History log of /src/sbin/sysctl/sysctl.8
Revision  Date  Author  Comments
 1.162  03-Aug-2011  christos allow -q flag to work for reads.
 1.161  30-Sep-2009  elad Remove stale references to the "read only at securelevel [12]" flags in
the documentation and code comments.
 1.160  01-Apr-2009  christos Don't print an error with sysctl -w name?=value if name does not exist.
Should be pulled up to 5.0
 1.159  11-Nov-2008  reed branches: 1.159.2;
Reference secmodel_securelevel(9) manual page.
 1.158  02-May-2008  martin branches: 1.158.4;
Move TNF licenses to 2 clause form
 1.157  04-Dec-2006  pavel branches: 1.157.12; 1.157.14;
Move the description of sysctl MIBs from sysctl.3 to a new manual page
sysctl.7. Remove the list of MIBs from sysctl.8 so we don't have to
maintain duplicate information, as proposed by YAMAMOTO Takashi on
tech-userlevel. Also remove references to header files from sysctl.8.

The numeric constants remain documented, they are still needed in some
cases. See the discussion on tech-userlevel. ("mib list in sysctl.8")

OK by YAMAMOTO Takashi.
 1.156  25-Nov-2006  christos branches: 1.156.2;
PR/34837: Mindaguas: Add SysV SHM dynamic reallocation and locking to the
physical memory
 1.155  22-Nov-2006  elad Initial implementation of PaX Segvguard (this is still work-in-progress,
it's just to get it out of my local tree).
 1.154  26-Sep-2006  elad Change the PaX mprotect(2) restrictions' "global_protection" knob to
just "global" -- it's shorter and more readable. Update documentation.
 1.153  05-Sep-2006  rpaulo Import of TCP ECN algorithm for congestion control.
Both available for IPv4 and IPv6.
Basic implementation test results are available at
http://netbsd-soc.sourceforge.net/projects/ecn/testresults.html.

Work sponsored by the Google Summer of Code project 2006.
Special thanks to Kentaro Kurahone, Allen Briggs and Matt Thomas for their
help, comments and support during the project.
 1.152  04-Sep-2006  liamjfoy add net.inet.ip.maxflows. Bump date.
 1.151  08-Aug-2006  wiz Bump date for previous.
 1.150  08-Aug-2006  kardel document timecounter sysctls
 1.149  14-Jul-2006  elad branches: 1.149.2;
move security.setid_core.* to kern.coredump.setid.*, as requested by yamt@.
 1.148  14-Jul-2006  elad okay, since there was no way to divide this to two commits, here it goes..

introduce fileassoc(9), a kernel interface for associating meta-data with
files using in-kernel memory. this is very similar to what we had in
veriexec till now, only abstracted so it can be used more easily by more
consumers.

this also prompted the redesign of the interface, making it work on vnodes
and mounts and not directly on devices and inodes. internally, we still
use file-id but that's gonna change soon... the interface will remain
consistent.

as a result, veriexec went under some heavy changes to conform to the new
interface. since we no longer use device numbers to identify file-systems,
the veriexec sysctl stuff changed too: kern.veriexec.count.dev_N is now
kern.veriexec.tableN.* where 'N' is NOT the device number but rather a
way to distinguish several mounts.

also worth noting is the plugging of unmount/delete operations
wrt/fileassoc and veriexec.

tons of input from yamt@, wrstuden@, martin@, and christos@.
 1.147  29-May-2006  liamjfoy bump date (.Dd)
 1.146  29-May-2006  liamjfoy document Common Address Redundancy Protocol sysctls, aka CARP

ok joerg@
 1.145  16-May-2006  elad Introduce PaX MPROTECT -- mprotect(2) restrictions used to strengthen
W^X mappings.

Disabled by default.

First proposed in:

http://mail-index.netbsd.org/tech-security/2005/12/18/0000.html

More information in:

http://pax.grsecurity.net/docs/mprotect.txt

Read relevant parts of options(4) and sysctl(3) before using!

Lots of thanks to the PaX author and Matt Thomas.
 1.144  06-Mar-2006  christos add the 3 opencrypto sysctls.
 1.143  04-Feb-2006  wiz Bump date for security.*
 1.142  02-Feb-2006  elad - make use of the recently added mode_bits for security.setid_core.mode;
- document setid_core variables.
 1.141  14-Jan-2006  elad add some more to kern.
 1.140  14-Jan-2006  elad remove dup cnmagic.
 1.139  14-Jan-2006  elad Sync and sort ddb, hw, kern, vm.
 1.138  13-Jan-2006  elad oops - this should not have been committed. remove sugid_coredump line.
 1.137  13-Jan-2006  elad grrr... another space -> tab...
 1.136  13-Jan-2006  elad space -> tab
 1.135  13-Jan-2006  elad Sync net.{inet,inet6,key}
 1.134  21-Dec-2005  yamt add vm.inactivepct.
 1.133  13-Dec-2005  yamt add vm.idlezero. noted by Hubert Feyrer.
 1.132  27-Nov-2005  yamt bump date for the previous.
 1.131  27-Nov-2005  yamt add ddb.commandonenter.
 1.130  15-Oct-2005  xtraeme Mention "kern.bufq.strategies", bump date.
 1.129  06-Oct-2005  wiz Add missing comma.
 1.128  03-Oct-2005  elad Document security level for sysctl and security.curtain.

Hi Hubert! :)
 1.127  24-Sep-2005  rpaulo Document kern.hardclock_ticks. Pointed out by Hubert.
 1.126  23-Sep-2005  wiz Drop trailing whitespace.
 1.125  21-Sep-2005  xtraeme Mention vfs.sync.*, bump date.
 1.124  06-Sep-2005  rpaulo Handle net.inet.tcp.debug, net.inet.tcp.debx, net.ns.spp.debug and
net.ns.spp.debx. Bump man page date.
 1.123  04-Aug-2005  rpaulo Added net.bpf.peers and net.bpf.stats and bumped the date.
 1.122  24-May-2005  wiz Bump date for previous. <> -> \*[Lt]\*[Gt].
 1.121  24-May-2005  elad Add man-page bits about the 'count' node.
 1.120  20-May-2005  elad Remove common code for returning supported fingerprints. This is done now
via sysctl(8) using kern.veriexec.algorithms.

Also add an entry for the 'algorithms' variable in sysctl.8 forgotten in
the last commit.
 1.119  19-May-2005  elad Some changes in veriexec.

New features:

- Add a veriexec_report() routine to make most reporting consistent and
remove some common code.
- Add 'strict' mode that controls how veriexec behaves.
- Add sysctl knobs:
o kern.veriexec.verbose controls verbosity levels. Value: 0, 1.
o kern.veriexec.strict controls strict level. Values: 0, 1, 2. See
documentation in sysctl(3) for details.
o kern.veriexec.algorithms returns a string with a space separated
list of supported hashing algorithms in veriexec.
- Updated documentation in man pages for sysctl(3) and sysctl(8).

Bug fixes:

- veriexec_removechk(): Code cleanup + handle FINGERPRINT_NOTEVAL
correctly.
- exec_script(): Don't pass 0 as flag when executing a script; use the
defined VERIEXEC_INDIRECT - which is 1. Makes indirect execution
enforcement work.
- Fix some printing formats and types..
 1.118  26-Dec-2004  christos branches: 1.118.2;
PR/28782: OBATA Akio: Document that kern.rtc_offset is writable.
 1.117  21-Nov-2004  jdolecek add vfs.cd9660.utf8_joliet, and couple other vfs.* entries while here

bump date and add TNF copyright
 1.116  15-Oct-2004  daniel Add vm.bufcache, vm.bufmem, vm.bufmem_lowater, m.bufmem_hiwater (PR misc/27247, misc/27233).
 1.115  27-Aug-2004  wiz Bump date for removal of net.key.random_int.
 1.114  27-Aug-2004  itojun remove net.key.random_int
 1.113  28-Apr-2004  snj Bump date for last.
 1.112  28-Apr-2004  ragge Note net.inet.arp.* entries.
 1.111  24-Mar-2004  wiz branches: 1.111.2;
Remove duplicate and superfluous words.
 1.110  24-Mar-2004  snj Bump date for last.
 1.109  24-Mar-2004  atatat Bring sysctl man pages up to date (wrt new query interface, the
versioning, and descriptions).
 1.108  22-Jan-2004  wiz Bump date for previous.
 1.107  22-Jan-2004  jonathan Document net.bpf.maxbufsize in sysctl(8).
NB: bpf isn't a PF_, so where to list it in sysctl(3)?
 1.106  08-Jan-2004  atatat Used to say "type=", but now says "size=" since that's what it's
supposed to say.
 1.105  31-Dec-2003  wiz Simplify Oo/Oc to Op, since it has only one simple short argument.
 1.104  30-Dec-2003  atatat Update sysctl.8 man page to cover all the new stuff.
 1.103  15-Oct-2003  wiz Slight option ordering change.
 1.102  27-Sep-2003  dsl Forgot the date....
 1.101  27-Sep-2003  dsl Add kern.drivers and kern.root_partition to match recent kern_sysctl.c
Add kern.root_device which was absent.
 1.100  21-Sep-2003  wiz Combine multiple single-letter options.
 1.99  20-Sep-2003  grant add -e flag to set the separator to '=' where the default is ' = '.
this allows sysctl output to be fed back into itself. inspired by
FreeBSD's sysctl(8).

ok'd by atatat.
 1.98  17-Sep-2003  grant put flags in a list with descriptions. add proper description of -w.
 1.97  07-Aug-2003  wiz Mention /etc/sysctl.conf. Bump date. Closes PR 22213.
 1.96  07-Aug-2003  agc Move UCB-licensed code from 4-clause to 3-clause licence.

Patches provided by Joel Baker in PR 22308, verified by myself.
 1.95  04-Jul-2003  wiz Bump date for last, and replace some \*[Lt]/\*[Gt] with .Aq.
 1.94  03-Jul-2003  ragge Add somaxkva.
 1.93  19-Apr-2003  christos add tcp.ident.
 1.92  12-Apr-2003  christos add checkinterface
 1.91  17-Mar-2003  wiz Consistent tab usage.
 1.90  15-Mar-2003  wiz Use "its" instead of "it's" where appropriate.
From Soren Jacobsen in PR 20730.
 1.89  06-Mar-2003  thorpej hw.physpages -> hw.physmem64, hw.userpages -> hw.usermem64
 1.88  01-Mar-2003  thorpej Document net.inet.tcp.init_win_local.
 1.87  27-Feb-2003  thorpej Document hw.physpages and hw.userpages.
 1.86  02-Feb-2003  kleink Add sysconf(3) knobs for recent additions.
 1.85  01-Feb-2003  kleink Add several missing items, and be less rageous about memory locking.
 1.84  11-Dec-2002  jdolecek Add kern.forkfsleep sysctl - set/get time (in milliseconds) for which
process would be forced to sleep in fork() if it hits either global
or user maxproc limit. Default is zero (no forced sleep).
Maximum is 20 seconds.
 1.83  11-Dec-2002  scw Add two sysctls: kern.labelsector and kern.labeloffset.
These are of use to userland code which previously depended on the
hard-coded values of LABELSECTOR and LABELOFFSET to figure out the
location of the disklabel for a particular platform.

With the introduction of umbrella ports such as evbarm, evbmips, etc,
the location of the disklabel may vary between kernels for the same
MACHINE. This sysctl will allow userland programs to remain independent
of the particular flavour of MACHINE in such cases.
 1.82  07-Nov-2002  manu Added two sysctl-able flags: proc.curproc.stopfork and proc.curproc.stopexec
that can be used to block a process after fork(2) or exec(2) calls. The
new process is created in the SSTOP state and is never scheduled for running.

This feature is designed so that it is easy to attach the process using gdb
before it has done anything.

It works also with sproc, kthread_create, clone...
 1.81  03-Oct-2002  wiz New sentence, new line. From Robert Elz.
 1.80  01-Oct-2002  wiz Replace some \*[Lt]...\*[Gt] with .Aq ...
 1.79  29-May-2002  msaitoh document vfs.nfs.iothreads
 1.78  28-May-2002  itojun document net.inet6.ip6.maxfrags
 1.77  19-May-2002  itojun branches: 1.77.2;
document net.key.* sysctl. provide sysctl MIB for controlling
proposal payload on ACQUIRE message. sync w/kame
 1.76  14-May-2002  itojun rename: net.inet6.ip6.bindv6only -> net.inet6.ip6.v6only
sync w/kame.
 1.75  24-Mar-2002  sommerfeld Add -q flag, for use with -w and -f, which suppresses output after a set.
 1.74  08-Feb-2002  ross Generate <>& symbolically. I'm avoiding .../dist/... directories for now.
 1.73  28-Jan-2002  simonb Document the new kern.tkstat.* sysctls.
 1.72  27-Jan-2002  simonb Prod from lukem - remember to add hw.disk* here too.
 1.71  24-Dec-2001  chs update for changed vm knobs.
 1.70  30-Oct-2001  wiz Sort sections, whitespace nits.
 1.69  30-Oct-2001  kml Added descriptions of the new sysctls for controlling the disposition
of IPv4 routes added via redirects, rediraccept and redirtimeout.
 1.68  20-Aug-2001  hubertf Remove duplicate listing of "net.inet.tcp.init_win" system variable as
reported in PR 13760 by Don Yuniskis <auryn@gci-net.com>
 1.67  16-Jun-2001  jdolecek Add port of high performance pipe implementation written by John S. Dyson
for FreeBSD project. Besides huge speed boost compared with socketpair-based
pipes, this implementation also uses pagable kernel memory instead of mbufs.

Significant differences to FreeBSD version:
* uses uvm_loan() facility for direct write
* async/SIGIO handling correct also for sync writer, async reader
* limits settable via sysctl, amountpipekva and nbigpipes available via sysctl
* pipes are unidirectional - this is enforced on file descriptor level
for now only, the code would be updated to take advantage of it
eventually
* uses lockmgr(9)-based locks instead of home brew variant
* scatter-gather write is handled correctly for direct write case, data
is transferred by PIPE_DIRECT_CHUNK bytes maximum, to avoid running out of kva

All FreeBSD/NetBSD specific code is within appropriate #ifdef, in preparation
to feed changes back to FreeBSD tree.

This pipe implementation is optional for now, add 'options NEW_PIPE'
to your kernel config to use it.
 1.66  27-Mar-2001  itojun net.inet.ip.maxfragpackets defines the maximum size of ip reass queue
(prevents fragment flood from chewing up mbuf memory space).
derived from KAME net.inet6.ip6.maxfragpackets.
 1.65  09-Mar-2001  chs add UBC memory-usage balancing. we track the number of pages in use for
each of the basic types (anonymous data, executable image, cached files)
and prevent the pagedaemon from reusing a given page if that would reduce
the count of that type of page below a sysctl-settable minimum threshold.
the thresholds are controlled via three new sysctl tunables:
vm.anonmin, vm.vnodemin, and vm.vtextmin. these tunables are the
percentages of pageable memory reserved for each usage, and we do not allow
the sum of the minimums to be more than 95% so that there's always some
memory that can be reused.
 1.64  07-Feb-2001  itojun during ip6/icmp6 inbound packet processing, do not call log() nor printf() in
normal operation (/var can get filled up by flooding bogus packets).
sysctl net.inet6.icmp6.nd6_debug will turn on diagnostic messages.
(#define ND6_DEBUG will turn it on by default)

improve stats in ND6 code.

lots of synchronization with kame (including comments and cosmetic ones).
 1.63  26-Jan-2001  hubertf Document that there's currently no registry for vendor sysctls.
After discussion with John Hawkinson and Frank van der Linden.
 1.62  10-Jan-2001  hubertf * Document the vendor.* sysctl branch
* in sysctl.3, sort the list of CTL_ prefixes and sync with sysctl.h
 1.61  21-Dec-2000  itojun document net.inet6.icmp6.mtudisc_{lo,hi}wat.
 1.60  08-Nov-2000  eeh Document new hw.cnmagic sysctl(8) variable.
 1.59  26-Oct-2000  jdolecek add couple of missing entries, update kern.maxptys entry - it is not raise only
 1.58  15-Oct-2000  bjh21 Ah, so _that_'s how you get a backslash in a macro argument.
Thanks to itojun for pointing it out.
 1.57  15-Oct-2000  bjh21 Various formatting cleanups (mostly to use .Ql).
Note that getting a single backslash inside Ql seems to need SIXTEEN
of them in the source!
 1.56  26-Sep-2000  jdolecek fix typo (remplaced --> replaced)
 1.55  09-Sep-2000  jdolecek document kern.maxptys/KERN_MAXPTYS
note that kern.maxvnodes is raise only
 1.54  26-Aug-2000  itojun implement net.inet6.ip6.{anon,low}port{min,max} sysctl variable.
 1.53  26-Aug-2000  itojun document net.inet.ip.lowport{min,max}
 1.52  28-Jul-2000  itojun nuke net.inet*.ip*.*ratelimit.
 1.51  27-Jul-2000  itojun add net.inet.tcp.rstppslimit
 1.50  10-Jul-2000  itojun document sysctl variable "net.inet.icmp.errppslimit".
 1.49  09-Jul-2000  itojun add description for net.inet6.icmp6.{errppslimit,nd6_maxnudhint}
 1.48  27-Jun-2000  mrg <vm/vm_param.h> is now <uvm/uvm_param.h>
 1.47  23-May-2000  itojun branches: 1.47.4;
correct FILES section. mention IPv6/IPsec headers.
 1.46  08-Apr-2000  soren Update usage with -f.
 1.45  12-Mar-2000  tsarna Add a "-f file" flag to process directives from a file.
 1.44  27-Feb-2000  itojun add hw.alignbytes sysctl mib. this gives you the value of ALIGNBYTES
at the kernel compilation time (ALIGNBYTES that the kernel uses).
 1.43  26-Feb-2000  itojun remove net.inet6.ip6.nd6_proxyall sysctl.
support "ndp -s <ip6> <mac> proxy" for proxy NDP.
 1.42  17-Feb-2000  fvdl List vfs.generic.usermount in manpage. Don't try to handle machdep.diskinfo
for the i386, thus avoiding a warning message in 'sysctl -a'.
 1.41  15-Feb-2000  thorpej Note net.inet.icmp.errratelimit and net.inet.tcp.rstratelimit.
 1.40  09-Feb-2000  jdolecek Add reference to the include file with TCP sysctl constants. Fixes bin/9378.
 1.39  06-Feb-2000  fair Document KERN_LOGSIGEXIT.
sort sysctl variable list in sysctl.8
 1.38  17-Jan-2000  itojun Moved from usr.sbin/sysctl/sysctl.8,v
 1.37  06-Jan-2000  itojun make IPV6_BINDV6ONLY setsockopt available. it controls behavior of
AF_INET6 wildcard listening socket. heavily documented in ip6(4).
net.inet6.ip6.bindv6only defines default value. default is 1.

"options INET6_BINDV6ONLY" removes any code fragment that supports
IPV6_BINDV6ONLY == 0 case (not defopt'ed as use of this is rare).
 1.36  06-Jan-2000  itojun add missing variables under net.inet6.ip6.
 1.35  02-Jan-2000  itojun add net.inet6.icmp6.nodeinfo sysctl.
this allows you to disable/enable ICMPv6 node information query/reply
processing (which tells remote end the gethostname(3) setting, interface
addresses on the node, and some other things - documented in
draft-ietf-ipngwg-icmp-name-lookup* or something alike).

to test it, try ping6 -w ::1 with nodeinfo=0 and nodeinfo=1.
(sync with kame change)
 1.34  17-Dec-1999  garbled Fix some minor typos and word usage nits.
 1.33  18-Nov-1999  kristerw Typos (from OpenBSD)
 1.32  14-Oct-1999  jdolecek document ddb.fromconsole & DBCTL_FROMCONSOLE, description taken from options(4)
 1.31  28-Sep-1999  bouyer Add handling of the proc hierarchy. Document it, as well as kern.defcorename.
 1.30  02-Jul-1999  itojun branches: 1.30.2;
IPv6/IPsec sysctl MIB support.
 1.29  23-May-1999  ad Add new sysctl (net.inet.tcp.log_refused) that when set, causes refused TCP
connections to be logged.
 1.28  26-Apr-1999  thorpej Add support for kern.mbuf.*
 1.27  28-Mar-1999  kleink Forgot to add these a while ago.
 1.26  10-Sep-1998  mouse Create tcp.keepidle, tcp.keepintvl, tcp.keepcnt, tcp.slowhz sysctls.
 1.25  28-Jun-1998  nathanw Document shortcorename support and control.
 1.24  24-May-1998  kleink Permit checking the availability of the POSIX File Synchronization Option
(a/k/a fsync(2)), System V style message queues, semaphores and shared memory
at runtime by adding a sysctl variable for each.
 1.23  02-May-1998  thorpej Note net.inet.tcp.ack_on_push.
 1.22  30-Apr-1998  thorpej Note the existence of net.inet.ip.mtudisctimeout.
 1.21  30-Apr-1998  thorpej Note the presence of net.inet.tcp.: mssdflt, sack, win_scale, timestamps,
compat_42, cwm, cwm_burstsize.
 1.20  13-Apr-1998  kml Fix to ensure that the correct MSS is advertised for loopback
TCP connections by using the MTU of the interface. Also added
a knob, mss_ifmtu, to force all connections to use the MTU of
the interface to calculate the advertised MSS.
 1.19  06-Feb-1998  perry macroize BSD, NetBSD, FreeBSD and misc cleanup
 1.18  05-Jan-1998  lukem document net.inet.ip.anonport{min,max}
 1.17  11-Dec-1997  thorpej Mention net.inet.tcp.init_win.
 1.16  11-Dec-1997  thorpej Fix a paste-o.
 1.15  18-Oct-1997  kml branches: 1.15.2;
change sysctl net.inet.icmp.mtudisc to net.inet.ip.mtudisc
 1.14  17-Oct-1997  thorpej Note net.inet.ip.subnetsarelocal.
 1.13  19-Sep-1997  leo Commit userland part of pr-1891.
 1.12  28-Jul-1997  thorpej Document new UDP and TCP tunables.
 1.11  06-Jun-1997  veego Update the manpage for hw.machine_arch.
 1.10  29-May-1997  cgd Fix broken uses of Dd. Both the mdoc and mdoc.samples pages agree:
.Dd is supposed to be invoked like:
.Dd month day, year
e.g. ".Dd January 25, 1989", rather than:
.Dd "month day, year"
which is what these pages did.
 1.9  23-Apr-1997  cjs added net.inet.ip.allowsrcrt
 1.8  09-Jan-1997  thorpej Grok and document CTL_DDB.
 1.7  17-Jul-1996  explorer Document the new autonice sysctls
 1.6  16-Jan-1996  thorpej Add a net.inet.ip.directed-broadcast sysctl as suggested by
Darren Reed <darrenr@vitruvius.arbld.unimelb.edu.au> in PR #1227.
This change is slightly different than the one submitted by Darren in
that the DIRECTED_BROADCAST compile-time option will behave like it used
to so that existing configurations utilizing it won't have to change.
 1.5  15-Jan-1996  thorpej Add net.inet.ip.forwsrcrt: if zero, the system will not forward
source-routed packets. Note this value is protected by kernel security
level; it can only be changed if securelevel < 1.
 1.4  30-Sep-1995  thorpej New-style RCS ids.
 1.3  30-Sep-1995  thorpej Add support for the net.inet.tcp sysctl group and document. From
John Kohl <jtk@kolvir.blrc.ma.us>.
 1.2  04-Aug-1995  thorpej Mention the `kern.maxpartitions' and `kern.rawpartition' variables.
 1.1  09-May-1994  cgd branches: 1.1.1;
Initial revision
 1.1.1.1  09-May-1994  cgd sysctl-of-fish
 1.15.2.1  11-Dec-1997  thorpej Pull up from trunk: fix paste-o.
 1.30.2.1  27-Dec-1999  wrstuden Pull up to last week's -current.
 1.47.4.9  15-Mar-2003  he Pull up revision 1.79 (via patch, requested by msaitoh in ticket #18):
Document vfs.nfs.iothreads.
 1.47.4.8  07-Jun-2001  he Apply patch (requested by he):
Typo correction; add a plural ``s'' to ``maxfragpacket''.
 1.47.4.7  24-Apr-2001  he Pull up revision 1.66 (requested by itojun):
Introduce net.inet.ip.maxfragpackets, which controls the maximum
number of IPv4 fragment reassembly queue entries. Defends against
certain DoS attacks.
 1.47.4.6  26-Feb-2001  he Um, undo one more commit done in error.
 1.47.4.5  26-Feb-2001  he Pull up revisions 1.62-1.63 (requested by hubertf):
Document the vendor.* sysctl branch, and note that we currently
have no registry for these sysctl values.
 1.47.4.4  26-Sep-2000  jdolecek pullup rev. 1.56 (approved by thorpej):
fix typo (remplaced --> replaced)
 1.47.4.3  27-Aug-2000  itojun pullup (approved by releng-1-5)

> implement net.inet6.ip6.{anon,low}port{min,max} sysctl variable.

> cvs rdiff -r1.67 -r1.68 basesrc/lib/libc/gen/sysctl.3
> cvs rdiff -r1.53 -r1.54 basesrc/sbin/sysctl/sysctl.8
> cvs rdiff -r1.18 -r1.19 syssrc/sys/netinet6/in6.h
> cvs rdiff -r1.29 -r1.30 syssrc/sys/netinet6/in6_pcb.c
> cvs rdiff -r1.3 -r1.4 syssrc/sys/netinet6/in6_src.c
> cvs rdiff -r1.25 -r1.26 syssrc/sys/netinet6/ip6_input.c
> cvs rdiff -r1.14 -r1.15 syssrc/sys/netinet6/ip6_var.h
 1.47.4.2  27-Aug-2000  itojun pullup (approved by releng-1-5)
> document net.inet.ip.lowport{min,max}
> cvs rdiff -r1.66 -r1.67 basesrc/lib/libc/gen/sysctl.3
> cvs rdiff -r1.52 -r1.53 basesrc/sbin/sysctl/sysctl.8
 1.47.4.1  16-Aug-2000  itojun pullup (approved by releng-1-5)

document *ppslimit.

sbin/sysctl/sysctl.8 1.48 -> 1.52
lib/libc/gen/sysctl.3 1.60 -> 1.63, 1.64 -> 1.65
 1.77.2.1  30-May-2002  tv Pull up revision 1.79 (requested by msaitoh in ticket #81):
document vfs.nfs.iothreads
 1.111.2.2  04-Jun-2007  bouyer Pull up following revision(s) (requested by adrianp in ticket #11330):
sys/netinet6/ip6_input.c: revision 1.102 via patch
sys/netinet6/route6.c: revision 1.18 via patch
sys/netinet6/ip6_var.h: revisions 1.41-1.42 via patch
sbin/sysctl/sysctl.8: patch
Disable processing of routing header type 0 packets since they can be used
for DoS attacks. Provide a sysctl to re-enable them (net.inet6.ip6.rht0).
Information from:
http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf
 1.111.2.1  12-Nov-2004  jmc branches: 1.111.2.1.2;
Pullup rev 1.116 (requested by daniel in ticket #926)

Add vm.bufcache, vm.bufmem, vm.bufmem_lowater, m.bufmem_hiwater
 1.111.2.1.2.2  04-Jun-2007  bouyer Pull up following revision(s) (requested by adrianp in ticket #11330):
sys/netinet6/ip6_input.c: revision 1.102 via patch
sys/netinet6/route6.c: revision 1.18 via patch
sys/netinet6/ip6_var.h: revisions 1.41-1.42 via patch
sbin/sysctl/sysctl.8: patch
Disable processing of routing header type 0 packets since they can be used
for DoS attacks. Provide a sysctl to re-enable them (net.inet6.ip6.rht0).
Information from:
http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf
 1.111.2.1.2.1  18-Jun-2005  riz branches: 1.111.2.1.2.1.2;
Pull up revision 1.118 (requested by peter in ticket #1998):
PR/28782: OBATA Akio: Document that kern.rtc_offset is writable.
 1.111.2.1.2.1.2.1  04-Jun-2007  bouyer Pull up following revision(s) (requested by adrianp in ticket #11330):
sys/netinet6/ip6_input.c: revision 1.102 via patch
sys/netinet6/route6.c: revision 1.18 via patch
sys/netinet6/ip6_var.h: revisions 1.41-1.42 via patch
sbin/sysctl/sysctl.8: patch
Disable processing of routing header type 0 packets since they can be used
for DoS attacks. Provide a sysctl to re-enable them (net.inet6.ip6.rht0).
Information from:
http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf
 1.118.2.5  26-Apr-2007  ghen Pull up following revision(s) (requested by christos in ticket #1766):
sys/netinet6/ip6_input.c: revision 1.102 via patch
sys/netinet6/route6.c: revision 1.18 via patch
sys/netinet6/ip6_var.h: revision 1.41 via patch
sys/netinet6/ip6_var.h: revision 1.42 via patch
sbin/sysctl/sysctl.8: patch
Disable processing of routing header type 0 packets since they can be used
for DoS attacks. Provide a sysctl to re-enable them (net.inet6.ip6.rht0).
Information from:
http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf
fix typo.
 1.118.2.4  10-Jun-2005  tron branches: 1.118.2.4.2; 1.118.2.4.4;
Pull up revision 1.122 (requested by elad in ticket #389):
Bump date for previous. <> -> *[Lt]*[Gt].
 1.118.2.3  10-Jun-2005  tron Pull up revision 1.121 (requested by elad in ticket #389):
Add man-page bits about the 'count' node.
 1.118.2.2  10-Jun-2005  tron Pull up revision 1.120 (requested by elad in ticket #389):
Remove common code for returning supported fingerprints. This is done now
via sysctl(8) using kern.veriexec.algorithms.
Also add an entry for the 'algorithms' variable in sysctl.8 forgotten in
the last commit.
 1.118.2.1  10-Jun-2005  tron Pull up revision 1.119 (requested by elad in ticket #389):
Some changes in veriexec.
New features:
- Add a veriexec_report() routine to make most reporting consistent and
remove some common code.
- Add 'strict' mode that controls how veriexec behaves.
- Add sysctl knobs:
o kern.veriexec.verbose controls verbosity levels. Value: 0, 1.
o kern.veriexec.strict controls strict level. Values: 0, 1, 2. See
documentation in sysctl(3) for details.
o kern.veriexec.algorithms returns a string with a space separated
list of supported hashing algorithms in veriexec.
- Updated documentation in man pages for sysctl(3) and sysctl(8).
Bug fixes:
- veriexec_removechk(): Code cleanup + handle FINGERPRINT_NOTEVAL
correctly.
- exec_script(): Don't pass 0 as flag when executing a script; use the
defined VERIEXEC_INDIRECT - which is 1. Makes indirect execution
enforcement work.
- Fix some printing formats and types..
 1.118.2.4.4.1  26-Apr-2007  ghen Pull up following revision(s) (requested by christos in ticket #1766):
sys/netinet6/ip6_input.c: revision 1.102 via patch
sys/netinet6/route6.c: revision 1.18 via patch
sys/netinet6/ip6_var.h: revision 1.41 via patch
sys/netinet6/ip6_var.h: revision 1.42 via patch
sbin/sysctl/sysctl.8: patch
Disable processing of routing header type 0 packets since they can be used
for DoS attacks. Provide a sysctl to re-enable them (net.inet6.ip6.rht0).
Information from:
http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf
fix typo.
 1.118.2.4.2.1  26-Apr-2007  ghen Pull up following revision(s) (requested by christos in ticket #1766):
sys/netinet6/ip6_input.c: revision 1.102 via patch
sys/netinet6/route6.c: revision 1.18 via patch
sys/netinet6/ip6_var.h: revision 1.41 via patch
sys/netinet6/ip6_var.h: revision 1.42 via patch
sbin/sysctl/sysctl.8: patch
Disable processing of routing header type 0 packets since they can be used
for DoS attacks. Provide a sysctl to re-enable them (net.inet6.ip6.rht0).
Information from:
http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf
fix typo.
 1.149.2.2  08-Sep-2006  rpaulo Pull up following revision(s) (requested by liamjfoy in ticket #127):
lib/libc/gen/sysctl.3: revision 1.181
sbin/sysctl/sysctl.8: revision 1.152
add net.inet.ip.maxflows. Bump date.
document net.inet.ip.maxflows. dump date.
 1.149.2.1  12-Aug-2006  riz Pull up following revision(s) (requested by kardel in ticket #14):
sbin/sysctl/sysctl.8: revision 1.150 - 1.151
document timecounter sysctls
Bump date for previous.
 1.156.2.1  28-Apr-2007  bouyer Pull up following revision(s) (requested by christos in ticket #587):
sys/netinet6/ip6_input.c: revision 1.102
sys/netinet6/route6.c: revision 1.18
sys/netinet6/ip6_var.h: revision 1.41
sys/netinet6/ip6_var.h: revision 1.42
sbin/sysctl/sysctl.8: patch
Disable processing of routing header type 0 packets since they can be used
for DoS attacks. Provide a sysctl to re-enable them (net.inet6.ip6.rht0).
Information from:
http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf
fix typo.
 1.157.14.1  18-May-2008  yamt sync with head.
 1.157.12.2  17-Jan-2009  mjf Sync with HEAD.
 1.157.12.1  02-Jun-2008  mjf Sync with HEAD.
 1.158.4.2  01-Apr-2009  snj Pull up following revision(s) (requested by christos in ticket #635):
sbin/sysctl/sysctl.8: revision 1.160
sbin/sysctl/sysctl.c: revision 1.129
Don't print an error with sysctl -w name?=value if name does not exist.
Should be pulled up to 5.0
 1.158.4.1  12-Nov-2008  snj Pull up following revision(s) (requested by reed in ticket #46):
sbin/sysctl/sysctl.8: revision 1.159
lib/libc/gen/sysctl.3: revision 1.195
Reference secmodel_securelevel(9) manual page.
 1.159.2.1  13-May-2009  jym Sync with HEAD.

Third (and last) commit. See http://mail-index.netbsd.org/source-changes/2009/05/13/msg221222.html
