
Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.

Diff for /src/share/man/man7/sysctl.7 between version 1.3 and 1.6

version 1.3, 2006/12/23 08:06:54 version 1.6, 2007/03/12 14:37:28
Line 29 
Line 29 
 .\"  .\"
 .\"     @(#)sysctl.3    8.4 (Berkeley) 5/9/95  .\"     @(#)sysctl.3    8.4 (Berkeley) 5/9/95
 .\"  .\"
 .Dd December 4, 2006  .Dd February 2, 2007
 .Dt SYSCTL 7  .Dt SYSCTL 7
 .Os  .Os
 .Sh NAME  .Sh NAME
Line 1073  This cannot be set to less than 0 or gre
Line 1073  This cannot be set to less than 0 or gre
 be smaller than  be smaller than
 .Li ip.lowportmax .  .Li ip.lowportmax .
 .It Li ip.maxflows  .It Li ip.maxflows
 IP Fast Forwarding is enabled by default.  IPv4 Fast Forwarding is enabled by default.
 If set to 0, IP Fast Forwarding is disabled.  If set to 0, IPv4 Fast Forwarding is disabled.
 .Li ip.maxflows  .Li ip.maxflows
 controls the maximum amount of flows which can be created.  controls the maximum amount of flows which can be created.
 The default value is 256.  The default value is 256.
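Review bot: in the ip.maxflows entry, "If set to 0, IPv4 Fast Forwarding is disabled." still does not say what is being set to 0, because the variable is only named in the sentence that follows. While rewording this paragraph, lead with ".Li ip.maxflows controls the maximum ..." and then state that a value of 0 disables IPv4 Fast Forwarding. The context line "maximum amount of flows" would also read better as "maximum number of flows".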
Line 1295  The currently defined protocols and name
Line 1295  The currently defined protocols and name
 .It ip6 log_interval    integer yes  .It ip6 log_interval    integer yes
 .It ip6 lowportmax      integer yes  .It ip6 lowportmax      integer yes
 .It ip6 lowportmin      integer yes  .It ip6 lowportmin      integer yes
   .It ip6 maxflows        integer yes
 .It ip6 maxfragpackets  integer yes  .It ip6 maxfragpackets  integer yes
 .It ip6 maxfrags        integer yes  .It ip6 maxfrags        integer yes
 .It ip6 redirect        integer yes  .It ip6 redirect        integer yes
Line 1385  The lowest port number to use for TCP an
Line 1386  The lowest port number to use for TCP an
 This cannot be set to less than 0 or greater than 1024, and must  This cannot be set to less than 0 or greater than 1024, and must
 be smaller than  be smaller than
 .Li ip6.lowportmax .  .Li ip6.lowportmax .
   .It Li ip6.maxflows
   IPv6 Fast Forwarding is enabled by default.
   If set to 0, IPv6 Fast Forwarding is disabled.
   .Li ip6.maxflows
   controls the maximum amount of flows which can be created.
   The default value is 256.
 .It Li ip6.maxfragpackets  .It Li ip6.maxfragpackets
 The maximum number of fragmented packets the node will accept.  The maximum number of fragmented packets the node will accept.
 0 means that the node will not accept any fragmented packets.  0 means that the node will not accept any fragmented packets.
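Review bot: the new ip6.maxflows entry is a word-for-word copy of the ip.maxflows text with only the protocol name changed, so it inherits the same ordering problem: "If set to 0, IPv6 Fast Forwarding is disabled." comes before the sentence that names ip6.maxflows. Put the ".Li ip6.maxflows controls ..." sentence first, and use "maximum number of flows" rather than "maximum amount of flows". The entry also does not say what happens once the limit is reached; one sentence on that would help anyone tuning the value.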
Line 1935  and
Line 1942  and
 .Dv PF_UNIX  .Dv PF_UNIX
 PCBs), and  PCBs), and
 .Xr w 1 .  .Xr w 1 .
   .It Li security.models
   .Nx
   supports pluggable security models.
   Every security model used, whether if loaded as an LKM or built with the system,
   is required to add an entry to this node with at least one element,
   .Dq name ,
   indicating the name of the security model.
   .Pp
   In addition to the name, any settings and other information private to the
   security model will be available under this node.
   See
   .Xr secmodel 9
   for more information.
 .It Li security.pax  .It Li security.pax
 Settings for PaX -- exploit mitigation features.  Settings for PaX -- exploit mitigation features.
   For more information on any of the PaX features, please see
   .Xr paxctl 8
   and
   .Xr security 8 .
 .Pp  .Pp
 .Bl -tag -width "123456"  .Bl -tag -width "123456"
 .It Li security.pax.mprotect.enable  .It Li security.pax.mprotect.enable
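Review bot: the added security.models text has a grammar slip in "whether if loaded as an LKM or built with the system"; drop the "if" so it reads "whether loaded as an LKM or built with the system". "add an entry to this node" would also be clearer as "add an entry under this node", matching "will be available under this node" in the next paragraph. The consolidated pointer to paxctl 8 and security 8 at the top of security.pax is fine.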
Line 1954  explicit enable/disable flag.
Line 1978  explicit enable/disable flag.
 .Pp  .Pp
 When non-zero, all programs will get the PaX MPROTECT restrictions,  When non-zero, all programs will get the PaX MPROTECT restrictions,
 except those exempted with  except those exempted with
 .Xr paxctl 1  .  .Xr paxctl 8  .
 Otherwise, all programs will not get the PaX MPROTECT restrictions,  Otherwise, all programs will not get the PaX MPROTECT restrictions,
 except those specifically marked as such with  except those specifically marked as such with
 .Xr paxctl 1 .  .Xr paxctl 8 .
 .It Li security.pax.segvguard.enable  .It Li security.pax.segvguard.enable
 Enable PaX Segvguard.  Enable PaX Segvguard.
 .Pp  .Pp
 Please see  
 .Xr security 8  
 for more information.  
 .Pp  
 PaX Segvguard can detect and prevent certain exploitation attempts, where  PaX Segvguard can detect and prevent certain exploitation attempts, where
 an attacker may try for example to brute-force function return addresses  an attacker may try for example to brute-force function return addresses
 of respawning daemons.  of respawning daemons.
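Review bot: the first replaced reference in the mprotect.enable paragraph is written ".Xr paxctl 8  ." with two spaces before the period, while the second is ".Xr paxctl 8 ."; make the spacing consistent since both lines are being changed anyway. The context line "Otherwise, all programs will not get the PaX MPROTECT restrictions," is ambiguous; the Segvguard entry uses "no program will get", and the same wording should be used here.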
Line 1980  explicit enable/disable flag.
Line 2000  explicit enable/disable flag.
 .Pp  .Pp
 When non-zero, all programs will get the PaX Segvguard,  When non-zero, all programs will get the PaX Segvguard,
 except those exempted with  except those exempted with
 .Xr paxctl 1  .  .Xr paxctl 8  .
 Otherwise, no program will get the PaX Segvguard restrictions,  Otherwise, no program will get the PaX Segvguard restrictions,
 except those specifically marked as such with  except those specifically marked as such with
 .Xr paxctl 1 .  .Xr paxctl 8 .
 .It Li security.pax.segvguard.expiry_timeout  .It Li security.pax.segvguard.expiry_timeout
 If the max number was not reached within this timeout (in seconds), the entry  If the max number was not reached within this timeout (in seconds), the entry
 will expire.  will expire.
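Review bot: in the segvguard.enable paragraph the two sentences being touched are not parallel: "all programs will get the PaX Segvguard," versus "no program will get the PaX Segvguard restrictions,". Add "restrictions" to the first so both read the same way. As in the MPROTECT paragraph, ".Xr paxctl 8  ." carries a stray extra space before the period that the second reference does not have.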
