Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. =================================================================== RCS file: /ftp/cvs/cvsroot/src/share/man/man7/sysctl.7,v rcsdiff: /ftp/cvs/cvsroot/src/share/man/man7/sysctl.7,v: warning: Unknown phrases like `commitid ...;' are present. retrieving revision 1.1 retrieving revision 1.12 diff -u -p -r1.1 -r1.12 --- src/share/man/man7/sysctl.7 2006/12/04 08:59:13 1.1 +++ src/share/man/man7/sysctl.7 2007/06/20 15:29:18 1.12 @@ -1,4 +1,4 @@ -.\" $NetBSD: sysctl.7,v 1.1 2006/12/04 08:59:13 pavel Exp $ +.\" $NetBSD: sysctl.7,v 1.12 2007/06/20 15:29:18 christos Exp $ .\" .\" Copyright (c) 1993 .\" The Regents of the University of California. All rights reserved. @@ -29,7 +29,7 @@ .\" .\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95 .\" -.Dd December 4, 2006 +.Dd June 19, 2007 .Dt SYSCTL 7 .Os .Sh NAME @@ -702,8 +702,8 @@ Returns 1 if the POSIX 1003.1b Synchroni on this system, otherwise 0. .It Li kern.ipc ( KERN_SYSVIPC ) -Return information about the SysV IPC parameters. The third -level names for the ipc variables are detailed below. +Return information about the SysV IPC parameters. +The third level names for the ipc variables are detailed below. .Bl -column "KERN_SYSVIPC_MSGXXX" "integerXXX" "noXXX" -offset indent .It Sy Third level name Type Changeable .It kern.ipc.sysvmsg integer no @@ -768,7 +768,8 @@ Max shared memory segments per process. .It Li kern.ipc.shmmaxpgs ( KERN_SYSVIPC_SHMMAXPGS ) Max amount of shared memory in pages. .It Li kern.ipc.shm_use_phys ( KERN_SYSVIPC_SHMUSEPHYS ) -Locking of shared memory in physical memory. If 0, memory can be swaped +Locking of shared memory in physical memory. +If 0, memory can be swapped out, otherwise it will be locked in physical memory. .El .It Li kern.timex ( KERN_TIMEX ) 
@@ -936,6 +937,7 @@ The currently defined protocols and name .It ip forwsrcrt integer yes .It ip gifttl integer yes .It ip grettl integer yes +.It ip hashsize integer yes .It ip hostzerobroadcast integer yes .It ip lowportmin integer yes .It ip lowportmax integer yes @@ -967,6 +969,7 @@ The currently defined protocols and name .It tcp keepintvl integer yes .It tcp keepcnt integer yes .It tcp slowhz integer no +.It tcp keepinit integer yes .It tcp log_refused integer yes .It tcp rstppslimit integer yes .It tcp ident struct no @@ -1059,6 +1062,12 @@ tunnel interface. The maximum time-to-live (hop count) value for an IPv4 packet generated by .Xr gre 4 tunnel interface. +.It Li ip.hashsize +The size of IPv4 Fast Forward hash table. +This value must be a power of 2 (64, 256...). +A larger hash table size results in fewer collisions. +Also see +.Li ip.maxflows . .It Li ip.hostzerobroadcast All zeroes address is broadcast address. .It Li ip.lowportmax @@ -1072,8 +1081,8 @@ This cannot be set to less than 0 or gre be smaller than .Li ip.lowportmax . .It Li ip.maxflows -IP Fast Forwarding is enabled by default. -If set to 0, IP Fast Forwarding is disabled. +IPv4 Fast Forwarding is enabled by default. +If set to 0, IPv4 Fast Forwarding is disabled. .Li ip.maxflows controls the maximum amount of flows which can be created. The default value is 256. @@ -1176,6 +1185,8 @@ another probe is sent. See also tcp.slowhz. .It Li tcp.log_refused If set to 1, refused TCP connections to the host will be logged. +.It Li tcp.keepinit +Timeout in seconds during connection establishment. .It Li tcp.mss_ifmtu If set to 1, TCP calculates the outgoing maximum segment size based on the MTU of the appropriate interface. 
@@ -1188,10 +1199,6 @@ us during connection setup or Path MTU D .Li ( ip.mtudisc ) is disabled. Do not change this value unless you really know what you are doing. -.It Li tcp.newreno -If set to 1, enables the use of J. -Hoe's NewReno congestion control algorithm. -This algorithm improves the start-up behavior of TCP connections. .It Li tcp.recvspace The default TCP receive buffer size. .It Li tcp.rfc1323 @@ -1287,6 +1294,7 @@ The currently defined protocols and name .It ip6 defmcasthlim integer yes .It ip6 forwarding integer yes .It ip6 gifhlim integer yes +.It ip6 hashsize integer yes .It ip6 hlim integer yes .It ip6 hdrnestlimit integer yes .It ip6 kame_version string no @@ -1294,6 +1302,7 @@ The currently defined protocols and name .It ip6 log_interval integer yes .It ip6 lowportmax integer yes .It ip6 lowportmin integer yes +.It ip6 maxflows integer yes .It ip6 maxfragpackets integer yes .It ip6 maxfrags integer yes .It ip6 redirect integer yes @@ -1354,6 +1363,12 @@ tunnel interface. .It Li ip6.hdrnestlimit The number of IPv6 extension headers permitted on incoming IPv6 packets. If set to 0, the node will accept as many extension headers as possible. +.It Li ip6.hashsize +The size of IPv6 Fast Forward hash table. +This value must be a power of 2 (64, 256...). +A larger hash table size results in fewer collisions. +Also see +.Li ip6.maxflows . .It Li ip6.hlim The default hop limit value for an IPv6 unicast packet sourced by the node. This value applies to all the transport protocols on top of IPv6. 
@@ -1384,6 +1399,12 @@ The lowest port number to use for TCP an This cannot be set to less than 0 or greater than 1024, and must be smaller than .Li ip6.lowportmax . +.It Li ip6.maxflows +IPv6 Fast Forwarding is enabled by default. +If set to 0, IPv6 Fast Forwarding is disabled. +.Li ip6.maxflows +controls the maximum amount of flows which can be created. +The default value is 256. .It Li ip6.maxfragpackets The maximum number of fragmented packets the node will accept. 0 means that the node will not accept any fragmented packets. @@ -1915,7 +1936,8 @@ for more details. The .Li security level contains various security-related settings for -the system. Available settings are detailed below. +the system. +Available settings are detailed below. .Pp .Bl -tag -width "123456" .It Li security.curtain @@ -1933,8 +1955,25 @@ and .Dv PF_UNIX PCBs), and .Xr w 1 . +.It Li security.models +.Nx +supports pluggable security models. +Every security model used, whether if loaded as an LKM or built with the system, +is required to add an entry to this node with at least one element, +.Dq name , +indicating the name of the security model. +.Pp +In addition to the name, any settings and other information private to the +security model will be available under this node. +See +.Xr secmodel 9 +for more information. .It Li security.pax Settings for PaX -- exploit mitigation features. +For more information on any of the PaX features, please see +.Xr paxctl 8 +and +.Xr security 8 . .Pp .Bl -tag -width "123456" .It Li security.pax.mprotect.enable @@ -1942,7 +1981,8 @@ Enable PaX MPROTECT restrictions. .Pp These are .Xr mprotect 2 -restrictions to better enforce a W^X policy. The value of this +restrictions to better enforce a W^X policy. +The value of this knob must be non-zero for PaX MPROTECT to be enabled, even if a program is set to explicit enable. .It Li security.pax.mprotect.global 
@@ -1951,17 +1991,13 @@ explicit enable/disable flag. .Pp When non-zero, all programs will get the PaX MPROTECT restrictions, except those exempted with -.Xr paxctl 1 . +.Xr paxctl 8 . Otherwise, all programs will not get the PaX MPROTECT restrictions, except those specifically marked as such with -.Xr paxctl 1 . +.Xr paxctl 8 . .It Li security.pax.segvguard.enable Enable PaX Segvguard. .Pp -Please see -.Xr security 8 -for more information. -.Pp PaX Segvguard can detect and prevent certain exploitation attempts, where an attacker may try for example to brute-force function return addresses of respawning daemons. @@ -1977,10 +2013,10 @@ explicit enable/disable flag. .Pp When non-zero, all programs will get the PaX Segvguard, except those exempted with -.Xr paxctl 1 . -Otherwise, all programs will not get the PaX Segvguard restrictions, +.Xr paxctl 8 . +Otherwise, no program will get the PaX Segvguard restrictions, except those specifically marked as such with -.Xr paxctl 1 . +.Xr paxctl 8 . .It Li security.pax.segvguard.expiry_timeout If the max number was not reached within this timeout (in seconds), the entry will expire.
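Review bot: in the `.Dd` hunk (@@ -29,7), `.Dd June 19, 2007` lags the revision timestamp `2007/06/20 15:29:18`. Because this is the cumulative 1.1 to 1.12 diff the date may belong to an intermediate revision, but `.Dd` is supposed to carry the date of the last edit to the page, so the final revision should bump it to match.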
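Review bot: in the tcp table hunk (@@ -967,6), the new `tcp keepinit integer yes` row is inserted after `tcp slowhz`, while the related keepalive knobs `keepidle`, `keepintvl` and `keepcnt` sit together two rows above. Move the row up next to them so the keep* family reads as one group, matching how the descriptions later in the page are laid out.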
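Review bot: in the `ip.hashsize` hunk (@@ -1059,6) and its mirror `ip6.hashsize` (@@ -1354,6), "This value must be a power of 2 (64, 256...)" states a constraint without saying what the kernel does when it is violated (rejects the write, rounds, or accepts silently), and neither entry gives a default, although the neighbouring `ip.maxflows` text does ("The default value is 256."). Add the default and the failure behaviour, and use "Fast Forwarding" rather than "Fast Forward" so the wording matches the `ip.maxflows` / `ip6.maxflows` entries.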
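Review bot: in the `tcp.keepinit` description hunk (@@ -1176,6), "Timeout in seconds during connection establishment." does not say what happens when the timeout expires, and it asserts seconds while the adjacent keepalive entries defer to `tcp.slowhz` for their unit ("another probe is sent. See also tcp.slowhz."). Confirm the unit; if keepinit is expressed in the same ticks as keepidle and keepintvl, add the same "See also tcp.slowhz." cross-reference, and in either case state the effect of expiry on the pending connection.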
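Review bot: the hunk at @@ -1188,10 removes the `tcp.newreno` description, but no matching `-.It tcp newreno` row appears in the third-level-name table hunk (@@ -967,6), so the table may still advertise a knob that no longer has a description. Check the table; if the row is still present it should be removed in the same change, or, if the knob still exists, the description should be kept.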
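Review bot: in the `ip6.maxflows` hunk (@@ -1384,6), "controls the maximum amount of flows which can be created" should read "maximum number of flows that can be created" (flows are countable). The sentence is copied from the `ip.maxflows` entry touched at @@ -1072,8, so fix both while that hunk is open.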
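Review bot: in the `security.models` hunk (@@ -1933,8), "whether if loaded as an LKM or built with the system" is ungrammatical; suggest "whether loaded as an LKM or built into the kernel". The rest of the paragraph is fine, but "at least one element, .Dq name ," would read more naturally as "at least one element, .Dq name , giving the name of the security model".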
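Review bot: the segvguard.global hunk (@@ -1977,10) rewords "all programs will not get the PaX Segvguard restrictions" to "no program will get the PaX Segvguard restrictions", but the identical sentence for mprotect.global at the top of @@ -1951,17 keeps the old form ("Otherwise, all programs will not get the PaX MPROTECT restrictions"). Apply the same rewording there so the two global knobs are documented consistently.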