version 1.3, 2006/12/23 08:06:54 |
version 1.15, 2008/09/21 11:13:14 |
|
|
.\" |
.\" |
.\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95 |
.\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95 |
.\" |
.\" |
.Dd December 4, 2006 |
.Dd September 21, 2008 |
.Dt SYSCTL 7 |
.Dt SYSCTL 7 |
.Os |
.Os |
.Sh NAME |
.Sh NAME |
Line 154 The changeable column shows whether a pr |
|
Line 154 The changeable column shows whether a pr |
|
privilege may change the value. |
privilege may change the value. |
.Bl -column "Second level nameXXXXXX" "struct disk_sysctlXXX" -offset indent |
.Bl -column "Second level nameXXXXXX" "struct disk_sysctlXXX" -offset indent |
.It Sy Second level name Type Changeable |
.It Sy Second level name Type Changeable |
|
.It hw.acpi.supported_states string no |
.It hw.alignbytes integer no |
.It hw.alignbytes integer no |
.It hw.byteorder integer no |
.It hw.byteorder integer no |
.It hw.cnmagic string yes |
.It hw.cnmagic string yes |
Line 171 privilege may change the value. |
|
Line 172 privilege may change the value. |
|
.El |
.El |
.Pp |
.Pp |
.Bl -tag -width "123456" |
.Bl -tag -width "123456" |
|
.It Li hw.acpi.support_states |
|
List of possible |
|
.Tn ACPI |
|
sleep states. |
|
The list can contain the following values: |
|
.Bl -tag -width XS1X |
|
.It S0 |
|
fully running |
|
.It S1 |
|
power on suspend (CPU and hard disks are off) |
|
.It S2 |
|
similar to S3, usually not implemented |
|
.It S3 |
|
suspend-to-RAM |
|
.It S4 |
|
suspend-to-disk (needs BIOS support) |
|
.It S5 |
|
power off |
|
.El |
.It Li hw.alignbytes ( HW_ALIGNBYTES ) |
.It Li hw.alignbytes ( HW_ALIGNBYTES ) |
Alignment constraint for all possible data types. |
Alignment constraint for all possible data types. |
This shows the value |
This shows the value |
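Review bot: the new `.It Li hw.acpi.support_states` entry does not match the table row added earlier in this diff, `hw.acpi.supported_states string no`; one of the two names is a typo, and the two must agree or a reader who looks the MIB name up in the table will not find its description. Whichever spelling is correct should be used in both places.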
Line 937 The currently defined protocols and name |
|
Line 957 The currently defined protocols and name |
|
.It ip forwsrcrt integer yes |
.It ip forwsrcrt integer yes |
.It ip gifttl integer yes |
.It ip gifttl integer yes |
.It ip grettl integer yes |
.It ip grettl integer yes |
|
.It ip hashsize integer yes |
.It ip hostzerobroadcast integer yes |
.It ip hostzerobroadcast integer yes |
.It ip lowportmin integer yes |
.It ip lowportmin integer yes |
.It ip lowportmax integer yes |
.It ip lowportmax integer yes |
Line 968 The currently defined protocols and name |
|
Line 989 The currently defined protocols and name |
|
.It tcp keepintvl integer yes |
.It tcp keepintvl integer yes |
.It tcp keepcnt integer yes |
.It tcp keepcnt integer yes |
.It tcp slowhz integer no |
.It tcp slowhz integer no |
|
.It tcp keepinit integer yes |
.It tcp log_refused integer yes |
.It tcp log_refused integer yes |
.It tcp rstppslimit integer yes |
.It tcp rstppslimit integer yes |
.It tcp ident struct no |
.It tcp ident struct no |
|
.It tcp drop struct no |
.It tcp sack.enable integer yes |
.It tcp sack.enable integer yes |
.It tcp sack.globalholes integer no |
.It tcp sack.globalholes integer no |
.It tcp sack.globalmaxholes integer yes |
.It tcp sack.globalmaxholes integer yes |
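Review bot: `tcp drop` is listed with Changeable "no", yet its description later in this diff says it drops a connection, so it is an action performed through sysctl rather than a read-only value; the table or the description should say how it is invoked and that it requires privilege, otherwise "no" suggests the node is harmless to query. Also, `tcp keepinit` is placed after `tcp slowhz` here while its description is filed after `tcp.log_refused`; keep the table and the description list in the same order.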
Line 1060 tunnel interface. |
|
Line 1083 tunnel interface. |
|
The maximum time-to-live (hop count) value for an IPv4 packet generated by |
The maximum time-to-live (hop count) value for an IPv4 packet generated by |
.Xr gre 4 |
.Xr gre 4 |
tunnel interface. |
tunnel interface. |
|
.It Li ip.hashsize |
|
The size of IPv4 Fast Forward hash table. |
|
This value must be a power of 2 (64, 256...). |
|
A larger hash table size results in fewer collisions. |
|
Also see |
|
.Li ip.maxflows . |
.It Li ip.hostzerobroadcast |
.It Li ip.hostzerobroadcast |
All zeroes address is broadcast address. |
All zeroes address is broadcast address. |
.It Li ip.lowportmax |
.It Li ip.lowportmax |
Line 1073 This cannot be set to less than 0 or gre |
|
Line 1102 This cannot be set to less than 0 or gre |
|
be smaller than |
be smaller than |
.Li ip.lowportmax . |
.Li ip.lowportmax . |
.It Li ip.maxflows |
.It Li ip.maxflows |
IP Fast Forwarding is enabled by default. |
IPv4 Fast Forwarding is enabled by default. |
If set to 0, IP Fast Forwarding is disabled. |
If set to 0, IPv4 Fast Forwarding is disabled. |
.Li ip.maxflows |
.Li ip.maxflows |
controls the maximum amount of flows which can be created. |
controls the maximum amount of flows which can be created. |
The default value is 256. |
The default value is 256. |
Line 1177 another probe is sent. |
|
Line 1206 another probe is sent. |
|
See also tcp.slowhz. |
See also tcp.slowhz. |
.It Li tcp.log_refused |
.It Li tcp.log_refused |
If set to 1, refused TCP connections to the host will be logged. |
If set to 1, refused TCP connections to the host will be logged. |
|
.It Li tcp.keepinit |
|
Timeout in seconds during connection establishment. |
.It Li tcp.mss_ifmtu |
.It Li tcp.mss_ifmtu |
If set to 1, TCP calculates the outgoing maximum segment size based on |
If set to 1, TCP calculates the outgoing maximum segment size based on |
the MTU of the appropriate interface. |
the MTU of the appropriate interface. |
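Review bot: tcp.keepinit is documented as "Timeout in seconds", but the keepalive entry just above it ends with "See also tcp.slowhz.", which indicates the related keep* timers are expressed in slow-timer ticks; please confirm the unit of keepinit and, if it is ticks, write "in units of tcp.slowhz" instead, since a wrong unit here silently changes connection-setup timeouts. The entry also sits between tcp.log_refused and tcp.mss_ifmtu, breaking the alphabetical order of the list; it belongs beside tcp.keepintvl and tcp.keepcnt.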
Line 1189 us during connection setup or Path MTU D |
|
Line 1220 us during connection setup or Path MTU D |
|
.Li ( ip.mtudisc ) |
.Li ( ip.mtudisc ) |
is disabled. |
is disabled. |
Do not change this value unless you really know what you are doing. |
Do not change this value unless you really know what you are doing. |
.It Li tcp.newreno |
|
If set to 1, enables the use of J. |
|
Hoe's NewReno congestion control algorithm. |
|
This algorithm improves the start-up behavior of TCP connections. |
|
.It Li tcp.recvspace |
.It Li tcp.recvspace |
The default TCP receive buffer size. |
The default TCP receive buffer size. |
.It Li tcp.rfc1323 |
.It Li tcp.rfc1323 |
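Review bot: the tcp.newreno description is removed here, but the tcp table hunk earlier in this diff shows no corresponding row being dropped; if the sysctl no longer exists, remove its table row too, and if it still exists it now has no description. Either way the table and the descriptions should stay in step.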
|
|
TCP RST packet that exceeded the value are subject to rate limitation |
TCP RST packet that exceeded the value are subject to rate limitation |
and will not go out from the node. |
and will not go out from the node. |
Negative value disables rate limitation. |
Negative value disables rate limitation. |
|
.It Li tcp.ident |
|
Return the user ID of a connected socket pair. |
|
(RFC1413 Identification Protocol lookups.) |
|
.It Li tcp.drop |
|
Drop a TCP socket pair connection. |
.It Li tcp.sack.enable |
.It Li tcp.sack.enable |
If set to 1, enables RFC 2018 Selective ACKnowledgement. |
If set to 1, enables RFC 2018 Selective ACKnowledgement. |
.It Li tcp.sack.globalholes |
.It Li tcp.sack.globalholes |
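Review bot: tcp.ident and tcp.drop get one line each, but the table gives their type as `struct`, so say what the caller passes (the two socket addresses that identify the connection) and who may use them: tcp.ident hands out the owning user ID of a connection, which is exactly what an identd responder exposes, and tcp.drop terminates a connection, so the privilege required for each is what an administrator needs to know before enabling or scripting them. Style: write "RFC 1413" with a space, as "RFC 2018" is written two entries below.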
Line 1288 The currently defined protocols and name |
|
Line 1320 The currently defined protocols and name |
|
.It ip6 defmcasthlim integer yes |
.It ip6 defmcasthlim integer yes |
.It ip6 forwarding integer yes |
.It ip6 forwarding integer yes |
.It ip6 gifhlim integer yes |
.It ip6 gifhlim integer yes |
|
.It ip6 hashsize integer yes |
.It ip6 hlim integer yes |
.It ip6 hlim integer yes |
.It ip6 hdrnestlimit integer yes |
.It ip6 hdrnestlimit integer yes |
.It ip6 kame_version string no |
.It ip6 kame_version string no |
Line 1295 The currently defined protocols and name |
|
Line 1328 The currently defined protocols and name |
|
.It ip6 log_interval integer yes |
.It ip6 log_interval integer yes |
.It ip6 lowportmax integer yes |
.It ip6 lowportmax integer yes |
.It ip6 lowportmin integer yes |
.It ip6 lowportmin integer yes |
|
.It ip6 maxflows integer yes |
.It ip6 maxfragpackets integer yes |
.It ip6 maxfragpackets integer yes |
.It ip6 maxfrags integer yes |
.It ip6 maxfrags integer yes |
.It ip6 redirect integer yes |
.It ip6 redirect integer yes |
Line 1355 tunnel interface. |
|
Line 1389 tunnel interface. |
|
.It Li ip6.hdrnestlimit |
.It Li ip6.hdrnestlimit |
The number of IPv6 extension headers permitted on incoming IPv6 packets. |
The number of IPv6 extension headers permitted on incoming IPv6 packets. |
If set to 0, the node will accept as many extension headers as possible. |
If set to 0, the node will accept as many extension headers as possible. |
|
.It Li ip6.hashsize |
|
The size of IPv6 Fast Forward hash table. |
|
This value must be a power of 2 (64, 256...). |
|
A larger hash table size results in fewer collisions. |
|
Also see |
|
.Li ip6.maxflows . |
.It Li ip6.hlim |
.It Li ip6.hlim |
The default hop limit value for an IPv6 unicast packet sourced by the node. |
The default hop limit value for an IPv6 unicast packet sourced by the node. |
This value applies to all the transport protocols on top of IPv6. |
This value applies to all the transport protocols on top of IPv6. |
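Review bot: ip6.hashsize is filed after ip6.hdrnestlimit, but alphabetically it belongs before it, and the ip6 table earlier in this diff places it between gifhlim and hlim; pick one order and use it in both places. The text is a copy of the ip.hashsize entry, including the missing "the" in "The size of IPv6 Fast Forward hash table" and the absence of a default value and of what happens to a non-power-of-2 setting; fix both copies together.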
Line 1385 The lowest port number to use for TCP an |
|
Line 1425 The lowest port number to use for TCP an |
|
This cannot be set to less than 0 or greater than 1024, and must |
This cannot be set to less than 0 or greater than 1024, and must |
be smaller than |
be smaller than |
.Li ip6.lowportmax . |
.Li ip6.lowportmax . |
|
.It Li ip6.maxflows |
|
IPv6 Fast Forwarding is enabled by default. |
|
If set to 0, IPv6 Fast Forwarding is disabled. |
|
.Li ip6.maxflows |
|
controls the maximum amount of flows which can be created. |
|
The default value is 256. |
.It Li ip6.maxfragpackets |
.It Li ip6.maxfragpackets |
The maximum number of fragmented packets the node will accept. |
The maximum number of fragmented packets the node will accept. |
0 means that the node will not accept any fragmented packets. |
0 means that the node will not accept any fragmented packets. |
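Review bot: "controls the maximum amount of flows" should read "number of flows" (flows are countable), both in this new ip6.maxflows text and in the ip.maxflows entry it copies. Since the wording is otherwise identical, it would also help to say whether ip6.maxflows and ip6.hashsize are separate from the ip.maxflows and ip.hashsize settings, so an administrator tuning one family knows the other is unaffected.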
|
|
.Dv PF_UNIX |
.Dv PF_UNIX |
PCBs), and |
PCBs), and |
.Xr w 1 . |
.Xr w 1 . |
|
.It Li security.models |
|
.Nx |
|
supports pluggable security models. |
|
Every security model used, whether if loaded as an LKM or built with the system, |
|
is required to add an entry to this node with at least one element, |
|
.Dq name , |
|
indicating the name of the security model. |
|
.Pp |
|
In addition to the name, any settings and other information private to the |
|
security model will be available under this node. |
|
See |
|
.Xr secmodel 9 |
|
for more information. |
.It Li security.pax |
.It Li security.pax |
Settings for PaX -- exploit mitigation features. |
Settings for PaX -- exploit mitigation features. |
|
For more information on any of the PaX features, please see |
|
.Xr paxctl 8 |
|
and |
|
.Xr security 8 . |
.Pp |
.Pp |
.Bl -tag -width "123456" |
.Bl -tag -width "123456" |
|
.It Li security.pax.aslr.enable |
|
Enable PaX ASLR (Address Space Layout Randomization). |
|
.Pp |
|
The value of this |
|
knob must be non-zero for PaX ASLR to be enabled, even if a program is set to |
|
explicit enable. |
|
.It Li security.pax.aslr.global |
|
Specifies the default global policy for programs without an |
|
explicit enable/disable flag. |
|
.Pp |
|
When non-zero, all programs will get PaX ASLR, except those exempted with |
|
.Xr paxctl 8 . |
|
Otherwise, all programs will not get PaX ASLR, except those specifically |
|
marked as such with |
|
.Xr paxctl 8 . |
.It Li security.pax.mprotect.enable |
.It Li security.pax.mprotect.enable |
Enable PaX MPROTECT restrictions. |
Enable PaX MPROTECT restrictions. |
.Pp |
.Pp |
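Review bot: "whether if loaded as an LKM" should read "whether loaded as an LKM". The new security.pax.aslr.enable and security.pax.aslr.global entries never state their default values; say whether a stock system has them at 0 or 1, because "must be non-zero for PaX ASLR to be enabled" leaves a reader unable to tell from the page whether ASLR is on without querying the node.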
Line 1954 explicit enable/disable flag. |
|
Line 2032 explicit enable/disable flag. |
|
.Pp |
.Pp |
When non-zero, all programs will get the PaX MPROTECT restrictions, |
When non-zero, all programs will get the PaX MPROTECT restrictions, |
except those exempted with |
except those exempted with |
.Xr paxctl 1 . |
.Xr paxctl 8 . |
Otherwise, all programs will not get the PaX MPROTECT restrictions, |
Otherwise, all programs will not get the PaX MPROTECT restrictions, |
except those specifically marked as such with |
except those specifically marked as such with |
.Xr paxctl 1 . |
.Xr paxctl 8 . |
.It Li security.pax.segvguard.enable |
.It Li security.pax.segvguard.enable |
Enable PaX Segvguard. |
Enable PaX Segvguard. |
.Pp |
.Pp |
Please see |
|
.Xr security 8 |
|
for more information. |
|
.Pp |
|
PaX Segvguard can detect and prevent certain exploitation attempts, where |
PaX Segvguard can detect and prevent certain exploitation attempts, where |
an attacker may try for example to brute-force function return addresses |
an attacker may try for example to brute-force function return addresses |
of respawning daemons. |
of respawning daemons. |
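Review bot: the "Please see security 8 for more information." pointer is added under security.pax.segvguard.enable only, while the same pointer was added at the head of security.pax in this diff; either drop this duplicate or add it to the mprotect and aslr entries as well so the three features are documented the same way. The `paxctl 1` to `paxctl 8` correction is right.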
Line 1980 explicit enable/disable flag. |
|
Line 2054 explicit enable/disable flag. |
|
.Pp |
.Pp |
When non-zero, all programs will get the PaX Segvguard, |
When non-zero, all programs will get the PaX Segvguard, |
except those exempted with |
except those exempted with |
.Xr paxctl 1 . |
.Xr paxctl 8 . |
Otherwise, no program will get the PaX Segvguard restrictions, |
Otherwise, no program will get the PaX Segvguard restrictions, |
except those specifically marked as such with |
except those specifically marked as such with |
.Xr paxctl 1 . |
.Xr paxctl 8 . |
.It Li security.pax.segvguard.expiry_timeout |
.It Li security.pax.segvguard.expiry_timeout |
If the max number was not reached within this timeout (in seconds), the entry |
If the max number was not reached within this timeout (in seconds), the entry |
will expire. |
will expire. |
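Review bot: "If the max number was not reached within this timeout" refers to a sibling knob that is not named here; spell out which security.pax.segvguard.* setting defines the maximum, so the expiry semantics can be read without guessing. The `paxctl 1` to `paxctl 8` correction is right; the aslr entries added earlier in this diff already use `paxctl 8`, so check that no other `.Xr paxctl 1` remains elsewhere in the page.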