History log of /src/lib/libc/gen/sysctl.3
Revision  Date  Author  Comments
 1.207  04-Dec-2022  uwe lib: Mark up error names in man pages with .Er
 1.206  15-Sep-2019  wiz Fix markup, and remove two superfluous Pp.
 1.205  15-Sep-2019  christos fix wrong names and add markup
 1.204  06-Sep-2018  maxv fix references, the things were moved into netipsec/ a while ago
 1.203  03-Jul-2017  wiz branches: 1.203.4; 1.203.6;
Remove workaround for ancient HTML generation code.
 1.202  13-Jun-2014  wiz Remove trailing whitespace. Use more markup. Merge sections describing
the same error code.
 1.201  13-Jun-2014  joerg Add asysctl(3) and asysctlbyname(3) wrappers for the common idiom of
fetching dynamically sized data via sysctl.
 1.200  22-Mar-2010  joerg branches: 1.200.12; 1.200.22;
Use .In for header files instead of .Ar Pa and variations.
 1.199  26-Sep-2009  elad CTLFLAG_READONLY[12] are long gone.
 1.198  22-Jul-2009  alc Bump date.
 1.197  22-Jul-2009  alc Constify the fourth argument of sysctlbyname(3) (i.e. `newp', the pointer to
the new value).

This change syncs sysctl(3) and sysctlbyname(3) prototypes.

No objection on <tech-userlevel>
 1.196  11-Jan-2009  christos merge christos-time_t
 1.195  11-Nov-2008  reed Reference secmodel_securelevel(9) manual page.
 1.194  17-Sep-2008  christos branches: 1.194.4; 1.194.6;
From Ilya Dogolazky: Fix return value doc.
 1.193  18-Dec-2006  wiz branches: 1.193.12;
Sort error descriptions.
 1.192  04-Dec-2006  pavel Move the description of sysctl MIBs from sysctl.3 to a new manual page
sysctl.7. Remove the list of MIBs from sysctl.8 so we don't have to
maintain duplicate information, as proposed by YAMAMOTO Takashi on
tech-userlevel. Also remove references to header files from sysctl.8.

The numeric constants remain documented, they are still needed in some
cases. See the discussion on tech-userlevel. ("mib list in sysctl.8")

OK by YAMAMOTO Takashi.
 1.191  27-Nov-2006  elad branches: 1.191.2; 1.191.6;
Adapt to recent Veriexec sysctl(9) changes.
 1.190  25-Nov-2006  christos PR/34837: Mindaguas: Add SysV SHM dynamic reallocation and locking to the
physical memory
 1.189  23-Nov-2006  elad Add note about Segvguard interface/implementation being experimental and
with the potential to change in future releases.
 1.188  22-Nov-2006  elad Initial implementation of PaX Segvguard (this is still work-in-progress,
it's just to get it out of my local tree).
 1.187  19-Oct-2006  yamt document tcp.abc.
 1.186  13-Oct-2006  wiz Bump date for previous.
 1.185  09-Oct-2006  rpaulo Modular (I tried ;-) TCP congestion control API. Whenever certain conditions
happen in the TCP stack, this interface calls the specified callback to
handle the situation according to the currently selected congestion
control algorithm.
A new sysctl node was created: net.inet.tcp.congctl.{available,selected}
with obvious meanings.
The old net.inet.tcp.newreno MIB was removed.
The API is discussed in tcp_congctl(9).

In the near future, it will be possible to select a congestion control
algorithm on a per-socket basis.

Discussed on tech-net and reviewed by <yamt>.
 1.184  08-Oct-2006  elad PR/27233: Arto Selonen: 'options BUFCACHE' vs. 'sysctl vm.bufcache'
documentation differs
 1.183  26-Sep-2006  elad Change the PaX mprotect(2) restrictions' "global_protection" knob to
just "global" -- it's shorter and more readable. Update documentation.
 1.182  06-Sep-2006  wiz Only mark up one word, not the whole sentence.
 1.181  06-Sep-2006  liamjfoy document net.inet.ip.maxflows. bump date.
 1.180  05-Sep-2006  rpaulo Import of TCP ECN algorithm for congestion control.
Both available for IPv4 and IPv6.
Basic implementation test results are available at
http://netbsd-soc.sourceforge.net/projects/ecn/testresults.html.

Work sponsored by the Google Summer of Code project 2006.
Special thanks to Kentaro Kurahone, Allen Briggs and Matt Thomas for their
help, comments and support during the project.
 1.179  04-Sep-2006  liamjfoy Update for carp(4). Bump date.

from openbsd
 1.178  11-Aug-2006  christos Pretending to be Elad's keyboard:

fileassoc.diff adds a fileassoc_table_run() routine that allows you to
pass a callback to be called with every entry on a given mount.

veriexec.diff adds some raw device access policies: if raw disk is
opened at strict level 1, all fingerprints on this disk will be
invalidated as a safety measure. level 2 will not allow opening disk
for raw writing if we monitor it, and prevent raw writes to memory.
level 3 will not allow opening any disk for raw writing.

both update all relevant documentation.

veriexec concept is okay blymn@.
 1.177  24-Jul-2006  wiz branches: 1.177.2;
Remove superfluous word, add comma to make it easier to parse.
 1.176  24-Jul-2006  elad blymn made ips mode prevent execution of non-monitored files; document
that.
 1.175  24-Jul-2006  elad ugh.. forgot to document no removal in ids mode.
 1.174  22-Jul-2006  elad "verified exec" -> "veriexec" + some minor tweaks.
 1.173  14-Jul-2006  wiz Punctuation nits.
 1.172  14-Jul-2006  elad move security.setid_core.* to kern.coredump.setid.*, as requested by yamt@.
 1.171  14-Jul-2006  elad okay, since there was no way to divide this to two commits, here it goes..

introduce fileassoc(9), a kernel interface for associating meta-data with
files using in-kernel memory. this is very similar to what we had in
veriexec till now, only abstracted so it can be used more easily by more
consumers.

this also prompted the redesign of the interface, making it work on vnodes
and mounts and not directly on devices and inodes. internally, we still
use file-id but that's gonna change soon... the interface will remain
consistent.

as a result, veriexec went under some heavy changes to conform to the new
interface. since we no longer use device numbers to identify file-systems,
the veriexec sysctl stuff changed too: kern.veriexec.count.dev_N is now
kern.veriexec.tableN.* where 'N' is NOT the device number but rather a
way to distinguish several mounts.

also worth noting is the plugging of unmount/delete operations
wrt/fileassoc and veriexec.

tons of input from yamt@, wrstuden@, martin@, and christos@.
 1.170  16-May-2006  elad Introduce PaX MPROTECT -- mprotect(2) restrictions used to strengthen
W^X mappings.

Disabled by default.

First proposed in:

http://mail-index.netbsd.org/tech-security/2005/12/18/0000.html

More information in:

http://pax.grsecurity.net/docs/mprotect.txt

Read relevant parts of options(4) and sysctl(3) before using!

Lots of thanks to the PaX author and Matt Thomas.
 1.169  26-Apr-2006  wiz Bump date for previous, uppercase I/O, serial comma, remove trailing space.
 1.168  25-Apr-2006  blymn Change DISKSTATS to IOSTATS, document new i/o stats sysctl.
 1.167  24-Feb-2006  wiz Bump date for previous.
 1.166  24-Feb-2006  drochner complete constification of the sysctl() user side
 1.165  02-Feb-2006  elad document knobs for security.setid_core.

while i'm here... catch up with reality: no more SECURITY_CURTAIN;
now we have security.curtain. (no constant)
 1.164  14-Jan-2006  wiz Replace statfs(2) with statvfs(2).
 1.163  14-Jan-2006  elad sync & sort kern.
 1.162  14-Jan-2006  elad sort vm.
 1.161  14-Jan-2006  elad sync & sort hw.
 1.160  13-Jan-2006  elad Sync net.{inet,inet6}.
 1.159  01-Dec-2005  wiz Bump date for previous. Remove trailing whitespace.
 1.158  01-Dec-2005  elad Change the entry from "foobar" to "not applicable" in the "Changeable"
field of kern.veriexec.count.. no idea how that went unnoticed. :)
 1.157  06-Oct-2005  simonb Add a full-stop to the end of a sentence.
 1.156  06-Oct-2005  wiz Fix typo. Add some commas. Improve markup.
 1.155  03-Oct-2005  elad Document security level for sysctl and security.curtain.

Hi Hubert! :)
 1.154  24-Sep-2005  rpaulo Document kern.hardclock_ticks. Pointed out by Hubert.
 1.153  17-Jul-2005  isaki Correct a typo.
 1.152  20-Jun-2005  elad - Use more calls to veriexec_report() where possible.

- Change #ifdef VERIFIED_EXEC_VERBOSE to another verbose level, 2. Add
sysctl(3) bits.

- Simplify access type conflict handling during load. This depends on
the values of access type defines to be ordered from least to most
'strict'.
 1.151  17-Jun-2005  wiz New sentence, new line.
 1.150  17-Jun-2005  elad More veriexec changes:

- Better organize strict level. Now we have 4 levels:
  - Level 0, learning mode: Warnings only about anything that might've
    resulted in 'access denied' or similar in a higher strict level.

  - Level 1, IDS mode:
    - Deny access on fingerprint mismatch.
    - Deny modification of veriexec tables.

  - Level 2, IPS mode:
    - All implications of strict level 1.
    - Deny write access to monitored files.
    - Prevent removal of monitored files.
    - Enforce access type - 'direct', 'indirect', or 'file'.

  - Level 3, lockdown mode:
    - All implications of strict level 2.
    - Prevent creation of new files.
    - Deny access to non-monitored files.

- Update sysctl(3) man-page with above. (date bumped too :)

- Remove FINGERPRINT_INDIRECT from possible fp_status values; it's no
longer needed.

- Simplify veriexec_removechk() in light of new strict level policies.

- Eliminate use of 'securelevel'; veriexec now behaves according to
its strict level only.
 1.149  24-May-2005  wiz New sentence, new line. <> -> Aq. Bump date for previous.
 1.148  24-May-2005  elad Add man-page bits about the 'count' node.
 1.147  19-May-2005  elad Some changes in veriexec.

New features:

- Add a veriexec_report() routine to make most reporting consistent and
remove some common code.
- Add 'strict' mode that controls how veriexec behaves.
- Add sysctl knobs:
  o kern.veriexec.verbose controls verbosity levels. Value: 0, 1.
  o kern.veriexec.strict controls strict level. Values: 0, 1, 2. See
    documentation in sysctl(3) for details.
  o kern.veriexec.algorithms returns a string with a space separated
    list of supported hashing algorithms in veriexec.
- Updated documentation in man pages for sysctl(3) and sysctl(8).

Bug fixes:

- veriexec_removechk(): Code cleanup + handle FINGERPRINT_NOTEVAL
correctly.
- exec_script(): Don't pass 0 as flag when executing a script; use the
defined VERIEXEC_INDIRECT - which is 1. Makes indirect execution
enforcement work.
- Fix some printing formats and types..
 1.146  09-Apr-2005  atatat Mention that the number after CTL_NET is "usually the protocol", but
may not be (see net.bpf).
 1.145  30-Mar-2005  yamt s of sack is selective, not selection. pointed by Michael Eriksson.
 1.144  22-Mar-2005  wiz Wording improvements, from yamt@
 1.143  21-Mar-2005  yamt update tcp.sack. noted by Hubert Feyrer.
 1.142  27-Dec-2004  christos branches: 1.142.2;
RTC_OFFSET is writable; sync with sysctl.8
 1.141  15-Oct-2004  enami Fix some typos.
 1.140  15-Oct-2004  daniel Add vm.bufcache, vm.bufmem, vm.bufmem_lowater, vm.bufmem_hiwater (PR misc/27247, misc/27233).
 1.139  27-Aug-2004  wiz Bump date for removal of net.key.random_int.
 1.138  27-Aug-2004  itojun remove net.key.random_int
 1.137  05-Jul-2004  cube KERN_CP_TIME returns an array of uint64_ts, not longs, as noted by Adam
Sampson in PR 23190. Also, tell about ``kern.cp_time.#CPU''.
 1.136  02-Jul-2004  heas UDP checksums are always checked (RFC1122 S4.1.3.4), it is not controllable
by net.inet.udp.checksum.
 1.135  25-Mar-2004  wiz branches: 1.135.2;
Bump date for previous; new sentence, new line;
remove duplicate word and fix a punctuation typo.
 1.134  25-Mar-2004  atatat Move sysctlbyname(), sysctlnametomib(), and sysctlgetmibinfo() from
sysctl(8) into libc, making the minor number jump. Add prototypes to
sys/sysctl.h, fix sets, modify man pages, etc. That oughta cover it.
 1.133  24-Mar-2004  snj Bump date for last; avoid direct use of &, < and >; drop trailing space.
 1.132  24-Mar-2004  atatat Bring sysctl man pages up to date (wrt new query interface, the
versioning, and descriptions).
 1.131  08-Jan-2004  wiz There is no sysctl(9) (yet?), comment it out;
fix a typo.
 1.130  07-Jan-2004  atatat Add descriptions of flags.
 1.129  03-Jan-2004  wiz Uppercase CPU; mark up NULL; remove superfluous word; simplify macro usage.
 1.128  03-Jan-2004  atatat At long last, add descriptions of new "dynamic" operations.
 1.127  09-Dec-2003  wiz Bump date for previous (hi andrew!).
 1.126  09-Dec-2003  atatat Update man page to correct PROC_* names (addresses PR lib/23645) and
also describe the new PROC_PID_STOPEXIT variable.

Man page still not updated to include new features. I'm still working
on that.
 1.125  23-Nov-2003  wiz New sentence, new line. Remove trailing spaces.
 1.124  23-Nov-2003  jhawk Bump Dd.
better explain the interactions between ip.mtudisc and tcp.mssdflt,
with regards to the TCP segment size.
ip.mtudisc is not read-only, as was implied by "returns"
XXX: this ("returns") should be corrected for other parameters, too.
Xr tcp(4)
 1.123  15-Oct-2003  wiz Slight improvements.
 1.122  28-Sep-2003  dsl Simon has persuaded me to remove the 'sizeof (struct kinfo_drivers)' field.
 1.121  27-Sep-2003  dsl Add KERN_ROOT_PARTITION and KERN_DRIVERS
 1.120  07-Sep-2003  wiz Consistently use 'RFC 1234' instead of 'RFC1234' or 'RFC-1234'.
From jmc@openbsd.
 1.119  07-Aug-2003  agc Move UCB-licensed code from 4-clause to 3-clause licence.

Patches provided by Joel Baker in PR 22280, verified by myself.
 1.118  27-Jun-2003  wiz Pa Aq -> Aq Pa; Sy Pa -> Sy.
 1.117  03-May-2003  wiz Misc. fixes from jmc@openbsd.
 1.116  19-Apr-2003  christos add ident.
 1.115  16-Apr-2003  wiz Use
.In header.h
instead of
.Fd #include \*[Lt]header.h\*[Gt]
Much easier to read and write, and supported by groff for ages.
Okayed by ross.
 1.114  12-Apr-2003  dogcow Document ip.checkinterface
 1.113  11-Apr-2003  salo Document HW_CNMAGIC, fix HW_PHYSMEM64 and HW_USERMEM64 format in the table,
describe HW_MACHINE_ARCH and HW_ALIGNBYTES in the same order as listed in the
table.
 1.112  17-Mar-2003  wiz Consistent tab usage.
 1.111  06-Mar-2003  thorpej HW_PHYSPAGES -> HW_PHYSMEM64, HW_USERPAGES -> HW_USERMEM64.
 1.110  01-Mar-2003  thorpej Document net.inet.tcp.init_win_local.
 1.109  27-Feb-2003  thorpej Document hw.physpages and hw.userpages.
 1.108  02-Feb-2003  kleink Add sysconf(3) knobs for recent additions.
 1.107  02-Jan-2003  jschauma Fix typos pointed out by Igor Sobrado in PR misc/19621.
 1.106  19-Dec-2002  kleink Add a sysconf(3) knob for {ATEXIT_MAX}.
 1.105  18-Dec-2002  wiz new sentence, new line.
 1.104  18-Dec-2002  wiz exec lives in section 3, not 2.
 1.103  11-Dec-2002  jdolecek Add kern.forkfsleep sysctl - set/get time (in milliseconds) for which
process would be forced to sleep in fork() if it hits either global
or user maxproc limit. Default is zero (no forced sleep).
Maximum is 20 seconds.
 1.102  11-Dec-2002  scw Add two sysctls: kern.labelsector and kern.labeloffset.
These are of use to userland code which previously depended on the
hard-coded values of LABELSECTOR and LABELOFFSET to figure out the
location of the disklabel for a particular platform.

With the introduction of umbrella ports such as evbarm, evbmips, etc,
the location of the disklabel may vary between kernels for the same
MACHINE. This sysctl will allow userland programs to remain independent
of the particular flavour of MACHINE in such cases.
 1.101  07-Nov-2002  wiz New sentence, new line (hi manu!). Drop trailing whitespace.
 1.100  07-Nov-2002  manu Added two sysctl-able flags: proc.curproc.stopfork and proc.curproc.stopexec
that can be used to block a process after fork(2) or exec(2) calls. The
new process is created in the SSTOP state and is never scheduled for running.

This feature is designed so that it is easy to attach the process using gdb
before it has done anything.

It works also with sproc, kthread_create, clone...
 1.99  01-Oct-2002  wiz \-1 and .Dv NULL.
 1.98  01-Oct-2002  wiz New sentence, new line. From Robert Elz.
 1.97  20-Aug-2002  wiz Fix Ns abuse.
 1.96  10-Jul-2002  wiz Drop trailing space.
 1.95  13-Jun-2002  itojun net.inet.ip.redirtimeout default value changed
 1.94  28-May-2002  itojun document net.inet6.ip6.maxfrags
 1.93  19-May-2002  itojun branches: 1.93.2;
document net.key.* sysctl. provide sysctl MIB for controlling
proposal payload on ACQUIRE message. sync w/kame
 1.92  14-May-2002  itojun rename: net.inet6.ip6.bindv6only -> net.inet6.ip6.v6only
sync w/kame.
 1.91  14-May-2002  itojun s/IPV6_BINDV6ONLY/IPV6_V6ONLY/
 1.90  26-Feb-2002  martin Note ip.grettl
 1.89  10-Feb-2002  ross fix <> string names
 1.88  07-Feb-2002  ross generate & symbolically
 1.87  07-Feb-2002  ross Generate <>& symbolically.
 1.86  07-Feb-2002  ross Edit -mdoc usage.

* There is no -indent option to .Bd or .Bl, although you would
never know that from its frequent use in this tree. There is a
"-offset indent" combination that makes sense, and you can certainly
say "-width indent".

* Also, you can't markup the -width option argument, tho you CAN
use a callable macro. So "-width Ar filename" doesn't make sense,
but either "-width Ar" or "-width filename" does, as might something
like "-width xxfilename" for a little extra space.

* There are a lot of needlessly complex hanging tag macros in man4 used
to create simple item lists. Those should be simplified one of these
days before someone copies and edits yet another man4 page.
 1.85  31-Jan-2002  kleink Add {POSIX_MONOTONIC_CLOCK} variables.
 1.84  28-Jan-2002  simonb Document the new kern.tkstat.* sysctls.
 1.83  27-Jan-2002  simonb Implement the hw.disknames and hw.diskstats sysctl's that have been listed
in <sys/sysctl.h> since day one but never implemented.
 1.82  15-Jan-2002  wiz Whitespace nit.
 1.81  24-Dec-2001  chs update vm entries.
 1.80  30-Oct-2001  kml Added descriptions of the new sysctls for controlling the disposition
of IPv4 routes added via redirects, rediraccept and redirtimeout.
 1.79  18-Oct-2001  itojun bring in new net.inet6.icmp6.nodeinfo description.
 1.78  16-Sep-2001  wiz Standardize section headers, sort sections, sort SEE ALSO, punctuation
and misc. fixes.
 1.77  16-Sep-2001  wiz Boring whitespace fixes.
 1.76  12-Apr-2001  toshii KERN_RTC_OFFSET sysctl has been readonly.
 1.75  27-Mar-2001  itojun net.inet.ip.maxfragpackets defines the maximum size of ip reass queue
(prevents fragment flood from chewing up mbuf memory space).
derived from KAME net.inet6.ip6.maxfragpackets.
 1.74  08-Feb-2001  itojun branches: 1.74.2;
implement upper limit to icmp6 redirects (experimental, turned off)
negative value to {mtudisc,redirect}_{hi,lo}wat will turn off the limitation.
sync with kame.
 1.73  07-Feb-2001  itojun during ip6/icmp6 inbound packet processing, do not call log() nor printf() in
normal operation (/var can get filled up by flooding bogus packets).
sysctl net.inet6.icmp6.nd6_debug will turn on diagnostic messages.
(#define ND6_DEBUG will turn it on by default)

improve stats in ND6 code.

lots of synchronization with kame (including comments and cosmetic ones).
 1.72  10-Jan-2001  hubertf * Document the vendor.* sysctl branch
* in sysctl.3, sort the list of CTL_ prefixes and sync with sysctl.h
 1.71  21-Dec-2000  itojun document net.inet6.icmp6.mtudisc_{lo,hi}wat.
 1.70  26-Oct-2000  jdolecek rewrite KERN_MAXPTYS description to match reality
 1.69  09-Sep-2000  jdolecek document kern.maxptys/KERN_MAXPTYS
note that kern.maxvnodes is raise only
 1.68  26-Aug-2000  itojun implement net.inet6.ip6.{anon,low}port{min,max} sysctl variable.
 1.67  26-Aug-2000  itojun document net.inet.ip.lowport{min,max}
 1.66  04-Aug-2000  kml Correct the documentation for SACK; although we have some preliminary
code in the tree, it doesn't do anything, and setting the sack sysctl
won't have any effect.
 1.65  02-Aug-2000  itojun pps rate limitation can be turned off by negative value.
 1.64  28-Jul-2000  itojun nuke net.inet*.ip*.*ratelimit.
 1.63  27-Jul-2000  itojun add net.inet.tcp.rstppslimit
 1.62  10-Jul-2000  itojun document sysctl variable "net.inet.icmp.errppslimit".
 1.61  09-Jul-2000  itojun add description for net.inet6.icmp6.{errppslimit,nd6_maxnudhint}.
 1.60  03-Jul-2000  enami - One more s/vm/uvm/ substitution.
- Sort SEE ALSO list first by section.
 1.59  27-Jun-2000  mrg <vm/vm_param.h> is now <uvm/uvm_param.h>
 1.58  16-Jun-2000  simonb branches: 1.58.2;
Document KERN_MSGBUF sysctl.
 1.57  13-Jun-2000  simonb Bring a little closer to current reality - includes my recent sysctl
additions as well as a number of other small additions/changes/deletions.
 1.56  23-May-2000  itojun branches: 1.56.2;
correct FILES section. mention IPv6/IPsec headers.
 1.55  23-May-2000  itojun s/udp6.sendmax/udp6.sendspace/
 1.54  22-May-2000  itojun correct table formatting for net.inet.*.
we do not have net.inet6.tcp6.
 1.53  29-Mar-2000  jdolecek kill reference to getvfsbyname(3) - it's no longer present on NetBSD
 1.52  27-Feb-2000  itojun add hw.alignbytes sysctl mib. this gives you the value of ALIGNBYTES
at the kernel compilation time (ALIGNBYTES that the kernel uses).
 1.51  26-Feb-2000  itojun remove net.inet6.ip6.nd6_proxyall sysctl.
support "ndp -s <ip6> <mac> proxy" for proxy NDP.
 1.50  15-Feb-2000  thorpej Note net.inet.icmp.errratelimit and net.inet.tcp.rstratelimit.
 1.49  06-Feb-2000  fair Document KERN_LOGSIGEXIT.
sort sysctl variable list in sysctl.8
 1.48  23-Jan-2000  ad Change how the purpose of net.inet.tcp.log_refused is expressed so that it's
consistent with its neighbours.
 1.47  19-Jan-2000  itojun warning about net.inet6.ip6.forwarding.
 1.46  06-Jan-2000  itojun make IPV6_BINDV6ONLY setsockopt available. it controls behavior of
AF_INET6 wildcard listening socket. heavily documented in ip6(4).
net.inet6.ip6.bindv6only defines default value. default is 1.

"options INET6_BINDV6ONLY" removes any code fragment that supports
IPV6_BINDV6ONLY == 0 case (not defopt'ed as use of this is rare).
 1.45  06-Jan-2000  itojun wording fix in net.inet6.icmp6.errratelim.
 1.44  06-Jan-2000  itojun add missing variables under net.inet6.ip6.
 1.43  02-Jan-2000  itojun add net.inet6.icmp6.nodeinfo sysctl.
this allows you to disable/enable ICMPv6 node information query/reply
processing (which tells remote end the gethostname(3) setting, interface
addresses on the node, and some other things - documented in
draft-ietf-ipngwg-icmp-name-lookup* or something alike).

to test it, try ping6 -w ::1 with nodeinfo=0 and nodeinfo=1.
(sync with kame change)
 1.42  02-Jan-2000  itojun typo fix
 1.41  01-Jan-2000  itojun document PF_INET6 items (net.inet6.*).
 1.40  14-Oct-1999  jdolecek document ddb.fromconsole & DBCTL_FROMCONSOLE, description taken from options(4)
 1.39  10-Oct-1999  hwr Mention ipsec(4), as there are the ipsec mib variables documented.
 1.38  28-Sep-1999  bouyer Document CTL_PROC, the core filename format in core(5), and xref sysctl(8),
sysctl(3), core(5) in various places.
Document 'options DEFCORENAME' in options(4) and $defcorename in rc.conf(5).
 1.37  27-Sep-1999  kleink 1003.1c: add {LOGIN_NAME_MAX}.
 1.36  24-Jun-1999  kleink branches: 1.36.2;
Add compile-time and run-time feature test knobs for the 1003.1 Mapped Files,
Process Memory Locking, Range Memory Locking and Memory Protection options.
 1.35  23-May-1999  ad Add new sysctl (net.inet.tcp.log_refused) that when set, causes refused TCP
connections to be logged.
 1.34  09-Mar-1999  erh branches: 1.34.2;
Add missing .El lines.
 1.33  06-Oct-1998  matt Add a sysctl for newreno (default to off).
 1.32  10-Sep-1998  mouse Create tcp.keepidle, tcp.keepintvl, tcp.keepcnt, tcp.slowhz sysctls.
 1.31  03-Aug-1998  kleink Add support to query the
* availability of POSIX Synchronized I/O (kern.synchronized_io),
* maximum number of iovec structures to be used in readv(2) etc. (kern.iov_max)
via sysctl().
 1.30  28-Jun-1998  nathanw Document shortcorename support and control.
 1.29  24-May-1998  kleink Permit checking the availability of the POSIX File Synchronization Option
(a/k/a fsync(2)), System V style message queues, semaphores and shared memory
at runtime by adding a sysctl variable for each.
 1.28  02-May-1998  thorpej Document tcp.cwm_burstsize and tcp.ack_on_push.
 1.27  30-Apr-1998  thorpej Document net.inet.ip.mtudisc and net.inet.ip.mtudisctimeout.
 1.26  30-Apr-1998  thorpej Rework some of the documentation pertaining to tcp.init_win and
tcp.mss_ifmtu, in an attempt to make it a little more clear. Also,
document tcp.mssdflt, tcp.sack, tcp.win_scale, tcp.timestamps,
tcp.compat_42, tcp.cwm, and tcp.cwm_burstsize.
 1.25  28-Apr-1998  fair Fix mdoc .Xr reference for syntax or correctness (e.g. exec(2) versus exec(3)).
Make other mdoc corrections as inspection dictated.
 1.24  13-Apr-1998  kml Fix to ensure that the correct MSS is advertised for loopback
TCP connections by using the MTU of the interface. Also added
a knob, mss_ifmtu, to force all connections to use the MTU of
the interface to calculate the advertised MSS.
 1.23  05-Feb-1998  perry add LIBRARY section to man page
 1.22  05-Feb-1998  perry remove illegal quotes from .Dd directives
 1.21  03-Feb-1998  perry .Bx'ize
 1.20  02-Feb-1998  perry merge/update to lite-2
 1.19  05-Jan-1998  lukem document net.inet.ip.anonport{min,max}
 1.18  11-Dec-1997  thorpej Document net.inet.tcp.init_win.
 1.17  17-Oct-1997  thorpej Document net.inet.ip.allowsrcrt and net.inet.ip.subnetsarelocal.
 1.16  19-Sep-1997  leo Commit userland part of pr-1891.
 1.15  28-Jul-1997  thorpej Document new UDP and TCP tunables.
 1.14  06-Jun-1997  veego Update the manpage for HW_MACHINE_ARCH.
 1.13  29-May-1997  cgd Fix broken uses of Dd. Both the mdoc and mdoc.samples pages agree:
.Dd is supposed to be invoked like:
.Dd month day, year
e.g. ".Dd January 25, 1989", rather than:
.Dd "month day, year"
which is what these pages did.
 1.12  09-Jan-1997  thorpej Document CTL_DDB MIB nodes.
 1.11  17-Jul-1996  explorer document AUTONICETIME and AUTONICEVAL sysctls
 1.10  13-Apr-1996  thorpej Document that "<sys/sysctl.h>" isn't enough ... suggest including
<sys/param.h>, too. Suggested by Kevin M. Lahey <kml@nas.nasa.gov>
in PR #1999.
 1.9  16-Jan-1996  thorpej Add a net.inet.ip.directed-broadcast sysctl as suggested by
Darren Reed <darrenr@vitruvius.arbld.unimelb.edu.au> in PR #1227.
This change is slightly different than the one submitted by Darren in
that the DIRECTED_BROADCAST compile-time option will behave like it used
to so that existing configurations utilizing it won't have to change.
 1.8  15-Jan-1996  thorpej Add net.inet.ip.forwsrcrt: if zero, the system will not forward
source-routed packets. Note this value is protected by kernel security
level; it can only be changed if securelevel < 1.
 1.7  30-Sep-1995  thorpej Document new RFC1323 sysctl variable.
 1.6  04-Aug-1995  thorpej Add and document a `kern.rawpartition' sysctl.
 1.5  25-Feb-1995  cgd clean up Id's on files previously imported...
 1.4  25-Jan-1995  cgd document sysctl variable kern.maxpartitions
 1.3  24-Jan-1995  cgd note KERN_DOMAINNAME, the addition of tickadj to KERN_CLOCKINFO.
 1.2  15-Dec-1994  jtc Fixed cross reference: sysctl(1) -> sysctl(8).
 1.1  07-May-1994  cgd branches: 1.1.1;
Initial revision
 1.1.1.2  02-Feb-1998  perry import lite-2
 1.1.1.1  07-May-1994  cgd various sysctl-related libc functions
 1.34.2.1  30-May-2001  he Pull up revision 1.75 (via patch, requested by he):
Introduce net.inet.ip.maxfragpackets, which controls the maximum
number of IPv4 fragment reassembly queue entries. Defends against
certain DoS attacks. Fixes SA#2001-006.
 1.36.2.1  27-Dec-1999  wrstuden Pull up to last week's -current.
 1.56.2.1  23-Jun-2000  minoura Sync w/ netbsd-1-5-base.
 1.58.2.7  24-Apr-2001  he Pull up revision 1.75 (requested by itojun):
Introduce net.inet.ip.maxfragpackets, which controls the maximum
number of IPv4 fragment reassembly queue entries. Defends against
certain DoS attacks.
 1.58.2.6  26-Feb-2001  he Um, undo last commit; done in error.
 1.58.2.5  26-Feb-2001  he Pull up revision 1.72 (via patch, requested by hubertf):
Document the vendor.* sysctl branch, and note that we currently
have no registry for these sysctl values. Sort list of CTL_
prefixes, and sync with sysctl.h.
 1.58.2.4  27-Aug-2000  itojun pullup (approved by releng-1-5)

> implement net.inet6.ip6.{anon,low}port{min,max} sysctl variable.

> cvs rdiff -r1.67 -r1.68 basesrc/lib/libc/gen/sysctl.3
> cvs rdiff -r1.53 -r1.54 basesrc/sbin/sysctl/sysctl.8
> cvs rdiff -r1.18 -r1.19 syssrc/sys/netinet6/in6.h
> cvs rdiff -r1.29 -r1.30 syssrc/sys/netinet6/in6_pcb.c
> cvs rdiff -r1.3 -r1.4 syssrc/sys/netinet6/in6_src.c
> cvs rdiff -r1.25 -r1.26 syssrc/sys/netinet6/ip6_input.c
> cvs rdiff -r1.14 -r1.15 syssrc/sys/netinet6/ip6_var.h
 1.58.2.3  27-Aug-2000  itojun pullup (approved by releng-1-5)
> document net.inet.ip.lowport{min,max}
> cvs rdiff -r1.66 -r1.67 basesrc/lib/libc/gen/sysctl.3
> cvs rdiff -r1.52 -r1.53 basesrc/sbin/sysctl/sysctl.8
 1.58.2.2  16-Aug-2000  itojun pullup (approved by releng-1-5)

document *ppslimit.

sbin/sysctl/sysctl.8 1.48 -> 1.52
lib/libc/gen/sysctl.3 1.60 -> 1.63, 1.64 -> 1.65
 1.58.2.1  04-Aug-2000  kml Pullup of rev 1.66 approved by jhawk:
Correct the documentation for SACK; although we have some preliminary
code in the tree, it doesn't do anything, and setting the sack sysctl
won't have any effect.
 1.74.2.14  08-Jan-2003  thorpej Sync with HEAD.
 1.74.2.13  29-Dec-2002  thorpej Sync with HEAD.
 1.74.2.12  19-Dec-2002  thorpej Sync with HEAD.
 1.74.2.11  11-Dec-2002  thorpej Sync with HEAD.
 1.74.2.10  11-Nov-2002  nathanw Catch up to -current
 1.74.2.9  18-Oct-2002  nathanw Catch up to -current.
 1.74.2.8  27-Aug-2002  nathanw Catch up to -current.
 1.74.2.7  01-Aug-2002  nathanw Catch up to -current.
 1.74.2.6  21-Jun-2002  nathanw Catch up to -current.
 1.74.2.5  22-Mar-2002  nathanw Catch up to -current.
 1.74.2.4  08-Mar-2002  nathanw Catch up to -current.
 1.74.2.3  28-Jan-2002  nathanw Catch up to -current.
 1.74.2.2  14-Nov-2001  nathanw Catch up to -current.
 1.74.2.1  08-Oct-2001  nathanw Catch up to -current.
 1.93.2.1  15-Jun-2002  lukem Pull up revision 1.95 (requested by itojun in ticket #266):
set IPv4 parameter to modern value.
- ICMPv4 redirect entry timeout = 600 sec (previous: never timeout)
 1.135.2.1  12-Nov-2004  jmc branches: 1.135.2.1.2;
Pullup rev 1.140 (requested by daniel in ticket #926)

Add vm.bufcache, vm.bufmem, vm.bufmem_lowater, vm.bufmem_hiwater
 1.135.2.1.2.1  18-Jun-2005  riz Pull up revision 1.142 (requested by peter in ticket #1998):
RTC_OFFSET is writable; sync with sysctl.8
 1.142.2.7  06-Dec-2005  riz Pull up following revision(s) (requested by elad in ticket #1016):
lib/libc/gen/sysctl.3: revision 1.158
Change the entry from "foobar" to "not applicable" in the "Changeable"
field of kern.veriexec.count.. no idea how that went unnoticed. :)
 1.142.2.6  02-Jul-2005  tron Pull up revision 1.152 (requested by elad in ticket #487):
- Use more calls to veriexec_report() where possible.
- Change #ifdef VERIFIED_EXEC_VERBOSE to another verbose level, 2. Add
sysctl(3) bits.
- Simplify access type conflict handling during load. This depends on
the values of access type defines to be ordered from least to most
'strict'.
 1.142.2.5  02-Jul-2005  tron Pull up revision 1.151 (requested by elad in ticket #487):
New sentence, new line.
 1.142.2.4  02-Jul-2005  tron Pull up revision 1.150 (requested by elad in ticket #487):
More veriexec changes:
- Better organize strict level. Now we have 4 levels:
  - Level 0, learning mode: Warnings only about anything that might've
    resulted in 'access denied' or similar in a higher strict level.
  - Level 1, IDS mode:
    - Deny access on fingerprint mismatch.
    - Deny modification of veriexec tables.
  - Level 2, IPS mode:
    - All implications of strict level 1.
    - Deny write access to monitored files.
    - Prevent removal of monitored files.
    - Enforce access type - 'direct', 'indirect', or 'file'.
  - Level 3, lockdown mode:
    - All implications of strict level 2.
    - Prevent creation of new files.
    - Deny access to non-monitored files.
- Update sysctl(3) man-page with above. (date bumped too :)
- Remove FINGERPRINT_INDIRECT from possible fp_status values; it's no
longer needed.
- Simplify veriexec_removechk() in light of new strict level policies.
- Eliminate use of 'securelevel'; veriexec now behaves according to
its strict level only.
 1.142.2.3  10-Jun-2005  tron Pull up revision 1.149 (requested by elad in ticket #389):
New sentence, new line. <> -> Aq. Bump date for previous.
 1.142.2.2  10-Jun-2005  tron Pull up revision 1.148 (requested by elad in ticket #389):
Add man-page bits about the 'count' node.
 1.142.2.1  10-Jun-2005  tron Pull up revision 1.147 (requested by elad in ticket #389):
Some changes in veriexec.
New features:
- Add a veriexec_report() routine to make most reporting consistent and
  remove some common code.
- Add 'strict' mode that controls how veriexec behaves.
- Add sysctl knobs:
  o kern.veriexec.verbose controls verbosity levels. Value: 0, 1.
  o kern.veriexec.strict controls strict level. Values: 0, 1, 2. See
    documentation in sysctl(3) for details.
  o kern.veriexec.algorithms returns a string with a space separated
    list of supported hashing algorithms in veriexec.
- Updated documentation in man pages for sysctl(3) and sysctl(8).
Bug fixes:
- veriexec_removechk(): Code cleanup + handle FINGERPRINT_NOTEVAL
  correctly.
- exec_script(): Don't pass 0 as flag when executing a script; use the
  defined VERIEXEC_INDIRECT - which is 1. Makes indirect execution
  enforcement work.
- Fix some printing formats and types..
 1.177.2.3  08-Sep-2006  rpaulo Pull up following revision(s) (requested by liamjfoy in ticket #127):
lib/libc/gen/sysctl.3: revision 1.181
sbin/sysctl/sysctl.8: revision 1.152
add net.inet.ip.maxflows. Bump date.
document net.inet.ip.maxflows. bump date.
 1.177.2.2  06-Sep-2006  rpaulo Pull up following revision(s) (requested by liamjfoy in ticket #119):
lib/libc/gen/sysctl.3: revision 1.179
Update for carp(4). Bump date.
from openbsd
 1.177.2.1  14-Aug-2006  tron Pull up following revision(s) (requested by elad in ticket #15):
sys/miscfs/specfs/spec_vnops.c: revision 1.88
share/man/man9/fileassoc.9: revision 1.7
sys/kern/kern_verifiedexec.c: revision 1.66
sys/sys/verified_exec.h: revision 1.39
sys/sys/fileassoc.h: revision 1.3
lib/libc/gen/sysctl.3: revision 1.178
share/man/man9/veriexec.9: revision 1.4
sys/kern/kern_fileassoc.c: revision 1.6
Pretending to be Elad's keyboard:
fileassoc.diff adds a fileassoc_table_run() routine that allows you to
pass a callback to be called with every entry on a given mount.
veriexec.diff adds some raw device access policies: if raw disk is
opened at strict level 1, all fingerprints on this disk will be
invalidated as a safety measure. level 2 will not allow opening disk
for raw writing if we monitor it, and prevent raw writes to memory.
level 3 will not allow opening any disk for raw writing.
both update all relevant documentation.
veriexec concept is okay blymn@.
 1.191.6.1  18-May-2009  bouyer Apply patch, requested by snj in ticket #1318:
lib/libc/gen/sysctl.3: patch
document PROC_PID_LIMIT_SBSIZE. Addresses PR 36463.
 1.191.2.1  18-May-2009  bouyer Apply patch, requested by snj in ticket #1318:
lib/libc/gen/sysctl.3: patch
document PROC_PID_LIMIT_SBSIZE. Addresses PR 36463.
 1.193.12.1  24-Sep-2008  wrstuden Merge in changes between wrstuden-revivesa-base-2 and
wrstuden-revivesa-base-3.
 1.194.6.2  04-Jan-2009  christos merge with head.
 1.194.6.1  17-Sep-2008  christos file sysctl.3 was added on branch christos-time_t on 2009-01-04 17:02:19 +0000
 1.194.4.1  12-Nov-2008  snj Pull up following revision(s) (requested by reed in ticket #46):
sbin/sysctl/sysctl.8: revision 1.159
lib/libc/gen/sysctl.3: revision 1.195
Reference secmodel_securelevel(9) manual page.
 1.200.22.1  10-Aug-2014  tls Rebase.
 1.200.12.1  20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.203.6.2  13-Apr-2020  martin Mostly merge changes from HEAD up to 20200411
 1.203.6.1  10-Jun-2019  christos Sync with HEAD
 1.203.4.1  30-Sep-2018  pgoyette Sync with HEAD
