Diffstat (limited to 'share/man/man5')
33 files changed, 852 insertions, 2599 deletions
diff --git a/share/man/man5/Makefile b/share/man/man5/Makefile index d9129307bea2..e2abf1d60905 100644 --- a/share/man/man5/Makefile +++ b/share/man/man5/Makefile @@ -1,4 +1,3 @@ - .include <src.opts.mk> #MISSING: dump.5 plot.5 @@ -6,9 +5,7 @@ MAN= acct.5 \ ar.5 \ a.out.5 \ ${_boot.config.5} \ - cd9660.5 \ core.5 \ - devfs.5 \ devfs.conf.5 \ devfs.rules.5 \ device.hints.5 \ @@ -17,41 +14,31 @@ MAN= acct.5 \ elf.5 \ ethers.5 \ eui64.5 \ - ext2fs.5 \ fbtab.5 \ - fdescfs.5 \ forward.5 \ fs.5 \ fstab.5 \ - fusefs.5 \ group.5 \ hosts.5 \ hosts.equiv.5 \ hosts.lpd.5 \ intro.5 \ libmap.conf.5 \ - lindebugfs.5 \ link.5 \ - linprocfs.5 \ - linsysfs.5 \ mailer.conf.5 \ make.conf.5 \ moduli.5 \ motd.5 \ mount.conf.5 \ - mqueuefs.5 \ - msdosfs.5 \ networks.5 \ nsmb.conf.5 \ nsswitch.conf.5 \ - nullfs.5 \ os-release.5 \ passwd.5 \ pbm.5 \ periodic.conf.5 \ phones.5 \ portindex.5 \ - procfs.5 \ protocols.5 \ quota.user.5 \ rc.conf.5 \ @@ -61,21 +48,15 @@ MAN= acct.5 \ resolver.5 \ services.5 \ shells.5 \ - smbfs.5 \ src.conf.5 \ stab.5 \ style.Makefile.5 \ style.mdoc.5 \ sysctl.conf.5 \ - tarfs.5 \ - tmpfs.5 \ - unionfs.5 MLINKS= dir.5 dirent.5 -MLINKS+=ext2fs.5 ext4fs.5 MLINKS+=fs.5 inode.5 MLINKS+=hosts.equiv.5 rhosts.5 -MLINKS+=msdosfs.5 msdos.5 MLINKS+=passwd.5 master.passwd.5 MLINKS+=passwd.5 pwd.db.5 MLINKS+=passwd.5 spwd.db.5 @@ -85,10 +66,6 @@ MLINKS+=rc.conf.5 rc.conf.local.5 MLINKS+=resolver.5 resolv.conf.5 MLINKS+=src.conf.5 src-env.conf.5 -.if ${MK_AUTOFS} != "no" -MAN+= autofs.5 -.endif - .if ${MK_BLUETOOTH} != "no" MAN+= bluetooth.device.conf.5 \ bluetooth.hosts.5 \ diff --git a/share/man/man5/autofs.5 b/share/man/man5/autofs.5 deleted file mode 100644 index e82df1929877..000000000000 --- a/share/man/man5/autofs.5 +++ /dev/null 
@@ -1,135 +0,0 @@ -.\" Copyright (c) 2014 The FreeBSD Foundation -.\" -.\" This software was developed by Edward Tomasz Napierala under sponsorship -.\" from the FreeBSD Foundation. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. 
-.\" -.Dd December 2, 2017 -.Dt AUTOFS 5 -.Os -.Sh NAME -.Nm autofs -.Nd "automounter filesystem" -.Sh SYNOPSIS -To compile this driver into the kernel, -place the following line in the -kernel configuration file: -.Bd -ragged -offset indent -.Cd "options AUTOFS" -.Ed -.Pp -Alternatively, to load the driver as a -module at boot time, place the following line in -.Xr loader.conf 5 : -.Bd -literal -offset indent -autofs_load="YES" -.Ed -.Sh DESCRIPTION -The -.Nm -driver is the kernel component of the automounter infrastructure. -Its job is to pass mount requests to the -.Xr automountd 8 -daemon, and pause the processes trying to access the automounted filesystem -until the mount is completed. -It is mounted by the -.Xr automount 8 . -.Sh OPTIONS -These options are available when -mounting -.Nm -file systems: -.Bl -tag -width indent -.It Cm master_options -Mount options for all filesystems specified in the map entry. -.It Cm master_prefix -Filesystem mountpoint prefix. -.El -.Sh SYSCTL VARIABLES -The following variables are available as both -.Xr sysctl 8 -variables and -.Xr loader 8 -tunables: -.Bl -tag -width indent -.It Va vfs.autofs.debug -Verbosity level for log messages from the -.Nm -driver. -Set to 0 to disable logging or 1 to warn about potential problems. -Larger values enable debugging output. -Defaults to 1. -.It Va vfs.autofs.interruptible -Set to 1 to allow mount requests to be interrupted by signal. -Defaults to 1. -.It Va vfs.autofs.retry_delay -Number of seconds before retrying mount requests. -Defaults to 1. -.It Va vfs.autofs.retry_attempts -Number of attempts before failing mount. -Defaults to 3. -.It Va vfs.autofs.cache -Number of seconds to wait before reinvoking -.Xr automountd 8 -for any given file or directory. -Defaults to 600. -.It Va vfs.autofs.timeout -Number of seconds to wait for -.Xr automountd 8 -to handle the mount request. -Defaults to 30. -.It Va vfs.autofs.mount_on_stat -Set to 1 to trigger mount on -.Xr stat 2 -on mountpoint. 
-Defaults to 0. -.El -.Sh EXAMPLES -To unmount all mounted -.Nm -filesystems: -.Pp -.Dl "umount -At autofs" -.Pp -To mount -.Nm -filesystems specified in -.Xr auto_master 5 : -.Pp -.Dl "automount" -.Sh SEE ALSO -.Xr auto_master 5 , -.Xr automount 8 , -.Xr automountd 8 , -.Xr autounmountd 8 -.Sh HISTORY -The -.Nm -driver first appeared in -.Fx 10.1 . -.Sh AUTHORS -The -.Nm -was developed by -.An Edward Tomasz Napierala Aq Mt trasz@FreeBSD.org -under sponsorship from the FreeBSD Foundation. diff --git a/share/man/man5/cd9660.5 b/share/man/man5/cd9660.5 deleted file mode 100644 index 224816e16c57..000000000000 --- a/share/man/man5/cd9660.5 +++ /dev/null 
@@ -1,81 +0,0 @@ -.\" -.\" Copyright (c) 2017 Enji Cooper -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" 3. The name of the author may not be used to endorse or promote products -.\" derived from this software without specific prior written permission -.\" -.\" THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.Dd April 25, 2023 -.Dt CD9660 5 -.Os -.Sh NAME -.Nm cd9660 -.Nd "ISO-9660 file system" -.Sh SYNOPSIS -To link into the kernel: -.Bd -ragged -offset indent -.Cd "options CD9660" -.Ed -.Pp -Alternatively, to load the driver as a -module at boot time, place the following line in -.Xr loader.conf 5 : -.Bd -literal -offset indent -cd9660_load="YES" -.Ed -.Sh DESCRIPTION -The -.Nm -driver will permit the -.Fx -kernel to access the -.Tn cd9660 -file system. 
-.Sh EXAMPLES -To mount a -.Nm -volume located on -.Pa /dev/cd0 : -.Pp -.Dl "mount -t cd9660 /dev/cd0 /mnt" -.Sh SEE ALSO -.Xr nmount 2 , -.Xr unmount 2 , -.Xr cd 4 , -.Xr fstab 5 , -.Xr mount 8 , -.Xr mount_cd9660 8 -.Sh HISTORY -The -.Nm -driver first appeared in -.Bx 4.4 Lite . -.Sh AUTHORS -.An -nosplit -The -.Nm -kernel implementation was originally written by -.An Pace Willisson Aq Mt pace@blitz.com -and -.An Atsushi Murai Aq Mt amurai@spec.co.jp . -.Pp -This manual page was written by -.An Enji Cooper Aq Mt ngie@FreeBSD.org . diff --git a/share/man/man5/devfs.5 b/share/man/man5/devfs.5 deleted file mode 100644 index 0f914f671bf8..000000000000 --- a/share/man/man5/devfs.5 +++ /dev/null 
@@ -1,147 +0,0 @@ -.\" Copyright (c) 1996 -.\" Mike Pritchard <mpp@FreeBSD.org>. All rights reserved. -.\" -.\" Copyright (c) 1992, 1993, 1994 -.\" The Regents of the University of California. All rights reserved. -.\" All rights reserved. -.\" -.\" This code is derived from software donated to Berkeley by -.\" Jan-Simon Pendry. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" 3. Neither the name of the University nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. 
-.\" -.Dd June 30, 2022 -.Dt DEVFS 5 -.Os -.Sh NAME -.Nm devfs -.Nd device file system -.Sh SYNOPSIS -.Bd -literal -devfs /dev devfs rw 0 0 -.Ed -.Sh DESCRIPTION -The device file system, or -.Nm , -provides access to kernel's device -namespace in the global file system namespace. -The conventional mount point is -.Pa /dev . -.Pp -The file system includes several directories, links, symbolic links -and devices, some of which can also be written. -In a chroot'ed -environment, -.Xr devfs 8 -can be used to create a new -.Pa /dev -mount point. -.Pp -The -.Xr mknod 8 -tool can be used to recover deleted device entries under -.Nm . -.Pp -The -.Xr fdescfs 5 -filesystem is an alternate means for populating -.Pa /dev/fd . -The character devices that both -.Nm -and -.Xr fdescfs 5 -present in -.Pa /dev/fd -correspond to the open file descriptors of the process -accessing the directory. -.Nm -only creates files for the standard file descriptors -.Pa 0 , -.Pa 1 -and -.Pa 2 . -.Xr fdescfs 5 -creates files for all open descriptors. -.Pp -The options are as follows: -.Bl -tag -width indent -.It Fl o Ar options -Use the specified mount -.Ar options , -as described in -.Xr mount 8 . -The following devfs file system-specific options are available: -.Bl -tag -width indent -.It Cm ruleset Ns No = Ns Ar ruleset -Set ruleset number -.Ar ruleset -as the current ruleset for the mount-point and apply all its rules. -If the ruleset number -.Ar ruleset -does not exist, an empty ruleset with the number -.Ar ruleset -is created. -See -.Xr devfs 8 -for more information on working with devfs rulesets. -.El -.El -.Sh FILES -.Bl -tag -width /dev/XXXX -compact -.It Pa /dev -The normal -.Nm -mount point. -.El -.Sh EXAMPLES -To mount a -.Nm -volume located on -.Pa /mychroot/dev : -.Pp -.Dl "mount -t devfs devfs /mychroot/dev" -.Sh SEE ALSO -.Xr fdescfs 5 , -.Xr devfs 8 , -.Xr mount 8 , -.Xr make_dev 9 -.Sh HISTORY -The -.Nm -file system first appeared in -.Fx 2.0 . 
-It became the preferred method for accessing devices in -.Fx 5.0 -and the only method in -.Fx 6.0 . -The -.Nm -manual page first appeared in -.Fx 2.2 . -.Sh AUTHORS -The -.Nm -manual page was written by -.An Mike Pritchard Aq Mt mpp@FreeBSD.org . diff --git a/share/man/man5/devfs.conf.5 b/share/man/man5/devfs.conf.5 index e95c7b578bf5..f7141b76c3f6 100644 --- a/share/man/man5/devfs.conf.5 +++ b/share/man/man5/devfs.conf.5 @@ -54,7 +54,7 @@ The action to take for the device. The action names are only significant to the first unique character. .It Ar devname The name of the device created by -.Xr devfs 5 . +.Xr devfs 4 . .It Ar arg The argument of the .Ar action . @@ -68,7 +68,7 @@ This action creates a symbolic link named that points to .Ar devname , the name of the device created by -.Xr devfs 5 . +.Xr devfs 4 . .It Ic own This action changes the ownership of .Ar devname . @@ -118,8 +118,8 @@ perm cd0 0660 .Ed .Sh SEE ALSO .Xr chmod 1 , +.Xr devfs 4 , .Xr devd.conf 5 , -.Xr devfs 5 , .Xr devfs.rules 5 , .Xr chown 8 .Sh AUTHORS diff --git a/share/man/man5/devfs.rules.5 b/share/man/man5/devfs.rules.5 index 368a7696b5cd..e878c2a97738 100644 --- a/share/man/man5/devfs.rules.5 +++ b/share/man/man5/devfs.rules.5 @@ -124,7 +124,7 @@ group, a similar rule may be used: .Dl "add path 'usb/*' mode 0660 group usb" .Sh SEE ALSO .Xr glob 3 , -.Xr devfs 5 , +.Xr devfs 4 , .Xr devfs.conf 5 , .Xr devfs 8 , .Xr service 8 diff --git a/share/man/man5/elf.5 b/share/man/man5/elf.5 index 7ad469a03c3b..d89a917bd96f 100644 --- a/share/man/man5/elf.5 +++ b/share/man/man5/elf.5 @@ -22,7 +22,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd July 25, 2022 +.Dd May 26, 2025 .Dt ELF 5 .Os .Sh NAME 
@@ -864,6 +864,13 @@ This section holds version control information. This section is of type .Sy SHT_PROGBITS . No attribute types are used. +.It .ctors +This legacy section holds pointers to initialization routines, +executed before calling the main program entry point. +This section is of type +.Sy SHT_PROGBITS . +The attributes used are +.Sy SHF_ALLOC . .It .data This section holds initialized data that contribute to the program's memory image. @@ -889,6 +896,13 @@ are unspecified. This section is of type .Sy SHT_PROGBITS . No attribute types are used. +.It .dtors +This legacy section holds pointers to finalization routines, +executed when the program exits normally. +This section is of type +.Sy SHT_PROGBITS . +The attributes used are +.Sy SHF_ALLOC . .It .dynamic This section holds dynamic linking information. The section's attributes @@ -915,7 +929,7 @@ This section is of type The attribute used is .Sy SHF_ALLOC . .It .fini -This section holds executable instructions that contribute to the process +This legacy section holds executable instructions that contribute to the process termination code. When a program exits normally the system arranges to execute the code in this section. @@ -925,6 +939,19 @@ The attributes used are .Sy SHF_ALLOC and .Sy SHF_EXECINSTR . +.It .fini_array +This section holds pointers to finalization routines. +When a program exits normally +.Xr rtld 1 +executes the code referenced by this section. +This section is of type +.Sy SHT_FINI_ARRAY . +The attributes used are +.Sy SHF_ALLOC . +Refer to +.Dv NT_FREEBSD_NOINIT_TAG +.Pq below +for a description of how initialization and finalization code is invoked. .It .got This section holds the global offset table. This section is of type 
@@ -937,7 +964,7 @@ This section is of type The attribute used is .Sy SHF_ALLOC . .It .init -This section holds executable instructions that contribute to the process +This legacy section holds executable instructions that contribute to the process initialization code. When a program starts to run the system arranges to execute the code in this section before calling the main program entry point. @@ -947,6 +974,20 @@ The attributes used are .Sy SHF_ALLOC and .Sy SHF_EXECINSTR . +.It .init_array +This section holds pointers to initialization routines. +When a program starts to run +.Xr rtld 1 +executes the code referenced by this section before calling the program entry +point. +This section is of type +.Sy SHT_INIT_ARRAY . +The attributes used are +.Sy SHF_ALLOC . +Refer to +.Dv NT_FREEBSD_NOINIT_TAG +.Pq below +for a description of how initialization and finalization code is invoked. .It .interp This section holds the pathname of a program interpreter. If the file has @@ -1065,6 +1106,9 @@ and .It .jcr This section holds information about Java classes that must be registered. +It is obsolete and binaries created for +.Fx 15 +or later do not process it. .It .eh_frame This section holds information used for C++ exception-handling. .El @@ -1381,6 +1425,10 @@ Disable stack gap. .It NT_FREEBSD_FCTL_WXNEEDED Pq Value: 0x08 Indicate that the binary requires mappings that are simultaneously writeable and executable. +.It NT_FREEBSD_FCTL_LA48 Pq Value: 0x10 +Request 48-bit linear address space on amd64. +.It NT_FREEBSD_FCTL_LA57 Pq Value: 0x40 +Accept 57-bit linear address space on amd64. .El .El .Sh SEE ALSO diff --git a/share/man/man5/ext2fs.5 b/share/man/man5/ext2fs.5 deleted file mode 100644 index 7504a144496f..000000000000 --- a/share/man/man5/ext2fs.5 +++ /dev/null 
@@ -1,104 +0,0 @@ -.\" -.\" Copyright (c) 2006 Craig Rodrigues -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" 3. The name of the author may not be used to endorse or promote products -.\" derived from this software without specific prior written permission -.\" -.\" THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.Dd December 30, 2018 -.Dt EXT2FS 5 -.Os -.Sh NAME -.Nm ext2fs -.Nd "ext2/ext3/ext4 file system" -.Sh SYNOPSIS -To link into the kernel: -.Bd -ragged -offset indent -.Cd "options EXT2FS" -.Ed -.Pp -To load as a kernel loadable module: -.Pp -.Dl "kldload ext2fs" -.Sh DESCRIPTION -The -.Nm -driver will permit the -.Fx -kernel to access -ext2 -file systems and its derivatives. 
-It currently implements most of the features required by -.Em ext3 -and -.Em ext4 -file systems. -Support for Extended Attributes in -.Em ext4 -is experimental. -Journalling and encryption are currently not supported. -.Sh EXAMPLES -To mount a -.Nm -volume located on -.Pa /dev/ada1s1 : -.Pp -.Dl "mount -t ext2fs /dev/ada1s1 /mnt" -.Sh SEE ALSO -.Xr nmount 2 , -.Xr unmount 2 , -.Xr fstab 5 , -.Xr mount 8 -.Sh HISTORY -The -.Nm -driver first appeared in -.Fx 2.2 . -.Sh AUTHORS -.An -nosplit -The -.Nm -kernel implementation is derived from code written, -or modified, -by -.An Godmar Back -using the UFS CSRG sources for CMU Mach. -.Pp -.An John Dyson -did the initial port to -.Fx . -.An Aditya Sarawgi -merged important parts of the allocation code from a clean-room -.Nx -implementation. -.An Zheng Liu -and -.An Fedor Uporov -implemented the read and write support respectively for -.Em ext4 -filesystems. -The -.Fx -community has contributed a huge amount of modifications. -.Pp -The initial version of this manual page was written by -.An Craig Rodrigues Aq Mt rodrigc@FreeBSD.org . diff --git a/share/man/man5/fdescfs.5 b/share/man/man5/fdescfs.5 deleted file mode 100644 index fa260cbc12f3..000000000000 --- a/share/man/man5/fdescfs.5 +++ /dev/null 
@@ -1,218 +0,0 @@ -.\" Copyright (c) 2021 The FreeBSD Foundation, Inc. -.\" -.\" Copyright (c) 1996 -.\" Mike Pritchard <mpp@FreeBSD.org>. All rights reserved. -.\" -.\" Copyright (c) 1992, 1993, 1994 -.\" The Regents of the University of California. All rights reserved. -.\" All rights reserved. -.\" -.\" This code is derived from software donated to Berkeley by -.\" Jan-Simon Pendry. -.\" -.\" Parts of this documentation was written by -.\" Konstantin Belousov <kib@FreeBSD.org> under sponsorship -.\" from the FreeBSD Foundation. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" 3. Neither the name of the University nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. -.\" -.Dd Jul 11, 2023 -.Dt FDESCFS 5 -.Os -.Sh NAME -.Nm fdescfs -.Nd file-descriptor file system -.Sh SYNOPSIS -.Bd -literal -fdescfs /dev/fd fdescfs rw 0 0 -.Ed -.Sh DESCRIPTION -The file-descriptor file system, or -.Nm , -provides access to the per-process file descriptor -namespace in the global file system namespace. -The conventional mount point is -.Pa /dev/fd . -.Pp -The file system's contents -appear as a list of numbered files -which correspond to the open files of the process reading the -directory. -The files -.Pa /dev/fd/0 -through -.Pa /dev/fd/# -refer to file descriptors which can be accessed through the file -system. -.Pp -The following mount options can be used when mounting -.Nm -filesystem: -.Bl -tag -width linrdlnk -.It Cm nodup -For file descriptors referencing vnodes, instead of the -.Xr dup 2 -semantic described above, implement re-opening of the referenced vnode. -See below for more details. -.It Cm linrdlnk -Report the type of the -.Nm -vnode as -.Dv VLNK -instead of -.Fx -traditional -.Dv VCHR . -For -.Xr linux 4 -ABI compatibility mount -.Nm -volume with the -.Cm linrdlnk -option. -.It Cm rdlnk -Treat -.Nm -vnodes as symbolic links consistently, in particular, follow -the resolved name for the name lookups. -This option is strictly stronger than the -.Cm linrdlnk -option, it changes not only the type returned by -.Xr stat 2 , -but also causes the -.Nm -files to behave as symlinks. 
-.El -.Pp -For -.Nm -mounted without the -.Cm nodup -mount option, -if the file descriptor is open and the mode the file is being opened -with is a subset of the mode of the existing descriptor, the call: -.Bd -literal -offset indent -fd = open("/dev/fd/0", mode); -.Ed -.Pp -and the call: -.Bd -literal -offset indent -fd = fcntl(0, F_DUPFD, 0); -.Ed -.Pp -are equivalent. -Flags to the -.Xr open 2 -call other than -.Dv O_RDONLY , -.Dv O_WRONLY -and -.Dv O_RDWR -are ignored. -.Pp -For -.Nm -mounted with the -.Cm nodup -option, and file descriptor referencing a vnode, the call: -.Bd -literal -offset indent -fd = open("/dev/fd/0", mode); -.Ed -.Pp -reopens the referenced vnode with the specified -.Fa mode . -In other words, the -.Fn open -call above is equivalent to -.Bd -literal -offset indent -fd = openat(0, "", O_EMPTY_PATH, mode); -.Ed -.Pp -In particular, if the file descriptor was opened with the -.Dv O_PATH -flag, then either -.Dv O_EMPTY_PATH -or -.Fn open -over -.Nm -mount with -.Cm nodup -option allows one to convert it to a regularly opened file, -assuming that the current permissions allow the requested -.Fa mode . -.Pp -.Em "Note:" -.Pa /dev/fd/0 , -.Pa /dev/fd/1 -and -.Pa /dev/fd/2 -files are created by default when devfs alone is mounted. -.Nm -creates entries for all file descriptors opened by the process. -.Sh FILES -.Bl -tag -width /dev/stderr -compact -.It Pa /dev/fd/# -.El -.Sh EXAMPLES -To mount a -.Nm -volume located on -.Pa /dev/fd : -.Pp -.Dl "mount -t fdescfs none /dev/fd" -.Pp -For -.Xr linux 4 -ABI compatibility: -.Pp -.Dl "mount -t fdescfs -o linrdlnk none /compat/linux/dev/fd" -.Pp -For substitute of -.Dv O_EMPTY_PATH -flag use: -.Pp -.Dl "mount -t fdescfs -o nodup none /dev/fdpath" -.Sh SEE ALSO -.Xr devfs 5 , -.Xr mount 8 -.Sh HISTORY -The -.Nm -file system first appeared in -.Bx 4.4 . -The -.Nm -manual page first appeared in -.Fx 2.2 . 
-.Sh AUTHORS -.An -nosplit -The -.Nm -manual page was written by -.An Mike Pritchard Aq Mt mpp@FreeBSD.org , -and was based on the -manual page written by -.An Jan-Simon Pendry . diff --git a/share/man/man5/fstab.5 b/share/man/man5/fstab.5 index 6a357e497ca7..787fe3933aca 100644 --- a/share/man/man5/fstab.5 +++ b/share/man/man5/fstab.5 @@ -113,7 +113,7 @@ flag. Other options need both the file system specific flag and its argument, separated by an equal sign. For example, mounting an -.Xr msdosfs 5 +.Xr msdosfs 4 filesystem, the options .Bd -literal -offset indent -o sync -o noatime -m 644 -M 755 -u foo -g bar @@ -423,10 +423,9 @@ resides in # Swap space on a block device. /dev/da0p1 none swap sw 0 0 # -# Swap space using a block device with GBDE/GELI encryption. +# Swap space using a block device with GELI encryption. # aalgo, ealgo, keylen, sectorsize options are available # for .eli devices. -/dev/da1p1.bde none swap sw 0 0 /dev/da1p2.eli none swap sw 0 0 # # tmpfs. diff --git a/share/man/man5/fusefs.5 b/share/man/man5/fusefs.5 deleted file mode 100644 index 987e7f898eca..000000000000 --- a/share/man/man5/fusefs.5 +++ /dev/null 
@@ -1,136 +0,0 @@ -.\" -.\" SPDX-License-Identifier: BSD-2-Clause -.\" -.\" Copyright (c) 2019 The FreeBSD Foundation -.\" -.\" This documentation was written by BFF Storage Systems, LLC under -.\" sponsorship from the FreeBSD Foundation. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. -.Dd July 31, 2019 -.Dt FUSEFS 5 -.Os -.Sh NAME -.Nm fusefs -.Nd "File system in USErspace" -.Sh SYNOPSIS -To link into the kernel: -.Bd -ragged -offset indent -.Cd "options FUSEFS" -.Ed -.Pp -To load as a loadable kernel module: -.Pp -.Dl "kldload fusefs" -.Sh DESCRIPTION -The -.Nm -driver implements a file system that is serviced by a userspace program. -.Pp -There are many uses for -.Nm . 
-Userspace daemons can access libraries or programming languages that cannot run -in kernel-mode, for example. -.Nm -is also useful for developing and debugging file systems, because a crash of -the daemon will not take down the entire operating system. -Finally, the -.Nm -API is portable. -Many daemons can run on multiple operating systems with minimal modifications. -.Sh SYSCTL VARIABLES -The following -.Xr sysctl 8 -variables are available: -.Bl -tag -width indent -.It Va vfs.fusefs.kernelabi_major -Major version of the FUSE kernel ABI supported by this driver. -.It Va vfs.fusefs.kernelabi_minor -Minor version of the FUSE kernel ABI supported by this driver. -.It Va vfs.fusefs.data_cache_mode -Controls how -.Nm -will cache file data for pre-7.23 file systems. -A value of 0 will disable caching entirely. -Every data access will be forwarded to the daemon. -A value of 1 will select write-through caching. -Reads will be cached in the VFS layer as usual. -Writes will be immediately forwarded to the daemon, and also added to the cache. -A value of 2 will select write-back caching. -Reads and writes will both be cached, and writes will occasionally be flushed -to the daemon by the page daemon. -Write-back caching is usually unsafe, especially for FUSE file systems that -require network access. -.Pp -FUSE file systems using protocol 7.23 or later specify their cache behavior -on a per-mountpoint basis, ignoring this sysctl. -.It Va vfs.fusefs.stats.filehandle_count -Current number of open FUSE file handles. -.It Va vfs.fusefs.stats.lookup_cache_hits -Total number of lookup cache hits. -.It Va vfs.fusefs.stats.lookup_cache_misses -Total number of lookup cache misses. -.It Va vfs.fusefs.stats.node_count -Current number of allocated FUSE vnodes. -.It Va vfs.fusefs.stats.ticket_count -Current number of allocated FUSE tickets, which is roughly equal to the number -of FUSE operations currently being processed by daemons. 
-.\" Undocumented sysctls -.\" ==================== -.\" vfs.fusefs.enforce_dev_perms: I don't understand it well enough. -.\" vfs.fusefs.iov_credit: I don't understand it well enough -.\" vfs.fusefs.iov_permanent_bufsize: I don't understand it well enough -.El -.Sh SEE ALSO -.Xr mount_fusefs 8 -.Sh HISTORY -The -.Nm fuse -driver was written as the part of the -.Fx -implementation of the FUSE userspace file system framework (see -.Lk https://github.com/libfuse/libfuse ) -and first appeared in the -.Pa sysutils/fusefs-kmod -port, supporting -.Fx 6.0 . -It was added to the base system in -.Fx 10.0 , -and renamed to -.Nm -for -.Fx 12.1 . -.Sh AUTHORS -.An -nosplit -The -.Nm fuse -driver was originally written by -.An Csaba Henk -as a Google Summer of Code project in 2005. -It was further developed by -.An Ilya Putsikau -during Google Summer of Code 2011, and that version was integrated into the -base system by -.An Attilio Rao Aq Mt attilio@FreeBSD.org . -.Pp -This manual page was written by -.An Alan Somers Aq Mt asomers@FreeBSD.org . diff --git a/share/man/man5/hosts.equiv.5 b/share/man/man5/hosts.equiv.5 index 319d47718cbf..dbb3bb2f4205 100644 --- a/share/man/man5/hosts.equiv.5 +++ b/share/man/man5/hosts.equiv.5 @@ -124,7 +124,6 @@ and their users except users from netgroup .Dq dau . .Sh SEE ALSO -.Xr rcp 1 , .Xr gethostbyname 3 , .Xr inet 3 , .Xr innetgr 3 , diff --git a/share/man/man5/intro.5 b/share/man/man5/intro.5 index 78e147975e81..3e67b319da14 100644 --- a/share/man/man5/intro.5 +++ b/share/man/man5/intro.5 @@ -1,3 +1,6 @@ +.\" +.\" SPDX-License-Identifier: BSD-3-Clause +.\" .\" Copyright (c) 1983, 1991, 1993 .\" The Regents of the University of California. All rights reserved. .\" 
@@ -25,25 +28,41 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd February 16, 1997 +.Dd November 17, 2024 .Dt INTRO 5 .Os .Sh NAME .Nm intro -.Nd "introduction to file formats" +.Nd introduction to file formats .Sh DESCRIPTION -This section contains information about file formats. +This section contains information about the file formats +which comprise most data structures in the +.Bx +environment, including: +.Pp +.Bl -bullet -compact +.It +.Xr ascii 7 +configuration and resource files +.It +system binary file and stream structures +.It +composition of database files +.El .Sh FILES -.Bl -tag -width /etc/shells -compact -.It Pa /etc -location of most system configuration files +.Bl -tag -width "/usr/local/etc/" -compact +.It Pa /etc/ +base system software configuration files +.It Pa /usr/local/etc/ +locally installed software configuration files .El .Sh SEE ALSO .Xr apropos 1 , .Xr intro 1 , +.Xr hier 7 , .Xr intro 8 .Sh HISTORY The -.Nm -section manual page appeared in +.Nm Ns Pq 5 +manual page first appeared in .Fx 2.2 . diff --git a/share/man/man5/lindebugfs.5 b/share/man/man5/lindebugfs.5 deleted file mode 100644 index 8e385be7d743..000000000000 --- a/share/man/man5/lindebugfs.5 +++ /dev/null 
@@ -1,95 +0,0 @@ -.\" SPDX-License-Identifier: BSD-2-Clause -.\" -.\" Copyright (c) 2022, Jake Freeland <jfree@freebsd.org> -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. - -.Dd August 10, 2022 -.Dt LINDEBUGFS 5 -.Os -.Sh NAME -.Nm lindebugfs -.Nd Linux file system for debugging -.Sh SYNOPSIS -.Bd -literal -lindebugfs /sys/kernel/debug lindebugfs rw 0 0 -.Ed -.Sh DESCRIPTION -The debug file system, or debugfs, makes process debugging easier by -providing a simple API for data transfer between the kernel and user -space. -Debugfs is not a general-purpose file system and should not be used as -a storage medium. 
-Instead, developers can implement the debugfs interface in their code -to generate debug information about their program at runtime. -FreeBSD's -.Nm -uses the -.Xr pseudofs 9 -file system construction kit to model itself after Linux's debugfs. -The -.Nm -API is intended for use with programs that take advantage of FreeBSD's -LinuxKPI compatibility layer. -.Pp -When mounted, -.Nm -will populate with pseudo files from any running process that calls -.Nm debugfs_create_file() . -Since -.Nm -is a pseudo file system, file contents will be generated dynamically -based on program provided file operations. -The current -.Nm -implementation formally supports seq_file and simple_attr_file virtual -file formats. -.Sh EXAMPLES -Load the -.Nm -kernel module: -.Pp -.Dl "kldload lindebugfs" -.Pp -Mount the -.Nm -file system on -.Pa /sys/kernel/debug : -.Pp -.Dl "mount -t lindebugfs lindebugfs /sys/kernel/debug" -.Sh SEE ALSO -.Xr linprocfs 5 , -.Xr linsysfs 5 , -.Xr pseudofs 9 , -.Xr linux 4 , -.Xr mount 1 -.Sh HISTORY -The -.Nm -file system first appeared in -.Fx 12.1 . -.Sh AUTHORS -.An -nosplit -The initial implementation for -.Nm -was created by Matthew Macy. -This manual page was written by Jake Freeland. diff --git a/share/man/man5/linprocfs.5 b/share/man/man5/linprocfs.5 deleted file mode 100644 index 6b30d944b14b..000000000000 --- a/share/man/man5/linprocfs.5 +++ /dev/null 
@@ -1,98 +0,0 @@ -.\" Written by Garrett Wollman -.\" This file is in the public domain. -.\" -.Dd November 13, 2019 -.Dt LINPROCFS 5 -.Os -.Sh NAME -.Nm linprocfs -.Nd Linux process file system -.Sh SYNOPSIS -.Bd -literal -linproc /compat/linux/proc linprocfs rw 0 0 -.Ed -.Sh DESCRIPTION -The Linux process file system, or -.Nm , -emulates a subset of Linux' process file system and is required for -the complete operation of some Linux binaries. -.Pp -The -.Nm -provides a two-level view of process space. -At the highest level, processes themselves are named, according to -their process ids in decimal, with no leading zeros. -There is also a special node called -.Pa self -which always refers to the process making the lookup request. -.Pp -Each node is a directory containing several files: -.Bl -tag -width status -.It Pa exe -A reference to the vnode from which the process text was read. -This can be used to gain access to the process' symbol table, -or to start another copy of the process. -.It Pa mem -The complete virtual memory image of the process. -Only those addresses which exist in the process can be accessed. -Reads and writes to this file modify the process. -Writes to the text segment remain private to the process. -.El -.Pp -Each node is owned by the process's user, and belongs to that user's -primary group, except for the -.Pa mem -node, which belongs to the -.Li kmem -group. -.Sh FILES -.Bl -tag -width /compat/linux/proc/self/XXXXXXX -compact -.It Pa /compat/linux/proc -The normal mount point for the -.Nm . -.It Pa /compat/linux/proc/cpuinfo -CPU vendor and model information in human-readable form. -.It Pa /compat/linux/proc/meminfo -System memory information in human-readable form. -.It Pa /compat/linux/proc/pid -A directory containing process information for process -.Pa pid . -.It Pa /compat/linux/proc/self -A directory containing process information for the current process. 
-.It Pa /compat/linux/proc/self/exe -The executable image for the current process. -.It Pa /compat/linux/proc/self/mem -The complete virtual address space of the current process. -.El -.Sh EXAMPLES -To mount a -.Nm -file system on -.Pa /compat/linux/proc : -.Pp -.Dl "mount -t linprocfs linproc /compat/linux/proc" -.Sh SEE ALSO -.Xr mount 2 , -.Xr unmount 2 , -.Xr linux 4 , -.Xr procfs 5 , -.Xr pseudofs 9 -.Sh HISTORY -The -.Nm -first appeared in -.Fx 4.0 . -.Sh AUTHORS -.An -nosplit -The -.Nm -was derived from -.Nm procfs -by -.An Pierre Beyssac . -This manual page was written by -.An Dag-Erling Sm\(/orgrav , -based on the -.Xr procfs 5 -manual page by -.An Garrett Wollman . diff --git a/share/man/man5/linsysfs.5 b/share/man/man5/linsysfs.5 deleted file mode 100644 index f87f791c5f94..000000000000 --- a/share/man/man5/linsysfs.5 +++ /dev/null 
@@ -1,98 +0,0 @@ -.\" Written by Garrett Wollman -.\" This file is in the public domain. -.\" -.Dd November 13, 2019 -.Dt LINSYSFS 5 -.Os -.Sh NAME -.Nm linsysfs -.Nd Linux kernel objects file system -.Sh SYNOPSIS -.Bd -literal -linsys /compat/linux/sys linsysfs rw 0 0 -.Ed -.Sh DESCRIPTION -The -.Tn Linux -system file system, or -.Nm , -emulates a subset of the -.Tn Linux -sys file system and is required for -the complete operation of some -.Tn Linux -binaries. -.Pp -The -.Nm -provides a two-level view of devices. -At the highest level, PCI devices themselves are named, according to -their bus, slot and function in the system hierarchy. -PCI storage devices are listed in the -.Pa scsi_host -class with a device symlink -to the PCI directories of the devices. -.Pp -Each device node is a directory containing some files and directories: -.Bl -tag -width ".Pa status" -.It Pa host -A place holder for storage host information. -.It Pa pci_id -A directory for the -.Pa pci_id -that contains either the device information or another directory structure -for a PCI bridge. -.El -.Pp -Each host node of scsi_host is a directory containing some files and directories: -.Bl -tag -width ".Pa proc_name" -.It Pa proc_name -The -.Tn Linux -registered driver name for these devices. -.It Pa device -A symlink to the PCI device directory. -.El -.Sh FILES -.Bl -tag -width ".Pa /compat/linux/sys/devices/pci0000:00" -compact -.It Pa /compat/linux/sys -The normal mount point for -.Nm . -.It Pa /compat/linux/sys/class/scsi_host -The storage host node. -.It Pa /compat/linux/sys/devices/pci0000:00 -The PCI device hierarchy node. -.El -.Sh EXAMPLES -The most common usage follows: -.Pp -.Dl "mount -t linsysfs linsys /compat/linux/sys" -.Pp -where -.Pa /compat/linux/sys -is a mount point. -.Sh SEE ALSO -.Xr nmount 2 , -.Xr unmount 2 , -.Xr linux 4 , -.Xr linprocfs 5 , -.Xr pseudofs 9 -.Sh HISTORY -The -.Nm -driver first appeared in -.Fx 6.2 . 
-.Sh AUTHORS -.An -nosplit -The -.Nm -driver was derived from -.Nm linprocfs -by -.An Doug Ambrisko . -This manual page was edited by -.An Doug Ambrisko , -based on the -.Xr linprocfs 5 -manual page by -.An Garrett Wollman . diff --git a/share/man/man5/make.conf.5 b/share/man/man5/make.conf.5 index ebf1b8a119f7..46bfa91d36ba 100644 --- a/share/man/man5/make.conf.5 +++ b/share/man/man5/make.conf.5 @@ -158,6 +158,15 @@ and .Va COPTFLAGS to contain the appropriate optimization directive to .Xr cc 1 . +To set the +.Va CPUTYPE +value, use +.Dq Li ?= +instead of +.Dq Li = +so that it can be overridden by +.Xr make 1 +targets. The automatic setting of .Va CFLAGS may be overridden using the diff --git a/share/man/man5/motd.5 b/share/man/man5/motd.5 index 86cb8f723634..109fc4e56ca4 100644 --- a/share/man/man5/motd.5 +++ b/share/man/man5/motd.5 @@ -2,7 +2,7 @@ .\" .\" This file is in the public domain. .\" -.Dd October 18, 2020 +.Dd December 14, 2024 .Dt MOTD 5 .Os .Sh NAME @@ -25,9 +25,8 @@ and the contents are written to can be updated without a system reboot by manually restarting the motd service after updating .Pa /etc/motd.template : -.Bd -literal -offset -ident -compact -service motd restart -.Ed +.Pp +.Dl service motd restart .Pp Individual users may suppress the display of this file by creating a file named @@ -35,7 +34,10 @@ creating a file named in their home directories or through .Xr login.conf 5 . .Sh FILES -.Bl -tag -width $HOME/.hushlogin -compact +.Bl -tag -width "/etc/motd.template" -compact +.It Pa /etc/motd +Symbolic link to +.Pa /var/run/motd . .It Pa /etc/motd.template The template file that system administrators can edit. .It Pa /var/run/motd diff --git a/share/man/man5/mount.conf.5 b/share/man/man5/mount.conf.5 index 633a642e37be..4b5c272ef601 100644 --- a/share/man/man5/mount.conf.5 +++ b/share/man/man5/mount.conf.5 
@@ -50,7 +50,7 @@ The logic for this is in .Fn vfs_mountroot_conf0 . .It The kernel will first mount -.Xr devfs 5 +.Xr devfs 4 as the root file system. .It Next, the kernel will parse the in-memory config file created in step 1 @@ -60,7 +60,7 @@ See for the format of the config file. .It When the actual root file system is mounted, -.Xr devfs 5 +.Xr devfs 4 will be re-mounted on the .Pa /dev directory. @@ -221,7 +221,7 @@ For each root file system which is mounted, a directory .Em must exist so that the root mount logic can properly re-mount -.Xr devfs 5 . +.Xr devfs 4 . If this directory does not exist, the system may hang during the bootup process. .Sh SEE ALSO diff --git a/share/man/man5/mqueuefs.5 b/share/man/man5/mqueuefs.5 deleted file mode 100644 index 7be49a816968..000000000000 --- a/share/man/man5/mqueuefs.5 +++ /dev/null 
@@ -1,122 +0,0 @@ -.\" Copyright (c) 2005 David Xu <davidxu@FreeBSD.org> -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" 1. Redistributions of source code must retain the above copyright -.\" notice(s), this list of conditions and the following disclaimer as -.\" the first lines of this file unmodified other than the possible -.\" addition of one or more copyright notices. -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice(s), this list of conditions and the following disclaimer in -.\" the documentation and/or other materials provided with the -.\" distribution. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER(S) ``AS IS'' AND ANY -.\" EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) BE -.\" LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF -.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR -.\" BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, -.\" WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE -.\" OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, -.\" EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.Dd November 30, 2005 -.Dt MQUEUEFS 5 -.Os -.Sh NAME -.Nm mqueuefs -.Nd POSIX message queue file system -.Sh SYNOPSIS -To link into kernel: -.Pp -.Cd "options P1003_1B_MQUEUE" -.Pp -To load as a kernel loadable module: -.Pp -.Dl "kldload mqueuefs" -.Sh DESCRIPTION -The -.Nm -module will permit the -.Fx -kernel to support -.Tn POSIX -message queue. -The module contains system calls to manipulate -.Tn POSIX -message queues. 
-It also contains a file system to implement a view for all message queues of -the system. -This helps users to keep track of their message queues and make -it more easily usable without having to invent additional tools. -.Pp -The most common usage is as follows: -.Pp -.Dl "mount -t mqueuefs null /mnt/mqueue" -.Pp -where -.Pa /mnt/mqueue -is a mount point. -.Pp -It is possible to define an entry in -.Pa /etc/fstab -that looks similar to: -.Bd -literal -null /mnt/mqueue mqueuefs rw 0 0 -.Ed -.Pp -This will mount -.Nm -at the -.Pa /mnt/mqueue -mount point during system boot. -Using -.Pa /mnt/mqueue -as a permanent mount point is not advised as its intention -has always been to be a temporary mount point. -See -.Xr hier 7 -for more information on -.Fx -directory layout. -.Pp -Some common tools can be used on the file system, e.g.: -.Xr cat 1 , -.Xr chmod 1 , -.Xr chown 8 , -.Xr ls 1 , -.Xr rm 1 , -etc. -To use only the message queue system calls, it is not necessary for -user to mount the file system, just load the module or compile it -into the kernel. -Manually creating a file, for example, -.Dq Li "touch /mnt/mqueue/myqueue" , -will create a message queue named -.Pa myqueue -in the kernel, default -message queue attributes will be applied to the queue. -It is not -advised to use this method to create a queue; -it is better to use the -.Xr mq_open 2 -system call to create a queue as it -allows the user to specify different attributes. -.Pp -To see the queue's attributes, just read the file: -.Pp -.Dl "cat /mnt/mqueue/myqueue" -.Sh SEE ALSO -.Xr mq_open 2 , -.Xr nmount 2 , -.Xr unmount 2 , -.Xr mount 8 , -.Xr umount 8 -.Sh AUTHORS -This manual page was written by -.An David Xu Aq Mt davidxu@FreeBSD.org . diff --git a/share/man/man5/msdosfs.5 b/share/man/man5/msdosfs.5 deleted file mode 100644 index 2856b4b5cc82..000000000000 --- a/share/man/man5/msdosfs.5 +++ /dev/null 
@@ -1,73 +0,0 @@ -.\" Written by Tom Rhodes -.\" This file is in the public domain. -.\" -.Dd September 27, 2018 -.Dt MSDOSFS 5 -.Os -.Sh NAME -.Nm msdosfs -.Nd MS-DOS file system -.Sh SYNOPSIS -.Cd "options MSDOSFS" -.Sh DESCRIPTION -The -.Nm -driver will permit the -.Fx -kernel to read and write MS-DOS based file systems. -.Pp -The most common usage follows: -.Pp -.Dl "mount -t msdosfs /dev/ada0sN /mnt" -.Pp -where -.Ar N -is the partition number and -.Pa /mnt -is a mount point. -Some users tend to create a -.Pa /dos -directory for -.Nm -mount points. -This helps to keep better track of the file system, -and make it more easily accessible. -.Pp -It is possible to define an entry in -.Pa /etc/fstab -that looks similar to: -.Bd -literal -/dev/ada0sN /dos msdosfs rw 0 0 -.Ed -.Pp -This will mount an MS-DOS based partition at the -.Pa /dos -mount point during system boot. -Using -.Pa /mnt -as a permanent mount point is not advised as its intention -has always been to be a temporary mount point for floppy and -ZIP disks. -See -.Xr hier 7 -for more information on -.Fx -directory layout. -.Sh EXAMPLES -Determine which FAT file system version (e.g, FAT16, FAT32) -is a partition formatted with: -.Bd -literal -offset indent -file -s /dev/da0s1 -.Ed -.Pp -.Xr gpart 8 -may also be used to extract this information. -.Sh SEE ALSO -.Xr mount 2 , -.Xr unmount 2 , -.Xr mount 8 , -.Xr mount_msdosfs 8 , -.Xr umount 8 -.Sh AUTHORS -This manual page was written by -.An Tom Rhodes Aq Mt trhodes@FreeBSD.org . diff --git a/share/man/man5/nsmb.conf.5 b/share/man/man5/nsmb.conf.5 index 1a09743874e5..0da10343ed77 100644 --- a/share/man/man5/nsmb.conf.5 +++ b/share/man/man5/nsmb.conf.5 @@ -1,3 +1,6 @@ +.\"- +.\" SPDX-License-Identifier: BSD-2-Clause +.\" .\" Copyright (c) 2003 .\" Originally written by Sergey A. Osokin .\" Rewritten by Tom Rhodes 
@@ -28,9 +31,7 @@ .Os .Sh NAME .Nm nsmb.conf -.Nd configuration file for -.Tn SMB -requests +.Nd configuration file for server message block (SMB1/CIFS) requests .Sh DESCRIPTION The .Nm diff --git a/share/man/man5/nullfs.5 b/share/man/man5/nullfs.5 deleted file mode 100644 index 6e2c199aa3b0..000000000000 --- a/share/man/man5/nullfs.5 +++ /dev/null 
@@ -1,80 +0,0 @@ -.\" -.\" Copyright (c) 2008 Daniel Gerzo -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" -.\" THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.Dd March 15, 2022 -.Dt NULLFS 5 -.Os -.Sh NAME -.Nm nullfs -.Nd "null file system" -.Sh SYNOPSIS -To enable support for this driver, -place the following line in the kernel configuration file: -.Bd -ragged -offset indent -.Cd "options NULLFS" -.Ed -.Pp -Alternatively, to load the driver as a -module at boot time, place the following line in -.Xr loader.conf 5 : -.Bd -literal -offset indent -nullfs_load="YES" -.Ed -.Sh DESCRIPTION -The -.Nm -driver will permit the -.Fx -kernel to mount a loopback file system sub-tree. 
-.Sh EXAMPLES -To mount a -.Nm -file system: -.Pp -.Dl "mount_nullfs /usr/ports /home/devel/ports" -.Pp -It is also possible to define an entry in -.Xr fstab 5 -that looks similar to: -.Pp -.Bd -literal -/usr/ports /home/devel/ports nullfs rw 0 0 -.Ed -.Sh SEE ALSO -.Xr fstab 5 , -.Xr mount_nullfs 8 -.Sh HISTORY -The -.Nm -layer first appeared in -.Bx 4.4 . -.Sh AUTHORS -.An -nosplit -The -.Nm -kernel implementation was written by -.An John Heideman . -.Pp -This manual page was written by -.An Daniel Gerzo Aq Mt danger@FreeBSD.org . diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index 9803d96bc5d9..fe848b030484 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -27,7 +27,7 @@ .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd December 6, 2023 +.Dd July 2, 2025 .Dt PF.CONF 5 .Os .Sh NAME @@ -100,6 +100,8 @@ Macro names may not be reserved words (for example .Ar in , .Ar out ) . Macros are not expanded inside quotes. +Ranges of network addresses used in macros that will be expanded in lists +later on must be quoted with additional simple quotes. .Pp For example, .Bd -literal -offset indent @@ -107,6 +109,11 @@ ext_if = \&"kue0\&" all_ifs = \&"{\&" $ext_if lo0 \&"}\&" pass out on $ext_if from any to any pass in on $ext_if proto tcp from any to any port 25 + +usr_lan_range = "'192.0.2.0/24'" +srv_lan_range = "'198.51.100.0 - 198.51.100.255'" +nat_ranges = \&"{\&" $usr_lan_range $srv_lan_range \&"}\&" +nat on $ext_if from $nat_ranges to any -> ($ext_if) .Ed .Sh TABLES Tables are named structures which can hold a collection of addresses and @@ -132,8 +139,8 @@ Tables can also be used for the redirect address of .Ar nat and .Ar rdr -rules and in the routing options of filter rules, but only for -.Ar round-robin +and in the routing options of filter rules, but not for +.Ar bitmask pools. .Pp Tables can be defined with any of the following 
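Review bot: "must be quoted with additional simple quotes" in the @@ -100,6 hunk is unclear wording; say "single quotes" and add the one-sentence reason (the inner quotes keep an address range such as `'198.51.100.0 - 198.51.100.255'`, spaces included, as a single token when the macro is later expanded inside a `{ ... }` list), so the reader understands why `usr_lan_range = "'192.0.2.0/24'"` in the example that follows carries two layers of quoting.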
@@ -167,7 +174,7 @@ will be cleared on load. .El .Pp Tables may be defined with the following attributes: -.Bl -tag -width persist +.Bl -tag -width counters .It Ar persist The .Ar persist @@ -195,9 +202,9 @@ Note that this feature carries significant memory overhead for large tables. .Pp For example, .Bd -literal -offset indent -table \*(Ltprivate\*(Gt const { 10/8, 172.16/12, 192.168/16 } -table \*(Ltbadhosts\*(Gt persist -block on fxp0 from { \*(Ltprivate\*(Gt, \*(Ltbadhosts\*(Gt } to any +table <private> const { 10/8, 172.16/12, 192.168/16 } +table <badhosts> persist +block on fxp0 from { <private>, <badhosts> } to any .Ed .Pp creates a table called private, to hold RFC 1918 private network @@ -215,8 +222,8 @@ these hosts can be blocked by using A table can also be initialized with an address list specified in one or more external files, using the following syntax: .Bd -literal -offset indent -table \*(Ltspam\*(Gt persist file \&"/etc/spammers\&" file \&"/etc/openrelays\&" -block on fxp0 from \*(Ltspam\*(Gt to any +table <spam> persist file \&"/etc/spammers\&" file \&"/etc/openrelays\&" +block on fxp0 from <spam> to any .Ed .Pp The files @@ -265,7 +272,8 @@ firewall at the risk of dropping valid idle connections. .It Ar tcp.first The state after the first packet. .It Ar tcp.opening -The state before the destination host ever sends a packet. +The state after the second packet but before both endpoints have +acknowledged the connection. .It Ar tcp.established The fully established state. .It Ar tcp.closing @@ -353,8 +361,8 @@ For example: .Bd -literal -offset indent set timeout tcp.first 120 set timeout tcp.established 86400 -set timeout { adaptive.start 6000, adaptive.end 12000 } -set limit states 10000 +set timeout { adaptive.start 60000, adaptive.end 120000 } +set limit states 100000 .Ed .Pp With 9000 state table entries, the timeout values are scaled to 50% 
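Review bot: the adaptive timeout example in the @@ -353,8 hunk now sets `adaptive.start 60000`, `adaptive.end 120000` and `set limit states 100000`, but the unchanged sentence that follows ("With 9000 state table entries, the timeout values are scaled to 50%") was computed against the old 6000/12000 values; with the new numbers 9000 entries is below adaptive.start, so no scaling occurs at all. Update the worked example to 90000 entries (halfway between 60000 and 120000, which does give 50%), otherwise the paragraph contradicts its own configuration.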
@@ -419,13 +427,10 @@ and options) to 2000. Using .Bd -literal -offset indent -set limit tables 1000 set limit table-entries 100000 .Ed .Pp -sets limits on the memory pools used by tables. -The first limits the number of tables that can exist to 1000. -The second limits the overall number of addresses that can be stored +sets the limit on the overall number of addresses that can be stored in tables to 100000. .Pp Various limits can be combined on a single line: @@ -537,6 +542,9 @@ an ICMP UNREACHABLE is returned for blocked UDP packets, and all other packets are silently dropped. .El .Pp +The default value is +.Cm drop . +.Pp For example: .Bd -literal -offset indent set block-policy return @@ -661,6 +669,8 @@ but can be overridden via this option. Setting this option may leave a small period of time where the fingerprints referenced by the currently active ruleset are inconsistent until the new ruleset finishes loading. +The default location for fingerprints is +.Pa /etc/pf.os . .Pp For example: .Pp @@ -705,11 +715,12 @@ and .Ar pass packets based on attributes of their Ethernet (layer 2) header. .Pp -For each packet processed by the packet filter, the filter rules are -evaluated in sequential order, from first to last. +Each time a packet processed by the packet filter comes in on or +goes out through an interface, the filter rules are evaluated in +sequential order, from first to last. The last matching rule decides what action is taken. If no rule matches the packet, the default action is to pass -the packet. +the packet without creating a state. .Pp The following actions can be used in the filter: .Bl -tag -width xxxx 
@@ -720,12 +731,15 @@ Unlike for layer 3 traffic the packet is always silently dropped. The packet is passed; no state is created for layer 2 traffic. .El -.Sh PARAMETERS +.Ss Parameters applicable to layer 2 rules The rule parameters specify the packets to which a rule applies. A packet always comes in on, or goes out through, one interface. Most parameters are optional. If a parameter is specified, the rule only applies to packets with matching attributes. +The matching for some parameters can be inverted with the +.Cm !\& +operator. Certain parameters can be expressed as lists, in which case .Xr pfctl 8 generates all needed rule combinations. @@ -751,6 +765,8 @@ see the .Ic group keyword in .Xr ifconfig 8 . +.Ar any +will match any existing interface except loopback ones. .It Ar bridge-to Aq interface Packets matching this rule will be sent out of the specified interface without further processing. 
@@ -1333,29 +1349,18 @@ If the .Xr dummynet 4 module is not loaded any traffic sent into a queue or pipe will be dropped. .Sh TRANSLATION -Translation rules modify either the source or destination address of the -packets associated with a stateful connection. -A stateful connection is automatically created to track packets matching -such a rule as long as they are not blocked by the filtering section of -.Nm pf.conf . -The translation engine modifies the specified address and/or port in the -packet, recalculates IP, TCP and UDP checksums as necessary, and passes -it to the packet filter for evaluation. -.Pp -Since translation occurs before filtering the filter -engine will see packets as they look after any -addresses and ports have been translated. -Filter rules will therefore have to filter based on the translated +Translation options modify either the source or destination address and +port of the packets associated with a stateful connection. +.Xr pf 4 +modifies the specified address and/or port in the packet and recalculates +IP, TCP, and UDP checksums as necessary. +.Pp +If specified on a +.Ic match +rule, subsequent rules will see packets as they look +after any addresses and ports have been translated. +These rules will therefore have to filter based on the translated address and port number. -Packets that match a translation rule are only automatically passed if -the -.Ar pass -modifier is given, otherwise they are -still subject to -.Ar block -and -.Ar pass -rules. .Pp The state entry created permits .Xr pf 4 
@@ -1364,15 +1369,72 @@ and correctly direct return traffic for that connection. .Pp Various types of translation are possible with pf: .Bl -tag -width xxxx +.It Ar af-to +Translation between different address families (NAT64) is handled +using +.Ar af-to +rules. +Because address family translation overrides the routing table, it's +only possible to use +.Ar af-to +on inbound rules, and a source address of the resulting translation +must always be specified. +.Pp +The optional second argument is the host or subnet the original +addresses are translated into for the destination. +The lowest bits of the original destination address form the host +part of the new destination address according to the specified subnet. +It is possible to embed a complete IPv4 address into an IPv6 address +using a network prefix of /96 or smaller. +.Pp +When a destination address is not specified it is assumed that the host +part is 32-bit long. +For IPv6 to IPv4 translation this would mean using only the lower 32 +bits of the original IPv6 destination address. +For IPv4 to IPv6 translation the destination subnet defaults to the +subnet of the new IPv6 source address with a prefix length of /96. +See RFC 6052 Section 2.2 for details on how the prefix determines the +destination address encoding. +.Pp +For example, the following rules are identical: +.Bd -literal -offset indent +pass in inet af-to inet6 from 2001:db8::1 to 2001:db8::/96 +pass in inet af-to inet6 from 2001:db8::1 +.Ed +.Pp +In the above example the matching IPv4 packets will be modified to +have a source address of 2001:db8::1 and a destination address will +get prefixed with 2001:db8::/96, e.g. 198.51.100.100 will be +translated to 2001:db8::c633:6464. 
+.Pp +In the reverse case the following rules are identical: +.Bd -literal -offset indent +pass in inet6 from any to 64:ff9b::/96 af-to inet \e + from 198.51.100.1 to 0.0.0.0/0 +pass in inet6 from any to 64:ff9b::/96 af-to inet \e + from 198.51.100.1 +.Ed +.Pp +The destination IPv4 address is assumed to be embedded inside the +original IPv6 destination address, e.g. 64:ff9b::c633:6464 will be +translated to 198.51.100.100. +.Pp +The current implementation will only extract IPv4 addresses from the +IPv6 addresses with a prefix length of /96 and greater. .It Ar binat A -.Ar binat +.Ar binat-to rule specifies a bidirectional mapping between an external IP netblock and an internal IP netblock. -.It Ar nat +It expands to an outbound +.Ar nat-to +rule and an inbound +.Ar rdr-to +rule. +.It Ar nat-to A -.Ar nat -rule specifies that IP addresses are to be changed as the packet +.Ar nat-to +option specifies that IP addresses are to be changed as the packet traverses the given interface. This technique allows one or more IP addresses on the translating host to support network traffic for a larger range of 
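Review bot: in the @@ -1364,15 hunk the list heading is still `.It Ar binat` while its body now reads "A .Ar binat-to rule ... expands to an outbound .Ar nat-to rule and an inbound .Ar rdr-to rule", and the sibling headings were renamed to `nat-to` and `rdr-to`; rename this one to `.It Ar binat-to` for consistency. In the same hunk the af-to text first says a complete IPv4 address can be embedded "using a network prefix of /96 or smaller" and later that the implementation only extracts IPv4 addresses "with a prefix length of /96 and greater"; state explicitly which is meant (a prefix length of at most 96, i.e. a network at least as large as a /96) so the two sentences do not read as contradicting each other.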
@@ -1380,35 +1442,112 @@ machines on an "inside" network. Although in theory any IP address can be used on the inside, it is strongly recommended that one of the address ranges defined by RFC 1918 be used. These netblocks are: -.Bd -literal -10.0.0.0 - 10.255.255.255 (all of net 10, i.e., 10/8) -172.16.0.0 - 172.31.255.255 (i.e., 172.16/12) -192.168.0.0 - 192.168.255.255 (i.e., 192.168/16) +.Bd -literal -offset indent +10.0.0.0 - 10.255.255.255 (all of net 10.0.0.0, i.e., 10.0.0.0/8) +172.16.0.0 - 172.31.255.255 (i.e., 172.16.0.0/12) +192.168.0.0 - 192.168.255.255 (i.e., 192.168.0.0/16) .Ed -.It Pa rdr +.Pp +.Ar nat-to +is usually applied outbound. +If applied inbound, nat-to to a local IP address is not supported. +.It Pa rdr-to The packet is redirected to another destination and possibly a different port. -.Ar rdr -rules can optionally specify port ranges instead of single ports. -rdr ... port 2000:2999 -\*(Gt ... port 4000 +.Ar rdr-to +can optionally specify port ranges instead of single ports. +For instance: +.Bd -literal -offset indent +match in ... port 2000:2999 rdr-to ... port 4000 +.Ed redirects ports 2000 to 2999 (inclusive) to port 4000. -rdr ... port 2000:2999 -\*(Gt ... port 4000:* +.Bd -literal -offset indent +qmatch in ... port 2000:2999 rdr-to ... port 4000:* +.Ed redirects port 2000 to 4000, 2001 to 4001, ..., 2999 to 4999. .El .Pp +.Ar rdr-to +is usually applied inbound. +If applied outbound, rdr-to to a local IP address is not supported. In addition to modifying the address, some translation rules may modify source or destination ports for .Xr tcp 4 or .Xr udp 4 connections; implicitly in the case of -.Ar nat -rules and explicitly in the case of -.Ar rdr -rules. +.Ar nat-to +options and both implicitly and explicitly in the case of +.Ar rdr-to +ones. +A +.Ar rdr-to +opion may cause the source port to be modified if doing so avoids a conflict +with an existing connection. +A random source port in the range 50001-65535 is chosen in this case. 
Port numbers are never translated with a -.Ar binat -rule. +.Ar binat-to +option. +.Pp +Note that redirecting external incoming connections to the loopback +address, as in +.Bd -literal -offset indent +pass in on egress proto tcp from any to any port smtp \e + rdr-to 127.0.0.1 port spamd +.Ed +.Pp +will effectively allow an external host to connect to daemons +bound solely to the loopback address, circumventing the traditional +blocking of such connections on a real interface. +Unless this effect is desired, any of the local non-loopback addresses +should be used as redirection target instead, which allows external +connections only to daemons bound to this address or not bound to +any address. +.Pp +See +.Sx TRANSLATION EXAMPLES +below. +.Ss NAT ruleset (pre-FreeBSD 15) +In order to maintain compatibility with older releases of FreeBSD +.Ar NAT +rules can also be specified in their own ruleset. +A stateful connection is automatically created to track packets matching +such a rule as long as they are not blocked by the filtering section of +.Nm pf.conf . +Since translation occurs before filtering the filter +engine will see packets as they look after any +addresses and ports have been translated. +Filter rules will therefore have to filter based on the translated +address and port number. +Packets that match a translation rule are only automatically passed if +the +.Ar pass +modifier is given, otherwise they are +still subject to +.Ar block +and +.Ar pass +rules. +.Pp +The following rules can be defined in the NAT ruleset: +.Ar binat , +.Ar nat , +and +.Ar rdr . +They have the same effect as +.Ar binat-to , +.Ar nat-to +and +.Ar rdr-to +options for filter rules. +.Pp +The +.Ar no +option prefixed to a translation rule causes packets to remain untranslated, +much in the same way as +.Ar drop quick +works in the packet filter. +If no rule matches the packet it is passed to the filter engine unmodified. 
.Pp Evaluation order of the translation rules is dependent on the type of the translation rules and of the direction of a packet. @@ -1423,14 +1562,6 @@ Rules of the same type are evaluated in the same order in which they appear in the ruleset. The first matching rule decides what action is taken. .Pp -The -.Ar no -option prefixed to a translation rule causes packets to remain untranslated, -much in the same way as -.Ar drop quick -works in the packet filter (see below). -If no rule matches the packet it is passed to the filter engine unmodified. -.Pp Translation rules apply only to packets that pass through the specified interface, and if no interface is specified, translation is applied to packets on all interfaces. @@ -1443,22 +1574,8 @@ Redirections cannot reflect packets back through the interface they arrive on, they can only be redirected to hosts connected to different interfaces or to the firewall itself. .Pp -Note that redirecting external incoming connections to the loopback -address, as in -.Bd -literal -offset indent -rdr on ne3 inet proto tcp to port smtp -\*(Gt 127.0.0.1 port spamd -.Ed -.Pp -will effectively allow an external host to connect to daemons -bound solely to the loopback address, circumventing the traditional -blocking of such connections on a real interface. -Unless this effect is desired, any of the local non-loopback addresses -should be used as redirection target instead, which allows external -connections only to daemons bound to this address or not bound to -any address. -.Pp See -.Sx TRANSLATION EXAMPLES +.Sx COMPATIBILITY TRANSLATION EXAMPLES below. .Sh PACKET FILTERING .Xr pf 4 @@ -1554,6 +1671,9 @@ rules in that parameters are set for every rule a packet matches, not only on the last matching rule. For the following parameters, this means that the parameter effectively becomes "sticky" until explicitly overridden: +.Ar nat-to , +.Ar binat-to , +.Ar rdr-to , .Ar queue , .Ar dnpipe , .Ar dnqueue , 
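Review bot: two typos in the rdr-to text of hunk @@ -1380,35 +1442,112 @@: the second port-range example reads "qmatch in ... port 2000:2999 rdr-to ... port 4000:*" and should be "match in ...", and "A .Ar rdr-to opion may cause the source port to be modified" should read "option". While here, the sentences that follow each ".Ed" in that passage ("redirects ports 2000 to 2999 (inclusive) to port 4000.") start without a ".Pp", so they run on directly after the literal block; a ".Pp" after each ".Ed" would match how the rest of the page is written.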
@@ -1600,10 +1720,6 @@ allows echo requests (such as those created by out statefully, and matches incoming echo replies correctly to states. .Pp Also, looking up states is usually faster than evaluating rules. -If there are 50 rules, all of them are evaluated sequentially in O(n). -Even with 50000 states, only 16 comparisons are needed to match a -state, since states are stored in a binary search tree that allows -searches in O(log2 n). .Pp Furthermore, correct handling of ICMP error messages is critical to many protocols, particularly TCP. @@ -1635,7 +1751,7 @@ handles state tracking. See .Sx STATEFUL TRACKING OPTIONS below for further details. -.Sh PARAMETERS +.Ss Parameters The rule parameters specify the packets to which a rule applies. A packet always comes in on, or goes out through, one interface. Most parameters are optional. 
@@ -1652,34 +1768,49 @@ If neither nor .Ar out are specified, the rule will match packets in both directions. -.It Ar log -In addition to the action specified, a log message is generated. +.It Ar log Pq Cm all | matches | to Ao Ar interface Ac | Cm user +In addition to any action specified, +log the packet. Only the packet that establishes the state is logged, unless the .Ar no state option is specified. The logged packets are sent to a .Xr pflog 4 -interface, by default -.Ar pflog0 . -This interface is monitored by the +interface, by default pflog0; +pflog0 is monitored by the .Xr pflogd 8 -logging daemon, which dumps the logged packets to the file +logging daemon which logs to the file .Pa /var/log/pflog in .Xr pcap 3 binary format. -.It Ar log (all) -Used to force logging of all packets for a connection. +.Pp +The keywords +.Cm all , matches , to , +and +.Cm user +are optional and can be combined using commas, +but must be enclosed in parentheses if given. +.Pp +Use +.Cm all +to force logging of all packets for a connection. This is not necessary when .Ar no state is explicitly specified. -As with -.Ar log , -packets are logged to -.Xr pflog 4 . -.It Ar log (user) -Logs the +.Pp +If +.Cm matches +is specified, +it logs the packet on all subsequent matching rules. +It is often combined with +.Cm to Aq Ar interface +to avoid adding noise to the default log file. +.Pp +The keyword +.Cm user +logs the .Ux user ID of the user that owns the socket and the PID of the process that has the socket open where the packet is sourced from or destined to @@ -1690,11 +1821,10 @@ Only the first packet logged via .Ar log (all, user) will have the user credentials logged when using stateful matching. -.It Ar log (to Aq Ar interface ) -Send logs to the specified -.Xr pflog 4 -interface instead of -.Ar pflog0 . +.Pp +To specify a logging interface other than pflog0, +use the syntax +.Cm to Aq Ar interface . .It Ar quick If a packet matches a rule which has the .Ar quick 
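Review bot: in hunk @@ -1652,34 +1768,49 @@ the sentence "If .Cm matches is specified, it logs the packet on all subsequent matching rules." has no clear subject; suggest "If matches is specified, the packet is also logged by every subsequent rule it matches." The lines just above also drop the ".Ar pflog0" markup and mention the name twice in a row ("interface, by default pflog0; pflog0 is monitored by the"); keeping the markup and a single mention reads better.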
@@ -1709,6 +1839,8 @@ see the .Ic group keyword in .Xr ifconfig 8 . +.Ar any +will match any existing interface except loopback ones. .It Aq Ar af This rule applies only to packets of this address family. Supported values are @@ -1751,6 +1883,8 @@ Any address which is not currently routable. Any source address that fails a unicast reverse path forwarding (URPF) check, i.e. packets coming in on an interface other than that which holds the route back to the packet's source address. +.It Ar self +Expands to all addresses assigned to all interfaces. .It Aq Ar table Any address that matches the given table. .El @@ -1763,7 +1897,9 @@ For instance: means all addresses from 10.1.1.10 to 10.1.1.12, hence addresses 10.1.1.10, 10.1.1.11, and 10.1.1.12. .Pp -Interface names and interface group names can have modifiers appended: +Interface names and interface group names, and +.Ar self +can have modifiers appended: .Pp .Bl -tag -width xxxxxxxxxxxx -compact .It Ar :network @@ -1806,17 +1942,17 @@ Ports and ranges of ports are specified by using these operators: .Bd -literal -offset indent = (equal) != (unequal) -\*(Lt (less than) -\*(Le (less than or equal) -\*(Gt (greater than) -\*(Ge (greater than or equal) +< (less than) +<= (less than or equal) +> (greater than) +>= (greater than or equal) : (range including boundaries) -\*(Gt\*(Lt (range excluding boundaries) -\*(Lt\*(Gt (except range) +>< (range excluding boundaries) +<> (except range) .Ed .Pp -.Sq \*(Gt\*(Lt , -.Sq \*(Lt\*(Gt +.Sq >< , +.Sq <> and .Sq \&: are binary operators (they take two arguments). 
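Review bot: in hunk @@ -1763,7 +1897,9 @@ the comma placement in "Interface names and interface group names, and .Ar self can have modifiers appended:" is off; suggest "Interface names, interface group names and .Ar self can have modifiers appended:".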
@@ -1824,15 +1960,15 @@ For instance: .Bl -tag -width Fl .It Ar port 2000:2004 means -.Sq all ports \*(Ge 2000 and \*(Le 2004 , +.Sq all ports >= 2000 and <= 2004 , hence ports 2000, 2001, 2002, 2003 and 2004. -.It Ar port 2000 \*(Gt\*(Lt 2004 +.It Ar port 2000 >< 2004 means -.Sq all ports \*(Gt 2000 and \*(Lt 2004 , +.Sq all ports > 2000 and < 2004 , hence ports 2001, 2002 and 2003. -.It Ar port 2000 \*(Lt\*(Gt 2004 +.It Ar port 2000 <> 2004 means -.Sq all ports \*(Lt 2000 or \*(Gt 2004 , +.Sq all ports < 2000 or > 2004 , hence ports 1-1999 and 2005-65535. .El .Pp @@ -1848,9 +1984,9 @@ The host, port and OS specifications are optional, as in the following examples: .Bd -literal -offset indent pass in all pass in from any to any -pass in proto tcp from any port \*(Le 1024 to any +pass in proto tcp from any port < 1024 to any pass in proto tcp from any to any port 25 -pass in proto tcp from 10.0.0.0/8 port \*(Gt 1024 \e +pass in proto tcp from 10.0.0.0/8 port >= 1024 \e to ! 10.1.2.3 port != ssh pass in proto tcp from any os "OpenBSD" .Ed @@ -1909,7 +2045,7 @@ The following example allows only selected users to open outgoing connections: .Bd -literal -offset indent block out proto { tcp, udp } all -pass out proto { tcp, udp } all user { \*(Lt 1000, dhartmei } +pass out proto { tcp, udp } all user { < 1000, dhartmei } .Ed .It Xo Ar flags Aq Ar a .Pf / Ns Aq Ar b @@ -1960,7 +2096,10 @@ if one flushes the state table. However, states created from such intermediate packets may be missing connection details such as the TCP window scaling factor. States which modify the packet flow, such as those affected by -.Ar nat , binat No or Ar rdr +.Ar af-to , +.Ar nat , +.Ar binat or +.Ar rdr rules, .Ar modulate No or Ar synproxy state options, or scrubbed with 
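Review bot: the escape-to-literal conversion in hunk @@ -1848,9 +1984,9 @@ changes the meaning of two examples: "port \*(Le 1024" (less than or equal) became "port < 1024", and "port \*(Gt 1024" (greater than) became "port >= 1024". Every other hunk in this diff maps \*(Le to "<=" and \*(Gt to ">" consistently, so these two lines should read "port <= 1024" and "port > 1024" unless the semantic change is intended.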
@@ -2017,20 +2156,21 @@ pass all tos 0x10 pass all tos 16 .Ed .It Ar allow-opts -By default, IPv4 packets with IP options or IPv6 packets with routing -extension headers are blocked. +By default, packets with IPv4 options or IPv6 hop-by-hop or destination +options header are blocked. When .Ar allow-opts is specified for a .Ar pass rule, packets that pass the filter based on that rule (last matching) -do so even if they contain IP options or routing extension headers. +do so even if they contain options. For packets that match state, the rule that initially created the state is used. The implicit .Ar pass -rule that is used when a packet does not match any rules does not -allow IP options. +rule, that is used when a packet does not match +any rules, does not allow IP options or option headers. +Note that IPv6 packets with type 0 routing headers are always dropped. .It Ar label Aq Ar string Adds a label (name) to the rule, which can be used to identify the rule. For instance, @@ -2060,15 +2200,15 @@ For example: .Bd -literal -offset indent ips = \&"{ 1.2.3.4, 1.2.3.5 }\&" pass in proto tcp from any to $ips \e - port \*(Gt 1023 label \&"$dstaddr:$dstport\&" + port > 1023 label \&"$dstaddr:$dstport\&" .Ed .Pp expands to .Bd -literal -offset indent pass in inet proto tcp from any to 1.2.3.4 \e - port \*(Gt 1023 label \&"1.2.3.4:\*(Gt1023\&" + port > 1023 label \&"1.2.3.4:>1023\&" pass in inet proto tcp from any to 1.2.3.5 \e - port \*(Gt 1023 label \&"1.2.3.5:\*(Gt1023\&" + port > 1023 label \&"1.2.3.5:>1023\&" .Ed .Pp The macro expansion for the 
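Review bot: hunk @@ -2017,20 +2156,21 @@ replaces "IPv6 packets with routing extension headers are blocked" with a statement about hop-by-hop and destination options headers plus "IPv6 packets with type 0 routing headers are always dropped", which leaves the default treatment of routing header types other than 0 unstated. Please say explicitly whether those pass by default or still need allow-opts, since that is the security-relevant question for anyone relying on the old text. Minor: "destination options header are blocked" should be "headers".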
@@ -2077,6 +2217,24 @@ directive occurs only at configuration file parse time, not during runtime. .It Ar ridentifier Aq Ar number Add an identifier (number) to the rule, which can be used to correlate the rule to pflog entries, even after ruleset updates. +.It Cm max-pkt-rate Ar number Ns / Ns Ar seconds +Measure the rate of packets matching the rule and states created by it. +When the specified rate is exceeded, the rule stops matching. +Only packets in the direction in which the state was created are considered, +so that typically requests are counted and replies are not. +For example, +to pass up to 100 ICMP packets per 10 seconds: +.Bd -literal -offset indent +block in proto icmp +pass in proto icmp max-pkt-rate 100/10 +.Ed +.Pp +When the rate is exceeded, all ICMP is blocked until the rate falls below +100 per 10 seconds again. +.Pp +.It Ar max-pkt-size Aq Ar number +Limit each packet to be no more than the specified number of bytes. +This includes the IP header, but not any layer 2 header. .It Xo Ar queue Aq Ar queue .No \*(Ba ( Aq Ar queue , .Aq Ar queue ) @@ -2103,15 +2261,22 @@ If the packet is transmitted on a .Xr vlan 4 interface, the queueing priority will be written as the priority code point in the 802.1Q VLAN header. -If two priorities are given, packets which have a TOS of +If two priorities are given, TCP ACKs with no data payload and packets +which have a TOS of .Cm lowdelay -and TCP ACKs with no data payload will be assigned to the second one. +will be assigned to the second one. .Pp For example: .Bd -literal -offset indent pass in proto tcp to port 25 set prio 2 pass in proto tcp to port 22 set prio (2, 5) .Ed +.It Oo Cm \&! Oc Ns Cm received-on Ar interface +Only match packets which were received on the specified +.Ar interface +(or interface group). +.Ar any +will match any existing interface except loopback ones. .It Ar tag Aq Ar string Packets matching this rule will be tagged with the specified string. 
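Review bot: in hunk @@ -2077,6 +2217,24 @@ the ".Pp" immediately before ".It Ar max-pkt-size" is a stray paragraph macro inside the list and will draw a lint warning from mandoc; drop it. The max-pkt-rate text should also state what happens to packets once the rule stops matching: they are simply treated as not matching this rule, so the outcome is decided by whichever other rule matches last. "all ICMP is blocked" holds in the example only because of the preceding "block in proto icmp" line, and a reader copying the pass rule alone would get the opposite behaviour.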
@@ -2139,12 +2304,6 @@ Tags take the same macros as labels (see above). Used with filter, translation or scrub rules to specify that packets must already be tagged with the given tag in order to match the rule. -Inverse tag matching can also be done -by specifying the -.Cm !\& -operator before the -.Ar tagged -keyword. .It Ar rtable Aq Ar number Used to select an alternate routing table for the routing lookup. Only effective before the route lookup happened, i.e. when filtering inbound. @@ -2259,8 +2418,8 @@ The option loops through the redirection address(es). .Pp When more than one redirection address is specified, -.Ar round-robin -is the only permitted pool type. +.Ar bitmask +is not permitted as a pool type. .It Ar static-port With .Ar nat @@ -2289,6 +2448,16 @@ nat on $gif_mape_if from $int_if:network to any \e .Ed .Pp sets PSID offset 6, PSID length 8, PSID 0x34. +.It Ar endpoint-independent +With +.Ar nat +rules, the +.Ar endpoint-independent +option caues +.Xr pf 4 +to always map connections from a UDP source address and port to the same +NAT address and port. +This feature implements "full-cone" NAT behavior. .El .Pp Additionally, the @@ -2410,7 +2579,7 @@ must be specified explicitly to apply options to a rule. .It Ar max Aq Ar number Limits the number of concurrent states the rule may create. When this limit is reached, further packets that would create -state will not match this rule until existing states time out. +state are dropped until existing states time out. .It Ar no-sync Prevent state changes for states created by this rule from appearing on the .Xr pfsync 4 
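Review bot: hunk @@ -2139,12 +2304,6 @@ deletes the only description of negated tag matching ("Inverse tag matching can also be done by specifying the ! operator before the tagged keyword"), yet the grammar hunk further down still lists [ "!" ] "tagged" string. Either keep the sentence or drop the "!" form from the grammar so prose and grammar agree.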
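Review bot: in hunk @@ -2289,6 +2448,16 @@ "option caues" should be "causes". Since this change documents translation as nat-to options on filter rules, "With .Ar nat rules" here should say whether endpoint-independent applies to nat-to as well; as written, readers of the new syntax cannot tell if full-cone behaviour is available to them.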
@@ -2433,6 +2602,10 @@ Cannot be used with modulate or synproxy state. States created by this rule are exported on the .Xr pflow 4 interface. +.It Ar allow-related +Automatically allow connections related to this one, regardless of rules that +might otherwise affect them. +This currently only applies to SCTP multihomed connection. .El .Pp Multiple options can be specified, separated by commas: @@ -2492,6 +2665,9 @@ Limit the rate of new connections over a time interval. The connection rate is an approximation calculated as a moving average. .El .Pp +When one of these limits is reached, further packets that would create +state are dropped until existing states time out. +.Pp Because the 3-way handshake ensures that the source address is not being spoofed, more aggressive action can be taken based on these limits. With the @@ -2520,9 +2696,9 @@ table and have all states originating from it flushed. Any new packets arriving from this host will be dropped unconditionally by the block rule. .Bd -literal -offset indent -block quick from \*(Ltbad_hosts\*(Gt +block quick from <bad_hosts> pass in on $ext_if proto tcp to $webserver port www keep state \e - (max-src-conn-rate 100/10, overload \*(Ltbad_hosts\*(Gt flush global) + (max-src-conn-rate 100/10, overload <bad_hosts> flush global) .Ed .Sh OPERATING SYSTEM FINGERPRINTING Passive OS Fingerprinting is a mechanism to inspect nuances of a TCP 
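Review bot: in hunk @@ -2433,6 +2602,10 @@ "This currently only applies to SCTP multihomed connection." should be "connections". Because allow-related admits traffic "regardless of rules that might otherwise affect them", the entry should also spell out what the related states inherit from this rule (direction, interface binding, logging), so an operator can judge what a multihomed peer can reach that a plain block rule would otherwise stop.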
@@ -2914,12 +3090,13 @@ anchor, if any, before finally evaluating the .Ar pass rule. .Pp -Filter rule -.Ar anchors -can also be loaded inline in the ruleset within a brace ('{' '}') delimited -block. +An +.Ar anchor +rule can also contain a filter ruleset in a brace-delimited block. +In that case, no separate loading of rules into the anchor +is required. Brace delimited blocks may contain rules or other brace-delimited blocks. -When anchors are loaded this way the anchor name becomes optional. +When an anchor is populated this way the anchor name becomes optional. .Bd -literal -offset indent anchor "external" on $ext_if { block @@ -2948,21 +3125,24 @@ Doing so would break SCTP multihoming. This example maps incoming requests on port 80 to port 8080, on which a daemon is running (because, for example, it is not run as root, and therefore lacks permission to bind to port 80). -.Bd -literal +.Bd -literal -offset indent # use a macro for the interface name, so it can be changed easily ext_if = \&"ne3\&" # map daemon on 8080 to appear to be on 80 -rdr on $ext_if proto tcp from any to any port 80 -\*(Gt 127.0.0.1 port 8080 +match in on $ext_if proto tcp from any to any port 80 \e + rdr-to 127.0.0.1 port 8080 .Ed .Pp -If the +If a .Ar pass -modifier is given, packets matching the translation rule are passed without -inspecting the filter rules: -.Bd -literal -rdr pass on $ext_if proto tcp from any to any port 80 -\*(Gt 127.0.0.1 \e - port 8080 +rule is used with the +.Ar quick +modifier, packets matching the translation rule are passed without +inspecting subsequent filter rules: +.Bd -literal -offset indent +pass in quick on $ext_if proto tcp from any to any port 80 \e + rdr-to 127.0.0.1 port 8080 .Ed .Pp In the example below, vlan12 is configured as 192.168.168.1; 
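Review bot: the first example in hunk @@ -2948,21 +3125,24 @@ redirects port 80 to "127.0.0.1 port 8080", which is exactly the pattern the new TRANSLATION text warns about (external hosts reaching daemons bound only to the loopback address). Since this rewrite touches the example anyway, either redirect to a non-loopback local address as that text recommends, or add a sentence saying the daemon here is intentionally exposed, so the example and the warning do not contradict each other.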
@@ -2973,29 +3153,8 @@ network appear as though it is the Internet routable address 204.92.77.111 to nodes behind any interface on the router except for the nodes on vlan12. (Thus, 192.168.168.1 can talk to the 192.168.168.0/24 nodes.) -.Bd -literal -nat on ! vlan12 from 192.168.168.0/24 to any -\*(Gt 204.92.77.111 -.Ed -.Pp -In the example below, the machine sits between a fake internal 144.19.74.* -network, and a routable external IP of 204.92.77.100. -The -.Ar no nat -rule excludes protocol AH from being translated. -.Bd -literal -# NO NAT -no nat on $ext_if proto ah from 144.19.74.0/24 to any -nat on $ext_if from 144.19.74.0/24 to any -\*(Gt 204.92.77.100 -.Ed -.Pp -In the example below, packets bound for one specific server, as well as those -generated by the sysadmins are not proxied; all other connections are. -.Bd -literal -# NO RDR -no rdr on $int_if proto { tcp, udp } from any to $server port 80 -no rdr on $int_if proto { tcp, udp } from $sysadmins to any port 80 -rdr on $int_if proto { tcp, udp } from any to any port 80 -\*(Gt 127.0.0.1 \e - port 80 +.Bd -literal -offset indent +match out on ! vlan12 from 192.168.168.0/24 to any nat-to 204.92.77.111 .Ed .Pp This longer example uses both a NAT and a redirection. 
@@ -3008,62 +3167,84 @@ The three mandatory anchors for are omitted from this example; see the .Xr ftp-proxy 8 manpage. -.Bd -literal +.Bd -literal -offset indent # NAT # Translate outgoing packets' source addresses (any protocol). # In this case, any address but the gateway's external address is mapped. -nat on $ext_if inet from ! ($ext_if) to any -\*(Gt ($ext_if) +pass out on $ext_if inet from ! ($ext_if) to any nat-to ($ext_if) # NAT PROXYING # Map outgoing packets' source port to an assigned proxy port instead of # an arbitrary port. # In this case, proxy outgoing isakmp with port 500 on the gateway. -nat on $ext_if inet proto udp from any port = isakmp to any -\*(Gt ($ext_if) \e - port 500 +pass out on $ext_if inet proto udp from any port = isakmp to any \e + nat-to ($ext_if) port 500 # BINAT # Translate outgoing packets' source address (any protocol). # Translate incoming packets' destination address to an internal machine # (bidirectional). -binat on $ext_if from 10.1.2.150 to any -\*(Gt $ext_if +pass on $ext_if from 10.1.2.150 to any binat-to $ext_if # Translate packets arriving on $peer_if addressed to 172.22.16.0/20 # to the corresponding address in 172.21.16.0/20 (bidirectional). -binat on $peer_if from 172.21.16.0/20 to any -> 172.22.16.0/20 +pass on $peer_if from 172.21.16.0/20 to any binat-to 172.22.16.0/20 # RDR # Translate incoming packets' destination addresses. # As an example, redirect a TCP and UDP port to an internal machine. -rdr on $ext_if inet proto tcp from any to ($ext_if) port 8080 \e - -\*(Gt 10.1.2.151 port 22 -rdr on $ext_if inet proto udp from any to ($ext_if) port 8080 \e - -\*(Gt 10.1.2.151 port 53 +pass in on $ext_if inet proto tcp from any to ($ext_if) port 8080 \e + rdr-to 10.1.2.151 port 22 +pass in on $ext_if inet proto udp from any to ($ext_if) port 8080 \e + rdr-to 10.1.2.151 port 53 # RDR # Translate outgoing ftp control connections to send them to localhost # for proxying with ftp-proxy(8) running on port 8021. 
-rdr on $int_if proto tcp from any to any port 21 -\*(Gt 127.0.0.1 port 8021 +pass in on $int_if proto tcp from any to any port 21 \e + rdr-to 127.0.0.1 port 8021 .Ed .Pp In this example, a NAT gateway is set up to translate internal addresses using a pool of public addresses (192.0.2.16/28) and to redirect incoming web server connections to a group of web servers on the internal network. -.Bd -literal +.Bd -literal -offset indent # NAT LOAD BALANCE # Translate outgoing packets' source addresses using an address pool. # A given source address is always translated to the same pool address by # using the source-hash keyword. -nat on $ext_if inet from any to any -\*(Gt 192.0.2.16/28 source-hash +pass out on $ext_if inet from any to any nat-to 192.0.2.16/28 source-hash # RDR ROUND ROBIN # Translate incoming web server connections to a group of web servers on # the internal network. -rdr on $ext_if proto tcp from any to any port 80 \e - -\*(Gt { 10.1.2.155, 10.1.2.160, 10.1.2.161 } round-robin +pass in on $ext_if proto tcp from any to any port 80 \e + rdr-to { 10.1.2.155, 10.1.2.160, 10.1.2.161 } round-robin +.Ed +.Sh COMPATIBILITY TRANSLATION EXAMPLES +In the example below, the machine sits between a fake internal 144.19.74.* +network, and a routable external IP of 204.92.77.100. +The +.Ar no nat +rule excludes protocol AH from being translated. +.Bd -literal -offset indent +# NAT +no nat on $ext_if proto ah from 144.19.74.0/24 to any +nat on $ext_if from 144.19.74.0/24 to any -> 204.92.77.100 +.Ed +.Pp +In the example below, packets bound for one specific server, as well as those +generated by the sysadmins are not proxied; all other connections are. 
+.Bd -literal -offset indent +# RDR +no rdr on $int_if proto { tcp, udp } from any to $server port 80 +no rdr on $int_if proto { tcp, udp } from $sysadmins to any port 80 +rdr on $int_if proto { tcp, udp } from any to any port 80 \e + -> 127.0.0.1 port 80 .Ed .Sh FILTER EXAMPLES -.Bd -literal +.Bd -literal -offset indent # The external interface is kue0 # (157.161.48.183, the only routable address) # and the private network is 10.0.0.0/8, for which we are doing NAT. @@ -3153,12 +3334,26 @@ pass out on $ext_if proto tcp from any to any port 80 # tag incoming packets as they are redirected to spamd(8). use the tag # to pass those packets through the packet filter. -rdr on $ext_if inet proto tcp from \*(Ltspammers\*(Gt to port smtp \e - tag SPAMD -\*(Gt 127.0.0.1 port spamd +rdr on $ext_if inet proto tcp from <spammers> to port smtp \e + tag SPAMD -> 127.0.0.1 port spamd block in on $ext_if pass in on $ext_if inet proto tcp tagged SPAMD .Ed +.Pp +In the example below, a router handling both address families +translates an internal IPv4 subnet to IPv6 using the well-known +64:ff9b::/96 prefix: +.Bd -literal -offset 4n +pass in on $v4_if inet af-to inet6 from ($v6_if) to 64:ff9b::/96 +.Ed +.Pp +Paired with the example above, the example below can be used on +another router handling both address families to translate back +to IPv4: +.Bd -literal -offset 4n +pass in on $v6_if inet6 to 64:ff9b::/96 af-to inet from ($v4_if) +.Ed .Sh GRAMMAR Syntax for .Nm 
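Review bot: in hunk @@ -3153,12 +3334,26 @@ the spamd example is left in the legacy "rdr on $ext_if inet proto tcp from <spammers> to port smtp tag SPAMD -> 127.0.0.1 port spamd" form inside FILTER EXAMPLES, even though this change moves the legacy syntax into COMPATIBILITY TRANSLATION EXAMPLES; convert it to "match in on $ext_if inet proto tcp from <spammers> to port smtp tag SPAMD rdr-to 127.0.0.1 port spamd" so the following "block in"/"pass in ... tagged SPAMD" rules keep working as described. The two new af-to examples also use ".Bd -literal -offset 4n" while every other literal block in the page uses "-offset indent".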
@@ -3187,16 +3382,16 @@ option = "set" ( [ "timeout" ( timeout | "{" timeout-list "}" ) ] | ether-rule = "ether" etheraction [ ( "in" | "out" ) ] [ "quick" ] [ "on" ifspec ] [ "bridge-to" interface-name ] - [ etherprotospec ] etherhosts [ "l3" hosts ] + [ etherprotospec ] [ etherhosts ] [ "l3" hosts ] [ etherfilteropt-list ] pf-rule = action [ ( "in" | "out" ) ] [ "log" [ "(" logopts ")"] ] [ "quick" ] [ "on" ifspec ] [ route ] [ af ] [ protospec ] - hosts [ filteropt-list ] + [ hosts ] [ filteropt-list ] logopts = logopt [ "," logopts ] -logopt = "all" | "user" | "to" interface-name +logopt = "all" | "matches" | "user" | "to" interface-name etherfilteropt-list = etherfilteropt-list etherfilteropt | etherfilteropt etherfilteropt = "tag" string | "tagged" string | "queue" ( string ) | 
@@ -3204,23 +3399,28 @@ etherfilteropt = "tag" string | "tagged" string | "queue" ( string ) | filteropt-list = filteropt-list filteropt | filteropt filteropt = user | group | flags | icmp-type | icmp6-type | "tos" tos | + "af-to" af "from" ( redirhost | "{" redirhost-list "}" ) + [ "to" ( redirhost | "{" redirhost-list "}" ) ] | ( "no" | "keep" | "modulate" | "synproxy" ) "state" [ "(" state-opts ")" ] | "fragment" | "no-df" | "min-ttl" number | "set-tos" tos | "max-mss" number | "random-id" | "reassemble tcp" | fragmentation | "allow-opts" | - "label" string | "tag" string | [ ! ] "tagged" string | + "label" string | "tag" string | [ "!" ] "tagged" string | + "max-pkt-rate" number "/" seconds | "set prio" ( number | "(" number [ [ "," ] number ] ")" ) | + "max-pkt-size" number | "queue" ( string | "(" string [ [ "," ] string ] ")" ) | "rtable" number | "probability" number"%" | "prio" number | "dnpipe" ( number | "(" number "," number ")" ) | "dnqueue" ( number | "(" number "," number ")" ) | - "ridentifier" number + "ridentifier" number | + [ ! ] "received-on" ( interface-name | interface-group ) nat-rule = [ "no" ] "nat" [ "pass" [ "log" [ "(" logopts ")" ] ] ] [ "on" ifspec ] [ af ] [ protospec ] hosts [ "tag" string ] [ "tagged" string ] - [ "-\*(Gt" ( redirhost | "{" redirhost-list "}" ) + [ "->" ( redirhost | "{" redirhost-list "}" ) [ portspec ] [ pooltype ] [ "static-port" ] [ "map-e-portset" number "/" number "/" number ] ] 
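Review bot: hunk @@ -3204,23 +3399,28 @@ fixes [ ! ] "tagged" to [ "!" ] "tagged", but the newly added [ ! ] "received-on" ( interface-name | interface-group ) uses the unquoted form again; use [ "!" ] there too. Also filteropt gains "af-to" but no "nat-to", "rdr-to" or "binat-to" productions, while the prose hunks earlier document those as filter-rule options and the sticky-parameter list now includes them; if they are not added elsewhere in the grammar, add them here with the redirhost, portspec and pooltype operands that the nat-rule and rdr-rule productions already define.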
@@ -3229,19 +3429,19 @@ binat-rule = [ "no" ] "binat" [ "pass" [ "log" [ "(" logopts ")" ] ] ] [ "proto" ( proto-name | proto-number ) ] "from" address [ "/" mask-bits ] "to" ipspec [ "tag" string ] [ "tagged" string ] - [ "-\*(Gt" address [ "/" mask-bits ] ] + [ "->" address [ "/" mask-bits ] ] rdr-rule = [ "no" ] "rdr" [ "pass" [ "log" [ "(" logopts ")" ] ] ] [ "on" ifspec ] [ af ] [ protospec ] hosts [ "tag" string ] [ "tagged" string ] - [ "-\*(Gt" ( redirhost | "{" redirhost-list "}" ) + [ "->" ( redirhost | "{" redirhost-list "}" ) [ portspec ] [ pooltype ] ] antispoof-rule = "antispoof" [ "log" ] [ "quick" ] "for" ifspec [ af ] [ "label" string ] [ "ridentifier" number ] -table-rule = "table" "\*(Lt" string "\*(Gt" [ tableopts-list ] +table-rule = "table" "<" string ">" [ tableopts-list ] tableopts-list = tableopts-list tableopts | tableopts tableopts = "persist" | "const" | "counters" | "file" string | "{" [ tableaddr-list ] "}" @@ -3305,7 +3505,7 @@ hosts = "all" | "{" host-list "}" ) [ port ] ipspec = "any" | host | "{" host-list "}" -host = [ "!" ] ( address [ "/" mask-bits ] | "\*(Lt" string "\*(Gt" ) +host = [ "!" ] ( address [ "/" mask-bits ] | "<" string ">" ) redirhost = address [ "/" mask-bits ] routehost = "(" interface-name [ address [ "/" mask-bits ] ] ")" address = ( interface-name | interface-group | @@ -3321,9 +3521,9 @@ os = "os" ( os-name | "{" os-list "}" ) user = "user" ( unary-op | binary-op | "{" op-list "}" ) group = "group" ( unary-op | binary-op | "{" op-list "}" ) -unary-op = [ "=" | "!=" | "\*(Lt" | "\*(Le" | "\*(Gt" | "\*(Ge" ] +unary-op = [ "=" | "!=" | "<" | "<=" | ">" | ">=" ] ( name | number ) -binary-op = number ( "\*(Lt\*(Gt" | "\*(Gt\*(Lt" | ":" ) number +binary-op = number ( "<>" | "><" | ":" ) number op-list = ( unary-op | binary-op ) [ [ "," ] op-list ] os-name = operating-system-name 
@@ -3348,7 +3548,7 @@ state-opt = ( "max" number | "no-sync" | timeout | "sloppy" | "max-src-nodes" number | "max-src-states" number | "max-src-conn" number | "max-src-conn-rate" number "/" number | - "overload" "\*(Lt" string "\*(Gt" [ "flush" ] | + "overload" "<" string ">" [ "flush" ] | "if-bound" | "floating" | "pflow" ) fragmentation = [ "fragment reassemble" ] @@ -3412,8 +3612,8 @@ Service name database. .Xr pf 4 , .Xr pflow 4 , .Xr pfsync 4 , -.Xr tcp 4 , .Xr sctp 4 , +.Xr tcp 4 , .Xr udp 4 , .Xr hosts 5 , .Xr pf.os 5 , diff --git a/share/man/man5/procfs.5 b/share/man/man5/procfs.5 deleted file mode 100644 index 5977a8bced81..000000000000 --- a/share/man/man5/procfs.5 +++ /dev/null 
@@ -1,308 +0,0 @@ -.\" Written by Garrett Wollman -.\" This file is in the public domain. -.\" -.Dd April 10, 2023 -.Dt PROCFS 5 -.Os -.Sh NAME -.Nm procfs -.Nd process file system -.Sh SYNOPSIS -.Bd -literal -proc /proc procfs rw 0 0 -.Ed -.Sh DESCRIPTION -.Bf -symbolic -This functionality is deprecated. -Users are advised to use -.Xr libprocstat 3 -and -.Xr kvm 3 -instead. -.Ef -.Pp -The process file system, or -.Nm , -implements a view of the system process table inside the file system. -It is normally mounted on -.Pa /proc . -.Pp -The -.Nm -provides a two-level view of process space, unlike the previous -.Fx 1.1 -.Nm -implementation. -At the highest level, processes themselves are named, according to -their process ids in decimal, with no leading zeros. -There is also a -special node called -.Pa curproc -which always refers to the process making the lookup request. -.Pp -Each node is a directory which contains the following entries: -.Bl -tag -width status -.It Pa dbregs -The debug registers as defined by -.Dv "struct dbregs" -in -.In machine/reg.h . -.Pa dbregs -is currently only implemented on the i386 architecture. -.It Pa etype -The type of the executable referenced by the -.Pa file -entry. -.It Pa file -A symbolic link to the file from which the process text was read. -This can be used to gain access to the process' symbol table, -or to start another copy of the process. -If the file cannot be found, the link target is -.Ql unknown . -.It Pa fpregs -The floating point registers as defined by -.Dv "struct fpregs" -in -.In machine/reg.h . -.Pa fpregs -is only implemented on machines which have distinct general -purpose and floating point register sets. -.It Pa map -A collection of lines describing the memory regions of the process, -where each line contains the following fields: -.Bl -tag -compact -width private-resident -.It start-address -The starting address for the region (inclusive). -.It end-address -The ending address for the region (exclusive). 
-.It resident -The number of resident pages. -.It private-resident -The number of resident pages that were private to the process. -.It obj -The virtual address of the -.Vt struct vm_object -kernel data structure describing the memory region. -.It access -A three character string comprising the characters -.Sq r , -.Sq w -and -.Sq x , -denoting read, write, and execute permissions respectively. -The lack of a permission is represented by -.Sq - . -.It ref_count -The number of references to the region. -.It shadow_count -The number of VM objects that this region is a shadow for. -.It flags -The flags for the object, see the flags named -.Sy OBJ_* -in -.In vm/vm_object.h . -.It copy-on-write -Whether the region is copy-on-write. -One of: -.Bl -tag -compact -width NCOW -.It COW -A copy-on-write region. -.It NCOW -A non-copy-on-write region. -.El -.It needs-copy -Whether the region needs a copy. -One of: -.Bl -tag -compact -width NNC -.It NC -The region needs a copy. -.It NNC -The region does not need a copy. -.El -.It type -The type of the region. -One of: -.Bl -tag -compact -width unknown -.It dead -A region associated with a dead VM object. -.It device -A region backed by device memory. -.It none -A region not backed by anything. -.It phys -A region backed by physical memory. -.It swap -A region backed by swap. -.It unknown -A region of unknown type. -.It vnode -A region backed by a file. -.El -.It fullpath -The path to the file backing the memory region, or -.Sq - -if there is no such file. -.It cred -One of: -.Bl -tag -compact -width NCH -.It CH -The region is being charged to the user specified in the -.Sq charged-uid -field. -.It NCH -The region is not being charged to any user. -.El -.It charged-uid -The UID of the user being charged, or -1 if no user is being charged. -.El -.It Pa mem -The complete virtual memory image of the process. -Only those address which exist in the process can be accessed. -Reads and writes to this file modify the process. 
-Writes to the text segment remain private to the process. -.It Pa note -Used for sending signals to the process. -Not implemented. -.It Pa notepg -Used for sending signal to the process group. -Not implemented. -.It Pa osrel -Allows read and write of the kernel osrel value assigned to the process. -It affects the compatibility shims that are turned on and off -depending on the value. -Initial process value is read from the ABI note tag in the executed ELF image, -and is zero if the tag not supported by binary format or was not found. -.It Pa regs -Allows read and write access to the process' register set. -This file contains a binary data structure -.Dv "struct regs" -defined in -.In machine/reg.h . -.Pa regs -can only be written when the process is stopped. -.It Pa rlimit -This is a read-only file containing the process current and maximum -limits. -Each line is of the format -.Ar rlimit current max , -with -1 -indicating infinity. -.It Pa status -The process status. -This file is read-only and returns a single line containing -multiple space-separated fields as follows: -.Pp -.Bl -bullet -compact -.It -command name -.It -process id -.It -parent process id -.It -process group id -.It -session id -.It -device name -of the controlling terminal, or -a minus sign -.Pq Dq - -if there is no controlling terminal. -.It -a list of process flags: -.Dv ctty -if there is a controlling terminal, -.Dv sldr -if the process is a session leader, -.Dv noflags -if neither of the other two flags are set. -.It -the process start time in seconds and microseconds, -comma separated. -.It -the user time in seconds and microseconds, -comma separated. -.It -the system time in seconds and microseconds, -comma separated. -.It -the wait channel message -.It -the process credentials consisting of -the effective user id -and the list of groups (whose first member -is the effective group id) -all comma separated. 
-.It -the hostname of the jail in which the process runs, or -.Ql - -to indicate that the process is not running within a jail. -.El -.El -.Pp -Each node is owned by the process's user, and belongs to that user's -primary group. -.Sh FILES -.Bl -tag -width /proc/curproc/XXXXXXX -compact -.It Pa /proc -normal mount point for the -.Nm . -.It Pa /proc/pid -directory containing process information for process -.Pa pid . -.It Pa /proc/curproc -directory containing process information for the current process -.It Pa /proc/self -directory containing process information for the current process -.It Pa /proc/curproc/cmdline -the process executable name -.It Pa /proc/curproc/etype -executable type -.It Pa /proc/curproc/exe -executable image -.It Pa /proc/curproc/file -executable image -.It Pa /proc/curproc/fpregs -the process floating point register set -.It Pa /proc/curproc/map -virtual memory map of the process -.It Pa /proc/curproc/mem -the complete virtual address space of the process -.It Pa /proc/curproc/note -used for signaling the process -.It Pa /proc/curproc/notepg -used for signaling the process group -.It Pa /proc/curproc/osrel -the process osrel value -.It Pa /proc/curproc/regs -the process register set -.It Pa /proc/curproc/rlimit -the process current and maximum rlimit -.It Pa /proc/curproc/status -the process' current status -.El -.Sh EXAMPLES -To mount a -.Nm -file system on -.Pa /proc : -.Pp -.Dl "mount -t procfs proc /proc" -.Sh SEE ALSO -.Xr procstat 1 , -.Xr mount 2 , -.Xr sigaction 2 , -.Xr unmount 2 , -.Xr kvm 3 , -.Xr libprocstat 3 , -.Xr pseudofs 9 -.Sh AUTHORS -.An -nosplit -This manual page written by -.An Garrett Wollman , -based on the description -provided by -.An Jan-Simon Pendry , -and revamped later by -.An Mike Pritchard . diff --git a/share/man/man5/rc.conf.5 b/share/man/man5/rc.conf.5 index a45c60cca410..2fd63e4f743d 100644 --- a/share/man/man5/rc.conf.5 +++ b/share/man/man5/rc.conf.5 
@@ -22,7 +22,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd May 4, 2024 +.Dd May 21, 2025 .Dt RC.CONF 5 .Os .Sh NAME @@ -103,9 +103,8 @@ and will be loaded. If .Ao Ar dir Ac Ns Pa /rc.conf.d/ Ns Ao Ar name Ac -is a directory, -all of the files in the directory will be loaded. -Also see the +is a directory then all of the files in the directory will be loaded. +See also the .Va rc_conf_files variable below. .Pp @@ -263,6 +262,24 @@ value. .It Ao Ar name Ac Ns Va _user .Pq Vt str Run the service under this user account. +.It Ao Ar name Ac Ns Va _svcj +.Pq Vt bool +If set to +.Dq Li YES , +auto-jail the service with inherited filesystem and other +jail properties depending on +.Ao Ar name Ac Ns Va _svcj_options . +.It Ao Ar name Ac Ns Va _svcj_ipaddrs +.Pq Vt str +A list of IP addresses that the service jail will be permitted to use. +If this is not specified, the service jail will be permitted to use all +assigned IP addresses if networking is enabled in the jail. +.It Ao Ar name Ac Ns Va _svcj_options +.Pq Vt str +A list of jail properties for the service. +See +.Sx SERVICE JAILS +for a list of valid properties. .It Va apm_enable .Pq Vt bool If set to @@ -334,10 +351,6 @@ A whitespace-separated list of kernel modules to load right after the local disks are mounted, without any .Pa .ko extension or path. -Loading modules at this point in the boot process is -much faster than doing it via -.Pa /boot/loader.conf -for those modules not necessary for mounting local disks. .It Va kldxref_enable .Pq Vt bool Set to @@ -396,6 +409,12 @@ is set to these are the flags to pass to the .Xr powerd 8 daemon. +.It Va svcj_all_enable +Enable auto-jailing of all services which are not explicitly +excluded. +See +.Sx SERVICE JAILS +for more info. .It Va tmpmfs Controls the creation of a .Pa /tmp 
@@ -603,6 +622,15 @@ When specified, this variable overrides the variable for interface .Ar iface only. +.It Va dhclient_arpwait +.Pq Vt bool +Set to +.Dq Li NO +to stop +.Xr dhclient 8 +from waiting for ARP resolution, to make the system boot faster. +This may be done on networks where the DHCP server is certain to +know whether an address is available. .It Va synchronous_dhclient .Pq Vt bool Set to @@ -1723,7 +1751,7 @@ is added to all of .Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6 and the .Va ipv6_activate_all_interfaces -is defined as +variable is defined as .Dq Li YES . .It Va ipv6_prefer .Pq Vt bool @@ -2181,43 +2209,6 @@ which had the attribute set using .Xr gpart 8 utility. -.It Va gbde_autoattach_all -.Pq Vt bool -If set to -.Dq Li YES , -.Pa /etc/rc.d/gbde -will attempt to automatically initialize the .bde devices specified in -.Pa /etc/fstab . -.It Va gbde_devices -.Pq Vt str -List the devices that the script should try to attach, -or -.Dq Li AUTO . -.It Va gbde_lockdir -.Pq Vt str -The directory where the -.Xr gbde 4 -lockfiles are located. -The default lockfile directory is -.Pa /etc . -.Pp -The lockfile for each individual -.Xr gbde 4 -device can be overridden by setting the variable -.Va gbde_lock_ Ns Aq Ar device , -where -.Ar device -is the encrypted device without the -.Dq Pa /dev/ -and -.Dq Pa .bde -parts. -.It Va gbde_attach_attempts -.Pq Vt int -Number of times to attempt attaching to a -.Xr gbde 4 -device, i.e., how many times the user is asked for the pass-phrase. -Default is 3. .It Va geli_devices .Pq Vt str List of devices to automatically attach on boot. 
@@ -2722,22 +2713,6 @@ is set to these are the flags to pass to the .Xr rpcbind 8 daemon. -.It Va keyserv_enable -.Pq Vt bool -If set to -.Dq Li YES , -run the -.Xr keyserv 8 -daemon on boot for running Secure RPC. -.It Va keyserv_flags -.Pq Vt str -If -.Va keyserv_enable -is set to -.Dq Li YES , -these are the flags to pass to -.Xr keyserv 8 -daemon. .It Va pppoed_enable .Pq Vt bool If set to @@ -3147,6 +3122,14 @@ the interfaces specified in This should only be enabled with great care. You may want to fine-tune .Xr rtadvd.conf 5 . +.It Va rtadvd_flags +.Pq Vt str +If +.Va rtadvd_enable +is set to +.Dq Li YES , +these are the flags to pass to +.Xr rtadvd 8 . .It Va rtadvd_interfaces .Pq Vt str If 
@@ -4957,7 +4940,127 @@ daemon. .Dq Li YES , these are the flags to pass to the .Xr sendmail 8 +.It Va precious_machine +If set to +.Dq Li YES , +some destructive actions require removal of the action-specific safe-belts +before being allowed. +For instance, the file +.Pa /var/run/noshutdown +is created to prevent +.Xr shutdown 8 +targeted at the wrong machine. .El +.Sh SERVICE JAILS +The service jails part of the rc system automatically puts a service +into a jail. +This jail inherits the filesystem and various other parts of the +parent (if you allow child-jails in your jails, service jails +can be used in jails) depending on the content of the +.Ao Ar name Ac Ns Va _svcj_options +variable. +Typically this variable is set inside rc scripts, but it can be +overriden in the rc config. +Valid options for +.Ao Ar name Ac Ns Va _svcj_options +are: +.Bl -tag -width indent-two +.It mlock +Allows to lock memory pages into the physical memory. +.It netv4 +Allows IPv4 network access and the ability to bind to reserved ports. +If +.Ao Ar name Ac Ns Va _svcj_ipaddrs +is set, only the IPv4 addresses listed there will be visible to the jail, +otherwise all assigned IPv4 addresses will be visible. +This can not be combined with +.Pa netv6 . +.It netv6 +Allows IPv6 network access and the ability to bind to reserved ports. +If +.Ao Ar name Ac Ns Va _svcj_ipaddrs +is set, only the IPv6 addresses listed there will be visible to the jail, +otherwise all assigned IPv6 addresses will be visible. +This can not be combined with +.Pa netv4 . +.It net_basic +Equivalent to enabling both +.Pa netv6 +and +.Pa netv4 . +.It net_raw +Allow to open raw sockets. +This option can be combined with +.Pa netv4 , +.Pa netv6 , +.Pa net_basic . +.It net_all +Allows IPv6 and IPv4 network access as for +.Pa netv4 +and +.Pa netv6 , +allows to open raw sockets, and allows to open sockets of protocol stacks that +have not had jail functionality added to them. 
+.It nfsd +Allows to run nfsd and affiliated daemons. +.It routing +Allows to modify the system routing table. +.It settime +Allows to set and slew the system time. +.It sysvipc +Inherits the SysV semaphores, SysV shared memory and +SysV messages from the host or the parent jail. +.It sysvipcnew +Creates a new namespace for SysV semaphores, SysV shared memory +and SysV messages for this particular service jail. +.It vmm +Allows access to +.Xr vmm 4 . +This option is only available when +.Xr vmm 4 +is enabled in the kernel. +.El + +All non-network options can be combined with all other options. +From the SysV options only one option can be specified. + +If the +.Ao Ar name Ac Ns Va _svcj +variable is set to +.Dq Li YES , +this particular service is started in a +service jail named +.Va svcj- Ns Ar name . + +The +.Va svcj_all_enable +variable allows to enable service jails for all services of the +system at once. +Services which have +.Ao Ar name Ac Ns Va _svcj +set to +.Dq Li NO +are excluded. +Some services may set +.Ao Ar name Ac Ns Va _svcj +to +.Dq Li NO +in the script to either prevent service jails for this +service at all, or may set it to +.Dq Li NO +if it is not set in the +rc config, to exclude it from +.Va svcj_all_enable +but allow to explicitely enable it. +The sshd service for example would not see other jails, if +it would run as a service jail. +This may or may not be what is needed, and as such it is +excluded from +.Va svcj_all_enable +but can be enabled via setting +.Va sshd_svcj +to +.Dq Li YES . .Sh FILES .Bl -tag -width "/etc/defaults/rc.conf" -compact .It Pa /etc/defaults/rc.conf diff --git a/share/man/man5/resolver.5 b/share/man/man5/resolver.5 index f7f1b1d6f9ea..9f8c0d689a0a 100644 --- a/share/man/man5/resolver.5 +++ b/share/man/man5/resolver.5 
@@ -236,7 +236,7 @@ nameserver 192.168.2.1 # Fallback nameservers, in this case these from Google. nameserver 8.8.8.8 -nameserver 4.4.4.4 +nameserver 8.8.4.4 # Attach an OPT pseudo-RR for the EDNS0 extension, # as specified in RFC 2671. diff --git a/share/man/man5/smbfs.5 b/share/man/man5/smbfs.5 deleted file mode 100644 index 7be90c3ba882..000000000000 --- a/share/man/man5/smbfs.5 +++ /dev/null 
@@ -1,96 +0,0 @@ -.\" Copyright (c) 2020 Gordon Bergling -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. -.\" -.Dd April 6, 2022 -.Dt SMBFS 5 -.Os -.Sh NAME -.Nm smbfs -.Nd "SMB FS" -.Sh SYNOPSIS -To compile this driver into the kernel, -place the following lines in your -kernel configuration file: -.Bd -ragged -offset indent -.Cd "option NETSMB" -.Ed -.Pp -Alternatively, to load the driver as a -module at boot time, place the following line in -.Xr loader.conf 5 : -.Bd -literal -offset indent -smbfs_load="YES" -.Ed -.Sh DESCRIPTION -The SMB driver is an implementation of the CIFS (Common Internet Filesystem) -network protocol. -.Pp -.Bf -symbolic -The -.Nm -filesystem driver supports only the obsolete SMBv1 protocol. 
-.Nm -has known bugs and likely has security vulnerabilities. -.Nm -and userspace counterparts -.Xr smbutil 1 -and -.Xr mount_smbfs 8 -may be removed from a future version of -.Fx . -Users are advised to evaluate the -.Pa sysutils/fusefs-smbnetfs -port instead. -.Ef -.Sh SEE ALSO -.Xr smbutil 1 , -.Xr mount_smbfs 8 -.Sh STANDARDS -.Rs -.%U https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-cifs/ -.%T Common Internet File System (CIFS) Protocol -.%R MS-CIFS -.%D December 2018 -.Re -.Pp -.Rs -.%U https://tools.ietf.org/html/draft-heizer-cifs-v1-spec-00 -.%T Common Internet File System Protocol (CIFS/1.0) -.%D June 13, 1996 -.%A I. Heizer -.%A P. Leach -.%A D. Perry -.Re -.Sh HISTORY -The -.Nm -device driver first appeared in -.Fx 4.4 . -.Sh AUTHORS -.An -nosplit -The -.Nm -device driver was written by -.An Boris Popov Aq Mt bp@FreeBSD.org . -The manual page was contributed by -.An Gordon Bergling Aq Mt gbe@FreeBSD.org . diff --git a/share/man/man5/src.conf.5 b/share/man/man5/src.conf.5 index 5301fc488021..63e9f471f1f1 100644 --- a/share/man/man5/src.conf.5 +++ b/share/man/man5/src.conf.5 @@ -1,5 +1,5 @@ .\" DO NOT EDIT-- this file is @generated by tools/build/options/makeman. -.Dd April 23, 2024 +.Dd July 5, 2025 .Dt SRC.CONF 5 .Os .Sh NAME @@ -137,7 +137,7 @@ Do not build .Xr authpf 8 . .It Va WITHOUT_AUTOFS Do not build -.Xr autofs 5 +.Xr autofs 4 related programs, libraries, and kernel modules. .It Va WITHOUT_AUTO_OBJ Disable automatic creation of objdirs. 
@@ -158,6 +158,25 @@ This library is currently only used to perform signature verification and related operations for Verified Exec and .Xr loader 8 . +.Pp +Due to size constraints in the BIOS environment on x86, one may need to set +.Va LOADERSIZE +larger than the +default 500000, although often loader is under the 500k limit even with +this option. +Setting +.Va LOADERSIZE +larger than 500000 may cause +.Xr pxeboot 8 +to be too large to work. +Careful testing of the loader in the target environment when built with a larger +limit to establish safe limits is critical because different BIOS environments +reserve differing amounts of the low 640k space, making a precise limit for +everybody impossible. +.Pp +See also +.Va WITH_LOADER_PXEBOOT +for other considerations. When set, these options are also in effect: .Pp .Bl -inset -compact @@ -234,6 +253,11 @@ Do not build or install .It Va WITHOUT_BOOTPD Do not build or install .Xr bootpd 8 . +.It Va WITH_BRANCH_PROTECTION +Build with branch protection enabled. +On arm64 enable the use of pointer authentication and +branch target identification instructions on arm64. +These can be used to help mitigate some exploit techniques. .It Va WITHOUT_BSDINSTALL Do not build .Xr bsdinstall 8 , @@ -275,11 +299,18 @@ Use for the build. No configuration is required except to install the .Sy devel/ccache +or +.Sy devel/sccache package. When using with .Xr distcc 1 , set .Sy CCACHE_PREFIX=/usr/local/bin/distcc . +When using with sccache +set +.Sy CCACHE_NAME=sccache +in +.Xr src.conf 5 . The default cache directory of .Pa $HOME/.ccache will be used, which can be overridden by setting @@ -325,6 +356,8 @@ When set, it enforces these options: .Va WITHOUT_LOADER_ZFS .It .Va WITHOUT_ZFS +.It +.Va WITHOUT_ZFS_TESTS .El .It Va WITHOUT_CLANG Do not build the Clang C/C++ compiler during the regular phase of the build. 
@@ -378,8 +411,8 @@ Build clang-format. .It Va WITHOUT_CLANG_FULL Avoid building the ARCMigrate, Rewriter and StaticAnalyzer components of the Clang C/C++ compiler. -.It Va WITHOUT_CLEAN -Do not clean before building world and/or kernel. +.It Va WITH_CLEAN +Clean before building world and/or kernel. .It Va WITHOUT_CPP Do not build .Xr cpp 1 . @@ -424,6 +457,8 @@ When set, it enforces these options: .It .Va WITHOUT_LOADER_ZFS .It +.Va WITHOUT_MITKRB5 +.It .Va WITHOUT_OPENSSH .It .Va WITHOUT_OPENSSL @@ -435,6 +470,8 @@ When set, it enforces these options: .Va WITHOUT_UNBOUND .It .Va WITHOUT_ZFS +.It +.Va WITHOUT_ZFS_TESTS .El .Pp When set, these options are also in effect: @@ -618,7 +655,7 @@ and .Xr efivar 8 . .Pp This is a default setting on -i386/i386, powerpc/powerpc, powerpc/powerpc64, powerpc/powerpc64le and riscv/riscv64. +i386/i386, powerpc/powerpc, powerpc/powerpc64 and powerpc/powerpc64le. .It Va WITH_EFI Build .Xr efivar 3 @@ -626,7 +663,7 @@ and .Xr efivar 8 . .Pp This is a default setting on -amd64/amd64, arm/armv7 and arm64/aarch64. +amd64/amd64, arm/armv7, arm64/aarch64 and riscv/riscv64. .It Va WITHOUT_ELFTOOLCHAIN_BOOTSTRAP Do not build ELF Tool Chain tools (addr2line, nm, size, strings and strip) @@ -684,15 +721,12 @@ and .Xr ftpd 8 . .It Va WITHOUT_GAMES Do not build games. -.It Va WITHOUT_GH_BC -Install the traditional FreeBSD -.Xr bc 1 -and -.Xr dc 1 -programs instead of the enhanced versions. .It Va WITHOUT_GNU_DIFF Do not build GNU -.Xr diff3 1 . +.Xr diff3 1 ; +build BSD +.Xr diff3 1 +instead. .It Va WITHOUT_GOOGLETEST Neither build nor install .Lb libgmock , 
@@ -791,6 +825,12 @@ and related utilities. .It Va WITHOUT_JAIL Do not build tools for the support of jails; e.g., .Xr jail 8 . +.It Va WITHOUT_JEMALLOC_LG_VADDR_WIDE +Disallow programs to use more than 48 address bits on amd64. +Incompatible with LA57 mode. +Enabling this option might result in a slight reduction in memory +consumption for jemalloc metadata, but also requires disabling LA57 +(if hardware supports it). .It Va WITHOUT_KDUMP Do not build .Xr kdump 1 @@ -902,9 +942,8 @@ the build. To be able to build the system an alternate linker must be provided via XLD. .It Va WITHOUT_LLVM_ASSERTIONS Disable debugging assertions in LLVM. -.It Va WITH_LLVM_BINUTILS -Install LLVM's binutils (without an llvm- prefix), -instead of ELF Tool Chain's tools. +.It Va WITHOUT_LLVM_BINUTILS +Install ELF Tool Chain's binary utilities instead of LLVM's. This includes .Xr addr2line 1 , .Xr ar 1 , @@ -988,10 +1027,9 @@ Do not build LLVM target support for X86. The .Va LLVM_TARGET_ALL option should be used rather than this in most cases. -.It Va WITH_LOADER_BIOS_TEXTONLY -Use the old, FreeBSD 12 vidconsole.c. -This only supports text mode without teken, without any graphics, font or video mode support. -This setting only affects the i386 and amd64 BIOS boot loader. +.It Va WITHOUT_LOADER_BIOS_TEXTONLY +Include graphics, font and video mode support in the i386 and amd64 BIOS +boot loader. .It Va WITH_LOADER_EFI_SECUREBOOT Enable building .Xr loader 8 
@@ -1006,6 +1044,16 @@ Build GELI bootloader support. .Pp This is a default setting on amd64/amd64, arm/armv7, arm64/aarch64, i386/i386 and riscv/riscv64. +.It Va WITHOUT_LOADER_IA32 +Do not build the 32-bit UEFI loader. +.Pp +This is a default setting on +arm/armv7, arm64/aarch64, i386/i386, powerpc/powerpc, powerpc/powerpc64, powerpc/powerpc64le and riscv/riscv64. +.It Va WITH_LOADER_IA32 +Build the 32-bit UEFI loader. +.Pp +This is a default setting on +amd64/amd64. .It Va WITHOUT_LOADER_KBOOT Do not build kboot, a linuxboot environment loader .Pp @@ -1036,6 +1084,17 @@ Build openfirmware bootloader components. .Pp This is a default setting on powerpc/powerpc, powerpc/powerpc64 and powerpc/powerpc64le. +.It Va WITHOUT_LOADER_PXEBOOT +Do not build pxeboot on i386/amd64. +When the pxeboot is too large, or unneeded, it may be disabled with this option. +See +.Va WITH_LOADER_PXEBOOT +for how to adjust the defaults when you need both a larger +.Pa /boot/loader +and +.Pa /boot/pxeboot +.Pp +This option only has an effect on x86. .It Va WITHOUT_LOADER_UBOOT Disable building of ubldr. .Pp @@ -1057,6 +1116,8 @@ with support for verification similar to Verified Exec. .Pp Depends on .Va WITH_BEARSSL . +May require a larger +.Va LOADERSIZE . When set, these options are also in effect: .Pp .Bl -inset -compact @@ -1137,7 +1198,12 @@ for more details. .It Va WITH_MALLOC_PRODUCTION Disable assertions and statistics gathering in .Xr malloc 3 . -It also defaults the A and J runtime options to off. +The run-time options +.Dv opt.abort , +.Dv opt.abort_conf , +and +.Dv opt.junk +also default to false. .It Va WITHOUT_MAN Do not build manual pages. When set, these options are also in effect: @@ -1236,6 +1302,8 @@ This must be set in the environment, make command line, or .Pa /etc/src-env.conf , not .Pa /etc/src.conf . +.It Va WITH_MITKRB5 +Set this to build MIT Kerberos 5 instead of KTH Heimdal. .It Va WITHOUT_MLX5TOOL Do not build .Xr mlx5tool 8 
@@ -1370,6 +1438,8 @@ When set, it enforces these options: .It .Va WITHOUT_LOADER_ZFS .It +.Va WITHOUT_MITKRB5 +.It .Va WITHOUT_OPENSSH .It .Va WITHOUT_OPENSSL_KTLS @@ -1379,6 +1449,8 @@ When set, it enforces these options: .Va WITHOUT_UNBOUND .It .Va WITHOUT_ZFS +.It +.Va WITHOUT_ZFS_TESTS .El .Pp When set, these options are also in effect: @@ -1449,11 +1521,6 @@ and related programs. Do not build .Xr ppp 8 and related programs. -.It Va WITH_PROFILE -Build profiled libraries for use with -.Xr gprof 8 . -This option is deprecated and may not be present in a future version of -.Fx . .It Va WITHOUT_PTHREADS_ASSERTIONS Disable debugging assertions in pthreads library. .It Va WITHOUT_QUOTAS @@ -1503,6 +1570,8 @@ utility. Build .Xr rpcbind 8 with warmstart support. +.It Va WITH_RUN_TESTS +Run tests as part of the build. .It Va WITHOUT_SCTP_SUPPORT Disable support in the kernel for the .Xr sctp 4 @@ -1552,6 +1621,9 @@ When set, it enforces these options: .El .It Va WITHOUT_SSP Do not build world with stack smashing protection. +See +.Xr mitigations 7 +for more information. .It Va WITH_STAGING Enable staging of files to a stage tree. This can be best thought of as auto-install to @@ -1655,6 +1727,8 @@ When set, it enforces these options: .Bl -item -compact .It .Va WITHOUT_DTRACE_TESTS +.It +.Va WITHOUT_ZFS_TESTS .El .Pp When set, these options are also in effect: @@ -1707,6 +1781,15 @@ When set, it enforces these options: .It .Va WITHOUT_LLVM_COV .El +.Pp +When set, these options are also in effect: +.Pp +.Bl -inset -compact +.It Va WITHOUT_LLVM_BINUTILS +(unless +.Va WITH_LLVM_BINUTILS +is set explicitly) +.El .It Va WITH_UBSAN Build the base system with Undefined Behavior Sanitizer (UBSan) to detect various kinds of undefined behavior at runtime. 
@@ -1716,9 +1799,11 @@ and that the runtime support library is available Do not build .Xr unbound 8 and related programs. -.It Va WITHOUT_UNDEFINED_VERSION -Link libraries with --no-undefined-version to ensure all symbols are -provided. +.It Va WITH_UNDEFINED_VERSION +Link libraries with --undefined-version which permits version maps to +contain symbols that are not present in the library. +If this is necessary to build a particular configuration, a bug is +present and the configuration should be reported. .It Va WITHOUT_UNIFIED_OBJDIR Use the historical object directory format for .Xr build 7 @@ -1799,6 +1884,11 @@ Build without support for the IEEE 802.1X protocol and without support for EAP-PEAP, EAP-TLS, EAP-LEAP, and EAP-TTLS protocols (usable only via 802.1X). +.It Va WITH_ZEROREGS +Build the basesystem with code to zero caller-used register contents +on function return. +This prevents leaking temporary values for side channel attacks. +Additionally this reduces the number of usable ROP gadgets for attackers. .It Va WITHOUT_ZFS Do not build the ZFS file system kernel module, libraries such as .Xr libbe 3 , @@ -1808,6 +1898,14 @@ or .Xr zfs 8 . Also disable ZFS support in utilities and libraries which implement ZFS-specific functionality. +When set, it enforces these options: +.Pp +.Bl -item -compact +.It +.Va WITHOUT_ZFS_TESTS +.El +.It Va WITHOUT_ZFS_TESTS +Do not build and install the legacy ZFS test suite. .It Va WITHOUT_ZONEINFO Do not build the timezone database. When set, it enforces these options: @@ -1818,6 +1916,11 @@ When set, it enforces these options: .El .It Va WITH_ZONEINFO_LEAPSECONDS_SUPPORT Build leapsecond information in to the timezone database. +This option violates +.St -p1003.1 +and all other applicable standards, and is known to cause unexpected +issues with date/time handling in many applications and programming +languages. .El .Pp The following options accept a single value from a list of valid values. 
diff --git a/share/man/man5/style.mdoc.5 b/share/man/man5/style.mdoc.5 index 42dbc940074c..1c3ec2012118 100644 --- a/share/man/man5/style.mdoc.5 +++ b/share/man/man5/style.mdoc.5 @@ -1,4 +1,4 @@ -.\"- +.\" .\" SPDX-License-Identifier: BSD-2-Clause .\" .\" Copyright (c) 2018-2022 Mateusz Piotrowski <0mp@FreeBSD.org> @@ -24,15 +24,12 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd April 12, 2024 +.Dd December 21, 2024 .Dt STYLE.MDOC 5 .Os .Sh NAME .Nm style.mdoc -.Nd -.Fx -.Xr mdoc 7 -manual page style guide +.Nd FreeBSD manual page style guide .Sh DESCRIPTION This file specifies the preferred style for manual pages in the .Fx @@ -74,6 +71,33 @@ Historically, was the preferred way before the deprecation of .Sy \&Li . .El +.Ss HARDWARE Section +Driver manuals in section four should have a +.Sx HARDWARE +section describing hardware known to work with the driver. +This section is drawn verbatim into the Release Hardware Notes, +therefore there are several things to note: +.Bl -dash -width "" +.It +The introductory sentence should be in the form: +.Bd -literal -offset indent +The +\&.Nm +driver supports the following $device_class: +.Ed +.Pp +Followed by the list of supported hardware. +.Pp +This defines what driver the subsection is referring to, +and allows the reader to search through the Hardware Notes +not only for the device models they have, +but also for the device type they are looking to acquire. +.It +The supported hardware should be listed as a bullet list, +or if complexity requires, a column list. +These two list types create very neat subsections +with clean starting and stopping points. +.El .Ss EXAMPLES Section .Bl -dash -width "" .It 
@@ -124,7 +148,8 @@ The .Fl width argument to the .Sy \&.Bl -macro should match the length of the longest item in the list, e.g.: +macro should match the length of the longest rendered item in the list, +e.g.: .Bd -literal -offset indent \&.Bl -tag -width "-a address" \&.It Fl a Ar address diff --git a/share/man/man5/tarfs.5 b/share/man/man5/tarfs.5 deleted file mode 100644 index 56c56ac43287..000000000000 --- a/share/man/man5/tarfs.5 +++ /dev/null 
@@ -1,126 +0,0 @@ -.\"- -.\" SPDX-License-Identifier: BSD-2-Clause -.\" -.\" Copyright (c) 2022 Klara, Inc. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. -.\" -.Dd February 14, 2023 -.Dt TARFS 5 -.Os -.Sh NAME -.Nm tarfs -.Nd tarball filesystem -.Sh SYNOPSIS -To compile this driver into the kernel, place the following line in -your kernel configuration file: -.Bd -ragged -offset indent -.Cd "options TARFS" -.Ed -.Pp -Alternatively, to load the driver as a module at boot time, place the -following line in -.Xr loader.conf 5 : -.Bd -literal -offset indent -tarfs_load="YES" -.Ed -.Sh DESCRIPTION -The -.Nm -driver implements a read-only filesystem backed by a -.Xr tar 5 -file. 
-Currently, only POSIX archives, optionally compressed with -.Xr zstd 1 , -are supported. -.Pp -The preferred I/O size for -.Nm -filesystems can be adjusted using the -.Va vfs.tarfs.ioshift -sysctl setting and tunable. -Setting it to 0 will reset it to its default value. -Note that changes to this setting only apply to filesystems mounted -after the change. -.Pp -When the backing tar file is compressed with -.Xr zstd 1 , -I/O performance can be improved by ensuring that compressed data is -broken up into multiple frames. -This helps minimize unnecessary decompression work. -When using -.Xr bsdtar 1 -to create the tar file, this can be achieved using the -.Cm zstd:max-frame-size -and -.Cm ztsd:frame-per-file -options. -Sensible frame sizes are powers of 2 between the system's base page size -(see -.Xr arch 7 ) -and the value of the -.Sy kern.maxphys -sysctl. -Smaller frames will generally yield a worse compression ratio and require extra -kernel memory to maintain an index, and larger frames will on average require -more CPU time to access data when performing random I/O. -.Sh DIAGNOSTICS -If enabled by the -.Dv TARFS_DEBUG -kernel option, the -.Va vfs.tarfs.debug -sysctl setting can be used to control debugging output from the -.Nm -driver. -Debugging output for individual sections of the driver can be enabled -by adding together the relevant values from the table below. -.Bl -column Value Description -.It 0x01 Ta Memory allocations -.It 0x02 Ta Checksum calculations -.It 0x04 Ta Filesystem operations (vfsops) -.It 0x08 Ta Path lookups -.It 0x10 Ta File operations (vnops) -.It 0x20 Ta General I/O -.It 0x40 Ta Decompression -.It 0x80 Ta Decompression index -.It 0x100 Ta Sparse file mapping -.It 0x200 Ta Bounce buffer usage -.El -.Sh SEE ALSO -.Xr tar 1 , -.Xr zstd 1 , -.Xr fstab 5 , -.Xr tar 5 , -.Xr mount 8 , -.Xr sysctl 8 -.Sh HISTORY -.An -nosplit -The -.Nm -driver was developed by -.An Stephen J. 
Kiernan Aq Mt stevek@FreeBSD.org -and -.An Dag-Erling Smørgrav Aq Mt des@FreeBSD.org -for Juniper Networks and Klara Systems. -This manual page was written by -.An Dag-Erling Smørgrav Aq Mt des@FreeBSD.org -for Juniper Networks and Klara Systems. diff --git a/share/man/man5/tmpfs.5 b/share/man/man5/tmpfs.5 deleted file mode 100644 index f3d6a2f6c2b5..000000000000 --- a/share/man/man5/tmpfs.5 +++ /dev/null 
@@ -1,229 +0,0 @@ -.\"- -.\" Copyright (c) 2007 Xin LI -.\" Copyright (c) 2017 The FreeBSD Foundation, Inc. -.\" -.\" Part of this documentation was written by -.\" Konstantin Belousov <kib@FreeBSD.org> under sponsorship -.\" from the FreeBSD Foundation. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" -.\" THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.\"- -.\" Copyright (c) 2005, 2006 The NetBSD Foundation, Inc. -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" 2. 
Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS -.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED -.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS -.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF -.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS -.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN -.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -.\" POSSIBILITY OF SUCH DAMAGE. -.\" -.Dd September 18, 2023 -.Dt TMPFS 5 -.Os -.Sh NAME -.Nm tmpfs -.Nd "in-memory file system" -.Sh SYNOPSIS -To compile this driver into the kernel, -place the following line in your -kernel configuration file: -.Bd -ragged -offset indent -.Cd "options TMPFS" -.Ed -.Pp -Alternatively, to load the driver as a -module at boot time, place the following line in -.Xr loader.conf 5 : -.Bd -literal -offset indent -tmpfs_load="YES" -.Ed -.Sh DESCRIPTION -The -.Nm -driver implements an in-memory, or -.Nm -file system. -The filesystem stores both file metadata and data in main memory. -This allows very fast and low latency accesses to the data. -The data is volatile. -An umount or system reboot invalidates it. -These properties make the filesystem's mounts suitable for fast -scratch storage, like -.Pa /tmp . 
-.Pp -If the system becomes low on memory and swap is configured -.Po see -.Xr swapon 8 Pc , -the system can transfer file data to swap space, freeing memory -for other needs. -Metadata, including the directory content, is never swapped out by the -current implementation. -Keep this in mind when planning the mount limits, especially when expecting -to place many small files on a tmpfs mount. -.Pp -When -.Xr mmap 2 -is used on a file from a tmpfs mount, the swap VM object managing the -file pages is used to implement mapping and avoid double-copying of -the file data. -This quirk causes process inspection tools, like -.Xr procstat 1 , -to report anonymous memory mappings instead of file mappings. -.Sh OPTIONS -The following options are available when -mounting -.Nm -file systems: -.Bl -tag -width "maxfilesize" -.It Cm easize -Set the maximum memory size used by extended attributes in bytes. -The default is 16 megabytes. -.It Cm export -Accept the -.Cm export -option for compatibility with -.Xr nfsv4 4 . -This option does nothing. -.It Cm gid -Set the group ID of the root inode of the file system. -The default is the mount point's GID. -.It Cm inodes -Set the maximum number of nodes available to the file system. -If not specified, the file system chooses a reasonable maximum based on -the file system size, which can be limited with the -.Cm size -option. -.It Cm maxfilesize -Set the maximum file size in bytes. -The default is the maximum possible value. -.It Cm mode -Set the mode (in octal notation) of the root inode of the file system. -The default is the mount point's mode. -.It Cm nomtime -Disable the tracking of mtime updates caused by writes to the -shared mapped areas backed by -.Nm -files. -This option removes periodic scans, -which downgrade read-write-mapped pages to read-only to note the writes. -.It Cm nonc -Do not use namecache to resolve names to files for the created mount. 
-This saves memory, but currently might impair scalability for highly -used mounts on large machines. -.It Cm nosymfollow -Do not follow -.Xr symlink 7 Ap s -on the mounted file system. -.It Cm pgread -Enable pgcache read for the mount. -.It Cm size -Set the total file system size in bytes, unless suffixed -with one of k, m, g, t, or p, which denote byte, kilobyte, -megabyte, gigabyte, terabyte and petabyte respectively. -If zero (the default) or a value larger than SIZE_MAX - PAGE_SIZE -is given, the available amount of memory (including -main memory and swap space) will be used. -.It Cm uid -Set the user ID of the root inode of the file system. -The default is the mount point's UID. -.It Cm union -Refer to -.Xr mount 8 . -.El -.Sh SYSCTL VARIABLES -The following -.Xr sysctl 8 -variables are available: -.Bl -tag -width indent -.It Va vfs.tmpfs.memory_percent -The percentage of memory plus swap space available at kernel file system -initialization that can be used by a file system with a size of 0. -When this amount of space in use is reached, new files cannot be created -and files cannot be extended. -The default is 95%. -Changing this value also changes -.Va vfs.tmpfs.memory_reserved . -.It Va vfs.tmpfs.memory_reserved -The currently-reserved amount of memory plus swap space -based on the memory percentage. -The minimum is compiled into the system, and defaults to 4 MB. -.El -.Sh EXAMPLES -Mount a -.Nm -memory file system: -.Pp -.Dl "mount -t tmpfs tmpfs /tmp" -.Pp -Configure a -.Nm -mount via -.Xr fstab 5 : -.Bd -literal -offset indent -tmpfs /tmp tmpfs rw 0 0 -.Ed -.Sh SEE ALSO -.Xr procstat 1 , -.Xr mmap 2 , -.Xr nmount 2 , -.Xr unmount 2 , -.Xr fstab 5 , -.Xr mdmfs 8 , -.Xr mount 8 , -.Xr swapinfo 8 , -.Xr swapon 8 -.Sh HISTORY -The -.Nm -driver first appeared in -.Fx 7.0 . -.Sh AUTHORS -.An -nosplit -The -.Nm -kernel implementation was written by -.An Julio M. Merino Vidal Aq Mt jmmv@NetBSD.org -as a Google Summer of Code project. 
-.Pp -.An Rohit Jalan -and others ported it from -.Nx -to -.Fx . -.Pp -This manual page was written by -.An Xin LI Aq Mt delphij@FreeBSD.org . diff --git a/share/man/man5/unionfs.5 b/share/man/man5/unionfs.5 deleted file mode 100644 index a20889d54839..000000000000 --- a/share/man/man5/unionfs.5 +++ /dev/null 
@@ -1,86 +0,0 @@ -.\" Copyright (c) 2020 Gordon Bergling -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. -.\" -.Dd April 27, 2020 -.Dt UNIONFS 5 -.Os -.Sh NAME -.Nm unionfs -.Nd "UNION FS" -.Sh SYNOPSIS -To compile this driver into the kernel, -place the following lines in your -kernel configuration file: -.Bd -ragged -offset indent -.Cd "option UNIONFS" -.Ed -.Pp -Alternatively, to load the driver as a -module at boot time, place the following line in -.Xr loader.conf 5 : -.Bd -literal -offset indent -unionfs_load="YES" -.Ed -.Sh DESCRIPTION -The UNIONFS driver is an implementation of a stackable unification filesystem. -.Sh SEE ALSO -.Xr mount_unionfs 8 -.Sh STANDARDS -.Rs -.%T Union mounts in 4.4BSD-Lite -.%A J. S. 
Pendry -.%A M. K. McKusick -.%R Proceedings of the USENIX Technical Conference on UNIX and Advanced Computing Systems -.%D December 1995 -.Re -.Pp -.Rs -.%T Jails: Confining the omnipotent root -.%A P. H. Kamp -.%A R. N. M. Watson -.%R Proceedings of the Second International System Administration and Networking Conference (SANE2000) -.%D May 2000 -.Re -.Sh HISTORY -The -.Nm -device driver first appeared in -.Fx 5.0 . -.Sh AUTHORS -.An -nosplit -The -.Nm -device driver was written by Jan-Simon Pendry for -.Bx 4.4 -and -.An Masanori OZAWA Aq Mt ozawa@ongs.co.jp -reimplemented the handling of the locking for -.Fx 7.0 . -The manual page was written by -.An Gordon Bergling Aq Mt gbe@FreeBSD.org . -.Sh BUGS -Please see the -.Xr mount_unionfs 8 -manual page for a list of bugs regarding the -.Nm -filesystem. |
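Review bot: The deleted tarfs.5 text carries a typo in the compression paragraph, `.Cm ztsd:frame-per-file`, which should read `zstd:frame-per-file` to match the `.Cm zstd:max-frame-size` option named just before it; if this page is being relocated rather than dropped, fix it in the new copy instead of carrying it over. This hunk is also the only place the `vfs.tarfs.ioshift` tunable and the `vfs.tarfs.debug` bit table (0x01 through 0x200, gated on the `TARFS_DEBUG` kernel option) are documented, so the commit should make clear where that text now lives; removing the file from share/man/man5 alone leaves a driver that can still be loaded with `tarfs_load="YES"` without a manual page.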
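Review bot: The `size` option text in the deleted tmpfs.5 lists five suffixes (k, m, g, t, p) but six units ("byte, kilobyte, megabyte, gigabyte, terabyte and petabyte"), so "byte" should be dropped when the page is re-added at its new location. Wherever the page moves, keep the sentence that metadata and directory content are never swapped out, and the `size` and `inodes` options together with `vfs.tmpfs.memory_percent` (default 95%) and `vfs.tmpfs.memory_reserved`: those are the only documented limits on how much memory plus swap a mount created with `size` 0 may consume, which is exactly what an operator needs when sizing a world-writable `/tmp`.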
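Review bot: The SYNOPSIS of the deleted unionfs.5 uses `.Cd "option UNIONFS"` where the kernel configuration keyword is `options` (the tarfs and tmpfs pages deleted in this same diff use `options TARFS` and `options TMPFS`), and it says "place the following lines" for a single line; both should be corrected in the relocated copy rather than preserved. The DESCRIPTION is a single sentence and the BUGS section defers entirely to mount_unionfs(8), so if the page is moving next to the driver source, check that the mount_unionfs(8) cross-reference and the two `.Rs` citations (Pendry and McKusick, December 1995; Kamp and Watson, May 2000) still resolve from the new location.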