diff options
Diffstat (limited to 'share/man/man5')
| -rw-r--r-- | share/man/man5/group.5 | 3 | ||||
| -rw-r--r-- | share/man/man5/pf.conf.5 | 45 | ||||
| -rw-r--r-- | share/man/man5/src.conf.5 | 36 |
3 files changed, 54 insertions, 30 deletions
diff --git a/share/man/man5/group.5 b/share/man/man5/group.5 index 044164a3c955..8f7c59c59d52 100644 --- a/share/man/man5/group.5 +++ b/share/man/man5/group.5 @@ -25,7 +25,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd February 8, 2013 +.Dd August 29, 2025 .Dt GROUP 5 .Os .Sh NAME @@ -145,6 +145,7 @@ may still have this limit. .Sh SEE ALSO .Xr newgrp 1 , .Xr passwd 1 , +.Xr setcred 2 , .Xr setgroups 2 , .Xr crypt 3 , .Xr getgrent 3 , diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index a9ae823257a4..02114b3eaf3c 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -27,7 +27,7 @@ .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd July 30, 2025 +.Dd August 25, 2025 .Dt PF.CONF 5 .Os .Sh NAME @@ -92,14 +92,20 @@ keyword, for example: include "/etc/pf/sub.filter.conf" .Ed .Sh MACROS -Macros can be defined that will later be expanded in context. -Macro names must start with a letter, and may contain letters, digits -and underscores. -Macro names may not be reserved words (for example +A macro is defined with a command of the form +.Ar name Ns = Ns Ar value . +The macro +.Ar name +can contain letters, digits, and underscores and cannot be a reserved word +(for example, .Ar pass , .Ar in , +or .Ar out ) . -Macros are not expanded inside quotes. +Within unquoted arguments, the string +.Pf $ Ar name +is later expanded to +.Ar value . Ranges of network addresses used in macros that will be expanded in lists later on must be quoted with additional simple quotes. .Pp @@ -267,6 +273,10 @@ which corresponds to the connection state. Each packet which matches this state will reset the TTL. Tuning these values may improve the performance of the firewall at the risk of dropping valid idle connections. +Alternatively, these values may be adjusted collectively +in a manner suitable for a specific environment using +.Cm set optimization +(see above). .Pp .Bl -tag -width xxxx -compact .It Ar tcp.first @@ -274,6 +284,9 @@ The state after the first packet. .It Ar tcp.opening The state after the second packet but before both endpoints have acknowledged the connection. +.It Ar tcp.tsdiff +Maximum allowed time difference between RFC 1323 compliant packet timestamps. +30 seconds by default. .It Ar tcp.established The fully established state. .It Ar tcp.closing @@ -2470,7 +2483,13 @@ NAT address and port. This feature implements "full-cone" NAT behavior. .El .Pp -Additionally, the +Additionally, options +.Ar sticky-address +and +.Ar prefer-ipv6-nexthop +can be specified to influence how IP addresses selected from pools. +.Pp +The .Ar sticky-address option can be specified to help ensure that multiple connections from the same source are mapped to the same redirection address. @@ -2486,6 +2505,14 @@ beyond the lifetime of the states, increase the global options with See .Sx STATEFUL TRACKING OPTIONS for more ways to control the source tracking. +.Pp +The +.Ar prefer-ipv6-nexthop +option allows for IPv6 addresses to be used as the nexthop +for IPv4 packets routed with the +.Ar route-to +rule option. If a table is used with IPv4 and IPv6 addresses, first the IPv6 addresses +will be used in round-robin fashion, then IPv4 addresses. .Sh STATE MODULATION Much of the security derived from TCP is attributable to how well the initial sequence numbers (ISNs) are chosen. @@ -3566,7 +3593,7 @@ fragmentation = [ "fragment reassemble" ] timeout-list = timeout [ [ "," ] timeout-list ] timeout = ( "tcp.first" | "tcp.opening" | "tcp.established" | - "tcp.closing" | "tcp.finwait" | "tcp.closed" | + "tcp.closing" | "tcp.finwait" | "tcp.closed" | "tcp.tsdiff" | "sctp.first" | "sctp.opening" | "sctp.established" | "sctp.closing" | "sctp.closed" | "udp.first" | "udp.single" | "udp.multiple" | @@ -3580,7 +3607,7 @@ limit-item = ( "states" | "frags" | "src-nodes" ) number pooltype = ( "bitmask" | "random" | "source-hash" [ ( hex-key | string-key ) ] | - "round-robin" ) [ sticky-address ] + "round-robin" ) [ sticky-address | prefer-ipv6-nexthop ] subqueue = string | "{" queue-list "}" queue-list = string [ [ "," ] string ] diff --git a/share/man/man5/src.conf.5 b/share/man/man5/src.conf.5 index 94e5a0cfc8b9..ded16c9cf436 100644 --- a/share/man/man5/src.conf.5 +++ b/share/man/man5/src.conf.5 @@ -1,5 +1,5 @@ .\" DO NOT EDIT-- this file is @generated by tools/build/options/makeman. -.Dd August 4, 2025 +.Dd September 10, 2025 .Dt SRC.CONF 5 .Os .Sh NAME @@ -29,8 +29,11 @@ variables that control the aspects of how the system builds. .Pp The default location of .Nm -is -.Pa /etc/src.conf , +is the top level of the source tree, or +.Pa /etc/src.conf +if no +.Nm +is found in the source tree itself, though an alternative location can be specified in the .Xr make 1 variable @@ -413,6 +416,9 @@ Avoid building the ARCMigrate, Rewriter and StaticAnalyzer components of the Clang C/C++ compiler. .It Va WITH_CLEAN Clean before building world and/or kernel. +Note that recording a new epoch in +.Pa .clean_build_epoch +in the root of the source tree will also force a clean world build. .It Va WITHOUT_CPP Do not build .Xr cpp 1 . @@ -449,8 +455,6 @@ When set, it enforces these options: .It .Va WITHOUT_KERBEROS .It -.Va WITHOUT_KERBEROS_SUPPORT -.It .Va WITHOUT_LDNS .It .Va WITHOUT_LDNS_UTILS @@ -477,9 +481,9 @@ When set, it enforces these options: When set, these options are also in effect: .Pp .Bl -inset -compact -.It Va WITHOUT_GSSAPI +.It Va WITHOUT_KERBEROS_SUPPORT (unless -.Va WITH_GSSAPI +.Va WITH_KERBEROS_SUPPORT is set explicitly) .El .It Va WITH_CTF @@ -736,8 +740,6 @@ and dependent tests. Do not build .Xr gpioctl 8 as part of the base system. -.It Va WITHOUT_GSSAPI -Do not build libgssapi. .It Va WITHOUT_HAST Do not build .Xr hastd 8 @@ -837,14 +839,10 @@ Do not build and .Xr truss 1 . .It Va WITHOUT_KERBEROS -Set this to not build Kerberos 5 (KTH Heimdal). +Set this to not build Kerberos. When set, these options are also in effect: .Pp .Bl -inset -compact -.It Va WITHOUT_GSSAPI -(unless -.Va WITH_GSSAPI -is set explicitly) .It Va WITHOUT_KERBEROS_SUPPORT (unless .Va WITH_KERBEROS_SUPPORT @@ -1217,8 +1215,8 @@ is set explicitly) .It Va WITHOUT_MANCOMPRESS Do not install compressed man pages. Only the uncompressed versions will be installed. -.It Va WITHOUT_MANSPLITPKG -Do not split man pages into their own packages during make package. +.It Va WITH_MANSPLITPKG +Split man pages into their own packages during make package. .It Va WITHOUT_MAN_UTILS Do not build utilities for manual pages, .Xr apropos 1 , @@ -1430,8 +1428,6 @@ When set, it enforces these options: .It .Va WITHOUT_KERBEROS .It -.Va WITHOUT_KERBEROS_SUPPORT -.It .Va WITHOUT_LDNS .It .Va WITHOUT_LDNS_UTILS @@ -1456,9 +1452,9 @@ When set, it enforces these options: When set, these options are also in effect: .Pp .Bl -inset -compact -.It Va WITHOUT_GSSAPI +.It Va WITHOUT_KERBEROS_SUPPORT (unless -.Va WITH_GSSAPI +.Va WITH_KERBEROS_SUPPORT is set explicitly) .El .It Va WITHOUT_OPENSSL_KTLS |