diff options
Diffstat (limited to 'share/man/man5')
| -rw-r--r-- | share/man/man5/Makefile | 8 | ||||
| -rw-r--r-- | share/man/man5/group.5 | 3 | ||||
| -rw-r--r-- | share/man/man5/pf.conf.5 | 54 | ||||
| -rw-r--r-- | share/man/man5/rc.conf.5 | 49 | ||||
| -rw-r--r-- | share/man/man5/src.conf.5 | 27 |
5 files changed, 83 insertions, 58 deletions
diff --git a/share/man/man5/Makefile b/share/man/man5/Makefile index 0f6559b236c6..c13a8b7afde2 100644 --- a/share/man/man5/Makefile +++ b/share/man/man5/Makefile @@ -73,9 +73,11 @@ MANGROUPS+= BOOTLOADER BOOTLOADER= device.hints.5 BOOTLOADERPACKAGE=bootloader -MANGROUPS+= CLANG -CLANG= ar.5 -CLANGPACKAGE= clang +.if ${MK_TOOLCHAIN} != "no" +MANGROUPS+= TOOLCHAIN +TOOLCHAIN= ar.5 +TOOLCHAINPACKAGE=toolchain +.endif MANGROUPS+= LP LP= hosts.lpd.5 diff --git a/share/man/man5/group.5 b/share/man/man5/group.5 index 044164a3c955..8f7c59c59d52 100644 --- a/share/man/man5/group.5 +++ b/share/man/man5/group.5 @@ -25,7 +25,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd February 8, 2013 +.Dd August 29, 2025 .Dt GROUP 5 .Os .Sh NAME @@ -145,6 +145,7 @@ may still have this limit. .Sh SEE ALSO .Xr newgrp 1 , .Xr passwd 1 , +.Xr setcred 2 , .Xr setgroups 2 , .Xr crypt 3 , .Xr getgrent 3 , diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index a9ae823257a4..da02f10aac01 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -27,7 +27,7 @@ .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd July 30, 2025 +.Dd August 28, 2025 .Dt PF.CONF 5 .Os .Sh NAME @@ -92,14 +92,20 @@ keyword, for example: include "/etc/pf/sub.filter.conf" .Ed .Sh MACROS -Macros can be defined that will later be expanded in context. -Macro names must start with a letter, and may contain letters, digits -and underscores. -Macro names may not be reserved words (for example +A macro is defined with a command of the form +.Ar name Ns = Ns Ar value . +The macro +.Ar name +can contain letters, digits, and underscores and cannot be a reserved word +(for example, .Ar pass , .Ar in , +or .Ar out ) . -Macros are not expanded inside quotes. +Within unquoted arguments, the string +.Pf $ Ar name +is later expanded to +.Ar value . Ranges of network addresses used in macros that will be expanded in lists later on must be quoted with additional simple quotes. .Pp @@ -267,6 +273,10 @@ which corresponds to the connection state. Each packet which matches this state will reset the TTL. Tuning these values may improve the performance of the firewall at the risk of dropping valid idle connections. +Alternatively, these values may be adjusted collectively +in a manner suitable for a specific environment using +.Cm set optimization +(see above). .Pp .Bl -tag -width xxxx -compact .It Ar tcp.first @@ -274,6 +284,9 @@ The state after the first packet. .It Ar tcp.opening The state after the second packet but before both endpoints have acknowledged the connection. +.It Ar tcp.tsdiff +Maximum allowed time difference between RFC 1323 compliant packet timestamps. +30 seconds by default. .It Ar tcp.established The fully established state. .It Ar tcp.closing @@ -2245,6 +2258,13 @@ When the rate is exceeded, all ICMP is blocked until the rate falls below .It Ar max-pkt-size Aq Ar number Limit each packet to be no more than the specified number of bytes. This includes the IP header, but not any layer 2 header. +.It Ar once +Create a one shot rule. +The first matching packet marks the rule as expired. +Expired rules are skipped and hidden, unless +.Xr pfctl 8 +is used in debug or verbose mode. +.Pp .It Xo Ar queue Aq Ar queue .No \*(Ba ( Aq Ar queue , .Aq Ar queue ) @@ -2470,7 +2490,13 @@ NAT address and port. This feature implements "full-cone" NAT behavior. .El .Pp -Additionally, the +Additionally, options +.Ar sticky-address +and +.Ar prefer-ipv6-nexthop +can be specified to influence how IP addresses selected from pools. +.Pp +The .Ar sticky-address option can be specified to help ensure that multiple connections from the same source are mapped to the same redirection address. @@ -2486,6 +2512,14 @@ beyond the lifetime of the states, increase the global options with See .Sx STATEFUL TRACKING OPTIONS for more ways to control the source tracking. +.Pp +The +.Ar prefer-ipv6-nexthop +option allows for IPv6 addresses to be used as the nexthop +for IPv4 packets routed with the +.Ar route-to +rule option. If a table is used with IPv4 and IPv6 addresses, first the IPv6 addresses +will be used in round-robin fashion, then IPv4 addresses. .Sh STATE MODULATION Much of the security derived from TCP is attributable to how well the initial sequence numbers (ISNs) are chosen. @@ -3416,7 +3450,7 @@ filteropt = user | group | flags | icmp-type | icmp6-type | "tos" tos | [ "(" state-opts ")" ] | "fragment" | "no-df" | "min-ttl" number | "set-tos" tos | "max-mss" number | "random-id" | "reassemble tcp" | - fragmentation | "allow-opts" | + fragmentation | "allow-opts" | "once" | "label" string | "tag" string | [ "!" ] "tagged" string | "max-pkt-rate" number "/" seconds | "set prio" ( number | "(" number [ [ "," ] number ] ")" ) | @@ -3566,7 +3600,7 @@ fragmentation = [ "fragment reassemble" ] timeout-list = timeout [ [ "," ] timeout-list ] timeout = ( "tcp.first" | "tcp.opening" | "tcp.established" | - "tcp.closing" | "tcp.finwait" | "tcp.closed" | + "tcp.closing" | "tcp.finwait" | "tcp.closed" | "tcp.tsdiff" | "sctp.first" | "sctp.opening" | "sctp.established" | "sctp.closing" | "sctp.closed" | "udp.first" | "udp.single" | "udp.multiple" | @@ -3580,7 +3614,7 @@ limit-item = ( "states" | "frags" | "src-nodes" ) number pooltype = ( "bitmask" | "random" | "source-hash" [ ( hex-key | string-key ) ] | - "round-robin" ) [ sticky-address ] + "round-robin" ) [ sticky-address | prefer-ipv6-nexthop ] subqueue = string | "{" queue-list "}" queue-list = string [ [ "," ] string ] diff --git a/share/man/man5/rc.conf.5 b/share/man/man5/rc.conf.5 index de2181d638d1..edbfa937f8df 100644 --- a/share/man/man5/rc.conf.5 +++ b/share/man/man5/rc.conf.5 @@ -22,7 +22,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd July 15, 2025 +.Dd October 5, 2025 .Dt RC.CONF 5 .Os .Sh NAME @@ -3867,27 +3867,6 @@ is set to these are the flags to pass to the .Xr sshd 8 daemon. -.It Va ftpd_program -.Pq Vt str -Path to the FTP server program -.Pa ( /usr/libexec/ftpd -is the default). -.It Va ftpd_enable -.Pq Vt bool -Set to -.Dq Li YES -to start -.Xr ftpd 8 -as a stand-alone daemon at system boot time. -.It Va ftpd_flags -.Pq Vt str -If -.Va ftpd_enable -is set to -.Dq Li YES , -these are the additional flags to pass to the -.Xr ftpd 8 -daemon. .It Va watchdogd_enable .Pq Vt bool If set to @@ -4584,20 +4563,16 @@ If set to .Dq Li YES , delays the start of network-reliant services until .Va netwait_if -is up and ICMP packets to a destination defined in +is up, duplicate address discovery (DAD) has completed, and ICMP +packets to a destination defined in .Va netwait_ip are flowing. -Link state is examined first, followed by +Link state is examined first, followed by DAD, then .Dq Li pinging an IP address to verify network usability. If no destination can be reached or timeouts are exceeded, network services are started anyway with no guarantee that the network is usable. -Use of this variable requires both -.Va netwait_ip -and -.Va netwait_if -to be set. .It Va netwait_ip .Pq Vt str Empty by default. @@ -4633,6 +4608,21 @@ interface if desired. Defines the total number of seconds to wait for link to become usable, polled at a 1-second interval. The default is 30. +.It Va netwait_dad +.Pq Vt str +Set to +.Dq Li NO +by default. +Set to +.Dq Li YES +to enable waiting for DAD to complete. +.It Va netwait_dad_timeout +.Pq Vt int +Unset by default. +Indicates the maximum number of seconds to wait for DAD to complete. +If zero or unset, the timeout will be one more than the value of the +.Va net.inet6.ip6.dad_count +sysctl variable. .It Va rctl_enable .Pq Vt bool If set to @@ -5116,7 +5106,6 @@ to .Xr cron 8 , .Xr devfs 8 , .Xr dhclient 8 , -.Xr ftpd 8 , .Xr geli 8 , .Xr hcsecd 8 , .Xr ifconfig 8 , diff --git a/share/man/man5/src.conf.5 b/share/man/man5/src.conf.5 index 2895c0cf4746..5c8ae5b83e5f 100644 --- a/share/man/man5/src.conf.5 +++ b/share/man/man5/src.conf.5 @@ -1,5 +1,5 @@ .\" DO NOT EDIT-- this file is @generated by tools/build/options/makeman. -.Dd August 20, 2025 +.Dd September 25, 2025 .Dt SRC.CONF 5 .Os .Sh NAME @@ -29,8 +29,11 @@ variables that control the aspects of how the system builds. .Pp The default location of .Nm -is -.Pa /etc/src.conf , +is the top level of the source tree, or +.Pa /etc/src.conf +if no +.Nm +is found in the source tree itself, though an alternative location can be specified in the .Xr make 1 variable @@ -239,8 +242,7 @@ is set explicitly) Build some programs without .Xr libblacklist 3 support, like -.Xr fingerd 8 , -.Xr ftpd 8 , +.Xr fingerd 8 and .Xr sshd 8 . .It Va WITHOUT_BLUETOOTH @@ -717,9 +719,7 @@ Do not build .Xr freebsd-update 8 . .It Va WITHOUT_FTP Do not build or install -.Xr ftp 1 -and -.Xr ftpd 8 . +.Xr ftp 1 . .It Va WITHOUT_GAMES Do not build games. .It Va WITHOUT_GNU_DIFF @@ -1212,8 +1212,8 @@ is set explicitly) .It Va WITHOUT_MANCOMPRESS Do not install compressed man pages. Only the uncompressed versions will be installed. -.It Va WITHOUT_MANSPLITPKG -Do not split man pages into their own packages during make package. +.It Va WITH_MANSPLITPKG +Split man pages into their own packages during make package. .It Va WITHOUT_MAN_UTILS Do not build utilities for manual pages, .Xr apropos 1 , @@ -1478,10 +1478,9 @@ When set, these options are also in effect: is set explicitly) .El .It Va WITHOUT_PAM_SUPPORT -Build some programs without PAM support, particularly -.Xr ftpd 8 -and -.Xr ppp 8 . +Build +.Xr ppp 8 +without PAM support. .It Va WITHOUT_PF Do not build PF firewall package. When set, it enforces these options: |