feat: Added NetBSD man pages

31 files changed, 11966 insertions, 0 deletions

diff --git a/static/netbsd/man7/Makefile b/static/netbsd/man7/Makefile
new file mode 100644
index 00000000..69f91bd7
--- /dev/null
+++ b/static/netbsd/man7/Makefile
@@ -0,0 +1,4 @@
+MAN = $(wildcard *.7)
+
+include ../../mandoc.mk
+
diff --git a/static/netbsd/man7/ascii.7 b/static/netbsd/man7/ascii.7
new file mode 100644
index 00000000..0c69f511
--- /dev/null
+++ b/static/netbsd/man7/ascii.7
@@ -0,0 +1,199 @@
+.\" $NetBSD: ascii.7,v 1.15 2019/11/19 05:11:33 christos Exp $
+.\" Copyright (c) 1989, 1990, 1993
+.\"	The Regents of the University of California.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. Neither the name of the University nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"	@(#)ascii.7	8.1 (Berkeley) 6/5/93
+.\" $FreeBSD: head/share/man/man7/ascii.7 325217 2017-10-31 06:43:37Z eadler $
+.\"
+.Dd November 19, 2019
+.Dt ASCII 7
+.Os
+.Sh NAME
+.Nm ascii
+.Nd octal, hexadecimal, decimal and binary
+.Tn ASCII
+character sets
+.Sh DESCRIPTION
+The
+.Nm octal
+set:
+.Bd -literal -offset left
+000 NUL  001 SOH  002 STX  003 ETX  004 EOT  005 ENQ  006 ACK  007 BEL
+010 BS   011 HT   012 LF   013 VT   014 FF   015 CR   016 SO   017 SI
+020 DLE  021 DC1  022 DC2  023 DC3  024 DC4  025 NAK  026 SYN  027 ETB
+030 CAN  031 EM   032 SUB  033 ESC  034 FS   035 GS   036 RS   037 US
+040 SP   041  !   042  "   043  #   044  $   045  %   046  &   047  '
+050  (   051  )   052  *   053  +   054  ,   055  -   056  .   057  /
+060  0   061  1   062  2   063  3   064  4   065  5   066  6   067  7
+070  8   071  9   072  :   073  ;   074  <   075  =   076  >   077  ?
+100  @   101  A   102  B   103  C   104  D   105  E   106  F   107  G
+110  H   111  I   112  J   113  K   114  L   115  M   116  N   117  O
+120  P   121  Q   122  R   123  S   124  T   125  U   126  V   127  W
+130  X   131  Y   132  Z   133  [   134  \e\   135  ]   136  ^   137  _
+140  `   141  a   142  b   143  c   144  d   145  e   146  f   147  g
+150  h   151  i   152  j   153  k   154  l   155  m   156  n   157  o
+160  p   161  q   162  r   163  s   164  t   165  u   166  v   167  w
+170  x   171  y   172  z   173  {   174  |   175  }   176  ~   177 DEL
+.Ed
+.Pp
+The
+.Nm hexadecimal
+set:
+.Bd -literal -offset left
+00 NUL   01 SOH   02 STX   03 ETX   04 EOT   05 ENQ   06 ACK   07 BEL
+08 BS    09 HT    0a LF    0b VT    0c FF    0d CR    0e SO    0f SI
+10 DLE   11 DC1   12 DC2   13 DC3   14 DC4   15 NAK   16 SYN   17 ETB
+18 CAN   19 EM    1a SUB   1b ESC   1c FS    1d GS    1e RS    1f US
+20 SP    21  !    22  "    23  #    24  $    25  %    26  &    27  '
+28  (    29  )    2a  *    2b  +    2c  ,    2d  -    2e  .    2f  /
+30  0    31  1    32  2    33  3    34  4    35  5    36  6    37  7
+38  8    39  9    3a  :    3b  ;    3c  <    3d  =    3e  >    3f  ?
+40  @    41  A    42  B    43  C    44  D    45  E    46  F    47  G
+48  H    49  I    4a  J    4b  K    4c  L    4d  M    4e  N    4f  O
+50  P    51  Q    52  R    53  S    54  T    55  U    56  V    57  W
+58  X    59  Y    5a  Z    5b  [    5c  \e\    5d  ]    5e  ^    5f  _
+60  \`    61  a    62  b    63  c    64  d    65  e    66  f    67  g
+68  h    69  i    6a  j    6b  k    6c  l    6d  m    6e  n    6f  o
+70  p    71  q    72  r    73  s    74  t    75  u    76  v    77  w
+78  x    79  y    7a  z    7b  {    7c  |    7d  }    7e  ~    7f DEL
+.Ed
+.Pp
+The
+.Nm decimal
+set:
+.Bd -literal -offset left
+  0 NUL    1 SOH    2 STX    3 ETX    4 EOT    5 ENQ    6 ACK    7 BEL
+  8 BS     9 HT    10 LF    11 VT    12 FF    13 CR    14 SO    15 SI
+ 16 DLE   17 DC1   18 DC2   19 DC3   20 DC4   21 NAK   22 SYN   23 ETB
+ 24 CAN   25 EM    26 SUB   27 ESC   28 FS    29 GS    30 RS    31 US
+ 32 SP    33  !    34  "    35  #    36  $    37  %    38  &    39  '
+ 40  (    41  )    42  *    43  +    44  ,    45  -    46  .    47  /
+ 48  0    49  1    50  2    51  3    52  4    53  5    54  6    55  7
+ 56  8    57  9    58  :    59  ;    60  <    61  =    62  >    63  ?
+ 64  @    65  A    66  B    67  C    68  D    69  E    70  F    71  G
+ 72  H    73  I    74  J    75  K    76  L    77  M    78  N    79  O
+ 80  P    81  Q    82  R    83  S    84  T    85  U    86  V    87  W
+ 88  X    89  Y    90  Z    91  [    92  \e\    93  ]    94  ^    95  _
+ 96  `    97  a    98  b    99  c   100  d   101  e   102  f   103  g
+104  h   105  i   106  j   107  k   108  l   109  m   110  n   111  o
+112  p   113  q   114  r   115  s   116  t   117  u   118  v   119  w
+120  x   121  y   122  z   123  {   124  |   125  }   126  ~   127 DEL
+.Ed
+.Pp
+The
+.Nm binary
+set:
+.Bd -literal -offset left
+ 00     01     10     11
+
+NUL     SP      @      `     00000
+SOH      !      A      a     00001
+STX      "      B      b     00010
+ETX      #      C      c     00011
+EOT      $      D      d     00100
+ENQ      %      E      e     00101
+ACK      &      F      f     00110
+BEL      '      G      g     00111
+ BS      (      H      h     01000
+ HT      )      I      i     01001
+ LF      *      J      j     01010
+ VT      +      K      k     01011
+ FF      ,      L      l     01100
+ CR      -      M      m     01101
+ SO      .      N      n     01110
+ SI      /      O      o     01111
+DLE      0      P      p     10000
+DC1      1      Q      q     10001
+DC2      2      R      r     10010
+DC3      3      S      s     10011
+DC4      4      T      t     10100
+NAK      5      U      u     10101
+SYN      6      V      v     10110
+ETB      7      W      w     10111
+CAN      8      X      x     11000
+ EM      9      Y      y     11001
+SUB      :      Z      z     11010
+ESC      ;      [      {     11011
+ FS      <      \e\      |     11100
+ GS      =      ]      }     11101
+ RS      >      ^      -     11110
+ US      ?      _    DEL     11111
+.Ed
+.Pp
+The full
+.Nm names
+of the control character set:
+.Bd -literal -offset left
+NUL      NULl
+SOH      Start Of Heading
+STX      Start Of Text
+ETX      End Of Text
+EOT      End Of Transmission
+ENQ      ENQuiry
+ACK      ACKnowledge
+BEL      BELl
+ BS      BackSpace
+ HT      Horizontal Tab
+ LF      Line Feed (new line)
+ VT      Vertical Tab
+ FF      new page Form Feed
+ CR      Carriage Return
+ SO      Shift Out
+ SI      Shift In
+DLE      Data Link Escape
+DC1      Device Control 1
+DC2      Device Control 2
+DC3      Device Control 3
+DC4      Device Control 4
+NAK      Negative AcKnowledge
+SYN      SYNchronous idle
+ETB      End of Transmission Block
+CAN      CANcel
+ EM      End of Medium
+SUB      SUBstitute
+ESC      ESCape
+ FS      File Separator
+ GS      Group Separator
+ RS      Record Separator
+ US      Unit Separator
+.Ed
+.Sh FILES
+.Bl -tag -width /usr/share/misc/ascii -compact
+.It Pa /usr/share/misc/ascii
+.El
+.Sh STANDARDS
+.Rs
+.%T Information Systems - Coded Character Sets - 7-Bit American National\
+Standard Code for Information Interchange (7-Bit ASCII)
+.%R INCITS 4-1986[R2017]
+.%Q InterNational Committee for Information Technology Standards
+.Re
+.Sh HISTORY
+An
+.Nm
+manual page appeared in
+.At v2 .
diff --git a/static/netbsd/man7/c.7 b/static/netbsd/man7/c.7
new file mode 100644
index 00000000..70762ddc
--- /dev/null
+++ b/static/netbsd/man7/c.7
@@ -0,0 +1,250 @@
+.\" $NetBSD: c.7,v 1.15 2023/08/27 15:50:47 rillig Exp $
+.\"
+.\" Copyright (C) 2007, 2010 Gabor Kovesdan. All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD: src/share/man/man7/c99.7,v 1.1 2010/06/17 12:05:47 gabor Exp $
+.\"
+.Dd March 30, 2011
+.Dt C 7
+.Os
+.Sh NAME
+.Nm c, c78, c89, c90, c99, c11
+.Nd The C programming language
+.Sh DESCRIPTION
+C is a general-purpose programming language, which has a strong connection
+with the UNIX operating system and its derivatives, since the vast
+majority of those systems were written in the C language.
+The C language contains some basic ideas from the BCPL language through
+the B language written by Ken Thompson in 1970 for the DEC PDP-7 machines.
+The development of the UNIX operating system was started on a PDP-7
+machine in assembly language, but this choice made it very difficult
+to port the existing code to other systems.
+.Pp
+In 1972, Dennis M. Ritchie worked out the C programming language for
+further development of the UNIX operating system.
+The idea was to implement only the C compiler for different
+platforms, and implement most parts of the operating system
+in the new programming language to simplify the portability between
+different architectures.
+It follows that C is very well adapted for (but not limited to) writing
+operating systems and low-level applications.
+.Pp
+The C language did not have a specification or standardized version for
+a long time.
+It went through a lot of changes and improvements for ages.
+In 1978, Brian W. Kernighan and Dennis M. Ritchie published the
+first book about C under the title
+.Dq The C Programming Language .
+We can think of this book as the first specification of the language.
+This version is often referred to as
+.Dq K&R C
+after the names of the authors.
+Sometimes it is referred to as C78, as well, after the publishing year of
+the first edition of the book.
+.Pp
+It is important to notice that the instruction set of the language is
+limited to the most fundamental elements for simplicity.
+Handling of the standard I/O and similar common functions are implemented in
+the libraries shipped with the compiler.
+As these functions are also widely used, it was demanded to include into
+the description what requisites the library should conform to, not just
+strictly the language itself.
+Accordingly, the aforementioned standards cover the library elements, as well.
+The elements of this standard library are still not enough for more
+complicated tasks.
+In this case the provided system calls of the given operating system can be
+used.
+To not lose the portability by using these system calls, the POSIX
+(Portable Operating System Interface (for Unix)) standard evolved.
+It describes what functions should be available to keep portability.
+Note that POSIX is not a C standard, but an operating system standard
+and thus is beyond the scope of this manual.
+The standards discussed below are all C standards and only cover
+the C programming language and the accompanying library.
+.Pp
+After the publication of the book mentioned before,
+the American National Standards Institute (ANSI) started to work on
+standardizing the language, and in 1989 they announced ANSI X3.159-1989.
+It is usually referred to as ANSI C or C89.
+The main difference in this standard were the function prototypes,
+which was a new way of declaring functions.
+With the old-style function declarations, the compiler was unable to
+check the sanity of the actual parameters of a function call.
+The old syntax was highly error-prone because incompatible parameters
+were hard to detect in the program code and the problem only showed up
+at run-time.
+.Pp
+In 1990, the International Organization for Standardization (ISO) adopted
+the ANSI standard as ISO/IEC 9899:1990.
+This is also referred to as ISO C or C90.
+It only contains negligible minor modifications against ANSI C,
+so the two standards are often considered to be fully equivalent.
+This was a very important milestone in the history of the C language, but the
+development of the language did not stop.
+.Pp
+The ISO C standard was later extended with an amendment as
+ISO/IEC 9899 AM1 in 1995.
+This contained, for example, the wide-character support in
+.In wchar.h
+and
+.In wctype.h .
+Two corrigenda were also published:
+Technical Corrigendum 1 as ISO/IEC 9899 TCOR1 in 1995,
+and Technical Corrigendum 2 as ISO/IEC 9899 TCOR2 in 1996.
+The continuous development and growth made it necessary to work out a new
+standard, which contains the new features and fixes the known defects and
+deficiencies of the language.
+As a result, ISO/IEC 9899:1999 was born in 1999.
+Similarly to the other standards, this is referred to after the
+publication year as C99.
+The improvements include the following:
+.Bl -bullet -offset indent
+.It
+Inline functions.
+.It
+Support for variable length arrays.
+.It
+New large-range integer type named
+.Vt long long int ,
+and other integer types described in
+.Xr stdint 3
+and
+.Xr inttypes 3 .
+.It
+New boolean data type; see
+.Xr stdbool 3 .
+.It
+One-line comments taken from the C++ language.
+.It
+Some new preprocessor features.
+.It
+A predefined identifier
+.Va __func__
+and a
+.Vt restrict
+type qualifier.
+.It
+Declarations are allowed after statements, not just in the beginning of the
+program or program blocks.
+.It
+No implicit
+.Vt int
+type.
+.El
+.Pp
+In 2011, another revision of ISO/IEC 9899 was published, nicknamed C11,
+adding features such as:
+.Bl -bullet -offset indent
+.It
+Compile-time assertions.
+.It
+Type-generic expressions.
+.It
+Unnamed struct and union members.
+.El
+.Pp
+In 2017, another revision of ISO/IEC 9899 was published, nicknamed C17,
+containing corrections to C11, but no new features.
+.Pp
+Since then no new standards have been published, but the C language is still
+evolving.
+.Pp
+Most of the UNIX-like operating systems use GNU C as a system compiler,
+but the various extensions of GNU C, such as
+.Xr attribute 3
+or
+.Xr typeof 3 ,
+should not be considered standard features.
+.Sh SEE ALSO
+.Xr c89 1 ,
+.Xr c99 1 ,
+.Xr c11 1 ,
+.Xr cc 1 ,
+.Xr cdefs 3
+.Rs
+.%A Brian W. Kernighan
+.%A Dennis M. Ritchie
+.%B The C Programming Language
+.%D 1988
+.%N Second Edition, 40th printing
+.%I Prentice Hall
+.Re
+.Sh STANDARDS
+.Rs
+.%A ANSI
+.%T X3.159-1989
+.Re
+.Pp
+.Rs
+.%A ISO/IEC
+.%T 9899:1990, Programming languages -- C
+.Re
+.Pp
+.Rs
+.%A ISO/IEC
+.%T 9899 AM1
+.Re
+.Pp
+.Rs
+.%A ISO/IEC
+.%T 9899 TCOR1, Programming languages -- C, Technical Corrigendum 1
+.Re
+.Pp
+.Rs
+.%A ISO/IEC
+.%T 9899 TCOR2, Programming languages -- C, Technical Corrigendum 2
+.Re
+.Pp
+.Rs
+.%A ISO/IEC
+.%T 9899:1999, Programming languages -- C
+.Re
+.Pp
+.Rs
+.%A ISO/IEC
+.%T 9899:1999 TCOR1, Programming languages -- C, Technical Corrigendum 1
+.Re
+.Pp
+.Rs
+.%A ISO/IEC
+.%T 9899:1999 TCOR2, Programming languages -- C, Technical Corrigendum 2
+.Re
+.Pp
+.Rs
+.%A ISO/IEC
+.%T 9899:1999 TCOR3, Programming languages -- C, Technical Corrigendum 3
+.Re
+.Pp
+.Rs
+.%A ISO/IEC
+.%T 9899:2011, Programming languages -- C
+.Re
+.Sh HISTORY
+This manual page first appeared in
+.Fx 9.0
+and
+.Nx 6.0 .
+.Sh AUTHORS
+This manual page was written by
+.An Gabor Kovesdan Aq Mt gabor@FreeBSD.org .
diff --git a/static/netbsd/man7/entropy.7 b/static/netbsd/man7/entropy.7
new file mode 100644
index 00000000..c67d5293
--- /dev/null
+++ b/static/netbsd/man7/entropy.7
@@ -0,0 +1,286 @@
+.\"	$NetBSD: entropy.7,v 1.10 2023/07/20 04:16:14 gutteridge Exp $
+.\"
+.\" Copyright (c) 2021 The NetBSD Foundation, Inc.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd June 30, 2023
+.Dt ENTROPY 7
+.Os
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.Sh NAME
+.Nm entropy
+.Nd random unpredictable secrets needed for security
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.Sh DESCRIPTION
+Computers need random unpredictable secrets for the security of
+software such as web browsers and
+.Xr ssh 1 .
+.Pp
+Computers are designed to behave in highly predictable ways, so they
+rely on observations of random physical phenomena around them, called
+.Nm entropy sources ,
+to derive unpredictable secrets for cryptography.
+.Pp
+While some computers have reliable entropy sources such as hardware
+random number generators based on thermal noise in silicon circuits,
+others may require operator intervention for security.
+.\""""""""""""""""""""""""""""""""""""""
+.Ss Threats
+.Bl -bullet
+.It
+Web browsers and programs such as
+.Xr ssh 1
+rely on unpredictable secrets in cryptography to prevent eavesdropping
+and detect tampering of sessions over the network.
+.It
+.Xr ssh-keygen 1
+relies on unpredictable secrets to create keys that allow you to log in
+but keep out malicious adversaries; if an adversary could guess the key
+then they could impersonate you.
+.It
+.Nx
+relies on unpredictable secrets to make sure that private user data
+stored on nonvolatile media when memory is scarce
+.Po
+.Xr swapctl 8 ,
+using
+.Ql vm.swap_encrypt=1 ;
+see
+.Xr sysctl 7
+.Pc
+cannot be recovered by forensic tools after shutdown.
+.El
+.\""""""""""""""""""""""""""""""""""""""
+.Ss Entropy in NetBSD
+.Nx
+gathers samples from various kinds of entropy sources, including:
+.Bl -bullet -compact
+.It
+hardware random number generators
+.It
+network traffic timing
+.It
+user input (keystrokes, mouse movements, etc.)
+.It
+disk I/O latency
+.It
+environment sensors
+.Pq Xr envsys 4
+.El
+The samples are mixed together with cryptography to yield unpredictable
+secrets through
+.Pa /dev/urandom
+.Pq see Xr rnd 4
+and related interfaces used by programs like
+.Xr ssh 1 ,
+Firefox, and so on.
+.Pp
+.Nx
+also stores a random seed at
+.Pa /var/db/entropy-file
+to carry unpredictable secrets over from one boot to the next, as long
+as the medium remains secret and can be updated on boot.
+The seed is maintained automatically by
+.Pa /etc/rc.d/random_seed
+.Pq see Xr rc.conf 5 .
+.\""""""""""""""""""""""""""""""""""""""
+.Ss Ensuring enough entropy
+Entropy is measured in bits, and only 256 bits of entropy are needed
+for security, thanks to modern cryptography.
+.Pp
+To detect potentially insecure systems,
+.Nx
+takes measures to alert the operator if there isn't definitely enough
+for security:
+.Bl -bullet
+.It
+.Nx
+issues warnings on the console if there's not enough entropy when
+programs need it; see
+.Xr rnd 4 .
+.It
+The
+.Xr motd 5
+has a warning if there was not enough entropy when network daemons such as
+.Xr sshd 8
+first generated keys.
+.It
+The daily security report includes an alert if there's still not enough
+entropy; see
+.Xr security.conf 5 .
+.El
+.Pp
+Since it is hard to know how unpredictable most physical systems are,
+only devices specifically designed to be hardware random number
+generators, or a seed file stored on disk, count toward these alerts.
+.Pp
+At boot,
+.Nx
+will wait, when
+.Ql entropy=wait
+is set in
+.Xr rc.conf 5 ,
+or fail to single-user mode, when
+.Ql entropy=check
+is set, if there is not enough entropy from
+.Em any
+sources, including devices not designed to be unpredictable, such as
+the CPU cycle counter sampled by a periodic timer, provided the samples
+pass a simple filter called the
+.Sq entropy estimator ,
+like other operating systems.
+Sources known to be predictable, which could give a false sense of
+security, can be disabled from unblocking boot by setting
+.Li rndctl_flags
+in
+.Xr rc.conf 5 .
+.Pp
+Many new computers have hardware random number generators, such as
+RDRAND/RDSEED in Intel/AMD CPUs, or ARMv8.5-RNDRRS;
+.Xr virtio 4 Ns -based
+virtualization platforms such as QEMU can expose entropy from the host
+with
+.Xr viornd 4 ;
+bootloader firmware such as UEFI may also expose an underlying
+platform's random number generator.
+.Pp
+However, many older computers have no reliable entropy sources.
+Some have the hardware, but have it off by default, such as a disabled
+.Xr tpm 4 .
+On computers with no built-in reliable entropy source, you may wish to
+transfer a seed from another computer with
+.Xr rndctl 8 ,
+or manually enter samples into
+.Pa /dev/urandom
+\(em see below.
+.\""""""""""""""""""""""""""""""""""""""
+.Ss Adding entropy
+.Pp
+You can manually save and load seeds with the
+.Xr rndctl 8
+tool.
+For example, you might use
+.Dl rndctl -S seed
+to save a seed from one machine, transfer it \(em over a medium where
+you are confident there are no eavesdroppers \(em to another machine,
+and load it with
+.Dl rndctl -L seed
+on the target machine; then run
+.Dl /etc/rc.d/random_seed stop
+on the target machine to ensure that the entropy will be saved for next
+boot, even if the system later crashes or otherwise shuts down
+uncleanly.
+.Ic rndctl -S
+records the number of bits of entropy in the seed so that
+.Ic rndctl -L
+can count it.
+.Pp
+Users can write data to
+.Pa /dev/urandom
+to be mixed together with all other samples.
+For example, no matter what entropy sources are built into a computer,
+you can ensure it has enough entropy (as long as there are no
+surveillance cameras watching you) by flipping a coin 256 times and
+running:
+.Dl echo thttthhhhttththtttht... > /dev/urandom
+Then run
+.Dl /etc/rc.d/random_seed stop
+to ensure that the effort will be saved for next boot.
+.Pp
+Inputs from the superuser (uid 0) to
+.Pa /dev/urandom
+count toward the system's entropy estimate, at the maximum rate of one
+bit of entropy per bit of data; inputs from unprivileged users will
+affect subsequent outputs but will be counted as having zero entropy.
+.Pp
+After adding entropy,
+.Sy make sure to regenerate any long-term keys
+that might be predictable because they were previously generated with
+too little entropy.
+For example, if
+.Ql sshd=YES
+is enabled in
+.Pa /etc/rc.conf ,
+then
+.Nx
+will automatically generate ssh host keys on boot; if they were
+generated with too little entropy, then you may wish to delete them and
+create new ones before allowing anyone to log in via
+.Xr ssh 1 .
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.Sh DIAGNOSTICS
+.Nx
+may print the following warnings to the console:
+.Bl -diag
+.It WARNING: system needs entropy for security; see entropy(7)
+Some process tried to draw use entropy from
+.Nx ,
+e.g. to generate a key for cryptography, before enough inputs from
+reliable entropy sources have been obtained.
+The entropy may be low enough that an adversary could guess keys by
+brute force.
+.Pp
+This message is rate-limited, so if you have added entropy and want to
+verify that the problem is resolved, you should consult the
+.Dv kern.entropy.needed
+.Xr sysctl 7
+variable to confirm it is zero, rather than just look for the absence
+of this message; see
+.Xr rnd 4
+for details.
+.El
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.Sh SEE ALSO
+.Xr getrandom 2 ,
+.Xr arc4random 3 ,
+.Xr rnd 4 ,
+.Xr rc.conf 5 ,
+.Xr rc 8 ,
+.Xr rndctl 8
+.Rs
+.%A Nadia Heninger
+.%A Zakir Durumeric
+.%A Eric Wustrow
+.%A J. Alex Halderman
+.%T Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices
+.%B Proceedings of the 21st USENIX Security Symposium
+.%I USENIX
+.%D August 2012
+.%P 205-220
+.%U https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/heninger
+.%U https://factorable.net/
+.Re
+.Rs
+.%T openssl \(em predictable random number generator
+.%I Debian Security Advisory
+.%O DSA-1571-1
+.%D 2008-05-13
+.%U https://www.debian.org/security/2008/dsa-1571.html
+.Re
+.Rs
+.%T Features/VirtIORNG
+.%I QEMU Wiki
+.%U https://wiki.qemu.org/Features/VirtIORNG
+.%D 2016-10-17
+.Re
diff --git a/static/netbsd/man7/environ.7 b/static/netbsd/man7/environ.7
new file mode 100644
index 00000000..b1c06f50
--- /dev/null
+++ b/static/netbsd/man7/environ.7
@@ -0,0 +1,295 @@
+.\"	$NetBSD: environ.7,v 1.27 2017/06/27 01:13:44 kre Exp $
+.\"
+.\" Copyright (c) 1983, 1990, 1993
+.\"	The Regents of the University of California.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. Neither the name of the University nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"	@(#)environ.7	8.3 (Berkeley) 4/19/94
+.\"
+.Dd January 21, 2011
+.Dt ENVIRON 7
+.Os
+.Sh NAME
+.Nm environ
+.Nd user process environment
+.Sh SYNOPSIS
+.Vt extern char ** Ns Dv environ ;
+.Sh DESCRIPTION
+An array of strings called the
+.Em environment
+is made available by
+.Xr execve 2
+when a process begins.
+By convention these strings have the form
+.Dq Ar name=value .
+The following names are used by various commands:
+.Bl -tag -width ".Ev LIBC_DIAGASSERT"
+.It Ev AUDIOCTLDEVICE
+The name of the audio control device to be used by
+.Xr audioctl 1 ,
+.Xr audioplay 1
+and
+.Xr audiorecord 1 .
+.It Ev AUDIODEVICE
+The name of the audio device to be used by
+.Xr audioplay 1
+and
+.Xr audiorecord 1 .
+.It Ev BLOCKSIZE
+The size of the block units used by several commands, most notably
+.Xr df 1 ,
+.Xr du 1
+and
+.Xr ls 1 .
+.Ev BLOCKSIZE
+may be specified in units of a byte by specifying a number,
+in units of a kilobyte by specifying a number followed by
+.Ql K
+or
+.Ql k ,
+in units of a megabyte by specifying a number followed by
+.Ql M
+or
+.Ql m
+and in units of a gigabyte by specifying a number followed
+by
+.Ql G
+or
+.Ql g .
+Sizes less than 512 bytes or greater than a gigabyte are ignored.
+.It Ev EDITRC
+Gives the path name of the file used by
+.Xr editline 7
+when command line editing is enabled in various programs.
+See
+.Xr editrc 5
+for information on the format of the file.
+.It Ev EXINIT
+A startup list of commands read by
+.Xr ex 1
+and
+.Xr vi 1 .
+.It Ev HOME
+A user's login directory, set by
+.Xr login 1
+from the password file
+.Xr passwd 5 .
+.It Ev LANG
+Default for all NLS categories.
+Only used if
+.Ev LC_ALL
+or the environment variable for a particular NLS category
+is not provided
+.Ev ( LC_COLLATE ,
+.Ev LC_CTYPE ,
+.Ev LC_MESSAGES ,
+.Ev LC_MONETARY ,
+.Ev LC_NUMERIC ,
+or
+.Ev LC_TIME ) .
+.It Ev LC_ALL
+Override for all NLS categories.
+If set, overrides the values of
+.Ev LC_COLLATE ,
+.Ev LC_CTYPE ,
+.Ev LC_MESSAGES ,
+.Ev LC_MONETARY ,
+.Ev LC_NUMERIC ,
+and
+.Ev LC_TIME .
+.It Ev LC_COLLATE
+NLS string-collation order information.
+.It Ev LC_CTYPE
+NLS character classification, case conversion, and other character attributes.
+.It Ev LC_MESSAGES
+NLS format for affirmative and negative responses.
+.It Ev LC_MONETARY
+NLS rules and symbols for formatting monetary numeric information.
+.It Ev LC_NUMERIC
+NLS rules and symbols for formatting nonmonetary numeric information.
+.It Ev LC_TIME
+NLS rules and symbols for formatting time and date information.
+.It Ev LIBC_DIAGASSERT
+Control how the
+.Fn _DIAGASSERT
+macro (from
+.In assert.h )
+behaves once the assertion is raised.
+Refer to
+.Xr _DIAGASSERT 3
+for more information.
+.It Ev LOGNAME
+The login name of the user.
+.It Ev MALLOC_OPTIONS
+Control the behaviour of the
+.Fn malloc
+function.
+Refer to
+.Xr jemalloc 3
+for more information.
+.It Ev MIXERDEVICE
+The name of the audio mixer device to be used by
+.Xr mixerctl 1 .
+.It Ev PAGER
+The program used for paginating the output of several commands
+such as
+.Xr man 1 .
+If null or not set, the standard pagination program
+.Xr more 1
+will be used.
+.It Ev PATH
+The sequence of directories, separated by colons, searched by
+.Xr csh 1 ,
+.Xr sh 1 ,
+.Xr system 3 ,
+.Xr execvp 3 ,
+etc, when looking for an executable file.
+.Ev PATH
+is set to
+.Pp
+.Dl /usr/bin:/bin:/usr/pkg/bin:/usr/local/bin
+.Pp
+initially by
+.Xr login 1 .
+.It Ev PRINTER
+The name of the default printer to be used by
+.Xr lpr 1 ,
+.Xr lpq 1 ,
+and
+.Xr lprm 1 .
+.It Ev RCMD_CMD
+When using the
+.Xr rcmd 3
+function, this variable is used as the program to run instead of
+.Xr rcmd 1 .
+.It Ev SHELL
+The full pathname of the user's login shell.
+.It Ev TERM
+The kind of terminal for which output is to be prepared.
+This information is used by commands, such as
+.Xr nroff 1
+.\" or
+.\" .Xr plot 1
+which may exploit special terminal capabilities.
+See
+.Pa /usr/share/misc/terminfo
+.Pq Xr terminfo 5
+for a list of terminal types.
+.It Ev TERMCAP
+The string describing the terminal in
+.Ev TERM ,
+or, if it begins with a
+.Ql / ,
+the name of the termcap file.
+This is only checked if
+.Ev TERMINFO
+is not set.
+.It Ev TERMINFO
+The string describing the terminal in
+.Ev TERM ,
+or, if it begins with a
+.Ql / ,
+the name of the terminfo file.
+.It Ev TIMEFORMAT
+A
+.Xr strftime 3
+format string that may be used by programs such as
+.Xr dump 8
+for formatting timestamps.
+.It Ev TMPDIR
+The directory in which to store temporary files.
+Most applications use either
+.Pa /tmp
+or
+.Pa /var/tmp .
+Setting this variable will make them use another directory.
+.It Ev TZ
+The timezone to use when displaying dates.
+The normal format is a pathname relative to
+.Pa /usr/share/zoneinfo .
+For example, the command
+.Pp
+.Dl env TZ=US/Pacific date
+.Pp
+displays the current time in California.
+See
+.Xr tzset 3
+for more information.
+.It Ev USER
+The login name of the user.
+It is recommended that portable applications use
+.Ev LOGNAME
+instead.
+.El
+.Pp
+Further names may be placed in the environment by the
+.Ic export
+command and
+.Ar name=value
+arguments in
+.Xr sh 1 ,
+or by the
+.Ic setenv
+command if you use
+.Xr csh 1 .
+It is unwise to change certain
+.Xr sh 1
+variables that are frequently exported by
+.Pa .profile
+files, such as
+.Ev MAIL ,
+.Ev PS1 ,
+.Ev PS2 ,
+and
+.Ev IFS ,
+unless you know what you are doing.
+.Sh SEE ALSO
+.Xr audioctl 1 ,
+.Xr audioplay 1 ,
+.Xr audiorecord 1 ,
+.Xr csh 1 ,
+.Xr ex 1 ,
+.Xr login 1 ,
+.Xr man 1 ,
+.Xr more 1 ,
+.Xr sh 1 ,
+.Xr execve 2 ,
+.Xr _DIAGASSERT 3 ,
+.Xr execle 3 ,
+.Xr jemalloc 3 ,
+.Xr rcmd 3 ,
+.Xr system 3 ,
+.Xr termcap 3 ,
+.Xr terminfo 3 ,
+.Xr audio 4 ,
+.Xr terminfo 5 ,
+.Xr nls 7 ,
+.Xr dump 8
+.Sh HISTORY
+The
+.Nm
+manual page appeared in
+.Bx 4.2 .
diff --git a/static/netbsd/man7/glob.7 b/static/netbsd/man7/glob.7
new file mode 100644
index 00000000..4b1ecdc2
--- /dev/null
+++ b/static/netbsd/man7/glob.7
@@ -0,0 +1,154 @@
+.\" $NetBSD: glob.7,v 1.4 2021/11/02 22:13:14 abs Exp $
+.\"
+.\"	$OpenBSD: glob.7,v 1.3 2009/12/26 15:24:54 schwarze Exp $
+.\"
+.\" Copyright (c) 2009 Todd C. Miller <Todd.Miller@courtesan.com>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd November 2, 2021
+.Dt GLOB 7
+.Os
+.Sh NAME
+.Nm glob
+.Nd shell-style pattern matching
+.Sh DESCRIPTION
+Globbing characters
+.Pq wildcards
+are special characters used to perform pattern matching of pathnames and
+command arguments in the
+.Xr csh 1 ,
+.Xr ksh 1 ,
+and
+.Xr sh 1
+shells as well as
+the C library functions
+.Xr fnmatch 3
+and
+.Xr glob 3 .
+A glob pattern is a word containing one or more unquoted
+.Ql \&?
+or
+.Ql *
+characters, or
+.Dq Li [..]
+sequences.
+.Pp
+Globs should not be confused with the more powerful
+regular expressions used by programs such as
+.Xr grep 1 .
+While there is some overlap in the special characters used in regular
+expressions and globs, their meaning is different.
+.Pp
+The pattern elements have the following meaning:
+.Bl -tag -width Ds
+.It Li \&?
+Matches any single character.
+.It Li \&*
+Matches any sequence of zero or more characters.
+.It Li [..]
+Matches any of the characters inside the brackets.
+Ranges of characters can be specified by separating two characters by a
+.Ql \-
+(e.g.\&
+.Dq Li [a0-9]
+matches the letter
+.Sq a
+or any digit).
+In order to represent itself, a
+.Ql \-
+must either be quoted or the first or last character in the character list.
+Similarly, a
+.Ql \&]
+must be quoted or the first character in the list if it is to represent itself
+instead of the end of the list.
+Also, a
+.Ql \&!
+appearing at the start of the list has special meaning (see below), so to
+represent itself it must be quoted or appear later in the list.
+.Pp
+Within a bracket expression, the name of a
+.Em character class
+enclosed in
+.Ql [:
+and
+.Ql :]
+stands for the list of all characters belonging to that class.
+Supported character classes:
+.Bl -column ".Li xdigit" ".Li xdigit" ".Li xdigit" -offset indent
+.It Li "alnum" Ta Li "cntrl" Ta Li "lower" Ta Li "space"
+.It Li "alpha" Ta Li "digit" Ta Li "print" Ta Li "upper"
+.It Li "blank" Ta Li "graph" Ta Li "punct" Ta Li "xdigit"
+.El
+.Pp
+These match characters using the macros specified in
+.Xr ctype 3 .
+A character class may not be used as an endpoint of a range.
+.It Li [!..]
+Like
+.Li [..] ,
+except it matches any character not inside the brackets.
+.It Li \e
+Matches the character following it verbatim.
+This is useful to quote the special characters
+.Ql \&? ,
+.Ql \&* ,
+.Ql \&[ ,
+and
+.Ql \e
+such that they lose their special meaning.
+For example, the pattern
+.Dq Li \e\e\e\&*\e[x]\e\&?
+matches the string
+.Dq \e\&*[x]\&? .
+.El
+.Pp
+Note that when matching a pathname, the path separator
+.Ql / ,
+is not matched by a
+.Ql \&? ,
+or
+.Ql * ,
+character or by a
+.Dq Li [..]
+sequence.
+Thus,
+.Pa /usr/*/*/X11
+would match
+.Pa /usr/X11R7/lib/X11
+and
+.Pa /usr/X11R7/include/X11
+while
+.Pa /usr/*/X11
+would not match either.
+Likewise,
+.Pa /usr/*/bin
+would match
+.Pa /usr/local/bin
+but not
+.Pa /usr/bin .
+.Sh SEE ALSO
+.Xr fnmatch 3 ,
+.Xr glob 3 ,
+.Xr re_format 7
+.Sh HISTORY
+In early versions of
+.Ux ,
+the shell did not do pattern expansion itself.
+A dedicated program,
+.Pa /etc/glob ,
+was used to perform the expansion and pass the results to a command.
+In
+.At v7 ,
+with the introduction of the Bourne shell,
+this functionality was incorporated into the shell itself.
diff --git a/static/netbsd/man7/groups.7 b/static/netbsd/man7/groups.7
new file mode 100644
index 00000000..3ec4cd22
--- /dev/null
+++ b/static/netbsd/man7/groups.7
@@ -0,0 +1,330 @@
+.\"	$NetBSD: groups.7,v 1.8 2020/04/02 20:57:20 roy Exp $
+.\"
+.\" Copyright (c) 2020 The NetBSD Foundation, Inc.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd April 2, 2020
+.Dt GROUPS 7
+.Os
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.Sh NAME
+.Nm groups
+.Nd standard group names
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.Sh DESCRIPTION
+A standard
+.Nx
+installation has the following user group names:
+.\" These are currently sorted by gid; perhaps they should be sorted
+.\" lexicographically by name instead.
+.Bl -tag -width ".Em _tcpdump"
+.It Em wheel
+Users authorized to elevate themselves to the super-user privileges of
+the root user, meaning uid\~0.
+Normally the
+.Em wheel
+group has gid\~0.
+.Pp
+Users who are not in the group
+.Em wheel
+are never allowed by
+.Xr su 1
+to gain root privileges.
+.It Em daemon
+Used by the set-group-id
+.Pq Xr setuid 7
+programs
+.Xr lpq 1 ,
+.Xr lpr 1 ,
+and
+.Xr lprm 1 .
+.\" Unclear why.  Maybe used to be used by uucp stuff too, since
+.\" /var/spool/lock ownership is uucp:daemon?
+.It Em sys
+Historic group.
+Unused in modern
+.Nx .
+.It Em tty
+Used by the set-group-id
+.Pq Xr setuid 7
+programs
+.Xr wall 1
+and
+.Xr write 1
+to allow users to send messages to another tty even if they don't own
+it.
+Static tty device nodes in
+.Pa /dev
+are all in the group
+.Em tty ,
+and the
+.Xr mount_ptyfs 8
+program passes the gid of the
+.Em tty
+group to the kernel so that all nodes in
+.Pa /dev/pts
+or equivalent are in the group too.
+.It Em operator
+Users authorized to take backups of disk devices and shut down the
+machine.
+.Pp
+The disk device nodes in
+.Pa /dev
+such as
+.Pa /dev/rwd0a
+are in the group
+.Em operator
+and group-readable so users in the group can read from disk devices,
+for example with
+.Xr dump 8 .
+The tape device nodes in
+.Pa /dev
+such as
+.Pa /dev/rst0
+are in the group
+.Em operator
+and are both group-readable and group-writable so users in the group
+can write to tape devices.
+.Pp
+The
+.Xr shutdown 8
+program is executable only by root and members of the
+.Em operator
+group.
+.It Em mail
+Historic group.
+Unused in modern
+.Nx .
+.\" Is this true?  Hard to grep for this in src...
+.It Em bin
+Historic group.
+Unused in modern
+.Nx .
+.It Em wsrc
+Historic group.
+Unused in modern
+.Nx .
+.\" Actually it seems to be used in the set lists somehow, but it's
+.\" unclear to me how what the significance is.
+.It Em maildrop
+Used by the set-group-id
+.Pq Xr setuid 7
+programs
+.Xr postdrop 1
+and
+.Xr postqueue 1
+to submit to and examine the
+.Xr postfix 1
+mail queue at
+.Pa /var/spool/postfix/maildrop
+and
+.Pa /var/spool/postfix/public .
+.It Em postfix
+Primary group for the
+.Em postfix
+pseudo-user used by the
+.Xr postfix 1
+mail transfer agent.
+.\" Why are various subdirectories of /var/spool/postfix owned by
+.\" postfix:wheel and not postfix:postfix?
+.It Em games
+Used by various set-group-id
+.Pq Xr setuid 7
+games to maintain high-scores files and other common files in
+.Pa /var/games .
+.It Em named
+Primary group for the
+.Em named
+pseudo-user used by the
+.Xr named 8
+DNS nameserver daemon.
+.It Em ntpd
+Primary group for the
+.Em ntpd
+pseudo-user used by the
+.Xr ntpd 8
+network time protocol daemon.
+.It Em sshd
+Primary group for the
+.Em sshd
+pseudo-user used by the
+.Xr sshd 8
+secure shell daemon.
+.It Em _pflogd
+Primary group for the
+.Em _pflogd
+pseudo-user used by the
+.Xr pflogd 8
+log daemon with the
+.Xr pf 4
+packet filter.
+.It Em _rwhod
+Primary group for the
+.Em _rwhod
+pseudo-user used by the
+.Xr rwhod 8
+system status daemon.
+.It Em staff
+Staff users, in contrast to regular or guest users.
+Not used by
+.Nx ;
+available for the administrator's interpretation.
+.It Em _proxy
+Primary group for the
+.Em _proxy
+pseudo-user used by the
+.Xr ftp-proxy 8
+and
+.Xr tftp-proxy 8
+proxy daemons with packet filters such as
+.Xr pf 4
+or
+.Xr ipnat 4 .
+.It Em _timedc
+Primary group for the
+.Em _timedc
+pseudo-user used by the
+.Xr timedc 8
+tool to communicate with the
+.Xr timed 8
+time server daemon.
+.It Em _sdpd
+Primary group for the
+.Em _sdpd
+pseudo-user used by the
+.Xr sdpd 8
+Bluetooth service discovery protocol daemon.
+.It Em _httpd
+Primary group for the
+.Em _httpd
+pseudo-user used by the
+.Xr httpd 8 Pq bozohttpd
+web server.
+.It Em _mdnsd
+Primary group for the
+.Em _mdnsd
+pseudo-user used by the
+.Xr mdnsd 8
+multicast DNS and DNS service discovery daemon.
+.It Em _tests
+Primary group for the
+.Em _tests
+pseudo-user used by
+.Xr atf 7
+automatic tests that request to run unprivileged.
+.It Em _tcpdump
+Primary group for the
+.Em _tcpdump
+pseudo-user used by the
+.Xr tcpdump 8
+network traffic dumper and analyzer.
+.It Em _tss
+Primary group for the
+.Em _tss
+pseudo-user used by the
+.Xr tcsd 8
+.Sq Trusted Computing
+daemon to manage a TPM.
+.It Em _gpio
+Users authorized to read and write GPIO pins; see
+.Xr gpio 4
+and
+.Xr gpioctl 8 .
+.It Em _dhcpcd
+Primary group for the
+.Em _dhcpcd
+pseudo-user used by the
+.Xr dhcpcd 8
+DHCP Client Daemon.
+.It Em _rtadvd
+Primary group for the
+.Em _rtadvd
+pseudo-user used by the
+.Xr rtadvd 8
+IPv6 network router advertisement daemon.
+.It Em guest
+Guest users, in contrast to staff or regular users.
+Not used by
+.Nx ;
+available for the administrator's interpretation.
+.It Em _unbound
+Primary group for the
+.Em _unbound
+pseudo-user used by the
+.Xr unbound 8
+recursive DNS resolver.
+.It Em _nsd
+Primary group for the
+.Em _nsd
+pseudo-user used by the
+.Xr nsd 8
+authoritative DNS nameserver.
+.It Em nvmm
+Users authorized to use the
+.Xr nvmm 4
+.Nx
+Virtual Machine Monitor.
+.It Em nobody
+Primary group for the traditional
+.Em nobody
+pseudo-user.
+Modern practice is to assign to each different daemon its own separate
+pseudo-user account and group so that if one daemon is compromised it
+does not compromise all the other daemons.
+.It Em utmp
+Group of
+.Xr utmp 5
+login records.
+.\" Why?
+.It Em authpf
+Used by the set-group-id
+.Pq Xr setuid 7
+program
+.Xr authpf 8
+to configure authenticated gateways.
+.\" Does it actually use the sgid bit?  It's also suid root...
+.It Em users
+Regular users, in contrast to staff or guest users.
+.Pp
+Default primary group for new users, as set in the default
+.Xr usermgmt.conf 5
+file.
+Some administrators may instead prefer to assign to each user a unique
+group with the same name as the user by passing the
+.So
+.Fl g Cm "=uid"
+.Sc
+option to
+.Xr useradd 8 .
+.It Em dialer
+Users authorized to make outgoing modem calls.
+Unused in modern
+.Nx .
+.It Em nogroup
+Pseudo-group.
+.\" For...?
+.El
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.Sh SEE ALSO
+.Xr users 7
diff --git a/static/netbsd/man7/hier.7 b/static/netbsd/man7/hier.7
new file mode 100644
index 00000000..acccfece
--- /dev/null
+++ b/static/netbsd/man7/hier.7
@@ -0,0 +1,1302 @@
+.\"	$NetBSD: hier.7,v 1.145 2025/08/26 06:04:37 mrg Exp $
+.\"
+.\" Copyright (c) 1990, 1993, 1994
+.\"	The Regents of the University of California.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. Neither the name of the University nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"	@(#)hier.7	8.5 (Berkeley) 6/1/94
+.\"
+.Dd August 26, 2025
+.Dt HIER 7
+.Os
+.Sh NAME
+.Nm hier
+.Nd layout of file systems
+.Sh DESCRIPTION
+An outline of the file system hierarchy.
+.Pp
+Naming is very important.
+The
+.Ux
+System relies on filename conventions for much of its power as a system.
+The following file system layout describes generally where things are
+and what they are, with references to other man pages for more detailed
+documentation.
+.Pp
+Not all files will be in every system.
+.Bl -tag -width "/altroot/"
+.It Pa \&/
+Root directory of the system.
+.It Pa /COPYRIGHT
+System copyright notice, most often put on CD-ROM distributions.
+.It Pa "/[a-z]/"
+User file systems.
+.It Pa /altroot/
+Alternate root file system, in case of disaster.
+.\" .It Pa /amd/
+.\" Home directories mount point; see
+.\" .Xr amd 8 .
+.It Pa /bin/
+Utilities used in both single and multi-user environments.
+.It Pa /boot*
+Second-stage boot loader(s) for some platforms; see
+.Xr installboot 8 .
+.It Pa /cdrom/
+Empty directory commonly used by
+system administrators as a temporary mount point for ISO-9660 file
+systems on CD (or DVD) media.
+.It Pa /dev/
+Block, character, and other special device files.
+.Pp
+.Bl -tag -width "MAKEDEV" -compact
+.It Pa MAKEDEV
+Script for creating device files;
+see
+.Xr makedev 8 .
+.It Pa console
+The computer's console device.
+.It Pa drum
+The computer's swap space device; see
+.Xr drum 4 .
+.It Pa fd/
+File descriptor files;
+see
+.Xr fd 4 .
+.It Pa klog
+Kernel logging device; see
+.Xr syslog 3 .
+.It Pa kmem
+Kernel virtual memory device; see
+.Xr mem 4 .
+.It Pa log
+.Ux
+domain datagram log socket; see
+.Xr syslogd 8 .
+.It Pa mem
+Kernel physical memory device; see
+.Xr mem 4 .
+.It Pa null
+The null device; see
+.Xr null 4 .
+.It Pa pts/
+Mount point for the pseudo-terminal device file system; see
+.Xr mount_ptyfs 8 .
+.It Pa stderr
+.It Pa stdin
+.It Pa stdout
+File descriptor files;
+see
+.Xr fd 4 .
+.It Pa tty
+Device pointing to each process's own controlling terminal; see
+.Xr tty 4 .
+.It Pa zero
+The zero device; see
+.Xr zero 4 .
+.El
+.\" .It Pa /dump/
+.\" Online
+.\" .Xr dump 8
+.\" repository.
+.It Pa /etc/
+System configuration files and scripts.
+.Pp
+.Bl -tag -width "master.passwd" -compact
+.It Pa amd*
+Configuration files for
+.Xr amd 8 .
+.It Pa changelist
+Files backed up by the
+.Pa security
+script.
+.It Pa crontab
+Schedule used by the
+.Xr cron 8
+daemon.
+.It Pa csh.cshrc
+.It Pa csh.login
+.It Pa csh.logout
+System-wide scripts for
+.Xr csh 1 .
+.It Pa daily
+Script run each day by
+.Xr cron 8 .
+.It Pa daily.conf
+Configuration file for
+.Pa daily ;
+see
+.Xr daily.conf 5 .
+.It Pa defaults/
+Default configuration files read by various
+.Pa /etc/*.conf
+files.
+.It Pa disktab
+Disk description file; see
+.Xr disktab 5 .
+.It Pa dm.conf
+Dungeon master configuration; see
+.Xr dm.conf 5 .
+.It Pa dumpdates
+Dump history; see
+.Xr dump 8 .
+.It Pa exports
+File system export information; see
+.Xr mountd 8 .
+.It Pa fstab
+File system mounting table; see
+.Xr fstab 5
+and
+.Xr mount 8 .
+.It Pa ftpusers
+Users denied
+.Xr ftp 1
+access; see
+.Xr ftpd 8 .
+.It Pa ftpwelcome
+.Xr ftp 1
+initial message; see
+.Xr ftpd 8 .
+.It Pa gettytab
+Terminal configuration database; see
+.Xr gettytab 5 .
+.It Pa group
+Group permissions file; see
+.Xr group 5 .
+.It Pa hosts
+Host name database backup for
+.Xr named 8 ;
+see
+.Xr hosts 5 .
+.It Pa hosts.equiv
+Trusted machines with equivalent user IDs.
+(Obsolete.)
+.It Pa hosts.lpd
+Trusted machines with printing privileges.
+.It Pa inetd.conf
+Internet server configuration file; see
+.Xr inetd 8 .
+.It Pa kerberosV/
+Configuration files for Kerberos version V;
+see
+.Xr kerberos 8 .
+.It Pa localtime
+Local time zone;
+see
+.Xr ctime 3 .
+.It Pa login.conf
+Configuration of user classes and limits; see
+.Xr login.conf 5 .
+.It Pa mail/
+Configuration files for
+.Xr sendmail 1 .
+.Pp
+.Bl -tag -width "sendmail.*" -compact
+.It Pa aliases*
+Username alias files.
+.It Pa sendmail.*
+.Xr sendmail 1
+configuration information.
+.El
+.It Pa mail.rc
+System-wide initialization script for
+.Xr mail 1 .
+.It Pa man.conf
+Configuration file for
+.Xr man 1 ;
+see
+.Xr man.conf 5 .
+.It Pa master.passwd
+Main password file, readable only by root; see
+.Xr passwd 5 .
+.It Pa mk.conf
+Optional file containing
+.Xr make 1
+variables, used to configure pkgsrc and the system sources.
+.It Pa monthly
+Script run each month by
+.Xr cron 8 .
+.It Pa monthly.conf
+Configuration file for
+.Pa monthly ;
+see
+.Xr monthly.conf 5 .
+.It Pa motd
+System message of the day.
+.It Pa mtree/
+.Xr mtree 8
+configuration files.
+.It Pa named.*
+.It Pa namedb/
+.Xr named 8
+configuration files and databases.
+.It Pa netgroup
+Network groups; see
+.Xr netgroup 5 .
+.It Pa networks
+Network name database; see
+.Xr networks 5 .
+.It Pa openssl/
+OpenSSL TLS trust anchors, configuration file, private keys, and
+more.
+Returned by
+.Xr X509_get_default_cert_area 3 .
+.Bl -tag -width "certs/" -compact
+.It Pa certs/
+Hashed directory of trust anchors for TLS certificate validation.
+Managed by
+.Xr certctl 8
+according to
+.Pa certs.conf .
+See
+.Xr openssl_rehash 1 .
+Returned by
+.Xr X509_get_default_cert_dir 3 .
+.It Pa certs/ca-certificates.crt
+Bundle of TLS anchors in PEM format formed by concatenation of
+PEM-format certificates.
+Managed by
+.Xr certctl 8
+according to
+.Pa certs.conf .
+.It Pa certs.conf
+Configuration file for
+.Xr certctl 8 .
+.It Pa misc/
+Miscellaneous OpenSSL scripts.
+Unused in
+.Nx
+base.
+.It Pa openssl.cnf
+Optional default OpenSSL configuration file.
+See
+.Xr openssl_config 5 .
+Returned by
+.Xr CONF_get1_default_config_file 3 .
+.It Pa private/
+Private key area.
+Read/write/execute permitted only by root.
+Unused in
+.Nx
+base.
+Returned by
+.Xr X509_get_default_private_dir 3 .
+.El
+.It Pa passwd
+World readable password file generated from master.passwd; see
+.Xr passwd 5 ,
+.Xr pwd_mkdb 8 .
+.It Pa phones
+Remote host telephone number data base; see
+.Xr phones 5 .
+.It Pa printcap
+Printer configuration for
+.Xr lpr 1 ;
+see
+.Xr printcap 5 .
+.It Pa profile
+System-wide scripts for
+.Xr sh 1 .
+.It Pa protocols
+Protocol name database; see
+.Xr protocols 5 .
+.It Pa pwd.db
+Database form of passwd file; see
+.Xr pwd_mkdb 8 .
+.It Pa rc
+Master system startup script invoked by
+.Xr init 8 ;
+see
+.Xr rc 8 .
+.It Pa rc.conf
+Configuration file for system startup and shutdown scripts; see
+.Xr rc.conf 5 .
+.It Pa rc.d/
+Directory containing per-subsystem startup and shutdown scripts; see
+.Xr rc 8 .
+.It Pa rc.local
+Locally editable system startup script.
+.It Pa rc.shutdown
+Master system shutdown script invoked by
+.Xr shutdown 8 ;
+see
+.Xr rc 8 .
+.It Pa remote
+Remote host description file; see
+.Xr remote 5 .
+.It Pa security
+Daily (in)security script run by
+.Xr cron 8 .
+.It Pa security.conf
+Configuration file for
+.Pa security ;
+see
+.Xr security.conf 5 .
+.It Pa services
+Service name data base; see
+.Xr services 5 .
+.It Pa shells
+List of permitted shells; see
+.Xr shells 5 .
+.It Pa skel/
+Sample initialization files for new user accounts.
+.It Pa sliphome/
+SLIP login/logout scripts; see
+.Xr sliplogin 8 .
+.It Pa spwd.db
+Database form of master.passwd file; see
+.Xr pwd_mkdb 8 .
+.It Pa syslog.conf
+.Xr syslogd 8
+Configuration file; see
+.Xr syslog.conf 5 .
+.It Pa ttyaction
+Login hooks for specific ttys, typically used to chown console
+devices.
+See
+.Xr ttyaction 5 .
+.It Pa ttys
+Terminal initialization information; see
+.Xr ttys 5 .
+.It Pa weekly
+Script run each week by
+.Xr cron 8 .
+.It Pa weekly.conf
+Configuration file for
+.Pa weekly ;
+see
+.Xr weekly.conf 5 .
+.El
+.It Pa /home/
+Default location for user home directories.
+.It Pa /kern/
+Mount point for the kern file system; see
+.Xr mount_kernfs 8 .
+.It Pa /lib/
+Dynamic linked libraries used by dynamically linked programs
+that cannot rely upon
+.Pa /usr/lib/
+being available, such as those in
+.Pa /bin/
+and
+.Pa /sbin/ .
+.It Pa /libdata/
+Non-executable files
+.Pq such as device firmware
+required at boot time, when
+.Pa /usr/libdata
+may not be available.
+.It Pa /libexec/
+System utilities (such as the dynamic linker) required by programs
+and libraries that cannot rely upon
+.Pa /usr/libexec/
+being available.
+.It Pa /mnt/
+Empty directory commonly used by
+system administrators as a temporary mount point.
+.It Pa /net/
+automounted NFS shares;
+see
+.Xr auto_master 5
+.It Pa /netbsd
+Kernel executable image (the operating system loaded into memory
+at boot time).
+.It Pa /proc/
+Mount point for the process file system; see
+.Xr mount_procfs 8 .
+.It Pa /rescue/
+Statically linked rescue tools, for use in system recovery.
+.It Pa /root/
+Home directory for the super-user.
+.Pp
+.Bl -tag -width ".profile" -compact
+.It Pa \&.cshrc
+Super-user start-up file for
+.Xr csh 1 .
+.It Pa \&.login
+super-user start-up file for
+.Xr csh 1 .
+.It Pa \&.profile
+super-user start-up file for
+.Xr sh 1 .
+.It Pa \&.rhosts
+Super-user id mapping between machines.
+(Obsolete.)
+.El
+.It Pa /sbin/
+System programs and administration utilities
+used in both single-user and multi-user environments.
+.It Pa /stand/
+Programs used in a standalone environment, that is, things that run on
+bare hardware without a kernel.
+Currently kernel modules are also placed here (except when building with
+.Sy KERNEL_DIR ,
+see
+.Xr mk.conf 5 ) ,
+although this remains somewhat controversial and they may yet get moved.
+.It Pa /tmp/
+Temporary files.
+The contents of
+.Pa /tmp
+are usually
+.Em not
+preserved across a system reboot.
+.It Pa /usr/
+Contains the majority of the system utilities and files.
+.Pp
+.Bl -tag -width "libdata/" -compact
+.It Pa X11R7/
+X11 files (for X11 revision 7).
+.Pp
+.Bl -tag -width "include/" -compact
+.It Pa bin/
+X11 binaries.
+.It Pa include/
+X11 include files.
+.It Pa lib/
+X11 libraries.
+.El
+.Pp
+.It Pa bin/
+Common utilities, programming tools, and applications.
+.It Pa games/
+The important stuff.
+.It Pa include/
+Standard C (and extension) include files.
+.Pp
+.Bl -tag -width "protocols/" -compact
+.It Pa arpa/
+Include files for Internet service protocols.
+.It Pa atf/
+Include files for the Automated Testing Framework; see
+.Xr atf 7 .
+.It Pa g++/
+Include files for the GNU C++ compiler.
+.It Pa machine/
+Machine specific include files.
+.It Pa net/
+Miscellaneous network include files.
+.It Pa netatalk/
+C include files for AppleTalk protocols
+see
+.Xr atalk 4 .
+.It Pa netinet/
+Include files for Internet standard protocols; see
+.Xr inet 4 .
+.It Pa netinet6/
+Include files for Internet protocol version 6; see
+.Xr inet6 4 .
+.It Pa netipsec/
+Include files for secret key management, used for security protocols; see
+.Xr ipsec 4 .
+.It Pa nfs/
+C include files for NFS (Network File System).
+.It Pa protocols/
+C include files for Berkeley service protocols.
+.It Pa sys/
+``System-level'' C include files.
+.It Pa ufs/
+C include files for several mutually related file systems.
+(The `u' was originally for
+.Ux . )
+.El
+.Pp
+.It Pa lib/
+Archive, profiled, position independent archive, and shared libraries.
+.Pp
+.Bl -tag -width "lua/" -compact
+.It Pa lua/
+.Bl -tag -width "5.3/" -compact
+.It Pa 5.3/
+Lua 5.3 modules.
+.El
+.El
+.Pp
+.It Pa libdata/
+Miscellaneous utility data files.
+.It Pa libexec/
+System daemons & system utilities (executed by other programs).
+.Pp
+.It Pa mdec/
+Boot blocks, etc.
+.It Pa obj/
+Architecture-specific target tree produced by building the
+.Pa /usr/src
+tree; often a symbolic link or mounted file system.
+.It Pa pkg/
+Installed third-party software packages.
+.Pp
+.Bl -tag -width "include/" -compact
+.It Pa bin/
+Package binaries.
+.It Pa etc/
+Package configuration files.
+.It Pa include/
+Package include files.
+.It Pa lib/
+Package libraries.
+.It Pa libdata/
+Package data files.
+.It Pa libexec/
+Package daemons.
+.It Pa sbin/
+Package system utilities.
+.El
+.Pp
+.It Pa pkgsrc/
+Build descriptions (packaging) for the
+.Nx
+package system.
+.Pp
+.Bl -tag -width "distfilesX" -compact
+.It Pa distfiles/
+Downloaded upstream source archives.
+.It Pa packages/
+Compiled binary packages.
+.El
+.Pp
+There are also several other subdirectories which contain packages of
+a certain category, e.g., archivers, graphics, ...
+.Pp
+.It Pa sbin/
+System daemons and system utilities (normally executed by the super-user).
+.It Pa share/
+Architecture-independent files, mostly text.
+.Pp
+.Bl -tag -width "calendar/" -compact
+.It Pa calendar/
+A variety of calendar files; see
+.Xr calendar 1 .
+.It Pa certs/mozilla/
+X.509 certificates from Mozilla's curated set of certificate
+authorities (CAs),
+.Pa certdata.txt ,
+in PEM format.
+See
+.%U https://wiki.mozilla.org/CA/Included_Certificates
+for details.
+Used by
+.Xr certctl 8
+to populate OpenSSL trust anchors at
+.Pa /etc/openssl/certs .
+.Bl -tag -width "server/" -compact
+.It Pa all/
+Certificates of all CAs in Mozilla
+.Pa certdata.txt ,
+for all purposes, including CAs Mozilla may no longer trust.
+.It Pa code/
+Certificates of CAs trusted by Mozilla for code-signing.
+.It Pa email/
+Certificates of CAs trusted by Mozilla for email with S/MIME.
+.It Pa code/
+Certificates of CAs trusted by Mozilla for TLS server authentication.
+.El
+.It Pa dict/
+Word lists;
+see
+.Xr look 1
+and
+.Xr spell 1 .
+.Pp
+.Bl -tag -width "special/" -compact
+.It Pa words
+Common words.
+.It Pa web2
+Words from Webster's Second International Dictionary.
+.It Pa papers/
+Reference databases;
+see
+.Xr refer 1 .
+.It Pa special/
+Custom word lists;
+see
+.Xr spell 1 .
+.El
+.Pp
+.It Pa doc/
+Miscellaneous documentation.
+.It Pa games/
+Data files used by various games.
+.It Pa i18n/
+internationalization databases; see
+.Xr iconv 3 .
+.It Pa locale/
+Locale databases and gettext message catalogs; see
+.Xr setlocale 3
+and
+.Xr gettext 3 .
+.It Pa man/
+Manual pages.
+.It Pa me/
+Macros for use with the
+.Xr me 7
+roff macro package.
+.It Pa misc/
+Miscellaneous system-wide text files.
+.Pp
+.Bl -tag -width "terminfo.cdb" -compact
+.It Pa terminfo
+Terminal characteristics database;
+see
+.Xr terminfo 5 .
+.It Pa terminfo.cdb
+database form of terminfo file; see
+.Xr tic 1 .
+.El
+.Pp
+.It Pa mk/
+Include files for
+.Xr make 1 .
+.It Pa ms/
+Macros for use with the
+.Xr ms 7
+roff macro package.
+.It Pa nls/
+Message catalogs; see
+.Xr catgets 3 .
+.It Pa tmac/
+Text processing macros;
+see
+.Xr nroff 1
+and
+.Xr troff 1 .
+.It Pa zoneinfo/
+Time zone database;
+see
+.Xr tzfile 5 .
+.El
+.It Pa tests/
+Test programs; see
+.Xr tests 7
+for information on how to run them.
+.El
+.It Pa /usr/src/
+.Nx
+and local source files.
+.Pp
+.Bl -tag -width "domestic/" -compact
+.It Pa bin/
+Source for utilities/files in
+.Pa /bin .
+.It Pa common/
+Sources shared between kernel and userland.
+.It Pa crypto/
+Cryptographic source, which may have import or export restrictions.
+.It Pa dist/
+Third-party
+.Sq virgin
+source code, referenced by other parts of the source tree.
+(Deprecated; use
+.Pa external/
+instead.)
+.It Pa distrib/
+Tools and data files for making
+.Nx
+releases and distributions.
+.It Pa doc/
+Documentation about the source tree (i.e., about the tree, not about
+how to use the software in the tree.)
+.It Pa etc/
+Source (usually example files) for files in
+.Pa /etc .
+.It Pa external/
+Source for programs from external third parties
+(where
+.Nx
+is the not the primary maintainer),
+grouped by license, and then products per license.
+.Pp
+.Bl -tag -width "intel-fw-public/" -compact
+.It Pa apache2/
+Apache 2.0 license.
+.It Pa bsd/
+BSD (or equivalent) licensed software,
+possibly with the
+.Dq advertising clause .
+.It Pa broadcom/
+Broadcom firmware license.
+.It Pa cddl/
+Common Development and Distribution License (the Sun license which is
+based on the Mozilla Public License version 1.1).
+.It Pa gpl2/
+GNU Public License, version 2 (or earlier).
+.It Pa gpl3/
+GNU Public License, version 3.
+.It Pa historical/
+Lucent's old license.
+.It Pa ibm-public/
+IBM's public license.
+.It Pa intel-fw-eula/
+Intel firmware license with redistribution restricted to OEM.
+.It Pa intel-fw-public/
+Intel firmware license permitting redistribution with
+terms similar to BSD licensed software.
+.It Pa intel-public/
+Intel license permitting redistribution with terms similar to
+BSD licensed software.
+.It Pa lgpl3/
+GNU lesser general public license, version 3.
+.It Pa mit/
+MIT (X11) style license.
+.It Pa mpl/
+Mozilla Public License.
+.It Pa zlib/
+BSD-like zlib license.
+.El
+.Pp
+.It Pa games/
+Source for utilities/files in
+.Pa /usr/games .
+.It Pa include/
+Source for files in
+.Pa /usr/include .
+.It Pa lib/
+Source for libraries in
+.Pa /usr/lib .
+.It Pa libexec/
+Source for utilities/files in
+.Pa /usr/libexec .
+.It Pa regress/
+Various legacy regression tests.
+.It Pa rescue/
+Source/makefiles for
+.Pa /rescue .
+.It Pa sbin/
+Source for utilities/files in
+.Pa /sbin .
+.It Pa share/
+Source for files in
+.Pa /usr/share .
+.Pp
+.Bl -tag -width "doc/" -compact
+.It Pa doc/
+.Pp
+.Bl -tag -width "papers/" -compact
+.It Pa papers/
+Source for various historical technical papers (many from Berkeley).
+.It Pa psd/
+Source for Programmer's Supplementary Documents.
+.It Pa smm/
+Source for System Manager's Manual.
+.It Pa usd/
+Source for User's Supplementary Documents.
+.El
+.El
+.It Pa sys/
+Kernel source files.
+.Pp
+.Bl -tag -width "gdbscripts/" -compact
+.It Pa arch/
+Architecture-specific support.
+.Pp
+.Bl -tag -width "playstation2/" -compact
+.It Pa acorn32/
+Acorn RiscPC/A7000 and VLSI RC7500.
+.It Pa algor/
+Algorithmics Ltd. MIPS evaluations boards.
+.It Pa alpha/
+Digital/Compaq Alpha.
+.It Pa amd64/
+Computers with x86_64 capable CPUs.
+.It Pa amiga/
+Commodore Amiga and MacroSystem DraCo.
+.It Pa amigappc/
+PowerPC based Amiga boards.
+.It Pa arc/
+MIPS-based machines following the Advanced RISC Computing spec.
+.It Pa arm/
+ARM processor general support.
+.It Pa atari/
+Atari TT030, Falcon and Hades.
+.It Pa bebox/
+Be Inc. BeBox.
+.It Pa cats/
+Chalice Technology's CATS and Intel's EBSA-285 evaluation boards.
+.It Pa cesfic/
+CES FIC8234 VME processor board.
+.It Pa cobalt/
+Cobalt Networks' MIPS-based Microserver.
+.It Pa dreamcast/
+Sega Dreamcast game console.
+.It Pa emips/
+Machines based on Extensible MIPS.
+.It Pa evbarm/
+ARM based evaluation boards.
+.It Pa evbmips/
+MIPS based evaluation boards.
+.It Pa evbppc/
+PowerPC based evaluation boards and appliances.
+.It Pa evbsh3/
+SH3/SH4 based evaluation boards.
+.It Pa ews4800mips/
+NEC's MIPS based EWS4800 workstations.
+.It Pa hp300/
+Hewlett-Packard 9000/300 and 400 680x0-based workstations.
+.It Pa hppa/
+Hewlett-Packard 9000/700 and 9000/800 HPPA based workstations.
+.It Pa hpcarm/
+StrongARM based WinCE PDA machines.
+.It Pa hpcmips/
+MIPS based WinCE PDA machines.
+.It Pa hpcsh/
+Hitachi SH3/4 based WinCE PDA machines.
+.It Pa hppa/
+HPPA processor general support.
+.It Pa i386/
+32-bit 80x86-based IBM PCs and clones.
+.It Pa ibmnws/
+IBM Network Station 1000.
+.It Pa iyonix/
+Castle Technology's Iyonix ARM based PCs.
+.It Pa luna68k/
+Omron Tateishi Electric's 680x0-based LUNA workstations.
+.It Pa m68k/
+680x0 processor general support.
+.It Pa mac68k/
+Apple Macintosh with 68k CPU.
+.It Pa macppc/
+Apple Power Macintosh and clones.
+.It Pa mips/
+MIPS processor general support.
+.It Pa mipsco/
+MIPS Computer Systems Inc. family of workstations and servers.
+.It Pa mmeye/
+Brains Inc. SH3 based mmEye multimedia server.
+.It Pa mvme68k/
+Motorola MVME 680x0-based SBCs.
+.It Pa mvmeppc/
+Motorola PowerPC VME SBCs.
+.It Pa netwinder/
+StrongARM based NetWinder machines.
+.It Pa news68k/
+Sony's 680x0-based NEWS workstations.
+.It Pa newsmips/
+Sony's MIPS-based NEWS workstations.
+.It Pa next68k/
+NeXT 68k "black" hardware.
+.It Pa ofppc/
+Open Firmware PowerPC workstations.
+.It Pa playstation2/
+SONY PlayStation 2.
+.It Pa pmax/
+Digital MIPS-based DECstations and DECsystems.
+.It Pa powerpc/
+PowerPC processor general support.
+.It Pa prep/
+PReP (PowerPC Reference Platform) and CHRP (Common Hardware Reference
+Platform) machines.
+.It Pa sandpoint/
+Motorola Sandpoint reference platform.
+.It Pa sbmips/
+Broadcom/SiByte evaluation boards.
+.It Pa sgimips/
+Silicon Graphics' MIPS-based workstations.
+.It Pa sh3/
+SH3/SH4 processor general support.
+.It Pa shark/
+Digital DNARD ("Shark").
+.It Pa sparc/
+Sun Microsystems SPARC (32-bit) and UltraSPARC (in 32-bit mode).
+.It Pa sparc64/
+Sun Microsystems UltraSPARC (in native 64-bit mode).
+.It Pa sun2/
+Sun Microsystems 68010-based Sun 2 architecture.
+.It Pa sun3/
+Sun Microsystems 68020/68030-based Sun 3/3x architecture.
+.It Pa sun68k/
+680x0-based Sun architecture general support.
+.It Pa vax/
+Digital VAX.
+.It Pa x68k/
+Sharp X680x0 680x0-based workstations.
+.It Pa x86/
+General support for PC/AT compatibles with ia32 or x86_64 CPUs.
+.It Pa xen/
+The Xen virtual machine monitor.
+.It Pa zaurus/
+Sharp C3x00 Arm based PDA.
+.El
+.Pp
+.It Pa compat/
+Kernel compatibility modules directory.
+.Pp
+.Bl -tag -width "ossaudio/" -compact
+.It Pa common/
+Common compatibility routines, old
+.Bx 4
+and
+.Nx
+routines.
+.It Pa freebsd/
+Support for
+.Fx
+binaries; see
+.Xr compat_freebsd 8 .
+.It Pa hpux/
+Support for 68000 HP-UX binaries.
+.It Pa linux/
+Support for Linux binaries; see
+.Xr compat_linux 8 .
+.It Pa m68k4k/
+Support for 4KB page 68000 binaries.
+.It Pa netbsd32/
+Support for
+.Nx
+32-bit binaries on 64 bit platforms with compatible CPU families.
+.It Pa ossaudio/
+Support for OSS audio.
+.It Pa sunos/
+Support for SunOS 4.x binaries; see
+.Xr compat_sunos 8 .
+.It Pa ultrix/
+Support for ULTRIX binaries.
+.It Pa vax1k/
+Support for older VAX binaries that started on a 1 KB boundary.
+.El
+.Pp
+.It Pa conf/
+Architecture independent configuration directory.
+.It Pa crypto/
+Cryptographic kernel source, which may have import or export restrictions.
+.It Pa ddb/
+In-kernel debugger.
+.It Pa dev/
+Architecture independent device support.
+.It Pa fs/
+File systems.
+See also
+.Pa ufs/
+and
+.Pa miscfs/ .
+.Bl -tag -width "filecorefs/" -compact
+.It Pa adosfs/
+AmigaDOS file-system support; see
+.Xr mount_ados 8 .
+.It Pa cd9660/
+Support for the ISO-9660 file system; see
+.Xr mount_cd9660 8 .
+.It Pa filecorefs/
+Support for the Acorn RISC OS filecore file system; see
+.Xr mount_filecore 8 .
+.It Pa msdosfs/
+MS-DOS file system; see
+.Xr mount_msdos 8 .
+.It Pa ntfs/
+NTFS file system support; see
+.Xr mount_ntfs 8 .
+.It Pa ptyfs/
+Pseudo-terminal device file system; see
+.Xr mount_ptyfs 8 .
+.It Pa union/
+Union file system; see
+.Xr mount_union 8 .
+.El
+.It Pa gdbscripts/
+Support for accessing kernel structures from within the debugger
+.Xr gdb 1 .
+.Pp
+.It Pa kern/
+Primary kernel source code.
+.It Pa lib/
+Libraries supporting the kernel.
+.Pp
+.Bl -tag -width "libkern/" -compact
+.It Pa libkern/
+C library routines used in the kernel.
+.It Pa libsa/
+Machine-independent standalone library, used by boot loaders.
+.It Pa libz/
+Compression library.
+.El
+.Pp
+.It Pa miscfs/
+More file systems.
+.Pp
+.Bl -tag -width "deadfs/" -compact
+.It Pa deadfs/
+Kernel only dead file system.
+.It Pa fdesc/
+File descriptor file system; see
+.Xr mount_fdesc 8 .
+.It Pa fifofs/
+POSIX FIFO (named pipe) support.
+.It Pa genfs/
+Generic file system code that supports other file systems.
+.It Pa kernfs/
+Kernel namespace file system; see
+.Xr mount_kernfs 8 .
+.It Pa nullfs/
+Loop back file system; see
+.Xr mount_null 8 .
+.It Pa overlay/
+Overlay file system; see
+.Xr mount_overlay 8 .
+.It Pa procfs/
+Process file system; see
+.Xr mount_procfs 8 .
+.It Pa specfs/
+Support for block and character special files.
+.It Pa syncfs/
+Kernel trickle sync algorithm.
+.It Pa umapfs/
+User and group re-mapping file system; see
+.Xr mount_umap 8 .
+.El
+.Pp
+.It Pa net/
+Miscellaneous networking support.
+.It Pa netatalk/
+AppleTalk networking support.
+.It Pa netinet/
+IP networking support.
+.It Pa netinet6/
+IPv6 networking support.
+.It Pa netipsec/
+Key database for IPsec networking support.
+.It Pa nfs/
+NFS (network file system) support, both client and server.
+.It Pa stand/
+Kernel standalone support.
+.It Pa sys/
+Kernel (and system) include files.
+.It Pa ufs/
+Still more file systems.
+.Pp
+.Bl -tag -width "ffs/" -compact
+.It Pa chfs/
+A FFS-based file system for use on raw flash.
+.It Pa ext2fs/
+The Linux ext2 file system.
+.It Pa ffs/
+The Berkeley Fast File System.
+.It Pa lfs/
+The Berkeley log-structured file system.
+.It Pa mfs/
+The in-memory file system.
+.It Pa ufs/
+Shared
+.Ux
+file system support.
+.El
+.It Pa uvm/
+UVM virtual memory system.
+.El
+.It Pa tests/
+Source for test programs in
+.Pa /usr/tests .
+.It Pa usr.bin/
+Source for utilities/files in
+.Pa /usr/bin .
+.It Pa usr.sbin/
+Source for utilities/files in
+.Pa /usr/sbin .
+.El
+.It Pa /var/
+Multi-purpose log, temporary, transient, and spool files.
+.Pp
+.Bl -tag -width "preserve/" -compact
+.It Pa account/
+System accounting files.
+.Pp
+.Bl -tag -width "acct" -compact
+.It Pa acct
+Execution accounting file;
+see
+.Xr acct 5 .
+.El
+.Pp
+.It Pa at/
+Timed command scheduling files;
+see
+.Xr at 1 .
+.It Pa backups/
+Miscellaneous backup files, largely of files found in
+.Pa /etc .
+.It Pa chroot/
+Home directories of applications which are run in a
+.Xr chroot 8
+.Dq cage .
+.It Pa crash/
+System (kernel) crash dumps; see
+.Xr savecore 8 .
+.It Pa cron/
+Scheduled commands configuration files; see
+.Xr cron 8
+and
+.Xr crontab 5 .
+.It Pa db/
+Miscellaneous automatically generated system-specific database files,
+and persistent files used in the maintenance of third party software.
+.It Pa games/
+Miscellaneous game status, log, and high score files.
+.It Pa heimdal/
+Kerberos 5 KDC database; see
+.Xr kdc 8 .
+.It Pa log/
+Miscellaneous system log files.
+.Pp
+.Bl -tag -width "monthly.out" -compact
+.It Pa amd.*
+.Xr amd 8
+logs.
+.It Pa daily.out
+Output of the last run of the
+.Pa /etc/daily
+script.
+.It Pa ftp.*
+.Xr ftp 1
+logs.
+.It Pa kerberos.*
+.Xr kerberos 8
+logs.
+.It Pa lastlog
+System last-time-logged-in database; see
+.Xr utmp 5 .
+.It Pa lpd-errs.*
+Printer daemon error logs; see
+.Xr lpd 8 .
+.It Pa maillog.*
+.Xr sendmail 1
+and
+.Xr postfix 1
+(and other mail-related)
+log files.
+.It Pa messages.*
+General system information log.
+.It Pa monthly.out
+Output of the last run of the
+.Pa /etc/monthly
+script.
+.It Pa secure
+Sensitive security information log.
+.It Pa sendmail.st
+.Xr sendmail 1
+statistics.
+.It Pa timed.*
+.Xr timed 8
+logs.
+.It Pa weekly.out
+Output of the last run of the
+.Pa /etc/weekly
+script.
+.It Pa wtmp
+Login and logout log;
+see
+.Xr utmp 5 .
+.It Pa wtmpx
+Another login and logout log; see
+.Xr utmpx 5 .
+.El
+.Pp
+.It Pa mail/
+User e-mail inboxes.
+.It Pa msgs/
+System messages; see
+.Xr msgs 1 .
+.\" since we use nvi (now called vi) this isn't the place any more, is it?
+.It Pa preserve/
+Temporary home of files preserved after an accidental death of
+.Xr ex 1
+or
+.Xr vi 1 .
+.It Pa quotas/
+File system quota information.
+(Legacy.)
+.It Pa run/
+System information files, rebuilt after each reboot.
+.Pp
+.Bl -tag -width "utmp" -compact
+.It Pa dmesg.boot
+A dump from
+.Xr dmesg 8
+taken at boot time.
+.It Pa utmp
+Database of currently logged in users; see
+.Xr utmp 5 .
+.It Pa utmpx
+Another database of currently logged in users; see
+.Xr utmpx 5 .
+.El
+.Pp
+.It Pa rwho/
+Rwho data files; see
+.Xr rwhod 8 ,
+.Xr rwho 1 ,
+and
+.Xr ruptime 1 .
+.Pp
+.It Pa shm/
+Used as backing store for POSIX shared memory; see
+.Xr shm_open 3 .
+.Pp
+.It Pa spool/
+Miscellaneous printer and mail system spooling directories.
+.Pp
+.Bl -tag -width "postfix/" -compact
+.It Pa ftp/
+Commonly
+.Dq ~ftp ,
+the anonymous ftp root directory; see
+.Xr ftpd 8 .
+.It Pa mqueue/
+Sendmail mail queue;
+see
+.Xr sendmail 1 .
+.It Pa news/
+Network news archival and spooling directories.
+.It Pa output/
+Printer spooling directories.
+.It Pa postfix/
+Postfix mail queue;
+see
+.Xr postfix 1 .
+.El
+.Pp
+.It Pa tmp/
+Temporary files that are not discarded between system reboots.
+.Pp
+.Bl -tag -width "vi.recover/" -compact
+.It Pa vi.recover/
+Recovery directory for new (current)
+.Xr vi 1 .
+.El
+.Pp
+.It Pa yp/
+Databases and configuration for the NIS (YP) system; see
+.Xr nis 8 .
+.El
+.El
+.Sh SEE ALSO
+.Xr apropos 1 ,
+.Xr ls 1 ,
+.Xr whatis 1 ,
+.Xr whereis 1 ,
+.Xr which 1 ,
+.Xr paths 3
+.Sh HISTORY
+A
+.Nm
+manual page appeared in
+.At v7 .
diff --git a/static/netbsd/man7/hostname.7 b/static/netbsd/man7/hostname.7
new file mode 100644
index 00000000..38bab06a
--- /dev/null
+++ b/static/netbsd/man7/hostname.7
@@ -0,0 +1,185 @@
+.\" $NetBSD: hostname.7,v 1.13 2012/03/29 18:37:21 wiz Exp $
+.\"
+.\" Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+.\" OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" Copyright (c) 1987 The Regents of the University of California.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms are permitted
+.\" provided that the above copyright notice and this paragraph are
+.\" duplicated in all such forms and that any documentation,
+.\" advertising materials, and other materials related to such
+.\" distribution and use acknowledge that the software was developed
+.\" by the University of California, Berkeley.  The name of the
+.\" University may not be used to endorse or promote products derived
+.\" from this software without specific prior written permission.
+.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+.\"
+.\"	@(#)hostname.7	6.4 (Berkeley) 1/16/90
+.\"
+.Dd February 16, 1994
+.Dt HOSTNAME 7
+.Os
+.Sh NAME
+.Nm hostname
+.Nd host name resolution description
+.Sh DESCRIPTION
+Hostnames are domains.
+A domain is a hierarchical, dot-separated list of subdomains.
+For example, the machine
+.Dq Li monet ,
+in the
+.Dq Li Berkeley
+subdomain of the
+.Dq Li EDU
+subdomain of the Internet Domain Name System would be represented as
+.Pp
+.Dl monet.Berkeley.EDU
+.Pp
+(with no trailing dot).
+.Pp
+Hostnames are often used with network client and server programs,
+which must generally translate the name to an address for use.
+(This task is usually performed by the library routine
+.Xr gethostbyname 3 . )
+The default method for resolving hostnames by the Internet name resolver is
+to follow RFC 1535's security recommendations.
+Actions can be taken by the administrator to override these
+recommendations and to have the resolver behave the same as earlier,
+non-RFC 1535 resolvers.
+.Pp
+The default method (using RFC 1535 guidelines) follows:
+.Pp
+If the name consists of a single component, i.e. contains no dot, and if the
+environment variable
+.Dq Ev HOSTALIASES
+is set to the name of a file,
+that file is searched for a string matching the input hostname.
+The file
+should consist of lines made up of two strings separated by white-space, the
+first of which is the hostname alias, and the second of which is the complete
+hostname to be substituted for that alias.
+If a case-insensitive match is
+found between the hostname to be resolved and the first field of a line in
+the file, the substituted name is looked up with no further processing.
+.Pp
+If there is at least one dot in the name, then the name is first tried
+.Dq as-is .
+The number of dots to cause this action is configurable by setting the
+threshold using the
+.Dq Li ndots
+option in
+.Pa /etc/resolv.conf
+(default: 1).
+If the name ends with a dot, the trailing dot is
+removed, and the remaining name is looked up (regardless of the setting of
+the
+.Li ndots
+option), without further processing.
+.Pp
+If the input name does not end with a trailing dot, it is looked up by
+searching through a list of domains until a match is found.
+If neither the search option in the
+.Pa /etc/resolv.conf
+file or the
+.Dq Ev LOCALDOMAIN
+environment variable is used, then the
+search list of domains contains only the full domain specified by the
+.Li domain
+option (in
+.Pa /etc/resolv.conf )
+or the domain used in the local hostname.
+For example, if the
+.Dq Li domain
+option is set to
+.Li CS.Berkeley.EDU ,
+then only
+.Li CS.Berkeley.EDU
+will be in the search list, and this will be the only
+domain appended to the partial hostname.
+For example, if
+.Dq Li lithium
+is the name to be resolved, this would make
+.Li lithium.CS.Berkeley.EDU
+the only name to be tried using the search list.
+.Pp
+If the
+.Li search
+option is used in
+.Pa /etc/resolv.conf
+or the environment variable
+.Dq Ev LOCALDOMAIN
+is set by the user, then
+the search list will include what is set by these methods.
+For example, if the
+.Dq Li search
+option contained
+.Pp
+.Dl CS.Berkeley.EDU CChem.Berkeley.EDU Berkeley.EDU
+.Pp
+then the partial hostname (e.g.,
+.Dq Li lithium )
+will be tried with
+.Em each
+domain name appended (in the same order specified); the resulting hostnames
+that would be tried are:
+.Bd -literal -offset indent
+lithium.CS.Berkeley.EDU
+lithium.CChem.Berkeley.EDU
+lithium.Berkeley.EDU
+.Ed
+.Pp
+The environment variable
+.Dq Ev LOCALDOMAIN
+overrides the
+.Dq Li search
+and
+.Dq Li domain
+options, and if both
+.Li search
+and
+.Li domain
+options are present in the resolver configuration file, then only the
+.Em last
+one listed is used (see
+.Xr resolv.conf 5 ) .
+.Pp
+If the name was not previously tried
+.Dq as-is
+(i.e., it fell below the
+.Dq Li ndots
+threshold or did not contain a dot), then the name as
+originally provided is attempted.
+.Sh ENVIRONMENT
+.Bl -tag -width "/etc/resolv.conf  "
+.It Ev LOCALDOMAIN
+Affects domains appended to partial hostnames.
+.It Ev HOSTALIASES
+Name of file containing
+.Pq Ar host alias , full hostname
+pairs.
+.El
+.Sh FILES
+.Bl -tag -width "/etc/resolv.conf  " -compact
+.It Pa /etc/resolv.conf
+See
+.Xr resolv.conf 5 .
+.El
+.Sh SEE ALSO
+.Xr gethostbyname 3 ,
+.Xr resolv.conf 5 ,
+.Xr mailaddr 7
diff --git a/static/netbsd/man7/intro.7 b/static/netbsd/man7/intro.7
new file mode 100644
index 00000000..cbbfb290
--- /dev/null
+++ b/static/netbsd/man7/intro.7
@@ -0,0 +1,139 @@
+.\"	$NetBSD: intro.7,v 1.29 2021/05/01 07:41:14 nia Exp $
+.\"
+.\" Copyright (c) 1983, 1990, 1993
+.\"	The Regents of the University of California.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. Neither the name of the University nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"     @(#)intro.7	8.1 (Berkeley) 6/5/93
+.\"
+.Dd May 1, 2021
+.Dt INTRO 7
+.Os
+.Sh NAME
+.Nm intro
+.Nd miscellaneous information pages
+.Sh DESCRIPTION
+This section contains miscellaneous documentation, including:
+.Bl -tag -width "kernel_sanitizers(7)" -offset indent
+.It Xr ascii 7
+map of ASCII character set
+.It Xr c 7
+the C programming language
+.It Xr entropy 7
+random unpredictable secrets needed for security
+.It Xr environ 7
+user environment
+.It Xr glob 7
+shell-style pattern matching
+.\" .It Sy eqnchar
+.\" special character definitions for eqn
+.It Xr groups 7
+standard
+.Nx
+group names
+.It Xr hier 7
+file system hierarchy in
+.Nx
+.It Xr hostname 7
+host name resolution description
+.It Xr kernel_sanitizers 7
+bug detection features in the
+.Nx
+kernel
+.It Xr mailaddr 7
+mail addressing description
+.\" .It Sy man
+.\" macros to typeset manual pages
+.It Xr mdoc 7
+macros for typesetting
+.Nm \-mdoc
+style manual pages
+.It Xr mdoc.samples 7
+tutorial for writing BSD manuals with
+.Nm \-mdoc
+.\" .It Sy \&me
+.\" macros for formatting papers
+.\" .It Sy \&ms
+.\" macros for formatting manuscripts
+.It Xr module 7
+kernel modules
+.It Xr nls 7
+overview of national language support
+.It Xr npf 7
+.Nx
+Packet Filter
+.It Xr operator 7
+C operator precedence and order of evaluation
+.It Xr orders 7
+orders of magnitude
+.It Xr pkgsrc 7
+the
+.Nx
+packages collection
+.It Xr release 7
+layout of
+.Nx
+releases and snapshots
+.It Xr rfc6056 7
+udp port randomization algorithms
+.It Xr script 7
+how interpreter scripts are executed
+.It Xr security 7
+security features available in
+.Nx
+.It Xr setuid 7
+checklist for security and setuid programs
+.It Xr signal 7
+available signals under
+.Nx
+.It Xr src 7
+layout of the
+.Nx
+source tree
+.It Xr sticky 7
+sticky bit
+.Pq Dv S_ISVTX
+handling
+.It Xr symlink 7
+symbolic link handling
+.It Xr sysctl 7
+system information variables in
+.Nx
+.It Xr tests 7
+.Nx
+test suite
+.\" .It Sy term
+.\" conventional names for terminals
+.It Xr users 7
+standard
+.Nx
+user account names
+.El
+.Sh HISTORY
+The
+.Nm intro
+manual page appeared in
+.Bx 4.2 .
diff --git a/static/netbsd/man7/kernel_sanitizers.7 b/static/netbsd/man7/kernel_sanitizers.7
new file mode 100644
index 00000000..0a3a554d
--- /dev/null
+++ b/static/netbsd/man7/kernel_sanitizers.7
@@ -0,0 +1,157 @@
+.\"	$NetBSD: kernel_sanitizers.7,v 1.6 2020/07/12 13:40:44 skrll Exp $
+.\"
+.\" Copyright (c) 2020 The NetBSD Foundation, Inc.
+.\" All rights reserved.
+.\"
+.\" This code is derived from software contributed to The NetBSD Foundation
+.\" by Maxime Villard.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd July 12, 2020
+.Dt KERNEL_SANITIZERS 7
+.Os
+.Sh NAME
+.Nm kernel_sanitizers
+.Nd NetBSD Kernel Sanitizers
+.Sh DESCRIPTION
+Kernel Sanitizers are powerful kernel bug detection features that can
+automatically discover several classes of bugs at run time while the kernel
+executes.
+.Pp
+.Nx
+supports four kernel sanitizers.
+They are not mutually compatible, and only one can be enabled at a time, via
+compilation options.
+.Sh KUBSAN
+Kernel Undefined Behavior Sanitizer, specializes in finding several types of
+undefined behaviors, such a misaligned accesses and integer overflows.
+.Ss Runtime cost
+Heavy runtime checks.
+.Ss Used components
+Compiler instrumentation and an entirely MI runtime.
+.Ss Supported architectures
+aarch64 (gcc), amd64 (gcc), arm (gcc).
+[Theoretically supported on all other architectures with no MD change required]
+.Ss Files
+.Bl -tag -width XXXX -compact
+.It Pa src/common/lib/libc/misc/ubsan.c
+Core KUBSAN code.
+MI.
+.El
+.Sh KASAN
+Kernel Address Sanitizer, specializes in finding memory corruptions such as
+buffer overflows and use-after-frees.
+.Ss Runtime cost
+Heavy runtime checks, and ~12.5% increase in memory consumption.
+.Ss Used components
+Shadow memory, compiler instrumentation, special kernel wrappers, and
+light MD infrastructure.
+.Ss Supported architectures
+aarch64 (gcc), amd64 (gcc, llvm), arm (gcc).
+.Pp
+KASAN is made of six sub-features that perform memory validation:
+.Bd -literal
+          +-----------------------------------------------------+
+          |                SUPPORTED SUB-FEATURE                |
++---------+------+-------+---------+-----------+---------+------+
+|  PORT   | HEAP | STACK | ATOMICS | BUS_SPACE | BUS_DMA | VLAs |
++---------+------+-------+---------+-----------+---------+------+
+| amd64   | Yes  | Yes   | Yes     | Yes       | Yes     | Yes  |
++---------+------+-------+---------+-----------+---------+------+
+| aarch64 | Yes  | Yes   | Yes     | No        | Yes     | Yes  |
++---------+------+-------+---------+-----------+---------+------+
+| arm     | Yes  | Yes   | Yes     | No        | Yes     | Yes  |
++---------+------+-------+---------+-----------+---------+------+
+.Ed
+.Pp
+An architecture is allowed to have only partial support.
+.Ss Files
+.Bl -tag -width XXXX -compact
+.It Pa src/sys/kern/subr_asan.c
+Core KASAN code.
+MI.
+.It Pa src/sys/sys/asan.h
+Main KASAN header.
+MI.
+.It Pa src/sys/arch/{port}/include/asan.h
+Port-specific KASAN code.
+MD.
+.El
+.Pp
+Each new port of KASAN should respect the existing naming conventions, and
+should introduce only one MD header file.
+.Sh KCSAN
+Kernel Concurrency Sanitizer, specializes in finding memory races.
+.Ss Runtime cost
+Medium runtime checks.
+.Ss Used components
+Compiler instrumentation, special kernel wrappers, and light MD infrastructure.
+.Ss Supported architectures
+amd64 (gcc).
+.Ss Files
+.Bl -tag -width XXXX -compact
+.It Pa src/sys/kern/subr_csan.c
+Core KCSAN code.
+MI.
+.It Pa src/sys/sys/csan.h
+Main KCSAN header.
+MI.
+.It Pa src/sys/arch/{port}/include/csan.h
+Port-specific KCSAN code.
+MD.
+.El
+.Pp
+Each new port of KCSAN should respect the existing naming conventions, and
+should introduce only one MD header file.
+.Sh KMSAN
+Kernel Memory Sanitizer, specializes in finding uninitialized memory.
+.Ss Runtime cost
+Heavy runtime checks, and ~200% increase in memory consumption.
+.Ss Used components
+Double shadow memory, compiler instrumentation, special kernel wrappers, and
+heavy MD infrastructure.
+.Ss Supported architectures
+amd64 (llvm).
+.Ss Files
+.Bl -tag -width XXXX -compact
+.It Pa src/sys/kern/subr_msan.c
+Core KMSAN code.
+MI.
+.It Pa src/sys/sys/msan.h
+Main KMSAN header.
+MI.
+.It Pa src/sys/arch/{port}/include/msan.h
+Port-specific KMSAN code.
+MD.
+.El
+.Pp
+Each new port of KMSAN should respect the existing naming conventions, and
+should introduce only one MD header file.
+.Sh AUTHORS
+.An -nosplit
+Support for KUBSAN was developed by
+.An Kamil Rytarowski .
+Support for KASAN, KCSAN and KMSAN was developed by
+.An Maxime Villard .
+Support for KASAN on ARM was developed by
+.An Nick Hudson .
diff --git a/static/netbsd/man7/mailaddr.7 b/static/netbsd/man7/mailaddr.7
new file mode 100644
index 00000000..99ef8738
--- /dev/null
+++ b/static/netbsd/man7/mailaddr.7
@@ -0,0 +1,104 @@
+.\"	$NetBSD: mailaddr.7,v 1.14 2010/03/01 16:52:41 jruoho Exp $
+.\"
+.\" Copyright (c) 1983, 1987, 1990, 1993
+.\"	The Regents of the University of California.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. Neither the name of the University nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"     @(#)mailaddr.7	8.1 (Berkeley) 6/16/93
+.\"
+.Dd June 16, 1998
+.Dt MAILADDR 7
+.Os
+.Sh NAME
+.Nm mailaddr
+.Nd mail addressing description
+.Sh DESCRIPTION
+Mail addresses are based on the Internet protocol listed at the end of this
+manual page.
+These addresses are in the general format
+.Pp
+.Dl user@domain
+.Pp
+where a domain is a hierarchical dot separated list of subdomains.
+For example, a valid address is:
+.Pp
+.Dl eric@CS.Berkeley.EDU
+.Pp
+Unlike some other (now obsolete) forms of addressing, domains do not
+imply any routing, or the existence of a particular host.
+Simply because mail may be sent to ``user@somedomain.com'' does not imply
+that there is any actual host named ``somedomain.com'', and does not
+imply a particular routing of the message.
+Routing is performed by Mail Transport Agents, such as
+.Xr postfix 1 ,
+based on policies set in the MTA's configuration.
+.Ss Abbreviation
+Under certain circumstances it may not be necessary to type the entire
+domain name.
+In general, anything following the first dot may be omitted
+if it is the same as the domain from which you are sending the message.
+For example, a user on ``calder.berkeley.edu'' could send to ``eric@CS''
+without adding the ``berkeley.edu'' since it is the same on both sending
+and receiving hosts.
+Whether abbreviation is permitted depends on how your site is configured.
+.Ss Case Distinctions
+Domain names (i.e., anything after the ``@'' sign) may be given in any mixture
+of upper and lower case.
+Most hosts accept any combination of case in user names, although there
+are exceptions.
+.Ss Postmaster
+Every site is required to have a user or user alias designated ``postmaster''
+to which problems with the mail system may be addressed, for example:
+.Pp
+.Dl postmaster@CS.Berkeley.EDU
+.Ss Obsolete Formats
+Certain old address formats, such as UUCP ``bang path'' addresses,
+explicitly routed internet addresses (so-called ``route-addrs'' and
+the ``percent hack'') and others have been used historically.
+All these addressing formats are now considered obsolete, and should no
+longer be used.
+.Pp
+To some extent, MTAs attempt to provide backward compatibility
+for these addressing forms, but in practice many of them no longer work.
+Users should always use standard Internet style addresses.
+.Sh SEE ALSO
+.Xr mail 1
+.Rs
+.%R RFC
+.%N 822
+.%D August 1982
+.%A D. H. Crocker
+.%T "Standard for the Format of Arpa Internet Text Messages"
+.Re
+.Sh HISTORY
+.Nm
+appeared in
+.Bx 4.2 .
+.Sh BUGS
+The RFC 822 group syntax (``group:user1,user2,user3;'') is not supported
+except in the special case of ``group:;'' because of a conflict with old
+berknet-style addresses, not that anyone cares about either berknet or
+group syntax style addresses any longer.
diff --git a/static/netbsd/man7/module.7 b/static/netbsd/man7/module.7
new file mode 100644
index 00000000..4cb7425b
--- /dev/null
+++ b/static/netbsd/man7/module.7
@@ -0,0 +1,215 @@
+.\" $NetBSD: module.7,v 1.9 2020/07/13 13:42:51 pgoyette Exp $
+.\"
+.\" Copyright (c) 2010 The NetBSD Foundation, Inc.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd July 13, 2020
+.Dt MODULE 7
+.Os
+.Sh NAME
+.Nm module
+.Nd Kernel Modules interface
+.Sh SYNOPSIS
+.Cd "options MODULAR"
+.Sh DESCRIPTION
+Kernel modules allow the system administrator to
+dynamically add and remove functionality from a running system.
+This also helps software developers add
+new parts of the kernel without constantly rebooting to
+test their changes.
+.Pp
+The kernel may automatically load software modules as
+needed to perform requested operations.
+For example, an
+.Dq xyzfs
+module can be loaded automatically when an
+attempt is made to mount an
+.Dq xyzfs
+file system.
+Modules can also depend on other modules, and dependent modules are
+automatically loaded.
+When a module is no longer needed, it can be automatically unloaded.
+.Pp
+An in-kernel linker resolves symbol references between the module
+and the rest of the kernel.
+.Pp
+The
+.Nm
+interface is accessed with the
+.Xr modctl 2
+system call.
+All common operations involving
+kernel modules are handled by the
+.Xr modload 8 ,
+.Xr modunload 8 ,
+and
+.Xr modstat 8
+programs.
+Users should never have to interact with
+.Xr modctl 2
+directly.
+.Sh MODULE CLASSES
+.Ss Virtual File System modules
+Virtual file systems may be added via the
+.Nm
+interface.
+.Ss Device Driver modules
+Many device drivers can be loaded as a kernel module.
+One potential problem specific to block and character device drivers
+is that the device nodes must exist for the devices to be accessed.
+These need to be created manually, after the driver module has been
+successfully loaded.
+Most device driver modules do not
+need any manual intervention to function properly.
+.Ss Execution Interpreters
+Execution Interpreters can be loaded to provide support for executing
+binaries not normally supported by the kernel.
+This also allows loading
+support for executing foreign system binaries.
+Execution Interpreters may require that an appropriate
+emulation module also be loaded.
+.Ss Miscellaneous modules
+Miscellaneous modules are modules for which there are not currently
+well-defined or well-used interfaces for extension.
+They are provided for extension, and the user-provided module
+initialization routine is expected to install the necessary "hooks"
+into the rest of the operating system.
+An example of a "miscellaneous module" might be a loader for
+card-specific VGA drivers or alternate terminal emulations in
+an appropriately layered console driver.
+.Ss Security-Model modules
+Alternate system security models also may be loaded using
+.Nm .
+.Sh EXAMPLES
+The common build tool of
+.Nx ,
+.Dq build.sh ,
+automatically compiles and installs most
+modules during a full system build and install.
+(The exceptions are some modules from external sources which, due to
+licensing concerns, can be built only as separately-loaded modules.)
+However, sometimes it is useful to update only modules.
+The following example demonstrates one way to do this.
+It is assumed that the source code is under
+.Pa /usr/src ,
+while the object and toolchain directories are under
+.Pa /usr/obj
+and
+.Pa /usr/tools ,
+respectively.
+.Bd -literal -offset indent
+cd /usr/src/sys/modules
+
+export OBJDIR=/usr/obj
+export TOOLDIR=/usr/tools
+
+make clean
+make
+make install
+.Ed
+.Pp
+Alternatively, the
+.Dq build.sh
+tool can be used to build and install only the modules:
+.Bd -literal -offset indent
+cd /usr/src
+\&./build.sh -O /usr/obj -T /usr/tools modules
+\&./build.sh -O /usr/obj -T /usr/tools installmodules=/
+.Ed
+.Sh SEE ALSO
+.Xr modctl 2 ,
+.Xr modload 8 ,
+.Xr modstat 8 ,
+.Xr modunload 8 ,
+.Xr module 9
+.Sh HISTORY
+The
+.Nm
+facility was designed to be similar in functionality
+to the loadable kernel modules facility provided by
+SunOS 4.1.3.
+The old
+.Dv LKM
+interface was replaced by
+.Nm
+in
+.Nx 5.0 .
+.Sh AUTHORS
+The
+.Nm
+subsystem was implemented by
+.An Andrew Doran
+.Aq ad@netbsd.org .
+.Sh CAVEATS
+The
+.Nm
+framework is still under active development.
+At least two potential caveats can be mentioned.
+.Bl -enum -offset 2n
+.It
+Kernel modules are built to operate only with a specific version of the
+.Nx
+kernel.
+When the kernel is updated to a new version, the contents of the
+.Pa /stand/${ARCH}/${VERSION}/modules/
+directory should be updated as well.
+(This location has been the subject of much discussion, and may change
+in future versions of
+.Nx . )
+.It
+If an attempt is made to boot the operating system from a file system for
+which the module is not built into the kernel, the boot may fail
+with the message
+.Dq "Cannot mount root, error 79" .
+On certain architectures (currently, i386 and amd64), one may be able to
+recover from this error by using the
+.Dq "load xxxfs"
+command before trying to boot.
+This command is only available on newer bootloaders.
+.El
+.Pp
+The absence of required modules or the inability of the bootloader
+to load the modules are common reasons for failures to boot a
+.Cd MODULAR
+kernel.
+It may be a good practice to maintain a non-MODULAR kernel
+in the root file system for recovery purposes.
+.Sh SECURITY CONSIDERATIONS
+A module becomes part of the kernel once loaded.
+Unlike in userland programs, fatal errors in kernel modules
+may crash the operating system.
+There is no memory protection between modules and the rest of the kernel.
+Hence, a potential attacker with access to the
+.Xr modctl 2
+system call can acquire total control over the system.
+.Pp
+To avoid such security risks, new modules can only be loaded when
+.Pa securelevel
+is less than or equal to zero, or if the kernel was built with
+.Cd options INSECURE .
+Refer to
+.Xr secmodel_securelevel 9
+for additional details on the
+.Pa securelevel .
+Only use modules from trusted sources.
diff --git a/static/netbsd/man7/nls.7 b/static/netbsd/man7/nls.7
new file mode 100644
index 00000000..7e57562c
--- /dev/null
+++ b/static/netbsd/man7/nls.7
@@ -0,0 +1,518 @@
+.\"     $NetBSD: nls.7,v 1.15 2009/04/09 02:51:54 joerg Exp $
+.\"
+.\" Copyright (c) 2003 The NetBSD Foundation, Inc.
+.\" All rights reserved.
+.\"
+.\" This code is derived from software contributed to The NetBSD Foundation
+.\" by Gregory McGarry.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd February 21, 2007
+.Dt NLS 7
+.Os
+.Sh NAME
+.Nm NLS
+.Nd Native Language Support Overview
+.Sh DESCRIPTION
+Native Language Support (NLS) provides commands for a single
+worldwide operating system base.
+An internationalized system has no built-in assumptions or dependencies
+on language-specific or cultural-specific conventions such as:
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+Character classifications
+.It
+Character comparison rules
+.It
+Character collation order
+.It
+Numeric and monetary formatting
+.It
+Date and time formatting
+.It
+Message-text language
+.It
+Character sets
+.El
+.Pp
+All information pertaining to cultural conventions and language is
+obtained at program run time.
+.Pp
+.Dq Internationalization
+(often abbreviated
+.Dq i18n )
+refers to the operation by which system software is developed to support
+multiple cultural-specific and language-specific conventions.
+This is a generalization process by which the system is untied from
+calling only English strings or other English-specific conventions.
+.Dq Localization
+(often abbreviated
+.Dq l10n )
+refers to the operations by which the user environment is customized to
+handle its input and output appropriate for specific language and cultural
+conventions.
+This is a specialization process, by which generic methods already
+implemented in an internationalized system are used in specific ways.
+The formal description of cultural conventions for some country, together
+with all associated translations targeted to the native language, is
+called the
+.Dq locale .
+.Pp
+.Nx
+provides extensive support to programmers and system developers to
+enable internationalized software to be developed.
+.Nx
+also supplies a large variety of locales for system localization.
+.Ss Localization of Information
+All locale information is accessible to programs at run time so that
+data is processed and displayed correctly for specific cultural
+conventions and language.
+.Pp
+A locale is divided into categories.
+A category is a group of language-specific and culture-specific conventions
+as outlined in the list above.
+ISO C specifies the following six standard categories supported by
+.Nx :
+.Pp
+.Bl -tag -compact -width LC_MONETARYXX
+.It Ev LC_COLLATE
+string-collation order information
+.It Ev LC_CTYPE
+character classification, case conversion, and other character attributes
+.It Ev LC_MESSAGES
+the format for affirmative and negative responses
+.It Ev LC_MONETARY
+rules and symbols for formatting monetary numeric information
+.It Ev LC_NUMERIC
+rules and symbols for formatting nonmonetary numeric information
+.It Ev LC_TIME
+rules and symbols for formatting time and date information
+.El
+.Pp
+Localization of the system is achieved by setting appropriate values
+in environment variables to identify which locale should be used.
+The environment variables have the same names as their respective
+locale categories.
+Additionally, the
+.Ev LANG ,
+.Ev LC_ALL ,
+and
+.Ev NLSPATH
+environment variables are used.
+The
+.Ev NLSPATH
+environment variable specifies a colon-separated list of directory names
+where the message catalog files of the NLS database are located.
+The
+.Ev LC_ALL
+and
+.Ev LANG
+environment variables also determine the current locale.
+.Pp
+The values of these environment variables contains a string format as:
+.Pp
+.Bd -literal
+	language[_territory][.codeset][@modifier]
+.Ed
+.Pp
+Valid values for the language field come from the ISO639 standard which
+defines two-character codes for many languages.
+Some common language codes are:
+.Pp
+.Bl -column "PERSIAN (farsi)" "Sy Code" "OCEANIC/INDONESIAN"
+.It Sy Language Name Ta Sy Code Ta Sy Language Family
+.It ABKHAZIAN	AB	IBERO-CAUCASIAN
+.It AFAN (OROMO)	OM	HAMITIC
+.It AFAR	AA	HAMITIC
+.It AFRIKAANS	AF	GERMANIC
+.It ALBANIAN	SQ	INDO-EUROPEAN (OTHER)
+.It AMHARIC	AM	SEMITIC
+.It ARABIC	AR	SEMITIC
+.It ARMENIAN	HY	INDO-EUROPEAN (OTHER)
+.It ASSAMESE	AS	INDIAN
+.It AYMARA	AY	AMERINDIAN
+.It AZERBAIJANI	AZ	TURKIC/ALTAIC
+.It BASHKIR	BA	TURKIC/ALTAIC
+.It BASQUE	EU	BASQUE
+.It BENGALI	BN	INDIAN
+.It BHUTANI	DZ	ASIAN
+.It BIHARI	BH	INDIAN
+.It BISLAMA     Ta BI   Ta ""
+.It BRETON	BR	CELTIC
+.It BULGARIAN	BG	SLAVIC
+.It BURMESE	MY	ASIAN
+.It BYELORUSSIAN	BE	SLAVIC
+.It CAMBODIAN	KM	ASIAN
+.It CATALAN	CA	ROMANCE
+.It CHINESE	ZH	ASIAN
+.It CORSICAN	CO	ROMANCE
+.It CROATIAN	HR	SLAVIC
+.It CZECH	CS	SLAVIC
+.It DANISH	DA	GERMANIC
+.It DUTCH	NL	GERMANIC
+.It ENGLISH	EN	GERMANIC
+.It ESPERANTO	EO	INTERNATIONAL AUX.
+.It ESTONIAN	ET	FINNO-UGRIC
+.It FAROESE	FO	GERMANIC
+.It FIJI	FJ	OCEANIC/INDONESIAN
+.It FINNISH	FI	FINNO-UGRIC
+.It FRENCH	FR	ROMANCE
+.It FRISIAN	FY	GERMANIC
+.It GALICIAN	GL	ROMANCE
+.It GEORGIAN	KA	IBERO-CAUCASIAN
+.It GERMAN	DE	GERMANIC
+.It GREEK	EL	LATIN/GREEK
+.It GREENLANDIC	KL	ESKIMO
+.It GUARANI	GN	AMERINDIAN
+.It GUJARATI	GU	INDIAN
+.It HAUSA	HA	NEGRO-AFRICAN
+.It HEBREW	HE	SEMITIC
+.It HINDI	HI	INDIAN
+.It HUNGARIAN	HU	FINNO-UGRIC
+.It ICELANDIC	IS	GERMANIC
+.It INDONESIAN	ID	OCEANIC/INDONESIAN
+.It INTERLINGUA	IA	INTERNATIONAL AUX.
+.It INTERLINGUE	IE	INTERNATIONAL AUX.
+.It INUKTITUT   Ta IU   Ta ""
+.It INUPIAK	IK	ESKIMO
+.It IRISH	GA	CELTIC
+.It ITALIAN	IT	ROMANCE
+.It JAPANESE	JA	ASIAN
+.It JAVANESE	JV	OCEANIC/INDONESIAN
+.It KANNADA	KN	DRAVIDIAN
+.It KASHMIRI	KS	INDIAN
+.It KAZAKH	KK	TURKIC/ALTAIC
+.It KINYARWANDA	RW	NEGRO-AFRICAN
+.It KIRGHIZ	KY	TURKIC/ALTAIC
+.It KURUNDI	RN	NEGRO-AFRICAN
+.It KOREAN	KO	ASIAN
+.It KURDISH	KU	IRANIAN
+.It LAOTHIAN	LO	ASIAN
+.It LATIN	LA	LATIN/GREEK
+.It LATVIAN	LV	BALTIC
+.It LINGALA	LN	NEGRO-AFRICAN
+.It LITHUANIAN	LT	BALTIC
+.It MACEDONIAN	MK	SLAVIC
+.It MALAGASY	MG	OCEANIC/INDONESIAN
+.It MALAY	MS	OCEANIC/INDONESIAN
+.It MALAYALAM	ML	DRAVIDIAN
+.It MALTESE	MT	SEMITIC
+.It MAORI	MI	OCEANIC/INDONESIAN
+.It MARATHI	MR	INDIAN
+.It MOLDAVIAN	MO	ROMANCE
+.It MONGOLIAN   Ta MN   Ta ""
+.It NAURU       Ta NA   Ta ""
+.It NEPALI	NE	INDIAN
+.It NORWEGIAN	NO	GERMANIC
+.It OCCITAN	OC	ROMANCE
+.It ORIYA	OR	INDIAN
+.It PASHTO	PS	IRANIAN
+.It PERSIAN (farsi)	FA	IRANIAN
+.It POLISH	PL	SLAVIC
+.It PORTUGUESE	PT	ROMANCE
+.It PUNJABI	PA	INDIAN
+.It QUECHUA	QU	AMERINDIAN
+.It RHAETO-ROMANCE	RM	ROMANCE
+.It ROMANIAN	RO	ROMANCE
+.It RUSSIAN	RU	SLAVIC
+.It SAMOAN	SM	OCEANIC/INDONESIAN
+.It SANGHO	SG	NEGRO-AFRICAN
+.It SANSKRIT	SA	INDIAN
+.It SCOTS GAELIC	GD	CELTIC
+.It SERBIAN	SR	SLAVIC
+.It SERBO-CROATIAN	SH	SLAVIC
+.It SESOTHO	ST	NEGRO-AFRICAN
+.It SETSWANA	TN	NEGRO-AFRICAN
+.It SHONA	SN	NEGRO-AFRICAN
+.It SINDHI	SD	INDIAN
+.It SINGHALESE	SI	INDIAN
+.It SISWATI	SS	NEGRO-AFRICAN
+.It SLOVAK	SK	SLAVIC
+.It SLOVENIAN	SL	SLAVIC
+.It SOMALI	SO	HAMITIC
+.It SPANISH	ES	ROMANCE
+.It SUNDANESE	SU	OCEANIC/INDONESIAN
+.It SWAHILI	SW	NEGRO-AFRICAN
+.It SWEDISH	SV	GERMANIC
+.It TAGALOG	TL	OCEANIC/INDONESIAN
+.It TAJIK	TG	IRANIAN
+.It TAMIL	TA	DRAVIDIAN
+.It TATAR	TT	TURKIC/ALTAIC
+.It TELUGU	TE	DRAVIDIAN
+.It THAI	TH	ASIAN
+.It TIBETAN	BO	ASIAN
+.It TIGRINYA	TI	SEMITIC
+.It TONGA	TO	OCEANIC/INDONESIAN
+.It TSONGA	TS	NEGRO-AFRICAN
+.It TURKISH	TR	TURKIC/ALTAIC
+.It TURKMEN	TK	TURKIC/ALTAIC
+.It TWI	TW	NEGRO-AFRICAN
+.It UIGUR       Ta UG   Ta ""
+.It UKRAINIAN	UK	SLAVIC
+.It URDU	UR	INDIAN
+.It UZBEK	UZ	TURKIC/ALTAIC
+.It VIETNAMESE	VI	ASIAN
+.It VOLAPUK	VO	INTERNATIONAL AUX.
+.It WELSH	CY	CELTIC
+.It WOLOF	WO	NEGRO-AFRICAN
+.It XHOSA	XH	NEGRO-AFRICAN
+.It YIDDISH	YI	GERMANIC
+.It YORUBA	YO	NEGRO-AFRICAN
+.It ZHUANG      Ta ZA   Ta ""
+.It ZULU	ZU	NEGRO-AFRICAN
+.El
+.Pp
+For example, the locale for the Danish language spoken in Denmark
+using the ISO 8859-1 character set is da_DK.ISO8859-1.
+The da stands for the Danish language and the DK stands for Denmark.
+The short form of da_DK is sufficient to indicate this locale.
+.Pp
+The environment variable settings are queried by their priority level
+in the following manner:
+.Pp
+.Bl -bullet
+.It
+If the
+.Ev LC_ALL
+environment variable is set, all six categories use the locale it
+specifies.
+.It
+If the
+.Ev LC_ALL
+environment variable is not set, each individual category uses the
+locale specified by its corresponding environment variable.
+.It
+If the
+.Ev LC_ALL
+environment variable is not set, and a value for a particular
+.Ev LC_*
+environment variable is not set, the value of the
+.Ev LANG
+environment variable specifies the default locale for all categories.
+Only the
+.Ev LANG
+environment variable should be set in /etc/profile, since it makes it
+most easy for the user to override the system default using the individual
+.Ev LC_*
+variables.
+.It
+If the
+.Ev LC_ALL
+environment variable is not set, a value for a particular
+.Ev LC_*
+environment variable is not set, and the value of the
+.Ev LANG
+environment variable is not set, the locale for that specific
+category defaults to the C locale.
+The C or POSIX locale assumes the ASCII character set and defines
+information for the six categories.
+.El
+.Ss Character Sets
+A character is any symbol used for the organization, control, or
+representation of data.
+A group of such symbols used to describe a
+particular language make up a character set.
+It is the encoding values in a character set that provide
+the interface between the system and its input and output devices.
+.Pp
+The following character sets are supported in
+.Nx :
+.Bl -tag -width ISO_8859_family
+.It ASCII
+The American Standard Code for Information Exchange (ASCII) standard
+specifies 128 Roman characters and control codes, encoded in a 7-bit
+character encoding scheme.
+.It ISO 8859 family
+Industry-standard character sets specified by the ISO/IEC 8859
+standard.
+The standard is divided into 15 numbered parts, with each
+part specifying broad script similarities.
+Examples include Western European, Central European, Arabic, Cyrillic,
+Hebrew, Greek, and Turkish.
+The character sets use an 8-bit character encoding scheme which is
+compatible with the ASCII character set.
+.It Unicode
+The Unicode character set is the full set of known abstract characters of
+all real-world scripts.  It can be used in environments where multiple
+scripts must be processed simultaneously.
+Unicode is compatible with ISO 8859-1 (Western European) and ASCII.
+Many character encoding schemes are available for Unicode, including UTF-8,
+UTF-16 and UTF-32.
+These encoding schemes are multi-byte encodings.
+The UTF-8 encoding scheme uses 8-bit, variable-width encodings which is
+compatible with ASCII.
+The UTF-16 encoding scheme uses 16-bit, variable-width encodings.
+The UTF-32 encoding scheme using 32-bit, fixed-width encodings.
+.El
+.Ss Font Sets
+A font set contains the glyphs to be displayed on the screen for a
+corresponding character in a character set.
+A display must support a suitable font to display a character set.
+If suitable fonts are available to the X server, then X clients can
+include support for different character sets.
+.Xr xterm 1
+includes support for Unicode with UTF-8 encoding.
+.Xr xfd 1
+is useful for displaying all the characters in an X font.
+.Pp
+The
+.Nx
+.Xr wscons 4
+console provides support for loading fonts using the
+.Xr wsfontload 8
+utility.
+Currently, only fonts for the ISO8859-1 family of character sets are
+supported.
+.Ss Internationalization for Programmers
+To facilitate translations of messages into various languages and to
+make the translated messages available to the program based on a
+user's locale, it is necessary to keep messages separate from the
+programs and provide them in the form of message catalogs that a
+program can access at run time.
+.Pp
+Access to locale information is provided through the
+.Xr setlocale 3
+and
+.Xr nl_langinfo 3
+interfaces.
+See their respective man pages for further information.
+.Pp
+Message source files containing application messages are created by
+the programmer and converted to message catalogs.
+These catalogs are used by the application to retrieve and display
+messages, as needed.
+.Pp
+.Nx
+supports two message catalog interfaces: the X/Open
+.Xr catgets 3
+interface and the Uniforum
+.Xr gettext 3
+interface.
+The
+.Xr catgets 3
+interface has the advantage that it belongs to a standard which is
+well supported.
+Unfortunately the interface is complicated to use and
+maintenance of the catalogs is difficult.
+The implementation also doesn't support different character sets.
+The
+.Xr gettext 3
+interface has not been standardized yet, however it is being supported
+by an increasing number of systems.
+It also provides many additional tools which make programming and
+catalog maintenance much easier.
+.Ss Support for Multi-byte Encodings
+Some character sets with multi-byte encodings may be difficult to decode,
+or may contain state (i.e., adjacent characters are dependent).
+ISO C specifies a set of functions using 'wide characters' which can handle
+multi-byte encodings properly.
+The behaviour of these functions is affected
+by the
+.Ev LC_CTYPE
+category of the current locale.
+.Pp
+A wide character is specified in ISO C
+as being a fixed number of bits wide and is stateless.
+There are two types for wide characters:
+.Em wchar_t
+and
+.Em wint_t .
+.Em wchar_t
+is a type which can contain one wide character and operates like 'char'
+type does for one character.
+.Em wint_t
+can contain one wide character or WEOF (wide EOF).
+.Pp
+There are functions that operate on
+.Em wchar_t ,
+and substitute for functions operating on 'char'.
+See
+.Xr wmemchr 3
+and
+.Xr towlower 3
+for details.
+There are some additional functions that operate on
+.Em wchar_t .
+See
+.Xr wctype 3
+and
+.Xr wctrans 3
+for details.
+.Pp
+Wide characters should be used for all I/O processing which may rely
+on locale-specific strings.
+The two primary issues requiring special use of wide characters are:
+.Bl -bullet -offset indent
+.It
+All I/O is performed using multibyte characters.
+Input data is converted into wide characters immediately after
+reading and data for output is converted from wide characters to
+multi-byte encoding immediately before writing.
+Conversion is controlled by the
+.Xr mbstowcs 3 ,
+.Xr mbsrtowcs 3 ,
+.Xr wcstombs 3 ,
+.Xr wcsrtombs 3 ,
+.Xr mblen 3 ,
+.Xr mbrlen 3 ,
+and
+.Xr  mbsinit 3 .
+.It
+Wide characters are used directly for I/O, using
+.Xr getwchar 3 ,
+.Xr fgetwc 3 ,
+.Xr getwc 3 ,
+.Xr ungetwc 3 ,
+.Xr fgetws 3 ,
+.Xr putwchar 3 ,
+.Xr fputwc 3 ,
+.Xr putwc 3 ,
+and
+.Xr fputws 3 .
+They are also used for formatted I/O functions for wide characters
+such as
+.Xr fwscanf 3 ,
+.Xr wscanf 3 ,
+.Xr swscanf 3 ,
+.Xr fwprintf 3 ,
+.Xr wprintf 3 ,
+.Xr swprintf 3 ,
+.Xr vfwprintf 3 ,
+.Xr vwprintf 3 ,
+and
+.Xr vswprintf 3 ,
+and wide character identifier of %lc, %C, %ls, %S for conventional
+formatted I/O functions.
+.El
+.Sh SEE ALSO
+.Xr gencat 1 ,
+.Xr xfd 1 ,
+.Xr xterm 1 ,
+.Xr catgets 3 ,
+.Xr gettext 3 ,
+.Xr nl_langinfo 3 ,
+.Xr setlocale 3 ,
+.Xr wsfontload 8
+.Sh BUGS
+This man page is incomplete.
diff --git a/static/netbsd/man7/operator.7 b/static/netbsd/man7/operator.7
new file mode 100644
index 00000000..d5968d24
--- /dev/null
+++ b/static/netbsd/man7/operator.7
@@ -0,0 +1,106 @@
+.\"	$NetBSD: operator.7,v 1.12 2017/07/03 21:30:59 wiz Exp $
+.\"
+.\" Copyright (c) 1989, 1990, 1993
+.\"	The Regents of the University of California.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. Neither the name of the University nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"	@(#)operator.7	8.1 (Berkeley) 6/9/93
+.\"
+.Dd January 18, 2011
+.Dt OPERATOR 7
+.Os
+.Sh NAME
+.Nm operator
+.Nd C and C++ operator precedence and associativity
+.Sh DESCRIPTION
+.Bl -column -offset indent \
+    ".Li \&! ~ ++ \-\- \- (type) * & sizeof new delete" \
+    ".Sy Associativity"
+.\"
+.It Sy Operator \
+ Ta Sy Associativity
+.\"
+.\" XXX: For some reason if anything but tab follows the last dot
+.\" XXX: the space before it is lost and we get ->. in the output.
+.\" XXX: My troff fu is weak, just work around with explicit \<space>.
+.It Li \&() [] \->\ \. \
+ Ta left to right
+.\"
+.It Li \&! ~ ++ \-\- \- (type) * & sizeof new delete \
+ Ta right to left
+.\"
+.It Li \&\->* .* \
+ Ta left to right
+.\"
+.It Li \&* / % \
+ Ta left to right
+.\"
+.It Li \&+ \- \
+ Ta left to right
+.\"
+.It Li \&<< >> \
+ Ta left to right
+.\"
+.It Li \&< <= > >= \
+ Ta left to right
+.\"
+.It Li \&== != \
+ Ta left to right
+.\"
+.It Li \&& \
+ Ta left to right
+.\"
+.It Li \&^ \
+ Ta left to right
+.\"
+.It Li \&| \
+ Ta left to right
+.\"
+.It Li \&&& \
+ Ta left to right
+.\"
+.It Li \&|| \
+ Ta left to right
+.\"
+.It Li \&?: \
+ Ta right to left
+.\"
+.It Li \&= += \-= *= /= %= <<= >>= &= ^= |= throw \
+ Ta right to left
+.\"
+.It Li \&?: No (C++, third operand)\
+ Ta right to left
+.\"
+.It Li \&, \
+ Ta left to right
+.\"
+.El
+.Sh FILES
+.Bl -tag -width ".Pa /usr/share/misc/operator" -compact
+.It Pa /usr/share/misc/operator
+.El
+.Sh SEE ALSO
+.Xr iso646 3
diff --git a/static/netbsd/man7/orders.7 b/static/netbsd/man7/orders.7
new file mode 100644
index 00000000..67456a28
--- /dev/null
+++ b/static/netbsd/man7/orders.7
@@ -0,0 +1,113 @@
+.\" $NetBSD: orders.7,v 1.7 2022/11/19 22:09:21 jakllsch Exp $
+.\"
+.\" Copyright (c) 2010 The NetBSD Foundation, Inc.
+.\" All rights reserved.
+.\"
+.\" This code is derived from software contributed to The NetBSD Foundation
+.\" by Jukka Ruohonen.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd November 19, 2022
+.Dt ORDERS 7
+.Os
+.Sh NAME
+.Nm orders
+.Nd orders of magnitude
+.Sh DESCRIPTION
+The following table lists common multiples of bytes.
+.Bl -column -offset 2n \
+"Kilobyte" "Prefix" "Power of 2" "Power of 10"
+.It Sy Name Ta Sy Prefix Ta Sy Power of 2 Ta Sy Power of 10
+.It Kilobyte Ta kB Ta 2^10 Ta 10^3
+.It Megabyte Ta MB Ta 2^20 Ta 10^6
+.It Gigabyte Ta GB Ta 2^30 Ta 10^9
+.It Terabyte Ta TB Ta 2^40 Ta 10^12
+.It Petabyte Ta PB Ta 2^50 Ta 10^15
+.It Exabyte Ta EB Ta 2^60 Ta 10^18
+.It Zettabyte Ta ZB Ta 2^70 Ta 10^21
+.It Yottabyte Ta YB Ta 2^80 Ta 10^24
+.It Ronnabyte Ta RB Ta 2^90 Ta 10^27
+.It Quettabyte Ta QB Ta 2^100 Ta 10^30
+.El
+.Pp
+The following table lists common bit rates as a power of ten.
+.Bl -column -offset 2n \
+"Megabit per second" "Prefix" "Bit per second" "Byte per second"
+.It Sy Name Ta Sy Prefix Ta Sy Bit per second Ta Sy Byte per second
+.It Bit per second Ta bit/s Ta 1 Ta 0.125
+.It Byte per second Ta B/s Ta 8 Ta 1
+.It Kilobit per second Ta kbit/s Ta 10^3 Ta 125
+.It Kilobyte per second Ta kB/s Ta 8 * 10^3 Ta 1000
+.It Megabit per second Ta Mbit/s Ta 10^6 Ta 125000
+.It Megabyte per second Ta MB/s Ta 8 * 10^6 Ta 1000000
+.It Gigabit per second Ta Gbit/s Ta 10^9 Ta 125000000
+.It Gigabyte per second Ta GB/s Ta 8 * 10^9 Ta 1000000000
+.It Terabit per second Ta Tbit/s Ta 10^12 Ta 125000000000
+.It Terabyte per second Ta TB/s Ta 8 * 10^12 Ta 1000000000000
+.El
+.Pp
+The following table lists common orders of magnitude as a power of ten.
+.Bl -column -offset 2n \
+"Septillionth" "Order" "Prefix" "Symbol" "Decimal"
+.It Sy Name Ta Sy Order Ta Sy Prefix Ta Sy Symbol Ta Sy Decimal
+.It Nonillionth Ta 10^-30 Ta quecto Ta q Ta 0.000000000000000000000000000001
+.It Octillionth Ta 10^-27 Ta ronto Ta r Ta 0.000000000000000000000000001
+.It Septillionth Ta 10^-24 Ta yocto Ta y Ta 0.000000000000000000000001
+.It Sextillionth Ta 10^-21 Ta zepto Ta z Ta 0.000000000000000000001
+.It Quintillionth Ta 10^-18 Ta atto Ta a Ta 0.000000000000000001
+.It Quadrillionth Ta 10^-15 Ta femto Ta f Ta 0.000000000000001
+.It Trillionth Ta 10^-12 Ta pico Ta p Ta 0.000000000001
+.It Billionth Ta 10^-9 Ta nano Ta n Ta 0.000000001
+.It Millionth Ta 10^-6 Ta micro  Ta mu Ta 0.000001
+.It Thousandth Ta 10^-3 Ta milli Ta m Ta 0.001
+.It Hundredth Ta 10^-2 Ta centi Ta c Ta 0.01
+.It Tenth Ta 10^-1 Ta deci Ta d Ta 0.1
+.It One Ta 10^0 Ta - Ta - Ta 1
+.It Ten Ta 10^1 Ta deca Ta da Ta 10
+.It Hundred Ta 10^2 Ta hecto Ta h Ta 100
+.It Thousand Ta 10^3 Ta kilo Ta k Ta 1000
+.It Million Ta 10^6 Ta mega Ta M Ta 1000000
+.It Billion Ta 10^9 Ta giga Ta G Ta 1000000000
+.It Trillion Ta 10^12 Ta tera Ta T Ta 1000000000000
+.It Quadrillion Ta 10^15 Ta peta Ta P Ta 1000000000000000
+.It Quintillion Ta 10^18 Ta exa Ta E Ta 1000000000000000000
+.It Sextillion Ta 10^21 Ta zetta Ta Z Ta 1000000000000000000000
+.It Septillion Ta 10^24 Ta yotta Ta Y Ta 1000000000000000000000000
+.It Octillion Ta 10^27 Ta ronna Ta R Ta 1000000000000000000000000000
+.It Nonillion Ta 10^30 Ta quetta Ta Q Ta 1000000000000000000000000000000
+.El
+.Sh SEE ALSO
+.Xr units 1 ,
+.Xr strsuftoll 3 ,
+.Xr number 6
+.Sh STANDARDS
+There have been various attempts to standardize the set of binary prefixes.
+Organizations such as International Electrotechnical Commission
+.Pq Tn IEC
+have proposed new prefixes such as
+.Dq kibi ,
+.Dq mebi ,
+.Dq gibi ,
+and
+.Dq yobi ,
+but the adoption has been slow at best.
diff --git a/static/netbsd/man7/pkgsrc.7 b/static/netbsd/man7/pkgsrc.7
new file mode 100644
index 00000000..261a4f7e
--- /dev/null
+++ b/static/netbsd/man7/pkgsrc.7
@@ -0,0 +1,61 @@
+.\"	$NetBSD: pkgsrc.7,v 1.7 2024/09/07 19:13:29 rillig Exp $
+.\"
+.\" Copyright (c) 2007 The NetBSD Foundation, Inc.
+.\" All rights reserved.
+.\"
+.\" This code is derived from software contributed to The NetBSD Foundation
+.\" by Thomas Klausner.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd March 2, 2007
+.Dt PKGSRC 7
+.Os
+.Sh NAME
+.Nm pkgsrc
+.Nd NetBSD packages collection (framework for third-party software)
+.Sh DESCRIPTION
+The
+.Nx
+Packages Collection (pkgsrc) is a framework for building and
+maintaining third-party software on
+.Nx
+and other
+.Ux Ns -like
+systems.
+It is used to enable freely available software to be configured
+and built easily on supported platforms.
+.Pp
+Tools are available to install ready-to-use packages and to perform
+various administrative tasks for the package system.
+.Sh SEE ALSO
+.Xr pkg_add 1 ,
+.Xr pkg_delete 1 ,
+.Xr pkg_info 1
+.Rs
+.%A Alistair Crooks
+.%A Hubert Feyrer
+.%A The pkgsrc developers
+.%T The pkgsrc guide,
+.%T Documentation on the NetBSD packages system
+.%U https://www.NetBSD.org/docs/pkgsrc/
+.Re
diff --git a/static/netbsd/man7/release.7 b/static/netbsd/man7/release.7
new file mode 100644
index 00000000..77214acc
--- /dev/null
+++ b/static/netbsd/man7/release.7
@@ -0,0 +1,449 @@
+.\"	$NetBSD: release.7,v 1.40 2022/08/21 15:01:08 brook Exp $
+.\"
+.\" Copyright (c) 1997, 2000, 2005 The NetBSD Foundation, Inc.
+.\" All rights reserved.
+.\"
+.\" This code is derived from software contributed to The NetBSD Foundation
+.\" by Charles M. Hannum and Jason R. Thorpe.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd July 13, 2020
+.Dt RELEASE 7
+.Os
+.Sh NAME
+.Nm release
+.Nd layout of NetBSD releases and snapshots
+.Sh DESCRIPTION
+This document describes the layout of
+.Nx
+releases and snapshots.
+This layout should be consistent between FTP servers and CD-ROMs,
+except possibly the path that leads to the release hierarchy.
+.Pp
+In this document, the following special words have these definitions:
+.Bl -tag -width "<machine_arch>"
+.It Aq Em machine
+The platform for which the release was built, corresponding to the
+.Em hw.machine
+sysctl variable, e.g.,
+.Em i386
+or
+.Em amiga .
+.It Aq Em machine_arch
+The architecture for which a particular installation set was built,
+corresponding to the
+.Em hw.machine_arch
+sysctl variable, e.g.,
+.Em i386
+or
+.Em m68k .
+.It Aq Em rel
+The release version number.
+.El
+.Pp
+All
+.Sy README
+files are descriptions of the various files in directories that have
+.Dq non-standard
+contents.
+There may also be a
+.Sy README
+file at the top-level,
+describing who built the snapshot and under what circumstances
+.Po e.g., whether it's an official
+.Nx
+snapshot, or not
+.Pc .
+.Pp
+All
+.Sy MD5
+files are MD5 digests for the various files in that directory, in the
+format produced by the command:
+.Sy cksum -a MD5 Aq Sy file .
+.Pp
+All
+.Sy SHA512
+files are SHA512 digests for the various files in that directory, in the
+format produced by the command:
+.Sy cksum -a SHA512 Aq Sy file .
+.Pp
+The SHA512 digest is safer, but MD5 checksums are provided so that a wider
+range of operating systems can check the integrity of the release files.
+.Pp
+Files that end in
+.Sy .tgz
+are gzipped tar archives.
+This is used in lieu of
+.Sy .tar.gz
+because the software used to download the sets may incorrectly auto-unpack
+files ending in
+.Sy .gz
+and to accommodate systems which only support 3 character extensions
+to file names.
+.Pp
+All tar archives are relative to the target's
+.Sy /
+directory, and
+.Em do not
+include the leading
+.Dq / .
+.Pp
+The root of the release hierarchy may be the root directory of a
+CD-ROM, but in all other cases it should be
+.Sm off
+.Xo
+.Sy .../NetBSD-
+.Aq Em rel
+.Sy / .
+.Xc
+.Sm on
+.Pp
+The root of the release hierarchy should contain the following
+files and subdirectories:
+.Pp
+.Bl -tag -width "<machine>"
+.It Sy images/
+Image files intended for use in installing
+.Nx .
+There are different types of images for different platforms, and sometimes
+multiple different image types for a single platform.
+.Pp
+Images in this directory, unlike images in the
+.Sm off
+.Xo
+.Sy .../NetBSD-
+.Aq Em rel
+.Sy /
+.Aq Em machine
+.Sy /installation/\\*/
+.Xc
+.Sm on
+directories, contain file systems that
+have an internal layout that corresponds to
+a complete release for a given machine type.
+If built with
+.Dq iso-image-source ,
+then it will also contain a
+.Dq source
+directory.
+These images are usually bootable.
+.Bl -tag -width "NetBSD-<rel>-<machine>.iso"
+.It Sy MD5
+.It Sy SHA512
+.It Sy NetBSD- Ns Ao Em rel Ac Ns Sy - Ns Ao Em machine Ac Ns Sy .iso
+CD-ROM images in ISO 9660 format, usually created with
+.Dq ./build.sh ... iso-image ...
+after a
+.Dq ./build.sh -x ... release ...
+in
+.Pa src
+or created with
+.Dq ./build.sh ... iso-image-source ...
+after a
+.Dq ./build.sh -x ... release sourcesets ...
+in
+.Pa src .
+.It Sy NetBSD- Ns Ao Em rel Ac Ns Sy - Ns Ao Em machine Ac Ns Sy -install.img.gz
+Bootable installation images intended to be written to any drive which
+appears as an
+.Xr sd 4
+type, such as USB flash disks.
+These images are created with
+.Dq ./build.sh ... install-image
+in
+.Pa src .
+.El
+.
+.It Sy shared/
+Files shared by two or more machine types.
+.Bl -tag -width "<machine_arch>"
+.It Ao Em machine_arch Ac Ns Pa /
+Files which may be shared by all systems of the same
+.Aq Em machine_arch
+will be located in
+.Sm off
+.Xo
+.Sy .../NetBSD-
+.Aq Em rel
+.Sy /shared/
+.Aq Em machine_arch
+.Sy /
+.Xc
+.Sm on
+with symbolic links pointing to these files from the
+.Aq Em machine
+subdirectory.
+.It Sy ALL/
+Files which are completely machine-independent will be
+located in
+.Sy .../NetBSD- Ns Ao Em rel Ac Ns Sy /shared/ALL/
+with symbolic links pointing to these files from the
+.Aq Em machine
+subdirectory.
+.El
+.
+.It Sy source/
+Source code of the operating system should be put into
+.Sy .../NetBSD- Ns Ao Em rel Ac Ns Sy /source/
+using the following layout:
+.Pp
+.Bl -tag -width "sets/"
+.It Sy sets/
+Sources for the various system sets.
+.Bl -tag -width "sharesrc.tgz"
+.It Sy MD5
+.It Sy SHA512
+.It Sy gnusrc.tgz
+Contains sources for all GPLed and possibly other programs that
+contains restrictions in their licensing that prevent others from
+using these programs in closed-source environments.
+.It Sy sharesrc.tgz
+Contains machine-independent data files that can be shared across
+architectures/systems.
+.It Sy src.tgz
+The operating system's userland source code, including all programs,
+tools, libraries, etc.
+.It Sy syssrc.tgz
+Kernel sources for all architectures plus sources of the tools needed
+to build kernels (like
+.Xr config 1 ) .
+.It Sy xsrc.tgz
+Source code of the X Window System used on all
+.Nx
+architectures.
+Includes X clients and servers.
+.El
+.El
+.
+.It Ao Em machine Ac Ns Pa /
+The binary releases in
+.Sm off
+.Xo
+.Sy .../NetBSD-
+.Aq Em rel
+.Sy /
+.Aq Em machine
+.Sy /
+.Xc
+.Sm on
+fit the following layout:
+.Bl -tag -width "installation/"
+.It Sy INSTALL.txt
+Installation notes, including complete descriptions of files contained
+within the release hierarchy
+.It Sy INSTALL.more
+pretty version, suited for viewing with
+.Xr more 1
+.It Sy INSTALL.html
+HTML version
+.It Sy INSTALL.ps
+PostScript version
+.It Sy binary/
+system binaries
+.Bl -tag -width "SHA512/"
+.It Sy gzimg/
+compressed system images
+.Bl -tag -width "xserver.tgz"
+.It Ao Em machine Ac Ns Pa .tar.gz
+The primary system image on those platforms that provide them.  These
+images may not be bootable.
+.It Ao Em machine Ac Ns Pa - Ns Ao Em board Ac Ns Pa .tar.gz
+A bootable system image for a particular board, on platforms that
+provide them.
+.El
+.It Sy sets/
+installation sets
+.Bl -tag -width "xserver.tgz"
+.It Sy MD5
+.It Sy SHA512
+.It Sy base.tgz
+The base binary distribution.
+This set contains the base
+.Nx
+utilities that are necessary for the system to run and be minimally
+functional.
+This set excludes all things listed in the sets
+described below.
+.It Sy comp.tgz
+The compiler tools distribution.
+This set contains the C and C++
+compilers, assembler, linker, other toolchain components, and their
+manual pages.
+It also includes the system include files
+.Pq Pa /usr/include
+and the static system libraries.
+.It Sy etc.tgz
+This set contains the system configuration files that reside in
+.Pa /etc
+and in several other places throughout the file system hierarchy.
+.It Sy games.tgz
+This set includes the games and their manual pages.
+.It Sy kern-GENERIC.tgz
+This set includes a kernel built from the
+.Sy GENERIC
+kernel configuration file.
+This is meant as an example only; different
+platforms may have differently named kernels.
+.It Sy man.tgz
+This set includes all of the manual pages for the binaries and other
+software contained in the
+.Sy base
+set which are not included in the other sets.
+.It Sy misc.tgz
+This set includes miscellaneous non-essential files, including dictionaries,
+the typesettable document set, and various other documentation and example
+configuration files.
+.It Sy modules.tgz
+This set includes all the kernel modules.
+.It Sy rescue.tgz
+This set contains the
+.Xr rescue 8
+utilities.
+.It Sy tests.tgz
+This set includes the
+.Xr tests 7
+for
+.Xr atf 7 ,
+the automated test framework used by NetBSD.
+.It Sy text.tgz
+This set includes the
+.Nx
+text processing tools, including
+.Xr groff 1 ,
+all related programs, and their manual pages.
+.It Sy xbase.tgz
+This set includes the base X11 distribution, including manual pages
+and excluding everything contained in the other X11 sets.
+.It Sy xetc.tgz
+This set includes X11 configuration files.
+.It Sy xcomp.tgz
+This set includes the X11 include files and static X11 libraries.
+.It Sy xfont.tgz
+This set includes the X11 fonts.
+.It Sy xserver.tgz
+This set includes the X servers and manual pages for
+a given machine.
+.Em "Note: this set may not be available on some platforms" .
+.El
+.It Sy kernel/
+suitably named, gzipped kernels
+.Bl -tag -width "netbsd-GENERIC.gz"
+.It Sy MD5
+.It Sy SHA512
+.It Sy netbsd-GENERIC.gz
+A kernel built from the
+.Sy GENERIC
+kernel configuration file.
+This is meant as an example only; different
+platforms may have differently named kernels.
+.El
+.El
+.It Sy installation/
+installation helper items
+.Bl -tag -width "diskimage/"
+.It Sy cdrom/
+CD-ROM images in ISO 9660 format, created as part of
+.Dq build.sh ... release ...
+in
+.Pa src .
+.Pp
+Images in this directory are bootable, and contain one a kernel,
+installation tools, and rescue tools.
+They do not contain installation sets, source sets, or
+other components of a complete release.
+.Pp
+.Em "Note: These images are only present in the amd64 and i386 distributions."
+.Bl -tag -width "boot-com.iso"
+.It Sy MD5
+.It Sy SHA512
+.It Sy boot.iso
+VGA console
+.It Sy boot-com.iso
+Serial console
+.El
+.It Sy diskimage/
+disk images, on those platforms that provide them
+.Bl -tag -width "diskimage.gz"
+.It Sy MD5
+.It Sy SHA512
+.It Sy diskimage.gz
+.El
+.It Sy floppy/
+floppy images, on those platforms that provide them
+.Bl -tag -width "boot1.fs"
+.It Sy MD5
+.It Sy SHA512
+.It Sy boot1.fs
+.It Sy boot2.fs
+.El
+.It Sy instkernel/
+installation kernels for platforms that can boot them directly
+.Bl -tag -width netbsd.gz
+.It Sy MD5
+.It Sy SHA512
+.It Sy netbsd.gz
+.El
+.It Sy miniroot/
+miniroot images, on those platforms that provide them
+.Bl -tag -width "miniroot.fs.gz"
+.It Sy MD5
+.It Sy SHA512
+.It Sy miniroot.fs.gz
+.El
+.It Sy misc/
+miscellaneous installation helper utilities, including boot selectors,
+floppy writing software, other software that runs under foreign operating
+systems, etc.
+.Bl -tag -width "SHA512"
+.It Sy MD5
+.It Sy SHA512
+.It Sy ...
+.El
+.It Sy netboot/
+network boot programs
+.Bl -tag -width "netboot.gz"
+.It Sy MD5
+.It Sy SHA512
+.It Sy netboot.gz
+.El
+.It Sy tapeimage/
+tape images, on those platforms that provide them
+.Bl -tag -width "tapeboot"
+.It Sy MD5
+.It Sy SHA512
+.It Sy tapeboot
+.El
+.El
+.El
+.El
+.Sh SEE ALSO
+.Xr cksum 1 ,
+.Xr dd 1 ,
+.Xr gzip 1 ,
+.Xr split 1 ,
+.Xr tar 1
+.Sh HISTORY
+The
+.Nm
+manual page first appeared in
+.Nx 1.3 .
diff --git a/static/netbsd/man7/rfc6056.7 b/static/netbsd/man7/rfc6056.7
new file mode 100644
index 00000000..4041837c
--- /dev/null
+++ b/static/netbsd/man7/rfc6056.7
@@ -0,0 +1,123 @@
+.\"     $NetBSD: rfc6056.7,v 1.4 2012/07/01 17:00:32 wiz Exp $
+.\"
+.\" Copyright (c) 2011
+.\"     The NetBSD Foundation.  All rights reserved.
+.\"
+.\" This code is derived from software contributed to The NetBSD Foundation
+.\" by Vlad Balan
+.\".
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"
+.Dd August 25, 2011
+.Dt RFC6056 7
+.Os
+.Sh NAME
+.Nm rfc6056
+.Nd port randomization algorithms
+.Sh DESCRIPTION
+The
+.Nm
+algorithms are used in order to randomize the port allocation of outgoing UDP
+packets, in order to provide protection from a series of
+.Dq blind
+attacks based on the
+attacker's ability to guess the sequence of ephemeral ports associated
+with outgoing packets.
+For more information consult RFC 6056.
+.Pp
+The individual algorithms are described below.
+.Ss The RFC 6056 algorithms
+The following algorithms are available:
+.Bl -tag -width "random_start"
+.It Sy bsd
+This is the default
+.Nx
+port selection algorithm, which starts from
+.Dv anonportmax
+and proceeds decreasingly through the available ephemeral ports.
+.It Sy random_start
+Select ports randomly from the available ephemeral ports.
+In case a collision with a local port is detected, the
+algorithm proceeds decreasingly through the sequence of ephemeral
+ports until a free port is found.
+Note that the random port selection algorithms are not guaranteed to find
+a free port.
+.It Sy random_pick
+Select ports randomly from the available ephemeral ports.
+In case a collision with a local port is detected the algorithm tries
+selecting a new port randomly until a free port is found.
+.It Sy hash
+Select ports using a
+.Xr md5 3
+hash of the local address, the foreign address, and the foreign port.
+Note that in the case of a
+.Xr bind 2
+call some of this information might be unavailable and the
+port selection is delayed until the time of a
+.Xr connect 2
+call, performed either explicitly or up calling
+.Xr sendto 2 .
+.It Sy doublehash
+Select ports using a
+.Xr md5 3
+hash of the local address, foreign address, and foreign port coupled with a
+.Xr md5 3
+hash of the same components obtained using a separate table that is
+associated with a subset of all outgoing connections.
+The same considerations regarding late connection as in the case of hash apply.
+.It Sy randinc
+Use random increments in order to select the next port.
+.El
+.Sh SYSCTL CONTROLS
+The following sysctl controls are available for selecting the default
+port randomization algorithm:
+.Bl -column "net.inet6.udp6.anonportalgo.available" "string" "Changeable"
+.It Sy sysctl name                   Ta Sy Type Ta Sy Changeable
+.It net.inet.ip.anonportalgo.available   Ta string  Ta no
+.It net.inet.ip.anonportalgo.selected    Ta string  Ta yes
+.It net.inet6.ip6.anonportalgo.available Ta string  Ta no
+.It net.inet6.ip6.anonportalgo.selected  Ta string  Ta yes
+.El
+.Sh SOCKET OPTIONS
+The
+.Dv IP_PORTSEL
+socket option at the
+.Dv IPPROTO_IP
+level and the
+.Dv IPV6_PORTSEL
+socket option at the
+.Dv IPPROTO_IPV6
+level can be used with a string argument specifying the algorithm's
+name in order to select the port randomization algorithm
+for a specific socket.
+For more info see
+.Xr setsockopt 2 .
+.Sh SEE ALSO
+.Xr setsockopt 2 ,
+.Xr sysctl 3 ,
+.Xr sysctl 7
+.Sh HISTORY
+The
+.Nm
+algorithms first appeared in
+.Nx 6.0 .
diff --git a/static/netbsd/man7/script.7 b/static/netbsd/man7/script.7
new file mode 100644
index 00000000..02ed9bcf
--- /dev/null
+++ b/static/netbsd/man7/script.7
@@ -0,0 +1,413 @@
+.\"	$NetBSD: script.7,v 1.6 2010/03/22 18:58:32 joerg Exp $
+.\"
+.\" Copyright (c) 2005 The NetBSD Foundation, Inc.
+.\" All rights reserved.
+.\"
+.\" This document was originally contributed to The NetBSD Foundation
+.\" by Perry E. Metzger of Metzger, Dowdeswell & Co. LLC.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd May 6, 2005
+.Dt SCRIPT 7
+.Os
+.Sh NAME
+.Nm script
+.Nd interpreter script execution
+.Sh DESCRIPTION
+The system is capable of treating a text file containing commands
+intended for an interpreter, such as
+.Xr sh 1
+or
+.Xr awk 1 ,
+as an executable program.
+.Pp
+An
+.Dq interpreter script
+is a file which has been set executable (see
+.Xr chmod 2 )
+and which has a first line of the form:
+.Pp
+.D1 Li #! Ar pathname Op Ar argument
+.Pp
+The
+.Dq #!
+must appear as the first two characters of the file.
+A space between the
+.Dq #!
+and
+.Ar pathname
+is optional.
+At most one
+.Ar argument
+may follow
+.Ar pathname ,
+and the length of the entire line is limited (see below).
+.Pp
+If such a file is executed (such as via the
+.Xr execve 2
+system call), the interpreter specified by the
+.Ar pathname
+is executed by the system.
+(The
+.Ar pathname
+is executed without regard to the
+.Ev PATH
+variable, so in general
+.Ar pathname
+should be an absolute path.)
+.Pp
+The arguments passed to the interpreter will be as follows.
+.Va argv[0]
+will be the path to the interpreter itself, as specified on the first
+line of the script.
+If there is an
+.Ar argument
+following
+.Ar pathname
+on the first line of the script, it will be passed as
+.Va argv[1] .
+The subsequent elements of
+.Va argv
+will be the path to the interpreter script file itself (i.e. the
+original
+.Va argv[0] )
+followed by any further arguments passed when
+.Xr execve 2
+was invoked to execute the script file.
+.Pp
+By convention, it is expected that an interpreter will open the script
+file passed as an argument and process the commands within it.
+Typical interpreters treat
+.Sq #
+as a comment character, and thus will ignore the initial line of the script
+because it begins
+.Dq #! ,
+but there is no requirement for this per se.
+.Pp
+On
+.Nx ,
+the length of the
+.Dq #!
+line, excluding the
+.Dq #!
+itself, is limited to
+.Dv PATH_MAX
+(as defined in
+.In limits.h ) .
+Other operating systems impose much smaller limits on the length of
+the
+.Dq #!
+line (see below).
+.Pp
+Note that the interpreter may not itself be an interpreter script.
+If
+.Ar pathname
+does not point to an executable binary, execution of the interpreter
+script will fail.
+.Ss Trampolines and Portable Scripts
+Different operating systems often have interpreters located in
+different locations, and the kernel executes the passed interpreter
+without regard to the setting of environment variables such as
+.Ev PATH .
+This makes it somewhat challenging to set the
+.Dq #!
+line of a script so that it will run identically on different systems.
+.Pp
+Since the
+.Xr env 1
+utility executes a command passed to it on its command line, it is
+often used as a
+.Dq trampoline
+to render scripts portable.
+If the leading line of a script reads
+.Dl #! /usr/bin/env interp
+then the
+.Xr env 1
+command will execute the
+.Dq interp
+command it finds in its
+.Ev PATH ,
+passing on to it all subsequent arguments with which it itself was called.
+Since
+.Pa /usr/bin/env
+is found on almost all
+.Tn POSIX
+style systems, this trick is frequently exploited by authors who need
+a script to execute without change on multiple systems.
+.Ss Historical Note: Scripts without Dq #!
+Shell scripts predate the invention of the
+.Dq #!
+convention, which is implemented in the kernel.
+In the days of
+.At v7 ,
+there was only one interpreter used on the system,
+.Pa /bin/sh ,
+and the shell treated any file that failed to execute with an
+.Er ENOEXEC
+error
+(see
+.Xr intro 2 )
+as a shell script.
+.Pp
+Most shells (such as
+.Xr sh 1 )
+and certain other facilities (including
+.Xr execlp 3
+and
+.Xr execvp 3
+but not other types of
+.Xr exec 3
+calls) still pass
+interpreter scripts that do not include the
+.Dq #!
+(and thus fail to execute with
+.Er ENOEXEC )
+to
+.Pa /bin/sh .
+.Pp
+As this behavior is implemented outside the kernel, there is no
+mechanism that forces it to be respected by all programs that execute
+other programs.
+It is thus not completely reliable.
+It is therefore important to always include
+.Dl #!/bin/sh
+in front of Bourne shell scripts, and to treat the traditional
+behavior as obsolete.
+.Sh EXAMPLES
+Suppose that an executable binary exists in
+.Pa /bin/interp
+and that the file
+.Pa /tmp/script
+contains:
+.Bd -literal -offset indent
+#!/bin/interp -arg
+
+[...]
+.Ed
+.Pp
+and that
+.Pa /tmp/script
+is set mode 755.
+.Pp
+Executing
+.Pp
+.Dl $ /tmp/script one two three
+.Pp
+at the shell will result in
+.Pa /bin/interp
+being executed, receiving the following arguments in
+.Va argv
+(numbered from 0):
+.Pp
+.Bd -ragged -offset indent
+.Qq /bin/interp ,
+.Qq "-arg" ,
+.Qq /tmp/script ,
+.Qq one ,
+.Qq two ,
+.Qq three
+.Ed
+.Ss Portability Note: Multiple arguments
+The behavior of multiple arguments on the
+.Dq #!
+line is highly non-portable between different systems.
+In general, only one argument can be assumed to work consistently.
+.Pp
+Consider the following variation on the previous example.
+Suppose that an executable binary exists in
+.Pa /bin/interp
+and that the file
+.Pa /tmp/script
+contains:
+.Bd -literal -offset indent
+#!/bin/interp -x -y
+
+[...]
+.Ed
+.Pp
+and that
+.Pa /tmp/script
+is set mode 755.
+.Pp
+Executing
+.Pp
+.Dl $ /tmp/script one two three
+.Pp
+at the shell will result in
+.Pa /bin/interp
+being executed, receiving the following arguments in
+.Va argv
+(numbered from 0):
+.Pp
+.Bd -ragged -offset indent
+.Qq /bin/interp ,
+.Qq "-x -y" ,
+.Qq /tmp/script ,
+.Qq one ,
+.Qq two ,
+.Qq three
+.Ed
+.Pp
+Note that
+.Qq "-x -y"
+will be passed on
+.Nx
+as a single argument.
+.Pp
+Although most
+.Tn POSIX
+style operating systems will pass only one
+.Ar argument ,
+the behavior when multiple arguments are included is not
+consistent between platforms.
+Some, such as current releases of
+.Nx ,
+will concatenate multiple arguments into a single argument (as above),
+some will truncate them, and at least one will pass them as multiple
+arguments.
+.Pp
+The
+.Nx
+behavior is common but not universal.
+Sun's
+.Tn Solaris
+would present the above argument as
+.Qq -x ,
+dropping the
+.Qq " -y"
+entirely.
+Perhaps uniquely, recent versions of Apple's
+.Tn OS X
+will actually pass multiple arguments properly, i.e.:
+.Bd -ragged -offset indent
+.Qq /bin/interp ,
+.Qq -x ,
+.Qq -y ,
+.Qq /tmp/script ,
+.Qq one ,
+.Qq two ,
+.Qq three
+.Ed
+.Pp
+The behavior of the system in the face of multiple arguments is thus
+not currently standardized, should not be relied on, and may be
+changed in future releases.
+In general, pass at most one argument, and do not rely on multiple
+arguments being concatenated.
+.Sh SEE ALSO
+.Xr awk 1 ,
+.Xr csh 1 ,
+.Xr ksh 1 ,
+.Xr sh 1 ,
+.Xr chmod 2 ,
+.Xr execve 2 ,
+.Xr intro 2 ,
+.Xr execlp 3 ,
+.Xr execvp 3 ,
+.Xr fd 4 ,
+.Xr options 4 ,
+.Xr setuid 7
+.Sh STANDARDS
+The behavior of interpreter scripts is obliquely referred to, but
+never actually described in,
+.St -p1003.1-2004 .
+.Pp
+The behavior is partially (but not completely) described in the
+.St -svid4 .
+.Pp
+Although it has never been formally standardized, the behavior
+described is largely portable across
+.Tn POSIX
+style systems, with two significant exceptions: the maximum length of the
+.Dq #!
+line, and the behavior if multiple arguments are passed.
+Please be aware that some operating systems limit the line to 32
+or 64 characters, and that (as described above) the behavior in the
+face of multiple arguments is not consistent across systems.
+.Sh HISTORY
+The behavior of the kernel when encountering scripts that start in
+.Dq #!
+was not present in
+.At v7 .
+A Usenet posting to net.unix by Guy Harris on October 16, 1984 claims
+that the idea for the
+.Dq #!
+behavior was first proposed by Dennis Ritchie but that the first
+implementation was on
+.Bx .
+.Pp
+Historical manuals (specifically the exec man page) indicate that the
+behavior was present in
+.Bx 4
+at least as early as April, 1981.
+Information on precisely when it was first implemented, and in which
+version of
+.Ux ,
+is solicited.
+.Sh SECURITY CONSIDERATIONS
+Numerous security problems are associated with setuid interpreter
+scripts.
+.Pp
+In addition to the fact that many interpreters (and scripts) are
+simply not designed to be robust in a setuid context, a race condition
+exists between the moment that the kernel examines the interpreter
+script file and the moment that the newly invoked interpreter opens
+the file itself.
+.Pp
+Because of these security issues,
+.Nx
+does not allow setuid interpreter scripts by default.
+In order to turn on setuid interpreter scripts,
+.D1 Cd options SETUIDSCRIPTS
+must be set in the configuration of the running kernel.
+Setting this option implies the
+.Cd FDSCRIPTS
+option, which causes the kernel to open the script file on behalf of
+the interpreter and pass it in
+.Va argv
+as
+.Pa /dev/fd/[fdnum] .
+(See
+.Xr fd 4
+for an explanation of the
+.Pa /dev/fd/[fdnum]
+devices.)
+This design avoids the race condition, at the cost of denying the
+interpreter the actual name of the script file.
+See
+.Xr options 4
+for more information.
+.Pp
+However, the
+.Cd FDSCRIPTS
+mechanism is not a cure-all for security issues in setuid interpreters
+and scripts.
+Subtle techniques can be used to subvert even seemingly well written scripts.
+Scripts executed by Bourne type shells can be subverted in numerous
+ways, such as by setting the
+.Ev IFS
+variable before executing the script.
+Other interpreters possess their own vulnerabilities.
+Turning on
+.Cd SETUIDSCRIPTS
+is therefore very dangerous, and should not be done lightly if at all.
diff --git a/static/netbsd/man7/security.7 b/static/netbsd/man7/security.7
new file mode 100644
index 00000000..1593de2e
--- /dev/null
+++ b/static/netbsd/man7/security.7
@@ -0,0 +1,510 @@
+.\" $NetBSD: security.7,v 1.18 2024/10/31 01:13:19 gutteridge Exp $
+.\"
+.\" Copyright (c) 2006, 2011 Elad Efrat <elad@NetBSD.org>
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote products
+.\"    derived from this software without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd October 31, 2024
+.Dt SECURITY 7
+.Os
+.Sh NAME
+.Nm security
+.Nd
+.Nx
+security features
+.Sh DESCRIPTION
+.Nx
+supports a variety of security features.
+Below is a brief description of them with some quick usage examples
+that will help you get started.
+.Pp
+Contents:
+.Pp
+.Bl -hyphen -compact -offset indent
+.It
+Veriexec
+.Pq file integrity
+.It
+Exploit mitigation
+.It
+Per-user
+.Pa /tmp
+directory
+.It
+Information filtering
+.It
+Administrative security
+.El
+.Pp
+See also
+.Xr entropy 7 .
+.Ss Veriexec
+.Em Veriexec
+is a file integrity subsystem.
+.Pp
+For more information about it, and a quick guide on how to use it, please see
+.Xr veriexec 8 .
+.Pp
+In a nutshell, once enabled,
+.Em Veriexec
+can be started as follows:
+.Bd -literal -offset indent
+# veriexecgen && veriexecctl load
+.Ed
+.Ss Exploit mitigation
+.Nx
+incorporates some exploit mitigation features.
+The purpose of exploit mitigation features is to interfere
+with the way exploits work, in order to prevent them from succeeding.
+Due to that, some features may have other impacts on the system, so be sure to
+fully understand the implications of each feature.
+.Pp
+.Nx
+provides the following exploit mitigation features:
+.Pp
+.Bl -hyphen -compact -offset indent
+.It
+.Tn PaX ASLR
+.Pq Address Space Layout Randomization .
+.It
+.Tn PaX MPROTECT
+.Xr ( mprotect 2
+restrictions)
+.It
+.Tn PaX SegvGuard
+.It
+.Xr gcc 1
+stack-smashing protection
+.Pq Tn SSP
+.It
+bounds checked libc functions
+.Pq Tn FORTIFY_SOURCE
+.It
+Protections against
+.Dv NULL
+pointer dereferences
+.El
+.Ss PaX ASLR
+.Em PaX ASLR
+implements Address Space Layout Randomization
+.Pq Tn ASLR ,
+meant to complement non-executable mappings.
+Its purpose is to harden prediction of the address space layout, namely
+location of library and application functions that can be used by an attacker
+to circumvent non-executable mappings by using a technique called
+.Dq return to library
+to bypass the need to write new code to (potentially executable) regions of
+memory.
+.Pp
+When
+.Em PaX ASLR
+is used, it is more likely the attacker will fail to predict the addresses of
+such functions, causing the application to segfault.
+To detect cases where an attacker might try and brute-force the return address
+of respawning services,
+.Em PaX Segvguard
+can be used (see below).
+.Pp
+For non-PIE
+.Pq Position Independent Executable
+executables, the
+.Nx
+.Em PaX ASLR
+implementation introduces randomization to the following memory regions:
+.Pp
+.Bl -enum -compact -offset indent
+.It
+The stack
+.El
+.Pp
+For
+.Tn PIE
+executables:
+.Pp
+.Bl -enum -compact -offset indent
+.It
+The program itself (exec base)
+.It
+All shared libraries
+.It
+The data segment
+.It
+The stack
+.El
+.Pp
+While it can be enabled globally,
+.Nx
+provides a tool,
+.Xr paxctl 8 ,
+to enable
+.Em PaX ASLR
+on a per-program basis.
+.Pp
+Example usage:
+.Bd -literal -offset indent
+# paxctl +A /usr/sbin/sshd
+.Ed
+.Pp
+Enabling
+.Em PaX ASLR
+globally:
+.Bd -literal -offset indent
+# sysctl -w security.pax.aslr.global=1
+.Ed
+.Ss PaX MPROTECT
+.Em PaX MPROTECT
+implements memory protection restrictions,
+meant to complement non-executable mappings.
+The purpose is to prevent situations where malicious code attempts to mark
+writable memory regions as executable, often by trashing arguments to an
+.Xr mprotect 2
+call.
+.Pp
+While it can be enabled globally,
+.Nx
+provides a tool,
+.Xr paxctl 8 ,
+to enable
+.Em PaX MPROTECT
+on a per-program basis.
+.Pp
+Example usage:
+.Bd -literal -offset indent
+# paxctl +M /usr/sbin/sshd
+.Ed
+.Pp
+Enabling
+.Em PaX MPROTECT
+globally:
+.Bd -literal -offset indent
+# sysctl -w security.pax.mprotect.global=1
+.Ed
+.Pp
+PaX MPROTECT affects the following three uses:
+.Bl -bullet -offset indent
+.It
+Processes that utilize code generation (such as the JVM) might need to have
+MPROTECT disabled.
+.It
+Miscompiled programs that have text relocations, will now core dump instead
+of having their relocations corrected.
+You will need to fix those programs (recompile them properly).
+.It
+Debugger breakpoints:
+.Xr gdb 1
+needs to be able to write to the text segment in order to insert and
+delete breakpoints.
+This will not work unless MPROTECT is disabled on the executable.
+.El
+.Ss PaX Segvguard
+.Em PaX Segvguard
+monitors the number of segmentation faults in a program on a per-user basis,
+in an attempt to detect on-going exploitation attempts and possibly prevent
+them.
+For instance,
+.Em PaX Segvguard
+can help detect when an attacker tries to brute-force a function
+return address, when attempting to perform a return-to-lib attack.
+.Pp
+.Em PaX Segvguard
+consumes kernel memory, so use it wisely.
+While it provides rate-limiting protections, records are tracked for all
+users on a per-program basis, meaning that irresponsible use may result in
+tracking all segmentation faults in the system, possibly consuming all kernel
+memory.
+.Pp
+For this reason, it is highly recommended to have
+.Em PaX Segvguard
+enabled explicitly only for network services or
+other processes deemed as critical to system security.
+Enabling
+.Em PaX Segvguard
+explicitly works like this:
+.Bd -literal -offset indent
+# paxctl +G /usr/sbin/sshd
+.Ed
+.Pp
+However, a global knob is still provided, for use in strict environments
+with no local users (for example, some network appliances, embedded devices,
+and firewalls)
+.Bd -literal -offset indent
+# sysctl -w security.pax.segvguard.global=1
+.Ed
+.Pp
+Explicitly disabling
+.Em PaX Segvguard
+is also possible:
+.Bd -literal -offset indent
+# paxctl +g /bin/ls
+.Ed
+.Pp
+In addition,
+.Em PaX Segvguard
+provides several tunable options.
+For example, to limit a program to 5 segmentation faults from the same user in
+a 60 second timeframe:
+.Bd -literal -offset indent
+# sysctl -w security.pax.segvguard.max_crashes=5
+# sysctl -w security.pax.segvguard.expiry_timeout=60
+.Ed
+.Pp
+The number of seconds a user will be suspended from running the culprit
+program is also configurable.
+For example, 10 minutes seem like a sane setting:
+.Bd -literal -offset indent
+# sysctl -w security.pax.segvguard.suspend_timeout=600
+.Ed
+.Ss GCC Stack Smashing Protection ( SSP )
+As of
+.Nx 4.0 ,
+.Xr gcc 1
+includes
+.Em SSP ,
+a set of compiler extensions to raise the bar on exploitation attempts by
+detecting corruption of variables and buffer overruns, which may be used to
+affect program control flow.
+.Pp
+Upon detection of a buffer overrun,
+.Em SSP
+will immediately abort execution of the program and send a log message
+to
+.Xr syslog 3 .
+.Pp
+The system (userland and kernel) can be built with
+.Em SSP
+by using the
+.Dq USE_SSP
+flag in
+.Pa /etc/mk.conf :
+.Bd -literal -offset indent
+USE_SSP=yes
+.Ed
+.Pp
+You are encouraged to use
+.Em SSP
+for software you build, by providing one of the
+.Fl fstack-protector
+or
+.Fl fstack-protector-all
+flags to
+.Xr gcc 1 .
+Keep in mind, however, that
+.Em SSP
+will not work for functions that make use of
+.Xr alloca 3 ,
+as the latter modifies the stack size during run-time, while
+.Em SSP
+relies on it being a compile-time static.
+.Pp
+Use of
+.Em SSP
+is especially encouraged on platforms without per-page execute bit granularity
+such as i386.
+As of
+.Nx 6.0 ,
+.Em SSP
+is used by default on i386 and amd64 architectures.
+.Ss FORTIFY_SOURCE
+The so-called
+.Em FORTIFY_SOURCE
+is a relatively simple technique to detect a subset of buffer overflows
+before these can do damage.
+It is integrated to
+.Xr gcc 1
+together with some common memory and string functions in the standard
+C library of
+.Nx .
+.Pp
+The underlying idea builds on the observation that there are cases where
+the compiler knows the size of a buffer.
+If a buffer overflow is suspected in a function that does little or no
+bounds checking, either a compile time warning can be issued or a
+safer substitute function can be used at runtime.
+Refer to
+.Xr ssp 3
+for additional details.
+.Pp
+The
+.Em FORTIFY_SOURCE
+is enabled by default in some parts of the
+.Nx
+source tree.
+It is also possible to explicitly enable it by defining
+the following in
+.Xr mk.conf 5 :
+.Bd -literal -offset indent
+USE_FORT=yes
+.Ed
+.Ss Protections against NULL pointer dereferences
+A certain class of attacks rely on kernel bugs that dereference
+.Dv NULL
+pointers.
+If user processes are allowed to map the virtual address 0 with
+.Xr mmap 2
+or by other means, there is a risk that code or data
+can be injected into the kernel address space.
+.Pp
+In
+.Nx
+it is possible to restrict whether user processes are
+allowed to make mappings at the zero address.
+By default, address 0 mappings are restricted on all architectures.
+It is however known that some third-party programs
+may not function properly with the restriction.
+Such mappings can be allowed either by using the
+.Dv USER_VA0_DISABLE_DEFAULT
+kernel configuration option or by changing the following variable at runtime:
+.Bd -literal -offset indent
+# sysctl -w vm.user_va0_disable=0
+.Ed
+.Pp
+Note that if
+.Em securelevel
+(see
+.Xr secmodel_securelevel 9 )
+is greater than zero, it is not possible to change the
+.Xr sysctl 8
+variable.
+.Ss Per-user temporary storage
+It is possible to configure per-user temporary storage to avoid potential
+security issues (race conditions, etc.) in programs that do not make secure
+usage of
+.Pa /tmp .
+.Pp
+To enable per-user temporary storage, add the following line to
+.Xr rc.conf 5 :
+.Bd -literal -offset indent
+per_user_tmp=YES
+.Ed
+.Pp
+If
+.Pa /tmp
+is a mount point, you will also need to update its
+.Xr fstab 5
+entry to use
+.Dq /private/tmp
+(or whatever directory you want, if you override the default using the
+.Dq per_user_tmp_dir
+.Xr rc.conf 5
+keyword) instead of
+.Dq /tmp .
+.Pp
+Following that, run:
+.Bd -literal -offset indent
+# /etc/rc.d/perusertmp start
+.Ed
+.Pp
+The per-user temporary storage is implemented by using
+.Dq magic symlinks .
+These are further described in
+.Xr symlink 7 .
+.Pp
+Note that some programs will not work correctly with the present
+.Dq magic symlinks
+implementation, if they invoke
+.Xr realpath 3
+on temporary file paths, for example
+.Xr tmux 1 .
+In this case, resolution will fail, so this feature is not suited for
+all uses.
+.Ss Information filtering
+.Nx
+provides administrators the ability to restrict information passed from
+the kernel to userland so that users can only view information they
+.Dq own .
+.Pp
+The hooks that manage this restriction are located in various parts of the
+system and affect programs such as
+.Xr ps 1 ,
+.Xr fstat 1 ,
+and
+.Xr netstat 1 .
+Information filtering is enabled as follows:
+.Bd -literal -offset indent
+# sysctl -w security.curtain=1
+.Ed
+.Ss Administrative security
+Also certain administrative tasks are related to security.
+For instance, the daily maintenance script includes some basic
+consistency checks; see
+.Xr security.conf 5
+for more details.
+In particular, it is possible to configure
+.Nx
+to automatically audit all third-party packages installed via
+.Xr pkgsrc 7 .
+To audit for any known vulnerabilities on daily basis, set the following in
+.Pa /etc/daily.conf :
+.Bd -literal -offset indent
+fetch_pkg_vulnerabilities=YES
+.Ed
+.Sh SEE ALSO
+.Xr ssp 3 ,
+.Xr options 4 ,
+.Xr entropy 7 ,
+.Xr paxctl 8 ,
+.Xr sysctl 8 ,
+.Xr veriexec 8 ,
+.Xr kauth 9
+.\"
+.Rs
+.%A Joseph Kong
+.%B "Designing BSD Rootkits: An Introduction to Kernel Hacking"
+.%D 2007
+.%I "No Starch Press"
+.Re
+.\"
+.Rs
+.%A Enrico Perla
+.%A Massimiliano Oldani
+.%B "A Guide to Kernel Exploitation: Attacking the Core"
+.%D 2010
+.%I "Elsevier"
+.Re
+.\"
+.Rs
+.%A Erik Buchanan
+.%A Ryan Roemer
+.%A Hovav Shacham
+.%A Stefan Savage
+.%T "When Good Instructions Go Bad: \
+Generalizing Return-Oriented Programming to RISC"
+.%P 27-38
+.%O CCS '08: Proceedings of the 15th ACM Conference \
+on Computer and Communications Security
+.%I ACM Press
+.%D October 27-31, 2008
+.%U http://cseweb.ucsd.edu/~hovav/dist/sparc.pdf
+.Re
+.\"
+.Rs
+.%A Sebastian Krahmer
+.%T "x86-64 Buffer Overflow Exploits and \
+the Borrowed Code Chunks Exploitation Technique"
+.%D September 28, 2005
+.%U http://www.suse.de/~krahmer/no-nx.pdf
+.Re
+.Sh AUTHORS
+Many of the security features were pioneered by
+.An Elad Efrat Aq Mt elad@NetBSD.org .
diff --git a/static/netbsd/man7/setuid.7 b/static/netbsd/man7/setuid.7
new file mode 100644
index 00000000..ef269c87
--- /dev/null
+++ b/static/netbsd/man7/setuid.7
@@ -0,0 +1,369 @@
+.\" $NetBSD: setuid.7,v 1.9 2020/08/29 13:32:27 fcambus Exp $
+.\"
+.\" Copyright (c) 2003 The NetBSD Foundation, Inc.
+.\" All rights reserved.
+.\"
+.\" This code is derived from software contributed to The NetBSD Foundation
+.\" by Henry Spencer <henry@spsystems.net>.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd February 26, 2009
+.Dt SETUID 7
+.Os
+.Sh NAME
+.Nm setuid
+.Nd checklist for security of setuid programs
+.Sh DESCRIPTION
+.Em Please note :
+This manual page was written long ago, and is in need of updating to
+match today's systems.
+We think it is valuable enough to include, even though parts of it
+are outdated.
+A carefully-researched updated version
+would be very useful, if anyone is feeling enthusiastic...
+.Pp
+Writing a secure setuid (or setgid) program is tricky.
+There are a number of possible ways of subverting such a program.
+The most conspicuous security holes occur when a setuid program is
+not sufficiently careful to avoid giving away access to resources
+it legitimately has the use of.
+Most of the other attacks are basically a matter of altering the program's
+environment in unexpected ways and hoping it will fail in some
+security-breaching manner.
+There are generally three categories of environment manipulation:
+supplying a legal but unexpected environment that may cause the
+program to directly do something insecure,
+arranging for error conditions that the program may not handle correctly,
+and the specialized subcategory of giving the program inadequate
+resources in hopes that it won't respond properly.
+.Pp
+The following are general considerations of security when writing
+a setuid program.
+.Bl -bullet
+.It
+The program should run with the weakest userid possible, preferably
+one used only by itself.
+A security hole in a setuid program running with a highly-privileged
+userid can compromise an entire system.
+Security-critical programs like
+.Xr passwd 1
+should always have private userids, to minimize possible damage
+from penetrations elsewhere.
+.It
+The result of
+.Xr getlogin 2
+or
+.Xr ttyname 3
+may be wrong if the descriptors have been meddled with.
+There is
+.Em no
+foolproof way to determine the controlling terminal
+or the login name (as opposed to uid) on V7.
+.It
+On some systems, the setuid bit may not be honored if
+the program is run by root,
+so the program may find itself running as root.
+.It
+Programs that attempt to use
+.Xr creat 3
+for locking can foul up when run by root;
+use of
+.Xr link 2
+is preferred when implementing locking.
+Using
+.Xr chmod 2
+for locking is an obvious disaster.
+.It
+Breaking an existing lock is very dangerous; the breakdown of a locking
+protocol may be symptomatic of far worse problems.
+Doing so on the basis of the lock being
+.Sq old
+is sometimes necessary,
+but programs can run for surprising lengths of time on heavily-loaded
+systems.
+.It
+Care must be taken that user requests for I/O are checked for
+permissions using the user's permissions, not the program's.
+Use of
+.Xr access 2
+is recommended.
+.It
+Programs executed at user request (e.g. shell escapes) must
+not receive the setuid program's permissions;
+use of daughter processes and
+.Dq setuid(getuid())
+plus
+.Dq setgid(getgid())
+after
+.Xr fork 2
+but before
+.Xr exec 3
+is vital.
+.It
+Similarly, programs executed at user request must not receive other
+sensitive resources, notably file descriptors.
+Use of
+.Xr fcntl 2
+.Dv F_CLOSEM ,
+.Dv FILENO_STDERR + 1
+(close all fd's greater than stderr)
+and/or
+.Xr fcntl 2
+.Dv F_SETFD ,
+.Dv FD_CLOEXEC
+(close-on-exec) arrangements
+on systems which have them
+is recommended.
+.Pp
+Other resources should also be examined for sanity and possibly set to
+desired settings, such as the current working directory, signal disposition,
+resource limits, environment, umask, group membership, chroot.
+.Pp
+Programs activated by one user but handling traffic on behalf of
+others (e.g. daemons) should avoid doing
+.Dq setuid(getuid())
+or
+.Dq setgid(getgid()) ,
+since the original invoker's identity is almost certainly inappropriate.
+On systems which permit it, use of
+.Dq setuid(geteuid())
+and
+.Dq setgid(getegid())
+is recommended when performing work on behalf of the system as
+opposed to a specific user.
+.It
+There are inherent permission problems when a setuid program executes
+another setuid program,
+since the permissions are not additive.
+Care should be taken that created files are not owned by the wrong person.
+Use of
+.Dq setuid(geteuid())
+and its gid counterpart can help, if the system allows them.
+.It
+Care should be taken that newly-created files do not have the wrong
+permission or ownership even momentarily.
+Permissions should be arranged by using
+.Xr umask 2
+in advance, rather than by creating the file wide-open and then using
+.Xr chmod 2 .
+Ownership can get sticky due to the limitations of the setuid concept,
+although using a daughter process connected by a pipe can help.
+.It
+Setuid programs should be especially careful about error checking,
+and the normal response to a strange situation should be termination,
+rather than an attempt to carry on.
+.El
+.Pp
+The following are ways in which the program may be induced to carelessly
+give away its special privileges.
+.Bl -bullet
+.It
+The directory the program is started in, or directories it may
+plausibly
+.Xr chdir 2
+to, may contain programs with the same names as system programs,
+placed there in hopes that the program will activate a shell with
+a permissive
+.Ev PATH
+setting.
+.Ev PATH
+should
+.Em always
+be standardized before invoking a shell
+(either directly or via
+.Xr popen 3
+or
+.Xr execvp 3
+or
+.Xr execlp 3 ) .
+.It
+Similarly, a bizarre
+.Ev IFS
+setting may alter the interpretation of a shell command in really
+strange ways, possibly causing a user-supplied program to be invoked.
+.Ev IFS
+too should always be standardized before invoking a shell.
+.It
+Environment variables in general cannot be trusted.
+Their contents should never be taken for granted.
+.It
+Setuid shell files (on systems which implement such) simply cannot
+cope adequately with some of these problems.
+They also have some nasty problems like trying to run a
+.Pa \&.profile
+when run under a suitable name.
+They are terminally insecure, and must be avoided.
+.It
+Relying on the contents of files placed in publicly-writable
+directories, such as
+.Pa /tmp ,
+is a nearly-incurable security problem.
+Setuid programs should avoid using
+.Pa /tmp
+entirely, if humanly possible.
+The sticky-directories modification (sticky bit on for a directory means
+only owner of a file can remove it) helps,
+but is not a complete solution.
+.It
+A related problem is that
+spool directories, holding information that the program will trust
+later, must never be publicly writable even if the files in the
+directory are protected.
+Among other sinister manipulations that can be performed, note that
+on many Unixes, a core dump of a setuid program is owned
+by the program's owner and not by the user running it.
+.El
+.Pp
+The following are unusual but possible error conditions that the
+program should cope with properly (resource-exhaustion questions
+are considered separately, see below).
+.Bl -bullet
+.It
+The value of
+.Ar argc
+might be 0.
+.It
+The setting of the
+.Xr umask 2
+might not be sensible.
+In any case, it should be standardized when creating files
+not intended to be owned by the user.
+.It
+One or more of the standard descriptors might be closed, so that
+an opened file might get (say) descriptor 1, causing chaos if the
+program tries to do a
+.Xr printf 3 .
+.It
+The current directory (or any of its parents)
+may be unreadable and unsearchable.
+On many systems
+.Xr pwd 1
+does not run setuid-root,
+so it can fail under such conditions.
+.It
+Descriptors shared by other processes (i.e., any that are open
+on startup) may be manipulated in strange ways by said processes.
+.It
+The standard descriptors may refer to a terminal which has a bizarre
+mode setting, or which cannot be opened again,
+or which gives end-of-file on any read attempt, or which cannot
+be read or written successfully.
+.It
+The process may be hit by interrupt, quit, hangup, or broken-pipe signals,
+singly or in fast succession.
+The user may deliberately exploit the race conditions inherent
+in catching signals;
+ignoring signals is safe, but catching them is not.
+.It
+Although non-keyboard signals cannot be sent by ordinary users in V7,
+they may perhaps be sent by the system authorities (e.g. to
+indicate that the system is about to shut down),
+so the possibility cannot be ignored.
+.It
+On some systems there may be an
+.Xr alarm 3
+signal pending on startup.
+.It
+The program may have children it did not create.
+This is normal when the process is part of a pipeline.
+.It
+In some non-V7 systems, users can change the ownerships of their files.
+Setuid programs should avoid trusting the owner identification of a file.
+.It
+User-supplied arguments and input data
+.Em must
+be checked meticulously.
+Overly-long input stored in an array without proper bound checking
+can easily breach security.
+When software depends on a file being in a specific format, user-supplied
+data should never be inserted into the file without being checked first.
+Meticulous checking includes allowing for the possibility of non-ASCII
+characters.
+.It
+Temporary files left in public directories like
+.Pa /tmp
+might vanish at inconvenient times.
+.El
+.Pp
+The following are resource-exhaustion possibilities that the
+program should respond properly to.
+.Bl -bullet
+.It
+The user might have used up all of their allowed processes, so
+any attempt to create a new one (via
+.Xr fork 2
+or
+.Xr popen 3 )
+will fail.
+.It
+There might be many files open, exhausting the supply of descriptors.
+Running
+.Xr fcntl 2
+.Dv F_CLOSEM
+on systems which have it,
+is recommended.
+.It
+There might be many arguments.
+.It
+The arguments and the environment together might occupy a great deal
+of space.
+.El
+.Pp
+Systems which impose other resource limitations can open setuid
+programs to similar resource-exhaustion attacks.
+.Pp
+Setuid programs which execute ordinary programs without reducing
+authority pass all the above problems on to such unprepared children.
+Standardizing the execution environment is only a partial solution.
+.Sh SEE ALSO
+.Xr passwd 1 ,
+.Xr pwd 1 ,
+.Xr access 2 ,
+.Xr chdir 2 ,
+.Xr chroot 2 ,
+.Xr execve 2 ,
+.Xr fcntl 2 ,
+.Xr fork 2 ,
+.Xr getlogin 2 ,
+.Xr link 2 ,
+.Xr setegid 2 ,
+.Xr seteuid 2 ,
+.Xr setgid 2 ,
+.Xr setgroups 2 ,
+.Xr setrlimit 2 ,
+.Xr setuid 2 ,
+.Xr sigaction 2 ,
+.Xr umask 2 ,
+.Xr alarm 3 ,
+.Xr creat 3 ,
+.Xr execvp 3 ,
+.Xr popen 3 ,
+.Xr printf 3 ,
+.Xr ttyname 3
+.Sh HISTORY
+Written by Henry Spencer, and based on additional outside contributions.
+.Sh AUTHORS
+.An Henry Spencer Aq Mt henry@spsystems.net
+.Sh BUGS
+The list really is rather long...
+and probably incomplete.
diff --git a/static/netbsd/man7/signal.7 b/static/netbsd/man7/signal.7
new file mode 100644
index 00000000..37515d50
--- /dev/null
+++ b/static/netbsd/man7/signal.7
@@ -0,0 +1,633 @@
+.\"	$NetBSD: signal.7,v 1.28 2023/07/17 14:20:19 riastradh Exp $
+.\"
+.\" Copyright (c) 1999, 2016 The NetBSD Foundation, Inc.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd August 24, 2018
+.Dt SIGNAL 7
+.Os
+.Sh NAME
+.Nm signal
+.Nd signal facilities
+.Sh DESCRIPTION
+A
+.Nm
+is a system-level notification delivered to a process.
+Signals may be generated as the result of process activity, by certain
+user inputs, by kernel facilities or subsystems, or sent
+programmatically by other processes or by users.
+There is a small fixed set of signals, each with a symbolic name and a
+number.
+For historical reasons many of the numbers are ``well-known values'',
+which are in practice the same on all implementations and
+realistically can never be changed.
+(Nonetheless, compiled code should always use only the symbolic
+names.)
+Many/most signals also have specific semantics, both in how they can
+be generated and in their effects.
+Some are special cases in ways that have quite far-reaching
+consequences.
+.Pp
+When a signal is
+.Em posted
+.Pq Dq sent
+to a process, in general any of several things can happen.
+If the process has elected to
+.Em ignore
+the signal, it is discarded and nothing happens.
+(Some signals may not be ignored, however.)
+If the process has elected to
+.Em block
+the signal temporarily, delivery is postponed until the process
+later unblocks that signal.
+Otherwise, the signal is
+.Em delivered ,
+meaning that whatever the process is doing is interrupted in order to
+react to the signal.
+(Note that processes that are waiting in the kernel must unwind what
+they are doing for signals to be delivered.
+This can sometimes be expensive.
+See
+.Xr sigaction 2
+for further information.)
+.Pp
+If the process has elected to
+.Em catch
+the signal, which means that the process has installed a handler to
+react to the signal in some process-specific way, the kernel arranges
+for the process's handler logic to be invoked.
+This is always done in a way that allows the process to resume if
+desired.
+(Note, however, that some signals may not be caught.)
+Otherwise, the default action for the signal is taken.
+For most signals the default action is to terminate the process and
+generate a core dump.
+See the table below.
+Note that the term
+.Em delivery
+is also used for the specific process of arranging for a signal
+handler to be invoked.
+.Pp
+In general, signals are delivered as soon as they are posted.
+(Some delays may occur due to scheduling.)
+However, in some cases a process that has been sleeping in the kernel
+may need to do slow things as part of unwinding its state; this can
+sometimes lead to human-perceptible delays.
+.Pp
+Also, some sleep states within the kernel are
+.Em uninterruptible
+meaning that signals posted will have no effect until the state
+clears.
+These states are supposed to be short-term only, but sometimes kernel
+bugs make this not the case and one can end up with unkillable
+processes.
+Such processes appear in state "D" in
+.Xr ps 1 .
+In general the only way to get rid of them is to reboot.
+(However, when the "wchan" reported is "tstile", it means the process
+is waiting for some other process to release resources; sometimes if
+one can find and kill that process the situation is recoverable.)
+.Ss Signal list
+The following signals are defined in
+.Nx :
+.Pp
+.Bl -column ".Sy SIGVTALRM" 3n "Profiling timer expired blablabla" -compact
+.\".It Sy "Symbol" Ta No Ta Sy "Descriptive name"
+.It Dv SIGHUP Ta 1 Ta "Hangup"
+.It Dv SIGINT Ta 2 Ta "Interrupt"
+.It Dv SIGQUIT Ta 3 Ta "Quit"
+.It Dv SIGILL Ta 4 Ta "Illegal instruction"
+.It Dv SIGTRAP Ta 5 Ta "Trace/BPT trap"
+.It Dv SIGABRT Ta 6 Ta "Abort trap"
+.It Dv SIGEMT Ta 7 Ta "EMT trap"
+.It Dv SIGFPE Ta 8 Ta "Floating point exception"
+.It Dv SIGKILL Ta 9 Ta "Killed"
+.It Dv SIGBUS Ta 10 Ta "Bus error"
+.It Dv SIGSEGV Ta 11 Ta "Segmentation fault"
+.It Dv SIGSYS Ta 12 Ta "Bad system call"
+.It Dv SIGPIPE Ta 13 Ta "Broken pipe"
+.It Dv SIGALRM Ta 14 Ta "Alarm clock"
+.It Dv SIGTERM Ta 15 Ta "Terminated"
+.It Dv SIGURG Ta 16 Ta "Urgent I/O condition"
+.It Dv SIGSTOP Ta 17 Ta "Suspended (signal)"
+.It Dv SIGTSTP Ta 18 Ta "Suspended"
+.It Dv SIGCONT Ta 19 Ta "Continued"
+.It Dv SIGCHLD Ta 20 Ta "Child exited, stopped or continued"
+.It Dv SIGTTIN Ta 21 Ta "Stopped (tty input)"
+.It Dv SIGTTOU Ta 22 Ta "Stopped (tty output)"
+.It Dv SIGIO Ta 23 Ta "I/O possible"
+.It Dv SIGXCPU Ta 24 Ta "CPU time limit exceeded"
+.It Dv SIGXFSZ Ta 25 Ta "File size limit exceeded"
+.It Dv SIGVTALRM Ta 26 Ta "Virtual timer expired"
+.It Dv SIGPROF Ta 27 Ta "Profiling timer expired"
+.It Dv SIGWINCH Ta 28 Ta "Window size changed"
+.It Dv SIGINFO Ta 29 Ta "Information request"
+.It Dv SIGUSR1 Ta 30 Ta "User defined signal 1"
+.It Dv SIGUSR2 Ta 31 Ta "User defined signal 2"
+.It Dv SIGPWR Ta 32 Ta "Power fail/restart"
+.El
+.Pp
+These are numbered 1 to 32.
+(There is no signal 0; 0 is a reserved value that can be used as a
+no-op with some signal operations.)
+.Pp
+Detailed descriptions of these signals follow.
+.Bl -tag -width "aaa"
+.\" ************
+.It Dv SIGHUP No (Hangup)
+This signal is generated by the
+.Xr tty 4
+driver
+to indicate a hangup condition on a process's controlling terminal:
+the user has disconnected.
+Accordingly, the default action is to terminate the process.
+This signal is also used by many daemons,
+such as
+.Xr inetd 8 ,
+as a cue to reload configuration.
+The number for
+.Dv SIGHUP
+is\~1, which is quite well known.
+.\" ************
+.It Dv SIGINT No (Interrupt)
+This signal is generated by the
+.Xr tty 4
+driver
+when the user presses the interrupt character, normally control-C.
+The default action is to terminate the process.
+The number for
+.Dv SIGINT
+is\~2.
+.\" ************
+.It Dv SIGQUIT No (Quit)
+This signal is generated by the
+.Xr tty 4
+driver
+when the user presses the quit character, normally control-backspace.
+The default action is to terminate the process and dump core.
+The number for
+.Dv SIGQUIT
+is\~3.
+.\" ************
+.It Dv SIGILL No (Illegal instruction)
+This signal is generated synchronously by the kernel when the process
+executes an invalid instruction.
+The default action is to terminate the process and dump core.
+Note: the results of executing an illegal instruction when
+.Dv SIGILL
+is blocked or ignored are formally unspecified.
+The number for
+.Dv SIGILL
+is\~4.
+.\" ************
+.It Dv SIGTRAP No (Trace/BPT trap)
+This signal is used when a process is being traced
+(see
+.Xr ptrace 2 )
+to indicate that the process has stopped at a breakpoint or after
+single-stepping.
+It is normally intercepted by the debugger and not exposed to the
+debuggee.
+The default action is to terminate the process and dump core.
+The number for
+.Dv SIGTRAP
+is\~5.
+.\" ************
+.It Dv SIGABRT No (Abort trap)
+This signal is generated when the
+.Xr abort 3
+standard library function is called.
+The default action is to terminate the process and dump core.
+The number for
+.Dv SIGABRT
+is\~6.
+This number was also formerly used for
+.Dv SIGIOT ,
+which is no longer defined,
+as it was specific to the PDP-11 instruction
+.Dv iot .
+.\" ************
+.It Dv SIGEMT No (EMT trap)
+In theory this signal is generated when an instruction needs to be
+emulated.
+.\"   XXX expand this -- I don't know, grep isn't helping much and
+.\"   information seems pretty thin on the ground on the net.
+The default action is to terminate the process and dump core.
+The number for
+.Dv SIGEMT
+is\~7.
+.\" ************
+.It Dv SIGFPE No (Floating point exception)
+This signal is generated when an invalid floating point operation is
+detected by hardware or by a soft-float library.
+The default action is to terminate the process and dump core.
+The number for
+.Dv SIGFPE
+is\~8.
+.\" ************
+.It Dv SIGKILL No (Killed)
+This signal cannot be caught or ignored.
+The (unconditional) action is to terminate the process.
+It is most often sent by system administrators, but is also generated
+by the kernel in response to running completely out of memory and
+swap space.
+Note that because many processes need to perform cleanup before
+exiting, it is usually best (as a user or administrator) to not deploy
+.Dv SIGKILL
+until a process has failed to respond to other signals.
+The number for
+.Dv SIGKILL
+is\~9, which is extremely well known.
+.\" ************
+.It Dv SIGBUS No (Bus error)
+This signal is generated synchronously by the kernel when the process
+performs certain kinds of invalid memory accesses.
+The most common cause of
+.Dv SIGBUS
+is an unaligned memory access; however, on some architectures it may
+cover other memory conditions, such as attempts to access memory
+belonging to the kernel.
+The default action is to terminate the process and dump core.
+Note: the results of performing such invalid accesses when
+.Dv SIGBUS
+is blocked or ignored are formally unspecified.
+The number for
+.Dv SIGBUS
+is\~10.
+.\" ************
+.It Dv SIGSEGV No (Segmentation fault)
+This signal is generated synchronously by the kernel when the process
+attempts to access unmapped memory, or access memory in a manner that
+the protection settings for that memory region do not permit.
+On some architectures other assorted permission or protection errors
+also yield
+.Dv SIGSEGV .
+On
+.Nx ,
+passing invalid pointers to system calls will yield failure with
+.Er EFAULT
+but not also
+.Dv SIGSEGV .
+The default action is to terminate the process and dump core.
+Note: the results of an invalid memory access when
+.Dv SIGSEGV
+is blocked or ignored are formally unspecified.
+The number for
+.Dv SIGSEGV
+is\~11, which is very well known.
+.\" ************
+.It Dv SIGSYS No (Bad system call)
+This signal is generated by the kernel, in addition to failing with
+.Er ENOSYS ,
+when a system call is made using an invalid system call number.
+.\" (This facility was intended to facilitate emulation of system calls.)
+The default action is to terminate the process and dump core.
+The number for
+.Dv SIGSYS
+is\~12.
+.\" ************
+.It Dv SIGPIPE No (Broken pipe)
+This signal is generated by the kernel, in addition to failing with
+.Er EPIPE ,
+when a
+.Xr write 2
+call or similar is made on a pipe or socket that has been closed and
+has no readers.
+The default action is to terminate the process.
+The number for
+.Dv SIGPIPE
+is\~13.
+.\" ************
+.It Dv SIGALRM No (Alarm clock)
+This signal is generated by the kernel when a real-time timer expires.
+See
+.Xr alarm 3 ,
+.Xr setitimer 2 ,
+and
+.Xr timer_settime 2 .
+The default action is to terminate the process.
+The number for
+.Dv SIGALRM
+is\~14.
+.\" ************
+.It Dv SIGTERM No (Terminated)
+This signal is the default signal sent by
+.Xr kill 1
+and represents a user or administrator request that a program shut
+down.
+It is sent to all processes as part of the
+.Xr shutdown 8
+procedure.
+The default action is to terminate the process.
+The number for
+.Dv SIGTERM
+is\~15.
+.\" ************
+.It Dv SIGURG No (Urgent I/O condition)
+This signal is generated when an ``urgent condition'' exists on a
+socket.
+In practice this means when
+.Xr tcp 4
+out-of-band data has arrived.
+The default action is to do nothing.
+The number for
+.Dv SIGURG
+is\~16.
+.\" ************
+.It Dv SIGSTOP No (Suspended (signal))
+This signal cannot be caught or ignored.
+The (unconditional) action is to stop the process.
+Note that like with
+.Dv SIGKILL
+(and for similar reasons) it is best to not send this signal until a
+process has failed to respond to
+.Dv SIGTSTP .
+It can also be used by processes to stop themselves after catching
+.Dv SIGTSTP .
+A process that is explicitly stopped will not run again until told to
+with
+.Dv SIGCONT .
+The number for
+.Dv SIGSTOP
+is\~17.
+.\" ************
+.It Dv SIGTSTP No (Suspended)
+This signal is generated by the
+.Xr tty 4
+driver
+when the user presses the stop character, normally control-Z.
+The default action is to stop the process.
+The number for
+.Dv SIGTSTP
+is\~18.
+.\" ************
+.It Dv SIGCONT No (Continued)
+This signal is generated by the job-control feature of shells to
+manage processes.
+It causes the target process to start executing again after previously
+being stopped.
+This happens as a magic extra effect
+.Nm before
+the signal is actually delivered.
+The default action when the signal is delivered is to do nothing (else).
+The number for
+.Dv SIGCONT
+is\~19.
+.\" ************
+.It Dv SIGCHLD No (Child exited, stopped or continued)
+This signal is generated by the kernel when one of a process's
+immediate children exits and can be waited for using one of the
+.Xr wait 2
+family of functions.
+The default action is to do nothing.
+.Pp
+As a special case, if a child exits when its parent process has
+.Dv SIGCHLD
+ignored
+.Pq not merely blocked
+by having its signal handler set to
+.Dv SIG_IGN ,
+or if the signal action has the
+.Dv SA_NOCLDWAIT
+flag set
+.Pq Xr sigaction 2 ,
+then the child is detached so that
+.Xr wait 2
+in the parent will wait for
+.Em all
+children to exit and then fail with
+.Er ECHILD
+without returning any information about any specific child processes.
+.Pp
+The number for
+.Dv SIGCHLD
+is\~20.
+This signal was spelled
+.Dv SIGCLD
+in old System V versions and today many systems provide both
+spellings.
+.\" ************
+.It Dv SIGTTIN No (Stopped (tty input))
+This signal is generated by the
+.Xr tty 4
+driver
+when a process that is not in the foreground of its controlling
+terminal attempts to read from this terminal.
+The default action is to stop the process.
+The number for
+.Dv SIGTTIN
+is\~21.
+.\" ************
+.It Dv SIGTTOU No (Stopped (tty output))
+This signal is generated by the
+.Xr tty 4
+driver
+when a process that is not in the foreground of its controlling
+terminal attempts to write to this terminal, if the terminal is
+configured accordingly, which is not the default.
+(See
+.Xr termios 4 . )
+The default action is to stop the process.
+The number for
+.Dv SIGTTOU
+is\~22.
+.\" ************
+.It Dv SIGIO No (I/O possible)
+This signal is sent by the kernel when I/O becomes possible on a file
+handle opened for asynchronous access with
+.Dv O_ASYNC .
+See
+.Xr open 2
+and
+.Xr fcntl 2 .
+The default action is to do nothing.
+The number for
+.Dv SIGIO
+is\~23.
+.\" ************
+.It Dv SIGXCPU No (CPU time limit exceeded)
+This signal is sent by the kernel when the amount of CPU time consumed
+exceeds the configured limit.
+See
+.Xr setrlimit 2
+and the
+.Ic ulimit
+and
+.Ic rlimit
+builtins of
+.Xr sh 1
+and
+.Xr csh 1
+respectively.
+The default action is to terminate the process.
+The number for
+.Dv SIGXCPU
+is\~24.
+.\" ************
+.It Dv SIGXFSZ No (File size limit exceeded)
+This signal is sent by the kernel when a write causes the size of a
+file to exceed the configured limit.
+See
+.Xr setrlimit 2
+and the
+.Ic ulimit
+and
+.Ic rlimit
+builtins of
+.Xr sh 1
+and
+.Xr csh 1
+respectively.
+The default action is to terminate the process.
+The number for
+.Dv SIGXFSZ
+is\~25.
+.\" ************
+.It Dv SIGVTALRM No (Virtual timer expired)
+This signal is generated by the kernel when a virtual-time (process
+execution time) timer expires.
+See
+.Xr setitimer 2
+and
+.Xr timer_settime 2 .
+The default action is to terminate the process.
+The number for
+.Dv SIGVTALRM
+is\~26.
+.\" ************
+.It Dv SIGPROF No (Profiling timer expired)
+This signal is generated by the kernel when a profiling timer
+expires.
+See
+.Xr setitimer 2
+and
+.Xr timer_settime 2 .
+The default action is to terminate the process.
+The number for
+.Dv SIGPROF
+is\~27.
+.\" ************
+.It Dv SIGWINCH No (Window size changed)
+This signal is generated by the
+.Xr tty 4
+driver
+when the stored window size of the process's controlling terminal has
+changed.
+The default action is to do nothing.
+The number for
+.Dv SIGWINCH
+is\~28.
+.\" ************
+.It Dv SIGINFO No (Information request)
+This signal is generated by the
+.Xr tty 4
+driver
+when the user presses the status request character, normally
+control-T.
+The default action is to do nothing.
+The number for
+.Dv SIGINFO
+is\~29.
+.\" ************
+.It Dv SIGUSR1 No (User defined signal 1)
+This signal is not generated by the system and is made available for
+applications to use for their own purposes.
+Many daemons use it for restart or reload requests of various types.
+The default action is to terminate the process.
+The number for
+.Dv SIGUSR1
+is\~30.
+.\" ************
+.It Dv SIGUSR2 No (User defined signal 2)
+This signal is not generated by the system and is made available for
+applications to use for their own purposes.
+The default action is to terminate the process.
+The number for
+.Dv SIGUSR2
+is\~31.
+.\" ************
+.It Dv SIGPWR No (Power fail/restart)
+This signal is notionally sent by the kernel or by a privileged
+monitor process when an external power failure is detected, and again
+when power has been restored.
+Currently
+.Nx
+does not in fact send
+.Dv SIGPWR ,
+although it is possible to prepare a custom configuration for
+.Xr powerd 8
+that does so.
+The default action is to do nothing.
+The number for
+.Dv SIGPWR
+is\~32.
+.\" ************
+.El
+.Ss Shell Interface
+Signals may be sent with the
+.Xr kill 1
+utility, either by number or the symbolic name without the ``SIG'' part.
+This utility is built into many shells to allow addressing job control
+jobs.
+.Ss Program Interface
+In C code signals may be sent using
+.Xr raise 3 ,
+.Xr kill 2 ,
+.Xr pthread_kill 3 ,
+and some other related functions.
+.Pp
+Signals may be caught or ignored using
+.Xr sigaction 2
+or the simpler
+.Xr signal 3 ,
+and blocked using
+.Xr sigprocmask 2 .
+.Sh STANDARDS
+The
+.Dv SIGTRAP ,
+.Dv SIGEMT ,
+.Dv SIGBUS ,
+.Dv SIGSYS ,
+.Dv SIGURG ,
+.Dv SIGIO ,
+.Dv SIGXCPU ,
+.Dv SIGXFSZ ,
+.Dv SIGVTALRM ,
+.Dv SIGPROF ,
+.Dv SIGWINCH ,
+and
+.Dv SIGINFO
+signals are long-existing Berkeley extensions, available on most
+.Bx Ns \-derived
+systems.
+The
+.Dv SIGPWR
+signal comes from System V.
+.Pp
+The remaining signals conform to
+.St -p1003.1-90 .
+.Sh HISTORY
+.Dv SIGPWR
+was introduced in
+.Nx 1.4 .
diff --git a/static/netbsd/man7/src.7 b/static/netbsd/man7/src.7
new file mode 100644
index 00000000..ba15b9c9
--- /dev/null
+++ b/static/netbsd/man7/src.7
@@ -0,0 +1,362 @@
+.\" $NetBSD: src.7,v 1.17 2022/08/21 07:10:03 lukem Exp $
+.\"
+.\" Copyright (c) 2012, 2013 Mingzhe Wang and Elvira Khabirova.
+.\"	All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.Dd May 14, 2020
+.Dt SRC 7
+.Os
+.Sh NAME
+.Nm src
+.Nd layout of NetBSD sources
+.Sh DESCRIPTION
+An outline of the
+.Nx
+source code hierarchy.
+.Bl -tag -width "external/"
+.It Pa bin/
+Critical utilities for the system and users.
+.It Pa sbin/
+Critical utilities for the system and the superuser.
+.It Pa usr.bin/
+Not-so critical utilities for the system and users.
+.It Pa usr.sbin/
+Not-so critical utilities for the system and the superuser.
+.It Pa common/
+Sources shared between kernel and userland.
+.Bl -tag -width "include/" -compact
+.It Pa dist/
+Utilities.
+Every utility has its own subdirectory,
+where its source and Makefile are located.
+.It Pa include/
+Include headers.
+Every group of header files has its own
+subdirectory, where it and its
+Makefile are located.
+.It Pa lib/
+Libraries.
+Every library has its own subdirectory,
+where it and its Makefile are located.
+.El
+.It Pa compat/
+A framework to (re)build the libraries
+shipped with
+.Nx
+for different ABI than the default for
+that platform.
+.Bl -tag -width "compat/<arch1>/<arch2>/" -compact
+.It Pa compat/<arch1>/<arch2>/
+Every
+.Pa compat/<arch1>/<arch2>/
+directory contains a Makefile and a makefile
+fragment for building an
+.Pa <arch2>
+compat libraries for
+.Pa <arch1> .
+For example,
+.Pa compat/amd64/i386/
+is where the 32-bit compat libraries for the
+amd64 port are being built.
+.It Pa compatsubdir.mk
+The list of subdirectories (the libraries and
+ld.elf_so) to build with this ABI.
+.It Pa archdirs.mk
+The list of subdirectories for each port.
+.It Pa Makefile.compat
+The basic framework to force the right paths for
+library and ld.elf_so linkage.
+.It Pa dirshack/Makefile
+A hack to get objdirs created timely.
+.El
+.It Pa crypto/
+Cryptographic source, which may have import or
+export restrictions.
+.Bl -tag -width "external/" -compact
+.It Pa dist/
+Original sources.
+This is deprecated;
+.Pa crypto/external/
+should be used instead.
+.It Pa external/
+Original sources, grouped by license, and then
+package per license.
+.Pa crypto/external/<license>/<package>/dist/
+contain original sources for given package;
+other directories contain Makefiles and
+given package's config files.
+.El
+.It Pa dist/
+Unmodified sources from third parties.
+This is deprecated;
+.Pa external/
+should be used instead.
+.It Pa distrib/
+Tools and data-files for making distributions.
+.Bl -tag -width "distrib/notes/<arch>/" -compact
+.It Pa <arch>/
+Architecture-specific files, grouped by
+image type.
+For example,
+.Pa distrib/<arch>/floppies/
+contains Makefiles for making images for
+various types of floppies;
+.Pa <arch>/ramdisk/
+contains makefiles for making ramdisks etc.
+.It Pa cdrom/
+Was used to create bootable CD images.
+This is deprecated;
+.Pa build.sh
+\'s
+.Pa iso-image
+target should be used instead.
+.It Pa common/
+Common files for images generation.
+.It Pa miniroot/
+Files for miniroot.
+.It Pa notes/<arch>
+Architecture-specific parts of release notes.
+.It Pa sets/
+Scripts for making file sets.
+.It Pa utils/
+Utilities for installation ramdisk.
+.El
+.It Pa doc/
+Development documentation files: changelogs,
+build readmes etc.
+.Pa doc/roadmaps/
+contains roadmaps.
+.It Pa etc/
+Default configuration files to be put into
+.Pa /etc .
+.Bl -tag -width "compat/<arch1>/<arch2>/" -compact
+.It Pa etc/etc.<arch>/
+Architecture-specific config files.
+.El
+.It Pa external/
+Unmodified sources from third parties,
+grouped by license.
+Every
+.Pa external/<license>/<package>/
+may contain:
+.Bl -tag -width "usr.sbin/" -compact
+.It Pa dist/
+Unmodified third party source for a given package
+.It Pa bin/
+.It Pa usr.bin/
+.It Pa usr.sbin/
+.It etc.
+Such subdirectories contain reachover Makefiles,
+README's and various import helper scripts.
+For example,
+.Pa external/public-domain/
+contains
+sources licensed under Public Domain
+license;
+.Pa external/public-domain/sqlite/dist/
+contains original sources;
+.Pa external/public-domain/sqlite/bin/ ,
+.Pa external/public-domain/sqlite/lib/
+and
+.Pa external/public-domain/sqlite/
+itself contain reachover Makefiles.
+.El
+.It Pa games/
+Sources for utilities/files in
+.Pa /usr/games ;
+each utility has its own subdirectory, where
+its sources and Makefiles are located.
+.It Pa include/
+Files to be put into
+.Pa /usr/include .
+.It Pa lib/
+Source for libraries in
+.Pa /usr/lib
+and some scripts for them.
+Every directory contains source for given library
+and Makefiles.
+.It Pa libexec/
+Source for utilities in
+.Pa /usr/libexec .
+Every directory contains source for given utility
+and Makefiles.
+.It Pa regress/
+Various regression tests in
+.Pa /usr/tests .
+This is deprecated; most tests are being migrated
+into
+.Pa tests/
+once they are migrated to the
+.Xr atf 7
+test framework.
+.It Pa rescue/
+Makefiles for copying utilities to
+.Pa /rescue .
+.It Pa share/
+Source for utilities/files in
+.Pa /usr/share .
+Every utility has its own subdirectory,
+where its source and Makefile are located.
+.It Pa sys/
+Kernel source.
+.Bl -tag -width "opencrypto/" -compact
+.It Pa altq/
+Network packet alternate queueing.
+.It Pa arch/
+Files to specific hardware platforms.
+.It Pa coda/
+Coda file system driver.
+.It Pa compat/
+Support for older version
+.Nx
+binaries and
+.Pf non- Nx
+binaries.
+.It Pa conf/
+Misc files for building kernel.
+.It Pa crypto/
+Crypt algorithms used by IPsec.
+.It Pa ddb/
+Client code for local kernel debugger.
+.It Pa dev/
+Device drivers.
+.It Pa dist/
+Parent directory for the
+.Ox
+packet filter
+.Xr pf 4 .
+.It Pa external/
+Sources from third parties, grouped by license.
+.It Pa fs/
+File systems storing data on physical drives.
+.It Pa gdbscripts/
+.Xr gdb 1
+macros.
+.It Pa kern/
+.Nx Ap s
+Kernel code, such as resource management, signal delivering, etc.
+.It Pa lib/
+Libraries used by the kernel.
+.It Pa miscfs/
+Drivers for file systems used to store layered data for kernel features.
+.It Pa modules/
+Kernel components, including hardware specific drivers and upper-level drivers.
+.It Pa net/
+Lowlevel network: protocol drivers, packet filters and access interfaces for NICs.
+.It Pa net80211/
+Drivers for 802.11 wireless network.
+.It Pa netatalk/
+Appletalk protocol stack
+.Xr atalk 4 .
+.It Pa netbt/
+Bluetooth stack
+.Xr bluetooth 4 .
+.It Pa netcan/
+Controller Area Network stack
+.Xr can 4 .
+.It Pa netinet/
+IPv4 protocol stack
+.Xr ip 4 .
+.It Pa netinet6/
+IPv6 protocol stack.
+.It Pa netipsec/
+IPsec protocol stack
+.Xr ipsec 4 .
+.It Pa netmpls/
+MPLS protocol stack
+.Xr mpls 4 .
+.It Pa nfs/
+Network file system driver.
+.It Pa opencrypto/
+Cryptographic hardware framework
+.Xr opencrypto 9 .
+.It Pa rump/
+Rump kernel
+.Xr rump 3 .
+.It Pa secmodel/
+Security model framework
+.Xr secmodel 9 .
+.It Pa stand/
+Source for several standalone programs that aren't used by
+.Nx
+currently.
+.It Pa sys/
+Header files that get installed into
+.Pa /usr/include/sys .
+.It Pa ufs/
+UFS file system driver.
+.It Pa uvm/
+Virtual memory manager.
+.El
+.It Pa tests/
+Source for test programs in
+.Pa /usr/tests .
+These tests use the
+.Xr atf 7
+test framework.
+For library routines, including system calls, the
+directory structure of the tests should follow the
+directory structure of the real source tree.
+For instance, interfaces available via the C
+library should follow:
+.Pa src/lib/libc/gen -> Pa src/tests/lib/libc/gen ,
+.Pa src/lib/libc/sys -> Pa src/tests/lib/libc/sys ,
+etc.
+Equivalently, all tests for userland utilities
+should try to follow their location in the source tree.
+If this can not be satisfied, the tests for
+a utility should be located under the directory to which
+the utility is installed.
+Thus, a test for
+.Xr env 1
+should go to
+.Pa src/tests/usr.bin/env .
+Likewise, a test for
+.Xr tcpdump 8
+should be in
+.Pa src/tests/usr.sbin/tcpdump ,
+even though the source code for the program is located under
+.Pa src/external .
+.It Pa tools/
+Reachover build structure for the host build tools.
+Every utility has its own directory, where its Makefile
+is located.
+.It Pa x11/
+Reachover build structure for X11R7; the source is in
+.Pa X11SRCDIR .
+The directory structure copies the system\'s;
+every directory contains a Makefile.
+.El
+.Sh SEE ALSO
+.Xr hier 7
+.Sh HISTORY
+This file was created as a part of Google Code-in 2012/2013.
+.Sh AUTHORS
+.An -nosplit
+This manpage was written by
+.An Elvira Khabirova Aq Mt skinder0@gmail.com ,
+the
+.Pa sys/
+part by
+.An Mingzhe Wang .
diff --git a/static/netbsd/man7/stack.7 b/static/netbsd/man7/stack.7
new file mode 100644
index 00000000..86c2fa0b
--- /dev/null
+++ b/static/netbsd/man7/stack.7
@@ -0,0 +1,293 @@
+.\"	$NetBSD: stack.7,v 1.8 2026/04/23 20:09:46 uwe Exp $
+.\"
+.\" Copyright (c) 2023 The NetBSD Foundation, Inc.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd April 23, 2026
+.Dt STACK 7
+.Os
+.Sh NAME
+.Nm stack
+.Nd layout of program execution stack memory
+.Sh DESCRIPTION
+When executing a program, with the
+.Xr execve 2
+or
+.Xr posix_spawn 3
+families of system calls,
+.Nx
+reserves a region in the new program image's virtual address space for
+the
+.Em stack ,
+which stores return addresses and local variables for nested procedure
+calls in program execution.
+Similarly, threads created with
+.Xr pthread_create 3
+have regions allocated for per-thread stacks.
+.Pp
+The stack grows from the
+.Em base ,
+where information of the outermost procedure call is stored, fixed at
+program start, to the
+.Em stack pointer ,
+a
+.Tn CPU
+register that points to information used by the current procedure call,
+varying during execution as procedures are called.
+.Pp
+On most architectures, the stack base is at higher-numbered virtual
+addresses and the stack pointer is at lower-numbered virtual addresses
+\(em on these architectures,
+.Em the stack grows down .
+On some other architectures, notably
+.Tn HP PA-RISC
+.Pq Sq hppa ,
+the stack base is at lower-numbered virtual addresses and the stack
+pointer is at higher-numbered virtual addresses, so on those
+architectures
+.Em the stack grows up .
+.Pp
+In the kernel, the C preprocessor macro
+.Dv __HAVE_MACHINE_STACK_GROWS_UP
+is defined in
+.In machine/types.h
+on architectures where the stack grows up.
+.Ss Main thread
+For single-threaded programs, and for the main thread of multi-threaded
+programs,
+.Nx
+reserves virtual addresses as follows on architectures where the stack
+grows
+.Em down :
+.Bd -literal -offset indent
++--------------------+ USRSTACK
+| ASLR stack gap     |
++--------------------+ stack base
+| accessible pages   |
+| .                  |
+| .                  | <-- stack pointer
+| .                  |      (varies during execution)
+| V                  |
++--------------------+ (stack base) - (soft stack rlimit)
+| inaccessible pages |
++--------------------+ (stack base) - (hard stack rlimit)
+| guard/redzone      |
++--------------------+ USRSTACK - MAXSSIZ
+.Ed
+.Pp
+On architectures where the stack grows
+.Em up ,
+the layout is:
+.Bd -literal -offset indent
++--------------------+ USRSTACK + MAXSSIZ
+| guard/redzone      |
++--------------------+ (stack base) + (hard stack rlimit)
+| inaccessible pages |
++--------------------+ (stack base) + (soft stack rlimit)
+| \(ha                  |
+| .                  | <-- stack pointer
+| .                  |       (varies during execution)
+| .                  |
+| accessible pages   |
++--------------------+ stack base
+| ASLR stack gap     |
++--------------------+ USRSTACK
+.Ed
+.Bl -bullet
+.It
+The
+.Em stack guard
+is allocated so that any access \(em read, write, or execute \(em will
+deliver
+.Dv SIGSEGV
+to the process.
+This serves to detect stack overflow and crash rather than silently
+overwrite other memory in the program's virtual address space.
+The size of the stack guard is tuned by the
+.Li vm.guard_size
+.Xr sysctl 7
+knob.
+.Pp
+The stack guard is also sometimes known as the
+.Sq redzone
+or
+.Sq red zone ,
+although the term
+.Sq red zone
+is also sometimes used to mean a fixed space
+.Em above
+the stack pointer (in the direction of stack growth) that the system
+guarantees it will not overwrite when calling a signal handler in the
+.Tn ABI
+of some architectures; see also
+.Xr sigaltstack 2
+to specify an alternate stack base for the kernel to use when invoking
+signal handlers on signal delivery.
+.It
+The
+.Em inaccessible pages
+of the stack region are allocated so that any access will also deliver
+.Dv SIGSEGV
+to the process, but they can be made accessible by changing the soft
+stack rlimit with
+.Xr setrlimit 2 .
+.It
+The
+.Em accessible pages
+of the stack region are allocated with read/write access permitted, and
+are used to store the actual data in the program stack.
+.It
+When
+.Tn PaX ASLR ,
+address space layout randomization, is enabled, the
+.Em stack gap
+is an
+.Em unallocated
+space of a size chosen unpredictably at random at program startup time.
+When
+.Tn PaX ASLR
+is disabled, the stack gap is empty.
+.El
+.Pp
+All of the boundaries \(em
+.Dv USRSTACK ,
+the stack base, and the boundaries between the accessible,
+inaccessible, and guard pages \(em are page-aligned, or rounded to be
+page-aligned even if the rlimits are not themselves page-aligned,
+rounding so that the sizes of the regions do not exceed the rlimits.
+.Pp
+The stack base is exposed to programs via the
+.Dv AT_STACKBASE
+.Xr elf 5
+auxiliary info vector entry.
+.Pp
+The per-architecture constants
+.Dv USRSTACK
+and
+.Dv MAXSSIZ
+are defined in
+.In machine/vmparam.h .
+.Ss Non-main threads
+Threads created with
+.Xr pthread_create 3
+have stacks allocated at dynamically chosen addresses outside the main
+thread's stack region by default, and their stacks cannot be resized
+after creation.
+On architectures where the stack grows
+.Em down ,
+the layout is:
+.Bd -literal -offset indent
++--------------------+ stack base = stackaddr + stacksize
+| stack              |
+| .                  |
+| .                  | <-- stack pointer
+| .                  |       (varies during execution)
+| V                  |
++--------------------+ stackaddr
+| guard/redzone      |
++--------------------+ stackaddr - guardsize
+.Ed
+.Pp
+On architectures where the stack grows
+.Em up ,
+the layout is:
+.Bd -literal -offset indent
++--------------------+ stackaddr + stacksize + guardsize
+| guard/redzone      |
++--------------------+ stackaddr + stacksize
+| \(ha                  |
+| .                  | <-- stack pointer
+| .                  |       (varies during execution)
+| .                  |
+| stack              |
++--------------------+ stack base = stackaddr
+.Ed
+.Pp
+The parameters stackaddr, stacksize, and guardsize can be obtained from
+an existing thread using
+.Xr pthread_getattr_np 3 ,
+.Xr pthread_attr_getguardsize 3 ,
+and the
+.Xr pthread_attr_getstack 3
+family of functions.
+.Pp
+When creating a thread, the stack can be manually allocated and the
+parameters can be set using
+.Xr pthread_attr_setguardsize 3
+and the
+.Xr pthread_attr_setstack 3
+family of functions.
+However, the stack parameters cannot be changed after thread creation.
+The default guard size is tuned by the
+.Li vm.thread_guard_size
+.Xr sysctl 7
+knob.
+.Pp
+For the main thread,
+.Xr pthread_getattr_np 3
+returns a
+.Em snapshot
+of the parameters as they existed at program startup, so that stackaddr
+and stacksize reflect the current accessible pages of the stack, and
+guardsize is the value of the
+.Li vm.guard_size
+.Xr sysctl 7
+knob at the time of program startup.
+.Po
+Note that this means the
+.Xr pthread 3
+view of the main thread's stack guard may not coincide with the actual
+stack guard \(em it may overlap with, or lie entirely in, the
+inaccessible pages of the stack reserved on program start.
+.Pc
+However, if the program changes its soft stack rlimit with
+.Xr setrlimit 2 ,
+this snapshot may become stale.
+.Sh SEE ALSO
+.Xr execve 2 ,
+.Xr mmap 2 ,
+.Xr mprotect 2 ,
+.Xr sigaltstack 2 ,
+.Xr ucontext 2 ,
+.Xr posix_spawn 3 ,
+.Xr pthread 3 ,
+.Xr security 7 ,
+.Xr sysctl 7 ,
+.Xr paxctl 8
+.Sh BUGS
+.Tn PaX ASLR
+doesn't actually guarantee an accessible stack reservation of length
+equal to the soft stack rlimit \(em owing to a bug (XXX which PR
+number?),
+.Nx
+may sometimes reserve less space than the soft rlimit, in which case
+the accessible pages of the stack cannot be extended.
+.Pp
+There is a race between the kernel's access of
+.Li vm.guard_size
+at exec time, and userland's access of
+.Li vm.guard_size
+in
+.Xr pthread 3
+initialization.
diff --git a/static/netbsd/man7/sticky.7 b/static/netbsd/man7/sticky.7
new file mode 100644
index 00000000..d9cda3a0
--- /dev/null
+++ b/static/netbsd/man7/sticky.7
@@ -0,0 +1,112 @@
+.\"	$NetBSD: sticky.7,v 1.7 2024/02/08 20:11:55 andvar Exp $
+.\"
+.\" Copyright (c) 1980, 1991, 1993
+.\"	The Regents of the University of California.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. Neither the name of the University nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"     @(#)sticky.8	8.1 (Berkeley) 6/5/93
+.\"
+.Dd May 10, 2011
+.Dt STICKY 7
+.Os
+.Sh NAME
+.Nm sticky
+.Nd Description of the `sticky' (S_ISVTX) bit functionality
+.Sh DESCRIPTION
+A special file mode, called the
+.Em sticky bit
+(mode
+.Dv S_ISVTX ) ,
+is used to indicate special treatment for directories.
+See
+.Xr chmod 2
+or the file
+.Pa /usr/include/sys/stat.h
+.Ss Sticky files
+For regular files, the use of mode
+.Dv S_ISVTX
+is reserved and can be set only by the super-user.
+.Nx
+does not currently treat regular files that have the sticky bit set
+specially, but this behavior might change in the future.
+.Ss Sticky directories
+A directory whose
+.Dq sticky bit
+is set becomes a
+directory in which the deletion of files is restricted.
+A file in a sticky directory may only be removed or renamed
+by a user if the user has write permission for the directory and
+the user is the owner of the file, the owner of the directory,
+or the super-user.
+This feature is usefully applied to directories such as
+.Pa /tmp
+which must be publicly writable but should deny users the license
+to arbitrarily delete or rename each others' files.
+.Pp
+Any user may create a sticky directory.
+See
+.Xr chmod 1
+for details about modifying file modes.
+.Sh HISTORY
+The sticky bit first appeared in V7, and this manual page appeared
+in section 8.
+Its initial use was to mark shareable executables
+that were frequently used so that they would stay in swap after
+the process exited.
+Shareable executables were compiled in a special way so their text
+and read-only data could be shared amongst processes.
+.Xr vi 1
+and
+.Xr sh 1
+were such executables.
+This is where the term
+.Dq sticky
+comes from - the program would stick around in swap, and it would
+not have to be fetched again from the file system.
+Of course as long as there was a copy in the swap area, the file
+was marked busy so it could not be overwritten.
+On V7 this meant that the file could not be removed either, because
+busy executables could not be removed, but this restriction was
+lifted in BSD releases.
+.Pp
+To replace such executables was a cumbersome process.
+One had first to remove the sticky bit, then execute the binary so
+that the copy from swap was flushed, overwrite the executable, and
+finally reset the sticky bit.
+.Pp
+Later, on SunOS 4, the sticky bit got an additional meaning for
+files that had the bit set and were not executable: read and write
+operations from and to those files would go directly to the disk
+and bypass the buffer cache.
+This was typically used on swap files for NFS clients on an NFS
+server, so that swap I/O generated by the clients on the servers
+would not evict useful data from the server's buffer cache.
+.Sh BUGS
+Neither
+.Xr open 2
+nor
+.Xr mkdir 2
+will create a file with the sticky bit set.
diff --git a/static/netbsd/man7/symlink.7 b/static/netbsd/man7/symlink.7
new file mode 100644
index 00000000..d36f0c55
--- /dev/null
+++ b/static/netbsd/man7/symlink.7
@@ -0,0 +1,674 @@
+.\"	$NetBSD: symlink.7,v 1.29 2019/03/25 19:24:30 maxv Exp $
+.\"
+.\" Copyright (c) 1992, 1993, 1994
+.\"	The Regents of the University of California.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. Neither the name of the University nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"	@(#)symlink.7	8.3 (Berkeley) 3/31/94
+.\"
+.Dd March 25, 2019
+.Dt SYMLINK 7
+.Os
+.Sh NAME
+.Nm symlink
+.Nd symbolic link handling
+.Sh DESCRIPTION
+Symbolic links are files that act as pointers to other files.
+To understand their behavior, you must first understand how hard links
+work.
+.Pp
+A hard link to a file is indistinguishable from the original file because
+it is a reference to the object underlying the original file name.
+Changes to a file are independent of the name used to reference the
+file.
+Hard links may not refer to directories and may not reference files
+on different file systems.
+.Pp
+A symbolic link contains the name of the file to which it is linked,
+i.e.
+it is a pointer to another name, and not to an underlying object.
+For this reason, symbolic links may reference directories and may span
+file systems.
+.Pp
+Because a symbolic link and its referenced object coexist in the filesystem
+name space, confusion can arise in distinguishing between the link itself
+and the referenced object.
+Historically, commands and system calls have adopted their own link
+following conventions in a somewhat ad-hoc fashion.
+Rules for more a uniform approach, as they are implemented in this system,
+are outlined here.
+It is important that local applications conform to these rules, too,
+so that the user interface can be as consistent as possible.
+.Pp
+Symbolic links are handled either by operating on the link itself,
+or by operating on the object referenced by the link.
+In the latter case,
+an application or system call is said to
+.Qq follow
+the link.
+.Pp
+Symbolic links may reference other symbolic links,
+in which case the links are dereferenced until an object that is
+not a symbolic link is found,
+a symbolic link which references a file which doesn't exist is found,
+or a loop is detected.
+Loop detection is done by placing an upper limit on the number of
+links that may be followed, and an error results if this limit is
+exceeded.
+.Pp
+There are three separate areas that need to be discussed.
+They are as follows:
+.Pp
+.Bl -enum -compact -offset indent
+.It
+Symbolic links used as file name arguments for system calls.
+.It
+Symbolic links specified as command line arguments to utilities that
+are not traversing a file tree.
+.It
+Symbolic links encountered by utilities that are traversing a file tree
+(either specified on the command line or encountered as part of the
+file hierarchy walk).
+.El
+.Ss System calls
+The first area is symbolic links used as file name arguments for
+system calls.
+.Pp
+Except as noted below, all system calls follow symbolic links.
+For example, if there were a symbolic link
+.Qq Li slink
+which pointed to a file named
+.Qq Li afile ,
+the system call
+.Qq Li open("slink" ...)
+would return a file descriptor to the file
+.Qq afile .
+.Pp
+There are eleven system calls that do not follow links, and which operate
+on the symbolic link itself.
+They are:
+.Xr lchflags 2 ,
+.Xr lchmod 2 ,
+.Xr lchown 2 ,
+.\".Xr lpathconf 2 ,
+.Xr lstat 2 ,
+.Xr lutimes 2 ,
+.Xr readlink 2 ,
+.Xr readlinkat 2 ,
+.Xr rename 2 ,
+.Xr renameat 2 ,
+.Xr unlinkat 2 .
+and
+.Xr unlink 2 .
+Because
+.Xr remove 3
+is an alias for
+.Xr unlink 2 ,
+it also does not follow symbolic links.
+When
+.Xr rmdir 2
+or
+.Xr unlinkat 2
+with the
+.Dv AT_REMOVEDIR
+flag
+is applied to a symbolic link, it fails with the error
+.Er ENOTDIR .
+.Pp
+The
+.Xr linkat 2
+system call does not follow symbolic links
+unless given the
+.Dv AT_SYMLINK_FOLLOW
+flag.
+.Pp
+The following system calls follow symbolic links
+unless given the
+.Dv AT_SYMLINK_NOFOLLOW
+flag:
+.\" .Xr chflagsat 2 ,
+.Xr fchmodat 2 ,
+.Xr fchownat 2 ,
+.Xr fstatat 2 ,
+and
+.Xr utimensat 2 .
+.Pp
+The owner and group of an existing symbolic link can be changed by
+means of the
+.Xr lchown 2
+system call.
+The flags, access permissions, owner/group and modification time of
+an existing symbolic link can be changed by means of the
+.Xr lchflags 2 ,
+.Xr lchmod 2 ,
+.Xr lchown 2 ,
+and
+.Xr lutimes 2
+system calls, respectively.
+Of these, only the flags and ownership are used by the system;
+the access permissions are ignored.
+.Pp
+The
+.Bx 4.4
+system differs from historical
+.Bx 4
+systems in that the system call
+.Xr chown 2
+has been changed to follow symbolic links.
+The
+.Xr lchown 2
+system call was added later when the limitations of the new
+.Xr chown 2
+became apparent.
+.Pp
+If the filesystem is mounted with the
+.Em symperm
+.Xr mount 8
+option, the symbolic link file permission bits have the following effects:
+.Pp
+The
+.Xr readlink 2
+system call requires read permissions on the symbolic link.
+.Pp
+System calls that follow symbolic links will fail without execute/search
+permissions on all the symbolic links followed.
+.Pp
+The write, sticky, set-user-ID-on-execution and set-group-ID-on-execution
+symbolic link mode bits have no effect on any system calls
+.Po
+including
+.Xr execve 2
+.Pc .
+.Ss Commands not traversing a file tree
+The second area is symbolic links, specified as command line file
+name arguments, to commands which are not traversing a file tree.
+.Pp
+Except as noted below, commands follow symbolic links named as command
+line arguments.
+For example, if there were a symbolic link
+.Qq Li slink
+which pointed to a file named
+.Qq Li afile ,
+the command
+.Qq Li cat slink
+would display the contents of the file
+.Qq Li afile .
+.Pp
+It is important to realize that this rule includes commands which may
+optionally traverse file trees, e.g.
+the command
+.Qq Li "chown file"
+is included in this rule, while the command
+.Qq Li "chown -R file"
+is not
+(The latter is described in the third area, below).
+.Pp
+If it is explicitly intended that the command operate on the symbolic
+link instead of following the symbolic link, e.g., it is desired that
+.Qq Li "file slink"
+display the type of file that
+.Qq Li slink
+is, whether it is a symbolic link or not, the
+.Fl h
+option should be used.
+In the above example,
+.Qq Li "file slink"
+would report the type of the file referenced by
+.Qq Li slink ,
+while
+.Qq Li "file -h slink"
+would report that
+.Qq Li slink
+was a symbolic link.
+.Pp
+There are five exceptions to this rule.
+The
+.Xr mv 1
+and
+.Xr rm 1
+commands do not follow symbolic links named as arguments,
+but respectively attempt to rename and delete them.
+(Note, if the symbolic link references a file via a relative path,
+moving it to another directory may very well cause it to stop working,
+since the path may no longer be correct).
+.Pp
+The
+.Xr ls 1
+command is also an exception to this rule.
+For compatibility with historic systems (when
+.Nm ls
+is not doing a tree walk, i.e.
+the
+.Fl R
+option is not specified),
+the
+.Nm ls
+command follows symbolic links named as arguments if the
+.\" .Fl H
+.\" or
+.Fl L
+option is specified,
+or if the
+.Fl F ,
+.Fl d ,
+or
+.Fl l
+options are not specified.
+(If the
+.Fl L
+option is specified,
+.Nm ls
+always follows symbolic links.
+.Nm ls
+is the only command where the
+.\" .Fl H
+.\" and
+.Fl L
+option affects its behavior even though it is not doing a walk of
+a file tree).
+.Pp
+The
+.Xr file 1
+and
+.Xr stat 1
+commands are also exceptions to this rule.
+These
+commands do not follow symbolic links named as argument by default,
+but do follow symbolic links named as argument if the
+.Fl L
+option is specified.
+.Pp
+The
+.Bx 4.4
+system differs from historical
+.Bx 4
+systems in that the
+.Nm chown
+and
+.Nm chgrp
+commands follow symbolic links specified on the command line.
+.Ss Commands traversing a file tree
+The following commands either optionally or always traverse file trees:
+.Xr chflags 1 ,
+.Xr chgrp 1 ,
+.Xr chmod 1 ,
+.Xr cp 1 ,
+.Xr du 1 ,
+.Xr find 1 ,
+.Xr ls 1 ,
+.Xr pax 1 ,
+.Xr rm 1 ,
+.Xr tar 1 ,
+and
+.Xr chown 8 .
+.Pp
+It is important to realize that the following rules apply equally to
+symbolic links encountered during the file tree traversal and symbolic
+links listed as command line arguments.
+.Pp
+The first rule applies to symbolic links that reference files that are
+not of type directory.
+Operations that apply to symbolic links are performed on the links
+themselves, but otherwise the links are ignored.
+.Pp
+For example, the command
+.Qq Li "chown -R user slink directory"
+will ignore
+.Qq Li slink ,
+because the
+.Fl h
+flag must be used to change owners of symbolic links.
+Any symbolic links encountered during the tree traversal will also be
+ignored.
+The command
+.Qq Li "rm -r slink directory"
+will remove
+.Qq Li slink ,
+as well as any symbolic links encountered in the tree traversal of
+.Qq Li directory ,
+because symbolic links may be removed.
+In no case will either
+.Nm chown
+or
+.Nm rm
+affect the file which
+.Qq Li slink
+references in any way.
+.Pp
+The second rule applies to symbolic links that reference files of type
+directory.
+Symbolic links which reference files of type directory are never
+.Qq followed
+by default.
+This is often referred to as a
+.Qq physical
+walk, as opposed to a
+.Qq logical
+walk (where symbolic links referencing directories are followed).
+.Pp
+As consistently as possible, you can make commands doing a file tree
+walk follow any symbolic links named on the command line, regardless
+of the type of file they reference, by specifying the
+.Fl H
+(for
+.Qq half\-logical )
+flag.
+This flag is intended to make the command line name space look
+like the logical name space.
+(Note, for commands that do not always do file tree traversals, the
+.Fl H
+flag will be ignored if the
+.Fl R
+flag is not also specified).
+.Pp
+For example, the command
+.Qq Li "chown -HR user slink"
+will traverse the file hierarchy rooted in the file pointed to by
+.Qq Li slink .
+Note, the
+.Fl H
+is not the same as the previously discussed
+.Fl h
+flag.
+The
+.Fl H
+flag causes symbolic links specified on the command line to be
+dereferenced both for the purposes of the action to be performed
+and the tree walk, and it is as if the user had specified the
+name of the file to which the symbolic link pointed.
+.Pp
+As consistently as possible, you can make commands doing a file tree
+walk follow any symbolic links named on the command line, as well as
+any symbolic links encountered during the traversal, regardless of
+the type of file they reference, by specifying the
+.Fl L
+(for
+.Qq logical )
+flag.
+This flag is intended to make the entire name space look like
+the logical name space.
+(Note, for commands that do not always do file tree traversals, the
+.Fl L
+flag will be ignored if the
+.Fl R
+flag is not also specified).
+.Pp
+For example, the command
+.Qq Li "chown -LR user slink"
+will change the owner of the file referenced by
+.Qq Li slink .
+If
+.Qq Li slink
+references a directory,
+.Nm chown
+will traverse the file hierarchy rooted in the directory that it
+references.
+In addition, if any symbolic links are encountered in any file tree that
+.Nm chown
+traverses, they will be treated in the same fashion as
+.Qq Li slink .
+.Pp
+As consistently as possible, you can specify the default behavior by
+specifying the
+.Fl P
+(for
+.Qq physical )
+flag.
+This flag is intended to make the entire name space look like the
+physical name space.
+.Pp
+For commands that do not by default do file tree traversals, the
+.Fl H ,
+.Fl L ,
+and
+.Fl P
+flags are ignored if the
+.Fl R
+flag is not also specified.
+In addition, you may specify the
+.Fl H ,
+.Fl L ,
+and
+.Fl P
+options more than once; the last one specified determines the
+command's behavior.
+This is intended to permit you to alias commands to behave one way
+or the other, and then override that behavior on the command line.
+.Pp
+The
+.Xr ls 1
+and
+.Xr rm 1
+commands have exceptions to these rules.
+The
+.Nm rm
+command operates on the symbolic link, and not the file it references,
+and therefore never follows a symbolic link.
+The
+.Nm rm
+command does not support the
+.Fl H ,
+.Fl L ,
+or
+.Fl P
+options.
+.Pp
+To maintain compatibility with historic systems,
+the
+.Nm ls
+command acts a little differently.
+If you do not specify the
+.Fl F ,
+.Fl d ,
+or
+.Fl l
+options,
+.Nm ls
+will follow symbolic links specified on the command line.
+If the
+.Fl L
+flag is specified.
+If the
+.Fl L
+flag is specified,
+.Nm ls
+follows all symbolic links,
+regardless of their type,
+whether specified on the command line or encountered in the tree walk.
+The
+.Nm ls
+command does not support the
+.Fl H
+or
+.Fl P
+options.
+.Ss Magic symlinks
+So-called
+.Dq magic symlinks
+can be enabled by setting the
+.Dq vfs.generic.magiclinks
+variable with
+.Xr sysctl 8 .
+When magic symlinks are enabled
+.Dq magic
+patterns in symlinks are expanded.
+Those patterns begin with
+.Dq @
+.Pq an at-sign ,
+and end at the end of the pathname component
+.Po
+i.e. at the next
+.Dq / ,
+or at the end of the symbolic link if there are no more slashes
+.Pc .
+.Pp
+To illustrate the pattern matching rules, assume that
+.Dq @foo
+is a valid magic string:
+.Pp
+.Bl -tag -width @foo/barxxxxx -offset indent -compact
+.It @foo
+would be matched
+.It @foo/bar
+would be matched
+.It bar@foo
+would be matched
+.It @foobar
+would not be matched
+.El
+.Pp
+Magic strings may also be delimited with
+.Sq {
+and
+.Sq }
+characters, allowing for more complex patterns in symbolic links such as:
+.Bd -literal -offset indent
+@{var1}-@{var2}.@{var3}
+.Ed
+.Pp
+The following patterns are supported:
+.Bl -tag -width @machine_arch -offset indent
+.It @domainname
+Expands to the machine's domain name, as set by
+.Xr setdomainname 3 .
+.It @hostname
+Expands to the machine's host name, as set by
+.Xr sethostname 3 .
+.It @emul
+Expands to the name of the current process's emulation.
+Defaults to
+.Dv netbsd .
+Other valid emulations are:
+.Dv aout ,
+.Dv aoutm68k ,
+.Dv freebsd ,
+.Dv linux ,
+.Dv linux32 ,
+.Dv m68k4k ,
+.Dv netbsd32 ,
+.Dv sunos ,
+.Dv sunos32 ,
+.Dv ultrix ,
+.Dv vax1k .
+.It @kernel_ident
+Expands to the name of the
+.Xr config 1
+file used to generate the running kernel.
+For example
+.Dv GENERIC .
+.It @machine
+Expands to the value of
+.Li MACHINE
+for the system.
+For native binaries, this is
+equivalent to the output of
+.Dq uname -m
+or
+.Xr sysctl 3
+.Dq hw.machine .
+.Po
+For non-native binaries, the values returned by uname and sysctl
+typically vary to match the emulation environment.
+.Pc
+.It @machine_arch
+Expands to the value of
+.Li MACHINE_ARCH
+for the system.
+For native binaries, this is
+equivalent to the output of
+.Dq uname -p
+or
+.Xr sysctl 3
+.Dq hw.machine_arch .
+.Po
+For non-native binaries, the values returned by uname and sysctl
+typically vary to match the emulation environment.
+.Pc
+.It @osrelease
+Expands to the operating system release of the running kernel
+.Po
+equivalent to the output of
+.Dq uname -r
+or
+.Xr sysctl 3
+.Dq kern.osrelease
+.Pc .
+.It @ostype
+Expands to the operating system type of the running kernel
+.Po
+equivalent to the output of
+.Dq uname -s
+or
+.Xr sysctl 3
+.Dq kern.ostype
+.Pc .
+This will always be
+.Dq NetBSD
+on
+.Nx
+systems.
+.It @ruid
+Expands to the real user-id of the process.
+.It @uid
+Expands to the effective user-id of the process.
+.It @rgid
+Expands to the real group-id of the process.
+.It @gid
+Expands to the effective group-id of the process.
+.El
+.Sh SEE ALSO
+.Xr chflags 1 ,
+.Xr chgrp 1 ,
+.Xr chmod 1 ,
+.Xr cp 1 ,
+.Xr du 1 ,
+.Xr find 1 ,
+.Xr ln 1 ,
+.Xr ls 1 ,
+.Xr mv 1 ,
+.Xr pax 1 ,
+.Xr rm 1 ,
+.Xr tar 1 ,
+.Xr uname 1 ,
+.Xr chown 2 ,
+.Xr execve 2 ,
+.Xr lchflags 2 ,
+.Xr lchmod 2 ,
+.Xr lchown 2 ,
+.Xr lstat 2 ,
+.Xr lutimes 2 ,
+.Xr mount 2 ,
+.Xr readlink 2 ,
+.Xr rename 2 ,
+.Xr symlink 2 ,
+.Xr unlink 2 ,
+.Xr fts 3 ,
+.Xr remove 3 ,
+.Xr chown 8 ,
+.Xr mount 8
+.Sh HISTORY
+Magic symlinks appeared in
+.Nx 4.0 .
diff --git a/static/netbsd/man7/sysctl.7 b/static/netbsd/man7/sysctl.7
new file mode 100644
index 00000000..ee306b81
--- /dev/null
+++ b/static/netbsd/man7/sysctl.7
@@ -0,0 +1,2920 @@
+.\"	$NetBSD: sysctl.7,v 1.171 2026/04/23 13:42:57 wiz Exp $
+.\"
+.\" Copyright (c) 1993
+.\"	The Regents of the University of California.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. Neither the name of the University nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"	@(#)sysctl.3	8.4 (Berkeley) 5/9/95
+.\"
+.Dd April 23, 2026
+.Dt SYSCTL 7
+.Os
+.Sh NAME
+.Nm sysctl
+.Nd system information variables
+.Sh DESCRIPTION
+The
+.Xr sysctl 3
+library function and the
+.Xr sysctl 8
+utility are used to get and set values of system variables, maintained
+by the kernel.
+The variables are organized in a tree and identified by a sequence of
+numbers, conventionally separated by dots with the topmost identifier
+at the left side.
+The numbers have corresponding text names.
+The
+.Xr sysctlnametomib 3
+function or the
+.Fl M
+argument to the
+.Xr sysctl 8
+utility can be used to convert the text representation to the
+numeric one.
+.Pp
+The individual sysctl variables are described below, both the textual
+and numeric form where applicable.
+The textual names can be used as argument to the
+.Xr sysctl 8
+utility and in the file
+.Pa /etc/sysctl.conf .
+The numeric names are usually defined as preprocessor constants and
+are intended for use by programs.
+Every such constant expands to one integer, which identifies the
+sysctl variable relative to the upper level of the tree.
+See the
+.Xr sysctl 3
+manual page for programming examples.
+.Ss Top level names
+The top level names are defined with a
+.Va CTL_
+prefix in
+.In sys/sysctl.h ,
+and are as follows.
+The next and subsequent levels down are found in the include files
+listed here, and described in separate sections below.
+.Bl -column "security" ".Dv CTL_SECURITY" ".In uvm/uvm_param.h" "High kernel limits"
+.It Sy Name  Ta Sy Constant     Ta Sy Next level names Ta Sy Description
+.It kern     Ta Dv CTL_KERN     Ta In sys/sysctl.h     Ta High kernel limits
+.It vm       Ta Dv CTL_VM       Ta In uvm/uvm_param.h  Ta Virtual memory
+.It vfs      Ta Dv CTL_VFS      Ta In sys/mount.h      Ta Filesystem
+.It net      Ta Dv CTL_NET      Ta In sys/socket.h     Ta Networking
+.It debug    Ta Dv CTL_DEBUG    Ta In sys/sysctl.h     Ta Debugging
+.It hw       Ta Dv CTL_HW       Ta In sys/sysctl.h     Ta Generic CPU, I/O
+.It machdep  Ta Dv CTL_MACHDEP  Ta In sys/sysctl.h     Ta Machine dependent
+.It user     Ta Dv CTL_USER     Ta In sys/sysctl.h     Ta User-level
+.It ddb      Ta Dv CTL_DDB      Ta In sys/sysctl.h     Ta In-kernel debugger
+.It proc     Ta Dv CTL_PROC     Ta In sys/sysctl.h     Ta Per-process
+.It vendor   Ta Dv CTL_VENDOR   Ta ?                   Ta Vendor specific
+.It emul     Ta Dv CTL_EMUL     Ta In sys/sysctl.h     Ta Emulation settings
+.It security Ta Dv CTL_SECURITY Ta In sys/sysctl.h     Ta Security settings
+.El
+.Ss The debug.* subtree
+The debugging variables vary from system to system.
+A debugging variable may be added or deleted without need to recompile
+.Nm
+to know about it.
+Each time it runs,
+.Nm
+gets the list of debugging variables from the kernel and
+displays their current values.
+The system defines twenty
+.Vt ( struct ctldebug )
+variables named
+.Dv debug0
+through
+.Dv debug19 .
+They are declared as separate variables so that they can be
+individually initialized at the location of their associated variable.
+The loader prevents multiple use of the same variable by issuing errors
+if a variable is initialized in more than one place.
+For example, to export the variable
+.Va dospecialcheck
+as a debugging variable, the following declaration would be used:
+.Pp
+.Bd -literal -offset indent -compact
+int dospecialcheck = 1;
+struct ctldebug debug5 = { "dospecialcheck", &dospecialcheck };
+.Ed
+.Pp
+Note that the dynamic implementation of
+.Nm
+currently in use largely makes this particular
+.Nm
+interface obsolete.
+See
+.Xr sysctl 8
+.\" and
+.\" .Xr sysctl 9
+for more information.
+.Ss The vfs.* subtree
+A distinguished second level name,
+.Li vfs.generic ( Dv VFS_GENERIC ) ,
+is used to get general information about all file systems.
+It has the following third level identifiers:
+.Bl -tag -width "123456"
+.It Li vfs.generic.maxtypenum ( Dv VFS_MAXTYPENUM )
+The highest valid file system type number.
+.It Li vfs.generic.conf ( Dv VFS_CONF )
+Returns configuration information about the file system type given as a fourth
+level identifier.
+.It Li vfs.generic.usermount ( Dv VFS_USERMOUNT )
+Controls whether users other than the super-user can mount file
+systems.
+Defaults to
+.Li 0 ,
+so only the super-user can mount file systems.
+.Pp
+File systems mounted by unprivileged users must be mounted with the
+.Li nodev
+and
+.Li nosuid
+.Xr mount 8
+options.
+.It Li vfs.generic.magiclinks ( Dv VFS_MAGICLINKS )
+Controls whether expansion of variables is going to be performed on
+pathnames or not.
+Defaults to
+.Li 0 ,
+no variable expansion.
+Variables are of the form
+.Li @name
+and the variables supported are described in
+.Xr symlink 7
+under
+.Dq "MAGIC SYMLINKS" .
+.El
+.Pp
+A second level name for controlling the
+.Xr wapbl 4
+(Write Ahead Physical Block Logging file system journaling)
+capabilities with the following third level identifiers:
+.Bl -tag -width "123456"
+.It Li vfs.wapbl.flush_disk_cache
+Controls whether to attempt to flush the disk cache on each commit.
+It defaults to 1 and it should always be on to ensure integrity
+of file system metadata in the event of a power loss.
+For slow disks, turning it off can improve performance.
+.It Li vfs.wapbl.verbose_commit
+For each transaction log commit, print the number of bytes written
+and the time it took to commit as seconds.nanoseconds.
+.El
+.Pp
+The remaining second level identifiers are the file system names, identified
+by the type number returned by a
+.Xr statvfs 2
+call or from
+.Li vfs.generic.conf .
+.Pp
+The third level identifiers available for each file system
+are given in the header file that defines the mount
+argument structure for that file system.
+.Ss The hw.* subtree
+The string and integer information available for the
+.Li hw
+level is detailed below.
+The changeable column shows whether a process with appropriate
+privilege may change the value.
+.Bl -column "hw.machine_arch" "integer" "Changeable" -offset indent
+.It Sy Second level name Ta Sy Type Ta Sy Changeable
+.It hw.alignbytes	integer	no
+.It hw.byteorder	integer	no
+.It hw.cnmagic	string	yes
+.It hw.disknames	string	no
+.It hw.diskstats	struct	no
+.It hw.machine	string	no
+.It hw.machine_arch	string	no
+.It hw.model	string	no
+.It hw.ncpu	integer	no
+.It hw.ncpuonline	integer	no
+.It hw.pagesize	integer	no
+.It hw.physmem	integer	no
+.It hw.physmem64	quad	no
+.It hw.usermem	integer	no
+.It hw.usermem64	quad	no
+.El
+.Bl -tag -width "123456"
+.It Li hw.alignbytes ( Dv HW_ALIGNBYTES )
+Alignment constraint for all possible data types.
+This shows the value
+.Dv ALIGNBYTES
+in
+.In machine/param.h ,
+at the kernel compilation time.
+.It Li hw.byteorder ( Dv HW_BYTEORDER )
+The byteorder (4321, or 1234).
+.It Li hw.cnmagic ( Dv HW_CNMAGIC )
+The console magic key sequence.
+.It Li hw.disknames ( Dv HW_DISKNAMES )
+The list of (space separated) disk device names on the system.
+.It Li hw.iostatnames ( Dv HW_IOSTATNAMES )
+A space separated list of devices that will have I/O statistics
+collected on them.
+.It Li hw.iostats ( Dv HW_IOSTATS )
+Return statistical information on the NFS mounts, disk and tape
+devices on the system.
+An array of
+.Vt struct io_sysctl
+structures is returned,
+whose size depends on the current number of such objects in the system.
+The third level name is the size of the
+.Vt struct io_sysctl .
+The type of object can be determined by examining the
+.Va type
+element of
+.Vt struct io_sysctl .
+Which can be
+.Dv IOSTAT_DISK
+(disk drive),
+.Dv IOSTAT_TAPE
+(tape drive), or
+.Dv IOSTAT_NFS
+(NFS mount).
+.It Li hw.machine ( Dv HW_MACHINE )
+The machine class.
+.It Li hw.machine_arch ( Dv HW_MACHINE_ARCH )
+The machine CPU class.
+.It Li hw.model ( Dv HW_MODEL )
+The machine model.
+.It Li hw.ncpu ( Dv HW_NCPU )
+The number of CPUs configured.
+.It Li hw.ncpuonline ( Dv HW_NCPUONLINE )
+The number of CPUs online.
+.It Li hw.pagesize ( Dv HW_PAGESIZE )
+The software page size.
+.It Li hw.physmem ( Dv HW_PHYSMEM )
+The bytes of physical memory as a 32-bit integer.
+.It Li hw.physmem64 ( Dv HW_PHYSMEM64 )
+The bytes of physical memory as a 64-bit integer.
+.It Li hw.usermem ( Dv HW_USERMEM )
+The bytes of non-kernel memory as a 32-bit integer.
+.It Li hw.usermem64 ( Dv HW_USERMEM64 )
+The bytes of non-kernel memory as a 64-bit integer.
+.El
+.Ss The kern.* subtree
+This subtree includes data generally related to the kernel.
+The string and integer information available for the
+.Li kern
+level is detailed below.
+The changeable column shows whether a process with appropriate
+privilege may change the value.
+.Bl -column "kern.posix_reader_writer_locks" \
+"struct kinfo_drivers" "not applicable"
+.It Sy Second level name Ta Sy Type Ta Sy Changeable
+.It kern.aio_listio_max	integer	yes
+.It kern.aio_max	integer	yes
+.It kern.arandom	integer	no
+.It kern.argmax	integer	no
+.It kern.boothowto	integer	no
+.It kern.boottime	struct timespec	no
+.It kern.buildinfo	string	no
+.\".It kern.bufq	node	not applicable
+.It kern.ccpu	integer	no
+.It kern.clockrate	struct clockinfo	no
+.It kern.consdev	integer	no
+.It kern.coredump	node	not applicable
+.It kern.cp_id	struct	no
+.It kern.cp_time	uint64_t[\|]	no
+.It kern.cryptodevallowsoft	integer	yes
+.It kern.defcorename	string	yes
+.It kern.detachall	integer	yes
+.It kern.domainname	string	yes
+.It kern.drivers	struct kinfo_drivers	no
+.It kern.dump_on_panic	integer	yes
+.It kern.expose_address	integer	yes
+.It kern.file	struct file	no
+.It kern.forkfsleep	integer	yes
+.It kern.fscale	integer	no
+.It kern.fsync	integer	no
+.It kern.hardclock_ticks	integer	no
+.It kern.heartbeat.max_period	integer	yes
+.It kern.hostid	integer	yes
+.It kern.hostname	string	yes
+.It kern.iov_max	integer	no
+.It kern.ipc	node	not applicable
+.It kern.job_control	integer	no
+.It kern.labeloffset	integer	no
+.It kern.labelsector	integer	no
+.It kern.login_name_max	integer	no
+.It kern.logsigexit	integer	yes
+.It kern.lwp	struct kinfo_lwp	yes
+.It kern.mapped_files	integer	no
+.It kern.maxfiles	integer	yes
+.It kern.maxlwp	integer	yes
+.It kern.maxpartitions	integer	no
+.It kern.maxphys	integer	no
+.It kern.maxproc	integer	yes
+.It kern.maxptys	integer	yes
+.It kern.maxvnodes	integer	yes
+.It kern.messages	integer	yes
+.It kern.mbuf	node	not applicable
+.It kern.memlock	integer	no
+.It kern.memlock_range	integer	no
+.It kern.memory_protection	integer	no
+.It kern.module	node	not applicable
+.It kern.monotonic_clock	integer	no
+.It kern.mqueue	node	not applicable
+.It kern.msgbuf	integer	no
+.It kern.msgbufsize	integer	no
+.It kern.ngroups	integer	no
+.\".It kern.no_sa_support	integer	yes
+.It kern.ntptime	struct ntptimeval	no
+.It kern.osrelease	string	no
+.It kern.osrevision	integer	no
+.It kern.ostype	string	no
+.\".It kern.panic_now	integer	yes
+.It kern.pipe	node	not applicable
+.It kern.pool	struct pool_sysctl	no
+.\" .It kern.posix	node	not applicable
+.It kern.posix1version	integer	no
+.It kern.posix_aio	integer	no
+.It kern.posix_barriers	integer	no
+.It kern.posix_reader_writer_locks	integer	no
+.\".It kern.posix_sched	integer	yes
+.It kern.posix_semaphores	integer	no
+.It kern.posix_spin_locks	integer	no
+.It kern.posix_threads	integer	no
+.It kern.posix_timers	integer	no
+.It kern.proc	struct kinfo_proc	no
+.It kern.proc2	struct kinfo_proc2	no
+.It kern.proc_args	string	no
+.It kern.profiling	node	not applicable
+.\".It kern.pset	node	not applicable
+.It kern.rawpartition	integer	no
+.It kern.root_device	string	no
+.It kern.root_partition	integer	no
+.It kern.rtc_offset	integer	yes
+.It kern.saved_ids	integer	no
+.It kern.sbmax	integer	yes
+.It kern.sched	node	not applicable
+.It kern.securelevel	integer	raise only
+.It kern.sofixedbuf	boolean	yes
+.It kern.somaxkva	integer	yes
+.It kern.sooptions	integer	yes
+.It kern.synchronized_io	integer	no
+.It kern.timecounter	node	not applicable
+.It kern.timex	struct	no
+.It kern.tkstat	node	not applicable
+.It kern.tty	node	not applicable
+.It kern.urandom	integer	no
+.It kern.usercrypto	integer	yes
+.It kern.userasymcrypto	integer	yes
+.It kern.veriexec	node	not applicable
+.It kern.version	string	no
+.It kern.vnode	struct vnode	no
+.El
+.Bl -tag -width "123456"
+.It Li kern.aio_listio_max
+The maximum number of asynchronous I/O operations in a single list
+I/O call.
+Like with all variables related to
+.Xr aio 3 ,
+the variable may be created and removed dynamically
+upon loading or unloading the corresponding kernel module.
+.It Li kern.aio_max
+The maximum number of asynchronous I/O operations.
+.It Li kern.arandom ( Dv KERN_ARND )
+Returns independent uniformly distributed bytes at random each time, as
+many as requested up to 256, derived from the system entropy pool; see
+.Xr rnd 4 .
+.Pp
+Reading
+.Li kern.arandom
+is equivalent to reading up to 256 bytes at a time from
+.Pa /dev/urandom :
+reading
+.Li kern.arandom
+never blocks, and once the system entropy pool has full entropy, output
+subsequently read from
+.Li kern.arandom
+is fit for use as cryptographic key material.
+For example, the
+.Xr arc4random 3
+library routine uses
+.Li kern.arandom
+internally to seed a cryptographic pseudorandom number generator.
+.It Li kern.argmax ( Dv KERN_ARGMAX )
+The maximum bytes of argument to
+.Xr execve 2 .
+.It Li kern.boothowto
+Flags passed from the boot loader; see
+.Xr reboot 2
+for the meanings of the flags.
+.It Li kern.boottime ( Dv KERN_BOOTTIME )
+A
+.Vt struct timespec
+structure is returned.
+This structure contains the time that the system was booted.
+That time is defined (for this purpose) to be the time at
+which the kernel first started accumulating clock ticks.
+.It Li kern.bufq
+This variable contains information on the
+.Xr bufq 9
+subsystem.
+Currently, the only third level name implemented is
+.Dv kern.bufq.strategies
+which provides a list of buffer queue strategies currently available.
+.It Li kern.buildinfo
+When the kernel is built, the build environment may optionally provide
+arbitrary information to be stored in this variable.
+.It Li kern.ccpu ( Dv KERN_CCPU )
+The scheduler exponential decay value.
+.It Li kern.clockrate ( Dv KERN_CLOCKRATE )
+A
+.Vt struct clockinfo
+structure is returned.
+This structure contains the clock, statistics clock and profiling clock
+frequencies, the number of micro-seconds per hz tick, and the clock
+skew rate.
+Refer to
+.Xr hz 9
+for additional details.
+.It Li kern.consdev ( Dv KERN_CONSDEV )
+Console device.
+.It Li kern.coredump
+Settings related to set-id processes coredumps.
+By default, set-id processes do not dump core in situations where
+other processes would.
+The settings in this node allows an administrator to change this
+behavior.
+.Pp
+The third level name is
+.Dv kern.coredump.setid
+and fourth level variables are described below.
+.Bl -column "kern.coredump.setid.group" "integer" "Changeable" -offset indent
+.It Sy Fourth level name Ta Sy Type Ta Sy Changeable
+.It kern.coredump.setid.dump	integer	yes
+.It kern.coredump.setid.group	integer	yes
+.It kern.coredump.setid.mode	integer	yes
+.It kern.coredump.setid.owner	integer	yes
+.It kern.coredump.setid.path	string	yes
+.El
+.Bl -tag -width "123456"
+.It Li kern.coredump.setid.dump
+If non-zero, set-id processes will dump core.
+.It Li kern.coredump.setid.group
+The group-id for the set-id processes' coredump.
+.It Li kern.coredump.setid.mode
+The mode for the set-id processes' coredump.
+See
+.Xr chmod 1 .
+.It Li kern.coredump.setid.owner
+The user-id that will be used as the owner of the set-id processes'
+coredump.
+.It Li kern.coredump.setid.path
+The path to which set-id processes' coredumps will be saved to.
+Same syntax as kern.defcorename.
+.El
+.It Li kern.cp_id ( Dv KERN_CP_ID )
+Mapping of CPU number to CPU id.
+.It Li kern.cp_time ( Dv KERN_CP_TIME )
+Returns an array of
+.Dv CPUSTATES
+.Vt uint64_t Ns s .
+This array contains the
+number of clock ticks spent in different CPU states.
+On multi-processor systems, the sum across all CPUs is returned unless
+appropriate space is given for one data set for each CPU.
+Data for a specific CPU can also be obtained by adding the number of the
+CPU at the end of the MIB, enlarging it by one.
+.It Li kern.cryptodevallowsoft
+This variable controls userland access to hardware versus software transforms
+in the
+.Xr crypto 4
+system.
+The available values are as follows:
+.Bl -tag -width XX0 -offset indent
+.It Dv < 0
+Always force userlevel requests to use software transforms.
+.It Dv = 0
+If present, use hardware and grant userlevel requests for
+non-accelerated transforms (handling the latter in software).
+.It Dv > 0
+Allow user requests only for transforms which are hardware-accelerated.
+.El
+.It Li kern.defcorename ( Dv KERN_DEFCORENAME )
+Default template for the name of core dump files (see also
+.Li proc.pid.corename
+in the per-process variables
+.Li proc.* ,
+and
+.Xr core 5
+for format of this template).
+The default value is
+.Pa %n.core
+and can be changed with the kernel configuration option
+.Cd options DEFCORENAME
+(see
+.Xr options 4
+).
+.It Li kern.detachall
+Detach all devices at shutdown.
+.It Li kern.domainname ( Dv KERN_DOMAINNAME )
+Get or set the YP domain name.
+.It Li kern.drivers ( Dv KERN_DRIVERS )
+Return an array of
+.Vt struct kinfo_drivers
+that contains the name and major device numbers of all the device drivers
+in the current kernel.
+The
+.Va d_name
+field is always a NUL terminated string.
+The
+.Va d_bmajor
+field will be set to \-1 if the driver doesn't have a block device.
+.It Li kern.expose_address
+Expose kernel addresses in
+.Xr sysctl 3
+calls used by
+.Xr fstat 1
+and
+.Xr sockstat 1 .
+If it is set to
+.Dv 0
+access is not allowed.
+If it is set to
+.Dv 1
+then only processes that have opened
+.Pa /dev/kmem
+can have access.
+If it is set to
+.Dv 2
+every process is allowed.
+Defaults to
+.Dv 0
+for
+.Dv KASLR
+kernels
+and
+.Dv 1
+otherwise.
+Allowing general access renders KASLR ineffective; allowing only kmem
+accessing programs weakens KASLR if those programs can be subverted
+to leak the addresses.
+.It Li kern.dump_on_panic ( Dv KERN_DUMP_ON_PANIC )
+Perform a crash dump on system
+.Xr panic 9 .
+.It Li kern.file ( Dv KERN_FILE )
+Return the entire file table.
+The returned data consists of a single
+.Vt struct filelist
+followed by an array of
+.Vt struct file ,
+whose size depends on the current number of such objects in the system.
+.It Li kern.forkfsleep ( Dv KERN_FORKFSLEEP )
+If
+.Xr fork 2
+system call fails due to limit on number of processes (either
+the global maxproc limit or user's one), wait for this many
+milliseconds before returning
+.Er EAGAIN
+error to process.
+Useful to keep heavily forking runaway processes in bay.
+Default zero (no sleep).
+Maximum is 20 seconds.
+.It Li kern.fscale ( Dv KERN_FSCALE )
+The kernel fixed-point scale factor.
+.It Li kern.fsync ( Dv KERN_FSYNC )
+Return 1 if the
+.St -p1003.1b-93
+File Synchronization Option is available
+on this system,
+otherwise\ 0.
+.It Li kern.hardclock_ticks ( Dv KERN_HARDCLOCK_TICKS )
+Returns the number of
+.Xr hardclock 9
+ticks.
+.It Li kern.heartbeat.max_period
+Time in seconds since the last
+.Cd options HEARTBEAT
+progress check has passed before it will trigger a panic.
+See
+.Xr options 4 .
+.It Li kern.hist
+This variable contains kernel history data if the kernel was
+configured for any of the options
+.Dv UVMHIST ,
+.Dv USB_DEBUG ,
+.Dv BIOHIST ,
+or
+.Dv SCDEBUG .
+(See
+.Xr options 4
+for more details.)
+The third-level names correspond to each available history table.
+The values of the history tables are in an internal format, and can be
+decoded by the
+.Xr vmstat 1
+utility's
+.Fl U
+and
+.Fl u
+options;
+the
+.Fl l
+option can be used to see which tables are available.
+.It Li kern.hostid ( Dv KERN_HOSTID )
+Get or set the host identifier.
+This is aimed to replace the legacy
+.Xr gethostid 3
+and
+.Xr sethostid 3
+system calls.
+.It Li kern.hostname ( Dv KERN_HOSTNAME )
+Get or set the
+.Xr hostname 1 .
+.It Li kern.iov_max ( Dv KERN_IOV_MAX )
+Return the maximum number of
+.Vt iovec
+structures that a process has available for use with
+.Xr preadv 2 ,
+.Xr pwritev 2 ,
+.Xr readv 2 ,
+.Xr recvmsg 2 ,
+.Xr sendmsg 2
+and
+.Xr writev 2 .
+.It Li kern.ipc ( Dv KERN_SYSVIPC )
+Return information about the SysV IPC parameters.
+The third level names for the ipc variables are detailed below.
+.Bl -column "kern.ipc.shm_use_phys" "integer" "Changeable" -offset indent
+.It Sy Third level name Ta Sy Type Ta Sy Changeable
+.It kern.ipc.sysvmsg	integer	no
+.It kern.ipc.sysvsem	integer	no
+.It kern.ipc.sysvshm	integer	no
+.It kern.ipc.sysvipc_info	struct	no
+.It kern.ipc.shmmax	integer	yes
+.It kern.ipc.shmmni	integer	yes
+.It kern.ipc.shmseg	integer	yes
+.It kern.ipc.shmmaxpgs	integer	yes
+.It kern.ipc.shm_use_phys	integer	yes
+.It kern.ipc.msgmni	integer	yes
+.It kern.ipc.msgseg	integer	yes
+.It kern.ipc.semmni	integer	yes
+.It kern.ipc.semmns	integer	yes
+.It kern.ipc.semmnu	integer	yes
+.El
+.Bl -tag -width "123456"
+.It Li kern.ipc.sysvmsg ( Dv KERN_SYSVIPC_MSG )
+Returns 1 if System V style message queue functionality is available
+on this system,
+otherwise\ 0.
+.It Li kern.ipc.sysvsem ( Dv KERN_SYSVIPC_SEM )
+Returns 1 if System V style semaphore functionality is available
+on this system,
+otherwise\ 0.
+.It Li kern.ipc.sysvshm ( Dv KERN_SYSVIPC_SHM )
+Returns 1 if System V style share memory functionality is available
+on this system,
+otherwise\ 0.
+.It Li kern.ipc.sysvipc_info ( Dv KERN_SYSVIPC_INFO )
+Return System V style IPC configuration and run-time information.
+The fourth level name selects the System V style IPC facility.
+.Bl -column "KERN_SYSVIPC_MSG_INFO" "struct shm_sysctl_info" -offset indent
+.It Sy Fourth level name Ta Sy Type
+.It KERN_SYSVIPC_MSG_INFO	struct msg_sysctl_info
+.It KERN_SYSVIPC_SEM_INFO	struct sem_sysctl_info
+.It KERN_SYSVIPC_SHM_INFO	struct shm_sysctl_info
+.El
+.Bl -tag -width "123456"
+.It Li KERN_SYSVIPC_MSG_INFO
+Return information on the System V style message facility.
+The
+.Sy msg_sysctl_info
+structure is defined in
+.In sys/msg.h .
+.It Li KERN_SYSVIPC_SEM_INFO
+Return information on the System V style semaphore facility.
+The
+.Sy sem_sysctl_info
+structure is defined in
+.In sys/sem.h .
+.It Li KERN_SYSVIPC_SHM_INFO
+Return information on the System V style shared memory facility.
+The
+.Sy shm_sysctl_info
+structure is defined in
+.In sys/shm.h .
+.El
+.It Li kern.ipc.shmmax ( Dv KERN_SYSVIPC_SHMMAX )
+Max shared memory segment size in bytes.
+.It Li kern.ipc.shmmni ( Dv KERN_SYSVIPC_SHMMNI )
+Max number of shared memory identifiers.
+.It Li kern.ipc.shmseg ( Dv KERN_SYSVIPC_SHMSEG )
+Max shared memory segments per process.
+.It Li kern.ipc.shmmaxpgs ( Dv KERN_SYSVIPC_SHMMAXPGS )
+Max amount of shared memory in pages.
+.It Li kern.ipc.shm_use_phys ( Dv KERN_SYSVIPC_SHMUSEPHYS )
+Locking of shared memory in physical memory.
+If 0, memory can be swapped
+out, otherwise it will be locked in physical memory.
+.It Li kern.ipc.msgmni
+Max number of message queue identifiers.
+.It Li kern.ipc.msgseg
+Max number of number of message segments.
+.It Li kern.ipc.semmni
+Max number of number of semaphore identifiers.
+.It Li kern.ipc.semmns
+Max number of number of semaphores in system.
+.It Li kern.ipc.semmnu
+Max number of undo structures in system.
+.El
+.It Li kern.job_control ( Dv KERN_JOB_CONTROL )
+Return 1 if job control is available on this system, otherwise\ 0.
+.It Li kern.labeloffset ( Dv KERN_LABELOFFSET )
+The offset within the sector specified by
+.Dv KERN_LABELSECTOR
+of the
+.Xr disklabel 5 .
+.It Li kern.labelsector ( Dv KERN_LABELSECTOR )
+The sector number containing the
+.Xr disklabel 5 .
+.It Li kern.login_name_max ( Dv KERN_LOGIN_NAME_MAX )
+The size of the storage required for a login name, in bytes,
+including the terminating NUL.
+.It Li kern.logsigexit ( Dv KERN_LOGSIGEXIT )
+If this flag is non-zero, the kernel will
+.Xr log 9
+all process exits due to signals which create a
+.Xr core 5
+file, and whether the coredump was created.
+.It Li kern.lwp ( Dv KERN_LWP )
+Returns information about the current light-weight process.
+The
+.Sy kinfo_lwp
+structure is defined in
+.In sys/sysctl.h .
+.It Li kern.mapped_files ( Dv KERN_MAPPED_FILES )
+Returns 1 if the
+.St -p1003.1b-93
+Memory Mapped Files Option is available on this system,
+otherwise\ 0.
+.It Li kern.maxfiles ( Dv KERN_MAXFILES )
+The maximum number of open files that may be open in the system.
+This also controls the maximum file locks per unprivileged user
+enforced by
+.Xr fcntl 2
+and
+.Xr flock 2 .
+.It Li kern.maxpartitions ( Dv KERN_MAXPARTITIONS )
+The maximum number of partitions allowed per disk.
+.It Li kern.maxlwp
+The maximum number of Lightweight Processes (threads) the system allows
+per uid.
+.It Li kern.maxphys ( Dv KERN_MAXPHYS )
+Maximum raw I/O transfer size.
+.It Li kern.maxproc ( Dv KERN_MAXPROC )
+The maximum number of simultaneous processes the system will allow.
+.It Li kern.maxptys ( Dv KERN_MAXPTYS )
+The maximum number of pseudo terminals.
+This value can be both raised and lowered, though it cannot
+be set lower than number of currently used ptys.
+See also
+.Xr pty 4 .
+.It Li kern.maxvnodes ( Dv KERN_MAXVNODES )
+The maximum number of vnodes available on the system.
+This cannot be lowered below the number of currently active vnodes.
+.It Li kern.mbuf ( Dv KERN_MBUF )
+Return information about the mbuf control variables.
+Mbufs are data structures which store network packets and other data
+structures in the networking code, see
+.Xr mbuf 9 .
+The third level names for the mbuf variables are detailed below.
+The changeable column shows whether a process with appropriate
+privilege may change the value.
+.Bl -column "kern.mbuf.nmbclusters_limit" "integer" "Changeable" -offset indent
+.It Sy Third level name Ta Sy Type Ta Sy Changeable
+.\" XXX Changeable? really?
+.It kern.mbuf.mblowat	integer	yes
+.It kern.mbuf.mclbytes	integer	yes
+.It kern.mbuf.mcllowat	integer	yes
+.It kern.mbuf.msize	integer	yes
+.It kern.mbuf.nmbclusters	integer	yes
+.It kern.mbuf.nmbclusters_limit	integer	no
+.El
+.Pp
+The variables are as follows:
+.Bl -tag -width "123456"
+.It Li kern.mbuf.mblowat ( Dv MBUF_MBLOWAT )
+The mbuf low water mark.
+.It Li kern.mbuf.mclbytes ( Dv MBUF_MCLBYTES )
+The mbuf cluster size.
+.It Li kern.mbuf.mcllowat ( Dv MBUF_MCLLOWAT )
+The mbuf cluster low water mark.
+.It Li kern.mbuf.msize ( Dv MBUF_MSIZE )
+The mbuf base size.
+.It Li kern.mbuf.nmbclusters ( Dv MBUF_NMBCLUSTERS )
+The limit on the number of mbuf clusters.
+The variable can only be increased, and only increased on machines with
+direct-mapped pool pages.
+.It Li kern.mbuf.nmbclusters_limit ( Dv MBUF_NMBCLUSTERS_LIMIT )
+The limit of nmbclusters.
+.El
+.It Li kern.memlock ( Dv KERN_MEMLOCK )
+Returns 1 if the
+.St -p1003.1b-93
+Process Memory Locking Option is available on this system,
+otherwise\ 0.
+.It Li kern.memlock_range ( Dv KERN_MEMLOCK_RANGE )
+Returns 1 if the
+.St -p1003.1b-93
+Range Memory Locking Option is available on this system,
+otherwise\ 0.
+.It Li kern.memory_protection ( Dv KERN_MEMORY_PROTECTION )
+Returns 1 if the
+.St -p1003.1b-93
+Memory Protection Option is available on this system,
+otherwise\ 0.
+.It Li kern.messages
+Kernel console message verbosity.
+See
+.Aq Pa sys/reboot.h
+.Bl -column "verbosity" "setting" -offset indent
+.It Sy Value Ta Sy Verbosity Ta Sy sys/reboot.h equivalent
+.It 0 Ta Silent Ta Sy AB_SILENT
+.It 1 Ta Quiet Ta Sy AB_QUIET
+.It 2 Ta Normal Ta Sy AB_NORMAL
+.It 3 Ta Verbose Ta Sy AB_VERBOSE
+.It 4 Ta Debug Ta Sy AB_DEBUG
+.El
+.It Li kern.module
+Settings related to kernel modules.
+The third level names for the settings are described below.
+.Bl -column "kern.module.autounload_unsafe" "integer" "Changeable" -offset indent
+.It Sy Third level name Ta Sy Type Ta Sy Changeable
+.It kern.module.autoload	integer	yes
+.It kern.module.autounload_unsafe	integer	yes
+.It kern.module.autotime	integer	yes
+.It kern.module.verbose	boolean	yes
+.El
+.Pp
+The variables are as follows:
+.Bl -tag -width 6n
+.It Li kern.module.autoload
+A boolean that controls whether kernel modules are loaded automatically.
+See
+.Xr module 7
+for details.
+.It Li kern.module.autounload_unsafe
+A boolean that controls whether the kernel will autounload modules that
+were automatically loaded and have not been audited for autounload.
+.Pp
+By default, only modules that have been audited will be autounloaded,
+and only if they were autoloaded to begin with.
+.It Li kern.module.autotime
+An integer that controls the delay before an attempt is made to
+automatically unload a module that was auto-loaded.
+Setting this value to zero disables the auto-unload function.
+.It Li kern.module.verbose
+A boolean that enables or disables verbose
+debug messages related to kernel modules.
+.El
+.It Li kern.monotonic_clock ( Dv KERN_MONOTONIC_CLOCK )
+Returns the standard version the implementation of the
+.St -p1003.1b-93
+Monotonic Clock Option conforms to,
+otherwise\ 0.
+.It Li kern.mqueue
+Settings related to POSIX message queues; see
+.Xr mqueue 3 .
+This node is created dynamically when
+the corresponding kernel module is loaded.
+The third level names for the settings are described below.
+.Bl -column "kern.mqueue.mq_max_msgsize" "integer" "Changeable" -offset indent
+.It Sy Third level name Ta Sy Type Ta Sy Changeable
+.It kern.mqueue.mq_open_max	integer	yes
+.It kern.mqueue.mq_prio_max	integer	yes
+.It kern.mqueue.mq_max_msgsize	integer	yes
+.It kern.mqueue.mq_def_maxmsg	integer	yes
+.It kern.mqueue.mq_max_maxmsg	integer	yes
+.El
+.Pp
+The variables are:
+.Bl -tag -width "123456"
+.It Li kern.mqueue.mq_open_max
+The maximum number of message queue descriptors any single process can open.
+.It Li kern.mqueue.mq_prio_max
+The maximum priority of a message.
+.It Li kern.mqueue.mq_max_msgsize
+The maximum size of a message in a message queue.
+.It Li kern.mqueue.mq_def_maxmsg
+The default maximum message count.
+.It Li kern.mqueue.mq_max_maxmsg
+The maximum number of messages in a message queue.
+.El
+.It Li kern.msgbuf ( Dv KERN_MSGBUF )
+The kernel message buffer, rotated so that the head of the circular kernel
+message buffer is at the start of the returned data.
+The returned data may contain NUL bytes.
+.It Li kern.msgbufsize ( Dv KERN_MSGBUFSIZE )
+The maximum number of characters that the kernel message buffer can hold.
+.It Li kern.ngroups ( Dv KERN_NGROUPS )
+The maximum number of supplemental groups.
+.\" .It Li kern.no_sa_support
+.\" XXX: Undocumented.
+.It Li kern.ntptime ( Dv KERN_NTPTIME )
+A
+.Vt struct ntptimeval
+structure is returned.
+This structure contains data used by the
+.Xr ntpd 8
+program.
+.It Li kern.osrelease ( Dv KERN_OSRELEASE )
+The system release string.
+.It Li kern.osrevision ( Dv KERN_OSREV )
+The system revision, expressed as an integer.
+.It Li kern.ostype ( Dv KERN_OSTYPE )
+The system type string.
+.\".It Li kern.panic_now
+.\" XXX: Undocumented.
+.It Li kern.pipe ( Dv KERN_PIPE )
+Pipe settings.
+The third level names for the  integer pipe settings is detailed below.
+The changeable column shows whether a process with appropriate
+privilege may change the value.
+.Bl -column "kern.pipe.maxbigpipes" "integer" "Changeable" -offset indent
+.It Sy Third level name Ta Sy Type Ta Sy Changeable
+.It kern.pipe.kvasiz	integer	yes
+.It kern.pipe.maxbigpipes	integer	yes
+.It kern.pipe.maxkvasz	integer	yes
+.It kern.pipe.limitkva	integer	yes
+.It kern.pipe.nbigpipes	integer	yes
+.El
+.Pp
+The variables are as follows:
+.Bl -tag -width "123456"
+.It Li kern.pipe.kvasiz ( Dv KERN_PIPE_KVASIZ )
+Amount of kernel memory consumed by pipe buffers.
+.It Li kern.pipe.maxbigpipes ( Dv KERN_PIPE_MAXBIGPIPES )
+Maximum number of
+.Dq big
+pipes.
+.It Li kern.pipe.maxkvasz ( Dv KERN_PIPE_MAXKVASZ )
+Maximum amount of kernel memory to be used for pipes.
+.It Li kern.pipe.limitkva ( Dv KERN_PIPE_LIMITKVA )
+Limit for direct transfers via page loan.
+.It Li kern.pipe.nbigpipes ( Dv KERN_PIPE_NBIGPIPES )
+Number of
+.Dq big
+pipes.
+.El
+.It Li kern.pool
+Provides statistics about the
+.Xr pool 9
+and
+.Xr pool_cache 9
+subsystems.
+.\" XXX: Undocumented .It Li kern.posix ( ? )
+.\"	 This is a node in which the only variable is semmax.
+.It Li kern.posix1version ( Dv KERN_POSIX1 )
+The version of ISO/IEC 9945
+.Pq St -p1003.1
+with which the system attempts to comply.
+.It Li kern.posix_aio
+The version of
+.St -p1003.1
+and its Asynchronous I/O option to which the system attempts to conform.
+.It Li kern.posix_barriers ( Dv KERN_POSIX_BARRIERS )
+The version of
+.St -p1003.1
+and its
+Barriers
+option to which the system attempts to conform,
+otherwise\ 0.
+.It Li kern.posix_reader_writer_locks ( Dv KERN_POSIX_READER_WRITER_LOCKS )
+The version of
+.St -p1003.1
+and its
+Read-Write Locks
+option to which the system attempts to conform,
+otherwise\ 0.
+.\".It Li kern.posix_sched
+.\" XXX: Undocumented.
+.It Li kern.posix_semaphores ( Dv KERN_POSIX_SEMAPHORES )
+The version of
+.St -p1003.1
+and its
+Semaphores
+option to which the system attempts to conform,
+otherwise\ 0.
+.It Li kern.posix_spin_locks ( Dv KERN_POSIX_SPIN_LOCKS )
+The version of
+.St -p1003.1
+and its
+Spin Locks
+option to which the system attempts to conform,
+otherwise\ 0.
+.It Li kern.posix_threads ( Dv KERN_POSIX_THREADS )
+The version of
+.St -p1003.1
+and its
+Threads
+option to which the system attempts to conform,
+otherwise\ 0.
+.It Li kern.posix_timers ( Dv KERN_POSIX_TIMERS )
+The version of
+.St -p1003.1
+and its
+Timers
+option to which the system attempts to conform,
+otherwise\ 0.
+.It Li kern.proc ( Dv KERN_PROC )
+Return the entire process table, or a subset of it.
+An array of
+.Vt struct kinfo_proc
+structures is returned,
+whose size depends on the current number of such objects in the system.
+The third and fourth level numeric names are as follows:
+.Bl -column "KERN_PROC_SESSION" "Fourth level is:" -offset indent
+.It Sy Third level name Ta Sy Fourth level is :
+.It KERN_PROC_ALL	None
+.It KERN_PROC_GID	A group ID
+.It KERN_PROC_PID	A process ID
+.It KERN_PROC_PGRP	A process group
+.It KERN_PROC_RGID	A real group ID
+.It KERN_PROC_RUID	A real user ID
+.It KERN_PROC_SESSION	A session ID
+.It KERN_PROC_TTY	A tty device
+.It KERN_PROC_UID	A user ID
+.El
+.It Li kern.proc2 ( Dv KERN_PROC2 )
+As for
+.Dv KERN_PROC ,
+but an array of
+.Vt struct kinfo_proc2
+structures are returned.
+The fifth level name is the size of the
+.Vt struct kinfo_proc2
+and the sixth level name is the number of structures to return.
+.It Li kern.proc_args ( Dv KERN_PROC_ARGS )
+Return the argv or environment strings (or the number thereof)
+of a process.
+Multiple strings are returned separated by NUL characters.
+The third level name is the process ID.
+The fourth level name is as follows:
+.Bl -column "KERN_PROG_PATHNAME" "The full pathname of the executable" -offset indent
+.It Dv KERN_PROC_ARGV	The argv strings
+.It Dv KERN_PROC_ENV	The environ strings
+.It Dv KERN_PROC_NARGV	The number of argv strings
+.It Dv KERN_PROC_NENV	The number of environ strings
+.It Dv KERN_PROC_PATHNAME	The full pathname of the executable
+.It Dv KERN_PROC_CWD	The current working directory
+.El
+.It Li kern.profiling ( Dv KERN_PROF )
+Return profiling information about the kernel.
+If the kernel is not compiled for profiling,
+attempts to retrieve any of the
+.Dv KERN_PROF
+values will fail with
+.Er EOPNOTSUPP .
+The third level names for the string and integer profiling information
+is detailed below.
+The changeable column shows whether a process with appropriate
+privilege may change the value.
+.Bl -column "kern.profiling.gmonparam" "struct gmonparam" "Changeable" -offset indent
+.It Sy Third level name Ta Sy Type Ta Sy Changeable
+.It kern.profiling.count	u_short[\|]	yes
+.It kern.profiling.froms	u_short[\|]	yes
+.It kern.profiling.gmonparam	struct gmonparam	no
+.It kern.profiling.state	integer	yes
+.It kern.profiling.tos	struct tostruct	yes
+.El
+.Pp
+The variables are as follows:
+.Bl -tag -width "123456"
+.It Li kern.profiling.count ( Dv GPROF_COUNT )
+Array of statistical program counter counts.
+.It Li kern.profiling.froms ( Dv GPROF_FROMS )
+Array indexed by program counter of call-from points.
+.It Li kern.profiling.gmonparams ( Dv GPROF_GMONPARAM )
+Structure giving the sizes of the above arrays.
+.It Li kern.profiling.state ( Dv GPROF_STATE )
+Profiling state.
+If set to
+.Dv GMON_PROF_ON ,
+starts profiling.
+If set to
+.Dv GMON_PROF_OFF ,
+stops profiling.
+.It Li kern.profiling.tos ( Dv GPROF_TOS )
+Array of
+.Vt struct tostruct
+describing destination of calls and their counts.
+.El
+.\" .It Li kern.pset
+.\" XXX: Undocumented.
+.It Li kern.rawpartition ( Dv KERN_RAWPARTITION )
+The raw partition of a disk (a == 0).
+.It Li kern.root_device ( Dv KERN_ROOT_DEVICE )
+The name of the root device (e.g.,
+.Dq wd0 ) .
+.It Li kern.root_partition ( Dv KERN_ROOT_PARTITION )
+The root partition on the root device (a == 0).
+.It Li kern.rtc_offset ( Dv KERN_RTC_OFFSET )
+Return the offset of real time clock from UTC in minutes.
+.It Li kern.saved_ids ( Dv KERN_SAVED_IDS )
+Returns 1 if saved set-group and saved set-user ID is available.
+.It Li kern.sbmax ( Dv KERN_SBMAX )
+Maximum socket buffer size in bytes.
+.It Li kern.securelevel ( Dv KERN_SECURELVL )
+See
+.Xr secmodel_securelevel 9 .
+.It Li kern.sched ( dynamic )
+Influence the scheduling of LWPs, their prioritisation and how they are
+distributed on and moved between CPUs.
+.Bl -column "kern.sched.balance_period" "integer" "Changeable" -offset indent
+.It Sy Third level name	   Sy Type	 Sy Changeable
+.It kern.sched.cacheht_time	   integer	 yes
+.It kern.sched.balance_period	   integer	 yes
+.It kern.sched.average_weight	   integer	 yes
+.It kern.sched.min_catch	   integer	 yes
+.It kern.sched.timesoftints	   integer	 yes
+.It kern.sched.kpreempt_pri	   integer	 yes
+.It kern.sched.upreempt_pri	   integer	 yes
+.It kern.sched.maxts	   integer	 yes
+.It kern.sched.mints	   integer	 yes
+.It kern.sched.name	   string	 no
+.It kern.sched.rtts	   integer	 no
+.It kern.sched.pri_min	   integer	 no
+.It kern.sched.pri_max	   integer	 no
+.El
+.Pp
+The variables are as follows:
+.Bl -tag -width "123456"
+.It Li kern.sched.cacheht_time ( dynamic )
+Cache hotness time in which a LWP is kept on one particular CPU
+and not moved to another CPU.
+This reduces the overhead of flushing and reloading caches.
+Defaults to 3ms.
+Needs to be given in
+.Dq hz
+units, see
+.Xr mstohz 9 .
+.It Li kern.sched.balance_period ( dynamic )
+Interval at which the CPU queues are checked for re-balancing.
+Defaults to 300ms.
+Needs to be given in
+.Dq hz
+units, see
+.Xr mstohz 9 .
+.It Li kern.sched.average_weight ( dynamic )
+Can be used to influence how likely LWPs are to be migrated from
+one CPU's queue of LWPs that are ready to run to a different, idle CPU.
+The value gives the percentage for weighting the average count of
+migratable threads from the past against the current number of
+migratable threads.
+A small value gives more weight to the past, a larger values more weight
+on the current situation.
+Defaults to 50 and must be between 0 and 100.
+.It Li kern.sched.min_catch ( dynamic )
+Minimum count of migratable (runnable) threads for catching (stealing)
+from another CPU.
+Defaults to 1 but can be increased to decrease chance of thread
+migration between CPUs.
+.It Li kern.sched.timesoftints ( dynamic )
+Enable tracking of CPU time for soft interrupts
+as part of a LWP's real execution time.
+Set to a non-zero value to enable,
+and see
+.Xr ps 1
+for printing CPU times.
+.It Li kern.sched.kpreempt_pri ( dynamic )
+Minimum priority to trigger kernel preemption.
+.It Li kern.sched.upreempt_pri ( dynamic )
+Minimum priority to trigger user preemption.
+.It Li kern.sched.maxts ( dynamic )
+Scheduler specific maximal time quantum (in milliseconds).
+Must be set to a value larger than
+.Dq mints
+and between 10 and
+.Dq hz
+as given by the
+.Dv kern.clockrate
+sysctl.
+Provided by the M2 scheduler.
+.It Li kern.sched.mints ( dynamic )
+Scheduler specific minimal time quantum (in milliseconds).
+Must be set to a value smaller than
+.Dq maxts
+and between 1 and
+.Dq hz
+as given by the
+.Dq kern.clockrate
+sysctl.
+Provided by the M2 scheduler.
+.It Li kern.sched.name ( dynamic )
+Scheduler name.
+Provided both by the M2 and the 4BSD scheduler.
+.It Li kern.sched.rtts ( dynamic )
+Fixed scheduler specific round-robin time quantum in milliseconds.
+Provided both by the M2 and the 4BSD scheduler.
+.It Li kern.sched.pri_min ( dynamic )
+Minimal POSIX real-time priority.
+See
+.Xr sched 3 .
+.It Li kern.sched.pri_max ( dynamic )
+Maximal POSIX real-time priority.
+See
+.Xr sched 3 .
+.El
+.It Li kern.sofixedbuf ( Dv KERN_SOFIXEDBUF )
+Prevent socket buffer autoscaling when a size is set with
+.Dv SO_SNDBUF
+or
+.Dv SO_RCVBUF .
+.It Li kern.somaxkva ( Dv KERN_SOMAXKVA )
+Maximum amount of kernel memory to be used for socket buffers in bytes.
+.It Li kern.sooptions
+Set the default socket option flags for
+.Xr socket 2
+creation.
+See
+.Xr setsockopt 2
+for a list of supported flags.
+.It Li kern.synchronized_io ( Dv KERN_SYNCHRONIZED_IO )
+Returns 1 if the
+.St -p1003.1b-93
+Synchronized I/O Option is available on this system,
+otherwise\ 0.
+.It Li kern.timecounter ( dynamic )
+Display and control the timecounter source of the system.
+.Bl -column "kern.timecounter.timestepwarnings" "integer" "Changeable" -offset indent
+.It Sy Third level name Ta Sy Type Ta Sy Changeable
+.It kern.timecounter.choice	string	no
+.It kern.timecounter.hardware	string	yes
+.It kern.timecounter.timestepwarnings	integer	yes
+.El
+.Pp
+The variables are as follows:
+.Bl -tag -width "123456"
+.It Li kern.timecounter.choice ( dynamic )
+The list of available timecounters with their quality and frequency.
+.It Li kern.timecounter.hardware ( dynamic )
+The currently selected timecounter source.
+.It Li kern.timecounter.timestepwarnings ( dynamic )
+If non-zero display a message each time the time is stepped.
+.El
+.It Li kern.timex ( Dv KERN_TIMEX )
+Not available.
+.It Li kern.tkstat ( Dv KERN_TKSTAT )
+Return information about the number of characters sent and received
+on ttys.
+The third level names for the tty statistic variables are detailed below.
+The changeable column shows whether a process
+with appropriate privilege may change the value.
+.Bl -column "kern.tkstat.cancc" "quad" "Changeable" -offset indent
+.It Sy Third level name Ta Sy Type Ta Sy Changeable
+.It kern.tkstat.cancc	quad	no
+.It kern.tkstat.nin	quad	no
+.It kern.tkstat.nout	quad	no
+.It kern.tkstat.rawcc	quad	no
+.El
+.Pp
+The variables are as follows:
+.Bl -tag -width "123456"
+.It Li kern.tkstat.cancc ( Dv KERN_TKSTAT_CANCC )
+The number of canonical input characters.
+.It Li kern.tkstat.nin ( Dv KERN_TKSTAT_NIN )
+The total number of input characters.
+.It Li kern.tkstat.nout ( Dv KERN_TKSTAT_NOUT )
+The total number of output characters.
+.It Li kern.tkstat.rawcc ( Dv KERN_TKSTAT_RAWCC )
+The number of raw input characters.
+.El
+.It Li kern.tty
+The third level names for the tty setup variables are detailed below.
+The changeable column shows whether a process
+with appropriate privilege may change the value.
+.Bl -column "kern.tty.qsize" "int" "Changeable" -offset indent
+.It Sy Third level name Ta Sy Type Ta Sy Changeable
+.It kern.tty.qsize	int	yes
+.El
+.Pp
+The variables are as follows:
+.Bl -tag -width "123456"
+.It Li kern.tty.qsize
+Control/display the size of the default input and output queues selected
+during tty creation.
+Is converted to a power of two and its range is between
+.Dv 1024
+and
+.Dv 65536 .
+.El
+.It Li kern.uidinfo
+Resource usage for the current user.
+.Bl -column "kern.uidinfo.proccnt" "integer" "Changeable" -offset indent
+.It Sy Third level name Ta Sy Type Ta Sy Changeable
+.It kern.uidinfo.proccnt	integer	no
+.It kern.uidinfo.lwpcnt	integer	no
+.It kern.uidinfo.lockcnt	integer	no
+.It kern.uidinfo.semcnt	integer	no
+.It kern.uidinfo.sbsize	integer	no
+.El
+.Bl -tag -width "123456"
+.It Li kern.uidinfo.proccnt
+Returns the number of active processes for the current user.
+.It Li kern.uidinfo.lwpcnt
+Returns the number of active threads for the current user; the first thread
+of each process is not counted.
+.It Li kern.uidinfo.lockcnt
+Number of locks held by the current user.
+.It Li kern.uidinfo.semcnt
+Number of semaphores held by the current user.
+.It Li kern.uidinfo.sbsize
+Number of bytes in socket buffers allocated to the current user.
+.El
+.It Li kern.urandom ( Dv KERN_URND )
+Random integer value.
+.It Li kern.usercrypto
+When enabled, allows userland to
+.Xr open 2
+the
+.Pa /dev/crypto
+special device, used by the
+.Xr crypto 4
+system.
+.It Li kern.userasymcrypto
+Enables or disables the use of software asymmetric crypto support in the
+.Xr crypto 4
+system.
+.It Li kern.veriexec
+Runtime information for
+.Xr veriexec 8 .
+.Bl -column "kern.veriexec.algorithms" "integer" "Changeable" -offset indent
+.It Sy Third level name Ta Sy Type Ta Sy Changeable
+.It kern.veriexec.algorithms	string	no
+.It kern.veriexec.count	node	not applicable
+.It kern.veriexec.strict	integer	yes
+.It kern.veriexec.verbose	integer	yes
+.El
+.Bl -tag -width "123456"
+.It Li kern.veriexec.algorithms
+Returns a string with the supported algorithms in Veriexec.
+.It Li kern.veriexec.count
+Sub-nodes are added to this node as new mounts are monitored by Veriexec.
+Each mount will be under its own
+.No tableN
+node.
+Under each node there will be three variables, indicating the mount
+point, the file system type, and the number of entries.
+.It Li kern.veriexec.strict
+Controls the strict level of Veriexec.
+See
+.Xr security 7
+for more information on each level's implications.
+.It Li kern.veriexec.verbose
+Controls the verbosity level of Veriexec.
+If 0, only the minimal
+indication required will be given about what's happening - fingerprint
+mismatches, removal of entries from the tables, modification of a
+fingerprinted file.
+If 1, more messages will be printed (ie., when a file with a valid
+fingerprint is accessed).
+Verbose level 2 is debug mode.
+.El
+.It Li kern.version ( Dv KERN_VERSION )
+The system version string.
+.It Li kern.vnode ( Dv KERN_VNODE )
+Return the entire vnode table.
+Note, the vnode table is not necessarily a consistent snapshot of
+the system.
+The returned data consists of an array whose size depends on the
+current number of such objects in the system.
+Each element of the array contains the kernel address of a vnode
+.Vt struct vnode *
+followed by the vnode itself
+.Vt struct vnode .
+.El
+.Ss The machdep.* subtree
+The set of variables defined is architecture dependent.
+Most architectures define at least the following variables.
+.Bl -column "machdep.booted_kernel" "Type" "Changeable" -offset indent
+.It Sy Second level name Ta Sy Type Ta Sy Changeable
+.It Li machdep.booted_kernel	string	no
+.El
+.\" XXX: Document the above.
+.Ss The net.* subtree
+The string and integer information available for the
+.Li net
+level is detailed below.
+The changeable column shows whether a process with appropriate
+privilege may change the value.
+The second and third levels are typically the protocol family and
+protocol number, though this is not always the case.
+.Bl -column "Second level name" "IPsec key management values" "Changeable" -offset indent
+.It Sy Second level name Ta Sy Type Ta Sy Changeable
+.It net.route	routing messages	no
+.It net.inet	IPv4 values	yes
+.It net.inet6	IPv6 values	yes
+.It net.key	IPsec key management values	yes
+.El
+.Bl -tag -width "123456"
+.It Li net.route ( Dv PF_ROUTE )
+.\" XXX really?
+Return the entire routing table or a subset of it.
+The data is returned as a sequence of routing messages (see
+.Xr route 4
+for the header file, format and meaning).
+The length of each message is contained in the message header.
+.Pp
+The third level name is a protocol number, which is currently always\ 0.
+The fourth level name is an address family, which may be set to 0 to
+select all address families.
+The fifth and sixth level names are as follows:
+.Bl -column "Fifth level name" "Sixth level is:" -offset indent
+.It Sy Fifth level name Ta Sy Sixth level is :
+.It NET_RT_FLAGS	rtflags
+.It NET_RT_DUMP	None
+.It NET_RT_IFLIST	None
+.El
+.It Li net.inet ( Dv PF_INET )
+Get or set various global information about the IPv4
+.Pq Internet Protocol version 4 .
+The third level name is the protocol.
+The fourth level name is the variable name.
+The currently defined protocols and names are:
+.Bl -column "Protocol" "anonportalgo.available" "integer" "Changeable" -offset indent
+.It Sy Protocol	Variable Ta Sy Type Ta Sy Changeable
+.It arp	nd_delay	integer	yes
+.It arp	nd_bmaxtries	integer	yes
+.It arp	nd_umaxtries	integer	yes
+.It arp	nd_basereachable	integer	yes
+.It arp	nd_retrans	integer	yes
+.It arp	nd_nud		integer	yes
+.It arp	nd_maxnudhint	integer	yes
+.It arp	log_movements	integer	yes
+.It arp	log_permanent_modify	integer	yes
+.It arp	log_unknown_network	integer	yes
+.It arp	log_wrong_iface	integer	yes
+.It carp	allow	integer	yes
+.It carp	preempt	integer	yes
+.It carp	log	integer	yes
+.It carp	arpbalance	integer	yes
+.It icmp	errppslimit	integer	yes
+.It icmp	maskrepl	integer	yes
+.It icmp	rediraccept	integer	yes
+.It icmp	redirtimeout	integer	yes
+.It icmp	bmcastecho	integer	yes
+.It icmp	dynamic_rt_msg	boolean	yes
+.It ip	allowsrcrt	integer	yes
+.It ip 	anonportalgo.selected	string	yes
+.It ip 	anonportalgo.available	string	yes
+.It ip 	anonportalgo.reserve	struct	yes
+.It ip	anonportmax	integer	yes
+.It ip	anonportmin	integer	yes
+.It ip	checkinterface	integer	yes
+.It ip	dad_count	integer	yes
+.It ip	directed-broadcast	integer	yes
+.It ip	do_loopback_cksum	integer	yes
+.It ip	forwarding	integer	yes
+.It ip	forwsrcrt	integer	yes
+.It ip	gifttl	integer	yes
+.It ip	grettl	integer	yes
+.It ip	hashsize	integer	yes
+.It ip	hostzerobroadcast	integer	yes
+.It ip	lowportmin	integer	yes
+.It ip	lowportmax	integer	yes
+.It ip	maxflows	integer	yes
+.It ip	maxfragpackets	integer	yes
+.It ip	mtudisc	integer	yes
+.It ip	mtudisctimeout	integer	yes
+.It ip	random_id	integer	yes
+.It ip	redirect	integer	yes
+.It ip	subnetsarelocal	integer	yes
+.It ip	ttl	integer	yes
+.It tcp	rfc1323	integer	yes
+.It tcp	sendspace	integer	yes
+.It tcp	recvspace	integer	yes
+.It tcp	mssdflt	integer	yes
+.It tcp	syn_cache_limit	integer	yes
+.It tcp	syn_bucket_limit	integer	yes
+.It tcp	syn_cache_interval	integer	yes
+.It tcp	init_win	integer	yes
+.It tcp	init_win_local	integer	yes
+.It tcp	mss_ifmtu	integer	yes
+.It tcp	win_scale	integer	yes
+.It tcp	timestamps	integer	yes
+.It tcp	cwm	integer	yes
+.It tcp	cwm_burstsize	integer	yes
+.It tcp	ack_on_push	integer	yes
+.It tcp	keepidle	integer	yes
+.It tcp	keepintvl	integer	yes
+.It tcp	keepcnt	integer	yes
+.It tcp	slowhz	integer	no
+.It tcp	keepinit	integer	yes
+.It tcp	log_refused	integer	yes
+.It tcp	rstppslimit	integer	yes
+.It tcp	ident	struct	no
+.It tcp	drop	struct	no
+.It tcp	sack.enable	integer	yes
+.It tcp	sack.globalholes	integer	no
+.It tcp	sack.globalmaxholes	integer	yes
+.It tcp	sack.maxholes	integer	yes
+.It tcp	ecn.enable	integer	yes
+.It tcp	ecn.maxretries	integer	yes
+.It tcp	congctl.selected	string	yes
+.It tcp	congctl.available	string	yes
+.It tcp	abc.enable	integer	yes
+.It tcp	abc.aggressive	integer	yes
+.It udp	checksum	integer	yes
+.It udp	do_loopback_cksum	integer	yes
+.It udp	recvspace	integer	yes
+.It udp	sendspace	integer	yes
+.El
+.Pp
+The variables are as follows:
+.Bl -tag -width "123456"
+.It Li arp.nd_delay
+The delay in seconds before sending the first probe,
+after it has been decided that the entry is stale.
+.It Li arp.nd_bmaxtries
+The maximum number of broadcasts send to discover the hardware address
+claiming an IP address.
+.It Li arp.nd_umaxtries
+The maximum number of unicasts send to the hardware address to ensure
+it still claims an IP address.
+.It Li arp.nd_basereachable
+The number of milliseconds the ARP entry is considered reachable before
+probing reachability.
+.It Li arp.nd_retrans
+The number of milliseconds between ARP probes.
+.It Li arp.nd_nud
+If set to non-zero, perform Neighbor Unreachability Detection.
+.It Li arp.nd_maxnudhint
+Neighbor discovery permits upper layer protocols to supply reachability
+hints, to avoid unnecessary neighbor discovery exchanges.
+The variable defines the number of consecutive hints the neighbor discovery
+layer will take.
+For example, by setting the variable to 3, neighbor discovery layer
+will take 3 consecutive hints in maximum.
+After receiving 3 hints, neighbor discovery layer will perform
+normal neighbor discovery process.
+.It Li carp.allow
+If set to 0, incoming
+.Xr carp 4
+packets will not be processed.
+If set to any other value, processing will occur.
+Enabled by default.
+.It Li carp.arpbalance
+If set to any value other than 0, the ARP balancing functionality of
+.Xr carp 4
+is enabled.
+When ARP requests are received for an IP address which is part of any virtual
+host, carp will hash the source IP in the ARP request to select one of the
+virtual hosts from the set of all the virtual hosts which have that IP address.
+The master of that host will respond with the correct virtual MAC address.
+Disabled by default.
+.It Li carp.log
+If set to any value other than 0,
+.Xr carp 4
+will log errors.
+Disabled by default.
+.It Li carp.preempt
+If set to 0,
+.Xr carp 4
+will not attempt to become master if it is receiving advertisements from
+another active master.
+If set to any other value, carp will become master of the virtual host if it
+believes it can send advertisements more frequently than the current master.
+Disabled by default.
+.It Li ip.allowsrcrt
+If set to 1, the host accepts source routed packets.
+.It Li ip.anonportalgo.available
+The available RFC 6056 port randomization algorithms.
+.It Li ip.anonportalgo.reserve
+A bitmask of ports that will not be used during anonymous or privileged
+port selection.
+.It Li ip.anonportalgo.selected
+The currently selected RFC 6056 port randomization algorithm; see
+.Xr rfc6056 7
+for details.
+.It Li ip.anonportmax
+The highest port number to use for TCP and UDP ephemeral port allocation.
+This cannot be set to less than 1024 or greater than 65535, and must
+be greater than
+.Li ip.anonportmin .
+.It Li ip.anonportmin
+The lowest port number to use for TCP and UDP ephemeral port allocation.
+This cannot be set to less than 1024 or greater than 65535.
+.It Li ip.checkinterface
+If set to non-zero, the host will reject packets addressed to it
+that arrive on an interface not bound to that address.
+Currently, this must be disabled if NAT is used to translate the
+destination address to another local interface, or if addresses
+are added to the loopback interface instead of the interface where
+the packets for those packets are received.
+.It Li ip.dad_count
+The number of
+.Xr arp 4
+probes sent for Address Conflict Detection.
+Set to 0 to disable this.
+.It Li ip.directed-broadcast
+If set to 1, enables directed broadcast behavior for the host.
+.It Li ip.do_loopback_cksum
+Perform IP checksum on loopback.
+.It Li ip.forwarding
+If set to 1, enables IP forwarding for the host,
+meaning that the host is acting as a router.
+.It Li ip.forwsrcrt
+If set to 1, enables forwarding of source-routed packets for the host.
+This value may only be changed if the kernel security level is less than 1.
+.It Li ip.gifttl
+The maximum time-to-live (hop count) value for an IPv4 packet generated by
+.Xr gif 4
+tunnel interface.
+.It Li ip.grettl
+The maximum time-to-live (hop count) value for an IPv4 packet generated by
+.Xr gre 4
+tunnel interface.
+.It Li ip.hashsize
+The size of IPv4 Fast Forward hash table.
+This value must be a power of 2 (64, 256...).
+A larger hash table size results in fewer collisions.
+Also see
+.Li ip.maxflows .
+.It Li ip.hostzerobroadcast
+All zeroes address is broadcast address.
+.It Li ip.lowportmax
+The highest port number to use for TCP and UDP reserved port allocation.
+This cannot be set to less than 0 or greater than 1024, and must
+be greater than
+.Li ip.lowportmin .
+.It Li ip.lowportmin
+The lowest port number to use for TCP and UDP reserved port allocation.
+This cannot be set to less than 0 or greater than 1024, and must
+be smaller than
+.Li ip.lowportmax .
+.It Li ip.maxflows
+IPv4 Fast Forwarding is enabled by default.
+If set to 0, IPv4 Fast Forwarding is disabled.
+.Li ip.maxflows
+controls the maximum amount of flows which can be created.
+The default value is 256.
+.It Li ip.maxfragpackets
+The maximum number of fragmented packets the node will accept.
+0 means that the node will not accept any fragmented packets.
+\-1 means that the node will accept as many fragmented packets as it receives.
+The flag is provided basically for avoiding possible DoS attacks.
+.It Li ip.mtudisc
+If set to 1, enables Path MTU Discovery (RFC 1191).
+When Path MTU Discovery is enabled, the transmitted TCP segment
+size will be determined by the advertised maximum segment size
+(MSS) from the remote end, as constrained by the path MTU.
+If MTU Discovery is disabled, the transmitted segment size will
+never be greater than
+.Li tcp.mssdflt
+(the local maximum segment size).
+.It Li ip.mtudisctimeout
+The number of seconds in which a route added by the Path MTU
+Discovery engine will time out.
+When the route times out, the Path
+MTU Discovery engine will attempt to probe a larger path MTU.
+.It Li ip.random_id
+Assign random ip_id values.
+.It Li ip.redirect
+If set to 1, ICMP redirects may be sent by the host.
+This option is ignored unless the host is routing IP packets,
+and should normally be enabled on all systems.
+.It Li ip.subnetsarelocal
+If set to 1, subnets are to be considered local addresses.
+.It Li ip.ttl
+The maximum time-to-live (hop count) value for an IP packet sourced by
+the system.
+This value applies to normal transport protocols, not to ICMP.
+.It Li icmp.errppslimit
+The variable specifies the maximum number of outgoing ICMP error messages,
+per second.
+ICMP error messages that exceeded the value are subject to rate limitation
+and will not go out from the node.
+Negative value disables rate limitation.
+.It Li icmp.maskrepl
+If set to 1, ICMP network mask requests are to be answered.
+.It Li icmp.rediraccept
+If set to non-zero, the host will accept ICMP redirect packets.
+Note that routers will never accept ICMP redirect packets,
+and the variable is meaningful on IP hosts only.
+.It Li icmp.redirtimeout
+The variable specifies lifetime of routing entries generated by incoming
+ICMP redirect.
+This defaults to 600 seconds.
+.It Li icmp.returndatabytes
+Number of bytes to return in an ICMP error message.
+.It Li icmp.bmcastecho
+If set to 1, enables responding to ICMP echo or timestamp request to the
+broadcast address.
+.It Li icmp.dynamic_rt_msg
+A boolean that the kernel sends routing message for RTM_DYNAMIC or not.
+If set to true, sends such routing message.
+.It Li tcp.ack_on_push
+If set to 1, TCP is to immediately transmit an ACK upon reception of
+a packet with PUSH set.
+This can avoid losing a round trip time in some rare situations,
+but has the caveat of potentially defeating TCP's delayed ACK algorithm.
+Use of this option is generally not recommended, but
+the variable exists in case your configuration really needs it.
+.It Li tcp.cwm
+If set to 1, enables use of the Hughes/Touch/Heidemann Congestion Window
+Monitoring algorithm.
+This algorithm prevents line-rate bursts of packets that could
+otherwise occur when data begins flowing on an idle TCP connection.
+These line-rate bursts can contribute to network and router congestion.
+This can be particularly useful on World Wide Web servers
+which support HTTP/1.1, which has lingering connections.
+.It Li tcp.cwm_burstsize
+The Congestion Window Monitoring allowed burst size, in terms
+of packet count.
+.It Li tcp.delack_ticks
+Number of ticks to delay sending an ACK.
+.It Li tcp.do_loopback_cksum
+Perform TCP checksum on loopback.
+.It Li tcp.init_win
+A value indicating the TCP initial congestion window.
+The valid range
+is 0 to 10 (maximum specified by RFC6928),
+with a default of 4 (approximately 4K per RFC3390).
+.It Li tcp.init_win_local
+Like
+.Li tcp.init_win ,
+but used when communicating with hosts on a local network.
+.It Li tcp.keepcnt
+Number of keepalive probes sent before declaring a connection dead.
+If set to zero, there is no limit;
+keepalives will be sent until some kind of
+response is received from the peer.
+.It Li tcp.keepidle
+Time a connection must be idle before keepalives are sent (if keepalives
+are enabled for the connection).
+See also tcp.slowhz.
+.It Li tcp.keepintvl
+Time after a keepalive probe is sent until, in the absence of any response,
+another probe is sent.
+See also tcp.slowhz.
+.It Li tcp.log_refused
+If set to 1, refused TCP connections to the host will be logged.
+.It Li tcp.keepinit
+Timeout in seconds during connection establishment.
+.It Li tcp.mss_ifmtu
+If set to 1, TCP calculates the outgoing maximum segment size based on
+the MTU of the appropriate interface.
+If set to 0, it is calculated based on the greater of the MTU of the
+interface, and the largest (non-loopback) interface MTU on the system.
+.It Li tcp.mssdflt
+The default maximum segment size both advertised to the peer
+and to use when either the peer does not advertise a maximum segment size to
+us during connection setup or Path MTU Discovery
+.Li ( ip.mtudisc )
+is disabled.
+Do not change this value unless you really know what you are doing.
+.It Li tcp.recvspace
+The default TCP receive buffer size.
+.It Li tcp.rfc1323
+If set to 1, enables RFC 1323 extensions to TCP.
+.It Li tcp.rstppslimit
+The variable specifies the maximum number of outgoing TCP RST packets,
+per second.
+TCP RST packet that exceeded the value are subject to rate limitation
+and will not go out from the node.
+Negative value disables rate limitation.
+.It Li tcp.ident
+Return the user ID of a connected socket pair.
+(RFC1413 Identification Protocol lookups.)
+.It Li tcp.drop
+Drop a TCP socket pair connection.
+.It Li tcp.sack.enable
+If set to 1, enables RFC 2018 Selective ACKnowledgement.
+.It Li tcp.sack.globalholes
+Global number of TCP SACK holes.
+.It Li tcp.sack.globalmaxholes
+Global maximum number of TCP SACK holes.
+.It Li tcp.sack.maxholes
+Maximum number of TCP SACK holes allowed per connection.
+.It Li tcp.ecn.enable
+If set to 1, enables RFC 3168 Explicit Congestion Notification.
+.It Li tcp.ecn.maxretries
+Number of times to retry sending the ECN-setup packet.
+.It Li tcp.sendspace
+The default TCP send buffer size.
+.It Li tcp.slowhz
+The units for tcp.keepidle and tcp.keepintvl; those variables are in ticks
+of a clock that ticks tcp.slowhz times per second.
+(That is, their values
+must be divided by the tcp.slowhz value to get times in seconds.)
+.It Li tcp.syn_bucket_limit
+The maximum number of entries allowed per hash bucket in the TCP
+compressed state engine.
+.It Li tcp.syn_cache_limit
+The maximum number of entries allowed in the TCP compressed state
+engine.
+.It Li tcp.timestamps
+If rfc1323 is enabled, a value of 1 indicates RFC 1323 time stamp options,
+used for measuring TCP round trip times, are enabled.
+.It Li tcp.win_scale
+If rfc1323 is enabled, a value of 1 indicates RFC 1323 window scale options,
+for increasing the TCP window size, are enabled.
+.It Li tcp.congctl.available
+The available TCP congestion control algorithms.
+.It Li tcp.congctl.selected
+The currently selected TCP congestion control algorithm.
+.It Li tcp.abc.enable
+If set to 1, use RFC 3465 Appropriate Byte Counting (ABC).
+If set to 0, use traditional Packet Counting.
+.It Li tcp.abc.aggressive
+Choose the L parameter found in RFC 3465.
+L is the maximum cwnd increase for an ack during slow start.
+If set to 1, use L=2*SMSS.
+If set to 0, use L=1*SMSS.
+It has no effect unless tcp.abc.enable is set to 1.
+.It Li udp.checksum
+If set to 1, UDP checksums are being computed.
+Received non-zero UDP checksums are always checked.
+Disabling UDP checksums is strongly discouraged.
+.It Li udp.recvspace
+The default UDP receive buffer size.
+.It Li udp.sendspace
+The default UDP send buffer size.
+.El
+.Pp
+For variables net.*.ipsec, please refer to
+.Xr ipsec 4 .
+.It Li net.inet6 ( Dv PF_INET6 )
+Get or set various global information about the IPv6
+.Pq Internet Protocol version 6 .
+The third level name is the protocol.
+The fourth level name is the variable name.
+The currently defined protocols and names are:
+.Bl -column "Protocol" "anonportalgo.available" "integer" "Changeable" -offset indent
+.It Sy Protocol	Variable Ta Sy Type Ta Sy Changeable
+.It icmp6	errppslimit	integer	yes
+.It icmp6	mtudisc_hiwat	integer	yes
+.It icmp6	mtudisc_lowat	integer	yes
+.It icmp6	nd6_debug	integer	yes
+.It icmp6	nd6_delay	integer	yes
+.It icmp6	nd6_maxnudhint	integer	yes
+.It icmp6	nd6_mmaxtries	integer	yes
+.It icmp6	nd6_gctimer	integer	yes
+.It icmp6	nd6_prune	integer	yes
+.It icmp6	nd6_umaxtries	integer	yes
+.It icmp6	nd6_useloopback	integer	yes
+.It icmp6	nodeinfo	integer	yes
+.It icmp6	rediraccept	integer	yes
+.It icmp6	redirtimeout	integer	yes
+.It icmp6	reflect_pmtu	boolean	yes
+.It icmp6	dynamic_rt_msg	boolean	yes
+.It ip6	accept_rtadv	integer	yes
+.It ip6	addctlpolicy	struct in6_addrpolicy	no
+.It ip6	anonportalgo.selected	string	yes
+.It ip6	anonportalgo.available	string	yes
+.It ip6	anonportalgo.reserve	struct	yes
+.It ip6	anonportmax	integer	yes
+.It ip6	anonportmin	integer	yes
+.It ip6	auto_flowlabel	integer	yes
+.It ip6	dad_count	integer	yes
+.It ip6	defmcasthlim	integer	yes
+.It ip6	forwarding	integer	yes
+.It ip6	gifhlim	integer	yes
+.It ip6	hashsize	integer	yes
+.It ip6	hlim	integer	yes
+.It ip6	hdrnestlimit	integer	yes
+.It ip6	kame_version	string	no
+.It ip6	keepfaith	integer	yes
+.It ip6	log_interval	integer	yes
+.It ip6	lowportmax	integer	yes
+.It ip6	lowportmin	integer	yes
+.It ip6	maxdynroutes	integer	yes
+.It ip6	maxifprefixes	integer	yes
+.It ip6	maxifdefrouters	integer	yes
+.It ip6	maxflows	integer	yes
+.It ip6	maxfragpackets	integer	yes
+.It ip6	maxfrags	integer	yes
+.It ip6	neighborgcthresh	integer	yes
+.It ip6	param_rt_msg	integer	yes
+.It ip6	redirect	integer	yes
+.It ip6	rr_prune	integer	yes
+.It ip6	use_deprecated	integer	yes
+.It ip6	v6only	integer	yes
+.It udp6	do_loopback_cksum	integer	yes
+.It udp6	recvspace	integer	yes
+.It udp6	sendspace	integer	yes
+.El
+.Pp
+The variables are as follows:
+.Bl -tag -width "123456"
+.It Li ip6.accept_rtadv
+If set to non-zero, the node will accept ICMPv6 router advertisement packets
+and autoconfigures address prefixes and default routers.
+The node must be a host
+.Pq not a router
+for the option to be meaningful.
+.It Li ip6.anonportalgo.available
+The available RFC 6056 port randomization algorithms.
+.It Li ip6.anonportalgo.reserve
+A bitmask of ports that will not be used during anonymous or privileged
+port selection.
+.It Li ip6.anonportalgo.selected
+The currently selected RFC 6056 port randomization algorithm; see
+.Xr rfc6056 7
+for details.
+.It Li ip6.anonportmax
+The highest port number to use for TCP and UDP ephemeral port allocation.
+This cannot be set to less than 1024 or greater than 65535, and must
+be greater than
+.Li ip6.anonportmin .
+.It Li ip6.anonportmin
+The lowest port number to use for TCP and UDP ephemeral port allocation.
+This cannot be set to less than 1024 or greater than 65535.
+.It Li ip6.auto_flowlabel
+On connected transport protocol packets,
+fill IPv6 flowlabel field to help intermediate routers to identify packet flows.
+.It Li ip6.dad_count
+The variable configures number of IPv6 DAD
+.Pq duplicated address detection
+probe packets.
+The packets will be generated when IPv6 interface addresses are configured.
+.It Li ip6.defmcasthlim
+The default hop limit value for an IPv6 multicast packet sourced by the node.
+This value applies to all the transport protocols on top of IPv6.
+There are APIs to override the value, as documented in
+.Xr ip6 4 .
+.It Li ip6.forwarding
+If set to 1, enables IPv6 forwarding for the node,
+meaning that the node is acting as a router.
+If set to 0, disables IPv6 forwarding for the node,
+meaning that the node is acting as a host.
+IPv6 specification defines node behavior for
+.Dq router
+case and
+.Dq host
+case quite differently, and changing this variable during operation
+may cause serious trouble.
+It is recommended to configure the variable at bootstrap time,
+and bootstrap time only.
+.It Li ip6.gifhlim
+The maximum hop limit value for an IPv6 packet generated by
+.Xr gif 4
+tunnel interface.
+.It Li ip6.hdrnestlimit
+The number of IPv6 extension headers permitted on incoming IPv6 packets.
+If set to 0, the node will accept as many extension headers as possible.
+.It Li ip6.hashsize
+The size of IPv6 Fast Forward hash table.
+This value must be a power of 2 (64, 256, ...).
+A larger hash table size results in fewer collisions.
+Also see
+.Li ip6.maxflows .
+.It Li ip6.hlim
+The default hop limit value for an IPv6 unicast packet sourced by the node.
+This value applies to all the transport protocols on top of IPv6.
+There are APIs to override the value, as documented in
+.Xr ip6 4 .
+.It Li ip6.kame_version
+The string identifies the version of KAME IPv6 stack implemented in the kernel.
+.It Li ip6.keepfaith
+If set to non-zero, it enables
+.Dq FAITH
+TCP relay IPv6-to-IPv4 translator code in the kernel.
+Refer
+.Xr faith 4
+and
+.Xr faithd 8
+for detail.
+.It Li ip6.log_interval
+The variable controls amount of logs generated by IPv6 packet
+forwarding engine, by setting interval between log output
+.Pq in seconds .
+.It Li ip6.lowportmax
+The highest port number to use for TCP and UDP reserved port allocation.
+This cannot be set to less than 0 or greater than 1024, and must
+be greater than
+.Li ip6.lowportmin .
+.It Li ip6.lowportmin
+The lowest port number to use for TCP and UDP reserved port allocation.
+This cannot be set to less than 0 or greater than 1024, and must
+be smaller than
+.Li ip6.lowportmax .
+.It Li ip6.maxdynroutes
+Maximum number of routes created by redirect.
+Set it to negative to disable.
+The default value is 4096.
+.It Li ip6.maxifprefixes
+Maximum number of prefixes created by route advertisements per interface.
+Set it to negative to disable.
+The default value is 16.
+.It Li ip6.maxifdefrouters 16
+Maximum number of default routers created by route advertisements per interface.
+Set it to negative to disable.
+The default value is 16.
+.It Li ip6.maxflows
+IPv6 Fast Forwarding is enabled by default.
+If set to 0, IPv6 Fast Forwarding is disabled.
+.Li ip6.maxflows
+controls the maximum amount of flows which can be created.
+The default value is 256.
+.It Li ip6.maxfragpackets
+The maximum number of fragmented packets the node will accept.
+0 means that the node will not accept any fragmented packets.
+\-1 means that the node will accept as many fragmented packets as it receives.
+The flag is provided basically for avoiding possible DoS attacks.
+.It Li ip6.maxfrags
+The maximum number of fragments the node will accept.
+0 means that the node will not accept any fragments.
+\-1 means that the node will accept as many fragments as it receives.
+The flag is provided basically for avoiding possible DoS attacks.
+.It Li ip6.neighborgcthresh
+Maximum number of entries in neighbor cache per interface.
+Set to negative to disable.
+The default value is 2048.
+.It Li ip6.param_rt_msg
+If set to 0, parameter changing routing message is suppressed.
+If set to 1, parameter changing routing message is sent by RTM_NEWADDR.
+Other values are undefined yet.
+.It Li ip6.redirect
+If set to 1, ICMPv6 redirects may be sent by the node.
+This option is ignored unless the node is routing IP packets,
+and should normally be enabled on all systems.
+.It Li ip6.rr_prune
+The variable specifies interval between IPv6 router renumbering prefix
+babysitting, in seconds.
+.It Li ip6.use_deprecated
+The variable controls use of deprecated address, specified in RFC 2462 5.5.4.
+.It Li ip6.v6only
+The variable specifies initial value for
+.Dv IPV6_V6ONLY
+socket option for
+.Dv AF_INET6
+socket.
+Please refer to
+.Xr ip6 4
+for detail.
+.It Li icmp6.errppslimit
+The variable specifies the maximum number of outgoing ICMPv6 error messages,
+per second.
+ICMPv6 error messages that exceeded the value are subject to rate limitation
+and will not go out from the node.
+Negative value disables rate limitation.
+.It Li icmp6.mtudisc_hiwat
+.It Li icmp6.mtudisc_lowat
+The variables define the maximum number of routing table entries,
+created due to path MTU discovery
+.Pq prevents denial-of-service attacks with ICMPv6 too big messages .
+When IPv6 path MTU discovery happens, we keep path MTU information into
+the routing table.
+If the number of routing table entries exceed the value,
+the kernel will not attempt to keep the path MTU information.
+.Li icmp6.mtudisc_hiwat
+is used when we have verified ICMPv6 too big messages.
+.Li icmp6.mtudisc_lowat
+is used when we have unverified ICMPv6 too big messages.
+Verification is performed by using address/port pairs kept in connected pcbs.
+Negative value disables the upper limit.
+.It Li icmp6.nd6_debug
+If set to non-zero, kernel IPv6 neighbor discovery code will generate
+debugging messages.
+The debug outputs are useful to diagnose IPv6 interoperability issues.
+The flag must be set to 0 for normal operation.
+.It Li icmp6.nd6_delay
+The variable specifies
+.Dv DELAY_FIRST_PROBE_TIME
+timing constant in IPv6 neighbor discovery specification
+.Pq RFC 2461 ,
+in seconds.
+.It Li icmp6.nd6_maxnudhint
+Neighbor discovery permits upper layer protocols to supply reachability
+hints, to avoid unnecessary neighbor discovery exchanges.
+The variable defines the number of consecutive hints the neighbor discovery
+layer will take.
+For example, by setting the variable to 3, neighbor discovery layer
+will take 3 consecutive hints in maximum.
+After receiving 3 hints, neighbor discovery layer will perform
+normal neighbor discovery process.
+.It Li icmp6.nd6_mmaxtries
+The variable specifies
+.Dv MAX_MULTICAST_SOLICIT
+constant in IPv6 neighbor discovery specification
+.Pq RFC 2461 .
+.It Li icmp6.nd6_gctimer
+The duration stale neighbors will be kept for, before being garbage collected,
+in seconds.
+.It Li icmp6.nd6_prune
+The variable specifies interval between IPv6 neighbor cache babysitting,
+in seconds.
+.It Li icmp6.nd6_umaxtries
+The variable specifies
+.Dv MAX_UNICAST_SOLICIT
+constant in IPv6 neighbor discovery specification
+.Pq RFC 2461 .
+.It Li icmp6.nd6_useloopback
+If set to non-zero, kernel IPv6 stack will use loopback interface for
+local traffic.
+.It Li icmp6.nodeinfo
+The variable enables responses to ICMPv6 node information queries.
+If you set the variable to 0, responses will not be generated for
+ICMPv6 node information queries.
+Since node information queries can have a security impact, it is
+possible to fine tune which responses should be answered.
+Two separate bits can be set.
+.Bl -tag -width "12345"
+.It 1
+Respond to ICMPv6 FQDN queries, e.g.
+.Li ping6 -w .
+.It 2
+Respond to ICMPv6 node addresses queries, e.g.
+.Li ping6 -a .
+.El
+.It Li icmp6.rediraccept
+If set to non-zero, the host will accept ICMPv6 redirect packets.
+Note that IPv6 routers will never accept ICMPv6 redirect packets,
+and the variable is meaningful on IPv6 hosts
+.Pq non-router
+only.
+.It Li icmp6.redirtimeout
+The variable specifies lifetime of routing entries generated by incoming
+ICMPv6 redirect.
+.It Li icmp6.reflect_pmtu
+A boolean that icmpv6 reflecting uses path MTU discovery or not.
+When not, icmpv6 reflecting uses IPV6_MINMTU.
+.It Li icmp6.dynamic_rt_msg
+A boolean that the kernel sends routing message for RTM_DYNAMIC or not.
+If set to true, sends such routing message.
+.It Li udp6.do_loopback_cksum
+Perform UDP checksum on loopback.
+.It Li udp6.recvspace
+Default UDP receive buffer size.
+.It Li udp6.sendspace
+Default UDP send buffer size.
+.El
+.Pp
+Variables net.inet6.tcp6.* and net.inet6.udp6.* have identical meanings to
+net.inet.tcp.* and net.inet.udp.*, respectively.
+Please refer to
+.Li PF_INET
+section above.
+For variables net.*.ipsec6, please refer to
+.Xr ipsec 4 .
+.It Li net.key ( Dv PF_KEY )
+Get or set various global information about the IPsec key management.
+The third level name is the variable name.
+The currently defined variable and names are:
+.Bl -column "blockacq_lifetime" "integer" "Changeable" -offset indent
+.It Sy Variable	Type Ta Sy Changeable
+.It debug	integer	yes
+.It enabled	integer	yes
+.It used	integer	no
+.It spi_try	integer	yes
+.It spi_min_value	integer	yes
+.It spi_max_value	integer	yes
+.It larval_lifetime	integer	yes
+.It blockacq_count	integer	yes
+.It blockacq_lifetime	integer	yes
+.It esp_keymin	integer	yes
+.It esp_auth	integer	yes
+.It ah_keymin	integer	yes
+.It allow_different_idtype	boolean	yes
+.El
+The variables are as follows:
+.Bl -tag -width "123456"
+.It Li debug
+Turn on debugging message from within the kernel.
+The value is a bitmap, as defined in
+.In netipsec/key_debug.h .
+.It Li enabled
+Control processing of IPsec control messages.
+.Bl -tag -width indent
+.It 0
+Never allow IPsec processing
+.It 1
+Allow IPsec processing when SPD policies are present.
+.It 2
+Force IPsec processing even when SPD policies are not present.
+.El
+.It Li used
+Based on if IPsec is enabled, and SPD rule existence, show if
+IPsec is being used.
+Note that currently once IPsec is being used, it cannot be disabled.
+.It Li spi_try
+The number of times the kernel will try to obtain an unique SPI
+when it generates it from random number generator.
+.It Li spi_min_value
+Minimum SPI value when generating it within the kernel.
+.It Li spi_max_value
+Maximum SPI value when generating it within the kernel.
+.It Li larval_lifetime
+Lifetime for LARVAL SAD entries, in seconds.
+.It Li blockacq_count
+Number of ACQUIRE PF_KEY messages to be blocked after an ACQUIRE message.
+It avoids flood of ACQUIRE PF_KEY from being sent from the kernel to the
+key management daemon.
+.It Li blockacq_lifetime
+Lifetime of ACQUIRE PF_KEY message.
+.It Li esp_keymin
+Minimum ESP key length, in bits.
+The value is used when the kernel creates proposal payload
+on ACQUIRE PF_KEY message.
+.It Li esp_auth
+Whether ESP authentication should be used or not.
+Non-zero value indicates that ESP authentication should be used.
+The value is used when the kernel creates proposal payload
+on ACQUIRE PF_KEY message.
+.It Li ah_keymin
+Minimum AH key length, in bits,
+The value is used when the kernel creates proposal payload
+on ACQUIRE PF_KEY message.
+.It Li allow_different_idtype
+A boolean that allow or disallow different identifier types
+on IDii and IDir.
+Allowing that can improve interconnectivity to some VPN appliances.
+.El
+.It Li net.local ( Dv PF_LOCAL )
+Get or set various global information about
+.Dv AF_LOCAL
+type sockets.
+For some variables, the third level name is the variable name:
+.Bl -column "Variable" "integer" "Changeable" -offset indent
+.It Sy Variable	Type Ta Sy Changeable
+.It inflight	integer	no
+.It deferred	integer	no
+.El
+The variables are as follows:
+.Bl -tag -width "123456"
+.It Li inflight
+The number of file descriptors currently passed between processes,
+.Qq in flight .
+.It Li deferred
+The number of file descriptors passed between processes that have been
+deferred for cleanup by a kernel task.
+.El
+.Pp
+Other variables are specific to a socket type:
+.Bl -column "seqpacket" "sendspace" "integer" "Changeable" -offset indent
+.It Sy "Socket Type"  	Sy Variable	Type Ta Sy Changeable
+.It dgram	pcblist	struct	no
+.It dgram	recvspace	integer	yes
+.It dgram	sendspace	integer	yes
+.It seqpacket	pcblist	struct	no
+.It stream	pcblist	struct	no
+.It stream	recvspace	integer	yes
+.It stream	sendspace	integer	yes
+.El
+The variables are as follows:
+.Bl -tag -width "123456"
+.It Li dgram.pcblist
+The Protocol Control Block list structure for datagram sockets.
+Parsed by
+.Xr netstat 1
+or
+.Xr sockstat 1 .
+.It Li dgram.recvspace
+The default datagram receive buffer size.
+.It Li dgram.sendspace
+The default datagram send buffer size.
+.It Li seqpacket.pcblist
+The Protocol Control Block list structure for Sequential Packet sockets.
+Parsed by
+.Xr netstat 1
+or
+.Xr sockstat 1 .
+.It Li stream.pcblist
+The Protocol Control Block list structure for stream sockets.
+Parsed by
+.Xr netstat 1
+or
+.Xr sockstat 1 .
+.It Li stream.recvspace
+The default stream receive buffer size.
+.It Li stream.sendspace
+The default stream send buffer size.
+.El
+.El
+.Ss The proc.* subtree
+The string and integer information available for the
+.Li proc
+level is detailed below.
+The changeable column shows whether a process with appropriate
+privilege may change the value.
+These values are per-process,
+and as such may change from one process to another.
+When a process is created,
+the default values are inherited from its parent.
+When a set-user-ID or set-group-ID binary is executed, the
+value of PROC_PID_CORENAME is reset to the system default value.
+The second level name is either the magic value PROC_CURPROC, which
+points to the current process, or the PID of the target process.
+.Bl -column "proc.pid.corename" "string" "not applicable" -offset indent
+.It Sy Third level name Ta Sy Type Ta Sy Changeable
+.It proc.pid.corename	string	yes
+.It proc.pid.rlimit	node	not applicable
+.It proc.pid.stopfork	int	yes
+.It proc.pid.stopexec	int	yes
+.It proc.pid.stopexit	int	yes
+.It proc.pid.paxflags	int	no
+.El
+.Bl -tag -width "123456"
+.It Li proc.pid.corename ( Dv PROC_PID_CORENAME )
+The template used for the core dump file name (see
+.Xr core 5
+for details).
+The base name must either be
+.Pa core
+or end with the suffix
+.Pa .core
+(the super-user may set arbitrary names).
+By default it points to
+.Dv KERN_DEFCORENAME .
+.It Li proc.pid.rlimit ( Dv PROC_PID_LIMIT )
+Return resources limits, as defined for the
+.Xr getrlimit 2
+and
+.Xr setrlimit 2
+system calls.
+The fourth level name is one of:
+.Bl -tag -width "123456"
+.It Li proc.pid.rlimit.cputime ( Dv PROC_PID_LIMIT_CPU )
+The maximum amount of CPU time (in seconds) to be used by each process.
+.It Li proc.pid.rlimit.filesize ( Dv PROC_PID_LIMIT_FSIZE )
+The largest size (in bytes) file that may be created.
+.It Li proc.pid.rlimit.datasize ( Dv PROC_PID_LIMIT_DATA )
+The maximum size (in bytes) of the data segment for a process;
+this defines how far a program may extend its break with the
+.Xr sbrk 2
+system call.
+.It Li proc.pid.rlimit.stacksize ( Dv PROC_PID_LIMIT_STACK )
+The maximum size (in bytes) of the stack segment for a process;
+this defines how far a program's stack segment may be extended.
+Stack extension is performed automatically by the system.
+.It Li proc.pid.rlimit.coredumpsize ( Dv PROC_PID_LIMIT_CORE )
+The largest size (in bytes)
+.Pa core
+file that may be created.
+.It Li proc.pid.rlimit.memoryuse ( Dv PROC_PID_LIMIT_RSS )
+The maximum size (in bytes) to which a process's resident set size may
+grow.
+This imposes a limit on the amount of physical memory to be given to
+a process; if memory is tight, the system will prefer to take memory
+from processes that are exceeding their declared resident set size.
+.It Li proc.pid.rlimit.memorylocked ( Dv PROC_PID_LIMIT_MEMLOCK )
+The maximum size (in bytes) which a process may lock into memory
+using the
+.Xr mlock 2
+function.
+.It Li proc.pid.rlimit.maxproc ( Dv PROC_PID_LIMIT_NPROC )
+The maximum number of simultaneous processes for this user id.
+.It Li proc.pid.rlimit.descriptors ( Dv PROC_PID_LIMIT_NOFILE )
+The maximum number of open files for this process.
+.It Li proc.pid.rlimit.sbsize ( Dv PROC_PID_LIMIT_SBSIZE )
+The maximum size (in bytes) of the socket buffers
+set by the
+.Xr setsockopt 2
+.Dv SO_RCVBUF
+and
+.Dv SO_SNDBUF
+options.
+.It Li proc.pid.rlimit.vmemoryuse ( Dv PROC_PID_LIMIT_AS )
+The maximum size (in bytes) which a process can obtain.
+.It Li proc.pid.rlimit.maxlwp ( Dv PROC_PID_LIMIT_NTHR )
+The maximum number of threads that cen be created and running at one time in
+the process.
+The first thread of each process is not counted against this.
+.El
+.Pp
+The fifth level name is one of
+.Li soft ( Dv PROC_PID_LIMIT_TYPE_SOFT )
+or
+.Li hard ( Dv PROC_PID_LIMIT_TYPE_HARD ) ,
+to select respectively the soft or hard limit.
+Both are of type integer.
+.It Li proc.pid.stopfork ( Dv PROC_PID_STOPFORK )
+If non zero, the process' children will be stopped after
+.Xr fork 2
+calls.
+The children are created in the SSTOP state and are never scheduled
+for running before being stopped.
+This feature enables attaching to a process with a debugger such as
+.Xr gdb 1
+before the process has the opportunity to actually do anything.
+.Pp
+This value is inherited by the process's children, and it also
+applies to emulation specific system calls that fork a new process, such as
+.Fn sproc
+or
+.Fn clone .
+.It Li proc.pid.stopexec ( Dv PROC_PID_STOPEXEC )
+If non zero, the process will be stopped on the next
+.Xr exec 3
+call.
+The process created by
+.Xr exec 3
+is created in the SSTOP state and is never scheduled for running
+before being stopped.
+This feature enables attaching to a process with a debugger such as
+.Xr gdb 1
+before the process has the opportunity to actually do anything.
+.Pp
+This value is inherited by the process's children.
+.It Li proc.pid.stopexit ( Dv PROC_PID_STOPEXIT )
+If non zero, the process will be stopped when it has cause to exit,
+either by way of calling
+.Xr exit 3 ,
+.Xr _exit 2 ,
+or by the receipt of a specific signal.
+The process is stopped before any of its resources or vm space is
+released allowing examination of the termination state of the process
+before it disappears.
+This feature can be used to examine the final conditions of the
+process's vmspace via
+.Xr pmap 1
+or its resource settings with
+.Xr sysctl 8
+before it disappears.
+.Pp
+This value is also inherited by the process's children.
+.It Li proc.pid.paxflags ( Dv PROC_PID_PAXFLAGS )
+This read-only variable returns the current value of the process's pax
+flags (see
+.Xr paxctl 8 ) .
+.El
+.Ss The user.* subtree ( Dv CTL_USER )
+The string and integer information available for the
+.Li user
+level is detailed below.
+The changeable column shows whether a process with appropriate
+privilege may change the value.
+.Bl -column "user.coll_weights_max" "integer" "Changeable" -offset indent
+.It Sy Second level name Ta Sy Type Ta Sy Changeable
+.It user.atexit_max	integer	no
+.It user.bc_base_max	integer	no
+.It user.bc_dim_max	integer	no
+.It user.bc_scale_max	integer	no
+.It user.bc_string_max	integer	no
+.It user.coll_weights_max	integer	no
+.It user.cs_path	string	no
+.It user.expr_nest_max	integer	no
+.It user.line_max	integer	no
+.It user.posix2_c_bind	integer	no
+.It user.posix2_c_dev	integer	no
+.It user.posix2_char_term	integer	no
+.It user.posix2_fort_dev	integer	no
+.It user.posix2_fort_run	integer	no
+.It user.posix2_localedef	integer	no
+.It user.posix2_sw_dev	integer	no
+.It user.posix2_upe	integer	no
+.It user.posix2_version	integer	no
+.It user.re_dup_max	integer	no
+.It user.stream_max	integer	no
+.It user.stream_max	integer	no
+.It user.tzname_max	integer	no
+.El
+.Bl -tag -width "123456"
+.It Li user.atexit_max ( Dv USER_ATEXIT_MAX )
+The maximum number of functions that may be registered with
+.Xr atexit 3 .
+.It Li user.bc_base_max ( Dv USER_BC_BASE_MAX )
+The maximum ibase/obase values in the
+.Xr bc 1
+utility.
+.It Li user.bc_dim_max ( Dv USER_BC_DIM_MAX )
+The maximum array size in the
+.Xr bc 1
+utility.
+.It Li user.bc_scale_max ( Dv USER_BC_SCALE_MAX )
+The maximum scale value in the
+.Xr bc 1
+utility.
+.It Li user.bc_string_max ( Dv USER_BC_STRING_MAX )
+The maximum string length in the
+.Xr bc 1
+utility.
+.It Li user.coll_weights_max ( Dv USER_COLL_WEIGHTS_MAX )
+The maximum number of weights that can be assigned to any entry of
+the LC_COLLATE order keyword in the locale definition file.
+.It Li user.cs_path ( USER_CS_PATH )
+Return a value for the
+.Ev PATH
+environment variable that finds all the standard utilities.
+.It Li user.expr_nest_max ( Dv USER_EXPR_NEST_MAX )
+The maximum number of expressions that can be nested within
+parenthesis by the
+.Xr expr 1
+utility.
+.It Li user.line_max ( Dv USER_LINE_MAX )
+The maximum length in bytes of a text-processing utility's input
+line.
+.It Li user.posix2_char_term ( Dv USER_POSIX2_CHAR_TERM )
+Return 1 if the system supports at least one terminal type capable of
+all operations described in
+.St -p1003.2 ,
+otherwise\ 0.
+.It Li user.posix2_c_bind ( Dv USER_POSIX2_C_BIND )
+Return 1 if the system's C-language development facilities support the
+C-Language Bindings Option, otherwise\ 0.
+.It Li user.posix2_c_dev ( Dv USER_POSIX2_C_DEV )
+Return 1 if the system supports the C-Language Development Utilities Option,
+otherwise\ 0.
+.It Li user.posix2_fort_dev ( Dv USER_POSIX2_FORT_DEV )
+Return 1 if the system supports the FORTRAN Development Utilities Option,
+otherwise\ 0.
+.It Li user.posix2_fort_run ( Dv USER_POSIX2_FORT_RUN )
+Return 1 if the system supports the FORTRAN Runtime Utilities Option,
+otherwise\ 0.
+.It Li user.posix2_localedef ( Dv USER_POSIX2_LOCALEDEF )
+Return 1 if the system supports the creation of locales, otherwise\ 0.
+.It Li user.posix2_sw_dev ( Dv USER_POSIX2_SW_DEV )
+Return 1 if the system supports the Software Development Utilities Option,
+otherwise\ 0.
+.It Li user.posix2_upe ( Dv USER_POSIX2_UPE )
+Return 1 if the system supports the User Portability Utilities Option,
+otherwise\ 0.
+.It Li user.posix2_version ( Dv USER_POSIX2_VERSION )
+The version of
+.St -p1003.2
+with which the system attempts to comply.
+.It Li user.re_dup_max ( Dv USER_RE_DUP_MAX )
+The maximum number of repeated occurrences of a regular expression
+permitted when using interval notation.
+.It Li user.stream_max ( Dv USER_STREAM_MAX )
+The minimum maximum number of streams that a process may have open
+at any one time.
+.It Li user.tzname_max ( Dv USER_TZNAME_MAX )
+The minimum maximum number of types supported for the name of a
+timezone.
+.El
+.Ss The vm.* subtree ( Dv CTL_VM )
+The string and integer information available for the
+.Li vm
+level is detailed below.
+The changeable column shows whether a process with appropriate
+privilege may change the value.
+.Bl -column "Second level name" "struct uvmexp_sysctl" "Changeable" -offset indent
+.It Sy Second level name Ta Sy Type Ta Sy Changeable
+.It vm.anonmax	int	yes
+.It vm.anonmin	int	yes
+.It vm.bufcache	int	yes
+.It vm.bufmem	int	no
+.It vm.bufmem_hiwater	int	yes
+.It vm.bufmem_lowater	int	yes
+.It vm.execmax	int	yes
+.It vm.execmin	int	yes
+.It vm.filemax	int	yes
+.It vm.filemin	int	yes
+.It vm.loadavg	struct loadavg	no
+.It vm.maxslp	int	no
+.It vm.nkmempages	int	no
+.It vm.uspace	int	no
+.It vm.uvmexp	struct uvmexp	no
+.It vm.uvmexp2	struct uvmexp_sysctl	no
+.It vm.vmmeter	struct vmtotal	no
+.It vm.proc.map	struct kinfo_vmentry	no
+.It vm.guard_size	unsigned int	no
+.It vm.thread_guard_size	unsigned int	yes
+.It vm.swap_encrypt	bool	yes
+.El
+.Bl -tag -width "123456"
+.It Li vm.anonmax ( Dv VM_ANONMAX )
+The percentage of physical memory which will be reclaimed
+from other types of memory usage to store anonymous application data.
+.It Li vm.anonmin ( Dv VM_ANONMIN )
+The percentage of physical memory which will be always be available for
+anonymous application data.
+.It Li vm.bufcache ( Dv VM_BUFCACHE )
+The percentage of physical memory which will be available
+for the buffer cache.
+.It Li vm.bufmem ( Dv VM_BUFMEM )
+The amount of kernel memory that is being used by the buffer cache.
+.It Li vm.bufmem_lowater ( Dv VM_BUFMEM_LOWATER )
+The minimum amount of kernel memory to reserve for the
+buffer cache.
+.It Li vm.bufmem_hiwater ( Dv VM_BUFMEM_HIWATER )
+The maximum amount of kernel memory to be used for the
+buffer cache.
+.It Li vm.execmax ( Dv VM_EXECMAX )
+The percentage of physical memory which will be reclaimed
+from other types of memory usage to store cached executable data.
+.It Li vm.execmin ( Dv VM_EXECMIN )
+The percentage of physical memory which will be always be available for
+cached executable data.
+.It Li vm.filemax ( Dv VM_FILEMAX )
+The percentage of physical memory which will be reclaimed
+from other types of memory usage to store cached file data.
+.It Li vm.filemin ( Dv VM_FILEMIN )
+The percentage of physical memory which will be always be available for
+cached file data.
+.It Li vm.loadavg ( Dv VM_LOADAVG )
+Return the load average history.
+The returned data consists of a
+.Vt struct loadavg .
+.It Li vm.maxslp ( Dv VM_MAXSLP )
+The value of the maxslp kernel global variable.
+.It Li vm.vmmeter ( Dv VM_METER )
+Return system wide virtual memory statistics.
+The returned data consists of a
+.Vt struct vmtotal .
+.It vm.user_va0_disable
+A flag which controls whether user processes can map virtual address\ 0.
+.It Li vm.proc.map ( Dv VM_PROC )
+The third level is
+.Dv VM_PROC_MAP ,
+the fourth is the pid of the process to display the vm object entries for, and
+the fifth is the size of
+.Vt struct kinfo_vmentry .
+Returns an array of
+.Vt struct kinfo_vmentry
+objects.
+.It Li vm.ubc_direct Bq Sy "EXPERIMENTAL" Ns No , default off
+Use direct map for UBC I/O, avoiding need to map and unmap buffer memory.
+Speeds up operation for fast I/O devices like NVMe, especially
+on multi-CPU systems.
+Only available on some architectures.
+.It Li vm.uspace ( Dv VM_USPACE )
+The number of bytes allocated for each kernel stack.
+.It Li vm.uvmexp ( Dv VM_UVMEXP )
+Return system wide virtual memory statistics.
+The returned data consists of a
+.Vt struct uvmexp .
+.It Li vm.uvmexp2 ( Dv VM_UVMEXP2 )
+Return system wide virtual memory statistics.
+The returned data consists of a
+.Vt struct uvmexp_sysctl .
+.It Li vm.guard_size ( Dv VM_GUARD_SIZE )
+Return system wide guard size for the main thread of a program.
+.It Li vm.thread_guard_size ( Dv VM_THREAD_GUARD_SIZE )
+Return system wide default size for the guard area of all other threads
+of a program.
+.It Li vm.swap_encrypt
+If true, encrypt data while swapped out to disk.
+.Pp
+Each swap device maintains an independent AES-256 key, generated when
+the first page is swapped to that device.
+Each page is swapped independently using AES-CBC, with an
+initialization vector chosen by the encryption under the AES-256 key of
+the little-endian swap slot number padded to 128 bits with zeros.
+(This is essentially the
+.Xr cgd 4
+.Sq encblkno1
+method.)
+.Pp
+Changes to
+.Li vm.swap_encrypt
+only affect pages of swap newly written out.
+To force encrypting or decrypting all existing swap, or to rekey
+previously encrypted swap, you can remove the swap devices and re-add
+them with
+.Xr swapctl 8 ,
+with the caveat that whatever pages were already written to disk
+unencrypted or encrypted with a compromised key may still be written to
+disk afterward.
+.El
+.Ss The ddb.* subtree ( Dv CTL_DDB )
+The information available for the
+.Li ddb
+level is detailed below.
+The changeable column shows whether a process with appropriate
+privilege may change the value.
+.Bl -column "Second level name" "integer" "Changeable" -offset indent
+.It Sy Second level name Ta Sy Type Ta Sy Changeable
+.It ddb.commandonenter	string	yes
+.It ddb.dumpstack 	integer	yes
+.It ddb.fromconsole	integer	yes
+.It ddb.lines	integer	yes
+.It ddb.maxoff	integer	yes
+.It ddb.maxwidth	integer	yes
+.It ddb.onpanic	integer	yes
+.It ddb.panicstackframes	integer	yes
+.It ddb.radix	integer	yes
+.It ddb.tabstops	integer	yes
+.It ddb.tee_msgbuf	integer	yes
+.El
+.Bl -tag -width "123456"
+.It Li ddb.commandonenter
+If not empty, the string is used as the DDB command to be executed each time
+DDB is entered.
+.It Li ddb.dumpstack
+A value of 1 causes a stack trace to be printed on entering ddb from a panic.
+A value of 0 disables this behaviour.
+The default value is 1.
+.It Li ddb.fromconsole ( Dv DDBCTL_FROMCONSOLE )
+If not zero, DDB may be entered by sending a break on a serial
+console or by a special key sequence on a graphics console.
+.It Li ddb.lines ( Dv DDBCTL_LINES )
+Number of display lines.
+.It Li ddb.maxoff ( Dv DDBCTL_MAXOFF )
+The maximum symbol offset.
+.It Li ddb.maxwidth ( Dv DDBCTL_MAXWIDTH )
+The maximum output line width.
+.It Li ddb.onpanic ( Dv DDBCTL_ONPANIC )
+If greater than zero, DDB will be entered if the kernel panics.
+A value of 1 causes the system to enter DDB on panic.
+A value of 0 causes the kernel to attempt to print a stack trace, then
+reboot, while a value of \-1 means neither a stack trace will be printed
+nor DDB entered.
+.It Li ddb.panicstackframes
+Number of stack frames to display on panic.
+Useful to avoid scrolling away the interesting frames on a glass tty.
+Default value is
+.Dv 65535
+(all frames), useful value around
+.Dv 10 .
+.It Li ddb.radix ( Dv DDBCTL_RADIX )
+The input and output radix.
+.It Li ddb.tabstops ( Dv DDBCTL_TABSTOPS )
+Tab width.
+.It Li ddb.tee_msgbuf
+If not zero, DDB will output also to the kernel message buffer.
+.El
+.Pp
+Some of these MIB
+nodes are also available as variables from within the debugger.
+See
+.Xr ddb 4
+for more details.
+.Ss The security.* subtree ( Dv CTL_SECURITY )
+The
+.Li security
+level contains various security-related settings for
+the system.
+The available second level names are:
+.Bl -column "Second level name" "integer" "Changeable" -offset indent
+.It Sy Second level name Ta Sy Type Ta Sy Changeable
+.It Li security.curtain	integer	yes
+.It Li security.models	node	not applicable
+.It Li security.pax	node	not applicable
+.El
+.Pp
+Available settings are detailed below.
+.Bl -tag -width "123456"
+.It Li security.curtain
+If non-zero, will filter return objects according to the user ID
+requesting information about them, preventing users from
+accessing any objects they do not own.
+.Pp
+At the moment, it affects
+.Xr ps 1 ,
+.Xr netstat 1
+(for
+.Dv PF_INET ,
+.Dv PF_INET6 ,
+and
+.Dv PF_UNIX
+PCBs), and
+.Xr w 1 .
+.It Li security.models
+.Nx
+supports pluggable security models.
+Every security model used, whether if loaded as a module or built with the system,
+is required to add an entry to this node with at least one element,
+.Dq name ,
+indicating the name of the security model.
+.Pp
+In addition to the name, any settings and other information private to the
+security model will be available under this node.
+See
+.Xr secmodel 9
+for more information.
+.It Li security.pax
+Settings for PaX \(em exploit mitigation features.
+For more information on any of the PaX features, please see
+.Xr paxctl 8
+and
+.Xr security 7 .
+The available third and fourth level names are:
+.Bl -column "security.pax.segvguard.suspend_timeout" "integer" "Changeable" \
+-offset 2n
+.It Sy Third and fourth level names Ta Sy Type Ta Sy Changeable
+.It Li security.pax.aslr.enabled	integer	yes
+.\".It Li security.pax.aslr.exec_len	integer	yes
+.It Li security.pax.aslr.global	integer	yes
+.\".It Li security.pax.aslr.mmap_len	integer	yes
+.\".It Li security.pax.aslr.stack_len	integer	yes
+.It Li security.pax.mprotect.enabled	integer	yes
+.It Li security.pax.mprotect.global	integer	yes
+.It Li security.pax.mprotect.ptrace	integer	yes
+.It Li security.pax.segvguard.enabled	integer	yes
+.It Li security.pax.segvguard.expiry_timeout	integer	yes
+.It Li security.pax.segvguard.global	integer	yes
+.It Li security.pax.segvguard.max_crashes	integer	yes
+.It Li security.pax.segvguard.suspend_timeout	integer	yes
+.El
+.Bl -tag -width "123456"
+.It Li security.pax.aslr.enabled
+Enable PaX ASLR (Address Space Layout Randomization).
+.Pp
+The value of this
+knob must be non-zero for PaX ASLR to be enabled, even if a program is set to
+explicit enable.
+.\".It Li security.pax.aslr.exec_len
+.\" XXX: Undocumented.
+.It Li security.pax.aslr.global
+Specifies the default global policy for programs without an
+explicit enable/disable flag.
+.Pp
+When non-zero, all programs will get PaX ASLR, except those exempted with
+.Xr paxctl 8 .
+Otherwise, all programs will not get PaX ASLR, except those specifically
+marked as such with
+.Xr paxctl 8 .
+.\".It Li security.pax.aslr.mmap_len
+.\" XXX: Undocumented.
+.\" .It Li security.pax.aslr.stack_len
+.\" XXX: Undocumented.
+.It Li security.pax.mprotect.enabled
+Enable PaX MPROTECT restrictions.
+.Pp
+These are
+.Xr mprotect 2
+restrictions to better enforce a W^X policy.
+The value of this
+knob must be non-zero for PaX MPROTECT to be enabled, even if a
+program is set to explicit enable.
+.It Li security.pax.mprotect.global
+Specifies the default global policy for programs without an
+explicit enable/disable flag.
+.Pp
+When non-zero, all programs will get the PaX MPROTECT restrictions,
+except those exempted with
+.Xr paxctl 8 .
+Otherwise, all programs will not get the PaX MPROTECT restrictions,
+except those specifically marked as such with
+.Xr paxctl 8 .
+.It Li security.pax.mprotect.ptrace
+This variable allows
+.Xr ptrace 2
+to override PaX MPROTECT permissions.
+It can have the following values:
+.Bl -tag -width XX -compact
+.It 0
+Does not let override any permissions.
+.It 1
+Disables PaX MPROTECT from processes that start executing while traced (default).
+.It 2
+Bypasses PaX MPROTECT for all processes being traced.
+.El
+.It Li security.pax.segvguard.enabled
+Enable PaX Segvguard.
+.Pp
+PaX Segvguard can detect and prevent certain exploitation attempts, where
+an attacker may try for example to brute-force function return addresses
+of respawning daemons.
+.Pp
+.Em Note :
+The
+.Nx
+interface and implementation of the Segvguard is still experimental, and may
+change in future releases.
+.It Li security.pax.segvguard.expiry_timeout
+If the max number was not reached within this timeout (in seconds), the entry
+will expire.
+.It Li security.pax.segvguard.global
+Specifies the default global policy for programs without an
+explicit enable/disable flag.
+.Pp
+When non-zero, all programs will get the PaX Segvguard,
+except those exempted with
+.Xr paxctl 8 .
+Otherwise, no program will get the PaX Segvguard restrictions,
+except those specifically marked as such with
+.Xr paxctl 8 .
+.It Li security.pax.segvguard.max_crashes
+The maximum number of segfaults a program can receive before suspension.
+.It Li security.pax.segvguard.suspend_timeout
+Number of seconds to suspend a user from running a faulting program when the
+limit was exceeded.
+.El
+.El
+.Ss The vendor.* subtree ( Dv CTL_VENDOR )
+The
+.Li vendor
+toplevel name is reserved to be used by vendors who wish to
+have their own private MIB tree.
+Intended use is to store values under
+.Dq vendor.<yourname>.* .
+.Sh SEE ALSO
+.Xr sysctl 3 ,
+.Xr ipsec 4 ,
+.Xr tcp 4 ,
+.Xr security 7 ,
+.Xr sysctl 8
+.Sh HISTORY
+The
+.Nm
+variables first appeared in
+.Bx 4.4 .
diff --git a/static/netbsd/man7/tests.atf.7 b/static/netbsd/man7/tests.atf.7
new file mode 100644
index 00000000..ffa50b3a
--- /dev/null
+++ b/static/netbsd/man7/tests.atf.7
@@ -0,0 +1,236 @@
+.\"	$NetBSD: tests.atf.7,v 1.8 2023/08/27 15:17:50 rillig Exp $
+.\"
+.\" Copyright (c) 2010 The NetBSD Foundation, Inc.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND
+.\" CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+.\" INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS BE LIABLE FOR ANY
+.\" DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
+.\" GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
+.\" IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+.\" OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+.\" IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd July 29, 2015
+.Dt TESTS 7
+.Os
+.Sh NAME
+.Nm tests
+.Nd introduction to the NetBSD test suite
+.Sh DESCRIPTION
+The
+.Nx
+test suite provides a collection of automated tests for two major purposes.
+On the one hand, the test suite aids
+.Em developers
+in catching bugs and regressions in the code
+when they are performing modifications to the source tree.
+On the other hand, the test suite allows
+.Em end users
+(and, in particular, system administrators) to verify that fresh installations
+of the
+.Nx
+operating system behave correctly in their hardware platform and also to ensure
+that the system does not suffer from regressions during regular system
+operation and maintenance.
+.Pp
+The
+.Nx
+tests are implemented using the
+.Em Automated Testing Framework (ATF) ,
+a third-party package shipped with
+.Nx ;
+see
+.Xr atf 7
+for details.
+The
+.Nx
+test suite is distributed as a separate installation set, named
+.Pa tests.tgz ,
+and the test programs are all installed under the
+.Pa /usr/tests
+hierarchy.
+.Pp
+This manual page describes how to execute the test suite and how to configure
+some of its optional features.
+.Ss When to run the tests?
+Before diving into the details of how to run the test suite, here are some
+scenarios in which you should be running them:
+.Bl -bullet -offset indent
+.It
+After a fresh installation of
+.Nx
+to ensure that the system works correctly on your hardware platform.
+.It
+After an upgrade of
+.Nx
+to a different version to ensure that the new code works well on your
+hardware platform and that the upgrade did not introduce regressions in your
+configuration.
+.It
+After performing changes to the source tree to catch any bugs and/or regressions
+introduced by the modifications.
+.It
+Periodically, maybe from a
+.Xr cron 8
+job, to ensure that any changes to the system (such as the installation of
+third-party packages or manual modifications to configuration files) do not
+introduce unexpected failures.
+.El
+.Ss Installing the tests
+If you chose to install the
+.Pa tests.tgz
+distribution set while setting up your
+.Nx
+system, the tests are already available in
+.Pa /usr/tests .
+Otherwise, install the set now by running:
+.Bd -literal -offset indent
+# cd /
+# tar xzpf /path/to/tests.tgz
+.Ed
+.Ss Running the tests
+Use the following commands to run the whole test suite:
+.Bd -literal -offset indent
+$ cd /usr/tests
+$ atf-run | atf-report
+.Ed
+.Pp
+The above will go through all test programs in
+.Pa /usr/tests
+recursively, execute them, and, at the very end, show a report of
+the results of the test suite.
+These results include the count of tests that succeeded (passed), the names of
+the tests that failed, and the count of the tests that were not executed
+(skipped) because the system configuration did not meet their requirements.
+.Pp
+If you are interested in saving the whole output of the test suite execution so
+that you can later investigate failures, use the following idiom instead:
+.Bd -literal -offset indent
+$ cd /usr/tests
+$ atf-run | tee ~/tests.log | atf-report
+.Ed
+.Pp
+The above command will save the raw output of the test suite in
+.Pa ~/tests.log ,
+which you can later inspect manually to look for failures.
+Note that the file contains a copy of the
+.Sq stdout
+and
+.Sq stderr
+of each test case, which becomes valuable during debugging.
+.Pp
+It is also possible to restrict which tests to execute so that only a small
+subsystem is tested; see
+.Xr atf-run 1
+for details.
+Additionally, it is also possible to run the test programs themselves by hand;
+see
+.Xr atf-test-program 1
+for more details, but be aware that you should only be doing this if you are
+debugging failing tests.
+.Ss Test environment considerations
+Tests can be invoked as an unprivileged user, in which case tests that
+require privileges will be skipped.
+If run as root, an unprivileged user will be used for tests that
+do not require privileges.
+For maximal coverage, the standard approach is to invoke tests as root.
+.Pp
+Ideally, tests are self-contained and do not either depend on or
+perturb the host environment, aside from skipping tests when optional
+facilities are not available.
+In reality, tests load and unload modules, and do other things that
+might cause problems.
+While it is not entirely safe to run tests on a multi-user system,
+permanent problems or crashes from doing so are viewed as bugs and
+should be reported.
+.Ss Configuring the tests
+Some test cases in the
+.Nx
+test suite require the administrator to manually set up some configuration
+properties before they can run.
+Unless these properties are defined, the tests that require them will be marked
+as skipped and thus they will not be really executed.
+.Pp
+Each test suite is configured through a separate file that lives under
+.Pa /etc/atf/
+and that carries the name of the test suite.
+Henceforth, to configure the properties that affect the execution of the
+.Nx
+test suite, you need to edit
+.Pa /etc/atf/NetBSD.conf .
+The suite-specific configuration file implicitly depends on
+.Pa /etc/atf/common.conf ,
+which contains properties shared among all test suites.
+These files conform to the configuration file format described in
+.Xr atf-formats 5 .
+.Pp
+The following configuration variables are available in the
+.Nx
+test suite:
+.Bl -tag -width "unprivileged-user"
+.It fstype
+When set to a filesystem type, restrict tests programs from the
+.Pa /usr/tests/fs/vfs/
+tree to only run test cases for the given type.
+.It unprivileged-user
+This variable allows setting an unprivileged user login name to be used by
+tests.
+Defaults to
+.Sq _tests .
+.El
+.Ss What to do if something fails?
+If there is
+.Em any failure
+during the execution of the test suite, please considering reporting it to the
+.Nx
+developers so that the failure can be analyzed and fixed.
+To do so, either send a message to the appropriate mailing list or file a
+problem report.
+For more details please refer to:
+.Bl -bullet -offset indent -compact
+.It
+.Lk https://www.netbsd.org/mailinglists/ "NetBSD mailing lists"
+.It
+.Lk https://www.netbsd.org/support/send-pr.html "NetBSD Problem Reports"
+.El
+.Sh FILES
+.Bl -tag -compact -width etcXatfXNetBSDXconfXX
+.It Pa /etc/atf/NetBSD.conf
+Configuration file for the
+.Nx
+test suite.
+.It Pa /etc/atf/common.conf
+Configuration file for all test suites.
+.It Pa /usr/tests/
+Location of the test suites.
+.El
+.Sh SEE ALSO
+.Xr atf 7
+.Sh HISTORY
+The
+.Nm
+manual page first appeared in
+.Nx 6.0 .
+.Pp
+The ATF testing framework was first distributed with
+.Nx 5.0
+and the collection of test programs in
+.Pa /usr/tests
+has been growing since then.
+.Sh AUTHORS
+.An Julio Merino Aq Mt jmmv@NetBSD.org
diff --git a/static/netbsd/man7/tests.kyua.7 b/static/netbsd/man7/tests.kyua.7
new file mode 100644
index 00000000..b608fa71
--- /dev/null
+++ b/static/netbsd/man7/tests.kyua.7
@@ -0,0 +1,248 @@
+.\"	$NetBSD: tests.kyua.7,v 1.8 2023/08/27 15:17:50 rillig Exp $
+.\"
+.\" Copyright (c) 2010 The NetBSD Foundation, Inc.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND
+.\" CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+.\" INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS BE LIABLE FOR ANY
+.\" DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
+.\" GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
+.\" IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+.\" OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+.\" IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd July 29, 2015
+.Dt TESTS 7
+.Os
+.Sh NAME
+.Nm tests
+.Nd introduction to the NetBSD test suite
+.Sh DESCRIPTION
+The
+.Nx
+test suite provides a collection of automated tests for two major purposes.
+On the one hand, the test suite aids
+.Em developers
+in catching bugs and regressions in the code
+when they are performing modifications to the source tree.
+On the other hand, the test suite allows
+.Em end users
+(and, in particular, system administrators) to verify that fresh installations
+of the
+.Nx
+operating system behave correctly in their hardware platform and also to ensure
+that the system does not suffer from regressions during regular system
+operation and maintenance.
+.Pp
+The
+.Nx
+test suite is distributed as a separate installation set, named
+.Pa tests.tgz ,
+and the test programs are all installed under the
+.Pa /usr/tests
+hierarchy.
+.Pp
+This manual page describes how to execute the test suite and how to configure
+some of its optional features.
+.Ss When to run the tests?
+Before diving into the details of how to run the test suite, here are some
+scenarios in which you should be running them:
+.Bl -bullet -offset indent
+.It
+After a fresh installation of
+.Nx
+to ensure that the system works correctly on your hardware platform.
+.It
+After an upgrade of
+.Nx
+to a different version to ensure that the new code works well on your
+hardware platform and that the upgrade did not introduce regressions in your
+configuration.
+.It
+After performing changes to the source tree to catch any bugs and/or regressions
+introduced by the modifications.
+.It
+Periodically, maybe from a
+.Xr cron 8
+job, to ensure that any changes to the system (such as the installation of
+third-party packages or manual modifications to configuration files) do not
+introduce unexpected failures.
+.El
+.Ss Installing the tests
+If you chose to install the
+.Pa tests.tgz
+distribution set while setting up your
+.Nx
+system, the tests are already available in
+.Pa /usr/tests .
+Otherwise, install the set now by running:
+.Bd -literal -offset indent
+# cd /
+# tar xzpf /path/to/tests.tgz
+.Ed
+.Ss Running the tests
+Use the following command to run the whole test suite:
+.Bd -literal -offset indent
+$ kyua test -k /usr/tests/Kyuafile
+.Ed
+.Pp
+The above will go through all test programs in
+.Pa /usr/tests
+recursively, execute them, store their results and debugging data in Kyua
+database (by default in
+.Pa ~/.kyua/store.db ) ,
+and print a summary of the results.
+This summary includes a brief count of all total tests run and how many of
+them failed.
+.Pp
+It is possible to restrict which tests to run by providing their names in
+the command line.
+For example, this would execute the tests for the
+.Xr cp 1
+and
+.Xr cut 1
+utilities:
+.Bd -literal -offset indent
+$ kyua test -k /usr/tests/Kyuafile bin/cp usr.bin/cut
+.Ed
+.Ss Obtaining reports of the tests execution
+Additional information of the results of the execution can be later extracted
+from the database by using the various reporting commands of Kyua.
+For example, the following would extract a plain-text report of the executed
+tests and show which ones failed:
+.Bd -literal -offset indent
+$ kyua report
+.Ed
+.Pp
+This other example would generate an HTML report ready to be published on a
+web server, possibly the built-in
+.Xr httpd 8 :
+.Bd -literal -offset indent
+$ kyua report-html --output ~/public_html/tests
+.Ed
+.Pp
+For further details on the command-line interface of Kyua, please refer
+to its manual page
+.Xr kyua 1 .
+.Ss Test environment considerations
+Tests can be invoked as an unprivileged user, in which case tests that
+require privileges will be skipped.
+If run as root, an unprivileged user will be used for tests that
+do not require privileges.
+For maximal coverage, the standard approach is to invoke tests as root.
+.Pp
+Ideally, tests are self-contained and do not either depend on or
+perturb the host environment, aside from skipping tests when optional
+facilities are not available.
+In reality, tests load and unload modules, and do other things that
+might cause problems.
+While it is not entirely safe to run tests on a multi-user system,
+permanent problems or crashes from doing so are viewed as bugs and
+should be reported.
+.Ss Configuring the tests
+Some test cases in the
+.Nx
+test suite require the administrator to manually set up some configuration
+properties before they can run.
+Unless these properties are defined, the tests that require them will be marked
+as skipped and thus they will not be really executed.
+.Pp
+Test suites are configured by defining the values to their configuration
+variables in
+.Pa /etc/kyua/kyua.conf .
+The format of this file is detailed in
+.Xr kyua.conf 5 .
+.Pp
+The following configuration variables are available in the
+.Nx
+test suite:
+.Bl -tag -width "fstype"
+.It fstype
+When set to a filesystem type, restrict tests programs from the
+.Pa /usr/tests/fs/vfs/ .
+.El
+.Ss What to do if something fails?
+If there is
+.Em any failure
+during the execution of the test suite, please considering reporting it to the
+.Nx
+developers so that the failure can be analyzed and fixed.
+To do so, either send a message to the appropriate mailing list or file a
+problem report.
+For more details please refer to:
+.Bl -bullet -offset indent -compact
+.It
+.Lk https://www.netbsd.org/mailinglists/ "NetBSD mailing lists"
+.It
+.Lk https://www.netbsd.org/support/send-pr.html "NetBSD Problem Reports"
+.El
+.Sh FILES
+.Bl -tag -compact -width etcXatfXNetBSDXconfXX
+.It Pa /etc/kyua/kyua.conf
+System-wide configuration file for
+.Xr kyua 1 .
+.It Pa ~/.kyua/kyua.conf
+User-specific configuration file for
+.Xr kyua 1 ;
+overrides the system file.
+.It Pa ~/.kyua/store.db
+Default database used by Kyua to maintain the data of the executed tests.
+.It Pa /usr/tests/
+Location of the
+.Nx
+test suite.
+.It Pa /usr/tests/Kyuafile
+Top-level test suite definition file.
+.El
+.Sh SEE ALSO
+.Xr kyua 1 ,
+.Xr kyua-report 1 ,
+.Xr kyua-test 1
+.Sh HISTORY
+The collection of test programs in
+.Pa /usr/tests
+first appeared in
+.Nx 5.0
+and has been growing since then.
+.Pp
+The
+.Nm
+manual page first appeared in
+.Nx 6.0
+and was updated in
+.Nx 7.0
+to describe the execution of the tests with Kyua rather than with ATF.
+.Pp
+The ATF testing framework was first distributed with
+.Nx 5.0
+and the runtime tools of this framework are being phased out in
+.Nx 7.0 .
+Note that the
+.Em libraries
+that ship with ATF are still in active use and are not deprecated.
+.Pp
+The Kyua testing toolkit was first distributed with
+.Nx 7.0 .
+The
+.Xr atf-run 1
+and
+.Xr atf-report 1
+tools were replaced as part of this import to be backwards-compatibility
+wrappers around
+.Xr kyua 1 .
+.Sh AUTHORS
+.An Julio Merino Aq Mt jmmv@NetBSD.org
diff --git a/static/netbsd/man7/users.7 b/static/netbsd/man7/users.7
new file mode 100644
index 00000000..345a5ed6
--- /dev/null
+++ b/static/netbsd/man7/users.7
@@ -0,0 +1,206 @@
+.\"	$NetBSD: users.7,v 1.5 2020/04/02 20:57:20 roy Exp $
+.\"
+.\" Copyright (c) 2020 The NetBSD Foundation, Inc.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd April 2, 2020
+.Dt USERS 7
+.Os
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.Sh NAME
+.Nm users
+.Nd standard user account names
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.Sh DESCRIPTION
+A standard
+.Nx
+installation has the following user account names:
+.\" These are currently sorted by uid; perhaps they should be sorted
+.\" lexicographically by name instead.
+.Bl -tag -width ".Em _tcpdump"
+.It Em root
+The super-user, uid 0, with the highest administrative privileges.
+Normally not used for login directly, only via
+.Xr su 1
+or equivalent by users in the
+.Em wheel
+group; see
+.Xr groups 7 .
+.Pp
+Secondary groups:
+.Em guest ,
+.Em kmem ,
+.Em nvmm ,
+.Em operator ,
+.Em staff ,
+.Em sys ,
+.Em tty .
+.It Em toor
+Like
+.Em root ,
+this is the super-user with uid 0, but with no secondary group
+memberships.
+.Pp
+Historically,
+.Em root
+had a login shell of
+.Pa /bin/csh
+while
+.Em toor
+had a login shell of
+.Pa /bin/sh .
+However, today both default to
+.Pa /bin/sh .
+This user account name is not used for anything in
+.Nx ;
+it is purely a convenience for actual users.
+.\" Maybe we should just remove this.
+.It Em daemon
+Historic user for general daemonic activity.
+.Pp
+Owner of
+.Pa /var/msgs ;
+see
+.Xr msgs 1 .
+Used only by
+.Xr rpcbind 8 ,
+with the
+.Fl s
+flag.
+.It Em operator
+Historic user.
+Unused in modern
+.Nx .
+.It Em bin
+Historic user.
+Unused in modern
+.Nx .
+.It Em games
+Owner of high-score files and other shared files for games.
+.It Em postfix
+Pseudo-user for use by the
+.Xr postfix 1
+mail transfer agent.
+.It Em named
+Pseudo-user for use by the
+.Xr named 8
+DNS nameserver daemon.
+.It Em ntpd
+Pseudo-user for use by the
+.Xr ntpd 8
+network time protocol daemon.
+.It Em sshd
+Pseudo-user for use by the
+.Xr sshd 8
+secure shell daemon.
+.It Em _pflogd
+Pseudo-user for use by the
+.Xr pflogd 8
+log daemon with the
+.Xr pf 4
+packet filter.
+.It Em _rwhod
+Pseudo-user for use by the
+.Xr rwhod 8
+system status daemon.
+.It Em _proxy
+Pseudo-user for use by the
+.Xr ftp-proxy 8
+and
+.Xr tftp-proxy 8
+proxy daemons with packet filters such as
+.Xr pf 4
+or
+.Xr ipnat 4 .
+.It Em _timedc
+Pseudo-user for use by the
+.Xr timedc 8
+tool to communicate with the
+.Xr timed 8
+time server daemon.
+.It Em _sdpd
+Pseudo-user for use by the
+.Xr sdpd 8
+Bluetooth service discovery protocol daemon.
+.It Em _httpd
+Pseudo-user for use by the
+.Xr httpd 8 Pq bozohttpd
+web server.
+.It Em _mdnsd
+Pseudo-user for use by the
+.Xr mdnsd 8
+multicast DNS and DNS service discovery daemon.
+.It Em _tests
+Pseudo-user for use by
+.Xr atf 7
+automatic tests that request to run unprivileged.
+Default value for the
+.Sq unprivileged-user
+configuration variable; see
+.Xr tests 7 .
+.It Em _tcpdump
+Pseudo-user for use by the
+.Xr tcpdump 8
+network traffic dumper and analyzer.
+.It Em _tss
+Pseudo-user for use by the
+.Xr tcsd 8
+.Sq Trusted Computing
+daemon TPM to manage a TPM.
+.It Em _dhcpcd
+Pseudo-user for use by the
+.Xr dhcpcd 8
+DHCP Client Daemon.
+.It Em _rtadvd
+Pseudo-user for use by the
+.Xr rtadvd 8
+IPv6 network router advertisement daemon.
+.It Em _unbound
+Pseudo-user for the
+.Xr unbound 8
+recursive DNS resolver.
+.It Em _nsd
+Pseudo-user for the
+.Xr nsd 8
+authoritative DNS nameserver.
+.It Em uucp
+Pseudo-user for use by historic UUCP software, available now in
+.Xr pkgsrc 7 .
+.It Em nobody
+Traditional pseudo-user used for dropping privileges.
+Modern practice is to assign to each different daemon its own separate
+pseudo-user account and group so that if one daemon is compromised it
+does not compromise all the other daemons.
+.El
+.Pp
+All new standard
+.Nx
+pseudo-user account names should begin with an underscore
+.Sq "_"
+to distinguish them from accounts that real users might add, and should
+have a primary group of the same name; real users should accordingly
+avoid such account names.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.Sh SEE ALSO
+.Xr groups 7