| version 1.3, 2006/12/23 08:06:54 |
version 1.15, 2008/09/21 11:13:14 |
|
|
| .\" |
.\" |
| .\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95 |
.\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95 |
| .\" |
.\" |
| .Dd December 4, 2006 |
.Dd September 21, 2008 |
| .Dt SYSCTL 7 |
.Dt SYSCTL 7 |
| .Os |
.Os |
| .Sh NAME |
.Sh NAME |
| Line 154 The changeable column shows whether a pr |
|
| Line 154 The changeable column shows whether a pr |
|
| privilege may change the value. |
privilege may change the value. |
| .Bl -column "Second level nameXXXXXX" "struct disk_sysctlXXX" -offset indent |
.Bl -column "Second level nameXXXXXX" "struct disk_sysctlXXX" -offset indent |
| .It Sy Second level name Type Changeable |
.It Sy Second level name Type Changeable |
| |
.It hw.acpi.supported_states string no |
| .It hw.alignbytes integer no |
.It hw.alignbytes integer no |
| .It hw.byteorder integer no |
.It hw.byteorder integer no |
| .It hw.cnmagic string yes |
.It hw.cnmagic string yes |
| Line 171 privilege may change the value. |
|
| Line 172 privilege may change the value. |
|
| .El |
.El |
| .Pp |
.Pp |
| .Bl -tag -width "123456" |
.Bl -tag -width "123456" |
| |
.It Li hw.acpi.support_states |
| |
List of possible |
| |
.Tn ACPI |
| |
sleep states. |
| |
The list can contain the following values: |
| |
.Bl -tag -width XS1X |
| |
.It S0 |
| |
fully running |
| |
.It S1 |
| |
power on suspend (CPU and hard disks are off) |
| |
.It S2 |
| |
similar to S3, usually not implemented |
| |
.It S3 |
| |
suspend-to-RAM |
| |
.It S4 |
| |
suspend-to-disk (needs BIOS support) |
| |
.It S5 |
| |
power off |
| |
.El |
| .It Li hw.alignbytes ( HW_ALIGNBYTES ) |
.It Li hw.alignbytes ( HW_ALIGNBYTES ) |
| Alignment constraint for all possible data types. |
Alignment constraint for all possible data types. |
| This shows the value |
This shows the value |
| Line 937 The currently defined protocols and name |
|
| Line 957 The currently defined protocols and name |
|
| .It ip forwsrcrt integer yes |
.It ip forwsrcrt integer yes |
| .It ip gifttl integer yes |
.It ip gifttl integer yes |
| .It ip grettl integer yes |
.It ip grettl integer yes |
| |
.It ip hashsize integer yes |
| .It ip hostzerobroadcast integer yes |
.It ip hostzerobroadcast integer yes |
| .It ip lowportmin integer yes |
.It ip lowportmin integer yes |
| .It ip lowportmax integer yes |
.It ip lowportmax integer yes |
| Line 968 The currently defined protocols and name |
|
| Line 989 The currently defined protocols and name |
|
| .It tcp keepintvl integer yes |
.It tcp keepintvl integer yes |
| .It tcp keepcnt integer yes |
.It tcp keepcnt integer yes |
| .It tcp slowhz integer no |
.It tcp slowhz integer no |
| |
.It tcp keepinit integer yes |
| .It tcp log_refused integer yes |
.It tcp log_refused integer yes |
| .It tcp rstppslimit integer yes |
.It tcp rstppslimit integer yes |
| .It tcp ident struct no |
.It tcp ident struct no |
| |
.It tcp drop struct no |
| .It tcp sack.enable integer yes |
.It tcp sack.enable integer yes |
| .It tcp sack.globalholes integer no |
.It tcp sack.globalholes integer no |
| .It tcp sack.globalmaxholes integer yes |
.It tcp sack.globalmaxholes integer yes |
| Line 1060 tunnel interface. |
|
| Line 1083 tunnel interface. |
|
| The maximum time-to-live (hop count) value for an IPv4 packet generated by |
The maximum time-to-live (hop count) value for an IPv4 packet generated by |
| .Xr gre 4 |
.Xr gre 4 |
| tunnel interface. |
tunnel interface. |
| |
.It Li ip.hashsize |
| |
The size of IPv4 Fast Forward hash table. |
| |
This value must be a power of 2 (64, 256...). |
| |
A larger hash table size results in fewer collisions. |
| |
Also see |
| |
.Li ip.maxflows . |
| .It Li ip.hostzerobroadcast |
.It Li ip.hostzerobroadcast |
| All zeroes address is broadcast address. |
All zeroes address is broadcast address. |
| .It Li ip.lowportmax |
.It Li ip.lowportmax |
| Line 1073 This cannot be set to less than 0 or gre |
|
| Line 1102 This cannot be set to less than 0 or gre |
|
| be smaller than |
be smaller than |
| .Li ip.lowportmax . |
.Li ip.lowportmax . |
| .It Li ip.maxflows |
.It Li ip.maxflows |
| IP Fast Forwarding is enabled by default. |
IPv4 Fast Forwarding is enabled by default. |
| If set to 0, IP Fast Forwarding is disabled. |
If set to 0, IPv4 Fast Forwarding is disabled. |
| .Li ip.maxflows |
.Li ip.maxflows |
| controls the maximum amount of flows which can be created. |
controls the maximum amount of flows which can be created. |
| The default value is 256. |
The default value is 256. |
| Line 1177 another probe is sent. |
|
| Line 1206 another probe is sent. |
|
| See also tcp.slowhz. |
See also tcp.slowhz. |
| .It Li tcp.log_refused |
.It Li tcp.log_refused |
| If set to 1, refused TCP connections to the host will be logged. |
If set to 1, refused TCP connections to the host will be logged. |
| |
.It Li tcp.keepinit |
| |
Timeout in seconds during connection establishment. |
| .It Li tcp.mss_ifmtu |
.It Li tcp.mss_ifmtu |
| If set to 1, TCP calculates the outgoing maximum segment size based on |
If set to 1, TCP calculates the outgoing maximum segment size based on |
| the MTU of the appropriate interface. |
the MTU of the appropriate interface. |
| Line 1189 us during connection setup or Path MTU D |
|
| Line 1220 us during connection setup or Path MTU D |
|
| .Li ( ip.mtudisc ) |
.Li ( ip.mtudisc ) |
| is disabled. |
is disabled. |
| Do not change this value unless you really know what you are doing. |
Do not change this value unless you really know what you are doing. |
| .It Li tcp.newreno |
|
| If set to 1, enables the use of J. |
|
| Hoe's NewReno congestion control algorithm. |
|
| This algorithm improves the start-up behavior of TCP connections. |
|
| .It Li tcp.recvspace |
.It Li tcp.recvspace |
| The default TCP receive buffer size. |
The default TCP receive buffer size. |
| .It Li tcp.rfc1323 |
.It Li tcp.rfc1323 |
|
|
| TCP RST packet that exceeded the value are subject to rate limitation |
TCP RST packet that exceeded the value are subject to rate limitation |
| and will not go out from the node. |
and will not go out from the node. |
| Negative value disables rate limitation. |
Negative value disables rate limitation. |
| |
.It Li tcp.ident |
| |
Return the user ID of a connected socket pair. |
| |
(RFC1413 Identification Protocol lookups.) |
| |
.It Li tcp.drop |
| |
Drop a TCP socket pair connection. |
| .It Li tcp.sack.enable |
.It Li tcp.sack.enable |
| If set to 1, enables RFC 2018 Selective ACKnowledgement. |
If set to 1, enables RFC 2018 Selective ACKnowledgement. |
| .It Li tcp.sack.globalholes |
.It Li tcp.sack.globalholes |
| Line 1288 The currently defined protocols and name |
|
| Line 1320 The currently defined protocols and name |
|
| .It ip6 defmcasthlim integer yes |
.It ip6 defmcasthlim integer yes |
| .It ip6 forwarding integer yes |
.It ip6 forwarding integer yes |
| .It ip6 gifhlim integer yes |
.It ip6 gifhlim integer yes |
| |
.It ip6 hashsize integer yes |
| .It ip6 hlim integer yes |
.It ip6 hlim integer yes |
| .It ip6 hdrnestlimit integer yes |
.It ip6 hdrnestlimit integer yes |
| .It ip6 kame_version string no |
.It ip6 kame_version string no |
| Line 1295 The currently defined protocols and name |
|
| Line 1328 The currently defined protocols and name |
|
| .It ip6 log_interval integer yes |
.It ip6 log_interval integer yes |
| .It ip6 lowportmax integer yes |
.It ip6 lowportmax integer yes |
| .It ip6 lowportmin integer yes |
.It ip6 lowportmin integer yes |
| |
.It ip6 maxflows integer yes |
| .It ip6 maxfragpackets integer yes |
.It ip6 maxfragpackets integer yes |
| .It ip6 maxfrags integer yes |
.It ip6 maxfrags integer yes |
| .It ip6 redirect integer yes |
.It ip6 redirect integer yes |
| Line 1355 tunnel interface. |
|
| Line 1389 tunnel interface. |
|
| .It Li ip6.hdrnestlimit |
.It Li ip6.hdrnestlimit |
| The number of IPv6 extension headers permitted on incoming IPv6 packets. |
The number of IPv6 extension headers permitted on incoming IPv6 packets. |
| If set to 0, the node will accept as many extension headers as possible. |
If set to 0, the node will accept as many extension headers as possible. |
| |
.It Li ip6.hashsize |
| |
The size of IPv6 Fast Forward hash table. |
| |
This value must be a power of 2 (64, 256...). |
| |
A larger hash table size results in fewer collisions. |
| |
Also see |
| |
.Li ip6.maxflows . |
| .It Li ip6.hlim |
.It Li ip6.hlim |
| The default hop limit value for an IPv6 unicast packet sourced by the node. |
The default hop limit value for an IPv6 unicast packet sourced by the node. |
| This value applies to all the transport protocols on top of IPv6. |
This value applies to all the transport protocols on top of IPv6. |
| Line 1385 The lowest port number to use for TCP an |
|
| Line 1425 The lowest port number to use for TCP an |
|
| This cannot be set to less than 0 or greater than 1024, and must |
This cannot be set to less than 0 or greater than 1024, and must |
| be smaller than |
be smaller than |
| .Li ip6.lowportmax . |
.Li ip6.lowportmax . |
| |
.It Li ip6.maxflows |
| |
IPv6 Fast Forwarding is enabled by default. |
| |
If set to 0, IPv6 Fast Forwarding is disabled. |
| |
.Li ip6.maxflows |
| |
controls the maximum amount of flows which can be created. |
| |
The default value is 256. |
| .It Li ip6.maxfragpackets |
.It Li ip6.maxfragpackets |
| The maximum number of fragmented packets the node will accept. |
The maximum number of fragmented packets the node will accept. |
| 0 means that the node will not accept any fragmented packets. |
0 means that the node will not accept any fragmented packets. |
|
|
| .Dv PF_UNIX |
.Dv PF_UNIX |
| PCBs), and |
PCBs), and |
| .Xr w 1 . |
.Xr w 1 . |
| |
.It Li security.models |
| |
.Nx |
| |
supports pluggable security models. |
| |
Every security model used, whether if loaded as an LKM or built with the system, |
| |
is required to add an entry to this node with at least one element, |
| |
.Dq name , |
| |
indicating the name of the security model. |
| |
.Pp |
| |
In addition to the name, any settings and other information private to the |
| |
security model will be available under this node. |
| |
See |
| |
.Xr secmodel 9 |
| |
for more information. |
| .It Li security.pax |
.It Li security.pax |
| Settings for PaX -- exploit mitigation features. |
Settings for PaX -- exploit mitigation features. |
| |
For more information on any of the PaX features, please see |
| |
.Xr paxctl 8 |
| |
and |
| |
.Xr security 8 . |
| .Pp |
.Pp |
| .Bl -tag -width "123456" |
.Bl -tag -width "123456" |
| |
.It Li security.pax.aslr.enable |
| |
Enable PaX ASLR (Address Space Layout Randomization). |
| |
.Pp |
| |
The value of this |
| |
knob must be non-zero for PaX ASLR to be enabled, even if a program is set to |
| |
explicit enable. |
| |
.It Li security.pax.aslr.global |
| |
Specifies the default global policy for programs without an |
| |
explicit enable/disable flag. |
| |
.Pp |
| |
When non-zero, all programs will get PaX ASLR, except those exempted with |
| |
.Xr paxctl 8 . |
| |
Otherwise, all programs will not get PaX ASLR, except those specifically |
| |
marked as such with |
| |
.Xr paxctl 8 . |
| .It Li security.pax.mprotect.enable |
.It Li security.pax.mprotect.enable |
| Enable PaX MPROTECT restrictions. |
Enable PaX MPROTECT restrictions. |
| .Pp |
.Pp |
| Line 1954 explicit enable/disable flag. |
|
| Line 2032 explicit enable/disable flag. |
|
| .Pp |
.Pp |
| When non-zero, all programs will get the PaX MPROTECT restrictions, |
When non-zero, all programs will get the PaX MPROTECT restrictions, |
| except those exempted with |
except those exempted with |
| .Xr paxctl 1 . |
.Xr paxctl 8 . |
| Otherwise, all programs will not get the PaX MPROTECT restrictions, |
Otherwise, all programs will not get the PaX MPROTECT restrictions, |
| except those specifically marked as such with |
except those specifically marked as such with |
| .Xr paxctl 1 . |
.Xr paxctl 8 . |
| .It Li security.pax.segvguard.enable |
.It Li security.pax.segvguard.enable |
| Enable PaX Segvguard. |
Enable PaX Segvguard. |
| .Pp |
.Pp |
| Please see |
|
| .Xr security 8 |
|
| for more information. |
|
| .Pp |
|
| PaX Segvguard can detect and prevent certain exploitation attempts, where |
PaX Segvguard can detect and prevent certain exploitation attempts, where |
| an attacker may try for example to brute-force function return addresses |
an attacker may try for example to brute-force function return addresses |
| of respawning daemons. |
of respawning daemons. |
| Line 1980 explicit enable/disable flag. |
|
| Line 2054 explicit enable/disable flag. |
|
| .Pp |
.Pp |
| When non-zero, all programs will get the PaX Segvguard, |
When non-zero, all programs will get the PaX Segvguard, |
| except those exempted with |
except those exempted with |
| .Xr paxctl 1 . |
.Xr paxctl 8 . |
| Otherwise, no program will get the PaX Segvguard restrictions, |
Otherwise, no program will get the PaX Segvguard restrictions, |
| except those specifically marked as such with |
except those specifically marked as such with |
| .Xr paxctl 1 . |
.Xr paxctl 8 . |
| .It Li security.pax.segvguard.expiry_timeout |
.It Li security.pax.segvguard.expiry_timeout |
| If the max number was not reached within this timeout (in seconds), the entry |
If the max number was not reached within this timeout (in seconds), the entry |
| will expire. |
will expire. |
![[BACK]](/icons/back.gif){kind=icon}
Return to sysctl.7 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [cvs.NetBSD.org] / src / share / man / man7