
.Va vlans_ Ns Aq Ar interface
variable is set,
a
.Xr vlan 4
interface will be created for each item in the list with the
.Ar vlandev
argument set to
.Ar interface .
If a vlan interface's name is a number,
then that number is used as the vlan tag and the new vlan interface is
named
.Ar interface . Ns Ar tag .
Otherwise,
the vlan tag must be specified via a
.Va vlan
parameter in the
.Va create_args_ Ns Aq Ar interface
variable.
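.Pp
The alias numbering rule and the interface-name translation described above
can be checked before a reboot with the following
.Xr sh 1
functions.
This is an added example, not code from the
.Fx
rc scripts; the function names and the sample file are constructed, and it
assumes the alias search starts at
.Dq Li alias0
as in the examples above.

```shell
# Added example: find ifconfig_<interface>_alias<n> entries that are never
# applied because a lower-numbered alias is missing.
# if_var, alias_gaps and write_alias_sample are hypothetical helper names.

# if_var IFACE: variable name used for IFACE; the characters . - / + in an
# interface name are translated to _ before lookup.
if_var() {
    printf 'ifconfig_%s\n' "$(printf '%s' "$1" | tr './+-' '____')"
}

# alias_gaps FILE IFACE: print every alias variable of IFACE in FILE that
# lies beyond the first gap in the numbering.
alias_gaps() {
    stem=$(if_var "$2")_alias
    # Numeric suffixes that are actually assigned, in ascending order.
    # ifconfig_<interface>_aliases is not matched: "es" is not a number.
    nums=$(sed -n "s/^[[:space:]]*${stem}\([0-9][0-9]*\)=.*/\1/p" "$1" |
           sort -n -u)
    next=0
    for n in $nums; do
        if [ "$n" -eq "$next" ]; then
            next=$((next + 1))          # still contiguous from alias0
        else
            echo "${stem}${n}"          # behind a gap, so never reached
        fi
    done
}

# Constructed sample: em0 skips alias3, and the vlan interface em0.101
# (looked up as ifconfig_em0_101) starts at alias1 instead of alias0.
write_alias_sample() {
    cat > "$1" <<'EOF'
ifconfig_em0="inet 192.0.2.1/24 up"
ifconfig_em0_alias0="inet 127.0.0.251/32"
ifconfig_em0_alias1="inet 127.0.0.252/32"
ifconfig_em0_alias2="inet 127.0.0.253/32"
ifconfig_em0_alias4="inet 127.0.0.254/32"
vlans_em0="101"
ifconfig_em0_101="inet 192.0.2.129/27"
ifconfig_em0_101_alias1="inet 192.0.2.130/32"
EOF
}

# Demo run on the constructed sample.
demo=$(mktemp) && write_alias_sample "$demo" &&
    for ifn in em0 em0.101; do alias_gaps "$demo" "$ifn"; done
rm -f "$demo"
```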
.Pp
To create a vlan device named
.Li em0.101
on
.Li em0
with the vlan tag 101 and the optional IPv4 address 192.0.2.1/24:
.Bd -literal
vlans_em0="101"
ifconfig_em0_101="inet 192.0.2.1/24"
.Ed
.Pp
To create a vlan device named
.Li myvlan
on
.Li em0
with the vlan tag 102:
.Bd -literal
vlans_em0="myvlan"
create_args_myvlan="vlan 102"
.Ed
.Pp
If a
.Va wlans_ Ns Aq Ar interface
variable is set,
a
.Xr wlan 4
interface will be created for each item in the list with the
.Ar wlandev
argument set to
.Ar interface .
Further wlan cloning arguments may be passed to the
.Xr ifconfig 8
.Cm create
command by setting the
.Va create_args_ Ns Aq Ar interface
variable.
One or more
.Xr wlan 4
devices must be created for each wireless device as of
.Fx 8.0 .
Debugging flags for
.Xr wlan 4
devices as set by
.Xr wlandebug 8
may be specified with a
.Va wlandebug_ Ns Aq Ar interface
variable.
The contents of this variable will be passed directly to
.Xr wlandebug 8 .
.Pp
If the
.Va ifconfig_ Ns Aq Ar interface
contains the keyword
.Dq Li NOAUTO
then the interface will not be configured
at boot or by
.Pa /etc/pccard_ether
when
.Va network_interfaces
is set to
.Dq Li AUTO .
.Pp
It is possible to bring up an interface with DHCP by adding
.Dq Li DHCP
to the
.Va ifconfig_ Ns Aq Ar interface
variable.
For instance, to initialize the
.Li em0
device via DHCP,
it is possible to use something like:
.Bd -literal
ifconfig_em0="DHCP"
.Ed
.Pp
If you want to configure your wireless interface with
.Xr wpa_supplicant 8
for use with WPA, EAP/LEAP or WEP, you need to add
.Dq Li WPA
to the
.Va ifconfig_ Ns Aq Ar interface
variable.
.Pp
On the other hand, if you want to configure your wireless interface with
.Xr hostapd 8 ,
you need to add
.Dq Li HOSTAP
to the
.Va ifconfig_ Ns Aq Ar interface
variable.
.Xr hostapd 8
will use the settings from
.Pa /etc/hostapd- Ns Ao Ar interface Ac Ns .conf .
.Pp
Finally, you can add
.Xr ifconfig 8
options in this variable, in addition to the
.Pa /etc/start_if . Ns Aq Ar interface
file.
For instance, to configure an
.Xr ath 4
wireless device in station mode with an address obtained
via DHCP, using WPA authentication and 802.11b mode, it is
possible to use something like:
.Bd -literal
wlans_ath0="wlan0"
ifconfig_wlan0="DHCP WPA mode 11b"
.Ed
.Pp
In addition to the
.Va ifconfig_ Ns Aq Ar interface
form, a fallback variable
.Va ifconfig_DEFAULT
may be configured.
It will be used for all interfaces with no
.Va ifconfig_ Ns Aq Ar interface
variable.
.Pp
It is also possible to rename an interface by doing:
.Bd -literal
ifconfig_em0_name="net0"
ifconfig_net0="inet 192.0.2.1/24"
.Ed
.It Va ipv6_enable
.Pq Vt bool
This variable is deprecated.
Use
.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
and
.Va ipv6_activate_all_interfaces
if necessary.
.Pp
If the variable is
.Dq Li YES ,
.Dq Li inet6 accept_rtadv
is added to all of
.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
and the
.Va ipv6_activate_all_interfaces
is defined as
.Dq Li YES .
.It Va ipv6_prefer
.Pq Vt bool
This variable is deprecated.
Use
.Va ip6addrctl_policy
instead.
.Pp
If the variable is
.Dq Li YES ,
the default address selection policy table set by
.Xr ip6addrctl 8
will be IPv6-preferred.
.Pp
If the variable is
.Dq Li NO ,
the default address selection policy table set by
.Xr ip6addrctl 8
will be IPv4-preferred.
.It Va ipv6_activate_all_interfaces
.Pq Vt bool
This controls initial configuration on IPv6-capable
interfaces with no corresponding
.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
variable.
Note that it is not always necessary to set this variable to
.Dq YES
to use IPv6 functionality on
.Fx .
In most cases, just configuring
.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
variables works.
.Pp
If the variable is
.Dq Li NO ,
all interfaces which do not have a corresponding
.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
variable will be marked as
.Dq Li IFDISABLED
at creation.
This means that all IPv6 functionality on that interface
is completely disabled to enforce a security policy.
If the variable is set to
.Dq YES ,
the flag will be cleared on all of the interfaces.
.Pp
In most cases, just defining an
.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
for an IPv6-capable interface should be sufficient.
However, if an interface is added dynamically
.Pq by some tunneling protocols such as PPP, for example ,
it is often difficult to define the variable in advance.
In such a case, configuring the
.Dq Li IFDISABLED
flag can be disabled by setting this variable to
.Dq YES .
.Pp
For more details of the
.Dq Li IFDISABLED
flag and keywords
.Dq Li inet6 ifdisabled ,
see
.Xr ifconfig 8 .
.Pp
Default is
.Dq Li NO .
.It Va ipv6_privacy
.Pq Vt bool
If the variable is
.Dq Li YES
privacy addresses will be generated for each IPv6
interface as described in RFC 4941.
.It Va ipv6_network_interfaces
.Pq Vt str
This is the IPv6 equivalent of
.Va network_interfaces .
Normally manual configuration of this variable is not needed.
.It Va ipv6_cpe_wanif
.Pq Vt str
If the variable is set to an interface name,
the
.Xr ifconfig 8
options
.Dq inet6 -no_radr accept_rtadv
will be added to the specified interface automatically before evaluating
.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6 ,
and two
.Xr sysctl 8
variables
.Va net.inet6.ip6.rfc6204w3
and
.Va net.inet6.ip6.no_radr
will be set to 1.
.Pp
This means the specified interface will accept ICMPv6 Router
Advertisement messages on that link and add the discovered
routers into the Default Router List.
While the other interfaces can still accept RA messages if the
.Dq inet6 accept_rtadv
option is specified, adding
routes into the Default Router List will be disabled by the
.Dq inet6 no_radr
option by default.
See
.Xr ifconfig 8
for more details.
.Pp
Note that ICMPv6 Router Advertisement messages will be
accepted even when
.Va net.inet6.ip6.forwarding
is 1
.Pq packet forwarding is enabled
when
.Va net.inet6.ip6.rfc6204w3
is set to 1.
.Pp
Default is
.Dq Li NO .
.It Va ifconfig_ Ns Ao Ar interface Ac Ns _descr
.Pq Vt str
This assigns an arbitrary description to an interface.
The
.Xr sysctl 8
variable
.Va net.ifdescr_maxlen
limits its length.
This static setting may be overridden by commands
started with dynamic interface configuration utilities
like
.Xr dhclient 8
hooks.
The description can be seen with the
.Xr ifconfig 8
command and it may be exported with the
.Xr bsnmpd 1
daemon using its MIB-2 module.
.It Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
.Pq Vt str
IPv6 functionality on an interface should be configured by
.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6 ,
instead of setting ifconfig parameters in
.Va ifconfig_ Ns Aq Ar interface .
If this variable is empty, all IPv6 configurations on the
specified interface by other variables such as
.Va ipv6_prefix_ Ns Ao Ar interface Ac
will be ignored.
.Pp
Aliases should be set by
.Va ifconfig_ Ns Ao Ar interface Ac Ns Va _alias Ns Aq Ar n
with
.Dq Li inet6
keyword.
For example:
.Bd -literal
ifconfig_em0_ipv6="inet6 2001:db8:1::1 prefixlen 64"
ifconfig_em0_alias0="inet6 2001:db8:2::1 prefixlen 64"
.Ed
.Pp
Interfaces that have an
.Dq Li inet6 accept_rtadv
keyword in
.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
setting will be automatically configured by SLAAC
.Pq StateLess Address AutoConfiguration
described in
.Rs
.%T "RFC 4862"
.Re
.Pp
Note that a link-local address will be automatically configured in
addition to the configured global-scope addresses because the IPv6
specifications require it on each link.
The address is calculated from the MAC address by using an algorithm
defined in
.Rs
.%T "RFC 4862"
.%O "Section 5.3"
.Re
.Pp
If only a link-local address is needed on the interface,
the following configuration can be used:
.Bd -literal
ifconfig_em0_ipv6="inet6 auto_linklocal"
.Ed
.Pp
A link-local address can also be configured manually.
This is useful for the default router address of an IPv6 router
so that it does not change when the network interface
card is replaced.
For example:
.Bd -literal
ifconfig_em0_ipv6="inet6 fe80::1 prefixlen 64"
.Ed
.It Va ipv6_prefix_ Ns Aq Ar interface
.Pq Vt str
If one or more prefixes are defined in
.Va ipv6_prefix_ Ns Aq Ar interface
addresses based on each prefix and the EUI-64 interface index will be
configured on that interface.
Note that this variable will be ignored when
.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
is empty.
.Pp
For example, the following configuration
.Bd -literal
ipv6_prefix_em0="2001:db8:1:0 2001:db8:2:0"
.Ed
.Pp
is equivalent to the following:
.Bd -literal
ifconfig_em0_alias0="inet6 2001:db8:1:: eui64 prefixlen 64"
ifconfig_em0_alias1="inet6 2001:db8:1:: prefixlen 64 anycast"
ifconfig_em0_alias2="inet6 2001:db8:2:: eui64 prefixlen 64"
ifconfig_em0_alias3="inet6 2001:db8:2:: prefixlen 64 anycast"
.Ed
.Pp
These Subnet-Router anycast addresses will be added only when
.Va ipv6_gateway_enable
is YES.
.It Va ipv6_default_interface
.Pq Vt str
If not set to
.Dq Li NO ,
this is the default output interface for scoped addresses.
This works only with ipv6_gateway_enable="NO".
.It Va ip6addrctl_enable
.Pq Vt bool
This variable enables configuring the default address selection policy table
.Pq RFC 3484 .
The table can be specified in another variable
.Va ip6addrctl_policy .
For
.Va ip6addrctl_policy
the following keywords can be specified:
.Dq Li ipv4_prefer ,
.Dq Li ipv6_prefer ,
or
.Dq Li AUTO .
.Pp
If
.Dq Li ipv4_prefer
or
.Dq Li ipv6_prefer
is specified,
.Xr ip6addrctl 8
installs a pre-defined policy table described in Section 10.3
.Pq IPv4-preferred
or 2.1
.Pq IPv6-preferred
of RFC 3484.
.Pp
If
.Dq Li AUTO
is specified, it attempts to read a file
.Pa /etc/ip6addrctl.conf
first.
If this file is found,
.Xr ip6addrctl 8
reads and installs it.
If not found, a policy is automatically set
according to the
.Va ipv6_activate_all_interfaces
variable; if the variable is set to
.Dq Li YES
the IPv6-preferred one is used.
Otherwise the IPv4-preferred one is used.
.Pp
The default values of
.Va ip6addrctl_enable
and
.Va ip6addrctl_policy
are
.Dq Li YES
and
.Dq Li AUTO ,
respectively.
.It Va cloned_interfaces
.Pq Vt str
Set to the list of clonable network interfaces to create on this host.
Further cloning arguments may be passed to the
.Xr ifconfig 8
.Cm create
command for each interface by setting the
.Va create_args_ Ns Aq Ar interface
variable.
If an interface name is specified with the
.Dq :sticky
keyword,
the interface will not be destroyed even when the
.Pa rc.d/netif
script is invoked with the
.Dq stop
argument.
This is useful when reconfiguring the interface without destroying it.
Entries in
.Va cloned_interfaces
are automatically appended to
.Va network_interfaces
for configuration.
.It Va cloned_interfaces_sticky
.Pq Vt bool
This variable globally enables the functionality of the
.Dq :sticky
keyword in
.Va cloned_interfaces
for all interfaces.
The default value is
.Dq NO .
Even if this variable is set to
.Dq YES ,
the
.Dq :nosticky
keyword can be used to override it on a per-interface basis.
.It Va gif_interfaces
Set to the list of
.Xr gif 4
tunnel interfaces to configure on this host.
A
.Va gifconfig_ Ns Aq Ar interface
variable is assumed to exist for each value of
.Ar interface .
The value of this variable is used to configure the link layer of the
tunnel using the
.Cm tunnel
option to
.Xr ifconfig 8 .
Additionally, this option ensures that each listed interface is created
via the
.Cm create
option to
.Xr ifconfig 8
before attempting to configure it.
.Pp
For example, configure two
.Xr gif 4
interfaces with:
.Bd -literal
gif_interfaces="gif0 gif1"
gifconfig_gif0="100.64.0.1 100.64.0.2"
ifconfig_gif0="inet 10.0.0.1/30 10.0.0.2"
gifconfig_gif1="inet6 2a00::1 2a01::1"
ifconfig_gif1="inet 10.1.0.1/30 10.1.0.2"
.Ed
.It Va ppp_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr ppp 8
daemon.
.It Va ppp_profile
.Pq Vt str
The name of the profile to use from
.Pa /etc/ppp/ppp.conf .
Also used for per-profile overrides of
.Va ppp_mode
and
.Va ppp_nat ,
and
.Va ppp_ Ns Ao Ar profile Ac Ns _unit .
When the profile name contains any of the characters
.Dq Li .-/+
they are translated to
.Dq Li _
for the purposes of the override variable names.
.It Va ppp_mode
.Pq Vt str
Mode in which to run the
.Xr ppp 8
daemon.
.It Va ppp_ Ns Ao Ar profile Ac Ns _mode
.Pq Vt str
Overrides the global
.Va ppp_mode
for
.Ar profile .
Accepted modes are
.Dq Li auto ,
.Dq Li ddial ,
.Dq Li direct
and
.Dq Li dedicated .
See the manual for a full description.
.It Va ppp_nat
.Pq Vt bool
If set to
.Dq Li YES ,
enables network address translation.
Used in conjunction with
.Va gateway_enable
allows hosts on private network addresses access to the Internet using
this host as a network address translating router.
Default is
.Dq Li YES .
.It Va ppp_ Ns Ao Ar profile Ac Ns _nat
.Pq Vt str
Overrides the global
.Va ppp_nat
for
.Ar profile .
.It Va ppp_ Ns Ao Ar profile Ac Ns _unit
.Pq Vt int
Set the unit number to be used for this profile.
See the manual description of
.Fl unit Ns Ar N
for details.
.It Va ppp_user
.Pq Vt str
The name of the user under which
.Xr ppp 8
should be started.
By
default,
.Xr ppp 8
is started as
.Dq Li root .
.It Va rc_conf_files
.Pq Vt str
This option is used to specify a list of files that will override
the settings in
.Pa /etc/defaults/rc.conf .
The files will be read in the order in which they are specified and should
include the full path to the file.
By default, the files specified are
.Pa /etc/rc.conf
and
.Pa /etc/rc.conf.local .
.It Va zfs_enable
.Pq Vt bool
If set to
.Dq Li YES ,
.Pa /etc/rc.d/zfs
will attempt to automatically mount ZFS file systems and initialize ZFS volumes
(ZVOLs).
.It Va zpool_reguid
.Pq Vt str
A space-separated list of ZFS pool names for which new pool GUIDs should be
assigned upon first boot.
This is useful when using a ZFS pool copied from a template, such as a virtual
machine image.
.It Va zpool_upgrade
.Pq Vt str
A space-separated list of ZFS pool names for which the version should be
upgraded upon first boot.
This is useful when using a ZFS pool generated by the
.Xr makefs 8
utility.
.It Va gptboot_enable
.Pq Vt bool
If set to
.Dq Li YES ,
.Pa /etc/rc.d/gptboot
will log if the system successfully (or not) booted from a GPT partition,
which had the
.Ar bootonce
attribute set using the
.Xr gpart 8
utility.
.It Va geli_devices
.Pq Vt str
List of devices to automatically attach on boot.
Note that .eli devices from
.Pa /etc/fstab
are automatically appended to this list.
.It Va geli_groups
.Pq Vt str
List of groups containing devices to automatically attach on boot with the same
keyfiles and passphrase.
This must be accompanied with a corresponding
.Va geli_ Ns Ao Ar group Ac Ns Va _devices
variable.
.It Va geli_tries
.Pq Vt int
Number of times the user is asked for the pass-phrase.
If empty, it will be taken from
.Va kern.geom.eli.tries
sysctl variable.
.It Va geli_default_flags
.Pq Vt str
Default flags to use by
.Xr geli 8
when configuring disk encryption.
Flags can be configured for every device separately by defining the
.Va geli_ Ns Ao Ar device Ac Ns Va _flags
variable, and for every group separately by defining the
.Va geli_ Ns Ao Ar group Ac Ns Va _flags
variable.
.It Va geli_autodetach
.Pq Vt str
Specifies if GELI devices should be marked for detach on last close after
file systems are mounted.
Default is
.Dq Li YES .
This can be changed for every device separately by defining the
.Va geli_ Ns Ao Ar device Ac Ns Va _autodetach
variable.
.It Va root_rw_mount
.Pq Vt bool
Set to
.Dq Li YES
by default.
After the file systems are checked at boot time, the root file system
is remounted as read-write if this is set to
.Dq Li YES .
Diskless systems that mount their root file system from a read-only remote
NFS share should set this to
.Dq Li NO
in their
.Pa rc.conf .
.It Va fsck_y_enable
.Pq Vt bool
If set to
.Dq Li YES ,
.Xr fsck 8
will be run with the
.Fl y
flag if the initial preen
of the file systems fails.
.It Va background_fsck
.Pq Vt bool
If set to
.Dq Li NO ,
the system will not attempt to run
.Xr fsck 8
in the background where possible.
.It Va background_fsck_delay
.Pq Vt int
The amount of time in seconds to sleep before starting a background
.Xr fsck 8 .
It defaults to sixty seconds to allow large applications such as
the X server to start before disk I/O bandwidth is monopolized by
.Xr fsck 8 .
If set to a negative number, the background file system check will be
delayed indefinitely to allow the administrator to run it at a more
convenient time.
For example it may be run from
.Xr cron 8
by adding a line like
.Pp
.Dl "0 4 * * * root /etc/rc.d/bgfsck forcestart"
.Pp
to
.Pa /etc/crontab .
.It Va netfs_types
.Pq Vt str
List of file system types that are network-based.
This list should generally not be modified by end users.
Use
.Va extra_netfs_types
instead.
.It Va extra_netfs_types
.Pq Vt str
If set to something other than
.Dq Li NO
(the default),
this variable extends the list of file system types
for which automatic mounting at startup by
.Xr rc 8
should be delayed until the network is initialized.
It should contain
a whitespace-separated list of network file system descriptor pairs,
each consisting of a file system type as passed to
.Xr mount 8
and a human-readable, one-word description,
joined with a colon
.Pq Ql \&: .
Extending the default list in this way is only necessary
when third party file system types are used.
.It Va syslogd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr syslogd 8
daemon.
Note, the
.Va syslogd_oomprotect
variable is set to
.Dq Li YES
by default in
.Pa /etc/defaults/rc.conf .
.It Va syslogd_program
.Pq Vt str
Path to
.Xr syslogd 8
(default
.Pa /usr/sbin/syslogd ) .
.It Va syslogd_flags
.Pq Vt str
If
.Va syslogd_enable
is set to
.Dq Li YES ,
these are the flags to pass to
.Xr syslogd 8 .
.It Va inetd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr inetd 8
daemon.
.It Va inetd_program
.Pq Vt str
Path to
.Xr inetd 8
(default
.Pa /usr/sbin/inetd ) .
.It Va inetd_flags
.Pq Vt str
If
.Va inetd_enable
is set to
.Dq Li YES ,
these are the flags to pass to
.Xr inetd 8 .
.It Va hastd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr hastd 8
daemon.
.It Va hastd_program
.Pq Vt str
Path to
.Xr hastd 8
(default
.Pa /sbin/hastd ) .
.It Va hastd_flags
.Pq Vt str
If
.Va hastd_enable
is set to
.Dq Li YES ,
these are the flags to pass to
.Xr hastd 8 .
.It Va local_unbound_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr unbound 8
daemon as a local caching DNS resolver.
Note, the
.Va local_unbound_oomprotect
variable is set to
.Dq Li YES
by default in
.Pa /etc/defaults/rc.conf .
.It Va nscd_enable
.Pq Vt bool
Set to
.Dq Li YES
to start the
.Xr nscd 8
caching daemon for the
.Nm nsswitch
subsystem.
.It Va nscd_flags
.Pq Vt str
If
.Va nscd_enable
is set to
.Dq Li YES ,
these flags are passed to
.Xr nscd 8 .
.It Va kdc_enable
.Pq Vt bool
Set to
.Dq Li YES
to start a Kerberos 5 authentication server
at boot time.
.It Va kdc_program
.Pq Vt str
If
.Va kdc_enable
is set to
.Dq Li YES
this is the path to Kerberos 5 Authentication Server.
.It Va kdc_flags
.Pq Vt str
Empty by default.
This variable contains additional flags to be passed to the Kerberos 5
authentication server.
.It Va kadmind_enable
.Pq Vt bool
Set to
.Dq Li YES
to start
.Xr kadmind 8 ,
the Kerberos 5 Administration Daemon; set to
.Dq Li NO
on a slave server.
.It Va kadmind_program
.Pq Vt str
If
.Va kadmind_enable
is set to
.Dq Li YES
this is the path to Kerberos 5 Administration Daemon.
.It Va kpasswdd_enable
.Pq Vt bool
Set to
.Dq Li YES
to start
.Xr kpasswdd 8 ,
the Kerberos 5 Password-Changing Daemon; set to
.Dq Li NO
on a slave server.
.It Va kpasswdd_program
.Pq Vt str
If
.Va kpasswdd_enable
is set to
.Dq Li YES
this is the path to Kerberos 5 Password-Changing Daemon.
.It Va kfd_enable
.Pq Vt bool
Set to
.Dq Li YES
to start
.Xr kfd 8 ,
the Kerberos 5 ticket forwarding daemon, at boot time.
.It Va kfd_program
.Pq Vt str
Path to
.Xr kfd 8
(default
.Pa /usr/libexec/kfd ) .
.It Va rwhod_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr rwhod 8
daemon at boot time.
.It Va rwhod_flags
.Pq Vt str
If
.Va rwhod_enable
is set to
.Dq Li YES ,
these are the flags to pass to it.
.It Va update_motd
.Pq Vt bool
If set to
.Dq Li YES ,
.Pa /var/run/motd
will be updated at boot time to reflect the kernel release
being run.
If set to
.Dq Li NO ,
.Pa /var/run/motd
will not be updated.
.It Va nfs_client_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the NFS client daemons at boot time.
.It Va nfs_access_cache
.Pq Vt int
If
.Va nfs_client_enable
is set to
.Dq Li YES ,
this can be set to
.Dq Li 0
to disable NFS ACCESS RPC caching, or to the number of seconds for which
NFS ACCESS
results should be cached.
A value of 2-10 seconds will substantially reduce network
traffic for many NFS operations.
.It Va nfs_server_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the NFS server daemons at boot time.
.It Va nfs_server_flags
.Pq Vt str
If
.Va nfs_server_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr nfsd 8
daemon.
.It Va nfsv4_server_enable
.Pq Vt bool
If
.Va nfs_server_enable
is set to
.Dq Li YES
and
.Va nfsv4_server_enable
is set to
.Dq Li YES ,
enable the server for NFSv4 as well as NFSv2 and NFSv3.
.It Va nfsv4_server_only
.Pq Vt bool
If
.Va nfs_server_enable
is set to
.Dq Li YES
and
.Va nfsv4_server_only
is set to
.Dq Li YES ,
enable the NFS server for NFSv4 only.
.It Va nfs_server_maxio
.Pq Vt int
Value to set vfs.nfsd.srvmaxio to, which is the
maximum I/O size for the NFS server.
.It Va tlsclntd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr rpc.tlsclntd 8
daemon, which is needed for NFS-over-TLS NFS mounts.
.It Va tlsservd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr rpc.tlsservd 8
daemon, which is needed for the
.Xr nfsd 8
to support NFS-over-TLS NFS mounts.
.It Va nfsuserd_enable
.Pq Vt bool
If
.Va nfsuserd_enable
is set to
.Dq Li YES ,
run the nfsuserd daemon, which is needed for NFSv4 in order
to map between user/group names and uid/gid numbers.
If
.Va nfsv4_server_enable
is set to
.Dq Li YES ,
this will be forced enabled.
.It Va nfsuserd_flags
.Pq Vt str
If
.Va nfsuserd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr nfsuserd 8
daemon.
.It Va nfscbd_enable
.Pq Vt bool
If
.Va nfscbd_enable
is set to
.Dq Li YES ,
run the nfscbd daemon, which enables callbacks/delegations for the NFSv4 client.
.It Va nfscbd_flags
.Pq Vt str
If
.Va nfscbd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr nfscbd 8
daemon.
.It Va mountd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
and no
.Va nfs_server_enable
is set, start
.Xr mountd 8 ,
but not
.Xr nfsd 8
daemon.
This is commonly needed to run CFS without real NFS.
.It Va mountd_flags
.Pq Vt str
If
.Va mountd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr mountd 8
daemon.
.It Va weak_mountd_authentication
.Pq Vt bool
If set to
.Dq Li YES ,
allow services like PCNFSD to make non-privileged mount
requests.
.It Va nfs_reserved_port_only
.Pq Vt bool
If set to
.Dq Li YES ,
provide NFS services only on a secure port.
.It Va nfs_bufpackets
.Pq Vt int
If set to a number, indicates the number of packets worth of
socket buffer space to reserve on an NFS client.
The kernel default is typically 4.
Using a higher number may be
useful on gigabit networks to improve performance.
The minimum value is
2 and the maximum is 64.
.It Va rpc_lockd_enable
.Pq Vt bool
If set to
.Dq Li YES
and also an NFS server or client, run
.Xr rpc.lockd 8
at boot time.
.It Va rpc_lockd_flags
.Pq Vt str
If
.Va rpc_lockd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr rpc.lockd 8
daemon.
.It Va rpc_statd_enable
.Pq Vt bool
If set to
.Dq Li YES
and also an NFS server or client, run
.Xr rpc.statd 8
at boot time.
.It Va rpc_statd_flags
.Pq Vt str
If
.Va rpc_statd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr rpc.statd 8
daemon.
.It Va rpcbind_program
.Pq Vt str
Path to
.Xr rpcbind 8
(default
.Pa /usr/sbin/rpcbind ) .
.It Va rpcbind_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr rpcbind 8
service at boot time.
.It Va rpcbind_flags
.Pq Vt str
If
.Va rpcbind_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr rpcbind 8
daemon.
.It Va keyserv_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr keyserv 8
daemon on boot for running Secure RPC.
.It Va keyserv_flags
.Pq Vt str
If
.Va keyserv_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr keyserv 8
daemon.
.It Va pppoed_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr pppoed 8
daemon at boot time to provide PPP over Ethernet services.
.It Va pppoed_ Ns Aq Ar provider
.Pq Vt str
.Xr pppoed 8
listens to requests to this
.Ar provider
and ultimately runs
.Xr ppp 8
with a
.Ar system
argument of the same name.
.It Va pppoed_flags
.Pq Vt str
Additional flags to pass to
.Xr pppoed 8 .
.It Va pppoed_interface
.Pq Vt str
The network interface to run
.Xr pppoed 8
on.
This is mandatory when
.Va pppoed_enable
is set to
.Dq Li YES .
.It Va ntpdate_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run
.Xr ntpdate 8
at system startup.
This command is intended to
synchronize the system clock only
.Em once
from some standard reference.
.Pp
Note that the use of the
.Va ntpd_sync_on_start
variable is a preferred alternative to the
.Xr ntpdate 8
utility as
.Xr ntpdate 8
is to be retired from the NTP distribution.
.It Va ntpdate_config
.Pq Vt str
Configuration file for
.Xr ntpdate 8 .
Default
.Pa /etc/ntp.conf .
.It Va ntpdate_hosts
.Pq Vt str
A whitespace-separated list of NTP servers to synchronize with at startup.
The default is to use the servers listed in
.Va ntpdate_config ,
if that file exists.
.It Va ntpdate_program
.Pq Vt str
Path to
.Xr ntpdate 8
(default
.Pa /usr/sbin/ntpdate ) .
.It Va ntpdate_flags
.Pq Vt str
If
.Va ntpdate_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr ntpdate 8
command (typically a hostname).
.It Va ntpd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr ntpd 8
command at boot time.
.It Va ntpd_program
.Pq Vt str
Path to
.Xr ntpd 8
(default
.Pa /usr/sbin/ntpd ) .
.It Va ntpd_config
.Pq Vt str
Path to
.Xr ntpd 8
configuration file.
Default
.Pa /etc/ntp.conf .
.It Va ntpd_flags
.Pq Vt str
If
.Va ntpd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr ntpd 8
daemon.
.It Va ntpd_sync_on_start
.Pq Vt bool
If set to
.Dq Li YES ,
.Xr ntpd 8
is run with the
.Fl g
flag, which syncs the system's clock on startup.
See
.Xr ntpd 8
for more information regarding the
.Fl g
option.
This is a preferred alternative to using
.Xr ntpdate 8
or specifying the
.Va ntpdate_enable
variable.
.It Va nis_client_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr ypbind 8
service at system boot time.
.It Va nis_client_flags
.Pq Vt str
If
.Va nis_client_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr ypbind 8
service.
.It Va nis_ypldap_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr ypldap 8
daemon at system boot time.
.It Va nis_ypldap_flags
.Pq Vt str
If
.Va nis_ypldap_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr ypldap 8
daemon.
.It Va nis_ypset_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr ypset 8
daemon at system boot time.
.It Va nis_ypset_flags
.Pq Vt str
If
.Va nis_ypset_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr ypset 8
daemon.
.It Va nis_server_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr ypserv 8
daemon at system boot time.
.It Va nis_server_flags
.Pq Vt str
If
.Va nis_server_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr ypserv 8
daemon.
.It Va nis_ypxfrd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr rpc.ypxfrd 8
daemon at system boot time.
.It Va nis_ypxfrd_flags
.Pq Vt str
If
.Va nis_ypxfrd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr rpc.ypxfrd 8
daemon.
.It Va nis_yppasswdd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr rpc.yppasswdd 8
daemon at system boot time.
.It Va nis_yppasswdd_flags
.Pq Vt str
If
.Va nis_yppasswdd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr rpc.yppasswdd 8
daemon.
.It Va rpc_ypupdated_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Nm rpc.ypupdated
daemon at system boot time.
.It Va bsnmpd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr bsnmpd 1
daemon at system boot time.
Be sure to understand the security implications of running an SNMP daemon
on your host.
.It Va bsnmpd_flags
.Pq Vt str
If
.Va bsnmpd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr bsnmpd 1
daemon.
.It Va defaultrouter
.Pq Vt str
If not set to
.Dq Li NO ,
create a default route to this host name or IP address
(use an IP address if this router is also required to get to the
name server!).
.It Va defaultrouter_fibN
.Pq Vt str
If not set to
.Dq Li NO ,
create a default route in FIB N to this host name or IP address.
.It Va ipv6_defaultrouter
.Pq Vt str
The IPv6 equivalent of
.Va defaultrouter .
.It Va ipv6_defaultrouter_fibN
.Pq Vt str
The IPv6 equivalent of
.Va defaultrouter_fibN .
.It Va static_arp_pairs
.Pq Vt str
Set to the list of static ARP pairs that are to be added at system
boot time.
For each whitespace separated
.Ar element
in the value, a
.Va static_arp_ Ns Aq Ar element
variable is assumed to exist whose contents will later be passed to a
.Dq Nm arp Cm -S
operation.
For example
.Bd -literal
static_arp_pairs="gw"
static_arp_gw="192.168.1.1 00:01:02:03:04:05"
.Ed
.It Va static_ndp_pairs
.Pq Vt str
Set to the list of static NDP pairs that are to be added at system
boot time.
For each whitespace separated
.Ar element
in the value, a
.Va static_ndp_ Ns Aq Ar element
variable is assumed to exist whose contents will later be passed to a
.Dq Nm ndp Cm -s
operation.
For example
.Bd -literal
static_ndp_pairs="gw"
static_ndp_gw="2001:db8:3::1 00:01:02:03:04:05"
.Ed
.It Va static_routes
.Pq Vt str
Set to the list of static routes that are to be added at system
boot time.
If not set to
.Dq Li NO
then for each whitespace separated
.Ar element
in the value, a
.Va route_ Ns Aq Ar element
variable is assumed to exist
whose contents will later be passed to a
.Dq Nm route Cm add
operation.
For example:
.Bd -literal
static_routes="ext mcast:gif0 gif0local:gif0"
route_ext="-net 10.0.0.0/24 -gateway 192.168.0.1"
route_mcast="-net 224.0.0.0/4 -iface gif0"
route_gif0local="-host 169.254.1.1 -iface lo0"
.Ed
.Pp
When an
.Ar element
is in the form of
.Li name:ifname ,
the route is specific to the interface
.Li ifname .
.It Va ipv6_static_routes
.Pq Vt str
The IPv6 equivalent of
.Va static_routes .
If not set to
.Dq Li NO
then for each whitespace separated
.Ar element
in the value, a
.Va ipv6_route_ Ns Aq Ar element
variable is assumed to exist
whose contents will later be passed to a
.Dq Nm route Cm add Fl inet6
operation.
.It Va gateway_enable
.Pq Vt bool
If set to
.Dq Li YES ,
configure host to act as an IP router, e.g.\& to forward packets
between interfaces.
.It Va ipv6_gateway_enable
.Pq Vt bool
The IPv6 equivalent of
.Va gateway_enable .
.It Va routed_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run a routing daemon of some sort, based on the
settings of
.Va routed_program
and
.Va routed_flags .
.It Va route6d_enable
.Pq Vt bool
The IPv6 equivalent of
.Va routed_enable .
If set to
.Dq Li YES ,
run a routing daemon of some sort, based on the
settings of
.Va route6d_program
and
.Va route6d_flags .
.It Va routed_program
.Pq Vt str
If
.Va routed_enable
is set to
.Dq Li YES ,
this is the name of the routing daemon to use.
The default is
.Xr routed 8 .
.It Va route6d_program
.Pq Vt str
The IPv6 equivalent of
.Va routed_program .
The default is
.Xr route6d 8 .
.It Va routed_flags
.Pq Vt str
If
.Va routed_enable
is set to
.Dq Li YES ,
these are the flags to pass to the routing daemon.
.It Va route6d_flags
.Pq Vt str
The IPv6 equivalent of
.Va routed_flags .
.It Va rtadvd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr rtadvd 8
daemon at boot time.
The
.Xr rtadvd 8
utility sends ICMPv6 Router Advertisement messages to
the interfaces specified in
.Va rtadvd_interfaces .
This should only be enabled with great care.
You may want to fine-tune
.Xr rtadvd.conf 5 .
.It Va rtadvd_flags
.Pq Vt str
If
.Va rtadvd_enable
is set to
.Dq Li YES ,
these are the flags to pass to
.Xr rtadvd 8 .
.It Va rtadvd_interfaces
.Pq Vt str
If
.Va rtadvd_enable
is set to
.Dq Li YES
this is the list of interfaces to use.
.It Va arpproxy_all
.Pq Vt bool
If set to
.Dq Li YES ,
enable global proxy ARP.
.It Va forward_sourceroute
.Pq Vt bool
If set to
.Dq Li YES
and
.Va gateway_enable
is also set to
.Dq Li YES ,
source-routed packets are forwarded.
.It Va accept_sourceroute
.Pq Vt bool
If set to
.Dq Li YES ,
the system will accept source-routed packets directed at it.
.It Va rarpd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr rarpd 8
daemon at system boot time.
.It Va rarpd_flags
.Pq Vt str
If
.Va rarpd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr rarpd 8
daemon.
.It Va bootparamd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr bootparamd 8
daemon at system boot time.
.It Va bootparamd_flags
.Pq Vt str
If
.Va bootparamd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr bootparamd 8
daemon.
.It Va stf_interface_ipv4addr
.Pq Vt str
If not set to
.Dq Li NO ,
this is the local IPv4 address for 6to4 (IPv6 over IPv4 tunneling
interface).
Specify this entry to enable the 6to4 interface.
.It Va stf_interface_ipv4plen
.Pq Vt int
Prefix length for 6to4 IPv4 addresses, to limit peer address range.
An effective value is 0-31.
.It Va stf_interface_ipv6_ifid
.Pq Vt str
IPv6 interface ID for
.Xr stf 4 .
This can be set to
.Dq Li AUTO .
.It Va stf_interface_ipv6_slaid
.Pq Vt str
IPv6 Site Level Aggregator for
.Xr stf 4 .
.It Va ipv6_ipv4mapping
.Pq Vt bool
If set to
.Dq Li YES
this enables IPv4 mapped IPv6 address communication (like
.Li ::ffff:a.b.c.d ) .
.It Va rtsold_enable
.Pq Vt bool
Set to
.Dq Li YES
to enable the
.Xr rtsold 8
daemon to send ICMPv6 Router Solicitation messages.
.It Va rtsold_flags
.Pq Vt str
If
.Va rtsold_enable
is set to
.Dq Li YES ,
these are the flags to pass to
.Xr rtsold 8 .
.It Va rtsol_flags
.Pq Vt str
For interfaces configured with the
.Dq Li inet6 accept_rtadv
keyword, these are the flags to pass to
.Xr rtsol 8 .
.Pp
Note that
.Va rtsold_enable
is mutually exclusive to
.Va rtsol_flags ;
.Va rtsold_enable
takes precedence.
.It Va keybell
.Pq Vt str
The keyboard bell sound.
Set to
.Dq Li normal ,
.Dq Li visual ,
.Dq Li off ,
or
.Dq Li NO
if the default behavior is desired.
For details, refer to the
.Xr kbdcontrol 1
manpage.
.It Va keyboard
.Pq Vt str
If set to a non-null string, the virtual console's keyboard input is
set to this device.
.It Va keymap
.Pq Vt str
If set to
.Dq Li NO ,
no keymap is installed, otherwise the value is used to install
the keymap file found in
.Pa /usr/share/syscons/keymaps/ Ns Ao Ar value Ac Ns Pa .kbd
(if using
.Xr syscons 4 ) or
.Pa /usr/share/vt/keymaps/ Ns Ao Ar value Ac Ns Pa .kbd
(if using
.Xr vt 4 ) .
.It Va keyrate
.Pq Vt str
The keyboard repeat speed.
Set to
.Dq Li slow ,
.Dq Li normal ,
.Dq Li fast ,
or
.Dq Li NO
if the default behavior is desired.
.It Va keychange
.Pq Vt str
If not set to
.Dq Li NO ,
attempt to program the function keys with the value.
The value should
be a single string of the form:
.Dq Ar funkey_number new_value Op Ar funkey_number new_value ... .
.It Va cursor
.Pq Vt str
Can be set to the value of
.Dq Li normal ,
.Dq Li blink ,
.Dq Li destructive ,
or
.Dq Li NO
to set the cursor behavior explicitly or choose the default behavior.
.It Va scrnmap
.Pq Vt str
If set to
.Dq Li NO ,
no screen map is installed, otherwise the value is used to install
the screen map file in
.Pa /usr/share/syscons/scrnmaps/ Ns Aq Ar value .
This parameter is ignored when using
.Xr vt 4
as the console driver.
.It Va font8x16
.Pq Vt str
If set to
.Dq Li NO ,
the default 8x16 font value is used for screen size requests, otherwise
the value in
.Pa /usr/share/syscons/fonts/ Ns Aq Ar value
or
.Pa /usr/share/vt/fonts/ Ns Aq Ar value
is used (depending on the console driver being used).
.It Va font8x14
.Pq Vt str
If set to
.Dq Li NO ,
the default 8x14 font value is used for screen size requests, otherwise
the value in
.Pa /usr/share/syscons/fonts/ Ns Aq Ar value
or
.Pa /usr/share/vt/fonts/ Ns Aq Ar value
is used (depending on the console driver being used).
.It Va font8x8
.Pq Vt str
If set to
.Dq Li NO ,
the default 8x8 font value is used for screen size requests, otherwise
the value in
.Pa /usr/share/syscons/fonts/ Ns Aq Ar value
or
.Pa /usr/share/vt/fonts/ Ns Aq Ar value
is used (depending on the console driver being used).
.It Va blanktime
.Pq Vt int
If set to
.Dq Li NO ,
the default screen blanking interval is used, otherwise it is set
to
.Ar value
seconds.
.It Va saver
.Pq Vt str
If not set to
.Dq Li NO ,
this is the actual screen saver to use
.Li ( blank , snake , daemon ,
etc).
.It Va moused_nondefault_enable
.Pq Vt str
If set to
.Dq Li NO ,
the mouse device specified on
the command line is not automatically treated as enabled by the
.Pa /etc/rc.d/moused
script.
Having this variable set to
.Dq Li YES
allows a
.Xr usb 4
mouse,
for example,
to be enabled as soon as it is plugged in.
.It Va moused_enable
.Pq Vt str
If set to
.Dq Li YES ,
the
.Xr moused 8
daemon is started for doing cut/paste selection on the console.
.It Va moused_type
.Pq Vt str
This is the protocol type of the mouse connected to this host.
This variable must be set if
.Va moused_enable
is set to
.Dq Li YES ,
but defaults to
.Dq Li auto
as the
.Xr moused 8
daemon
is able to detect the appropriate mouse type automatically in many cases.
Set this variable to
one from the following list if the automatic detection fails.
.Pp
If the mouse is attached to the PS/2 mouse port, choose
.Dq Li auto
or
.Dq Li ps/2 ,
regardless of the brand and model of the mouse.
Likewise, if the
mouse is attached to the bus mouse port, choose
.Dq Li auto
or
.Dq Li busmouse .
All other protocols are for serial mice and will not work with
the PS/2 and bus mice.
If this is a USB mouse,
.Dq Li auto
is the only protocol type which will work.
.Pp
.Bl -tag -width ".Li x10mouseremote" -compact
.It Li microsoft
Microsoft mouse (serial)
.It Li intellimouse
Microsoft IntelliMouse (serial)
.It Li mousesystems
Mouse systems Corp.\& mouse (serial)
.It Li mmseries
MM Series mouse (serial)
.It Li logitech
Logitech mouse (serial)
.It Li busmouse
A bus mouse
.It Li mouseman
Logitech MouseMan and TrackMan (serial)
.It Li glidepoint
ALPS GlidePoint (serial)
.It Li thinkingmouse
Kensington ThinkingMouse (serial)
.It Li ps/2
PS/2 mouse
.It Li mmhittab
MM HitTablet (serial)
.It Li x10mouseremote
X10 MouseRemote (serial)
.It Li versapad
Interlink VersaPad (serial)
.El
.Pp
Even if the mouse is not in the above list, it may be compatible
with one in the list.
Refer to the manual page for
.Xr moused 8
for compatibility information.
.Pp
It should also be noted that while this is enabled, any
other client of the mouse (such as an X server) should access
the mouse through the virtual mouse device,
.Pa /dev/sysmouse ,
and configure it as a
.Dq Li sysmouse
type mouse, since all
mouse data is converted to this single canonical format when
using
.Xr moused 8 .
If the client program does not support the
.Dq Li sysmouse
type,
specify the
.Dq Li mousesystems
type.
It is the second preferred type.
.It Va moused_port
.Pq Vt str
If
.Va moused_enable
is set to
.Dq Li YES ,
this is the actual port the mouse is on.
It might be
.Pa /dev/cuau0
for a COM1 serial mouse, or
.Pa /dev/psm0
for a PS/2 mouse, for example.
.It Va moused_flags
.Pq Vt str
If
.Va moused_flags
is set, its value is used as an additional set of flags to pass to the
.Xr moused 8
daemon.
.It Va "moused_" Ns Ar XXX Ns Va "_flags"
When
.Va moused_nondefault_enable
is enabled, and a
.Xr moused 8
daemon is started for a non-default port, the
.Va "moused_" Ns Ar XXX Ns Va "_flags"
set of options has precedence over and replaces the default
.Va moused_flags
(where
.Ar XXX
is the name of the non-default port, i.e.,\&
.Ar ums0 ) .
By setting
.Va "moused_" Ns Ar XXX Ns Va "_flags"
it is possible to set up a different set of default flags for each
.Xr moused 8
instance.
For example, you can use
.Dq Li "-3"
for the default
.Va moused_flags
to make your laptop's touchpad more comfortable to use,
but an empty set of options for
.Va moused_ums0_flags
when your
.Xr usb 4
mouse has three or more buttons.
.It Va mousechar_start
.Pq Vt int
If set to
.Dq Li NO ,
the default mouse cursor character range
.Li 0xd0 Ns - Ns Li 0xd3
is used,
otherwise the range start is set
to
.Ar value
character, see
.Xr vidcontrol 1 .
Use if the default range is occupied in the language code table.
.It Va allscreens_flags
.Pq Vt str
If set,
.Xr vidcontrol 1
is run with these options for each of the virtual terminals
.Pq Pa /dev/ttyv* .
For example,
.Dq Fl m Cm on
will enable the mouse pointer on all virtual terminals
if
.Va moused_enable
is set to
.Dq Li YES .
.It Va allscreens_kbdflags
.Pq Vt str
If set,
.Xr kbdcontrol 1
is run with these options for each of the virtual terminals
.Pq Pa /dev/ttyv* .
For example,
.Dq Fl h Li 200
will set the
.Xr syscons 4
or
.Xr vt 4
scrollback (history) buffer to 200 lines.
.It Va cron_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr cron 8
daemon at system boot time.
.It Va cron_program
.Pq Vt str
Path to
.Xr cron 8
(default
.Pa /usr/sbin/cron ) .
.It Va cron_flags
.Pq Vt str
If
.Va cron_enable
is set to
.Dq Li YES ,
these are the flags to pass to
.Xr cron 8 .
.It Va cron_dst
.Pq Vt bool
If set to
.Dq Li YES ,
enable the special handling of transitions to and from the
Daylight Saving Time in
.Xr cron 8
(equivalent to using the flag
.Fl s ) .
.It Va lpd_program
.Pq Vt str
Path to
.Xr lpd 8
(default
.Pa /usr/sbin/lpd ) .
.It Va lpd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr lpd 8
daemon at system boot time.
.It Va lpd_flags
.Pq Vt str
If
.Va lpd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr lpd 8
daemon.
.It Va chkprintcap_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run the
.Xr chkprintcap 8
command before starting the
.Xr lpd 8
daemon.
.It Va chkprintcap_flags
.Pq Vt str
If
.Va lpd_enable
and
.Va chkprintcap_enable
are set to
.Dq Li YES ,
these are the flags to pass to the
.Xr chkprintcap 8
program.
The default is
.Dq Li -d ,
which causes missing directories to be created.
.It Va dumpdev
.Pq Vt str
Indicates the device (usually a swap partition) to which a crash dump
should be written in the event of a system crash.
If the value of this variable is
.Dq Li AUTO ,
the first suitable swap device listed in
.Pa /etc/fstab
will be used as dump device.
Otherwise, the value of this variable is passed as the argument to
.Xr dumpon 8
and
.Xr savecore 8 .
To disable crash dumps, set this variable to
.Dq Li NO .
.It Va dumpon_flags
.Pq Vt str
Flags to pass to
.Xr dumpon 8
when configuring
.Va dumpdev
as the system dump device.
.It Va dumpdir
.Pq Vt str
When the system reboots after a crash and a crash dump is found on the
device specified by the
.Va dumpdev
variable,
.Xr savecore 8
will save that crash dump and a copy of the kernel to the directory
specified by the
.Va dumpdir
variable.
The default value is
.Pa /var/crash .
Set to
.Dq Li NO
to not run
.Xr savecore 8
at boot time when
.Va dumpdir
is set.
.It Va savecore_enable
.Pq Vt bool
If set to
.Dq Li NO ,
disable automatic extraction of the crash dump from the
.Va dumpdev .
.It Va savecore_flags
.Pq Vt str
If crash dumps are enabled, these are the flags to pass to the
.Xr savecore 8
utility.
.It Va quota_enable
.Pq Vt bool
Set to
.Dq Li YES
to turn on user and group disk quotas on system startup via the
.Xr quotaon 8
command for all file systems marked as having quotas enabled in
.Pa /etc/fstab .
The kernel must be built with
.Cd "options QUOTA"
for disk quotas to function.
.It Va check_quotas
.Pq Vt bool
Set to
.Dq Li YES
to enable user and group disk quota checking via the
.Xr quotacheck 8
command.
.It Va quotacheck_flags
.Pq Vt str
If
.Va quota_enable
is set to
.Dq Li YES ,
and
.Va check_quotas
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr quotacheck 8
utility.
The default is
.Dq Li "-a" ,
which checks quotas for all file systems with quotas enabled in
.Pa /etc/fstab .
.It Va quotaon_flags
.Pq Vt str
If
.Va quota_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr quotaon 8
utility.
The default is
.Dq Li "-a" ,
which enables quotas for all file systems with quotas enabled in
.Pa /etc/fstab .
.It Va quotaoff_flags
.Pq Vt str
If
.Va quota_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr quotaoff 8
utility when shutting down the quota system.
The default is
.Dq Li "-a" ,
which disables quotas for all file systems with quotas enabled in
.Pa /etc/fstab .
.It Va accounting_enable
.Pq Vt bool
Set to
.Dq Li YES
to enable system accounting through the
.Xr accton 8
facility.
.It Va firstboot_sentinel
.Pq Vt str
This variable specifies the full path to a
.Dq first boot
sentinel file.
If a file exists with this path,
.Pa rc.d
scripts with the
.Dq firstboot
keyword will be run on startup and the sentinel file will be deleted
after the boot process completes.
The sentinel file must be located on a writable file system which is
mounted no later than
.Va early_late_divider
to function properly.
The default is
.Pa /firstboot .
.It Va linux_enable
.Pq Vt bool
Set to
.Dq Li YES
to enable Linux/ELF binary emulation at system initial
boot time.
.It Va sysvipc_enable
.Pq Vt bool
If set to
.Dq Li YES ,
load System V IPC primitives at boot time.
.It Va clear_tmp_enable
.Pq Vt bool
Set to
.Dq Li YES
to have
.Pa /tmp
cleaned at startup.
.It Va clear_tmp_X
.Pq Vt bool
Set to
.Dq Li NO
to disable removing of X11 lock files,
and the removal and (secure) recreation
of the various socket directories for X11
related programs.
.It Va ldconfig_paths
.Pq Vt str
Set to the list of shared library paths to use with
.Xr ldconfig 8 .
NOTE:
.Pa /lib
and
.Pa /usr/lib
will always be added first, so they need not appear in this list.
.It Va ldconfig32_paths
.Pq Vt str
Set to the list of 32-bit compatibility shared library paths to
use with
.Xr ldconfig 8 .
.It Va ldconfig_insecure
.Pq Vt bool
The
.Xr ldconfig 8
utility normally refuses to use directories
which are writable by anyone except root.
Set this variable to
.Dq Li YES
to disable that security check during system startup.
.It Va ldconfig_local_dirs
.Pq Vt str
Set to the list of local
.Xr ldconfig 8
directories.
The names of all files in the directories listed will be
passed as arguments to
.Xr ldconfig 8 .
.It Va ldconfig_local32_dirs
.Pq Vt str
Set to the list of local 32-bit compatibility
.Xr ldconfig 8
directories.
The names of all files in the directories listed will be
passed as arguments to
.Dq Nm ldconfig Fl 32 .
.It Va kern_securelevel_enable
.Pq Vt bool
Set to
.Dq Li YES
to set the kernel security level at system startup.
.It Va kern_securelevel
.Pq Vt int
The kernel security level to set at startup.
The allowed range of
.Ar value
ranges from \-1 (the compile time default) to 3 (the
most secure).
See
.Xr security 7
for the list of possible security levels and their effect
on system operation.
.It Va sshd_program
.Pq Vt str
Path to the SSH server program
.Pa ( /usr/sbin/sshd
is the default).
.It Va sshd_enable
.Pq Vt bool
Set to
.Dq Li YES
to start
.Xr sshd 8
at system boot time.
Note, the
.Va sshd_oomprotect
variable is set to
.Dq Li YES
by default in
.Pa /etc/defaults/rc.conf .
.It Va sshd_flags
.Pq Vt str
If
.Va sshd_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr sshd 8
daemon.
.It Va ftpd_program
.Pq Vt str
Path to the FTP server program
.Pa ( /usr/libexec/ftpd
is the default).
.It Va ftpd_enable
.Pq Vt bool
Set to
.Dq Li YES
to start
.Xr ftpd 8
as a stand-alone daemon at system boot time.
.It Va ftpd_flags
.Pq Vt str
If
.Va ftpd_enable
is set to
.Dq Li YES ,
these are the additional flags to pass to the
.Xr ftpd 8
daemon.
.It Va watchdogd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
start the
.Xr watchdogd 8
daemon at boot time.
This requires that the kernel have been compiled with a
.Xr watchdog 4
compatible device.
.It Va watchdogd_flags
.Pq Vt str
If
.Va watchdogd_enable
is set to
.Dq Li YES ,
these are the flags passed to the
.Xr watchdogd 8
daemon.
.It Va watchdogd_timeout
.Pq Vt int
If
.Va watchdogd_enable
is set to
.Dq Li YES ,
this is a timeout that will be used by the
.Xr watchdogd 8
daemon.
If this option is set, it overrides
.Fl t
in
.Va watchdogd_flags .
.It Va watchdogd_shutdown_timeout
.Pq Vt int
If
.Va watchdogd_enable
is set to
.Dq Li YES ,
this is a timeout that will be set by the
.Xr watchdogd 8
daemon when it exits during the system shutdown.
This timeout will not be set when returning to the single-user mode
or when the watchdogd service is stopped individually using the
.Xr service 8
command or the rc.d script.
Note that the timeout will be applied if
.Xr watchdogd 8
is stopped outside of
.Xr rc 8
framework.
If this option is set, it overrides
.Fl x
in
.Va watchdogd_flags .
.It Va devfs_rulesets
.Pq Vt str
List of files containing sets of rules for
.Xr devfs 8 .
.It Va devfs_system_ruleset
.Pq Vt str
Rule name(s) to apply to the system
.Pa /dev
itself.
.It Va devfs_set_rulesets
.Pq Vt str
Pairs of already-mounted
.Pa dev
directories and rulesets that should be applied to them.
For example: /mount/dev=ruleset_name
.It Va devfs_load_rulesets
.Pq Vt bool
If set, always load the default rulesets listed in
.Va devfs_rulesets .
.It Va performance_cx_lowest
.Pq Vt str
CPU idle state to use while on AC power.
The string
.Dq Li LOW
indicates that
.Xr acpi 4
should use the lowest power state available while
.Dq Li HIGH
indicates that the lowest latency state (less power savings) should be used.
.It Va performance_cpu_freq
.Pq Vt str
CPU clock frequency to use while on AC power.
The string
.Dq Li LOW
indicates that
.Xr cpufreq 4
should use the lowest frequency available while
.Dq Li HIGH
indicates that the highest frequency (less power savings) should be used.
.It Va economy_cx_lowest
.Pq Vt str
CPU idle state to use when off AC power.
The string
.Dq Li LOW
indicates that
.Xr acpi 4
should use the lowest power state available while
.Dq Li HIGH
indicates that the lowest latency state (less power savings) should be used.
.It Va economy_cpu_freq
.Pq Vt str
CPU clock frequency to use when off AC power.
The string
.Dq Li LOW
indicates that
.Xr cpufreq 4
should use the lowest frequency available while
.Dq Li HIGH
indicates that the highest frequency (less power savings) should be used.
.It Va jail_enable
.Pq Vt bool
If set to
.Dq Li NO ,
any configured jails will not be started.
.It Va jail_conf
.Pq Vt str
The configuration filename used by
.Xr jail 8
utility.
The default value is
.Pa /etc/jail.conf .
.Pa /etc/jail\&. Ns Ao Va jname Ac Ns Pa .conf
and
.Pa /etc/jail.conf.d/ Ns Ao Va jname Ac Ns Pa .conf
will also be used if
.Ao Va jname Ac
is set in
.Va jail_list .
.It Va jail_parallel_start
.Pq Vt bool
If set to
.Dq Li YES ,
all configured jails will be started in the background (in parallel).
.It Va jail_flags
.Pq Vt str
Unset by default.
When set, use as default value for
.Va jail_ Ns Ao Ar jname Ac Ns Va _flags
for every jail in
.Va jail_list .
.It Va jail_list
.Pq Vt str
A space-delimited list of jail names.
When left empty, all of the
.Xr jail 8
instances defined in the configuration file are started.
The names specified in this list control the jail startup order.
.Xr jail 8
instances missing from
.Va jail_list
must be started manually.
Note that a jail's
.Va depend
parameter in the configuration file may override this list.
.It Va jail_reverse_stop
.Pq Vt bool
When set to
.Dq Li YES ,
all configured jails in
.Va jail_list
are stopped in reverse order.
.It Va jail_ Ns * variables
Note that older releases supported per-jail configuration via
.Nm
variables.
For example,
hostname of a jail named
.Li vjail
was able to be set by
.Li jail_vjail_hostname .
These per-jail configuration variables are now obsolete in favor of
.Xr jail 8
configuration file.
For backward compatibility,
when per-jail configuration variables are defined,
.Xr jail 8
configuration files are created as
.Pa /var/run/jail . Ns Ao Ar jname Ac Ns Pa .conf
and used.
.Pp
The following per-jail parameters are handled by
.Pa rc.d/jail
script out of their corresponding
.Nm
variables.
In addition to them, parameters in
.Va jail_ Ns Ao Ar jname Ac Ns Va _parameters
will be added to the configuration file.
They must be a semi-colon
.Pq Ql \&;
delimited list of
.Dq key=value .
For more details,
see
.Xr jail 8
manual page.
.Bl -tag -width "host.hostname" -offset indent
.It Li path
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _rootdir
.It Li host.hostname
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _hostname
.It Li exec.consolelog
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _consolelog .
The default value is
.Pa /var/log/jail_ Ns Ao Ar jname Ac Ns Pa _console.log .
.It Li interface
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _interface .
.It Li vnet.interface
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _vnet_interface .
This implies
.Li vnet
parameter will be enabled and cannot be specified with
.Va jail_ Ns Ao Ar jname Ac Ns Va _interface ,
.Va jail_ Ns Ao Ar jname Ac Ns Va _ip
and/or
.Va jail_ Ns Ao Ar jname Ac Ns Va _ip_multi Ns Aq Ar n
at the same time.
.It Li fstab
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _fstab
.It Li mount
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _procfs_enable .
.It Li exec.fib
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _fib
.It Li exec.start
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_start .
The parameter name was
.Li command
in some older releases.
.It Li exec.prestart
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_prestart
.It Li exec.poststart
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_poststart
.It Li exec.stop
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_stop
.It Li exec.prestop
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_prestop
.It Li exec.poststop
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_poststop
.It Li ip4.addr
set if
.Va jail_ Ns Ao Ar jname Ac Ns Va _ip
or
.Va jail_ Ns Ao Ar jname Ac Ns Va _ip_multi Ns Aq Ar n
contain IPv4 addresses
.It Li ip6.addr
set if
.Va jail_ Ns Ao Ar jname Ac Ns Va _ip
or
.Va jail_ Ns Ao Ar jname Ac Ns Va _ip_multi Ns Aq Ar n
contain IPv6 addresses
.It Li allow.mount
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _mount_enable
.It Li mount.devfs
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _devfs_enable
.It Li devfs_ruleset
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _devfs_ruleset .
This must be an integer,
not a string.
.It Li mount.fdescfs
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _fdescfs_enable
.It Li allow.set_hostname
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _set_hostname_allow
.It Li allow.rawsocket
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _socket_unixiproute_only
.It Li allow.sysvipc
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _sysvipc_allow
.El
.\" -----------------------------------------------------
.It Va harvest_mask
.Pq Vt int
Set to a bit-mask
representing the entropy sources
you wish to harvest.
Refer to
.Xr random 4
for more information.
.It Va entropy_dir
.Pq Vt str
Set to
.Dq Li NO
to disable caching entropy via
.Xr cron 8 .
Otherwise set to the directory
in which the entropy files are stored.
To be useful,
there must be
a system cron job
that regularly writes and rotates
files here.
All files found
will be used at boot time.
The default is
.Pa /var/db/entropy .
.It Va entropy_file
.Pq Vt str
Set to
.Dq Li NO
to disable caching entropy through reboots.
Otherwise set to the name
of a file used to store cached entropy.
This file should be located
on a file system that is readable
before all the volumes specified in
.Xr fstab 5
are mounted.
By default,
.Pa /entropy
is used,
but if
.Pa /var/db/entropy-file
is found it will also be used.
This will be of some use to
.Xr bsdinstall 8 .
.It Va entropy_boot_file
.Pq Vt str
Set to
.Dq Li NO
to disable
very early caching entropy
through reboots.
Otherwise set to the filename
used to read
very early reboot cached entropy.
This file should be located where
.Xr loader 8
can read it.
See also
.Xr loader.conf 5 .
The default location is
.Pa /boot/entropy .
.It Va entropy_save_sz
.Pq Vt int
Size of the entropy cache files saved by
.Nm save-entropy
periodically.
.It Va entropy_save_num
.Pq Vt int
Number of entropy cache files to save by
.Nm save-entropy
periodically.
.It Va ipsec_enable
.Pq Vt bool
Set to
.Dq Li YES
to run
.Xr setkey 8
on
.Va ipsec_file
at boot time.
.It Va ipsec_file
.Pq Vt str
Configuration file for
.Xr setkey 8 .
.It Va dmesg_enable
.Pq Vt bool
Set to
.Dq Li YES
to save
.Xr dmesg 8
to
.Pa /var/run/dmesg.boot
on boot.
.It Va rcshutdown_timeout
.Pq Vt int
If set, start a watchdog timer in the background which will terminate
.Pa rc.shutdown
if
.Xr shutdown 8
has not completed within the specified time (in seconds).
Notice that in addition to this soft timeout,
.Xr init 8
also applies a hard timeout for the execution of
.Pa rc.shutdown .
This is configured via
.Xr sysctl 8
variable
.Va kern.init_shutdown_timeout
and defaults to 120 seconds.
Setting the value of
.Va rcshutdown_timeout
to more than 120 seconds will have no effect until the
.Xr sysctl 8
variable
.Va kern.init_shutdown_timeout
is also increased.
.It Va virecover_enable
.Pq Vt bool
Set to
.Dq Li NO
to prevent the system from trying to
recover prematurely terminated
.Xr vi 1
sessions.
.It Va ugidfw_enable
.Pq Vt bool
Set to
.Dq Li YES
to load the
.Xr mac_bsdextended 4
module upon system initialization and load a default
ruleset file.
.It Va bsdextended_script
.Pq Vt str
The default
.Xr mac_bsdextended 4
ruleset file to load.
The default value of this variable is
.Pa /etc/rc.bsdextended .
.It Va newsyslog_enable
.Pq Vt bool
If set to
.Dq Li YES ,
run
.Xr newsyslog 8
command at startup.
.It Va newsyslog_flags
.Pq Vt str
If
.Va newsyslog_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr newsyslog 8
program.
The default is
.Dq Li -CN ,
which causes log files flagged with a
.Cm C
to be created.
.It Va mdconfig_md Ns Aq Ar X
.Pq Vt str
Arguments to
.Xr mdconfig 8
for
.Xr md 4
device
.Ar X .
At minimum a
.Fl t Ar type
must be specified and either a
.Fl s Ar size
for malloc or swap backed
.Xr md 4
devices or a
.Fl f Ar file
for vnode backed
.Xr md 4
devices.
Note that
.Va mdconfig_md Ns Aq Ar X
variables are evaluated until one variable is unset or null.
.It Va mdconfig_md Ns Ao Ar X Ac Ns Va _newfs
.Pq Vt str
Optional arguments passed to
.Xr newfs 8
to initialize
.Xr md 4
device
.Ar X .
.It Va mdconfig_md Ns Ao Ar X Ac Ns Va _owner
.Pq Vt str
An ownership specification passed to
.Xr chown 8
after the specified
.Xr md 4
device
.Ar X
has been mounted.
Both the
.Xr md 4
device and the mount point will be changed.
.It Va mdconfig_md Ns Ao Ar X Ac Ns Va _perms
.Pq Vt str
A mode string passed to
.Xr chmod 1
after the specified
.Xr md 4
device
.Ar X
has been mounted.
Both the
.Xr md 4
device and the mount point will be changed.
.It Va mdconfig_md Ns Ao Ar X Ac Ns Va _files
.Pq Vt str
Files to be copied to the mount point of the
.Xr md 4
device
.Ar X
after it has been mounted.
.It Va mdconfig_md Ns Ao Ar X Ac Ns Va _cmd
.Pq Vt str
Command to execute after the specified
.Xr md 4
device
.Ar X
has been mounted.
Note that the command is passed to
.Ic eval
and that both
.Va _dev
and
.Va _mp
variables can be used to reference respectively the
.Xr md 4
device and the mount point.
Assuming that the
.Xr md 4
device is
.Li md0 ,
one could set the following:
.Bd -literal
mdconfig_md0_cmd="tar xfzC /var/file.tgz \e${_mp}"
.Ed
.It Va autobridge_interfaces
.Pq Vt str
Set to the list of bridge interfaces that will have newly arriving interfaces
checked against to be automatically added.
If not set to
.Dq Li NO
then for each whitespace separated
.Ar element
in the value, a
.Va autobridge_ Ns Aq Ar element
variable is assumed to exist which has a whitespace separated list of interface
names to match, these names can use wildcards.
For example:
.Bd -literal
autobridge_interfaces="bridge0"
autobridge_bridge0="tap* dc0 vlan[345]"
.Ed
.It Va mixer_enable
.Pq Vt bool
If set to
.Dq Li YES ,
enable support for sound mixer.
.It Va hcsecd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
enable Bluetooth security daemon.
.It Va hcsecd_config
.Pq Vt str
Configuration file for
.Xr hcsecd 8 .
Default
.Pa /etc/bluetooth/hcsecd.conf .
.It Va sdpd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
enable Bluetooth Service Discovery Protocol daemon.
.It Va sdpd_control
.Pq Vt str
Path to
.Xr sdpd 8
control socket.
Default
.Pa /var/run/sdp .
.It Va sdpd_groupname
.Pq Vt str
Sets
.Xr sdpd 8
group to run as after it initializes.
Default
.Dq Li nobody .
.It Va sdpd_username
.Pq Vt str
Sets
.Xr sdpd 8
user to run as after it initializes.
Default
.Dq Li nobody .
.It Va bthidd_enable
.Pq Vt bool
If set to
.Dq Li YES ,
enable Bluetooth Human Interface Device daemon.
.It Va bthidd_config
.Pq Vt str
Configuration file for
.Xr bthidd 8 .
Default
.Pa /etc/bluetooth/bthidd.conf .
.It Va bthidd_hids
.Pq Vt str
Path to a file, where
.Xr bthidd 8
will store information about known HID devices.
Default
.Pa /var/db/bthidd.hids .
.It Va rfcomm_pppd_server_enable
.Pq Vt bool
If set to
.Dq Li YES ,
enable Bluetooth RFCOMM PPP wrapper daemon.
.It Va rfcomm_pppd_server_profile
.Pq Vt str
The name of the profile to use from
.Pa /etc/ppp/ppp.conf .
Multiple profiles can be specified here.
Also used to specify per-profile overrides.
When the profile name contains any of the characters
.Dq Li .-/+
they are translated to
.Dq Li _
for the purposes of the override variable names.
.It Va rfcomm_pppd_server_ Ns Ao Ar profile Ac Ns _bdaddr
.Pq Vt str
Overrides local address to listen on.
By default
.Xr rfcomm_pppd 8
will listen on
.Dq Li ANY
address.
The address can be specified as BD_ADDR or name.
.It Va rfcomm_pppd_server_ Ns Ao Ar profile Ac Ns _channel
.Pq Vt str
Overrides local RFCOMM channel to listen on.
By default
.Xr rfcomm_pppd 8
will listen on RFCOMM channel 1.
Must be set properly if multiple profiles are used at the same time.
.It Va rfcomm_pppd_server_ Ns Ao Ar profile Ac Ns _register_sp
.Pq Vt bool
Tells
.Xr rfcomm_pppd 8
if it should register Serial Port service on the specified RFCOMM channel.
Default
.Dq Li NO .
.It Va rfcomm_pppd_server_ Ns Ao Ar profile Ac Ns _register_dun
.Pq Vt bool
Tells
.Xr rfcomm_pppd 8
if it should register Dial-Up Networking service on the specified
RFCOMM channel.
Default
.Dq Li NO .
.It Va ubthidhci_enable
.Pq Vt bool
If set to
.Dq Li YES ,
change the USB Bluetooth controller from HID mode to HCI mode.
You also need to specify the location of USB Bluetooth controller with the
.Va ubthidhci_busnum
and
.Va ubthidhci_addr
variables.
.It Va ubthidhci_busnum
Bus number where the USB Bluetooth controller is located.
Check the output of
.Xr usbconfig 8
on your system to find this information.
.It Va ubthidhci_addr
Bus address of the USB Bluetooth controller.
Check the output of
.Xr usbconfig 8
on your system to find this information.
.It Va utx_enable
.Pq Vt bool
Set to
.Dq Li YES
to enable user accounting through the
.Xr utx 8
facility.
.It Va netwait_enable
.Pq Vt bool
If set to
.Dq Li YES ,
delays the start of network-reliant services until
.Va netwait_if
is up and ICMP packets to a destination defined in
.Va netwait_ip
are flowing.
Link state is examined first, followed by
.Dq Li pinging
an IP address to verify network usability.
If no destination can be reached or timeouts are exceeded,
network services are started anyway with no guarantee that
the network is usable.
Use of this variable requires both
.Va netwait_ip
and
.Va netwait_if
to be set.
.It Va netwait_ip
.Pq Vt str
Empty by default.
This variable contains a space-delimited list of IP addresses to
.Xr ping 8 .
DNS hostnames should not be used as resolution is not guaranteed
to be functional at this point.
If multiple IP addresses are specified,
each will be tried until one is successful or the list is exhausted.
.It Va netwait_timeout
.Pq Vt int
Indicates the total number of seconds to perform a
.Dq Li ping
against each IP address in
.Va netwait_ip ,
at a rate of one ping per second.
If any of the pings are successful,
full network connectivity is considered reliable.
The default is 60.
.It Va netwait_if
.Pq Vt str
Empty by default.
Defines the name of the network interface on which to watch for link.
.Xr ifconfig 8
is used to monitor the interface, looking for
.Dq Li status: no carrier .
Once gone, the link is considered up.
This can be a
.Xr vlan 4
interface if desired.
.It Va netwait_if_timeout
.Pq Vt int
Defines the total number of seconds to wait for link to become usable,
polled at a 1-second interval.
The default is 30.
.It Va rctl_enable
.Pq Vt bool
If set to
.Dq Li YES ,
load
.Xr rctl 8
rules from the defined ruleset.
The kernel must be built with
.Cd "options RACCT"
and
.Cd "options RCTL" .
.It Va rctl_rules
.Pq Vt str
Set to
.Pa /etc/rctl.conf
by default.
This variable contains the
.Xr rctl.conf 5
ruleset to load for
.Xr rctl 8 .
.It Va iovctl_files
.Pq Vt str
A space-separated list of configuration files used by
.Xr iovctl 8 .
The default value is an empty string.
.It Va autofs_enable
.Pq Vt bool
If set to
.Dq Li YES ,
start the
.Xr automount 8
utility and the
.Xr automountd 8
and
.Xr autounmountd 8
daemons at boot time.
.It Va automount_flags
.Pq Vt str
If
.Va autofs_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr automount 8
program.
By default no flags are passed.
.It Va automountd_flags
.Pq Vt str
If
.Va autofs_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr automountd 8
daemon.
By default no flags are passed.
.It Va autounmountd_flags
.Pq Vt str
If
.Va autofs_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr autounmountd 8
daemon.
By default no flags are passed.
.It Va ctld_enable
.Pq Vt bool
If set to
.Dq Li YES ,
start the
.Xr ctld 8
daemon at boot time.
.It Va iscsid_enable
.Pq Vt bool
If set to
.Dq Li YES ,
start the
.Xr iscsid 8
daemon at boot time.
.It Va iscsictl_enable
.Pq Vt bool
If set to
.Dq Li YES ,
start the
.Xr iscsictl 8
utility at boot time.
.It Va iscsictl_flags
.Pq Vt str
If
.Va iscsictl_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr iscsictl 8
program.
The default is
.Dq Li -Aa ,
which configures sessions based on the
.Pa /etc/iscsi.conf
configuration file.
.It Va cfumass_enable
.Pq Vt bool
If set to
.Dq Li YES ,
create and export a USB LUN using
.Xr cfumass 4
at boot time.
.It Va cfumass_dir
.Pq Vt str
The directory where the files exported by USB LUN are located.
The default directory is
.Pa /var/cfumass .
.It Va service_delete_empty
.Pq Vt bool
If set to
.Dq Li YES ,
.Ql Li service delete
removes empty
.Dq Li rc.conf.d
files.
.It Va zfs_bootonce_activate
.Pq Vt bool
If set to
.Dq Li YES ,
and a boot environment marked bootonce is successfully booted,
it will be made permanently active.
.It Va zfskeys_enable
.Pq Vt bool
If set to
.Dq Li YES ,
enable auto-loading of encryption keys for encrypted ZFS datasets.
For every dataset the script will first load the appropriate encryption key
and then attempt to unlock the dataset.
.Pp
The script operates only on datasets which are encrypted with
ZFS native encryption
and have a ZFS
.Dq Li keylocation
dataset property beginning with
.Dq Li file:// .
.It Va zfskeys_datasets
.Pq Vt str
A whitespace-separated list of ZFS datasets to unlock.
The list is empty by default,
which means that the script will attempt to unlock all datasets.
.It Va zfskeys_timeout
.Pq Vt int
Define the total number of seconds to wait for the zfskeys script
to unlock an encrypted dataset.
The default is 10.
.It Va sendmail_enable
.Pq Vt str
If set to
.Dq Li YES ,
run the
.Xr sendmail 8
daemon at system boot time.
If set to
.Dq Li NO ,
do not run a
.Xr sendmail 8
daemon to listen for incoming network mail.
This does not preclude a
.Xr sendmail 8
daemon listening on the SMTP port of the loopback interface.
The
.Dq Li NONE
option sets each
.Va sendmail_enable ,
.Va sendmail_submit_enable ,
.Va sendmail_outbound_enable ,
.Va sendmail_msp_queue_enable
to
.Dq Li NO .
.It Va sendmail_cert_create
.Pq Vt str
If
.Va sendmail_enable
is set to
.Dq Li YES ,
create a signed certificate
.Pa /etc/mail/certs/host.cert
representing
.Pa /etc/mail/certs/host.key
by the CA certificate in
.Pa /etc/mail/certs/cacert.pem .
This will enable connecting hosts to negotiate STARTTLS allowing incoming
email to be encrypted in transit.
.Xr sendmail 8
needs to be configured to use these generated files.
The default configuration in
.Pa /etc/mail/freebsd.mc
has the required options in it.
.It Va sendmail_cert_cn
.Pq Vt str
If
.Va sendmail_enable
is set to
.Dq Li YES
and
.Va sendmail_cert_create
is set to
.Dq Li YES ,
this is the Common Name (CN) of the certificate that will be created.
If
.Va sendmail_cert_cn
is not set, the system's hostname will be used.
If there is no hostname set,
.Dq Li amnesiac
will be used.
.It Va sendmail_flags
.Pq Vt str
If
.Va sendmail_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr sendmail 8
daemon.
.It Va sendmail_submit_enable
.Pq Vt bool
If set to
.Dq Li YES
and
.Va sendmail_enable
is set to
.Dq Li NO ,
run
.Xr sendmail 8
using
.Va sendmail_submit_flags
instead of
.Va sendmail_flags .
This is intended to allow local mail submission via
a localhost-only listening SMTP service required for running
.Xr sendmail 8
as a non-set-user-ID binary.
Note that this does not work inside
.Xr jail 2
systems, as jails do not allow binding to just the localhost interface.
.It Va sendmail_submit_flags
.Pq Vt str
If
.Va sendmail_enable
is set to
.Dq Li NO
and
.Va sendmail_submit_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr sendmail 8
daemon.
.It Va sendmail_outbound_enable
.Pq Vt bool
If set to
.Dq Li YES
and both
.Va sendmail_enable
and
.Va sendmail_submit_enable
are set to
.Dq Li NO ,
run
.Xr sendmail 8
using
.Va sendmail_outbound_flags
instead of
.Va sendmail_flags .
This is intended to allow local mail queue management
for systems that do not offer a listening SMTP service.
.It Va sendmail_outbound_flags
.Pq Vt str
If both
.Va sendmail_enable
and
.Va sendmail_submit_enable
are set to
.Dq Li NO
and
.Va sendmail_outbound_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr sendmail 8
daemon.
.It Va sendmail_msp_queue_enable
.Pq Vt bool
If set to
.Dq Li YES ,
start a client (MSP) queue runner
.Xr sendmail 8
daemon at system boot time.
As of sendmail 8.12, a separate queue is used for command line
submissions.
The client queue runner ensures that nothing is
left behind in the submission queue.
.It Va sendmail_msp_queue_flags
.Pq Vt str
If
.Va sendmail_msp_queue_enable
is set to
.Dq Li YES ,
these are the flags to pass to the
.Xr sendmail 8
daemon.
.El
.Sh SERVICE JAILS
The service jails part of the rc system automatically puts a service
into a jail.
This jail inherits the filesystem and various other parts of the
parent (if you allow child-jails in your jails, service jails
can be used in jails) depending on the content of the
.Ao Ar name Ac Ns Va _svcj_options
variable.
Typically this variable is set inside rc scripts, but it can be
overridden in the rc config.
Valid options for
.Ao Ar name Ac Ns Va _svcj_options
are:
.Bl -tag -width indent-two
.It mlock
Allows to lock memory pages into the physical memory.
.It netv4
Inherit the IPv4 address and allows to open reserved ports.
This can not be combined with
.Pa netv6 .
.It netv6
Inherit the IPv6 address and allows to open reserved ports.
This can not be combined with
.Pa netv4 .
.It net_basic
Inherits the IPv4 and IPv6 addresses and allows to open
reserved ports.
.It net_raw
Allow to open raw sockets.
This option can be combined with
.Pa netv4 ,
.Pa netv6 ,
.Pa net_basic .
.It net_all
Inherits the IPv4 and IPv6 addresses, allows to open reserved
ports, allows to open raw sockets, and allows to open sockets
of protocol stacks that have not had jail functionality added
to them.
.It nfsd
Allows to run nfsd and affiliated daemons.
.It sysvipc
Inherits the SysV semaphores, SysV shared memory and
SysV messages from the host or the parent jail.
.It sysvipcnew
Creates a new namespace for SysV semaphores, SysV shared memory
and SysV messages for this particular service jail.
.It vmm
Allows access to
.Xr vmm 4 .
This option is only available when
.Xr vmm 4
is enabled in the kernel.
.El
.Pp
All non-network options can be combined with all other options.
From the SysV options only one option can be specified.
.Pp
If the
.Ao Ar name Ac Ns Va _svcj
variable is set to
.Dq Li YES ,
this particular service is started in a
service jail named
.Va svcj- Ns Ar name .
.Pp
The
.Va svcj_all_enable
variable allows to enable service jails for all services of the
system at once.
Services which have
.Ao Ar name Ac Ns Va _svcj
set to
.Dq Li NO
are excluded.
Some services may set
.Ao Ar name Ac Ns Va _svcj
to
.Dq Li NO
in the script to either prevent service jails for this
service at all, or may set it to
.Dq Li NO
if it is not set in the
rc config, to exclude it from
.Va svcj_all_enable
but allow to explicitly enable it.
The sshd service for example would not see other jails, if
it would run as a service jail.
This may or may not be what is needed, and as such it is
excluded from
.Va svcj_all_enable
but can be enabled via setting
.Va sshd_svcj
to
.Dq Li YES .
.Sh FILES
.Bl -tag -width "/etc/defaults/rc.conf" -compact
.It Pa /etc/defaults/rc.conf
.It Pa /etc/defaults/vendor.conf
.It Pa /etc/rc.conf
.It Pa /etc/rc.conf.local
.It Pa /etc/rc.conf.d/
.El
.Sh SEE ALSO
.Xr chmod 1 ,
.Xr cpuset 1 ,
.Xr gdb 1 Pq Pa ports/devel/gdb ,
.Xr kbdcontrol 1 ,
.Xr limits 1 ,
.Xr protect 1 ,
.Xr sh 1 ,
.Xr umask 1 ,
.Xr uuidgen 1 ,
.Xr vi 1 ,
.Xr vidcontrol 1 ,
.Xr bridge 4 ,
.Xr dummynet 4 ,
.Xr ip 4 ,
.Xr ipf 4 ,
.Xr ipfw 4 ,
.Xr ipnat 4 ,
.Xr kld 4 ,
.Xr pf 4 ,
.Xr pflog 4 ,
.Xr pfsync 4 ,
.Xr tcp 4 ,
.Xr udp 4 ,
.Xr exports 5 ,
.Xr fstab 5 ,
.Xr ipf 5 ,
.Xr ipnat 5 ,
.Xr jail.conf 5 ,
.Xr loader.conf 5 ,
.Xr login.conf 5 ,
.Xr motd 5 ,
.Xr newsyslog.conf 5 ,
.Xr pf.conf 5 ,
.Xr firewall 7 ,
.Xr growfs 7 ,
.Xr security 7 ,
.Xr tuning 7 ,
.Xr accton 8 ,
.Xr apm 8 ,
.Xr bsdinstall 8 ,
.Xr bthidd 8 ,
.Xr chkprintcap 8 ,
.Xr chown 8 ,
.Xr cron 8 ,
.Xr devfs 8 ,
.Xr dhclient 8 ,
.Xr ftpd 8 ,
.Xr geli 8 ,
.Xr hcsecd 8 ,
.Xr ifconfig 8 ,
.Xr inetd 8 ,
.Xr iovctl 8 ,
.Xr ipf 8 ,
.Xr ipfw 8 ,
.Xr ipnat 8 ,
.Xr jail 8 ,
.Xr kldxref 8 ,
.Xr loader 8 ,
.Xr lpd 8 ,
.Xr makewhatis 8 ,
.Xr mdconfig 8 ,
.Xr mdmfs 8 ,
.Xr mixer 8 ,
.Xr mountd 8 ,
.Xr moused 8 ,
.Xr newfs 8 ,
.Xr newsyslog 8 ,
.Xr nfsd 8 ,
.Xr ntpd 8 ,
.Xr ntpdate 8 ,
.Xr pfctl 8 ,
.Xr pflogd 8 ,
.Xr ping 8 ,
.Xr powerd 8 ,
.Xr quotacheck 8 ,
.Xr quotaon 8 ,
.Xr rc 8 ,
.Xr rc.subr 8 ,
.Xr rcorder 8 ,
.Xr rfcomm_pppd 8 ,
.Xr route 8 ,
.Xr route6d 8 ,
.Xr routed 8 ,
.Xr rpc.lockd 8 ,
.Xr rpc.statd 8 ,
.Xr rpc.tlsclntd 8 ,
.Xr rpc.tlsservd 8 ,
.Xr rpcbind 8 ,
.Xr rwhod 8 ,
.Xr savecore 8 ,
.Xr sdpd 8 ,
.Xr sendmail 8 ,
.Xr service 8 ,
.Xr sshd 8 ,
.Xr swapon 8 ,
.Xr sysctl 8 ,
.Xr syslogd 8 ,
.Xr sysrc 8 ,
.Xr unbound 8 ,
.Xr usbconfig 8 ,
.Xr utx 8 ,
.Xr wlandebug 8 ,
.Xr yp 8 ,
.Xr ypbind 8 ,
.Xr ypserv 8 ,
.Xr ypset 8
.Sh HISTORY
The
.Nm
file appeared in
.Fx 2.2.2 .
.Sh AUTHORS
.An Jordan K. Hubbard .
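.Sh EXAMPLES
The combination rules stated under SERVICE JAILS (netv4 and netv6 are mutually exclusive, only one SysV option may be given, and only the listed option names are valid) can be checked before a reboot by linting rc.conf-style text.
This is an added example, not part of rc.subr(8) or the FreeBSD sources; the function names and the sample service names are made up, and it assumes option lists are whitespace-separated and parses only literal assignments.

```shell
#!/bin/sh
# Added example (not part of rc.subr(8)): lint <name>_svcj_options values
# against the combination rules in the SERVICE JAILS section.
# Assumptions: option lists are whitespace-separated; only literal
# assignments starting in column one are parsed, with no sh(1) expansion.

SVCJ_VALID="mlock netv4 netv6 net_basic net_raw net_all nfsd sysvipc sysvipcnew vmm"

# svcj_has LIST WORD: succeed if WORD occurs as a whole word in LIST.
svcj_has() {
    case " $1 " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# svcj_lint OPTIONS: print one line per violated rule; return 1 if any.
svcj_lint() {
    # Normalise tabs and newlines to single spaces.
    _opts=$(printf '%s' "$1" | tr -s ' \t\n' '   ')
    _rc=0
    # Rule: every word must be one of the documented option names.
    _unknown=$(printf '%s\n' "$_opts" | tr ' ' '\n' | while IFS= read -r _o; do
        [ -z "$_o" ] || svcj_has "$SVCJ_VALID" "$_o" || echo "unknown option: $_o"
    done)
    [ -z "$_unknown" ] || { printf '%s\n' "$_unknown"; _rc=1; }
    # Rule: netv4 can not be combined with netv6.
    if svcj_has "$_opts" netv4 && svcj_has "$_opts" netv6; then
        echo "netv4 and netv6 can not be combined"
        _rc=1
    fi
    # Rule: from the SysV options only one can be specified.
    if svcj_has "$_opts" sysvipc && svcj_has "$_opts" sysvipcnew; then
        echo "only one of sysvipc and sysvipcnew may be specified"
        _rc=1
    fi
    return $_rc
}

# svcj_audit: read rc.conf-style text on stdin, lint every literal
# <name>_svcj_options assignment, print "<name>: <diagnostic>" lines and
# return 1 if any assignment violates a rule.
svcj_audit() {
    _bad=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        case "$_line" in
            [A-Za-z_]*_svcj_options=*) ;;
            *) continue ;;
        esac
        _name=${_line%%_svcj_options=*}
        _val=${_line#*_svcj_options=}
        _val=${_val%%#*}                            # drop a trailing comment
        _val=$(printf '%s' "$_val" | tr -d "\"'")   # drop the quoting
        _msgs=$(svcj_lint "$_val") || {
            printf '%s\n' "$_msgs" | while IFS= read -r _m; do
                printf '%s: %s\n' "$_name" "$_m"
            done
            _bad=1
        }
    done
    return $_bad
}

# Constructed sample input; alpha, beta and gamma are made-up service
# names and net_admin is deliberately not a documented option.
svcj_sample() {
    cat <<'EOF'
alpha_svcj="YES"
alpha_svcj_options="net_basic net_raw"
beta_svcj_options="netv4 netv6 mlock"
gamma_svcj_options="sysvipc sysvipcnew net_admin"   # two mistakes
#delta_svcj_options="netv4 netv6"
EOF
}

# Stand-alone run: report on the constructed sample.
svcj_sample | svcj_audit || true
```

On a real host the same check can be pointed at a file with `svcj_audit < /etc/rc.conf`.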