diff options
| author | Jacob McDonnell <jacob@jacobmcdonnell.com> | 2026-04-25 19:54:44 -0400 |
|---|---|---|
| committer | Jacob McDonnell <jacob@jacobmcdonnell.com> | 2026-04-25 19:54:44 -0400 |
| commit | a9157ce950dfe2fc30795d43b9d79b9d1bffc48b (patch) | |
| tree | 9df484304b560466d145e662c1c254ff0e9ae0ba /static/openbsd/man5 | |
| parent | 160aa82b2d39c46ad33723d7d909cb4972efbb03 (diff) | |
docs: Added All OpenBSD Manuals
Diffstat (limited to 'static/openbsd/man5')
79 files changed, 40659 insertions, 0 deletions
diff --git a/static/openbsd/man5/acme-client.conf.5 b/static/openbsd/man5/acme-client.conf.5 new file mode 100644 index 00000000..b47531fe --- /dev/null +++ b/static/openbsd/man5/acme-client.conf.5 @@ -0,0 +1,230 @@ +.\" $OpenBSD: acme-client.conf.5,v 1.35 2026/02/23 10:39:39 sthen Exp $ +.\" +.\" Copyright (c) 2005 Esben Norby <norby@openbsd.org> +.\" Copyright (c) 2004 Claudio Jeker <claudio@openbsd.org> +.\" Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> +.\" Copyright (c) 2002 Daniel Hartmeier <dhartmei@openbsd.org> +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: February 23 2026 $ +.Dt ACME-CLIENT.CONF 5 +.Os +.Sh NAME +.Nm acme-client.conf +.Nd acme-client configuration file +.Sh DESCRIPTION +The +.Nm +file is divided into the following main sections: +.Bl -tag -width xxxx +.It Sx Macros +Definitions of variables that can be used later, simplifying the +configuration file. +.It Sx Authorities +Certificate authorities (CAs) that can be contacted via ACME. +.It Sx Domains +Certificate specifications. +.El +.Pp +Additional configuration files can be included with the +.Ic include +keyword, for example: +.Bd -literal -offset indent +include "/etc/acme-client.sub.conf" +.Ed +.Pp +The current line can be extended over multiple lines using a backslash +.Pq Sq \e . +Comments can be put anywhere in the file using a hash mark +.Pq Sq # , +and extend to the end of the current line. +Care should be taken when commenting out multi-line text: +the comment is effective until the end of the entire block. +.Pp +Arguments not beginning with a letter, digit, underscore, or '/' +must be quoted. +.Ss Macros +A macro is defined with a command of the form +.Ar name Ns = Ns Ar value . +The macro +.Ar name +can contain letters, digits, and underscores and cannot be a reserved word. +Within unquoted arguments, the string +.Pf $ Ar name +is later expanded to +.Ar value . +.Pp +For example: +.Bd -literal -offset indent +api_url="https://acme-v02.api.letsencrypt.org/directory" +authority letsencrypt { + api url $api_url + account key "/etc/acme/letsencrypt-privkey.pem" +} +.Ed +.Ss Authorities +The configured certificate authorities. +.Pp +Each authority section starts with a declaration of the name identifying a +certificate authority. +.Bl -tag -width Ds +.It Ic authority Ar name Brq ... +The +.Ar name +is a string used to reference this certificate authority. +.El +.Pp +It is followed by a block of options enclosed in curly brackets: +.Bl -tag -width Ds +.It Ic account key Ar file Op Ar keytype +Specify a +.Ar file +used to identify the user of this certificate authority. +.Ar keytype +can be +.Cm rsa +or +.Cm ecdsa . +It defaults to +.Cm rsa . +.It Ic api url Ar url +Specify the +.Ar url +under which the ACME API is reachable. +.It Ic contact Ar contact +Optional +.Ar contact +URLs that the authority can use to contact the client for issues related to +this account. +.El +.Ss Domains +The certificates to be obtained through ACME. +.Bl -tag -width Ds +.It Ic domain Ar handle Brq ... +Each domain section begins with the +.Ic domain +keyword followed by an identifier for this domain block. +This is usually the domain name however, if requesting +certificates of different types (EC and RSA) for the same name, +the +.Ar handle +identifiers should be unique and the +.Cm domain name +directive should be used. +.El +.Pp +It is followed by a block of options enclosed in curly brackets: +.Bl -tag -width Ds +.It Ic domain name Ar name +The +.Ar name +to be used as the primary Subject Alternative Name (SAN) +in the X.509 certificate. +This is optional. +If not specified, the +.Ar handle +of the domain block will be used. +.It Ic alternative names Brq ... +A list of additional names, +comma or space separated, +for which the certificate will be valid. +If supported by the CA and selected profile, either fully qualified +domain names, IPv4, or IPv6 addresses may be used. +There is no automatic conversion/inclusion between "www." and +plain domain name forms. +.It Ic domain key Ar file Op Ar keytype +The private key file for which the certificate will be obtained. +.Ar keytype +can be +.Cm rsa +or +.Cm ecdsa . +It defaults to +.Cm rsa . +If the key file does not exist, +.Xr acme-client 1 +will generate a key itself (4096-bit for +.Cm rsa +or secp384r1 for +.Cm ecdsa ) . +.It Ic domain certificate Ar file +The filename of the certificate that will be issued. +This is optional if +.Ar domain full chain certificate +is specified. +A backup with name +.Ar file.1 +is created if +.Ar file +exists. +.It Ic domain chain certificate Ar file +The filename in which to store the certificate chain +that will be returned by the certificate authority. +It needs to be in the same directory as the +.Ar domain certificate +(or in a subdirectory) and can be specified as a relative or absolute path. +This setting is optional. +A backup with name +.Ar file.1 +is created if +.Ar file +exists. +.It Ic domain full chain certificate Ar file +The filename in which to store the full certificate chain +that will be returned by the certificate authority. +It needs to be in the same directory as the +.Ar domain certificate +(or in a subdirectory) and can be specified as a relative or absolute path. +This is a combination of the +.Ar domain certificate +and the +.Ar domain chain certificate +in one file, and is required by most browsers. +This is optional if +.Ar domain certificate +is specified. +A backup with name +.Ar file.1 +is created if +.Ar file +exists. +.It Ic profile Ar profile +The certificate profile to be requested. +If this setting is absent, no profile request is made. +.It Ic sign with Ar authority +The certificate authority (as declared above in the +.Sx Authorities +section) to use. +If this setting is absent, the first authority specified is used. +.It Ic challengedir Ar path +The directory in which the challenge file will be stored. +If it is not specified, a default of +.Pa /var/www/acme +will be used. +.El +.Sh FILES +.Bl -tag -width /etc/examples/acme-client.conf -compact +.It Pa /etc/acme-client.conf +.Xr acme-client 1 +configuration file. +.It Pa /etc/examples/acme-client.conf +Example configuration file. +.El +.Sh SEE ALSO +.Xr acme-client 1 +.Sh HISTORY +The +.Nm +file format first appeared in +.Ox 6.1 . diff --git a/static/openbsd/man5/aliases.5 b/static/openbsd/man5/aliases.5 new file mode 100644 index 00000000..76ed0a11 --- /dev/null +++ b/static/openbsd/man5/aliases.5 @@ -0,0 +1,102 @@ +.\" $OpenBSD: aliases.5,v 1.17 2021/02/13 07:20:49 jmc Exp $ +.\" +.\" Copyright (c) 2012 Gilles Chehade <gilles@poolp.org> +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: February 13 2021 $ +.Dt ALIASES 5 +.Os +.Sh NAME +.Nm aliases +.Nd aliases file for smtpd +.Sh DESCRIPTION +This manual page describes the format of the +.Nm +file, as used by +.Xr smtpd 8 . +An alias, in its simplest form, is used to assign an arbitrary name +to an email address or a group of email addresses. +This provides a convenient way to send mail. +For example an alias could refer to all users of a group: +email to that alias would be sent to all members of the group. +Much more complex aliases can be defined however: +an alias can refer to other aliases, +be used to send mail to a file instead of another person, +or to execute various commands. +.Pp +Within the file, +.Ql # +is a comment delimiter; anything placed after it is discarded. +The file consists of key/value mappings of the form: +.Bd -filled -offset indent +key: value1, value2, value3, ... +.Ed +.Pp +.Em key +is always folded to lowercase before alias lookups to ensure that +there can be no ambiguity. +The key is expanded to the corresponding values, +which consist of one or more of the following: +.Bl -tag -width Ds +.It Em user +A user on the host machine. +The user must have a valid entry in the +.Xr passwd 5 +database file. +.It Ar /path/to/file +Append messages to +.Ar file , +specified by its absolute pathname. +.It | Ns Ar command +Pipe the message to +.Ar command +on its standard input. +The command is run under the privileges of the daemon's unprivileged account. +.It : Ns Ar include : Ns Ar /path/to/file +Include any definitions in +.Ar file +as alias entries. +The format of the file is identical to this one. +.It Ar user-part@domain-part +An email address in RFC 5322 format. +If an address extension is appended to the user-part, +it is first compared for an exact match. +It is then stripped so that an address such as user+ext@example.com +will only use the part that precedes +.Sq + +as a +.Em key . +.It Ar error : Ns Ar code message +A status code and message to return. +The code must be 3 digits, +starting 4XX (TempFail) or 5XX (PermFail). +The message must be present and can be freely chosen. +.El +.Sh FILES +.Bl -tag -width "/etc/mail/aliasesXXX" -compact +.It Pa /etc/mail/aliases +Default +.Nm +file. +.El +.Sh SEE ALSO +.Xr smtpd.conf 5 , +.Xr makemap 8 , +.Xr newaliases 8 , +.Xr smtpd 8 +.Sh HISTORY +The +.Nm +file format appeared in +.Bx 4.0 . diff --git a/static/openbsd/man5/bgpd.conf.5 b/static/openbsd/man5/bgpd.conf.5 new file mode 100644 index 00000000..ac62bc1c --- /dev/null +++ b/static/openbsd/man5/bgpd.conf.5 @@ -0,0 +1,2409 @@ +.\" $OpenBSD: bgpd.conf.5,v 1.253 2026/04/22 13:51:46 claudio Exp $ +.\" +.\" Copyright (c) 2004 Claudio Jeker <claudio@openbsd.org> +.\" Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> +.\" Copyright (c) 2002 Daniel Hartmeier <dhartmei@openbsd.org> +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: April 22 2026 $ +.Dt BGPD.CONF 5 +.Os +.Sh NAME +.Nm bgpd.conf +.Nd BGP routing daemon configuration file +.Sh DESCRIPTION +The +.Xr bgpd 8 +daemon implements the Border Gateway Protocol version 4 as described +in RFC 4271. +.Pp +The +.Nm +config file is divided into the following main sections: +.Bl -tag -width xxxx +.It Sx MACROS +Definitions of variables that can be used later, simplifying the +configuration file. +.It Sx GLOBAL CONFIGURATION +Global settings for +.Xr bgpd 8 . +.It Sx SET CONFIGURATION +Various lookup tables are defined in this section. +.It Sx NETWORK AND FLOWSPEC ANNOUNCEMENTS +Networks which should be announced by +.Xr bgpd 8 +are set in this section. +.It Sx MPLS VPN CONFIGURATION +The definition and properties for BGP MPLS VPNs are set in this section. +.It Sx NEIGHBORS AND GROUPS +.Xr bgpd 8 +establishes sessions with +.Em neighbors . +The neighbor definition and properties are set in this section, as well as +grouping neighbors for the ease of configuration. +.It Sx FILTER +Filter rules for incoming and outgoing +.Em UPDATES . +.El +.Pp +With the exception of macros, +the sections should be grouped and appear in +.Nm +in the order shown above. +.Pp +The current line can be extended over multiple lines using a backslash +.Pq Sq \e . +Comments can be put anywhere in the file using a hash mark +.Pq Sq # , +and extend to the end of the current line. +Care should be taken when commenting out multi-line text: +the comment is effective until the end of the entire block. +.Pp +Arguments not beginning with a letter, digit, or underscore +must be quoted. +.Pp +Additional configuration files can be included with the +.Ic include +keyword, for example: +.Bd -literal -offset indent +include "/etc/bgpd/bgpd-10.0.0.1.filter" +.Ed +.Sh MACROS +A macro is defined with a command of the form +.Ar name Ns = Ns Ar value . +The macro +.Ar name +can contain letters, digits, and underscores and cannot be a reserved word +(for example, +.Ic AS , +.Ic neighbor , +or +.Ic group ) . +Within unquoted arguments, the string +.Pf $ Ar name +is later expanded to +.Ar value . +.Pp +For example: +.Bd -literal -offset indent +peer1="1.2.3.4" +neighbor $peer1 { + remote-as 65001 +} +.Ed +.Sh GLOBAL CONFIGURATION +These settings affect the operation of the +.Xr bgpd 8 +daemon as a whole. +.Pp +.Bl -tag -width Ds -compact +.It Ic AS Ar as-number Op Ar as-number +Set the local +.Em autonomous system +number to +.Ar as-number . +A fallback 2-byte AS number may follow a 4-byte AS number for neighbors that +do not support 4-byte AS numbers. +The standard and default fallback AS number is 23456. +.Pp +The AS numbers are assigned by local RIRs, such as: +.Pp +.Bl -tag -width xxxxxxxx -compact +.It AfriNIC +for Africa +.It APNIC +for Asia Pacific +.It ARIN +for North America and parts of the Caribbean +.It LACNIC +for Latin America and the Caribbean +.It RIPE NCC +for Europe, the Middle East, and parts of Asia +.El +.Pp +The AS numbers 64512 \(en 65534 are designated for private use. +The AS number 23456 is reserved and should not be used. +4-byte AS numbers may be specified in either the ASPLAIN format: +.Bd -literal -offset indent +AS 196618 +.Ed +.Pp +or in the older ASDOT format: +.Bd -literal -offset indent +AS 3.10 +.Ed +.Pp +.It Ic connect-retry Ar seconds +Set the number of seconds to wait before attempting to re-open +a connection. +This timer should be sufficiently large in EBGP configurations. +The default is 120 seconds. +.Pp +.It Xo +.Ic dump +.Op Ic rib Ar name +.Pq Ic table-v2 Ns | Ns Ic table-mp Ns | Ns Ic table +.Ar file Op Ar interval +.Xc +.It Xo +.Ic dump +.Pq Ic all Ns | Ns Ic updates +.Pq Ic in Ns | Ns Ic out +.Ar file Op Ar interval +.Xc +Dump the RIB, a.k.a. the +.Em routing information base , +or dump ongoing BGP activity, in Multi-threaded Routing Toolkit (MRT) format. +The +.Ar file +is subject to +.Xr strftime 3 Ns -expansion. +.Pp +The +.Ic table-v2 +and +.Ic table-mp +RIB formats store multi-protocol RIBs correctly, but the +.Ic table +format does not. +The latter two are provided only to support third-party tools lacking +support for the recommended +.Ic table-v2 +format. +Dump an alternative RIB by specifying +.Ar name . +Specify an +.Ar interval +in seconds for periodic RIB dumps. +.Pp +The following will dump the entire RIB table, at startup and every +5 minutes thereafter, to a new file: +.Bd -literal -offset indent +dump table-v2 "/tmp/rib-dump-%H%M" 300 +.Ed +.Pp +Dumps of ongoing BGP activity include all BGP state transitions, and +all BGP messages in the specified direction. +Use +.Ic updates +to dump only BGP +.Em UPDATE +messages, without state transitions. +Specify an +.Ar interval +in seconds to restart periodically with a new file: +.Bd -literal -offset indent +dump all in "/tmp/all-in-%H%M" 300 +.Ed +.Pp +.It Ic fib-priority Ar prio +Set the routing priority to +.Ar prio . +The default is 48. +.Pp +.It Xo +.Ic fib-update +.Pq Ic yes Ns | Ns Ic no +.Xc +If set to +.Ic no , +do not update the Forwarding Information Base, a.k.a. the kernel +routing table. +The default is +.Ic yes . +.Pp +.It Ic holdtime Ar seconds +Set the announced holdtime in seconds. +This is exchanged with a neighbor upon connection +establishment, in the +.Em OPEN +message, and the shortest holdtime governs the session. +.Pp +The neighbor session is dropped if the session holdtime passes +without receipt of a +.Em KEEPALIVE +or an +.Em UPDATE +message from the neighbor. +The default is 90 seconds. +.Pp +.It Ic holdtime min Ar seconds +The minimum acceptable holdtime in seconds. +This value must be at least 3. +.Pp +.It Ic listen on Ar address Op Ic port Ar port +Specify the local IP address and optional port for +.Xr bgpd 8 +to listen on. +The default is to listen on all local addresses on the current default +routing domain. +.Pp +.It Ic log updates +Log sent and received BGP update messages. +.Pp +.It Xo +.Ic nexthop +.Ic qualify +.Ic via +.Pq Ic bgp Ns | Ns Ic default +.Xc +If set to +.Ic bgp , +.Xr bgpd 8 +may verify nexthops using BGP routes. +If set to +.Ic default , +.Xr bgpd 8 +may verify nexthops using the default route. +By default +.Xr bgpd 8 +uses only static routes or routes added by other routing +daemons, such as +.Xr ospfd 8 . +.Pp +.It Xo +.Ic rde Ic evaluate +.Pq Ic default Ns | Ns Ic all +.Xc +If set to +.Ar all , +keep evaluating alternative paths in case the selected path is filtered +out. +By default if a path is filtered by the output filters then no alternative +path is sent to this peer. +.Pp +.It Xo +.Ic rde Ic med Ic compare +.Pq Ic always Ns | Ns Ic strict +.Xc +If set to +.Ic always , +the +.Em MULTI_EXIT_DISC +attributes will always be compared. +The default is +.Ic strict , +where the metric is only compared between peers belonging to the same AS. +.Pp +.It Xo +.Ic rde +.Ic rib Ar name +.Op Ic no evaluate +.Xc +.It Xo +.Ic rde +.Ic rib Ar name +.Op Ic rtable Ar number +.Xc +Create an additional RIB named +.Ar name . +The degree to which its routes may be utilized is configurable. +They may be excluded from the decision process that selects usable routes +with the +.Ic no evaluate +flag, and this precludes their export to any kernel routing table. +By default its routes will be evaluated, but not exported to the kernel. +They may be both evaluated and exported if associated with a given +.Ic rtable +.Ar number , +which must belong to the routing domain that +.Xr bgpd 8 +was started in. +This table will not be consulted during nexthop verification +unless it is the one that +.Xr bgpd 8 +was started in. +It is unnecessary to create +.Ic Adj-RIB-In +and +.Ic Loc-RIB , +which are created automatically and used by default. +.Pp +.It Ic rde rib Loc-RIB include filtered +Include filtered prefixes in the +.Ic Loc-RIB . +Filtered prefixes are not eligible by the decision process but can be +displayed by +.Xr bgpctl 8 . +.Pp +.It Xo +.Ic rde +.Ic route-age +.Pq Ic ignore Ns | Ns Ic evaluate +.Xc +If set to +.Ic evaluate , +the route decision process will also consider the age of the route in +addition to its path attributes, giving preference to the older, +typically more stable, route. +This renders the decision process nondeterministic. +The default is +.Ic ignore . +.Pp +.It Xo +.Ic reject Ic as-set +.Pq Ic yes Ns | Ns Ic no +.Xc +If set to +.Ic yes , +.Em AS paths +attributes containing +.Em AS_SET +path segments will be rejected and +all prefixes will be treated as withdraws. +The default is +.Ic yes . +.Pp +.It Ic router-id Ar dotted-quad +Set the BGP router ID, which must be non-zero and should be unique +within the AS. +By default, the router ID is the highest IPv4 address assigned +to the local machine. +.Bd -literal -offset indent +router-id 10.0.0.1 +.Ed +.Pp +.It Ic rtable Ar number +Work with the given kernel routing table +instead of the default table, which is the one +.Xr bgpd 8 +was started in. +For nexthop verification, +.Xr bgpd 8 +will always consult the default table. +This is the same as using the following syntax: +.Bd -literal -offset indent +rde rib Loc-RIB rtable number +.Ed +.Pp +.It Ic socket Qo Ar path Qc Op Ic restricted +Create a control socket at +.Ar path . +If +.Ic restricted +is specified, a restricted control socket will be created. +By default +.Pa /var/run/bgpd.sock.<rdomain> +is used where +.Ar <rdomain> +is the routing domain in which +.Xr bgpd 8 +has been started. +By default, no restricted socket is created. +.Pp +.It Ic staletime Ar seconds +Set the upper bound in seconds stale routes are kept during graceful restart. +The default is 180 seconds. +.Pp +.It Xo +.Ic transparent-as +.Pq Ic yes Ns | Ns Ic no +.Xc +If set to +.Ic yes , +attribute transparency is enabled. +.Em AS paths +to EBGP neighbors are not prepended with the local AS. +Additionally, the MULTI_EXIT_DISC attribute is passed transparently and +automatic filtering based on the well-known communities +.Ic NO_EXPORT , +.Ic NO_ADVERTISE , +and +.Ic NO_EXPORT_SUBCONFED +is disabled. +The default is +.Ic no . +.El +.Sh SET CONFIGURATION +.Xr bgpd 8 +supports the efficient lookup of data within named +.Em sets . +An +.Ic as-set , +a +.Ic prefix-set , +and an +.Ic origin-set +store AS numbers, prefixes, and prefixes/source-as pairs, +respectively. +Such sets may be referenced by filter rules; see the +.Sx FILTER +section for details. +It is more efficient to evaluate a set than a long series of +rules for filtering each of its members. +.Pp +One single +.Ic roa-set +may be defined, against which +.Xr bgpd 8 +will validate the origin of each prefix. +The +.Ic roa-set +and the +.Ic aspa-set +are merged with the corresponding tables received via +.Ic rtr +sessions. +.Pp +A set definition can span multiple lines, and an optional comma is allowed +between elements. +The same set can be defined more than once, in this case the definitions are +merged into one common set. +.Pp +.Bl -tag -width Ds -compact +.It Xo +.Ic as-set Ar name +.Ic { Ar as-number ... Ic } +.Xc +An +.Ic as-set +stores AS numbers, and can be used with the AS specific parameter in +.Sx FILTER +rules. +.Pp +.It Xo +.Ic aspa-set +.Ic { Ic customer-as Ar as-number +.Op Ic expires Ar seconds +.Ic provider-as Ic { Ar as-number +.Ic ... Ic } ... Ic } +.Xc +The +.Ic aspa-set +holds a collection of +.Em Validated ASPA Payloads Pq VAPs . +Each as AS_PATH received from an eBGP peer is checked against the +.Ic aspa-set , +and the ASPA Validation State (AVS) is set. +.Ic expires +can be set to the seconds since Epoch until when this VAP is valid. +.Bd -literal -offset indent +aspa-set { + customer-as 64511 provider-as { 64496 65496 } + customer-as 64496 provider-as { 65496 64544 } +} +.Ed +.Pp +.It Xo +.Ic origin-set Ar name +.Ic { Ar address Ns Li / Ns Ar len +.Op Ic maxlen Ar mlen +.Ic source-as Ar asn ... Ic } +.Xc +An +.Ic origin-set +stores prefix/source-as pairs, and can be used to filter on the combination +by using the +.Ic origin-set +parameter in +.Sx FILTER +rules. +.Bd -literal -offset indent +origin-set private { 10.0.0.0/8 maxlen 24 source-as 64511 + 203.0.113.0/24 source-as 64496 } +.Ed +.Pp +.It Xo +.Ic prefix-set Ar name +.Ic { Ar address Ns Li / Ns Ar len ... Ic } +.Xc +A +.Ic prefix-set +stores network prefixes and can be used in place +of the +.Ic prefix +parameter in +.Sx FILTER +rules, and in +.Ic network +statements. +A prefix can be followed by the prefixlen operators listed for the +.Ic prefix +parameter in the +.Sx PARAMETERS +section. +.Pp +The first example below creates a set of prefixes called +.Dq private , +to hold a number of RFC 1918 private network blocks. +The second example shows the use of prefixlen operators. +.Bd -literal -offset indent +prefix-set private { 10.0.0.0/8, 172.16.0.0/12, + 192.168.0.0/16, fc00::/7 } +prefix-set as64496set { 192.0.2.0/24 prefixlen >= 26, + 2001:db8::/32 or-longer } +.Ed +.Pp +.It Xo +.Ic roa-set +.Ic { Ar address Ns Li / Ns Ar len +.Op Ic maxlen Ar mlen +.Ic source-as Ar asn +.Oo Ic expires Ar seconds Oc ... Ic } +.Xc +The +.Ic roa-set +holds a collection of +.Em Validated ROA Payloads Pq VRPs . +Each received prefix is checked against the +.Ic roa-set , +and the Origin Validation State (OVS) is set. +.Ic expires +can be set to the seconds since Epoch until when this VRP is valid. +.Bd -literal -offset indent +roa-set { 192.0.2.0/23 maxlen 24 source-as 64511 + 203.0.113.0/24 source-as 64496 } +.Ed +.Pp +.It Xo +.Ic rtr Ar address +.Ic { Ar ... Ic } +.Xc +The +.Ic rtr +block specifies a +.Em RPKI to Router Pq RTR +session. +.Em RTR +sessions provide another means to load +.Em VRP +sets into +.Xr bgpd 8 . +Changes propagated via the RTR protocol do not need a config reload and are +immediately applied. +The union of all +.Em VRP +sets received via +.Ic rtr +sessions and the entries in the +.Ic roa-set +is used to validate the origin of routes. +The rtr session properties are as follows: +.Pp +.Bl -tag -width Ds -compact +.It Ic descr Ar description +Add a description. +The description is used in logging and status reports, but has no further +meaning for +.Xr bgpd 8 . +.Pp +.It Ic local-address Ar address +Bind to the specific IP address before opening the TCP connection to the +.Em rtr +server. +.Pp +.It Ic min-version Ar number +Require a minimal RTR version of +.Ar number . +To ensure that ASPA records are synchronised over RTR a minimal version +of 2 is required. +.Pp +.It Ic port Ar number +Specify the TCP destination port for the +.Em rtr +session. +If not specified, the default +.Ic port +is +.Em 323 . +.El +.El +.Sh NETWORK AND FLOWSPEC ANNOUNCEMENTS +.Ic network +statements specify the networks that +.Xr bgpd 8 +will announce as its own. +An announcement must also be permitted by the +.Sx FILTER +rules. +By default +.Xr bgpd 8 +announces no networks. +.Pp +.Bl -tag -width Ds -compact +.It Xo +.Ic network +.Ar address Ns Li / Ns Ar prefix +.Op Ic set ... +.Xc +Announce the specified prefix as belonging to our AS. +.Pp +.It Xo +.Ic network +.Pq Ic inet Ns | Ns Ic inet6 +.Ic connected Op Ic set ... +.Xc +Announce routes to directly attached networks. +.Pp +.It Xo +.Ic network prefix-set +.Ar name +.Op Ic set ... +.Xc +Announce all networks in the prefix-set +.Ar name . +.Pp +.It Xo +.Ic network +.Pq Ic inet Ns | Ns Ic inet6 +.Ic priority Ar number Op Ic set ... +.Xc +Announce routes having the specified +.Ar priority . +.Pp +.It Xo +.Ic network +.Pq Ic inet Ns | Ns Ic inet6 +.Ic rtlabel Ar label Op Ic set ... +.Xc +Announce routes having the specified +.Ar label . +.Pp +.It Xo +.Ic network +.Pq Ic inet Ns | Ns Ic inet6 +.Ic static Op Ic set ... +.Xc +Announce all static routes. +.El +.Pp +Each +.Ic network +statement may set default +.Em AS path attributes : +.Bd -literal -offset indent +network 192.168.7.0/24 set localpref 220 +.Ed +.Pp +See also the +.Sx ATTRIBUTE SET +section. +.Pp +.Ic flowspec +statements specify the flowspec rules that +.Xr bgpd 8 +will announce as its own. +.\"An announcement must also be permitted by the +.\".Sx FILTER +.\"rules. +By default +.Xr bgpd 8 +announces no flowspec rules. +.Pp +.Bl -tag -width Ds -compact +.It Xo +.Ic flowspec +.Pq Ic inet Ns | Ns Ic inet6 +.Ar rule Op Ic set ... +.Xc +Announce an IPv4 or IPv6 specific flowspec +.Ar rule +including the +.Em AS path attributes +specified by +.Ar set . +.El +.Pp +The following rule parameters can be set. +Most number arguments in the below rules can be specified as a +list of ranges enclosed in curly brackets using these operators: +.Bd -literal -offset indent += (equal, default) +!= (unequal) +< (less than) +<= (less than or equal) +> (greater than) +>= (greater than or equal) +- (range including boundaries) +>< (except range) +.Ed +.Pp +.Sq >< , +and +.Sq - +are binary operators (they take two arguments). +.Pp +.Bl -tag -width Ds -compact +.It Ic from Ar source Op Ic port Ar list +.It Ic to Ar dest Op Ic port Ar list +This rule applies only to packets with the specified source or +destination addresses and ports. +Addresses can be specified in CIDR notation (matching netblocks) or using +.Cm any +to match any address. +In most cases a +.Ic to +address must be specified and be part of the announced networks. +.Pp +Ports can be specified either by number or by name. +For example, port 80 can be specified as +.Cm www . +For a list of all port name to number mappings see the file +.Pa /etc/services . +.It Ic flags Ar a Ns / Ns Ar b +This rule only applies to TCP packets that have the flags +.Ar a +set out of set +.Ar b . +Flags not specified in +.Ar b +are ignored. +The flags are: (F)IN, (S)YN, (R)ST, (P)USH, (A)CK, (U)RG, (E)CE, and C(W)R. +.It Ic fragment Ar a Ns / Ns Ar b +This rule only applies to fragmented packets which match the specified flags. +The flags are: (D)on't fragment, (I)s fragment, (F)irst fragment, and (L)ast +fragment. +.It Ic icmp-type Ar type Op Ic code Ar code +.It Ic icmp6-type Ar type Op Ic code Ar code +This rule only applies to ICMP or ICMP6 packets with the specified type +and code. +Text names for ICMP types and codes are listed in +.Xr icmp 4 +and +.Xr icmp6 4 . +.It Ic length Ar pktlen +This rule applies only to packets matching the specified +.Ar pktlen . +.It Ic proto Ar protocol +This rule applies only to packets of this protocol. +Common protocols are ICMP, ICMP6, TCP, and UDP. +For a list of all the protocol name to number mappings see the file +.Pa /etc/protocols . +.It Ic tos Ar string Ns | Ns Ar number +This rule applies to packets with the specified TOS bits set. +.Ar string +may be one of +.Cm critical , +.Cm inetcontrol , +.Cm lowdelay , +.Cm netcontrol , +.Cm throughput , +.Cm reliability , +or one of the DiffServ Code Points: +.Cm ef , +.Cm af11 No ... Cm af43 , +.Cm cs0 No ... Cm cs7 ; +.Ar number +may be either a hex or decimal number. +.El +.Pp +The action taken when a flowspec rules matches depends on extended communities. +For example to block all traffic either +.Ic ext-community Ic flow-rate Ar as-number : Ns 0 +or +.Ic ext-community Ic flow-pps Ar as-number : Ns 0 +need to be set. +.Sh MPLS VPN CONFIGURATION +A +.Ic vpn +section configures a router to participate in an MPLS Virtual Private Network. +It specifies an +.Xr mpe 4 +interface to use, a description, and various properties of the VPN: +.Bd -literal -offset indent +vpn "description" on mpe1 { + rd 65002:1 + import-target rt 65002:42 + export-target rt 65002:42 + network 192.168.1/24 +} +.Ed +.Pp +.Xr bgpd 8 +will not exchange VPN routes with a neighbor by default, see the +.Sx NEIGHBORS AND GROUPS +section. +The description is used when logging but has no further meaning to +.Xr bgpd 8 . +.Pp +The +.Xr mpe 4 +interface will be used as the outgoing interface for routes to +the VPN, and local networks will be announced with the MPLS label +specified on the interface. +The interface can provide VPN connectivity for another rdomain by +being configured in that rdomain. +The required rdomain must be configured on the interface before +.Xr bgpd 8 +uses it. +Multiple VPNs may be connected to a single rdomain, including the rdomain that +.Xr bgpd 8 +is running in. +.Pp +An example +.Xr hostname.if 5 +configuration for an +.Xr mpe 4 +interface providing connectivity to rdomain 1: +.Bd -literal -offset indent +rdomain 1 +mplslabel 2000 +inet 192.198.0.1 255.255.255.255 +up +.Ed +.Pp +The VPN properties are as follows: +.Pp +.Bl -tag -width Ds -compact +.It Ic export-target Ar subtype as-number : Ns Ar local +.It Ic export-target Ar subtype IP : Ns Ar local +Classify announced networks by tagging them with an +.Em extended community +of the given arguments. +The community +.Ar subtype +should be a +.Em route target , +.Ic rt , +to ensure interoperability. +The arguments are further detailed in the +.Sx ATTRIBUTE SET +section. +More than one +.Ic export-target +can be specified. +.Pp +.It Xo +.Ic fib-update +.Pq Ic yes Ns | Ns Ic no +.Xc +If set to +.Ic no , +do not update the Forwarding Information Base, a.k.a. the kernel +routing table. +The default is +.Ic yes . +.Pp +.It Ic import-target Ar subtype as-number : Ns Ar local +.It Ic import-target Ar subtype IP : Ns Ar local +The rdomain imports only those prefixes tagged with an +.Em extended community +matching an +.Ic import-target . +The community +.Ar subtype +should be a +.Em route target , +.Ic rt , +to ensure interoperability. +The arguments are further detailed in the +.Sx ATTRIBUTE SET +section. +More than one +.Ic import-target +can be specified. +.Pp +.It Ic network Ar argument ... +Announce the given networks within this VPN; +see the +.Sx NETWORK ANNOUNCEMENTS +section. +.Pp +.It Ic rd Ar as-number : Ns Ar local +.It Ic rd Ar IP : Ns Ar local +The Route Distinguisher +.Ic rd +supplies BGP with namespaces to disambiguate VPN prefixes, as these needn't be +globally unique. +Unlike route targets, the +.Ic rd +neither identifies the origin of the prefix nor controls into +which VPNs the prefix is distributed. +The +.Ar as-number +or +.Ar IP +of a +.Ic rd +should be set to a number or IP that was assigned by an appropriate authority, +whereas +.Ar local +can be chosen by the local operator. +.El +.Sh NEIGHBORS AND GROUPS +.Xr bgpd 8 +establishes TCP connections to other BGP speakers called +.Em neighbors . +A neighbor and its properties are specified by a +.Tg +.Ic neighbor +section: +.Bd -literal -offset indent +neighbor 10.0.0.2 { + remote-as 65002 + descr "a neighbor" +} +.Ed +.Pp +Neighbors placed within a +.Tg +.Ic group +section inherit the properties common to that group: +.Bd -literal -offset indent +group "peering AS65002" { + remote-as 65002 + neighbor 10.0.0.2 { + descr "AS65002-p1" + } + neighbor 10.0.0.3 { + descr "AS65002-p2" + } +} +.Ed +.Pp +An entire network of neighbors may be accommodated by specifying an +address/netmask pair: +.Bd -literal -offset indent +neighbor 10.0.0.0/8 +.Ed +.Pp +This is a +.Em template +that recognises as a neighbor any connection from within the given network. +Such neighbors inherit their template's properties, except for their IP address. +A template may omit +.Ic remote-as ; +.Xr bgpd 8 +then accepts any AS presented by the neighbor in the +.Em OPEN +message. +.Pp +The neighbor properties are as follows: +.Pp +.Bl -tag -width Ds -compact +.It Xo +.Ic announce +.Pq Ic IPv4 Ns | Ns Ic IPv6 +.Pq Ic none Ns | Ns Ic unicast Ns | Ns Ic vpn Ns | Ns Ic flowspec +.Op Ic enforce +.Xc +.It Xo +.Ic announce +.Ic EVPN +.Op Ic enforce +.Xc +For the given address family, control which +.Em subsequent address families +are announced during the capabilities negotiation. +Only routes for that address family and subsequent address families will be +announced and processed. +.Ic EVPN +does not require a subsequent address family. +.Pp +At the moment, only +.Ic none , +which disables the announcement of that address family, +.Ic unicast , +.Ic vpn , +which allows the distribution of BGP MPLS VPNs, and +.Ic flowspec , +which allows the distribution of Flow Specification Rules, +are supported. +.Pp +The default is +.Ic unicast +for the same address family of the session. +.Pp +.It Xo +.Ic announce add-path recv +.Pq Ic yes Ns | Ns Ic no Ns | Ns Ic enforce +.Xc +If set to +.Ic yes , +the receive add-path capability is announced, which allows reception of multiple +paths per prefix. +The default is +.Ic no . +.Pp +.It Xo +.Ic announce add-path send +.Pq Ic no Ns | Ns Ic all +.Op Ic enforce +.Xc +.It Xo +.Ic announce add-path send +.Pq Ic best Ns | Ns Ic ecmp Ns | Ns Ic as-wide-best +.Op Ic plus Ar num +.Op Ic max Ar num +.Op Ic enforce +.Xc +If set to +.Ic all , +.Ic best , +.Ic ecmp , +or +.Ic as-wide-best , +the send add-path capability is announced, which allows sending multiple paths +per prefix. +The paths sent depend on which mode is selected: +.Pp +.Bl -tag -width as-wide-best -compact +.It Ic no +do not advertise add-path send capability +.It Ic all +send all valid paths +.It Ic best +send the best path +.It Ic ecmp +send paths with equal nexthop cost +.It Ic as-wide-best +send paths where the first 8 checks of the decision process match +.El +.Pp +.Ic plus +allows the inclusion of additional backup paths and works for +.Ic best , +.Ic ecmp , +and +.Ic as-wide-best . +.Ic max +can be used to limit the total amount of paths sent for +.Ic ecmp +and +.Ic as-wide-best . +Right now +.Ic ecmp +and +.Ic as-wide-best +are equivalent. +The default is +.Ic no . +If +.Ic add-path Ic send +is active then the setting of +.Ic rde Ic evaluate +is ignored. +.Pp +.It Xo +.Ic announce as-4byte +.Pq Ic yes Ns | Ns Ic no Ns | Ns Ic enforce +.Xc +If set to +.Ic no , +the 4-byte AS capability is not announced and so native 4-byte AS support is +disabled. +If +.Ic enforce +is set, the session will only be established if the neighbor also announces +the capability. +The default is +.Ic yes . +.Pp +.It Xo +.Ic announce enhanced refresh +.Pq Ic yes Ns | Ns Ic no Ns | Ns Ic enforce +.Xc +If set to +.Ic yes , +the enhanced route refresh capability is announced. +If +.Ic enforce +is set, the session will only be established if the neighbor also announces +the capability. +The default is +.Ic no . +.Pp +.It Xo +.Ic announce extended message +.Pq Ic yes Ns | Ns Ic no Ns | Ns Ic enforce +.Xc +If set to +.Ic yes , +the extended message capability is announced. +If negotiated, the default maximum message size is increased from 4096 to 65535 +bytes. +If +.Ic enforce +is set, the session will only be established if the neighbor also announces +the capability. +The default is +.Ic no . +.Pp +.It Xo +.Ic announce extended nexthop +.Pq Ic yes Ns | Ns Ic no Ns | Ns Ic enforce +.Xc +If set to +.Ic yes , +the extended nexthop encoding capability is announced. +If negotiated, +.Ic IPv4 unicast +and +.Ic vpn +sessions can send paths with a IPv6 nexthop. +If +.Ic enforce +is set, the session will only be established if the neighbor also announces +the capability. +The default is +.Ic no . +.Pp +.It Xo +.Ic announce graceful notification +.Pq Ic yes Ns | Ns Ic no +.Xc +If set to +.Ic yes , +the graceful notification extension to graceful restart is announced. +The default is +.Ic no . +.Ic announce refresh +must be enabled to enable graceful notifications. +.Pp +.It Xo +.Ic announce policy +.Pq Ic yes Ns | Ns Ic no Ns | Ns Ic enforce +.Xc +If set to +.Ic yes , +add the open policy role capability. +If the role of the neighbor does not correspond to the expected role then +the session will be closed. +If +.Ic enforce +is set, the session will only be established if the neighbor also announces +the capability. +The default is +.Ic no . +.Pp +.It Xo +.Ic announce refresh +.Pq Ic yes Ns | Ns Ic no Ns | Ns Ic enforce +.Xc +If set to +.Ic no , +the route refresh capability is not announced. +If +.Ic enforce +is set, the session will only be established if the neighbor also announces +the capability. +The default is +.Ic yes . +.Pp +.It Xo +.Ic announce restart +.Pq Ic yes Ns | Ns Ic no Ns | Ns Ic enforce +.Xc +If set to +.Ic no , +the graceful restart capability is not announced. +Currently only the End-of-RIB marker is supported and announced by the +.Ic restart +capability. +If +.Ic enforce +is set, the session will only be established if the neighbor also announces +the capability. +The default is +.Ic yes . +.Pp +.It Xo +.Ic as-override +.Pq Ic yes Ns | Ns Ic no +.Xc +If set to +.Ic yes , +all occurrences of the neighbor AS in the +.Em AS path +will be replaced with the local AS before running the filters. +The Adj-RIB-In still holds the unmodified AS path. +The default value is +.Ic no . +.Pp +.It Ic demote Ar group +Increase the +.Xr carp 4 +demotion counter on the given interface group, usually +.Ar carp , +when the session is not in state +.Em ESTABLISHED . +The demotion counter will be increased as soon as +.Xr bgpd 8 +starts and decreased +60 seconds after the session went to state +.Em ESTABLISHED . +For neighbors added at runtime, the demotion counter is only increased after +the session has been +.Em ESTABLISHED +at least once before dropping. +.Pp +For more information on interface groups, +see the +.Ic group +keyword in +.Xr ifconfig 8 . +.Pp +.It Ic depend on Ar interface +The neighbor session will be kept in state +.Em IDLE +as long as +.Ar interface +reports no link. +For +.Xr carp 4 +interfaces, no link means that the interface is currently +.Em backup . +This is primarily intended to be used with +.Xr carp 4 +to reduce failover times. +.Pp +The state of the network interfaces on the system can be viewed +using the +.Cm show interfaces +command to +.Xr bgpctl 8 . +.Pp +.It Ic descr Ar description +Add a description. +The description is used when logging neighbor events, in status +reports, for specifying neighbors, etc., but has no further meaning to +.Xr bgpd 8 . +.Pp +.It Ic down Op Ar reason +Do not start the session when +.Xr bgpd 8 +comes up but stay in +.Em IDLE . +If the session is cleared at runtime, after a +.Ic down +.Ar reason +was configured at runtime, the +.Ar reason +is sent as Administrative Shutdown Communication. +The +.Ar reason +cannot exceed 255 octets. +.Pp +.It Xo +.Ic dump +.Pq Ic all Ns | Ns Ic updates +.Pq Ic in Ns | Ns Ic out +.Ar file Op Ar interval +.Xc +Dump ongoing BGP activity for a particular neighbor. +See also the +.Ic dump +setting in +.Sx GLOBAL CONFIGURATION . +.Pp +.It Xo +.Ic enforce local-as +.Pq Ic yes Ns | Ns Ic no +.Xc +If set to +.Ic no , +.Em AS paths +will not be checked for AS loop detection. +This feature is similar to allowas-in in some other BGP implementations. +Since there is no AS path loop check, this feature is dangerous, and +requires you to add filters to prevent receiving your own prefixes. +The default value is +.Ic yes . +.Pp +.It Xo +.Ic enforce neighbor-as +.Pq Ic yes Ns | Ns Ic no +.Xc +If set to +.Ic yes , +.Em AS paths +whose +.Em leftmost AS +is not equal to the +.Em remote AS +of the neighbor are rejected and a +.Em NOTIFICATION +is sent back. +The default value for IBGP peers is +.Ic no +otherwise the default is +.Ic yes . +.Pp +.It Xo +.Ic export +.Sm off +.Pq Ic none | default-route +.Sm on +.Xc +If set to +.Ic none , +no +.Em UPDATE +messages will be sent to the neighbor. +If set to +.Ic default-route , +only the default route will be announced to the neighbor. +.Pp +.It Ic holdtime Ar seconds +Set the holdtime in seconds. +Inherited from the global configuration if not given. +.Pp +.It Ic holdtime min Ar seconds +Set the minimal acceptable holdtime. +Inherited from the global configuration if not given. +.Pp +.It Xo +.Ic ipsec +.Pq Ic ah Ns | Ns Ic esp +.Pq Ic in Ns | Ns Ic out +.Ic spi Ar spi-number authspec Op Ar encspec +.Xc +Enable IPsec with static keying. +There must be at least two +.Ic ipsec +statements per peer with manual keying, one per direction. +.Ar authspec +specifies the authentication algorithm and key. +It can be +.Bd -literal -offset indent +sha1 <key> +md5 <key> +.Ed +.Pp +.Ar encspec +specifies the encryption algorithm and key. +.Ic ah +does not support encryption. +With +.Ic esp , +encryption is optional. +.Ar encspec +can be +.Bd -literal -offset indent +3des <key> +3des-cbc <key> +aes <key> +aes-128-cbc <key> +.Ed +.Pp +Keys must be given in hexadecimal format. +After changing settings, a session needs to be reset to use the new keys. +The +.Ic ipsec +flows only work with session using the default port 179. +.Pp +.It Xo +.Ic ipsec +.Pq Ic ah Ns | Ns Ic esp +.Ic ike +.Xc +Enable IPsec with dynamic keying. +In this mode, +.Xr bgpd 8 +sets up the flows, and a key management daemon such as +.Xr isakmpd 8 +is responsible for managing the session keys. +With +.Xr isakmpd 8 , +it is sufficient to copy the peer's public key, found in +.Pa /etc/isakmpd/local.pub , +to the local machine. +It must be stored in a file +named after the peer's IP address and must be stored in +.Pa /etc/isakmpd/pubkeys/ipv4/ . +The local public key must be copied to the peer in the same way. +As +.Xr bgpd 8 +manages the flows on its own, it is sufficient to restrict +.Xr isakmpd 8 +to only take care of keying by specifying the flags +.Fl Ka . +This can be done in +.Xr rc.conf.local 8 . +After starting the +.Xr isakmpd 8 +and +.Xr bgpd 8 +daemons on both sides, the session should be established. +After changing settings, a session needs to be reset to use the new keys. +The +.Ic ipsec +flows only work with session using the default port 179. +.Pp +.It Ic local-address Ar address +.It Ic no local-address +When +.Xr bgpd 8 +initiates the TCP connection to the neighbor system, it normally does not +bind to a specific IP address. +If a +.Ic local-address +is given, +.Xr bgpd 8 +binds to this address first. +.Ic no local-address +reverts back to the default. +.Pp +.It Ic local-as Ar as-number Op Ar as-number +Set the AS number sent to the remote system. +Used as described above under +.Sx GLOBAL CONFIGURATION +option +.Ic AS . +.Pp +Since there is no AS path loop check, this option is dangerous, and +requires you to add filters to prevent receiving your ASNs. +Intended to be used temporarily, for migrations to another AS. +.Pp +.It Ic log no +Disable neighbor specific logging. +.Pp +.It Ic log updates +Log received and sent updates for this neighbor. +.Pp +.It Xo +.Ic max-prefix Ar number +.Op Ic restart Ar number +.Xc +Terminate the session when the maximum +.Ar number +of prefixes received is exceeded +(no such limit is imposed by default). +If +.Ic restart +is specified, the session will be restarted after +.Ar number +minutes. +.Pp +.It Xo +.Ic max-prefix Ar number Ic out +.Op Ic restart Ar number +.Xc +Terminate the session when the maximum +.Ar number +of prefixes sent is exceeded +(no such limit is imposed by default). +If +.Ic restart +is specified, the session will be restarted after +.Ar number +minutes. +.Pp +.It Ic multihop Ar hops +Neighbors not in the same AS as the local +.Xr bgpd 8 +normally have to be directly connected to the local machine. +If this is not the case, the +.Ic multihop +statement defines the maximum hops the neighbor may be away. +.Pp +.It Ic passive +Do not attempt to actively open a TCP connection to the neighbor system. +.Pp +.It Ic port Ar port +Connect to the peer using +.Ar port +instead of the default BGP port 179. +.Pp +.It Xo +.Ic reject Ic as-set +.Pq Ic yes Ns | Ns Ic no +.Xc +If set to +.Ic yes , +.Em AS paths +attributes containing +.Em AS_SET +path segments will be rejected and +all prefixes will be treated as withdraws. +The default is inherited from the global +.Ic reject Ic as-set +setting. +.Pp +.It Ic remote-as Ar as-number +Set the AS number of the remote system. +.Pp +.It Xo +.Ic rde Ic evaluate +.Pq Ic default Ns | Ns Ic all +.Xc +If set to +.Ar all , +keep evaluating alternative paths in case the selected path is filtered +out. +By default if a path is filtered by the output filters then no alternative +path is sent to this peer. +The default is inherited from the global +.Ic rde Ic evaluate +setting. +.Pp +.It Ic rib Ar name +Bind the neighbor to the specified RIB. +.Pp +.It Ic role Ar role +Set the local role for this eBGP session. +Setting a role is required for ASPA verification, the open policy role +capability and Only-To-Customer (OTC) attribute of RFC 9234. +The role can be one of +.Ar none , +.Ar provider , +.Ar customer , +.Ar rs , +.Ar rs-client , +or +.Ar peer . +If the role is set to +.Ar none +the +.Ic announce Ic policy +will also be disabled. +On iBGP session the role setting is ignored and forced to +.Ar none . +.Pp +.It Ic route-reflector Op Ar address +Act as an RFC 4456 +.Em route-reflector +for this neighbor. +An optional cluster ID can be specified; otherwise the BGP ID will be used. +.Pp +.It Ic set Ar attribute ... +Set the +.Em AS path attributes +to some default per +.Ic neighbor +or +.Ic group +block: +.Bd -literal -offset indent +set localpref 300 +.Ed +.Pp +See also the +.Sx ATTRIBUTE SET +section. +Set parameters are applied to the received prefixes; the only exceptions are +.Ic prepend-self , +.Ic nexthop no-modify +and +.Ic nexthop self . +These sets are rewritten into filter rules and can be viewed with +.Dq bgpd -nv . +.Pp +.It Ic staletime Ar seconds +Set the upper bound stale time in seconds for graceful restart. +Inherited from the global configuration if not given. +.Pp +.It Ic tcp md5sig password Ar secret +.It Ic tcp md5sig key Ar secret +Enable TCP MD5 signatures per RFC 2385. +The shared secret can either be given as a password or hexadecimal key. +.Bd -literal -offset indent +tcp md5sig password mekmitasdigoat +tcp md5sig key deadbeef +.Ed +After changing keys, a session needs to be reset to use the new keys. +.Pp +.It Xo +.Ic transparent-as +.Pq Ic yes Ns | Ns Ic no +.Xc +If set to +.Ic yes , +attribute transparency is enabled. +See also the +.Ic transparent-as +setting in +.Sx GLOBAL CONFIGURATION . +The default is inherited from the global +.Ic transparent-as +setting. +.Pp +.It Xo +.Ic ttl-security +.Pq Ic yes Ns | Ns Ic no +.Xc +Enable or disable ttl-security. +When enabled, +outgoing packets are sent using a TTL of 255 +and a check is made against an incoming packet's TTL. +For directly connected peers, +incoming packets are required to have a TTL of 255, +ensuring they have not been routed. +For multihop peers, +incoming packets are required to have a TTL of 256 minus multihop distance, +ensuring they have not passed through more than the expected number of hops. +The default is +.Ic no . +.El +.Sh FILTER +.Xr bgpd 8 +filters all BGP +.Em UPDATE +messages, including its own announcements, and blocks them by default. +Filter rules may match on neighbor, direction, +.Em prefix +or +.Em AS path attributes . +Filter rules may also modify +.Em AS path attributes . +.Pp +For each +.Em UPDATE +processed by the filter, the filter rules are evaluated in sequential order, +from first to last. +The last matching +.Ic allow +or +.Ic deny +rule decides what action is taken. +The default action is to deny. +.Pp +The following actions can be used in the filter: +.Bl -tag -width xxxxxxxx +.It Ic allow +The +.Em UPDATE +is passed. +.It Ic deny +The +.Em UPDATE +is blocked. +.It Ic match +Apply the filter attribute set without influencing the filter decision. +.El +.Sh PARAMETERS +The rule parameters specify the +.Em UPDATES +to which a rule applies. +An +.Em UPDATE +always comes from, or goes to, one neighbor. +Most parameters are optional, but each can appear at most once per rule. +If a parameter is specified, the rule only applies to packets with +matching attributes. +.Pp +.Bl -tag -width Ds -compact +.It Xo +.Ar as-type Op Ar operator +.Ar as-number +.Xc +.It Ar as-type Ic as-set Ar name +This rule applies only to +.Em UPDATES +where the +.Em AS path +matches. +The +part of the +.Em AS path +specified by the +.Ar as-type +is matched against the +.Ar as-number +or the +.Ic as-set Ar name : +.Pp +.Bl -tag -width transmit-as -compact +.It Ic AS +(any part) +.It Ic peer-as +(leftmost AS number) +.It Ic source-as +(rightmost AS number) +.It Ic transit-as +(all but the rightmost AS number) +.El +.Pp +.Ar as-number +is an AS number as explained above under +.Sx GLOBAL CONFIGURATION . +It may be set to +.Ic neighbor-as , +which is expanded to the current neighbor remote AS number, or +.Ic local-as , +which is expanded to the locally assigned AS number. +.Pp +When specifying an +.Ic as-set Ar name , +the AS path will instead be matched against all the AS numbers in the set. +.Pp +The +.Ar operator +can be unspecified (this case is identical to the equality operator), or one +of the numerical operators +.Bd -literal -offset indent += (equal) +!= (unequal) +- (range including boundaries) +>< (except range) +.Ed +.Pp +>< and - +are binary operators (they take two arguments); with these, +.Ar as-number +cannot be set to +.Ic neighbor-as . +.Pp +Multiple +.Ar as-number +entries for a given type or +.Ar as-type as-number +entries may also be specified, +separated by commas or whitespace, +if enclosed in curly brackets: +.Bd -literal -offset indent +deny from any AS { 1, 2, 3 } +deny from any { AS 1, source-as 2, transit-as 3 } +deny from any { AS { 1, 2, 3 }, source-as 4, transit-as 5 } +.Ed +.Pp +.It Xo +.Ic avs +.Pq Ic valid | unknown | invalid +.Xc +This rule applies only to +.Em UPDATES +where the ASPA Validation State (AVS) matches. +.Pp +.It Xo +.Ic community +.Ar as-number Ns Li \&: Ns Ar local +.Xc +.It Ic community Ar name +This rule applies only to +.Em UPDATES +where the +.Ic community +path attribute is present and matches. +Communities are specified as +.Ar as-number : Ns Ar local , +where +.Ar as-number +is an AS number and +.Ar local +is a locally significant number between zero and +.Li 65535 . +Both +.Ar as-number +and +.Ar local +may be set to +.Sq * +to do wildcard matching. +Alternatively, well-known communities may be given by name instead and +include +.Ic BLACKHOLE , +.Ic GRACEFUL_SHUTDOWN , +.Ic NO_EXPORT , +.Ic NO_ADVERTISE , +.Ic NO_EXPORT_SUBCONFED , +and +.Ic NO_PEER . +Both +.Ar as-number +and +.Ar local +may be set to +.Ic neighbor-as , +which is expanded to the current neighbor remote AS number, or +.Ic local-as , +which is expanded to the locally assigned AS number. +.Pp +.It Xo +.Ic large-community +.Ar as-number : Ns Ar local : Ns Ar local +.Xc +This rule applies only to +.Em UPDATES +where the +.Ic Large community +path attribute is present and matches. +Communities are specified as +.Ar as-number : Ns Ar local : Ns Ar local , +where +.Ar as-number +is an AS number and +.Ar local +is a locally significant number between zero and +.Li 4294967295 . +Both +.Ar as-number +and +.Ar local +may be set to +.Sq * +to do wildcard matching, +.Ic neighbor-as , +which is expanded to the current neighbor remote AS number, or +.Ic local-as , +which is expanded to the locally assigned AS number. +.Pp +.It Xo +.Ic ext-community +.Ar subtype as-number : Ns Ar local +.Xc +.It Xo +.Ic ext-community +.Ar subtype IP : Ns Ar local +.Xc +.It Xo +.Ic ext-community +.Ar subtype numvalue +.Xc +.It Xo +.Ic ext-community +.Ic ovs +.Pq Ic valid | not-found | invalid +.Xc +This rule applies only to +.Em UPDATES +where the +.Em extended community +path attribute is present and matches. +Extended Communities are specified by a +.Ar subtype +and normally two values, a globally unique part (e.g. the AS number) and a +local part. +Both +.Ar as-number +and +.Ar local +may be set to +.Ic neighbor-as , +which is expanded to the current neighbor remote AS number, or +.Ic local-as , +which is expanded to the locally assigned AS number. +Wildcard matching is supported for +.Ar local , +.Ar numvalue +and +.Ar subtype . +If wildcard matching is used on the +.Ar subtype +then +.Ar numvalue +also needs to be set to +.Sq * . +See also the +.Sx ATTRIBUTE SET +section for further information about the encoding. +.Pp +.It Xo +.Pq Ic from Ns | Ns Ic to +.Ar peer +.Xc +This rule applies only to +.Em UPDATES +coming from, or going to, this particular neighbor. +This parameter must be specified. +.Ar peer +is one of the following: +.Pp +.Bl -tag -width "group descr" -compact +.It Ic any +Any neighbor will be matched. +.It Ic ibgp +All +.Em IBGP +neighbors will be matched. +.It Ic ebgp +All +.Em EBGP +neighbors will be matched. +.It Ar address +Neighbors with this address will be matched. +.It Ic group Ar descr +Neighbors in this group will be matched. +.It Ic AS Ar as-number +Neighbors with this AS will be matched. +.El +.Pp +Multiple +.Ar peer +entries may also be specified, +separated by commas or whitespace, +if enclosed in curly brackets: +.Bd -literal -offset indent +deny from { 128.251.16.1, 251.128.16.2, group hojo } +.Ed +.Pp +.It Pq Ic inet Ns | Ns Ic inet6 +Match only routes in the IPv4 or IPv6 address families, respectively. +.Ic inet +is an alias for +.Qq prefix 0.0.0.0/0 prefixlen >= 0 ; +.Ic inet6 +is an alias for +.Qq prefix ::/0 prefixlen >= 0 . +.Pp +.It Ic max-as-len Ar len +This rule applies only to +.Em UPDATES +where the +.Em AS path +has more than +.Ar len +elements. +.Pp +.It Ic max-as-seq Ar len +This rule applies only to +.Em UPDATES +where a single +.Em AS number +is repeated more than +.Ar len +times. +.Pp +.It Ic max-communities Ns | Ns Ic max-large-communities Ns | \ +Ns Ic max-ext-communities Ar num +This rule applies only to +.Em UPDATES +where the +.Em Basic , +.Em Large , +or +.Em Extended Community +attribute has more than +.Ar num +elements. +.Pp +.It Ic nexthop Ar address +This rule applies only to +.Em UPDATES +where the nexthop is equal to +.Ar address . +The +.Ar address +can be set to +.Em neighbor +in which case the nexthop is compared against the address of the neighbor. +Nexthop filtering is not supported on locally announced networks and one must +take into consideration previous rules overwriting nexthops. +.Pp +.It Ic origin-set Ar name +This rule applies only to +.Em UPDATES +that match the given origin-set +.Ar name . +.Pp +.It Xo +.Ic ovs +.Pq Ic valid | not-found | invalid +.Xc +This rule applies only to +.Em UPDATES +where the Origin Validation State (OVS) matches. +.Pp +.It Ic prefix Ar address Ns Li / Ns Ar len +.It Ic prefix Ar address Ns Li / Ns Ar len Ic prefixlen Ar range +.It Ic prefix Ar address Ns Li / Ns Ar len Ic or-longer +.It Ic prefix Ar address Ns Li / Ns Ar len Ic maxlen Ar mlen +This rule applies only to +.Em UPDATES +for the specified prefix. +.Pp +Multiple entries may be specified, +separated by commas or whitespace, +if enclosed in curly brackets: +.Bd -literal -offset indent +deny from any prefix { 192.168.0.0/16, 10.0.0.0/8 or-longer } +.Ed +.Pp +Multiple lists can also be specified, which is useful for +macro expansion: +.Bd -literal -offset indent +good="{ 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }" +bad="{ 224.0.0.0/4 prefixlen >= 4, 240.0.0.0/4 prefixlen >= 4 }" +ugly="{ 127.0.0.1/8, 169.254.0.0/16 }" + +deny from any prefix { $good $bad $ugly } +.Ed +.Pp +Prefix length ranges are specified by using these operators: +.Bd -literal -offset indent += (equal) +!= (unequal) +< (less than) +<= (less than or equal) +> (greater than) +>= (greater than or equal) +- (range including boundaries) +>< (except range) +.Ed +.Pp +>< and - +are binary operators (they take two arguments). +For instance, to match all prefix lengths >= 8 and <= 12, and hence the +CIDR netmasks 8, 9, 10, 11 and 12: +.Bd -literal -offset indent +prefixlen 8-12 +.Ed +.Pp +Or, to match all prefix lengths < 8 or > 12, and hence the CIDR netmasks +0\(en7 and 13\(en32: +.Bd -literal -offset indent +prefixlen 8><12 +.Ed +.Pp +This will match all prefixes in the 10.0.0.0/8 netblock with netmasks longer +than 16: +.Bd -literal -offset indent +prefix 10.0.0.0/8 prefixlen > 16 +.Ed +.Pp +.Ic or-longer +is a shorthand for: +.Bd -literal -offset indent +.Ic prefix Ar address Ns Li / Ns Ar len Ic prefixlen >= Ar len +.Ed +.Pp +.Ic maxlen Ar mlen +is a shorthand for: +.Bd -literal -offset indent +.Ic prefix Ar address Ns Li / Ns Ar len Ic prefixlen <= Ar mlen +.Ed +.Pp +.It Ic prefix-set Ar name Op Ic or-longer +This rule applies only to +.Em UPDATES +that match the given prefix-set +.Ar name . +With +.Ic or-longer , +the +.Em UPDATES +will match any prefix in the prefix-set where +.Bd -literal -offset indent +.Ic address Ns Li / Ns Ar len Ic prefixlen >= Ar len +.Ed +.Pp +.It Ic quick +If an +.Em UPDATE +matches a rule which has the +.Ic quick +option set, this rule is considered the last matching rule, and evaluation +of subsequent rules is skipped. +.Pp +.It Ic rib Ar name +Apply rule only to the specified RIB. +This only applies for received updates, so not for rules using the +.Ar to peer +parameter. +.Pp +.It Ic set Ar attribute ... +All matching rules can set the +.Em AS path attributes +to some default. +The set of every matching rule is applied, not only the last matching one. +See also the following section. +.El +.Sh ATTRIBUTE SET +.Em AS path attributes +can be modified with +.Ic set . +.Pp +.Ic set +can be used on +.Ic network +statements, in +.Ic neighbor +or +.Ic group +blocks, and on filter rules. +Attribute sets can be expressed as lists. +.Pp +The following attributes can be modified: +.Pp +.Bl -tag -width Ds -compact +.It Xo +.Ic community Op Ar delete +.Ar as-number : Ns Ar local +.Xc +.It Xo +.Ic community Op Ar delete +.Ar name +.Xc +Set or delete the +.Em COMMUNITIES +AS path attribute. +Communities are specified as +.Ar as-number : Ns Ar local , +where +.Ar as-number +is an AS number and +.Ar local +is a locally significant number between zero and +.Li 65535 . +Alternately, well-known communities may be specified by name: +.Ic GRACEFUL_SHUTDOWN , +.Ic NO_EXPORT , +.Ic NO_ADVERTISE , +.Ic NO_EXPORT_SUBCONFED , +or +.Ic NO_PEER . +For +.Cm delete , +both +.Ar as-number +and +.Ar local +may be set to +.Sq * +to do wildcard matching. +.Pp +.It Xo +.Ic large-community Op Ar delete +.Ar as-number : Ns Ar local : Ns Ar local +.Xc +.It Xo +.Ic large-community Op Ar delete +.Ar name +.Xc +Set or delete the +.Em Large Communities +path attribute. +Communities are specified as +.Ar as-number : Ns Ar local : Ns Ar local , +where +.Ar as-number +is an AS number and +.Ar local +is a locally significant number between zero and +.Li 4294967295 . +For +.Cm delete , +both +.Ar as-number +and +.Ar local +may be set to +.Sq * +to do wildcard matching. +.Pp +.It Xo +.Ic ext-community Op Ar delete +.Ar subtype as-number : Ns Ar local +.Xc +.It Xo +.Ic ext-community Op Ar delete +.Ar subtype IP : Ns Ar local +.Xc +.It Xo +.Ic ext-community Op Ar delete +.Ar subtype numvalue +.Xc +.It Xo +.Ic ext-community Op Ar delete +.Ic ovs +.Pq Ic valid | not-found | invalid +.Xc +Set or delete the +.Em Extended Community +AS path attribute. +Extended Communities are specified by a +.Ar subtype +and normally two values, a globally unique part (e.g. the AS number) and a +local part. +The type is selected depending on the encoding of the global part. +Two-octet AS Specific Extended Communities and Four-octet AS Specific Extended +Communities are encoded as +.Ar as-number : Ns Ar local . +Four-octet encoding is used if the +.Ar as-number +is bigger than 65535 or if the AS_DOT encoding is used. +IPv4 Address Specific Extended Communities are encoded as +.Ar IP : Ns Ar local . +Opaque Extended Communities are encoded with a single numeric value. +The +.Ar ovs +subtype can only be set to +.Ar valid , +.Ar not-found , +or +.Ar invalid . +Currently the following subtypes are supported: +.Bd -literal -offset indent +bdc BGP Data Collection +defgw Default Gateway +esi-lab ESI Label +esi-rt ES-Import Route Target +l2vid L2VPN Identifier +mac-mob MAC Mobility +odi OSPF Domain Identifier +ort OSPF Route Type +ori OSPF Router ID +ovs BGP Origin Validation State +rt Route Target +soo Route Origin / Source of Origin +srcas Source AS +vrfri VRF Route Import +.Ed +.Pp +Not all type and subtype value pairs are allowed by IANA and the parser +will ensure that no invalid combination is created. +.Pp +For +.Cm delete , +.Ar subtype , +.Ar numvalue , +or +.Ar local , +may be set to +.Sq * +to do wildcard matching. +If wildcard matching is used on the +.Ar subtype +then +.Ar numvalue +also needs to be set to +.Sq * . +.Pp +.It Ic localpref Ar number +Set the +.Em LOCAL_PREF +AS path attribute. +If +.Ar number +starts with a plus or minus sign, +.Em LOCAL_PREF +will be adjusted by adding or subtracting +.Ar number ; +otherwise it will be set to +.Ar number . +The default is 100. +.Pp +.It Ic med Ar number +.It Ic metric Ar number +Set the +.Em MULTI_EXIT_DISC +AS path attribute. +If +.Ar number +starts with a plus or minus sign, +.Em MULTI_EXIT_DISC +will be adjusted by adding or subtracting +.Ar number ; +otherwise it will be set to +.Ar number . +.Pp +.It Xo +.Ic origin +.Sm off +.Pq Ic igp | egp | incomplete +.Sm on +.Xc +Set the +.Em ORIGIN +AS path attribute to mark the source of this +route as being injected from an igp protocol, an egp protocol +or being an aggregated route. +.Pp +.It Xo +.Ic nexthop +.Sm off +.Pq Ar address | Ic blackhole | reject | self | no-modify +.Sm on +.Xc +Set the +.Em NEXTHOP +AS path attribute +to a different nexthop address or use blackhole or reject routes. +.Em blackhole +and +.Em reject +only affect the FIB and will not alter the nexthop address. +.Em self +forces the nexthop to be set to the local interface address. +If set to +.Em no-modify , +the nexthop attribute is not modified for EBGP multihop sessions. +By default EBGP multihop sessions use the local interface address. +On other IBGP and directly connected EBGP sessions +.Em no-modify +is ignored. +The set +.Ar address +is used on IBGP session and on directly connected EBGP session if the +.Ar address +is part of the connected network. +On EBGP multihop session +.Em no-modify +has to be set to force the nexthop to +.Ar address . +.Bd -literal -offset indent +set nexthop 192.168.0.1 +set nexthop blackhole +set nexthop reject +set nexthop no-modify +set nexthop self +.Ed +.Pp +.It Ic pftable Ar table +Add the prefix in the update to the specified +.Xr pf 4 +table, regardless of whether or not the path was selected for routing. +This option may be useful in building realtime blacklists. +.Pp +.It Ic prepend-neighbor Ar number +Prepend the neighbor's AS +.Ar number +times to the +.Em AS path . +.Pp +.It Ic prepend-self Ar number +Prepend the local AS +.Ar number +times to the +.Em AS path . +.Pp +.It Ic rtlabel Ar label +Add the prefix to the kernel routing table with the specified +.Ar label . +.Pp +.It Ic weight Ar number +The +.Em weight +is used to tip prefixes with equally long AS paths in one or +the other direction. +A prefix is weighed at a very late stage in the decision process. +If +.Ar number +starts with a plus or minus sign, the +.Em weight +will be adjusted by adding or subtracting +.Ar number ; +otherwise it will be set to +.Ar number . +.Em Weight +is a local non-transitive attribute, and is a +.Xr bgpd 8 Ns -specific +extension. +For prefixes with equally long paths, the prefix with the larger weight +is selected. +.El +.Sh FILES +.Bl -tag -width "/etc/examples/bgpd.conf" -compact +.It Pa /etc/bgpd.conf +.Xr bgpd 8 +configuration file. +.It Pa /etc/examples/bgpd.conf +Example configuration file. +.El +.Sh SEE ALSO +.Xr strftime 3 , +.Xr ipsec 4 , +.Xr pf 4 , +.Xr rdomain 4 , +.Xr tcp 4 , +.Xr bgpctl 8 , +.Xr bgpd 8 , +.Xr ipsecctl 8 , +.Xr isakmpd 8 , +.Xr rc.conf.local 8 +.Sh HISTORY +The +.Nm +file format first appeared in +.Ox 3.5 . diff --git a/static/openbsd/man5/bootparams.5 b/static/openbsd/man5/bootparams.5 new file mode 100644 index 00000000..32766736 --- /dev/null +++ b/static/openbsd/man5/bootparams.5 @@ -0,0 +1,78 @@ +.\" $OpenBSD: bootparams.5,v 1.13 2022/03/31 17:27:31 naddy Exp $ +.\" +.\" Copyright (c) 1994 Gordon W. Ross +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. The name of the author may not be used to endorse or promote products +.\" derived from this software without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd $Mdocdate: March 31 2022 $ +.Dt BOOTPARAMS 5 +.Os +.Sh NAME +.Nm bootparams +.Nd boot parameter database +.Sh DESCRIPTION +The +.Nm bootparams +file specifies the boot parameters that +.Xr diskless 8 +clients may request when booting over the network. +Each client supported by this server must have an entry in the +.Nm bootparams +file containing the pathnames for its "root" and (optionally) "swap" areas. +.Pp +Each line in the file +(other than comment lines that begin with a +.Sq # ) +specifies the client name followed by the pathnames that +the client may request by their logical names. +The components of the line are delimited with blank or tab, +and may be continued onto multiple lines with a backslash. +.Pp +For example: +.Bd -literal -offset indent +client root=server:/export/client/root \e + swap=server:/export/client/swap \e + dump=server:/export/client/swap +.Ed +.Pp +When the client named "client" requests the pathname for +its logical "root", it will be given the server name "server" +and the pathname +.Pa /export/client/root +as the response to its +.Tn RPC +request. +.Pp +A line containing simply +.Sq + +will cause YP lookups to be done on the YP map "bootparams". +.Sh FILES +.Bl -tag -width /etc/bootparams -compact +.It Pa /etc/bootparams +default configuration file +.El +.Sh SEE ALSO +.Xr diskless 8 , +.Xr rpc.bootparamd 8 , +.Xr yp 8 diff --git a/static/openbsd/man5/bsd.re-config.5 b/static/openbsd/man5/bsd.re-config.5 new file mode 100644 index 00000000..543a890c --- /dev/null +++ b/static/openbsd/man5/bsd.re-config.5 @@ -0,0 +1,45 @@ +.\" $OpenBSD: bsd.re-config.5,v 1.3 2025/05/31 10:49:42 kn Exp $ +.\" +.\" Copyright (c) 2021 Paul de Weerd <weerd@weirdnet.nl> +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: May 31 2025 $ +.Dt BSD.RE-CONFIG 5 +.Os +.Sh NAME +.Nm bsd.re-config +.Nd kernel configuration file +.Sh DESCRIPTION +The +.Nm +file contains kernel modification commands in +.Xr config 8 +format. +If present, it is used during system startup to configure the kernel +that will be running at the next boot. +It can be used to enable or disable specific devices in the kernel. +.Sh FILES +.Bl -tag -width /etc/bsd.re-config -compact +.It Pa /etc/bsd.re-config +Kernel configuration file. +.El +.Sh EXAMPLES +To enable the +.Xr ipmi 4 +driver, add the following line to +.Nm : +.Pp +.Dl enable ipmi +.Sh SEE ALSO +.Xr config 8 diff --git a/static/openbsd/man5/bt.5 b/static/openbsd/man5/bt.5 new file mode 100644 index 00000000..16d6bd84 --- /dev/null +++ b/static/openbsd/man5/bt.5 @@ -0,0 +1,210 @@ +.\" $OpenBSD: bt.5,v 1.17 2023/10/22 19:30:35 cheloha Exp $ +.\" +.\" Copyright (c) 2019 Martin Pieuchot <mpi@openbsd.org> +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: October 22 2023 $ +.Dt BT 5 +.Os +.Sh NAME +.Nm BT +.Nd Bug Tracing language +.Sh SYNTAX +.D1 Ar probe Ic \&/ Ar filter Ic \&/ \&{ Ar action Ic \&} +.Sh DESCRIPTION +The +.Nm +language, also known as BPFtrace syntax, describes how to format and display +information gathered from specified +.Ar probe +events. +.Pp +Events are generated by the dynamic tracer +.Xr dt 4 +when an enabled +.Ar probe +is triggered. +They are periodically collected by +.Xr btrace 8 , +which formats them using the corresponding +.Ar action . +If a recorded event doesn't match the optional +.Ar filter , +it will be silently ignored. +.Pp +A valid +.Nm +source file contains at least one +.Ar probe +clause associated with an +.Ar action +statement. +.Sh PROBE +The list of available probes may vary from system to system and can be queried +with +.Xr btrace 8 . +.Pp +The special probes +.Ic BEGIN +and +.Ic END +may be used to manipulate states before the first event is recorded and after +the last. +They cannot be combined with any +.Ar filter . +.Sh FILTER +Define under which condition an event should be recorded when its related +.Ar probe +is executed. +An empty +.Ar filter +means record all events. +.Pp +Variable names available in filters: +.Pp +.Bl -tag -width "kstack " -compact -offset indent +.It Va pid +Process ID of the current thread. +.It Va tid +Thread ID of the current thread. +.El +.Sh ACTION +An action is a sequence of statements that are evaluated for each event recorded +by the associated +.Ar probe . +.Pp +Variable names with special meaning: +.Pp +.Bl -tag -width "kstack " -compact -offset indent +.It Va $N +Command line argument +.Va N +after the script name. +.It Va argN +Argument +.Va N +of the corresponding probe. +.It Va comm +Command name of the current process. +.It Va cpu +ID of the processor that recorded the event. +.It Va kstack +Kernel stack of the current thread. +.It Va nsecs +Timestamp of the event in nanoseconds. +.It Va pid +Process ID of the current thread. +.It Va probe +Full name of the probe. +.It Va retval +Return value of the traced syscall. +.It Va tid +Thread ID of the current thread. +.It Va ustack +Userland stack of the current thread. +.El +.Pp +Functions: +.Bl -tag -width "lhist(value, min, max, step)" +.It Fn clear "@map" +Delete all (key, value) pairs from +.Va @map . +.It Fn delete "@map[key]" +Delete the pair indexed by +.Va key +from +.Va @map . +.It Fn exit +Terminate execution with exit code 0. +The +.Ic END +probe, +if any, +is executed and the contents of all non-empty maps are printed. +.It Fn hist "value" +Increment the bucket corresponding to +.Va value +in a power-of-two histogram. +.It Fn lhist "value" "min" "max" "step" +Increment the bucket corresponding to +.Va value +in the linear histogram spawning between the positive value +.Va min +and +.Va max +with buckets of +.Va step +size. +.It Fn print "@map" +Print all pairs from +.Va @map . +.It Fn print "@map" n +Print only the first +.Va n +entries in +.Va @map . +.It Fn printf "fmt" ... +Print formatted string +.Va fmt . +.It Fn str "$N" "[index]" +Return the string from argument +.Va $N , +truncated to +.Va index +characters (up to 64, the default) including a guaranteed NUL-terminator. +.It Fn time timefmt +Print timestamps using +.Xr strftime 3 . +.It Fn zero "@map" +Set all values from +.Va @map +to 0. +.El +.Pp +The following functions only work on a specific map entry. +.Bl -tag -width "lhist(value, min, max, step)" +.It "@map[key]" = Fn count +Increase the stored value for +.Va key +by one. +.It "@map[key]" = Fn max "value" +Store the maximum recorded value for +.Va key . +.It "@map[key]" = Fn min "value" +Store the minimum recorded value for +.Va key . +.It "@map[key]" = Fn sum "value" +Store the sum of all recorded values for +.Va key . +.El +.Sh SEE ALSO +.Xr awk 1 , +.Xr dt 4 , +.Xr btrace 8 +.Rs +.\"%A First Last +.%T BPFtrace reference guide +.%U https://github.com/iovisor/bpftrace/blob/master/docs/reference_guide.md +.\"%D November 1, 1901 +.Re +.Sh STANDARDS +The dialect +of the +.Nm +language described in this manual and supported by +.Xr btrace 8 +is compatible with BPFtrace. +The syntax is similar to +.Xr awk 1 +and dtrace. diff --git a/static/openbsd/man5/chio.conf.5 b/static/openbsd/man5/chio.conf.5 new file mode 100644 index 00000000..f33a82f7 --- /dev/null +++ b/static/openbsd/man5/chio.conf.5 @@ -0,0 +1,71 @@ +.\" $OpenBSD: chio.conf.5,v 1.2 2020/02/10 13:18:20 schwarze Exp $ +.\" +.\" Copyright (c) 2007 Jason McIntyre <jmc@openbsd.org> +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.\" +.Dd $Mdocdate: February 10 2020 $ +.Dt CHIO.CONF 5 +.Os +.Sh NAME +.Nm chio.conf +.Nd medium changer configuration file +.Sh DESCRIPTION +.Nm +is used to configure some aspects of +.Xr chio 1 , +a medium changer. +.Pp +The configuration file consists of a series of stanzas, +one per changer, +enclosed in curly braces. +Empty lines and lines beginning with +.Sq # +in either file are ignored. +.Pp +The following aspects may be configured: +.Bl -tag -width Ds +.It Ic drive +Provides a non-default mapping between +.Xr st 4 +devices and changer drives. +For example, +to map drive 0 to rst3 and drive 1 to rst2, for changer +.Pa /dev/ch0 : +.Bd -literal -offset indent +changer ch0 { + drive rst3 + drive rst2 +} +.Ed +.El +.Sh FILES +.Bl -tag -width /etc/examples/chio.conf -compact +.It /dev/ch0 +Default changer device. +.It /etc/chio.conf +Default location for +.Xr chio 1 +configuration file. +.It /etc/examples/chio.conf +Example configuration file. +.El +.Sh SEE ALSO +.Xr chio 1 , +.Xr mt 1 +.Sh HISTORY +The +.Nm +file format first appeared in +.Ox 4.0 . diff --git a/static/openbsd/man5/crontab.5 b/static/openbsd/man5/crontab.5 new file mode 100644 index 00000000..ad547b4a --- /dev/null +++ b/static/openbsd/man5/crontab.5 @@ -0,0 +1,411 @@ +.\"/* Copyright 1988,1990,1993,1994 by Paul Vixie +.\" * All rights reserved +.\" */ +.\" +.\" Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (c) 1997,2000 by Internet Software Consortium, Inc. +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT +.\" OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.\" $OpenBSD: crontab.5,v 1.43 2024/07/06 15:33:17 jmc Exp $ +.\" +.Dd $Mdocdate: July 6 2024 $ +.Dt CRONTAB 5 +.Os +.Sh NAME +.Nm crontab +.Nd tables for driving cron +.Sh DESCRIPTION +A +.Nm +file contains instructions to the +.Xr cron 8 +daemon of the general form: +.Dq at these times on these dates run this command . +There may be a system +.Nm +and each user may have their own +.Nm . +Commands in any given +.Nm +will be +executed either as the user who owns the +.Nm +or, in the case of the system +.Nm crontab , +as the user specified on the command line. +.Pp +While a +.Nm +is a text file, it is not intended to be directly edited. +Creation, modification, and removal of a +.Nm +should be done using +.Xr crontab 1 . +.Pp +Blank lines, leading spaces, and tabs are ignored. +Lines whose first non-space character is a pound sign +.Pq Ql # +are comments, and are ignored. +Note that comments are not allowed on the same line as +.Xr cron 8 +commands, since +they will be taken to be part of the command. +Similarly, comments are not +allowed on the same line as environment variable settings. +.Pp +An active line in a +.Nm +is either an environment variable setting or a +.Xr cron 8 +command. +.Pp +Environment variable settings create the environment +any command in the +.Nm +is run in. +An environment variable setting is of the form: +.Pp +.Dl name = value +.Pp +The spaces around the equal sign +.Pq Ql = +are optional, and any subsequent non-leading spaces in +.Ar value +will be part of the value assigned to +.Ar name . +The +.Ar value +string may be placed in quotes +.Pq single or double , but matching +to preserve leading or trailing blanks. +.Pp +Lines in the system +.Nm +have six fixed fields, an optional flags field, and a command, in the form: +.Bd -ragged -offset indent +.Ar minute +.Ar hour +.Ar day-of-month +.Ar month +.Ar day-of-week +.Ar user +.Op Ar flags +.Ar command +.Ed +.Pp +While lines in a user +.Nm +have five fixed fields, an optional flags field, and a command, in the form: +.Bd -ragged -offset indent +.Ar minute +.Ar hour +.Ar day-of-month +.Ar month +.Ar day-of-week +.Op Ar flags +.Ar command +.Ed +.Pp +Fields are separated by blanks or tabs. +The command may be one or more fields long. +The allowed values for the fields are: +.Bl -column "day-of-month" "allowed values" -offset indent +.It Sy field Ta Sy allowed values +.It Ar minute Ta *, ~, or 0\(en59 +.It Ar hour Ta *, ~, or 0\(en23 +.It Ar day-of-month Ta *, ~, or 1\(en31 +.It Ar month Ta *, ~, 1\(en12, or a name (see below) +.It Ar day-of-week Ta *, ~, 0\(en7, or a name (0 or 7 is Sunday) +.It Ar user Ta a valid username +.It Op Ar flags Ta runtime flags, denoted with '-' +.It Ar command Ta text +.El +.Pp +Lists are allowed. +A list is a set of numbers (or ranges) separated by commas. +For example, +.Dq 1,2,5,9 +or +.Dq 0\(en4,8\(en12 . +.Pp +Ranges of numbers are allowed. +Ranges are two numbers separated with a hyphen. +The specified range is inclusive. +For example, +8\(en11 for an +.Ar hour +entry specifies execution at hours 8, 9, 10 and 11. +.Pp +A random value for a field may be obtained using the +.Ql ~ +character. +A value is generated every time the tab is loaded. +On its own, +it denotes a random value appropriate for the field. +It can also be used in a range to make the interval more specific. +If either of the numbers in a range are omitted, +the appropriate limit (low or high) for that field will be used. +For example, both +.Dq 0~30 +and +.Dq ~30 +in the +.Ar minute +field would result in a random value between 0 and 30. +.Pp +Step values can be used in conjunction with ranges. +Following a range with +.No / Ns Ar number +specifies skips of +.Ar number +through the range. +For example, +.Dq 0\(en23/2 +can be used in the +.Ar hour +field to specify command execution every other hour. +Steps are also permitted after an asterisk, so to say +.Dq every two hours , +just use +.Dq */2 . +A step value after a random range will execute the command at a random +offset less than the step size. +For example, to avoid a thundering herd at the top and bottom of the hour, +.Dq 0~59/30 +.Po +or simply +.Dq ~/30 +.Pc +can be used in the +.Ar minute +field to specify that command execution happen twice an hour at +consistent intervals. +.Pp +An asterisk +.Pq Ql * +is short form for a range of all allowed values. +.Pp +Names can be used in the +.Ar month +and +.Ar day-of-week +fields. +Use the first three letters of the particular +day or month (case doesn't matter). +Ranges or lists of names are not allowed. +.Pp +Some +.Ar flags +relating to process operation can be provided before the +.Ar command +field. +Flags are denoted with '-' and may be combined. +.Bl -tag -width Ds +.It Fl n Ar command +No mail is sent after a successful run. +The execution output will only be mailed if the command exits with a non-zero +exit code. +The +.Fl n +option is an attempt to cure potentially copious volumes of mail coming from +.Xr cron 8 . +.It Fl q Ar command +Execution will not be logged. +.It Fl s Ar command +Only a single instance of +.Ar command +will be run concurrently. +Additional instances of +.Ar command +will not be scheduled until the earlier one completes. +.El +.Pp +The +.Ar command +field (the rest of the line) is the command to be +run. +The entire command portion of the line, up to a newline or % +character, will be executed by +.Pa /bin/sh +or by the shell +specified in the +.Ev SHELL +variable of the +.Nm crontab . +Percent signs +.Pq Ql % +in the command, unless escaped with a backslash +.Pq Ql \e , +will be changed into newline characters, and all data +after the first +.Ql % +will be sent to the command as standard input. +.Pp +Commands are executed by +.Xr cron 8 +when the +.Ar minute , +.Ar hour , +and +.Ar month +fields match the current time, +.Em and +when at least one of the two day fields +.Po Ar day-of-month +or +.Ar day-of-week Pc , +match the current time. +.Pp +Note: The day of a command's execution can be specified by two +fields \(em +.Ar day-of-month +and +.Ar day-of-week . +If both fields are restricted (i.e. aren't *), +the command will be run when +.Em either +field matches the current time. +For example, +.Pp +.Dl 30 4 1,15 * 5 +.Pp +would cause a command to be run at 4:30 am on the 1st and 15th of each +month, plus every Friday. +.Pp +Instead of the first five fields, one of eight special strings may appear: +.Bl -column "@midnight" "meaning" -offset indent +.It Sy string Ta Sy meaning +.It @reboot Ta Run once, at startup. +.It @yearly Ta Run every January 1 (0 0 1 1 *). +.It @annually Ta The same as @yearly. +.It @monthly Ta Run the first day of every month (0 0 1 * *). +.It @weekly Ta Run every Sunday (0 0 * * 0). +.It @daily Ta Run every midnight (0 0 * * *). +.It @midnight Ta The same as @daily. +.It @hourly Ta Run every hour, on the hour (0 * * * *). +.El +.Sh ENVIRONMENT +.Bl -tag -width "LOGNAMEXXX" +.It Ev HOME +Set from the user's +.Pa /etc/passwd +entry. +May be overridden by settings in the +.Nm . +.It Ev LOGNAME +Set from the user's +.Pa /etc/passwd +entry. +May not be overridden by settings in the +.Nm . +.It Ev MAILTO +If +.Ev MAILTO +is defined and non-empty, +mail is sent to the user so named. +If +.Ev MAILTO +is defined but empty +.Pq Ev MAILTO = Qq , +no mail will be sent. +Otherwise mail is sent to the owner of the +.Nm . +This is useful for pseudo-users that lack an alias +that would otherwise redirect the mail to a real person. +.It Ev SHELL +Set to +.Pa /bin/sh . +May be overridden by settings in the +.Nm . +.It Ev USER +Set from the user's +.Pa /etc/passwd +entry. +May not be overridden by settings in the +.Nm . +.El +.Sh FILES +.Bl -tag -width "/var/cron/tabs/<user>XXX" -compact +.It Pa /etc/crontab +System crontab. +.It Pa /var/cron/tabs/ Ns Aq Ar user +User crontab. +.El +.Sh EXAMPLES +.Bd -literal +# use /bin/sh to run commands, no matter what /etc/passwd says +SHELL=/bin/sh +# mail any output to `paul', no matter whose crontab this is +MAILTO=paul +# +# run five minutes after midnight, every day +5 0 * * * $HOME/bin/daily.job >> $HOME/tmp/out 2>&1 + +# run at 2:15pm on the first of every month -- job output will be sent +# to paul, but only if $HOME/bin/monthly exits with a non-zero exit code +15 14 1 * * -n $HOME/bin/monthly + +# run at 10 pm on weekdays, annoy Joe +0 22 * * 1-5 mail -s "It's 10pm" joe%Joe,%%Where are your kids?% + +23 0-23/2 * * * echo "run 23 minutes after midn, 2am, 4am ..., everyday" + +5 4 * * sun echo "run at 5 after 4 every sunday" + +# run hourly at a random time within the first 30 minutes of the hour +0~30 * * * * /usr/libexec/spamd-setup +.Ed +.Sh SEE ALSO +.Xr crontab 1 , +.Xr cron 8 +.Sh STANDARDS +The +.Nm +file format is compliant with the +.St -p1003.1-2008 +specification. +The behaviours described below are all extensions to that standard: +.Bl -dash +.It +The +.Ar day-of-week +field may use 7 to represent Sunday. +.It +Ranges may include +.Dq steps . +.It +Random intervals are supported using the +.Ql ~ +character. +.It +Months or days of the week can be specified by name. +.It +Environment variables can be set in a crontab. +.It +Command output can be mailed to a person other than the crontab +owner, or the feature can be turned off and no mail will be sent +at all. +.It +All of the +.Ql @ +commands that can appear in place of the first five fields. +.It +All of the +.Op Fl nqs +flags. +.El +.Sh AUTHORS +.Nm +was written by +.An Paul Vixie Aq Mt vixie@isc.org . diff --git a/static/openbsd/man5/cvs.5 b/static/openbsd/man5/cvs.5 new file mode 100644 index 00000000..9a692711 --- /dev/null +++ b/static/openbsd/man5/cvs.5 @@ -0,0 +1,325 @@ +.TH cvs 5 "12 February 1992" +.\" Full space in nroff; half space in troff +.de SP +.if n .sp +.if t .sp .5 +.. +.SH NAME +cvs \- Concurrent Versions System support files +.SH SYNOPSIS +.hy 0 +.na +.TP +.B $CVSROOT/CVSROOT/commitinfo,v +.TP +.B $CVSROOT/CVSROOT/cvsignore,v +.TP +.B $CVSROOT/CVSROOT/cvswrappers,v +.TP +.B $CVSROOT/CVSROOT/editinfo,v +.TP +.B $CVSROOT/CVSROOT/history +.TP +.B $CVSROOT/CVSROOT/loginfo,v +.TP +.B $CVSROOT/CVSROOT/modules,v +.TP +.B $CVSROOT/CVSROOT/rcsinfo,v +.TP +.B $CVSROOT/CVSROOT/taginfo,v +.ad b +.hy 1 +.SH DESCRIPTION +.B cvs +is a system for providing source control to hierarchical collections +of source directories. Commands and procedures for using \fBcvs\fP +are described in +.BR cvs ( 1 ). +.SP +.B cvs +manages \fIsource repositories\fP, the directories containing master +copies of the revision-controlled files, by copying particular +revisions of the files to (and modifications back from) developers' +private \fIworking directories\fP. In terms of file structure, each +individual source repository is an immediate subdirectory of +\fB$CVSROOT\fP. +.SP +The files described here are supporting files; they do not have to +exist for \fBcvs\fP to operate, but they allow you to make \fBcvs\fP +operation more flexible. +.SP +You can use the `\|modules\|' file to define symbolic names for +collections of source maintained with \fBcvs\fP. If there is no +`\|modules\|' file, developers must specify complete path names +(absolute, or relative to \fB$CVSROOT\fP) for the files they wish to +manage with \fBcvs\fP commands. +.SP +You can use the `\|commitinfo\|' file to define programs to execute +whenever `\|\fBcvs commit\fP\|' is about to execute. +These programs are used for ``pre-commit'' checking to verify that the +modified, added, and removed files are really ready to be committed. +Some uses for this check might be to turn off a portion (or all) of the +source repository from a particular person or group. +Or, perhaps, to verify that the changed files conform to the site's +standards for coding practice. +.SP +You can use the `\|cvswrappers\|' file to record +.B cvs +wrapper commands to be used when checking files into and out of the +repository. Wrappers allow the file or directory to be processed +on the way in and out of CVS. The intended uses are many, one +possible use would be to reformat a C file before the file is checked +in, so all of the code in the repository looks the same. +.SP +You can use the `\|loginfo\|' file to define programs to execute after +any +.BR commit , +which writes a log entry for changes in the repository. +These logging programs might be used to append the log message to a file. +Or send the log message through electronic mail to a group of developers. +Or, perhaps, post the log message to a particular newsgroup. +.SP +You can use the `\|taginfo\|' file to define programs to execute after +any +.BR tag " or " rtag +operation. These programs might be used to append a message to a file +listing the new tag name and the programmer who created it, or send mail +to a group of developers, or, perhaps, post a message to a particular +newsgroup. +.SP +You can use the `\|rcsinfo\|' file to define forms for log messages. +.SP +You can use the `\|editinfo\|' file to define a program to execute for +editing/validating `\|\fBcvs commit\fP\|' log entries. +This is most useful when used with a `\|rcsinfo\|' forms specification, as +it can verify that the proper fields of the form have been filled in by the +user committing the change. +.SP +You can use the `\|cvsignore\|' file to specify the default list of +files to ignore during \fBupdate\fP. +.SP +You can use the `\|history\|' file to record the \fBcvs\fP commands +that affect the repository. +The creation of this file enables history logging. +.SH FILES +.TP +.B modules +The `\|modules\|' file records your definitions of names for +collections of source code. \fBcvs\fP will use these definitions if +you use \fBcvs\fP to check in a file with the right format to +`\|\fB$CVSROOT/CVSROOT/modules,v\fP\|'. +.SP +The `\|modules\|' file may contain blank lines and comments (lines +beginning with `\|\fB#\fP\|') as well as module definitions. +Long lines can be continued on the next line by specifying a backslash +(``\e'') as the last character on the line. +.SP +A \fImodule definition\fP is a single line of the `\|modules\|' file, +in either of two formats. In both cases, \fImname\fP represents the +symbolic module name, and the remainder of the line is its definition. +.SP +\fImname\fP \fB\-a\fP \fIaliases\fP\|.\|.\|. +.br +This represents the simplest way of defining a module \fImname\fP. +The `\|\fB\-a\fP\|' flags the definition as a simple alias: \fBcvs\fP +will treat any use of \fImname\fP (as a command argument) as if the list +of names \fIaliases\fP had been specified instead. \fIaliases\fP may +contain either other module names or paths. When you use paths in +\fIaliases\fP, `\|\fBcvs checkout\fP\|' creates all intermediate +directories in the working directory, just as if the path had been +specified explicitly in the \fBcvs\fP arguments. +.SP +.nf +\fImname\fP [ \fIoptions\fP ] \fIdir\fP [ \fIfiles\fP\|.\|.\|. ] [ \fB&\fP\fImodule\fP\|.\|.\|. ] +.fi +.SP +In the simplest case, this form of module definition reduces to +`\|\fImname dir\fP\|'. This defines all the files in directory +\fIdir\fP as module \fImname\fP. \fIdir\fP is a relative path (from +\fB$CVSROOT\fP) to a directory of source in one of the source +repositories. In this case, on \fBcheckout\fP, a single directory +called \fImname\fP is created as a working directory; no intermediate +directory levels are used by default, even if \fIdir\fP was a path +involving several directory levels. +.SP +By explicitly specifying \fIfiles\fP in the module definition after +\fIdir\fP, you can select particular files from directory +\fIdir\fP. The sample definition for \fBmodules\fP is an example of +a module defined with a single file from a particular directory. Here +is another example: +.SP +.nf +.ft B +m4test unsupported/gnu/m4 foreach.m4 forloop.m4 +.ft P +.fi +.SP +With this definition, executing `\|\fBcvs checkout m4test\fP\|' +will create a single working directory `\|m4test\|' containing the two +files listed, which both come from a common directory several levels +deep in the \fBcvs\fP source repository. +.SP +A module definition can refer to other modules by including +`\|\fB&\fP\fImodule\fP\|' in its definition. \fBcheckout\fP creates +a subdirectory for each such \fImodule\fP, in your working directory. +.br +.I +New in \fBcvs\fP 1.3; +avoid this feature if sharing module definitions with older versions +of \fBcvs\fP. +.SP +Finally, you can use one or more of the following \fIoptions\fP in +module definitions: +.SP +\&`\|\fB\-d\fP \fIname\fP\|', to name the working directory something +other than the module name. +.br +.I +New in \fBcvs\fP 1.3; +avoid this feature if sharing module definitions with older versions +of \fBcvs\fP. +.SP +\&`\|\fB\-i\fP \fIprog\fP\|' allows you to specify a program \fIprog\fP +to run whenever files in a module are committed. \fIprog\fP runs with a +single argument, the full pathname of the affected directory in a +source repository. The `\|commitinfo\|', `\|loginfo\|', and +`\|editinfo\|' files provide other ways to call a program on \fBcommit\fP. +.SP +`\|\fB\-o\fP \fIprog\fP\|' allows you to specify a program \fIprog\fP +to run whenever files in a module are checked out. \fIprog\fP runs +with a single argument, the module name. +.SP +`\|\fB\-e\fP \fIprog\fP\|' allows you to specify a program \fIprog\fP +to run whenever files in a module are exported. \fIprog\fP runs +with a single argument, the module name. +.SP +`\|\fB\-t\fP \fIprog\fP\|' allows you to specify a program \fIprog\fP +to run whenever files in a module are tagged. \fIprog\fP runs with two +arguments: the module name and the symbolic tag specified to \fBrtag\fP. +.SP +`\|\fB\-u\fP \fIprog\fP\|' allows you to specify a program \fIprog\fP +to run whenever `\|\fBcvs update\fP\|' is executed from the top-level +directory of the checked-out module. \fIprog\fP runs with a +single argument, the full path to the source repository for this module. +.TP +\&\fBcommitinfo\fP, \fBloginfo\fP, \fBrcsinfo\fP, \fBeditinfo\fP +These files all specify programs to call at different points in the +`\|\fBcvs commit\fP\|' process. They have a common structure. +Each line is a pair of fields: a regular expression, separated by +whitespace from a filename or command-line template. +Whenever one of the regular expression matches a directory name in the +repository, the rest of the line is used. +If the line begins with a \fB#\fP character, the entire line is considered +a comment and is ignored. +Whitespace between the fields is also ignored. +.SP +For `\|loginfo\|', the rest of the +line is a command-line template to execute. +The templates can include not only +a program name, but whatever list of arguments you wish. If you write +`\|\fB%s\fP\|' somewhere on the argument list, \fBcvs\fP supplies, at +that point, the list of files affected by the \fBcommit\fP. +The first entry in the list is the relative path within the source +repository where the change is being made. +The remaining arguments list the files that are being modified, added, or +removed by this \fBcommit\fP invocation. +.SP +For `\|taginfo\|', the rest of the +line is a command-line template to execute. +The arguments passed to the command are, in order, the +.I tagname , +.I operation +(i.e. +.B add +for `tag', +.B mov +for `tag -F', and +.B del +for `tag -d`), +.I repository , +and any remaining are pairs of +.B "filename revision" . +A non-zero exit of the filter program will cause the tag to be aborted. +.SP +For `\|commitinfo\|', the rest of the line is a command-line template to +execute. +The template can include not only a program name, but whatever +list of arguments you wish. +The full path to the current source repository is appended to the template, +followed by the file names of any files involved in the commit (added, +removed, and modified files). +.SP +For `\|rcsinfo\|', the rest of the line is the full path to a file that +should be loaded into the log message template. +.SP +For `\|editinfo\|', the rest of the line is a command-line template to +execute. +The template can include not only a program name, but whatever +list of arguments you wish. +The full path to the current log message template file is appended to the +template. +.SP +You can use one of two special strings instead of a regular +expression: `\|\fBALL\fP\|' specifies a command line template that +must always be executed, and `\|\fBDEFAULT\fP\|' specifies a command +line template to use if no regular expression is a match. +.SP +The `\|commitinfo\|' file contains commands to execute \fIbefore\fP any +other \fBcommit\fP activity, to allow you to check any conditions that +must be satisfied before \fBcommit\fP can proceed. The rest of the +\fBcommit\fP will execute only if all selected commands from this file +exit with exit status \fB0\fP. +.SP +The `\|rcsinfo\|' file allows you to specify \fIlog templates\fP for +the \fBcommit\fP logging session; you can use this to provide a form +to edit when filling out the \fBcommit\fP log. The field after the +regular expression, in this file, contains filenames (of files +containing the logging forms) rather than command templates. +.SP +The `\|editinfo\|' file allows you to execute a script \fIbefore the +commit starts\fP, but after the log information is recorded. These +"edit" scripts can verify information recorded in the log file. If +the edit script exits wth a non-zero exit status, the commit is aborted. +.SP +The `\|loginfo\|' file contains commands to execute \fIat the end\fP +of a commit. The text specified as a commit log message is piped +through the command; typical uses include sending mail, filing an +article in a newsgroup, or appending to a central file. +.TP +\&\fBcvsignore\fP, \fB.cvsignore\fP +The default list of files (or +.BR sh ( 1 ) +file name patterns) to ignore during `\|\fBcvs update\fP\|'. +At startup time, \fBcvs\fP loads the compiled in default list of file name +patterns (see +.BR cvs ( 1 )). +Then the per-repository list included in \fB$CVSROOT/CVSROOT/cvsignore\fP +is loaded, if it exists. +Then the per-user list is loaded from `\|$HOME/.cvsignore\|'. +Finally, as \fBcvs\fP traverses through your directories, it will load any +per-directory `\|.cvsignore\|' files whenever it finds one. +These per-directory files are only valid for exactly the directory that +contains them, not for any sub-directories. +.TP +.B history +Create this file in \fB$CVSROOT/CVSROOT\fP to enable history logging +(see the description of `\|\fBcvs history\fP\|'). +.SH "SEE ALSO" +.BR cvs ( 1 ), +.SH COPYING +Copyright \(co 1992 Cygnus Support, Brian Berliner, and Jeff Polk +.PP +Permission is granted to make and distribute verbatim copies of +this manual provided the copyright notice and this permission notice +are preserved on all copies. +.PP +Permission is granted to copy and distribute modified versions of this +manual under the conditions for verbatim copying, provided that the +entire resulting derived work is distributed under the terms of a +permission notice identical to this one. +.PP +Permission is granted to copy and distribute translations of this +manual into another language, under the above conditions for modified +versions, except that this permission notice may be included in +translations approved by the Free Software Foundation instead of in +the original English. diff --git a/static/openbsd/man5/dhcp-options.5 b/static/openbsd/man5/dhcp-options.5 new file mode 100644 index 00000000..642d4549 --- /dev/null +++ b/static/openbsd/man5/dhcp-options.5 @@ -0,0 +1,698 @@ +.\" $OpenBSD: dhcp-options.5,v 1.37 2025/09/28 10:11:41 florian Exp $ +.\" +.\" Copyright (c) 1995, 1996, 1997, 1998 The Internet Software Consortium. +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. Neither the name of The Internet Software Consortium nor the names +.\" of its contributors may be used to endorse or promote products derived +.\" from this software without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INTERNET SOFTWARE CONSORTIUM AND +.\" CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, +.\" INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +.\" DISCLAIMED. IN NO EVENT SHALL THE INTERNET SOFTWARE CONSORTIUM OR +.\" CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF +.\" USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +.\" ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +.\" OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT +.\" OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" This software has been written for the Internet Software Consortium +.\" by Ted Lemon <mellon@fugue.com> in cooperation with Vixie +.\" Enterprises. To learn more about the Internet Software Consortium, +.\" see ``http://www.isc.org/isc''. To learn more about Vixie +.\" Enterprises, see ``http://www.vix.com''. +.\" +.Dd $Mdocdate: September 28 2025 $ +.Dt DHCP-OPTIONS 5 +.Os +.Sh NAME +.Nm dhcp-options +.Nd DHCP options +.Sh DESCRIPTION +The Dynamic Host Configuration protocol allows the client to receive +.Ic options +from the DHCP server describing the network configuration and various +services that are available on the network. +When configuring +.Xr dhcpd 8 , +options must often be declared. +The syntax for declaring options, and the names and formats of the options +that can be declared, are documented here. +.Pp +DHCP +.Ic option +statements always start with the +.Ic option +keyword, followed by an option name, followed by option data. +The option names and data formats are described below. +It is not necessary to exhaustively specify all DHCP options \- +only those options which are needed by clients must be specified. +.Pp +Option data comes in a variety of formats, as defined below: +.Pp +The +.Ar ip-address +data type can be entered either as an explicit IP address +(e.g., 239.254.197.10) or as a domain name (e.g., haagen.isc.org). +A domain name must resolve to a single IP address. +.Pp +The +.Ar cidr +data type specifies a network in CIDR notion. +e.g. 1.2.3/24. +.Pp +The +.Ar int32 +data type specifies a signed 32-bit integer. +The +.Ar uint32 +data type specifies an unsigned 32-bit integer. +The +.Ar uint16 +data type specifies unsigned 16-bit integers. +The +.Ar uint8 +data type specifies unsigned 8-bit integers, +sometimes referred to as octets. +.Pp +The +.Ar string +data type specifies an +.Tn NVT +.Pq Network Virtual Terminal +.Tn ASCII +string, which must be enclosed in double quotes \- for example, +to specify a domain-name option, the syntax would be +.Pp +.Dl option domain-name \&"isc.org\&"; +.Pp +The +.Ar flag +data type specifies a boolean value. +Booleans can be either true or false +(or on or off, if that makes more sense to you). +.Pp +The +.Ar data-string +data type specifies either an +.Tn NVT ASCII +string enclosed in double quotes, or a series of octets specified in +hexadecimal, separated by colons. +For example: +.Pp +.Dl option dhcp-client-identifier \&"CLIENT-FOO\&"; +or +.Dl option dhcp-client-identifier 43:4c:49:45:4e:54:2d:46:4f:4f; +.Pp +The documentation for the various options mentioned below is taken +from the IETF draft document on DHCP options, RFC 2132. +Options which are not listed by name may be defined by the name +.Pf option- Ar nnn , +where +.Ar nnn +is the decimal number of the option code. +These options may be followed either by a string, enclosed in quotes, or by +a series of octets, expressed as two-digit hexadecimal numbers separated +by colons. +For example: +.Bd -literal -offset indent +option option-133 "my-option-133-text"; +option option-129 1:54:c9:2b:47; +.Ed +.Pp +Because +.Xr dhcpd 8 +does not know the format of these undefined option codes, +no checking is done to ensure the correctness of the entered data. +.Pp +The defined options are: +.Bl -tag -width Ds +.It Ic option all-subnets-local Ar flag ; +This option specifies whether or not the client may assume that all subnets +of the IP network to which the client is connected use the same MTU as the +subnet of that network to which the client is directly connected. +A value of 1 indicates that all subnets share the same MTU. +A value of 0 means that the client should assume that some subnets of the +directly connected network may have smaller MTUs. +.It Ic option arp-cache-timeout Ar uint32 ; +This option specifies the timeout in seconds for ARP cache entries. +.It Ic option autoproxy-script Ar string ; +Site-specific as of RFC 3942. +Widely used for Web Proxy Autodiscovery Protocol (WPAD). +.It Ic option boot-size Ar uint16 ; +This option specifies the length in 512-octet blocks of the default +boot image for the client. +.It Ic option bootfile-name Ar string ; +This option is used to identify a bootstrap file. +If supported by the client, it should have the same effect as the +.Ic filename +declaration. +BOOTP clients are unlikely to support this option. +Some DHCP clients will support it, and others actually require it. +.It Ic option broadcast-address Ar ip-address ; +This option specifies the broadcast address in use on the client's subnet. +Legal values for broadcast addresses are specified in section 3.2.1.3 of +RFC 1122. +.It Ic option classless-static-routes Ar cidr ip-address Oo , Ar cidr ip-address ... Oc ; +This option specifies a list of destination networks and the +associated gateways. +This option is defined in RFC 3442. +The RFC says that clients supporting this option must ignore the +.Ic Routers +option when both are present. +Thus default routes, if any, +must be included in the list. +The +.Ar cidr +of a default route is 0/0. +.It Ic option classless-ms-static-routes Ar cidr ip-address Oo , Ar cidr ip-address ... Oc ; +This option does the same as +.Ic classless-static-routes , +but uses option code 249 instead of 121, +since Windows XP and Windows Server 2003 ignore option 121. +.It Ic option cookie-servers Ar ip-address Oo , Ar ip-address ... Oc ; +The +.Ic cookie-servers +option specifies a list of RFC 865 cookie servers available to the client. +Servers should be listed in order of preference. +.It Ic option default-ip-ttl Ar uint8 ; +This option specifies the default time-to-live that the client should +use on outgoing datagrams. +.It Ic option default-tcp-ttl Ar uint8 ; +This option specifies the default TTL that the client should use when +sending TCP segments. +The minimum value is 1. +.It Ic option dhcp-class-identifier Ar string ; +This option is used by DHCP clients to optionally identify the vendor type +and configuration of a DHCP client. +The information is a string of n octets, interpreted by servers. +Vendors may choose to define specific vendor class identifiers to convey +particular configuration or other identification information about a client. +For example, the identifier may encode the client's hardware configuration. +Servers not equipped to interpret the class-specific information sent by a +client must ignore it (although it may be reported). +Servers that respond should only use option 43 +.Pq Ic vendor-encapsulated-options +to return the vendor-specific information to the client. +.It Ic option dhcp-client-identifier Ar data-string ; +This option can be used to specify a DHCP client identifier in a +host declaration, so that +.Xr dhcpd 8 +can find the host record by matching against the client identifier. +.It Ic option dhcp-lease-time Ar uint32 ; +This option is used in a client request (DHCPDISCOVER or DHCPREQUEST) to +allow the client to request a lease time for the IP address. +In a server reply (DHCPOFFER), a DHCP server uses this option to specify the +lease time it is willing to offer. +.It Ic option dhcp-max-message-size Ar uint16 ; +This option specifies the maximum length +.Ic option dhcp-message +that the DHCP client is willing to accept. +The length is specified as an unsigned 16-bit integer. +A client may use the maximum DHCP message size option in DHCPDISCOVER or +DHCPREQUEST messages, but should not use the option in DHCPDECLINE messages. +.It Ic option dhcp-message Ar string ; +This option is used to send an error message to a DHCP client in +the event of a failure. +The maximum acceptable length of the message can be set with +.Ic option dhcp-max-message-size . +.It Ic option dhcp-message-type Ar uint8 ; +This option is used to convey the type of the DHCP message. +Values: 1=DHCPDISCOVER, 2=DHCPOFFER, 3=DHCPREQUEST, 4=DHCPDECLINE, 5=DHCPACK, +6=DHCPNAK, 7=DHCPRELEASE, 8=DHCPINFORM. +.It Ic option dhcp-option-overload Ar uint8 ; +This option is used to indicate that the DHCP 'sname' or 'file' fields are +being overloaded by using them to carry DHCP options. +A DHCP server inserts this option if the returned parameters will exceed +the usual space allotted for options. +If this option is present, the client interprets the specified additional +fields after it concludes interpretation of the standard option fields. +A value of 1 means the 'file' field is used to hold options. +A value of 2 means the 'sname' field is used to hold options. +A value of 3 means both fields are used to hold options. +.It Ic option dhcp-parameter-request-list Ar uint8 Oo , Ar uint8 ... Oc ; +This option is used by a DHCP client to request values for specified +configuration parameters. +The list of requested parameters is specified as n octets, where each +octet is a valid DHCP option code as defined in this document. +The client MAY list the options in order of preference. +The DHCP server is not required to return the options in the requested +order, but MUST try to insert the requested options in the order requested +by the client. +.It Ic option dhcp-rebinding-time Ar uint32 ; +This option specifies the time interval from address assignment until the +client transitions to the REBINDING state. +The value is in seconds. +.It Ic option dhcp-renewal-time Ar uint32 ; +This option specifies the time interval from address assignment until the +client transitions to the RENEWING state. +The value is in seconds. +.It Ic option dhcp-requested-address Ar ip-address ; +This option is used in a client request (DHCPDISCOVER) to allow the client +to request that a particular IP address be assigned. +.It Ic option dhcp-server-identifier Ar ip-address ; +This option is used in DHCPOFFER and DHCPREQUEST messages, and may +optionally be included in the DHCPACK and DHCPNAK messages. +DHCP servers include this option in the DHCPOFFER in order to allow the +client to distinguish between lease offers. +DHCP clients use the contents of the 'server identifier' field as the +destination address for any DHCP messages unicast to the DHCP server. +DHCP clients also indicate which of several lease offers is being accepted +by including this option in a DHCPREQUEST message. +The identifier is the IP address of the selected server. +.It Ic option domain-name Ar string ; +This option specifies the domain name that the client should use when +resolving hostnames via the Domain Name System. +.It Ic option domain-name-servers Ar ip-address Oo , Ar ip-address ... Oc ; +The +.Ic domain-name-servers +option specifies a list of Domain Name System name servers +available to the client. +Servers should be listed in order of preference. +.It Ic option domain-search Ar string Oo , Ar string ... Oc ; +The +.Ic domain-search +option specifies a list of the domain names that should be +used during DNS name resolution. +.It Ic option extensions-path Ar string ; +A string to specify a file, retrievable via TFTP, which contains information +which can be interpreted in the same way as the 64-octet vendor-extension +field within the BOOTP response, with exceptions; see RFC 2132, Section 3.20 +for details. +.It Ic option finger-server Ar ip-address Oo , Ar ip-address ... Oc ; +The +.Ic finger-server +option specifies a list of +.Xr finger 1 +servers available to the client. +Servers should be listed in order of preference. +.It Ic option font-servers Ar ip-address Oo , Ar ip-address ... Oc ; +This option specifies a list of X Window System Font servers available +to the client. +Servers should be listed in order of preference. +.It Ic option host-name Ar string ; +This option specifies the name of the client. +The name may or may not be qualified with the local domain name +(it is preferable to use the +.Ic domain-name +option to specify the domain name). +See RFC 1035 for character set restrictions. +.It Ic option ieee802-3-encapsulation Ar flag ; +This option specifies whether or not the client should use Ethernet +Version 2 (RFC 894) or IEEE 802.3 (RFC 1042) encapsulation if the +interface is an Ethernet. +A value of 0 indicates that the client should use RFC 894 encapsulation. +A value of 1 means that the client should use RFC 1042 encapsulation. +.It Ic option ien116-name-servers Ar ip-address Oo , Ar ip-address ... Oc ; +The +.Ic ien116-name-servers +option specifies a list of IEN 116 name servers available to the client. +Servers should be listed in order of preference. +.It Ic option impress-servers Ar ip-address Oo , Ar ip-address ... Oc ; +The +.Ic impress-servers +option specifies a list of Imagen Impress servers available to the client. +Servers should be listed in order of preference. +.It Ic option interface-mtu Ar uint16 ; +This option specifies the MTU to use on this interface. +The minimum legal value for the MTU is 68. +.It Ic option ip-forwarding Ar flag ; +This option specifies whether the client should configure its IP layer +for packet forwarding. +A value of 0 means disable IP forwarding, and a value of 1 means enable +IP forwarding. +.It Ic option ipv6-only-preferred Ar uint32 ; +This option specifies that NAT64 is available and the pool is IPv6-mostly +capable. +This option is specified in RFC 8925. +The value is in seconds. +.It Ic option irc-server Ar ip-address Oo , Ar ip-address ... Oc ; +The +.Ic irc-server +option specifies a list of IRC servers available to the client. +Servers should be listed in order of preference. +.It Ic option log-servers Ar ip-address Oo , Ar ip-address ... Oc ; +The +.Ic log-servers +option specifies a list of MIT-LCS UDP log servers available to the client. +Servers should be listed in order of preference. +.It Ic option lpr-servers Ar ip-address Oo , Ar ip-address ... Oc ; +The +.Ic lpr-servers +option specifies a list of RFC 1179 line printer servers available to the +client. +Servers should be listed in order of preference. +.It Ic option mask-supplier Ar flag ; +This option specifies whether or not the client should respond to subnet mask +requests using ICMP. +A value of 0 indicates that the client should not respond. +A value of 1 means that the client should respond. +.It Ic option max-dgram-reassembly Ar uint16 ; +This option specifies the maximum size datagram that the client should be +prepared to reassemble. +The minimum legal value is 576. +.It Ic option merit-dump Ar string ; +This option specifies the pathname of a file to which the client's +core image should be dumped in the event the client crashes. +The path is formatted as a character string consisting of characters from +the +.Tn NVT ASCII +character set. +.It Ic option mobile-ip-home-agent Ar ip-address Oo , Ar ip-address ... Oc ; +This option specifies a list of IP addresses indicating Mobile IP +home agents available to the client. +Agents should be listed in order of preference, although normally there +will be only one such agent. +.It Ic option nds-context Ar data-string ; +This option specifies the initial NDS context the client should use. +NDS contexts are 16-bit Unicode strings. +For transmission in the NDS Context Option, an NDS context is +transformed into octets using UTF-8. +The string should NOT be zero terminated. +A single DHCP option can only contain 255 octets. +Since an NDS context name can be longer than that, this option can +appear more than once in the DHCP packet. +The contents of all NDS Context options in the packet should be +concatenated as suggested in the DHCP specification to get the +complete NDS context. +A single encoded character could be split between two NDS Context Options. +See RFC 2241 for details. +.It Ic option nds-servers Ar ip-address Oo , Ar ip-address ... Oc ; +This option specifies one or more NDS servers for the client to contact +for access to the NDS database. +Servers should be listed in order of preference. +See RFC 2241 for details. +.It Ic option nds-tree-name Ar data-string ; +This option specifies the name of the NDS tree the client will be contacting. +NDS tree names are 16-bit Unicode strings. +For transmission in the NDS Tree Name Option, an NDS tree name is +transformed into octets using UTF-8. +The string should not be zero terminated. +See RFC 2241 for details. +.It Ic option netbios-dd-server Ar ip-address Oo , Ar ip-address ... Oc ; +The NetBIOS datagram distribution server (NBDD) option specifies a +list of RFC 1001/1002 NBDD servers listed in order of preference. +.It Ic option netbios-name-servers Ar ip-address Oo , Ar ip-address ... Oc ; +The NetBIOS name server (NBNS) option specifies a list of RFC 1001/1002 +NBNS name servers listed in order of preference. +NetBIOS Name Service is currently more commonly referred to as WINS. +WINS servers can be specified using the +.Ic netbios-name-servers +option. +.It Ic option netbios-node-type Ar uint8 ; +The NetBIOS node type option allows NetBIOS over TCP/IP clients which +are configurable to be configured as described in RFC 1001/1002. +The value is specified as a single octet which identifies the client type. +.Pp +Possible node types are: +.Bl -tag -width Ds +.It 1 +B-node: Broadcast - no WINS +.It 2 +P-node: Peer - WINS only +.It 4 +M-node: Mixed - broadcast, then WINS +.It 8 +H-node: Hybrid - WINS, then broadcast +.El +.It Ic option netbios-scope Ar string ; +The NetBIOS scope option specifies the NetBIOS over TCP/IP scope +parameter for the client as specified in RFC 1001/1002. +See RFC 1001, RFC 1002, and RFC 1035 for character-set restrictions. +.It Ic option nis-domain Ar string ; +This option specifies the name of the client's NIS (Sun Network Information +Services) domain. +The domain is formatted as a character string consisting of characters +from the +.Tn NVT ASCII +character set. +.It Ic option nis-servers Ar ip-address Oo , Ar ip-address ... Oc ; +This option specifies a list of IP addresses indicating NIS servers +available to the client. +Servers should be listed in order of preference. +.It Ic option nisplus-domain Ar string ; +This option specifies the name of the client's NIS+ domain. +The domain is formatted as a character string consisting of characters +from the +.Tn NVT ASCII +character set. +.It Ic option nisplus-servers Ar ip-address Oo , Ar ip-address ... Oc ; +This option specifies a list of IP addresses indicating NIS+ servers +available to the client. +Servers should be listed in order of preference. +.It Ic option nntp-server Ar ip-address Oo , Ar ip-address ... Oc ; +The +.Ic nntp-server +option specifies a list of NNTP servers available to the client. +Servers should be listed in order of preference. +.It Ic option non-local-source-routing Ar flag ; +This option specifies whether the client should configure its IP +layer to allow forwarding of datagrams with non-local source routes. +A value of 0 means disallow forwarding of such datagrams, and a value of 1 +means allow forwarding. +.It Ic option ntp-servers Ar ip-address Oo , Ar ip-address ... Oc ; +This option specifies a list of IP addresses indicating NTP (RFC 5905) +servers available to the client. +Servers should be listed in order of preference. +.It Ic option path-mtu-aging-timeout Ar uint32 ; +This option specifies the timeout (in seconds) to use when aging Path +MTU values discovered by the mechanism defined in RFC 1191. +.It Ic option path-mtu-plateau-table Ar uint16 Oo , Ar uint16 ... Oc ; +This option specifies a table of MTU sizes to use when performing +Path MTU Discovery as defined in RFC 1191. +The table is formatted as a list of 16-bit unsigned integers, +ordered from smallest to largest. +The minimum MTU value cannot be smaller than 68. +.It Ic option perform-mask-discovery Ar flag ; +This option specifies whether or not the client should perform subnet mask +discovery using ICMP. +A value of 0 indicates that the client should not perform mask discovery. +A value of 1 means that the client should perform mask discovery. +.It Ic option policy-filter Ar ip-address ip-address Oo , Ar ip-address ip-address ... Oc ; +This option specifies policy filters for non-local source routing. +The filters consist of a list of IP addresses and masks which specify +destination/mask pairs with which to filter incoming source routes. +.Pp +Any source-routed datagram whose next-hop address does not match one +of the filters should be discarded by the client. +.Pp +See RFC 1122 for further information. +.It Ic option pop-server Ar ip-address Oo , Ar ip-address ... Oc ; +The +.Ic pop-server +option specifies a list of POP3 servers available to the client. +Servers should be listed in order of preference. +.It Ic option relay-agent-information Ar data-string ; +This is a "container" option for specific agent-supplied sub-options. +See RFC 3046 for details. +.It Ic option resource-location-servers Ar ip-address Oo , Ar ip-address ... Oc ; +This option specifies a list of RFC 887 Resource Location servers available +to the client. +Servers should be listed in order of preference. +.It Ic option root-path Ar string ; +This option specifies the pathname that contains the client's root disk. +The path is formatted as a character string consisting of characters from +the +.Tn NVT ASCII +character set. +.It Ic option router-discovery Ar flag ; +This option specifies whether or not the client should solicit routers using +the Router Discovery mechanism defined in RFC 1256. +A value of 0 indicates that the client should not perform router discovery. +A value of 1 means that the client should perform router discovery. +.It Ic option router-solicitation-address Ar ip-address ; +This option specifies the address to which the client should transmit +router solicitation requests. +.It Ic option routers Ar ip-address Oo , Ar ip-address ... Oc ; +The +.Ic routers +option specifies a list of IP addresses for routers on the client's subnet. +Routers should be listed in order of preference. +.It Ic option smtp-server Ar ip-address Oo , Ar ip-address ... Oc ; +The +.Ic smtp-server +option specifies a list of SMTP servers available to the client. +Servers should be listed in order of preference. +.It Ic option static-routes Ar ip-address ip-address Oo , Ar ip-address ip-address ... Oc ; +This option specifies a list of static routes that the client should +install in its routing cache. +If multiple routes to the same destination are specified, they are listed +in descending order of priority. +.Pp +The routes consist of a list of IP address pairs. +The first address is the destination address, +and the second address is the router for the destination. +.Pp +The default route (0.0.0.0) is an illegal destination for a static route. +To specify the default route, use the +.Ic routers +option. +Note that this option is obsolete and should be replaced by the +.Ic classless-static-routes +option. +.It Ic option streettalk-directory-assistance-server Ar ip-address Oo , Ar ip-address ... Oc ; +The StreetTalk Directory Assistance (STDA) server option specifies a +list of STDA servers available to the client. +Servers should be listed in order of preference. +.It Ic option streettalk-server Ar ip-address Oo , Ar ip-address ... Oc ; +The +.Ic streettalk-server +option specifies a list of StreetTalk servers available to the client. +Servers should be listed in order of preference. +.It Ic option subnet-mask Ar ip-address ; +The +.Ic subnet-mask +option specifies the client's subnet mask as per RFC 950. +If no subnet-mask option is provided anywhere in scope, as a last resort +.Xr dhcpd 8 +will use the subnet mask from the subnet declaration for the network on +which an address is being assigned. +However, +.Em any +subnet-mask option declaration that is in scope for the address being +assigned will override the subnet mask specified in the subnet declaration. +.It Ic option swap-server Ar ip-address ; +This specifies the IP address of the client's swap server. +.It Ic option tcp-keepalive-garbage Ar flag ; +This option specifies whether or not the client should send TCP keepalive +messages with an octet of garbage for compatibility with older implementations. +A value of 0 indicates that a garbage octet should not be sent. +A value of 1 indicates that a garbage octet should be sent. +.It Ic option tcp-keepalive-interval Ar uint32 ; +This option specifies the interval (in seconds) that the client TCP +should wait before sending a keepalive message on a TCP connection. +The time is specified as a 32-bit unsigned integer. +A value of zero indicates that the client should not generate keepalive +messages on connections unless specifically requested by an application. +.It Ic option tftp-config-file Ar string ; +Option 144. +Per RFC 2132 options 128 \- 254 are site-specific. +RFC 3942 reclassifies options 128 to 223 as publicly defined options and +puts them in "Unavailable" state by IANA. +See RFC 3679 for "Unused DHCP Option Codes to be Reassigned to Future +DHCP Options". +See RFC 2939 for procedures for definitions of new DHCP options. +.It Ic option tftp-server-name Ar string ; +This option is used to identify a TFTP server and, if supported by the +client, should have the same effect as the +.Ic server-name +declaration. +BOOTP clients are unlikely to support this option. +Some DHCP clients will support it, and others actually require it. +.It Ic option time-offset Ar int32 ; +The +.Ic time-offset +option specifies the offset of the client's subnet in seconds from +Coordinated Universal Time (UTC). +.It Ic option time-servers Ar ip-address Oo , Ar ip-address ... Oc ; +The +.Ic time-server +option specifies a list of RFC 868 time servers available to the client. +Servers should be listed in order of preference. +.It Ic option trailer-encapsulation Ar flag ; +This option specifies whether or not the client should negotiate the +use of trailers (RFC 893) when using the ARP protocol. +A value of 0 indicates that the client should not attempt to use trailers. +A value of 1 means that the client should attempt to use trailers. +.It Ic option user-class Ar string ; +This option is used by a DHCP client to optionally identify the type or +category of user or applications it represents. +A DHCP server uses the User Class option to choose the address pool it +allocates an address from and/or to select any other configuration option. +This option may carry multiple User Classes. +Servers may interpret the meanings of multiple class specifications in an +implementation dependent or configuration dependent manner, and so the use +of multiple classes by a DHCP client should be based on the specific server +implementation and configuration which will be used to process that User +class option. +See RFC 3004 for details. +.It Ic option vendor-encapsulated-options Ar data-string ; +This option is used by clients and servers to exchange vendor-specific +information. +The information is an opaque object of n octets, presumably interpreted by +vendor-specific code on the clients and servers. +See RFC 2132, Section 8.4 for details. +.It Ic option voip-configuration-server Ar ip-address Oo , Ar ip-address ... Oc ; +The +.Ic voip-configuration-server +option specifies a list of (normally TFTP) servers that VoIP clients +may download their configuration information and software images +from. +Servers should be listed in order of preference. +.It Ic option www-server Ar ip-address Oo , Ar ip-address ... Oc ; +The +.Ic www-server +option specifies a list of WWW servers available to the client. +.It Ic option x-display-manager Ar ip-address Oo , Ar ip-address ... Oc ; +This option specifies a list of systems that are running the X Window +System Display Manager and are available to the client. +Addresses should be listed in order of preference. +.El +.Sh SEE ALSO +.Xr dhcpd.conf 5 , +.Xr dhcpd.leases 5 , +.Xr dhcpleased.conf 5 , +.Xr dhcpd 8 , +.Xr dhcpleased 8 +.Sh STANDARDS +.Rs +.%A R. Droms +.%D October 1993 +.%R RFC 1534 +.%T Interoperation Between DHCP and BOOTP +.Re +.Pp +.Rs +.%A R. Droms +.%D March 1997 +.%R RFC 2131 +.%T Dynamic Host Configuration Protocol +.Re +.Pp +.Rs +.%A S. Alexander +.%A R. Droms +.%D March 1997 +.%R RFC 2132 +.%T DHCP Options and BOOTP Vendor Extensions +.Re +.Pp +.Rs +.%A T. Lemon +.%A S. Cheshire +.%D November 2002 +.%R RFC 3396 +.%T Encoding Long Options in the Dynamic Host Configuration Protocol (DHCPv4) +.Re +.Pp +.Rs +.%A T. Lemon +.%A S. Cheshire +.%A B. Volz +.%D December 2002 +.%R RFC 3442 +.%T The Classless Static Route Option for Dynamic Host Configuration Protocol (DHCP) version 4 +.Re +.Sh AUTHORS +.An -nosplit +.Xr dhcpd 8 +was written by +.An Ted Lemon Aq Mt mellon@vix.com +under a contract with Vixie Labs. +.Pp +The current implementation was reworked by +.An Henning Brauer Aq Mt henning@openbsd.org . diff --git a/static/openbsd/man5/dhcp6leased.conf.5 b/static/openbsd/man5/dhcp6leased.conf.5 new file mode 100644 index 00000000..5f254770 --- /dev/null +++ b/static/openbsd/man5/dhcp6leased.conf.5 @@ -0,0 +1,136 @@ +.\" $OpenBSD: dhcp6leased.conf.5,v 1.6 2025/07/08 14:26:45 schwarze Exp $ +.\" +.\" Copyright (c) 2018, 2021, 2024 Florian Obser <florian@openbsd.org> +.\" Copyright (c) 2005 Esben Norby <norby@openbsd.org> +.\" Copyright (c) 2004 Claudio Jeker <claudio@openbsd.org> +.\" Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> +.\" Copyright (c) 2002 Daniel Hartmeier <dhartmei@openbsd.org> +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: July 8 2025 $ +.Dt DHCP6LEASED.CONF 5 +.Os +.Sh NAME +.Nm dhcp6leased.conf +.Nd DHCPv6 client configuration file +.Sh DESCRIPTION +The +.Xr dhcp6leased 8 +daemon is a dynamic host configuration protocol client daemon for IPv6 prefix +delegation. +.Pp +The +.Nm +config file is divided into the following main sections: +.Bl -tag -width xxxx +.It Sx Macros +Definitions of variables that can be used later, simplifying the +configuration file. +.It Sx Global configuration +Global settings for +.Xr dhcp6leased 8 . +.It Sx Prefix delegation +.Xr dhcp6leased 8 +requests prefix delegation from a DHCPv6 server and assigns prefixes +to interfaces. +This section defines on which interfaces prefix delegation should be +requested and to which interfaces prefixes should be assigned. +.El +.Ss Macros +A macro is defined with a command of the form +.Ar name Ns = Ns Ar value . +The macro +.Ar name +can contain letters, digits, and underscores and cannot be a reserved word +(for example, +.Ic interface ) . +Within unquoted arguments, the string +.Pf $ Ar name +is later expanded to +.Ar value . +.Ss Global configuration +These settings affect the operation of the +.Xr dhcp6leased 8 +daemon as a whole. +.Bl -tag -width Ds +.It Ic request rapid commit +Send the rapid commit DHCPv6 option, requesting a two-message exchange +from the server instead of the normal four-message exchange. +.El +.Ss Prefix delegation +A list of interfaces on which to request prefix delegation: +.Bl -tag -width Ds +.It Ic request prefix delegation on Ar name Ic for Brq Ar name Ns Oo / Ns Ar prefix Oc Ar ... +.El +.Pp +This requests a prefix delegation on the upstream network interface +.Ar name +for the list of +.Ar name Ns Op / Ns Ar prefix +network interfaces. +If +.Ar prefix +is omitted a default of /64 is used. +.Pp +.Xr dhcp6leased 8 +will calculate the prefix length needed to cover all interfaces in the list. +When a prefix is delegated by a DHCPv6 server, +.Xr dhcp6leased 8 +splits the prefix into smaller prefixes and assigns them to the interfaces +in the order they are listed. +This might create unassigned gaps in the delegated prefix. +.Pp +For example if a /64 and /60 prefix are to be assigned to network interfaces, +.Xr dhcp6leased 8 +requests a /59 prefix. +The prefix is then split into two /60 prefixes and the first /64 out of the +first /60 prefix is assigned to the first interface. +The second /60 prefix from the delegated /59 is assigned to the +second interface. +This leaves 15 unused /64 prefixes in the first /60. +.Pp +Care should be taken to avoid renumbering of existing interfaces +when new interfaces are added or existing interfaces are removed. +New interfaces can be added to the end of the list or in places +where unassigned gaps were present. +.Pp +The special name +.Cm reserve +can be used to reserve space in the delegated prefix for later use or +when an interface is removed. +.Pp +Running +.Xr dhcp6leased 8 +in configtest mode with a verbosity of two or more will print the +configuration file with comments indicated how prefixes would be +assigned to network interfaces. +This can be used to check that existing interface are not renumbered. +.Pp +More than one prefix can be requested from a DHCPv6 server, however most ISP +DHCPv6 servers will only delegate a single prefix. +Therefore it is better to let +.Xr dhcp6leased 8 +request a single larger prefix and split it up. +.Xr dhcp6leased 8 +has a compile time limit on how many prefix requests per interface it can +handle. +.Sh FILES +.Bl -tag -width /etc/dhcp6leased.conf -compact +.It Pa /etc/dhcp6leased.conf +.Xr dhcp6leased 8 +configuration file. +.El +.Sh SEE ALSO +.Xr dhcp6leasectl 8 , +.Xr dhcp6leased 8 diff --git a/static/openbsd/man5/dhcpd.conf.5 b/static/openbsd/man5/dhcpd.conf.5 new file mode 100644 index 00000000..9ef9aeda --- /dev/null +++ b/static/openbsd/man5/dhcpd.conf.5 @@ -0,0 +1,937 @@ +.\" $OpenBSD: dhcpd.conf.5,v 1.27 2022/03/31 17:27:29 naddy Exp $ +.\" +.\" Copyright (c) 1995, 1996, 1997, 1998, 1998, 1999 +.\" The Internet Software Consortium. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. Neither the name of The Internet Software Consortium nor the names +.\" of its contributors may be used to endorse or promote products derived +.\" from this software without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INTERNET SOFTWARE CONSORTIUM AND +.\" CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, +.\" INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +.\" DISCLAIMED. IN NO EVENT SHALL THE INTERNET SOFTWARE CONSORTIUM OR +.\" CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF +.\" USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +.\" ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +.\" OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT +.\" OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" This software has been written for the Internet Software Consortium +.\" by Ted Lemon <mellon@fugue.com> in cooperation with Vixie +.\" Enterprises. To learn more about the Internet Software Consortium, +.\" see ``http://www.isc.org/isc''. To learn more about Vixie +.\" Enterprises, see ``http://www.vix.com''. +.\" +.Dd $Mdocdate: March 31 2022 $ +.Dt DHCPD.CONF 5 +.Os +.Sh NAME +.Nm dhcpd.conf +.Nd DHCP server configuration file +.Sh DESCRIPTION +The +.Nm +file contains configuration information for +.Xr dhcpd 8 , +the Internet Software Consortium DHCP Server. +.Pp +The +.Nm +file is a free-form ASCII text file. +It is parsed by the recursive-descent parser built into +.Xr dhcpd 8 . +The file may contain extra tabs and newlines for formatting purposes. +Keywords in the file are case-insensitive. +Comments may be placed anywhere within the file (except within quotes). +Comments begin with the +.Sq # +character and end at the end of the line. +.Pp +The file essentially consists of a list of statements. +Statements fall into two broad categories \- parameters and declarations. +.Pp +Parameter statements say how to do something (e.g., how long a +lease to offer), whether to do something (e.g., should +.Xr dhcpd 8 +provide addresses to unknown clients), or what parameters to provide to the +client (e.g., use gateway 220.177.244.7). +.Pp +Declarations are used to describe the topology of the +network, to describe clients on the network, to provide addresses that +can be assigned to clients, or to apply a group of parameters to a +group of declarations. +In any group of parameters and declarations, all parameters must be specified +before any declarations which depend on those parameters may be specified. +.Pp +Declarations about network topology include the +.Ic shared-network +and the +.Ic subnet +declarations. +If clients on a subnet are to be assigned addresses dynamically, a +.Ic range +declaration must appear within the +.Ic subnet +declaration. +For clients with statically assigned addresses, or for installations where +only known clients will be served, each such client must have a +.Ic host +declaration. +If parameters are to be applied to a group of declarations which are not +related strictly on a per-subnet basis, the +.Ic group +declaration can be used. +.Pp +For every subnet which will be served, and for every subnet +to which the dhcp server is connected, there must be one +.Ic subnet +declaration, which tells +.Xr dhcpd 8 +how to recognize that an address is on that subnet. +A +.Ic subnet +declaration is required for each subnet even if no addresses will be +dynamically allocated on that subnet. +.Pp +Some installations have physical networks on which more than one IP +subnet operates. +For example, if there is a site-wide requirement that 8-bit subnet masks +be used, but a department with a single physical Ethernet network expands +to the point where it has more than 254 nodes, it may be necessary to run +two 8-bit subnets on the same Ethernet until such time as a new physical +network can be added. +In this case, the +.Ic subnet +declarations for these two networks may be enclosed in a +.Ic shared-network +declaration. +.Pp +Some sites may have departments which have clients on more than one +subnet, but it may be desirable to offer those clients a uniform set +of parameters which are different than what would be offered to +clients from other departments on the same subnet. +For clients which will be declared explicitly with +.Ic host +declarations, these declarations can be enclosed in a +.Ic group +declaration along with the parameters which are common to that department. +For clients whose addresses will be dynamically assigned, there is currently no +way to group parameter assignments other than by network topology. +.Pp +When a client is to be booted, its boot parameters are determined by +first consulting that client's +.Ic host +declaration (if any), then consulting the +.Ic group +declaration (if any) which enclosed that +.Ic host +declaration, then consulting the +.Ic subnet +declaration for the subnet on which the client is booting, then consulting the +.Ic shared-network +declaration (if any) containing that subnet, and finally consulting the +top-level parameters which may be specified outside of any declaration. +.Pp +When +.Xr dhcpd 8 +tries to find a +.Ic host +declaration for a client, it first looks for a +.Ic host +declaration which has a +.Ar fixed-address +parameter which matches the subnet or shared network on which the client +is booting. +If it doesn't find any such entry, it then tries to find an entry which has no +.Ar fixed-address +parameter. +If no such entry is found, then +.Xr dhcpd 8 +acts as if there is no entry in the +.Nm +file for that client, even if there is an entry for that client on a +different subnet or shared network. +.Sh EXAMPLES +A typical +.Nm +file will look something like this: +.Pp +Example 1 +.Bd -unfilled -offset indent +.Ar global parameters... + +shared-network ISC-BIGGIE { +.Pf " " Ar shared-network-specific parameters ... + subnet 204.254.239.0 netmask 255.255.255.224 { +.Pf " " Ar subnet-specific parameters ... + range 204.254.239.10 204.254.239.30; + } + subnet 204.254.239.32 netmask 255.255.255.224 { +.Pf " " Ar subnet-specific parameters ... + range 204.254.239.42 204.254.239.62; + } +} + +subnet 204.254.239.64 netmask 255.255.255.224 { +.Pf " " Ar subnet-specific parameters ... + range 204.254.239.74 204.254.239.94; +} + +group { +.Pf " " Ar group-specific parameters ... + host zappo.test.isc.org { +.Pf " " Ar host-specific parameters ... + } + host beppo.test.isc.org { +.Pf " " Ar host-specific parameters ... + } + host harpo.test.isc.org { +.Pf " " Ar host-specific parameters ... + } +} +.Ed +.Pp +Notice that at the beginning of the file, there's a place +for global parameters. +These might be things like the organization's domain name, +the addresses of the name servers +(if they are common to the entire organization), and so on. +So, for example: +.Pp +Example 2 +.Bd -literal -offset indent +option domain-name \&"isc.org\&"; +option domain-name-servers ns1.isc.org, ns2.isc.org; +.Ed +.Pp +As you can see in Example 2, it's legal to specify host addresses in +parameters as hostnames rather than as numeric IP addresses. +.Pp +In Example 1, you can see that both the shared-network statement and +the subnet statements can have parameters. +Let us say that the shared network ISC-BIGGIE supports an entire department \- +perhaps the accounting department. +If accounting has its own domain, then a shared-network-specific parameter +might be: +.Pp +.Dl option domain-name \&"accounting.isc.org\&"; +.Pp +All subnet declarations appearing in the shared-network declaration +would then have the domain-name option set to +.Dq accounting.isc.org +instead of just +.Dq isc.org . +.Pp +The most obvious reason for having subnet-specific parameters as +shown in Example 1 is that each subnet, of necessity, has its own router. +So for the first subnet, for example, there should be something like: +.Pp +.Dl option routers 204.254.239.1; +.Pp +Note that the address here is specified numerically. +This is not required \- if you have a different hostname for each +interface on your router, it's perfectly legitimate to use the hostname +for that interface instead of the numeric address. +However, in many cases there may be only one hostname for all of a router's +IP addresses, and it would not be appropriate to use that name here. +.Pp +In Example 1 there is also a +.Ic group +statement, which provides common parameters for a set of three hosts \- zappo, +beppo and harpo. +As you can see, these hosts are all in the test.isc.org domain, so it +might make sense for a group-specific parameter to override the domain +name supplied to these hosts: +.Pp +.Dl option domain-name \&"test.isc.org\&"; +.Pp +Also, given the domain they're in, these are probably test machines. +If we wanted to test the DHCP leasing mechanism, we might set the +lease timeout somewhat shorter than the default: +.Bd -literal -offset indent +max-lease-time 120; +default-lease-time 120; +.Ed +.Pp +You may have noticed that while some parameters start with the +.Ic option +keyword, some do not. +Parameters starting with the +.Ic option +keyword correspond to actual DHCP options, while parameters that do not start +with the option keyword either control the behaviour of the DHCP server +(e.g., how long a lease +.Xr dhcpd 8 +will give out), or specify client parameters that are not optional in the +DHCP protocol (for example, server-name and filename). +.Pp +In Example 1, each host had +.Ar host-specific parameters . +These could include such things as the +.Ic hostname +option, the name of a file to download (the +.Ar filename +parameter) and the address of the server from which to download the file (the +.Ar next-server +parameter). +In general, any parameter can appear anywhere that parameters are allowed, +and will be applied according to the scope in which the parameter appears. +.Pp +Imagine that you have a site with a lot of NCD X-Terminals. +These terminals come in a variety of models, and you want to specify the +boot files for each model. +One way to do this would be to have host declarations for each server +and group them by model: +.Bd -literal -offset indent +group { + filename "Xncd19r"; + next-server ncd-booter; + + host ncd1 { hardware ethernet 0:c0:c3:49:2b:57; } + host ncd4 { hardware ethernet 0:c0:c3:80:fc:32; } + host ncd8 { hardware ethernet 0:c0:c3:22:46:81; } +} + +group { + filename "Xncd19c"; + next-server ncd-booter; + + host ncd2 { hardware ethernet 0:c0:c3:88:2d:81; } + host ncd3 { hardware ethernet 0:c0:c3:00:14:11; } +} + +group { + filename "XncdHMX"; + next-server ncd-booter; + + host ncd5 { hardware ethernet 0:c0:c3:11:90:23; } + host ncd6 { hardware ethernet 0:c0:c3:91:a7:8; } + host ncd7 { hardware ethernet 0:c0:c3:cc:a:8f; } +} +.Ed +.Sh REFERENCE: DECLARATIONS +The +.Ic shared-network +statement informs the DHCP server that some IP subnets actually +share the same physical network: +.Bd -unfilled -offset indent +.Ic shared-network Ar name No { +.Pf " " Op Ar parameters +.Pf " " Op Ar declarations +} +.Ed +.Pp +Any subnets in a shared network should be declared within a +.Ic shared-network +statement. +Parameters specified in the +.Ic shared-network +statement will be used when booting clients on those subnets unless +parameters provided at the subnet or host level override them. +If any subnet in a shared network has addresses available for dynamic +allocation, those addresses are collected into a common pool for that +shared network and assigned to clients as needed. +There is no way to distinguish on which subnet of a shared network a +client should boot. +.Pp +.Ar name +should be the name of the shared network. +This name is used when printing debugging messages, so it should be +descriptive for the shared network. +The name may have the syntax of a valid hostname +(although it will never be used as such), or it may be any arbitrary +name, enclosed in quotes. +.Pp +The +.Ic subnet +statement provides +.Xr dhcpd 8 +with enough information to tell whether or not an IP address is on that subnet: +.Bd -unfilled -offset indent +.Ic subnet Ar subnet-number Ic netmask Ar netmask No { +.Pf " " Op Ar parameters +.Pf " " Op Ar declarations +} +.Ed +.Pp +It may also be used to provide subnet-specific parameters and to +specify what addresses may be dynamically allocated to clients booting +on that subnet. +Such addresses are specified using the +.Ic range +declaration. +.Pp +The +.Ar subnet-number +and +.Ar netmask +should be specified as numeric IP addresses. +The subnet number, together with the netmask, are sufficient to determine +whether any given IP address is on the specified subnet. +.Pp +Although a netmask must be given with every subnet declaration, it is +recommended that if there is any variance in subnet masks at a site, a +subnet-mask option statement be used in each subnet declaration to set +the desired subnet mask, since any subnet-mask option statement will +override the subnet mask declared in the subnet statement. +.Pp +The +.Ic range +statement gives the lowest and highest IP addresses in a range: +.Bd -filled -offset indent +.Ic range Op Ic dynamic-bootp +.Ar low-address Oo Ar high-address Oc ; +.Ed +.Pp +For any subnet on which addresses will be assigned dynamically, there +must be at least one +.Ic range +statement. +All IP addresses in the range should be in the subnet in which the +.Ic range +statement is declared. +The +.Ic dynamic-bootp +flag may be specified if addresses in the specified range may be dynamically +assigned to BOOTP clients as well as DHCP clients. +When specifying a single address, +.Ar high-address +can be omitted. +.Pp +There must be at least one +.Ic host +statement for every BOOTP client that is to be served: +.Bd -unfilled -offset indent +.Ic host Ar hostname No { +.Pf " " Op Ar parameters +.Pf " " Op Ar declarations +} +.Ed +.Pp +.Ic host +statements may also be specified for DHCP clients, although this is +not required unless booting is only enabled for known hosts. +.Pp +If it is desirable to be able to boot a DHCP or BOOTP +client on more than one subnet with fixed addresses, more than one +address may be specified in the +.Ar fixed-address +parameter, or more than one +.Ic host +statement may be specified. +.Pp +If client-specific boot parameters must change based on the network +to which the client is attached, then multiple +.Ic host +statements should be used. +.Pp +If a client is to be booted using a fixed address if it's +possible, but should be allocated a dynamic address otherwise, then a +.Ic host +statement must be specified without a +.Ar fixed-address +clause. +.Ar hostname +should be a name identifying the host. +If a +.Ar hostname +option is not specified for the host, +.Ar hostname +is used. +.Pp +.Ic host +declarations are matched to actual DHCP or BOOTP clients by matching the +.Ic dhcp-client-identifier +option specified in the +.Ic host +declaration to the one supplied by the client or, if the +.Ic host +declaration or the client does not provide a +.Ic dhcp-client-identifier +option, by matching the +.Ar hardware +parameter in the +.Ic host +declaration to the network hardware address supplied by the client. +BOOTP clients do not normally provide a +.Ar dhcp-client-identifier , +so the hardware address must be used for all clients that may boot using +the BOOTP protocol. +.Pp +The +.Ic group +statement is used simply to apply one or more parameters to a group of +declarations: +.Bd -unfilled -offset indent +.Ic group No { +.Pf " " Op Ar parameters +.Pf " " Op Ar declarations +} +.Ed +.Pp +It can be used to group hosts, shared networks, subnets, or even other groups. +.Sh REFERENCE: ALLOW and DENY +The +.Ic allow +and +.Ic deny +statements can be used to control the behaviour of +.Xr dhcpd 8 +to various sorts of requests. +.Pp +The +.Ar unknown-clients +flag tells +.Xr dhcpd 8 +whether or not to dynamically assign addresses to unknown clients: +.Bd -literal -offset indent +allow unknown-clients; +deny unknown-clients; +.Ed +.Pp +Dynamic address assignment to unknown clients is allowed by default. +.Pp +The +.Ar bootp +flag tells +.Xr dhcpd 8 +whether or not to respond to bootp queries: +.Bd -literal -offset indent +allow bootp; +deny bootp; +.Ed +.Pp +Bootp queries are allowed by default. +.Pp +The +.Ar booting +flag tells +.Xr dhcpd 8 +whether or not to respond to queries from a particular client: +.Bd -literal -offset indent +allow booting; +deny booting; +.Ed +.Pp +This keyword only has meaning when it appears in a host declaration. +By default, booting is allowed, but if it is disabled for a particular client, +then that client will not be able to get an address from the DHCP server. +.Sh REFERENCE: PARAMETERS +The +.Ic default-lease-time +statement specifies the +.Ar time +in seconds that will be assigned to a lease +if the client requesting the lease does not ask for a specific expiration time: +.Pp +.D1 Ic default-lease-time Ar time ; +.Pp +The +.Ic max-lease-time +statement specifies the maximum +.Ar time +in seconds that will be assigned to a lease +if the client requesting the lease asks for a specific expiration time: +.Pp +.D1 Ic max-lease-time Ar time ; +.Pp +The +.Ic hardware +statement allows a +BOOTP client to be recognized in a +.Ic host +statement: +.Pp +.D1 Ic hardware Ar hardware-type hardware-address ; +.Pp +.Ar hardware-type +must be the name of a hardware interface type. +Currently, the +.Cm ethernet , +.Cm token-ring +and +.Cm fddi +physical interface types are recognized, +although support for DHCP-over-IPsec virtual interface type +.Cm ipsec-tunnel +is provided. +The +.Ar hardware-address +should be a set of colon-separated hexadecimal octets (0-ff) +or a hostname that can be looked up in +.Xr ethers 5 +when the configuration is read. +The +.Ic hardware +statement may also be used for DHCP clients. +.Pp +The +.Ic filename +statement can be used to specify the name of the initial boot file which +is to be loaded by a client: +.Pp +.D1 Ic filename Qq Ar filename ; +.Pp +The +.Ar filename +should be a filename recognizable to whatever file transfer protocol +the client can be expected to use to load the file. +.Pp +The +.Ic server-name +statement can be used to inform the client of the name of the server +from which it is booting: +.Pp +.D1 Ic server-name Qq Ar name ; +.Pp +.Ar name +should be the name that will be provided to the client. +.Pp +The +.Ic next-server +statement specifies the host address of +the server from which the initial boot file (specified in the +.Ic filename +statement) is to be loaded: +.Pp +.D1 Ic next-server Ar server-name ; +.Pp +.Ar server-name +should be a numeric IP address or a hostname. +If no +.Ic next-server +parameter applies to a given client, the DHCP server's IP address is used. +.Pp +The +.Ic fixed-address +statement assigns one or more fixed IP addresses to a client: +.Pp +.D1 Ic fixed-address Ar address Op , Ar address ... ; +.Pp +It should only appear in a +.Ic host +declaration. +If more than one address is supplied, then when the client boots, it will be +assigned the address which corresponds to the network on which it is booting. +If none of the addresses in the +.Ic fixed-address +statement are on the network on which the client is booting, that client will +not match the +.Ic host +declaration containing that +.Ic fixed-address +statement. +Each +.Ar address +should be either an IP address or a hostname which resolves to one +or more IP addresses. +.Pp +Clients with fixed addresses are not assigned DHCP leases, +and may therefore not be used with the +.Fl ACL +table options of +.Xr dhcpd 8 . +.Pp +The +.Ic dynamic-bootp-lease-cutoff +statement sets the ending time for all leases assigned dynamically to +BOOTP clients: +.Pp +.D1 Ic dynamic-bootp-lease-cutoff Ar date ; +.Pp +Because BOOTP clients do not have any way of renewing leases, +and don't know that their leases could expire, by default +.Xr dhcpd 8 +assigns infinite leases to all BOOTP clients. +However, it may make sense in some situations to set a cutoff date for all +BOOTP leases \- for example, the end of a school term, +or the time at night when a facility is closed and all +machines are required to be powered off. +.Pp +.Ar date +should be the date on which all assigned BOOTP leases will end. +The date is specified in the form: +.Pp +.Dl W YYYY/MM/DD HH:MM:SS +.Pp +W is the day of the week expressed as a number from zero (Sunday) +to six (Saturday). +YYYY is the year, including the century. +MM is the month expressed as a number from 1 to 12. +DD is the day of the month, counting from 1. +HH is the hour, from zero to 23. +MM is the minute and SS is the second. +The time is always in Coordinated Universal Time (UTC), not local time. +.Pp +The +.Ic dynamic-bootp-lease-length +statement sets the length of leases dynamically assigned to BOOTP clients: +.Pp +.D1 Ic dynamic-bootp-lease-length Ar length ; +.Pp +At some sites, it may be possible to assume that a lease is no longer in +use if its holder has not used BOOTP or DHCP to get its address within +a certain time period. +The period is specified in +.Ar length +as a number of seconds. +If a client reboots using BOOTP during the timeout period, the lease +duration is reset to +.Ar length , +so a BOOTP client that boots frequently enough will never lose its lease. +Needless to say, this parameter should be adjusted with extreme caution. +.Pp +The +.Ic get-lease-hostnames +statement tells +.Xr dhcpd 8 +whether or not to look up the hostname corresponding to the IP address of +each address in the lease pool and use that address for the DHCP +.Ic hostname +option: +.Pp +.D1 Ic get-lease-hostnames Ar flag ; +.Pp +If +.Ar flag +is true, then this lookup is done for all addresses in the current scope. +By default, or if +.Ar flag +is false, no lookups are done. +.Pp +If the +.Ic use-host-decl-names +parameter is true in a given scope, then for every host declaration within +that scope, the name provided for the host declaration will be supplied to +the client as its hostname: +.Pp +.D1 Ic use-host-decl-names Ar flag ; +.Pp +So, for example: +.Bd -literal -offset indent +group { + use-host-decl-names on; + + host joe { + hardware ethernet 08:00:2b:4c:29:32; + fixed-address joe.fugue.com; + } +} +.Ed +.Pp +is equivalent to: +.Bd -literal -offset indent +host joe { + hardware ethernet 08:00:2b:4c:29:32; + fixed-address joe.fugue.com; + option host-name "joe"; +} +.Ed +.Pp +An +.Ic option host-name +statement within a host declaration will override the use of the name +in the host declaration. +.Pp +The +.Ic authoritative +statement: +.Pp +.D1 Ic authoritative ; +.D1 Ic not authoritative ; +.Pp +The DHCP server will normally assume that the configuration +information about a given network segment is known to be correct and +is authoritative. +So if a client requests an IP address on a given network segment that the +server knows is not valid for that segment, the server will respond with a +DHCPNAK message, causing the client to forget its IP address and try to get +a new one. +.Pp +If a DHCP server is being configured by somebody who is not the +network administrator and who therefore does not wish to assert this +level of authority, then the statement +.Dq not authoritative +should be written in the appropriate scope in the configuration file. +.Pp +Usually, writing +.Ic not authoritative; +at the top level of the file should be sufficient. +However, if a DHCP server is to be set up so that it is aware of some +networks for which it is authoritative and some networks for which it is not, +it may be more appropriate to declare authority on a per-network-segment basis. +.Pp +Note that the most specific scope for which the concept of authority +makes any sense is the physical network segment \- either a +shared-network statement or a subnet statement that is not contained +within a shared-network statement. +It is not meaningful to specify that the server is authoritative for some +subnets within a shared network, but not authoritative for others, +nor is it meaningful to specify that the server is authoritative for some +host declarations and not others. +.Pp +The +.Ic use-lease-addr-for-default-route +statement: +.Pp +.D1 Ic use-lease-addr-for-default-route Ar flag ; +.Pp +If the +.Ic use-lease-addr-for-default-route +parameter is true in a given scope, then instead of sending the value +specified in the routers option (or sending no value at all), +the IP address of the lease being assigned is sent to the client. +This supposedly causes Win95 machines to ARP for all IP addresses, +which can be helpful if your router is configured for proxy ARP. +.Pp +If +.Ic use-lease-addr-for-default-route +is enabled and an option routers statement are both in scope, +the routers option will be preferred. +The rationale for this is that in situations where you want to use +this feature, you probably want it enabled for a whole bunch of +Windows 95 machines, and you want to override it for a few other machines. +Unfortunately, if the opposite happens to be true for your +site, you are probably better off not trying to use this flag. +.Pp +The +.Ic always-reply-rfc1048 +statement: +.Pp +.D1 Ic always-reply-rfc1048 Ar flag ; +.Pp +Some BOOTP clients expect RFC 1048-style responses, but do not follow +RFC 1048 when sending their requests. +You can tell that a client is having this problem if it is not getting +the options you have configured for it and if you see in the server log +the message +.Dq (non-rfc1048) +printed with each BOOTREQUEST that is logged. +.Pp +If you want to send RFC 1048 options to such a client, you can set the +.Ic always-reply-rfc1048 +option in that client's host declaration, and the DHCP server will +respond with an RFC 1048-style vendor options field. +This flag can be set in any scope, and will affect all clients covered +by that scope. +.Pp +The +.Ic server-identifier +statement can be used to define the value that is sent in the +DHCP Server Identifier option for a given scope: +.Pp +.D1 Ic server-identifier Ar hostname ; +.Pp +The value specified +.Em must +be an IP address for the DHCP server, and must be reachable by all +clients served by a particular scope. +.Pp +The use of the server-identifier statement is not recommended \- the only +reason to use it is to force a value other than the default value to be +sent on occasions where the default value would be incorrect. +The default value is the first IP address associated with the physical +network interface on which the request arrived. +.Pp +The usual case where the +.Ic server-identifier +statement needs to be sent is when a physical interface has more than one +IP address, and the one being sent by default isn't appropriate for some +or all clients served by that interface. +Another common case is when an alias is defined for the purpose of +having a consistent IP address for the DHCP server, and it is desired +that the clients use this IP address when contacting the server. +.Pp +Supplying a value for the +.Ic dhcp-server-identifier +option is equivalent to using the +.Ic server-identifier +statement. +.Pp +The +.Ic echo-client-id +statement controls RFC 6842 compliant behavior and has a default +value of true: +.Pp +.D1 Ic echo-client-id Ar flag ; +.Pp +Some devices, especially old printers, require +.Ic echo-client-id +to be false. +.Pp +When +.Ic echo-client-id +is true , +.Xr dhcpd 8 +copies option dhcp-client-identifier (code 61) +from +DHCP DISCOVER or REQUEST messages into +the DHCP ACK or NAK reply sent to the client. +.Sh REFERENCE: OPTION STATEMENTS +DHCP option statements are documented in the +.Xr dhcp-options 5 +manual page. +.Sh FILES +.Bl -tag -width /etc/examples/dhcpd.conf -compact +.It Pa /etc/examples/dhcpd.conf +Example configuration file. +.El +.Sh SEE ALSO +.Xr dhcp-options 5 , +.Xr dhcpd.leases 5 , +.Xr dhcpd 8 +.Sh STANDARDS +.Rs +.%A R. Droms +.%D March 1997 +.%R RFC 2131 +.%T Dynamic Host Configuration Protocol +.Re +.Pp +.Rs +.%A S. Alexander +.%A R. Droms +.%D March 1997 +.%R RFC 2132 +.%T DHCP Options and BOOTP Vendor Extensions +.Re +.Pp +.Rs +.%A M. Patrick +.%D January 2001 +.%R RFC 3046 +.%T DHCP Relay Agent Information Option +.Re +.Pp +.Rs +.%A B. Patel +.%A B. Aboba +.%A S. Kelly +.%A V. Gupta +.%D January 2003 +.%R RFC 3456 +.%T Dynamic Host Configuration Protocol (DHCPv4) Configuration of IPsec Tunnel Mode +.Re +.Sh AUTHORS +.An -nosplit +.Xr dhcpd 8 +was written by +.An Ted Lemon Aq Mt mellon@vix.com +under a contract with Vixie Labs. +.Pp +The current implementation was reworked by +.An Henning Brauer Aq Mt henning@openbsd.org . diff --git a/static/openbsd/man5/dhcpd.leases.5 b/static/openbsd/man5/dhcpd.leases.5 new file mode 100644 index 00000000..15ee8a30 --- /dev/null +++ b/static/openbsd/man5/dhcpd.leases.5 @@ -0,0 +1,190 @@ +.\" $OpenBSD: dhcpd.leases.5,v 1.14 2024/06/27 16:39:31 florian Exp $ +.\" +.\" Copyright (c) 1997, 1998 The Internet Software Consortium. +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. Neither the name of The Internet Software Consortium nor the names +.\" of its contributors may be used to endorse or promote products derived +.\" from this software without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INTERNET SOFTWARE CONSORTIUM AND +.\" CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, +.\" INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +.\" DISCLAIMED. IN NO EVENT SHALL THE INTERNET SOFTWARE CONSORTIUM OR +.\" CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF +.\" USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +.\" ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +.\" OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT +.\" OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" This software has been written for the Internet Software Consortium +.\" by Ted Lemon <mellon@fugue.com> in cooperation with Vixie +.\" Enterprises. To learn more about the Internet Software Consortium, +.\" see ``http://www.isc.org/isc''. To learn more about Vixie +.\" Enterprises, see ``http://www.vix.com''. +.\" +.Dd $Mdocdate: June 27 2024 $ +.Dt DHCPD.LEASES 5 +.Os +.Sh NAME +.Nm dhcpd.leases +.Nd DHCP server lease database +.Sh DESCRIPTION +The Internet Software Consortium DHCP Server keeps a persistent +database of leases that it has assigned. +This database is a free-form ASCII file containing a series of +lease declarations. +Every time a lease is acquired, renewed or released, its new value is +recorded at the end of the lease file. +So if more than one declaration appears for a given lease, +the last one in the file is the current one. +.Sh FORMAT +Currently, the only declaration that is used in the +.Nm +file is the +.Ic lease +declaration. +.Pp +.D1 Ic lease Ar ip-address No { Ar statements... No } +.Pp +Each lease declaration includes the single IP address that has been +leased to the client. +The statements within the braces define the duration of the lease +and to whom it is assigned. +.Pp +The start and end time of a lease are recorded using the +.Ic starts +and +.Ic ends +statements: +.Pp +.D1 Ic starts Ar date ; +.D1 Ic ends Ar date ; +.Pp +Dates are specified as follows: +.Pp +.D1 Ar weekday year Ns / Ns Ar month Ns / Ns Ar day hour : Ns Ar minute : Ns Ar second +.Pp +The weekday is present to make it easy for a human to tell when a +lease expires \- it's specified as a number from zero to six, with zero +being Sunday. +The day of week is ignored on input. +The year is specified with the century, so it should generally be four digits +except for really long leases. +The month is specified as a number starting with 1 for January. +The day of the month is likewise specified starting with 1. +The hour is a number from 0 to 23, the minute a number from 0 to 59, +and the second also a number from 0 to 59. +.Pp +Lease times are specified in Coordinated Universal Time (UTC), not in the +local time zone. +.Pp +The MAC address of the network interface that was used to acquire the +lease is recorded with the +.Ic hardware +statement: +.Pp +.D1 Ic hardware Ar hardware-type mac-address ; +.Pp +The MAC address is specified as a series of hexadecimal octets, +separated by colons. +.Pp +If the client uses a client identifier to acquire its address, the +client identifier is recorded using the +.Ic uid +statement: +.Pp +.D1 Ic uid Ar client-identifier ; +.Pp +The client identifier is recorded as a series of hexadecimal octets, +regardless of whether the client specifies an ASCII string or uses the +newer hardware type/MAC address format. +.Pp +If the client sends a hostname using the +.Ic Client Hostname +option, as specified in some versions of the DHCP-DNS Interaction draft, that +hostname is recorded using the +.Ic client-hostname +statement. +.Pp +.D1 Ic client-hostname Qq Ar hostname ; +.Pp +If the client sends its hostname using the +.Ic Hostname +option, it is recorded using the +.Ic hostname +statement. +.Pp +.D1 Ic hostname Qq Ar hostname ; +.Pp +The DHCP server may determine that a lease has been misused in some +way, either because a client that has been assigned a lease NAKs it, +or because the server's own attempt to see if an address is in use +prior to reusing it reveals that the address is in fact already in +use. +In that case, the +.Ic abandoned +statement will be used to indicate that the lease should not be reassigned. +.Pp +.D1 Ic abandoned ; +.Pp +Abandoned leases are reclaimed automatically. +When a client asks for a new address, and the server finds that there +are no new addresses, it checks to see if there are any abandoned leases, +and allocates the least recently abandoned lease. +The standard mechanisms for checking for lease address conflicts are still +followed, so if the abandoned lease's IP address is still in use, +it will be reabandoned. +.Pp +If a client +.Em requests +an abandoned address, the server assumes that the reason the address was +abandoned was that the lease file was corrupted, and that the client is +the machine that responded when the lease was probed, +causing it to be abandoned. +In that case, the address is immediately assigned to the client. +.Sh FILES +.Bl -tag -width Ds -compact +.It Pa /var/db/dhcpd.leases +.El +.Sh SEE ALSO +.Xr dhcp-options 5 , +.Xr dhcpd.conf 5 , +.Xr dhcpd 8 +.Sh STANDARDS +.Rs +.%A R. Droms +.%D March 1997 +.%R RFC 2131 +.%T Dynamic Host Configuration Protocol +.Re +.Pp +.Rs +.%A S. Alexander +.%A R. Droms +.%D March 1997 +.%R RFC 2132 +.%T DHCP Options and BOOTP Vendor Extensions +.Re +.Sh AUTHORS +.An -nosplit +.Xr dhcpd 8 +was written by +.An Ted Lemon Aq Mt mellon@vix.com +under a contract with Vixie Labs. +.Pp +The current implementation was reworked by +.An Henning Brauer Aq Mt henning@openbsd.org . diff --git a/static/openbsd/man5/dhcpleased.conf.5 b/static/openbsd/man5/dhcpleased.conf.5 new file mode 100644 index 00000000..99425cb2 --- /dev/null +++ b/static/openbsd/man5/dhcpleased.conf.5 @@ -0,0 +1,129 @@ +.\" $OpenBSD: dhcpleased.conf.5,v 1.17 2025/07/08 14:26:45 schwarze Exp $ +.\" +.\" Copyright (c) 2018, 2021 Florian Obser <florian@openbsd.org> +.\" Copyright (c) 2005 Esben Norby <norby@openbsd.org> +.\" Copyright (c) 2004 Claudio Jeker <claudio@openbsd.org> +.\" Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> +.\" Copyright (c) 2002 Daniel Hartmeier <dhartmei@openbsd.org> +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: July 8 2025 $ +.Dt DHCPLEASED.CONF 5 +.Os +.Sh NAME +.Nm dhcpleased.conf +.Nd DHCP client configuration file +.Sh DESCRIPTION +The +.Xr dhcpleased 8 +daemon is a dynamic host configuration protocol client daemon. +.Pp +The +.Nm +config file is divided into the following main sections: +.Bl -tag -width xxxx +.It Sx Macros +Definitions of variables that can be used later, simplifying the +configuration file. +.It Sx Interfaces +If an interface requires non-default options, they can be defined in +this section. +Most configurations do not require this. +.El +.Ss Macros +A macro is defined with a command of the form +.Ar name Ns = Ns Ar value . +The macro +.Ar name +can contain letters, digits, and underscores and cannot be a reserved word +(for example, +.Ic interface ) . +Within unquoted arguments, the string +.Pf $ Ar name +is later expanded to +.Ar value . +.Ss Interfaces +A list of interfaces to overwrite defaults: +.Bl -tag -width Ds +.It Ic interface Ar name Brq Ar option ... +.Pp +.Ic interface +options are as follows: +.Bl -tag -width Ds +.It Ic ignore dns +Ignore nameservers from leases on this interface. +The default is to not ignore nameservers. +.It Ic ignore routes +Ignore routes from leases on this interface. +The default is to not ignore routes. +.It Ic ignore Ar server-ip +Ignore leases from +.Ar server-ip . +This option can be listed multiple times. +The default is to not ignore servers. +.It Ic prefer ipv6 +Send the IPv6-Only preferred option to the server. +If the server responds with the option, no lease is configured. +.It Ic send client id Ar client-id +Send the DHCP client identifier option with a value of +.Ar client-id . +If +.Ar client-id +consists of a series of octets of two-digit hexadecimal numbers separated by +colons, the first octet is used as the type and the rest as value. +The MAC address 00:53:FF:AA:BB:CC would be configured as: +.Bd -literal -offset indent +send client id "01:00:53:FF:AA:BB:CC" +.Ed +.Pp +Otherwise the string +.Ar client-id +is sent verbatim. +The default is to send the interface's MAC address as client identifier. +.Pp +When +.Ar client-id +is not a hardware address, it is supposed to be sent as hardware type 0 but +the majority of DHCP clients and servers do not implement this and neither +does +.Nm . +If a server is encountered that requires this, a 0 byte can be encoded as \e0. +The client identifier +.Dq foobar +with hardware type 0 would be configured as: +.Bd -literal -offset indent +send client id "\e0foobar" +.Ed +.It Ic send host name Ar host-name +Send the DHCP client host name option with a value of +.Ar host-name . +The default is to send the name of the host. +.It Ic send no host name +Do not send a DHCP host name option. +The default is to send a DHCP host name option with the name of the host. +.It Ic send vendor class id Ar vendor-class-id +Send the DHCP vendor class identifier option with a value of +.Ar vendor-class-id . +The default is to not send a vendor class identifier. +.El +.El +.Sh FILES +.Bl -tag -width /etc/dhcpleased.conf -compact +.It Pa /etc/dhcpleased.conf +.Xr dhcpleased 8 +configuration file. +.El +.Sh SEE ALSO +.Xr dhcpleasectl 8 , +.Xr dhcpleased 8 diff --git a/static/openbsd/man5/disklabel.5 b/static/openbsd/man5/disklabel.5 new file mode 100644 index 00000000..8c9cbe9a --- /dev/null +++ b/static/openbsd/man5/disklabel.5 @@ -0,0 +1,158 @@ +.\" $OpenBSD: disklabel.5,v 1.22 2015/09/10 17:55:21 schwarze Exp $ +.\" $NetBSD: disklabel.5,v 1.3 1995/03/18 14:54:36 cgd Exp $ +.\" +.\" Copyright (c) 1987, 1991, 1993 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" This code is derived from software contributed to Berkeley by +.\" Symmetric Computer Systems. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. Neither the name of the University nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" @(#)disklabel.5.5 8.1 (Berkeley) 6/5/93 +.\" +.Dd $Mdocdate: September 10 2015 $ +.Dt DISKLABEL 5 +.Os +.Sh NAME +.Nm disklabel +.Nd disk pack label +.Sh SYNOPSIS +.In sys/disklabel.h +.Sh DESCRIPTION +Each disk or disk pack on a system may contain a disk label +which provides detailed information +about the geometry of the disk and the partitions into which the disk +is divided. +It should be initialized when the disk is formatted, +and may be changed later with the +.Xr disklabel 8 +program. +This information is used by the system disk driver and by the bootstrap +program to determine how to program the drive +and where to find the filesystems on the disk partitions. +Additional information is used by the filesystem in order +to use the disk most efficiently and to locate important filesystem information. +The description of each partition contains an identifier for the partition +type (standard filesystem, swap area, etc.). +The filesystem updates the in-core copy of the label if it contains +incomplete information about the filesystem. +.Pp +The label is located in sector number +.Dv LABELSECTOR +of the drive, usually sector 0 where it may be found +without any information about the disk geometry. +It is at an offset +.Dv LABELOFFSET +from the beginning of the sector, to allow room for the initial bootstrap. +.Pp +A copy of the in-core label for a disk can be obtained with the +.Dv DIOCGDINFO +.Em ioctl ; +this works with a file descriptor for a block or character +.Pq Dq raw +device for any partition of the disk. +The in-core copy of the label is set by the +.Dv DIOCSDINFO +.Em ioctl . +The offset of a partition cannot generally be changed while it is open, +nor can it be made smaller while it is open. +One exception is that any change is allowed if no label was found +on the disk, and the driver was able to construct only a skeletal label +without partition information. +The +.Dv DIOCWDINFO +.Em ioctl +operation sets the in-core label and then updates the on-disk label; +there must be an existing label on the disk for this operation to succeed. +Thus, the initial label for a disk or disk pack must be installed +by writing to the raw disk. +The +.Dv DIOCGPDINFO +.Em ioctl +operation gets the default label for a disk. +This simulates the case +where there is no physical label on the disk itself and can be used to +see the label the kernel would construct in that case. +The +.Dv DIOCRLDINFO +.Em ioctl +operation causes the kernel to update its copy of the label based on the +physical label on the disk. +It can be used when the on-disk version +of the label was changed directly or, if there is no physical label, +to update the kernel's skeletal label if some variable affecting label +generation has changed (e.g. the fdisk partition table). +All of these operations are normally done using +.Xr disklabel 8 . +.Pp +Note that when a disk has no real +.Bx +disklabel the kernel creates a +default label so that the disk can be used. +This default label will include other partitions found on the disk if +they are supported on your architecture. +For example, on systems that support +.Xr fdisk 8 +partitions the default label will also include DOS and Linux partitions. +However, these entries are not dynamic, they are fixed at the time +.Xr disklabel 8 +is run. +That means that subsequent changes that affect +.Pf non- Ox +partitions will not be present in the default label, though you +may update them by hand. +To see the default label, run +.Xr disklabel 8 +with the +.Fl d +flag. +You can then run +.Xr disklabel 8 +with the +.Fl e +flag and paste any entries you want from the default label into the real +one. +.Sh SEE ALSO +.Xr disktab 5 , +.Xr disklabel 8 +.Sh CAVEATS +.Nm +only supports up to a maximum of 15 partitions, +.Sq a +through +.Sq p , +excluding +.Sq c . +The +.Sq c +partition is reserved for the entire physical disk. +By convention, the +.Sq a +partition of the boot disk is the root partition, and the +.Sq b +partition of the boot disk is the swap partition, +but all other letters can be used in any order for any other +partitions as desired. diff --git a/static/openbsd/man5/doas.conf.5 b/static/openbsd/man5/doas.conf.5 new file mode 100644 index 00000000..c547366a --- /dev/null +++ b/static/openbsd/man5/doas.conf.5 @@ -0,0 +1,153 @@ +.\" $OpenBSD: doas.conf.5,v 1.46 2023/05/03 14:29:57 kn Exp $ +.\" +.\"Copyright (c) 2015 Ted Unangst <tedu@openbsd.org> +.\" +.\"Permission to use, copy, modify, and distribute this software for any +.\"purpose with or without fee is hereby granted, provided that the above +.\"copyright notice and this permission notice appear in all copies. +.\" +.\"THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\"WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\"MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\"ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\"WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\"ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\"OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.Dd $Mdocdate: May 3 2023 $ +.Dt DOAS.CONF 5 +.Os +.Sh NAME +.Nm doas.conf +.Nd doas configuration file +.Sh DESCRIPTION +The +.Xr doas 1 +utility executes commands as other users according to the rules +in the +.Nm +configuration file. +.Pp +The rules have the following format: +.Bd -ragged -offset indent +.Ic permit Ns | Ns Ic deny +.Op Ar options +.Ar identity +.Op Ic as Ar target +.Op Ic cmd Ar command Op Ic args No ... +.Ed +.Pp +Rules consist of the following parts: +.Bl -tag -width 11n +.It Ic permit Ns | Ns Ic deny +The action to be taken if this rule matches. +.It Ar options +Options are: +.Bl -tag -width keepenv +.It Ic nopass +The user is not required to enter a password. +.It Ic nolog +Do not log successful command execution to +.Xr syslogd 8 . +.It Ic persist +After the user successfully authenticates, do not ask for a password +again for some time. +.It Ic keepenv +Environment variables other than those listed in +.Xr doas 1 +are retained when creating the environment for the new process. +.It Ic setenv Brq Oo Ar variable ... Oc Oo Ar variable Ns = Ns Ar value ... Oc +Keep or set the space-separated specified variables. +Variables may also be removed with a leading +.Sq - +or set using the latter syntax. +If the first character of +.Ar value +is a +.Ql $ +then the value to be set is taken from the existing environment +variable of the indicated name. +This option is processed after the default environment has been created. +.El +.It Ar identity +The username to match. +Groups may be specified by prepending a colon +.Pq Sq \&: . +Numeric IDs are also accepted. +.It Ic as Ar target +The target user the running user is allowed to run the command as. +The default is all users. +.It Ic cmd Ar command +The command the user is allowed or denied to run. +The default is all commands. +Be advised that it is best to specify absolute paths. +If a relative path is specified, only a restricted +.Ev PATH +will be searched. +.It Ic args Op Ar argument ... +Arguments to command. +The command arguments provided by the user need to match those specified. +The keyword +.Ic args +alone means that command must be run without any arguments. +.El +.Pp +The last matching rule determines the action taken. +If no rule matches, the action is denied. +.Pp +Comments can be put anywhere in the file using a hash mark +.Pq Sq # , +and extend to the end of the current line. +.Pp +The following quoting rules apply: +.Bl -dash +.It +The text between a pair of double quotes +.Pq Sq \&" +is taken as is. +.It +The backslash character +.Pq Sq \e +escapes the next character, including new line characters, outside comments; +as a result, comments may not be extended over multiple lines. +.It +If quotes or backslashes are used in a word, +it is not considered a keyword. +.El +.Sh FILES +.Bl -tag -width /etc/examples/doas.conf -compact +.It Pa /etc/doas.conf +.Xr doas 1 +configuration file. +.It Pa /etc/examples/doas.conf +Example configuration file. +.El +.Sh EXAMPLES +The following example permits user aja to install packages +from a preferred mirror; +group wheel to execute commands as any user while keeping the environment +variables +.Ev PS1 +and +.Ev SSH_AUTH_SOCK +and +unsetting +.Ev ENV ; +permits tedu to run procmap as root without a password; +and additionally permits root to run unrestricted commands as itself +while retaining the original PATH. +.Bd -literal -offset indent +permit persist setenv { PKG_CACHE PKG_PATH } aja cmd pkg_add +permit setenv { -ENV PS1=$DOAS_PS1 SSH_AUTH_SOCK } :wheel +permit nopass tedu as root cmd /usr/sbin/procmap +permit nopass keepenv setenv { PATH } root as root +.Ed +.Sh SEE ALSO +.Xr doas 1 , +.Xr syslogd 8 +.Sh HISTORY +The +.Nm +configuration file first appeared in +.Ox 5.8 . +.Sh AUTHORS +.An Ted Unangst Aq Mt tedu@openbsd.org diff --git a/static/openbsd/man5/dvmrpd.conf.5 b/static/openbsd/man5/dvmrpd.conf.5 new file mode 100644 index 00000000..95da407e --- /dev/null +++ b/static/openbsd/man5/dvmrpd.conf.5 @@ -0,0 +1,173 @@ +.\" $OpenBSD: dvmrpd.conf.5,v 1.14 2025/07/08 14:26:45 schwarze Exp $ +.\" +.\" Copyright (c) 2005, 2006 Esben Norby <norby@openbsd.org> +.\" Copyright (c) 2004 Claudio Jeker <claudio@openbsd.org> +.\" Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> +.\" Copyright (c) 2002 Daniel Hartmeier <dhartmei@openbsd.org> +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: July 8 2025 $ +.Dt DVMRPD.CONF 5 +.Os +.Sh NAME +.Nm dvmrpd.conf +.Nd DVMRP routing daemon configuration file +.Sh DESCRIPTION +The +.Xr dvmrpd 8 +daemon implements the Distance Vector Multicast Routing Protocol as described +in draft-ietf-idmr-dvmrp-v3-11 DVMRP Version 3. +.Pp +The +.Nm +config file is divided into the following main sections: +.Bl -tag -width xxxx +.It Sx Macros +Definitions of variables that can be used later, simplifying the +configuration file. +.It Sx Global configuration +Global settings for +.Xr dvmrpd 8 . +A number of global settings can be overruled in specific areas or interfaces. +.It Sx Groups +Groups are used to group similar interfaces, simplifying configuration. +.El +.Ss Macros +A macro is defined with a command of the form +.Ar name Ns = Ns Ar value . +The macro +.Ar name +can contain letters, digits, and underscores and cannot be a reserved word +(for example, +.Ic area , +.Ic interface , +or +.Ic hello-interval ) . +Within unquoted arguments, the string +.Pf $ Ar name +is later expanded to +.Ar value . +.Pp +For example: +.Bd -literal -offset indent +hi="60" +group { + interface em0 { + query-interval $hi + } +} +.Ed +.Pp +The same can be accomplished by specifying the query-interval +globally or within the group declaration. +.Ss Global configuration +All interface related settings can be configured globally, per group and per +interface. +The only settings that can be set globally and not overruled are listed below. +.Bl -tag -width Ds +.It Xo +.Ic mfc-update +.Pq Ic yes Ns | Ns Ic no +.Xc +If set to +.Ic yes , +the kernel Multicast Forwarding Cache is updated with information from the +daemon. +The default is +.Ic yes . +.El +.Ss Groups +Groups can be used to easily configure similar interfaces. +All interface-specific parameters can +be configured per group, overruling the global settings. +.Bl -tag -width Ds +.It Ic group +Specify a group section, grouping one or more interfaces. +.Bd -literal -offset indent +group { + robustness 4 + + interface em0 + interface em1 +} +.Ed +.El +.Ss Interfaces +Each interface can have several parameters configured individually, otherwise +they are inherited. +.Bd -literal -offset indent +interface em0 { +} +.Ed +.Pp +Interface-specific parameters are listed below. +.Bl -tag -width Ds +.It Ic igmp-version Ar number +Do not use a newer version than specified. +Valid range 1\(en2. +The default version used is 2. +.It Ic last-member-query-count Ar count +The default value is equal to the default robustness variable; +valid range is 1\(en255. +.It Ic last-member-query-interval Ar seconds +The default value is 10; valid range is 1\(en65535. +.It Ic metric Ar cost +Set the interface metric a.k.a. cost. +The default value is 1; valid range is +1\(en31. +.It Ic passive +Prevent transmission and reception of IGMP and DVMRP packets on this interface. +.It Ic query-interval Ar seconds +Set the query interval. +The default value is 125 seconds; valid range is 1\(en65535 seconds. +.It Ic query-response-interval Ar seconds +Set the query-response-interval; note that this must be less +than the query-interval. +The default value is 100 seconds; valid range is 1\(en65535 seconds. +.It Ic robustness Ar factor +Set the robustness factor; note that this value might +have an impact on other variables. +The default value is 2; valid range is 1\(en4. +.It Ic startup-query-count Ar count +Set the startup-query-interval, used during startup to speed up the process of +building the IGMP table for an interface. +The default value is equal to the default robustness variable; valid range is +the same as the robustness variable. +.It Ic startup-query-interval Ar seconds +Used during startup, see the startup-query-interval. +The default value is query-interval / 4; valid range is the same as the +query-interval. +.El +.Sh FILES +.Bl -tag -width /etc/examples/dvmrpd.conf -compact +.It Pa /etc/dvmrpd.conf +.Xr dvmrpd 8 +configuration file. +.It Pa /etc/examples/dvmrpd.conf +Example configuration file. +.El +.Sh SEE ALSO +.Xr dvmrpctl 8 , +.Xr dvmrpd 8 , +.Xr rc.conf.local 8 +.Rs +.%R "draft-ietf-idmr-dvmrp-v3-11" +.%T "DVMRP Version 3" +.%D August 2000 +.Re +.Sh HISTORY +The +.Nm +file format first appeared in +.Ox 4.0 . diff --git a/static/openbsd/man5/editrc.5 b/static/openbsd/man5/editrc.5 new file mode 100644 index 00000000..43dc1ccd --- /dev/null +++ b/static/openbsd/man5/editrc.5 @@ -0,0 +1,318 @@ +.\" $OpenBSD: editrc.5,v 1.33 2020/04/23 21:28:08 jmc Exp $ +.\" $NetBSD: editrc.5,v 1.31 2016/04/28 15:50:34 christos Exp $ +.\" +.\" Copyright (c) 1997-2000 The NetBSD Foundation, Inc. +.\" All rights reserved. +.\" +.\" This file was contributed to The NetBSD Foundation by Luke Mewburn. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS +.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED +.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS +.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +.\" POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd $Mdocdate: April 23 2020 $ +.Dt EDITRC 5 +.Os +.Sh NAME +.Nm editrc +.Nd configuration file for editline library +.Sh DESCRIPTION +The +.Nm +file defines various settings to be used by the +.Xr editline 3 +library. +.Pp +The format of each line is: +.Pp +.Dl [prog:]command [arg ...] +.Pp +.Ar command +is one of the +.Xr editline 3 +builtin commands. +Refer to +.Sx BUILTIN COMMANDS +for more information. +.Pp +.Ar prog +is the program name string that a program defines when it calls +.Xr el_init 3 +to set up +.Xr editline 3 , +which is usually +.Va argv[0] . +.Ar command +will be executed for any program which matches +.Ar prog . +.Pp +.Ar prog +may also be a +.Xr regex 3 +style +regular expression, in which case +.Ar command +will be executed for any program that matches the regular expression. +.Pp +If +.Ar prog +is absent, +.Ar command +is executed for all programs. +.Sh BUILTIN COMMANDS +The +.Nm editline +library has some builtin commands, which affect the way +that the line editing and history functions operate. +These are based on similar named builtins present in the tcsh shell. +.Pp +The following builtin commands are available: +.Bl -tag -width 4n +.It Ic bind Oo Fl aeklrsv Oc Op Ar key Op Ar command +Without options and arguments, list all bound keys and macros, and +the editor command or input string to which each one is bound. +If only +.Ar key +is supplied, show the binding for that key or macro. +If +.Ar key command +is supplied, bind the editor +.Ar command +to that key or macro. +.Pp +The options are as follows: +.Bl -tag -width 4n +.It Fl a +List or change key bindings in the +.Xr vi 1 +mode alternate (command mode) key map. +.It Fl e +Bind all keys to the standard GNU Emacs-like bindings. +.It Fl k +.Ar key +is interpreted as a symbolic arrow key name, which may be one of +.Sq up , +.Sq down , +.Sq left +or +.Sq right . +.It Fl l +List all editor commands and a short description of each. +.It Fl r +Remove the binding of the key or macro +.Ar key . +.It Fl s +Define a keyboard macro rather than a key binding or command macro: +.Ar command +is taken as a literal string and appended to the input queue whenever +.Ar key +is typed. +Bound keys and macros in +.Ar command +are themselves reinterpreted, and this continues for ten levels of +interpretation. +.It Fl v +Bind all keys to the standard +.Xr vi 1 Ns -like +bindings. +.El +.Pp +The +.Xr editline 7 +manual documents all editor commands and contains more information +about macros and the input queue. +.Pp +.Ar key +and +.Ar command +can contain control characters of the form +.Sm off +.Sq No ^ Ar character +.Sm on +.Po +e.g.\& +.Sq ^A +.Pc , +and the following backslashed escape sequences: +.Pp +.Bl -tag -compact -offset indent -width 4n +.It Ic \ea +Bell +.It Ic \eb +Backspace +.It Ic \ee +Escape +.It Ic \ef +Formfeed +.It Ic \en +Newline +.It Ic \er +Carriage return +.It Ic \et +Horizontal tab +.It Ic \ev +Vertical tab +.Sm off +.It Sy \e Ar nnn +.Sm on +The ASCII character corresponding to the octal number +.Ar nnn . +.El +.Pp +.Sq \e +nullifies the special meaning of the following character, +if it has any, notably +.Sq \e +and +.Sq ^ . +.It Ic echotc Oo Fl sv Oc Ar arg ... +Exercise terminal capabilities given in +.Ar arg ... . +If +.Ar arg +is +.Sq baud , +.Sq cols , +.Sq lines , +.Sq rows , +.Sq meta , +or +.Sq tabs , +the value of that capability is printed, with +.Dq yes +or +.Dq no +indicating that the terminal does or does not have that capability. +.Pp +.Fl s +returns an empty string for non-existent capabilities, rather than +causing an error. +.Fl v +causes messages to be verbose. +.It Ic edit Op Li on | Li off +Enable or disable the +.Nm editline +functionality in a program. +.It Ic history Ar list | Ar size Dv n | Ar unique Dv n +The +.Ar list +command lists all entries in the history. +The +.Ar size +command sets the history size to +.Dv n +entries. +The +.Ar unique +command controls if history should keep duplicate entries. +If +.Dv n +is non zero, only keep unique history entries. +If +.Dv n +is zero, then keep all entries (the default). +.It Ic settc Ar cap val +Set the terminal capability +.Ar cap +to +.Ar val , +as defined in +.Xr termcap 5 . +No sanity checking is done. +.It Ic setty Xo +.Op Fl adqx +.Op Ar +mode +.Op Ar -mode +.Op Ar mode +.Op Ar char=c +.Xc +Control which tty modes that +.Nm +won't allow the user to change. +.Fl d , +.Fl q +or +.Fl x +tells +.Ic setty +to act on the +.Sq edit , +.Sq quote +or +.Sq execute +set of tty modes respectively; defaulting to +.Fl x . +.Pp +Without other arguments, +.Ic setty +lists the modes in the chosen set which are fixed on +.Po +.Sq +mode +.Pc +or off +.Po +.Sq -mode +.Pc . +.Fl a +lists all tty modes in the chosen set regardless of the setting. +With +.Ar +mode , +.Ar -mode +or +.Ar mode , +fixes +.Ar mode +on or off or removes control of +.Ar mode +in the chosen set. +.Pp +.Ic Setty +can also be used to set tty characters to particular values using +.Ar char=value . +If +.Ar value +is empty +then the character is set to +.Dv _POSIX_VDISABLE . +.It Ic telltc +List the values of all the terminal capabilities (see +.Xr termcap 5 ) . +.El +.Sh FILES +.Bl -tag -width "~/.editrcXXX" +.It Pa ~/.editrc +User configuration file for the +.Xr editline 3 +library. +.El +.Sh SEE ALSO +.Xr editline 3 , +.Xr regex 3 , +.Xr termcap 5 , +.Xr editline 7 +.Sh AUTHORS +.An -nosplit +The +.Nm editline +library was written by +.An Christos Zoulas , +and this manual was written by +.An Luke Mewburn , +with some sections inspired by tcsh. diff --git a/static/openbsd/man5/eigrpd.conf.5 b/static/openbsd/man5/eigrpd.conf.5 new file mode 100644 index 00000000..2c8a9fca --- /dev/null +++ b/static/openbsd/man5/eigrpd.conf.5 @@ -0,0 +1,295 @@ +.\" $OpenBSD: eigrpd.conf.5,v 1.14 2026/01/18 16:38:02 schwarze Exp $ +.\" +.\" Copyright (c) 2015 Renato Westphal <renato@openbsd.org> +.\" Copyright (c) 2005 Esben Norby <norby@openbsd.org> +.\" Copyright (c) 2004 Claudio Jeker <claudio@openbsd.org> +.\" Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> +.\" Copyright (c) 2002 Daniel Hartmeier <dhartmei@openbsd.org> +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: January 18 2026 $ +.Dt EIGRPD.CONF 5 +.Os +.Sh NAME +.Nm eigrpd.conf +.Nd EIGRP routing daemon configuration file +.Sh DESCRIPTION +The +.Xr eigrpd 8 +daemon implements the Enhanced Interior Gateway Routing Protocol. +.Pp +The +.Nm +config file is divided into the following main sections: +.Bl -tag -width xxxx +.It Sx Macros +Definitions of variables that can be used later, simplifying the +configuration file. +.It Sx Global configuration +Global settings for +.Xr eigrpd 8 . +.It Sx Routing instances +Multiple routing instances can be defined. +Routing instances are defined hierarchically +by address-family and then autonomous-system. +.It Sx Interfaces configuration +Interface-specific parameters. +.El +.Pp +Arguments not beginning with a letter, digit, or underscore +must be quoted. +.Pp +Additional configuration files can be included with the +.Ic include +keyword, for example: +.Bd -literal -offset indent +include "/etc/eigrpd.sub.conf" +.Ed +.Ss Macros +A macro is defined with a command of the form +.Ar name Ns = Ns Ar value . +The macro +.Ar name +can contain letters, digits, and underscores and cannot be a reserved word +(for example, +.Ic bandwidth , +.Ic interface , +or +.Ic hello-interval ) . +Within unquoted arguments, the string +.Pf $ Ar name +is later expanded to +.Ar value . +.Pp +For example: +.Bd -literal -offset indent +fastethernet="100000" +address-family ipv4 { + autonomous-system 1 { + interface em1 { + bandwidth $fastethernet + } + } +} +.Ed +.Pp +The same can be accomplished by specifying the bandwidth +globally or within the address-family or autonomous-system declaration. +.Sx Global configuration +Several settings can be configured globally, per address-family, per +autonomous-system and per interface. +The only settings that can be set globally and not overruled are listed below. +.Bl -tag -width Ds +.It Ic fib-priority-internal Ar prio +Set the routing priority of EIGRP internal routes to +.Ar prio . +The default is 28. +.It Ic fib-priority-external Ar prio +Set the routing priority of EIGRP external routes to +.Ar prio . +This option may be used as a simple loop-prevention mechanism when another +routing protocol is being redistributed into EIGRP. +The default is 28. +.It Ic fib-priority-summary Ar prio +Set the routing priority of EIGRP summary routes to +.Ar prio . +The default is 28. +.It Xo +.Ic fib-update +.Pq Ic yes Ns | Ns Ic no +.Xc +If set to +.Ic \&no , +do not update the Forwarding Information Base, a.k.a. the kernel +routing table. +The default is +.Ic yes . +.It Ic rdomain Ar tableid +Specifies the routing table +.Xr eigrpd 8 +should modify. +Table 0 is the default table. +.It Ic router-id Ar address +Set the router ID; if not specified, the numerically lowest IP address of +the router will be used. +.El +.Ss Routing instances +Multiple routing instances can be defined. +Routing instances are defined hierarchically +by address-family and then autonomous-system. +.Bd -literal -offset indent +address-family ipv4 { + ... + autonomous-system 1 { + ... + interface em0 { + ... + } + } +} +.Ed +.Pp +Routing-instance specific parameters are listed below. +.Bl -tag -width Ds +.It Ic active-timeout Ar minutes +Set the maximum time to wait before declaring a route to be in the stuck +in active state. +If 0 is given, the active timeout is disabled. +The default value is 3; valid range is 0\-65535. +.It Xo +.Ic address-family +.Pq Ic ipv4 Ns | Ns Ic ipv6 +.Xc +Specify an address-family section, grouping one or more autonomous-systems. +.It Ic autonomous-system Ar number +Specify the autonomous-system, grouping one or more interfaces. +Valid range is 1\-65535. +.It Ic default-metric Ar bandwidth delay reliability load mtu +Specify a default metric for all routes redistributed into EIGRP. +Valid ranges are: 1\-10000000 for the bandwidth, 1\-16777215 for the delay, +1\-255 for the reliability, 1\-255 for the load and 1\-65535 for the mtu. +.It Ic k-values Ar K1 Ar K2 Ar K3 Ar K4 Ar K5 Ar K6 +Set the coefficients used by the composite metric calculation. +Two routers become neighbors only if their K-values are the same. +For K1 and K3, The default value is 1. +For K2, K4, K5 and K6 the default value is 0; +valid range is 1\-254. +.It Ic maximum-hops Ar number +Advertise as unreachable the routes with a hop count higher than specified. +The default value is 100; valid range is 1\-255. +.It Ic maximum-paths Ar number +Specify the maximum number of ECMP paths to be installed in the FIB for +each route. +The default value is 4; valid range is 1\-32. +.It Xo +.Op Ic no +.Ic redistribute +.Sm off +.Po Ic static Ns | Ns Ic connected Ns | Ns Ic ospf | Ns Ic rip | Ns +.Ic default Pc +.Sm on +.Op Ic metric Ar bandwidth delay reliability load mtu +.Xc +.It Xo +.Op Ic no +.Ic redistribute Ar prefix +.Op Ic metric Ar bandwidth delay reliability load mtu +.Xc +If set to +.Ic connected , +routes to directly attached networks will be announced over EIGRP. +If set to +.Ic static , +static routes will be announced over EIGRP. +If set to +.Ic ospf , +OSPF routes will be announced over EIGRP. +If set to +.Ic rip , +RIP routes will be announced over EIGRP. +If set to +.Ic default , +a default route pointing to this router will be announced over EIGRP. +It is possible to specify a network range with +.Ar prefix ; +networks need to be part of that range to be redistributed. +By default no additional routes will be announced over EIGRP. +.Pp +.Ic redistribute +statements are evaluated in sequential order, from first to last. +The first matching rule decides if a route should be redistributed or not. +Matching rules starting with +.Ic no +will force the route to be not announced. +The only exception is +.Ic default , +which will be set no matter what, and additionally +.Ic no +cannot be used together with it. +.Pp +It is possible to set the route +.Ic metric +for each redistribute rule. +.It Ic variance Ar multiplier +Set the variance used to permit the installation of feasible successors in the +FIB if their metric is lower than the metric of the successor multiplied by the +specified multiplier. +The default value is 1; valid range is 1\-128. +.El +.Ss Interfaces configuration +Each interface can have several parameters configured individually, otherwise +they are inherited. +Interfaces can pertain to multiple routing instances. +An interface is specified by its name. +.Bd -literal -offset indent +interface em0 { + ... +} +.Ed +.Pp +Interface-specific parameters are listed below. +.Bl -tag -width Ds +.It Ic bandwidth Ar bandwidth +Set the interface bandwidth in kilobits per second. +The bandwidth is used as part of the EIGRP composite metric. +The default value is 100000; valid range is 1\-10000000. +.It Ic delay Ar delay +Set the interface delay in tens of microseconds. +The delay is used as part of the EIGRP composite metric. +The default value is 10; valid range is 1\-16777215. +.It Ic hello-interval Ar seconds +Set the hello interval. +The default value is 5; valid range is 1\-65535 seconds. +.It Ic holdtime Ar seconds +Set the hello holdtime. +The default value is 15; valid range is 1\-65535 seconds. +.It Ic passive +Prevent transmission and reception of EIGRP packets on this interface. +.It Xo +.Ic split-horizon +.Pq Ic yes Ns | Ns Ic no +.Xc +If set to +.Ic \&no , +the split horizon rule will be disabled on this interface. +This option should be used with caution since it can introduce routing loops +in point-to-point or broadcast networks. +The default is +.Ic yes . +.It Ic summary-address Ar address Ns Li / Ns Ar len +Configure a summary aggregate address for this interface. +Multiple summary addresses can be configured. +.El +.Sh FILES +.Bl -tag -width /etc/examples/eigrpd.conf -compact +.It Pa /etc/eigrpd.conf +.Xr eigrpd 8 +configuration file. +.It Pa /etc/examples/eigrpd.conf +Example configuration file. +.El +.Sh SEE ALSO +.Xr eigrpctl 8 , +.Xr eigrpd 8 , +.Xr rc.conf.local 8 +.Sh HISTORY +The +.Nm +file format first appeared in +.Ox 5.9 . +.Sh AUTHORS +The +.Xr eigrpd 8 +program was written by +.An Renato Westphal Aq Mt renato@openbsd.org . diff --git a/static/openbsd/man5/exports.5 b/static/openbsd/man5/exports.5 new file mode 100644 index 00000000..2c1de1fd --- /dev/null +++ b/static/openbsd/man5/exports.5 @@ -0,0 +1,291 @@ +.\" $OpenBSD: exports.5,v 1.27 2020/05/16 16:58:11 jmc Exp $ +.\" $NetBSD: exports.5,v 1.9 1996/02/18 11:57:50 fvdl Exp $ +.\" +.\" Copyright (c) 1989, 1991, 1993 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. Neither the name of the University nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" @(#)exports.5 8.3 (Berkeley) 3/29/95 +.\" +.Dd $Mdocdate: May 16 2020 $ +.Dt EXPORTS 5 +.Os +.Sh NAME +.Nm exports +.Nd define remote mount points for NFS mount requests +.Sh DESCRIPTION +The +.Nm +file specifies remote mount points for the NFS +mount protocol per the NFS server specification; see +.%T "Network File System Protocol Specification" , +RFC 1094, Appendix A and +.%T "NFS: Network File System Version 3 Specification" , +RFC 1813, Appendix I. +.Pp +Each line in the file +(other than comment lines that begin with a +.Dq # ) +specifies the mount point(s) and export flags within one local server +filesystem for one or more hosts. +A host may be specified only once for each local filesystem on the +server and there may be only one default entry for each server +filesystem that applies to all other hosts. +The latter exports the filesystem to the +.Dq world +and should +be used only when the filesystem contains public information. +.Pp +In a mount entry, +the first field(s) specify the directory path(s) within a server filesystem +that can be mounted on by the corresponding client(s). +There are two forms of this specification. +The first is to list all mount points as absolute +directory paths separated by whitespace. +The second is to specify the pathname of the root of the filesystem +followed by the +.Fl alldirs +flag; +this form allows the host(s) to mount at any point within the filesystem, +including regular files. +The pathnames must not have any symbolic links in them and should not have +any +.Dq \&. +or +.Dq \&.\&. +components. +Mount points for a filesystem may appear on multiple lines each with +different sets of hosts and export options. +.Pp +The second component of a line specifies how the filesystem is to be +exported to the host set. +The option flags specify whether the filesystem +is exported read-only or read-write and how the client UID is mapped to +user credentials on the server. +.Pp +Export options are specified as follows: +.Pp +.Sm off +.Fl maproot No = Ar user +.Sm on +The credential of the specified user is used for remote access by root. +The credential includes all the groups to which the user is a member +on the local machine (see +.Xr id 1 ) . +The +.Ar user +may be specified by name or number. +.Pp +.Sm off +.Fl maproot No = Ar user:group1:group2:... +.Sm on +The colon separated list is used to specify the precise credential +to be used for remote access by root. +The elements of the list may be either names or numbers. +Note that user: should be used to distinguish a credential containing +no groups from a complete credential for that user. +.Pp +.Sm off +.Fl mapall No = Ar user +.Sm on +or +.Sm off +.Fl mapall No = Ar user:group1:group2:... +.Sm on +Specifies a mapping for all client UIDs (including root) +using the same semantics as +.Fl maproot . +.Pp +The option +.Fl r +is a synonym for +.Fl maproot +in an effort to be backward compatible with older export file formats. +.Pp +In the absence of +.Fl maproot +and +.Fl mapall +options, remote accesses by root will result in using a credential of -2:-2. +All other users will be mapped to their remote credential. +If a +.Fl maproot +option is given, +remote access by root will be mapped to that credential instead of -2:-2. +If a +.Fl mapall +option is given, +all users (including root) will be mapped to that credential in +place of their own. +.Pp +The +.Fl ro +option specifies that the filesystem should be exported read-only +(default read/write). +The option +.Fl o +is a synonym for +.Fl ro +in an effort to be backward compatible with older export file formats. +.Pp +The third component of a line specifies the host set to which the line applies. +The set may be specified in three ways. +The first way is to list the host name(s) separated by whitespace. +(Standard internet +.Dq dot +addresses may be used in place of names.) +The second way is to specify a +.Dq netgroup +as defined in the netgroup file (see +.Xr netgroup 5 ) . +The third way is to specify an internet subnetwork using a network and +network mask that is defined as the set of all hosts with addresses within +the subnetwork. +This latter approach requires less overhead within the +kernel and is recommended for cases where the export line refers to a +large number of clients within an administrative subnet. +.Pp +The first two cases are specified by simply listing the name(s) separated +by whitespace. +All names are checked to see if they are +.Dq netgroup +names +first and are assumed to be hostnames otherwise. +Using the full domain specification for a hostname can normally +circumvent the problem of a host that has the same name as a netgroup. +The third case is specified by the flag +.Sm off +.Fl network No = Ar netname +.Sm on +and optionally +.Sm off +.Fl mask No = Ar netmask . +.Sm on +If the mask is not specified, it will default to the mask for that network +class (A, B or C; see +.Xr inet_addr 3 ) . +.Pp +For example: +.Bd -literal -offset indent +/usr /usr/local -maproot=0:10 friends +/usr -maproot=daemon grumpy.cis.uoguelph.ca 131.104.48.16 +/usr -ro -mapall=nobody +/u -maproot=bin: -network=131.104.48 -mask=255.255.255.0 +/u2 -maproot=root friends +/u2 -alldirs -network=cis-net -mask=cis-mask +.Ed +.Pp +Given that +.Pa /usr , +.Pa /u +and +.Pa /u2 +are +local filesystem mount points, the above example specifies the following: +.Pa /usr +is exported to hosts +.Em friends +where +.Em friends +is specified in the netgroup file +with users mapped to their remote credentials and +root mapped to UID 0 and GID 10. +It is exported read-write and the hosts in +.Dq friends +can mount either +.Pa /usr +or +.Pa /usr/local . +It is exported to +.Em 131.104.48.16 +and +.Em grumpy.cis.uoguelph.ca +with users mapped to their remote credentials and +root mapped to the user and groups associated with +.Dq daemon ; +it is exported to the rest of the world as read-only with +all users mapped to the user and groups associated with +.Dq nobody . +.Pp +.Pa /u +is exported to all hosts on the subnetwork +.Em 131.104.48 +with root mapped to the UID for +.Dq bin +and with no group access. +.Pp +.Pa /u2 +is exported to the hosts in +.Dq friends +with root mapped to UID and groups +associated with +.Dq root ; +it is exported to all hosts on network +.Dq cis-net +allowing mounts at any +directory within /u2. +.Sh FILES +.Bl -tag -width /etc/examples/exports -compact +.It Pa /etc/exports +Default remote mount point file. +.It Pa /etc/examples/exports +Example remote mount point file. +.El +.Sh SEE ALSO +.Xr netgroup 5 , +.Xr mountd 8 , +.Xr nfsd 8 , +.Xr showmount 8 +.Sh BUGS +The export options are tied to the local mount points in the kernel and +must be non-contradictory for any exported subdirectory of the local +server mount point. +It is recommended that all exported directories within the same server +filesystem be specified on adjacent lines going down the tree. +You cannot specify a hostname that is also the name of a netgroup. +Specifying the full domain specification for a hostname can normally +circumvent the problem. +.Pp +Regarding +.Fl alldirs , +because NFS mount filehandles are filesystem wide the +.Fl alldirs +option applies to exports of the entire filesystem \(em even mount points +that are higher up elsewhere in the directory hierarchy. +Hence if the server has a filesystem +.Pa /export +and you wished to export the sub-directory +.Bd -literal -offset indent +/export/root/client -alldirs client.foo.com +.Ed +.Pp +you must realize that this also allows mounts to be requested +against other locations in the +.Pa /export +filesystem; thus the host client.foo.com is also permitted to +mount the directory +.Pa /export/root/client2 +if it exists. diff --git a/static/openbsd/man5/forward.5 b/static/openbsd/man5/forward.5 new file mode 100644 index 00000000..f0bb8493 --- /dev/null +++ b/static/openbsd/man5/forward.5 @@ -0,0 +1,82 @@ +.\" $OpenBSD: forward.5,v 1.12 2024/09/05 06:33:04 jmc Exp $ +.\" +.\" Copyright (c) 2012 Gilles Chehade <gilles@poolp.org> +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: September 5 2024 $ +.Dt FORWARD 5 +.Os +.Sh NAME +.Nm forward +.Nd email forwarding information file +.Sh DESCRIPTION +Users may put a +.Nm .forward +file in their home directory. +If this file exists, +.Xr smtpd 8 +forwards email to the destinations specified therein. +.Pp +A +.Nm .forward +file contains a list of expansion values, as described in +.Xr aliases 5 . +Each expansion value should be on a line by itself. +Expansion is performed under the user ID of the +.Nm .forward +file owner. +.Pp +Permissions on the +.Nm .forward +file are very strict and expansion is rejected if the file is +group or world-writable; +if the home directory is group writeable; +or if the file is not owned by the user. +.Pp +Users should avoid editing the +.Nm .forward +file directly, to prevent delivery failures from occurring if a message +arrives while the file is not fully written. +The best option is to use a temporary file and use the +.Xr mv 1 +command to atomically overwrite the former +.Nm .forward . +Alternatively, setting the +.Xr sticky 8 +bit on the home directory will cause the +.Nm .forward +lookup to return a temporary failure, causing mails to be deferred. +.Sh FILES +.Bl -tag -width "~/.forwardXXX" -compact +.It Pa ~/.forward +Email forwarding information. +.El +.Sh EXAMPLES +The following file forwards mail to +.Dq user@example.com , +and pipes the same mail to +.Dq examplemda . +.Bd -literal -offset indent +# empty lines are ignored + +user@example.com # anything after # is ignored +"|/path/to/examplemda" +.Ed +.Sh SEE ALSO +.Xr aliases 5 , +.Xr smtpd 8 +.Sh CAVEATS +The pipe +.Sq | +and :include: mechanisms are not allowed for the root user. diff --git a/static/openbsd/man5/gettytab.5 b/static/openbsd/man5/gettytab.5 new file mode 100644 index 00000000..3dbbddb3 --- /dev/null +++ b/static/openbsd/man5/gettytab.5 @@ -0,0 +1,346 @@ +.\" $OpenBSD: gettytab.5,v 1.28 2017/05/27 09:31:13 deraadt Exp $ +.\" Copyright (c) 1983, 1991, 1993 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. Neither the name of the University nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" from: @(#)gettytab.5 8.4 (Berkeley) 4/19/94 +.\" +.Dd $Mdocdate: May 27 2017 $ +.Dt GETTYTAB 5 +.Os +.Sh NAME +.Nm gettytab +.Nd terminal configuration database +.Sh DESCRIPTION +The +.Nm +file +is a simplified version of the +.Xr termcap 5 +database +used to describe terminal lines. +The initial terminal login process +.Xr getty 8 +accesses the +.Nm +file each time it starts, allowing simpler +reconfiguration of terminal characteristics. +Each entry in the database +is used to describe one class of terminals. +.Pp +There is a default terminal class, +.Em default , +that is used to set global defaults for all other classes. +(That is, the +.Em default +entry is read, then the entry for the class required +is used to override particular settings.) +.Sh CAPABILITIES +Refer to +.Xr termcap 5 +for a description of the file layout. +The +.Em default +column below lists defaults obtained if there is +no entry in the table obtained, nor one in the special +.Em default +table. +.Bl -column "Name" "Type" "Default" "Description" +.It Sy Name Ta Sy Type Ta Sy Default Ta Sy Description +.It ap Ta bool Ta false Ta "Terminal uses any parity." +.It bk Ta str Ta 0377 Ta "Alternative end-of-line character (input break)." +.It c0 Ta num Ta unused Ta "TTY control flags to write messages." +.It c1 Ta num Ta unused Ta "TTY control flags to read login name." +.It c2 Ta num Ta unused Ta "TTY control flags to leave terminal as." +.It ce Ta bool Ta false Ta "Use CRT erase algorithm." +.It ck Ta bool Ta false Ta "Use CRT kill algorithm." +.It cl Ta str Ta Dv NULL Ta "Screen clear sequence." +.It co Ta bool Ta false Ta "Console; add" +.Ql \en +after login prompt. +.It ds Ta str Ta So Li ^Y Sc Ta "Delayed suspend character." +.It dx Ta bool Ta false Ta "Set" +.Dv DECCTLQ . +.It ec Ta bool Ta false Ta "Leave echo OFF." +.It ep Ta bool Ta false Ta "Terminal uses even parity." +.It er Ta str Ta So Li ^? Sc Ta "Erase character." +.It et Ta str Ta So Li ^D Sc Ta "End of text" +.Pq Dv EOF +character. +.It ev Ta str Ta Dv NULL Ta "Initial environment." +.It fl Ta str Ta So Li ^O Sc Ta "Output flush character." +.It hc Ta bool Ta false Ta "\&Do" +.Em not +hangup line on last close. +.It hn Ta str Ta hostname Ta "Hostname." +.It ht Ta bool Ta false Ta "Terminal has real tabs." +.It i0 Ta num Ta unused Ta "TTY input flags to write messages." +.It i1 Ta num Ta unused Ta "TTY input flags to read login name." +.It i2 Ta num Ta unused Ta "TTY input flags to leave terminal as." +.It ig Ta bool Ta false Ta "Ignore garbage characters in login name." +.It im Ta str Ta Dv NULL Ta "Initial (banner) message." +.It in Ta str Ta So Li ^C Sc Ta "Interrupt character." +.It is Ta num Ta unused Ta "Input speed." +.It kl Ta str Ta So Li ^U Sc Ta "Kill character." +.It l0 Ta num Ta unused Ta "TTY local flags to write messages." +.It l1 Ta num Ta unused Ta "TTY local flags to read login name." +.It l2 Ta num Ta unused Ta "TTY local flags to leave terminal as." +.It lc Ta bool Ta false Ta "Terminal has lower case." +.It lm Ta str Ta login: Ta "Login prompt." +.It ln Ta str Ta So Li ^V Sc Ta "``Literal next'' character." +.It lo Ta str Ta Pa /usr/bin/login Ta "Program to execute when name obtained." +.It mb Ta bool Ta false Ta "\&Do flow control based on carrier." +.It nl Ta bool Ta false Ta "Terminal has (or might have) a newline character." +.It np Ta bool Ta false Ta "Terminal uses no parity (i.e., 8-bit characters)." +.It nx Ta str Ta default Ta "Next table (for auto speed selection)." +.It o0 Ta num Ta unused Ta "TTY output flags to write messages." +.It o1 Ta num Ta unused Ta "TTY output flags to read login name." +.It o2 Ta num Ta unused Ta "TTY output flags to leave terminal as." +.It op Ta bool Ta false Ta "Terminal uses odd parity." +.It os Ta num Ta unused Ta "Output speed." +.It pc Ta str Ta So Li \e0 Sc Ta "Pad character." +.It pe Ta bool Ta false Ta "Use printer (hard copy) erase algorithm." +.It pf Ta num Ta 0 Ta "Delay" +between first prompt and following flush (seconds). +.It ps Ta bool Ta false Ta "Line connected to a MICOM port selector." +.It qu Ta str Ta So Li \&^\e Sc Ta "Quit character." +.It rp Ta str Ta So Li ^R Sc Ta "Line retype character." +.It rw Ta bool Ta false Ta "\&Do" +.Em not +use raw for input, use cbreak. +.It sp Ta num Ta unused Ta "Line speed (input and output)." +.It su Ta str Ta So Li ^Z Sc Ta "Suspend character." +.It tc Ta str Ta none Ta "Table continuation." +.It to Ta num Ta 0 Ta "Timeout (seconds)." +.It tt Ta str Ta Dv NULL Ta "Terminal type (for environment)." +.It ub Ta bool Ta false Ta "\&Do unbuffered output (of prompts etc)." +.It we Ta str Ta So Li ^W Sc Ta "Word erase character." +.It xc Ta bool Ta false Ta "\&Do" +.Em not +echo control characters as +.Ql ^X . +.It xf Ta str Ta So Li ^S Sc Ta Dv XOFF +(stop output) character. +.It xn Ta str Ta So Li ^Q Sc Ta Dv XON +(start output) character. +.El +.Pp +The following capabilities are no longer supported by +.Xr getty 8 : +.Bl -column "bd" "bool" "flase" "description" +.It bd Ta num Ta 0 Ta "Backspace delay." +.It cb Ta bool Ta false Ta "Use CRT backspace mode." +.It cd Ta num Ta 0 Ta "Carriage-return delay." +.It f0 Ta num Ta unused Ta "TTY mode flags to write messages." +.It f1 Ta num Ta unused Ta "TTY mode flags to read login name." +.It f2 Ta num Ta unused Ta "TTY mode flags to leave terminal as." +.It fd Ta num Ta 0 Ta "Form-feed (vertical motion) delay." +.It nd Ta num Ta 0 Ta "Newline (line-feed) delay." +.It uc Ta bool Ta false Ta "Terminal is known upper case only." +.El +.Pp +If no line speed is specified, speed will not be altered +from that which prevails when +.Xr getty 8 +is entered. +Specifying an input or output speed will override +line speed for stated direction only. +.Pp +Terminal modes to be used for the output of the message and +for input of the login name, +and to leave the terminal set as upon completion, +are derived from the boolean flags specified. +If the derivation should prove inadequate, +any (or all) of these three may be overridden +with one of the +.Em \&c0 , +.Em \&c1 , +.Em \&c2 , +.Em \&i0 , +.Em \&i1 , +.Em \&i2 , +.Em \&l0 , +.Em \&l1 , +.Em \&l2 , +.Em \&o0 , +.Em \&o1 , +or +.Em \&o2 +numeric specifications, which can be used to specify +(usually in octal, with a leading +.Ql 0 ) +the exact values of the flags. +These flags correspond to the termios +.Em c_cflag , +.Em c_iflag , +.Em c_lflag , +and +.Em c_oflag +fields, respectively. +Each of these sets must be completely specified to be effective. +.Pp +Should +.Xr getty 8 +receive a null character +(presumed to indicate a line break) +it will restart using the table indicated by the +.Em nx +entry. +If there is none, it will re-use its original table. +.Pp +Delays are specified in milliseconds; +the nearest possible delay available in the TTY driver will be used. +Should greater certainty be desired, delays +with values 0, 1, 2, and 3 are interpreted as +choosing that particular delay algorithm from the driver. +.Pp +The +.Em \&cl +screen clear string may be preceded by a (decimal) number +of milliseconds of delay required (a la +.Xr termcap 5 ) . +This delay is simulated by repeated use of the pad character +.Em \&pc . +.Pp +The initial message and login message +.Po +.Em \&im +and +.Em \&lm +.Pc +may include any of the following character sequences, which expand to +information about the environment in which +.Xr getty 8 +is running: +.Bl -tag -width \&%xxx +.It \&%d +The current date. +.It \&%h +The hostname of the machine, which is normally obtained from the +system using +.Xr gethostname 3 , +but may also be overridden by the +.Em \&hn +table entry. +.It \&%t +The TTY name. +.It "\&%m, \&%r, \&%s, \&%v" +The type of machine, release of the operating system, name of the +operating system, and version of the kernel, respectively, as +returned by +.Xr uname 3 . +.It \&%% +A +.Ql % +character. +.El +.Pp +When +.Xr getty 8 +executes the login process given in the +.Em \&lo +string (usually +.Pa /usr/bin/login ) , +it will have set +the environment to include the terminal type, as indicated +by the +.Em \&tt +string (if it exists). +The +.Em \&ev +string can be used to enter additional data into the environment. +It is a list of comma-separated strings, each of which +will presumably be of the form +.Em name=value . +.Pp +If a non-zero timeout is specified with +.Em \&to , +then +.Xr getty 8 +will exit within the indicated number of seconds, either having +received a login name and passed control to +.Xr login 1 , +or having received an alarm signal and exited. +This may be useful to hangup dial in lines. +.Pp +Output from +.Xr getty 8 +is even parity unless +.Em \&op +or +.Em \&np +is specified. +The +.Em \&op +string +may be specified with +.Em \&ap +to allow any parity on input, but generate odd parity output. +Note: this only applies while +.Xr getty 8 +is being run; +terminal driver limitations prevent a more complete implementation. +.Xr getty 8 +does not check parity of input characters in +.Dv RAW +mode. +.Pp +If a +.Em \&pp +string is specified and a PPP link bring-up sequence is recognized, +.Xr getty 8 +will invoke the program referenced by the +.Em \&pp +option. +This can be used to handle incoming PPP calls. +.Sh FILES +.Bl -tag -width "/etc/gettytab" -compact +.It Pa /etc/gettytab +Default location of the database file. +.El +.Sh SEE ALSO +.Xr login 1 , +.Xr gethostname 3 , +.Xr uname 3 , +.Xr termcap 5 , +.Xr getty 8 +.Sh HISTORY +The +.Nm +file format appeared in +.Bx 4.2 . +.Sh BUGS +The special characters (erase, kill, etc.) are reset to system defaults by +.Xr login 1 . +.Pp +The delay stuff is a real crock. +Apart from its general lack of flexibility, some +of the delay algorithms are not implemented. +The terminal driver should support sane delay settings. +.Pp +The +.Xr termcap 5 +format is horrid; something more rational should have been chosen. diff --git a/static/openbsd/man5/hostapd.conf.5 b/static/openbsd/man5/hostapd.conf.5 new file mode 100644 index 00000000..5983495e --- /dev/null +++ b/static/openbsd/man5/hostapd.conf.5 @@ -0,0 +1,836 @@ +.\" $OpenBSD: hostapd.conf.5,v 1.51 2026/01/18 16:38:02 schwarze Exp $ +.\" +.\" Copyright (c) 2004, 2005, 2006 Reyk Floeter <reyk@openbsd.org> +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: January 18 2026 $ +.Dt HOSTAPD.CONF 5 +.Os +.Sh NAME +.Nm hostapd.conf +.Nd configuration file for the Host Access Point daemon +.Sh DESCRIPTION +.Nm +is the configuration file for the +.Xr hostapd 8 +daemon. +.Pp +The +.Nm +file is divided into the following main sections: +.Bl -tag -width xxxx +.It Sx MACROS +Definitions of variables that can be used later, simplifying the +configuration file. +.It Sx TABLES +Tables provide a mechanism to handle a large number of link layer +addresses easily, with increased performance and flexibility. +.It Sx GLOBAL CONFIGURATION +Global runtime settings for +.Xr hostapd 8 . +.It Sx EVENT RULES +Event rules provide a powerful mechanism to trigger certain actions +when receiving specified IEEE 802.11 frames. +.It Sx IP ROAMING +The concepts and details about the optional IP based roaming in +.Xr hostapd 8 . +.El +.Pp +The current line can be extended over multiple lines using a backslash +.Pq Sq \e . +Comments can be put anywhere in the file using a hash mark +.Pq Sq # , +and extend to the end of the current line. +Care should be taken when commenting out multi-line text: +the comment is effective until the end of the entire block. +.Pp +Arguments not beginning with a letter, digit, or underscore +must be quoted. +.Pp +Additional configuration files can be included with the +.Ic include +keyword, for example: +.Bd -literal -offset indent +include "/etc/hostapd.conf.local" +.Ed +.Sh MACROS +A macro is defined with a command of the form +.Ar name Ns = Ns Ar value . +The macro +.Ar name +can contain letters, digits, and underscores and cannot be a reserved word +(for example, +.Ic set , +.Ic interface , +or +.Ic hostap ) . +Within unquoted arguments, the string +.Pf $ Ar name +is later expanded to +.Ar value . +.Pp +For example: +.Bd -literal -offset indent +wlan="ath0" +set iapp handle subtype { ! add notify, radiotap } +set iapp interface $wlan +.Ed +.Sh TABLES +Tables are named structures which can hold a collection of link layer +addresses, masked address ranges, and link layer to IP address +assignments. +Lookups against tables in +.Xr hostapd 8 +are relatively fast, making a single rule with tables much more +efficient, in terms of processor usage and memory consumption, than a +large number of rules which differ only in link layer addresses. +.Pp +Tables are used for +.Xr hostapd 8 +.Em event rules +to match specified IEEE 802.11 link layer addresses and address ranges, +and the capability to assign link layer to IP addresses and an option netmask +is a requirement for advanced IAPP functionality. +.Pp +Table options may be presented after the table name declaration. +The following options are supported: +.Bl -tag -width const +.It Ic const +The table is constant and cannot be later changed from its original +definition. +.El +.Pp +For example: +.Bd -literal -offset indent +cisco="00:40:06:ff:ff:ff & ff:ff:ff:00:00:00" + +table <black> { $cisco, 00:0d:60:ff:f1:2a } +table <myess> const { + 00:00:24:c3:40:18 -> 10.195.64.24, + 00:00:24:c3:40:19 -> 10.195.64.25, + 00:00:24:c3:40:1a -> 10.195.64.26 +} +table <myclient> const { + 00:05:4e:45:d4:b9 -> 172.23.5.1/30 +} +.Ed +.Sh GLOBAL CONFIGURATION +The following configuration settings are understood: +.Bl -tag -width Ds +.It Xo +.Ic set hostap interface +.Ar interface | +.Brq Ar interface0 , interface1 , ... +.Xc +Specify the wireless interface running in Host AP mode. +This option could be omitted to use +.Xr hostapd 8 +to log received IAPP messages. +Multiple hostap interfaces may be specified +as a comma-separated list, +surrounded by curly braces. +.It Ic set hostap mode Ar mode +Specify the Host AP capture mode. +The supported modes are: +.Pp +.Bl -tag -width radiotap -offset indent -compact +.It Ic radiotap +Capture IEEE 802.11 frames with additional radiotap headers. +They will provide optional but useful information like received frame +signal levels. +.It Ic pcap +Capture plain IEEE 802.11 frames. +.El +.It Xo +.Ic set hostap hopper interface +.Ar interface | +.Brq Ar interface0 , interface1 , ... +.Xc +Enable a channel hopper on the selected wireless interface. +Multiple hostap interfaces may be specified as a comma-separated list, +surrounded by curly braces. +.It Ic set hostap hopper delay Ar number +Set the delay in milliseconds for the channel hopper before hopping to +the next available channel. +The default value is 800 milliseconds. +.It Ic set iapp interface Ar interface +Specify the mandatory Inter-Access-Point (IAPP) interface. +It is important that the IAPP interface is on a trusted +network because there is no authentication and an attacker could force +disassociation of selected stations on all listening access points. +.It Xo +.Ic set iapp +.Op Ic address | route +.Ic roaming table +.Pf < Ar table Ns > +.Xc +Specify a table used for +.Em IP Roaming +lookups of link layer address to IP address or subnet assignments. +.It Xo +.Ic set iapp handle subtype +.Ar subtype | +.Brq Ar subtype0 , subtype1 , ... +.Xc +Specify the IAPP subtypes to use: +.Pp +.Bl -tag -width broadcast -offset indent -compact +.It Xo +.Op Ic not +.Ic add notify +.Xc +Send and receive +.Em ADD.notify +messages. +This option is enabled by default. +.It Xo +.Op Ic not +.Ic radiotap +.Xc +Receive +.Em radiotap +messages. +This option is enabled by default. +.It Xo +.Op Ic not +.Op Ic address |\ route +.Ic roaming +.Xc +Enable dynamic roaming of IP addresses or routes. +These options are disabled by default. +.El +.It Ic set iapp mode Ar mode +Specify the IAPP mode. +The supported modes are: +.Pp +.Bl -tag -width broadcast -offset indent -compact +.It Xo +.Ic multicast +.Op Ic address Ar ipv4addr +.Op Ic port Ar number +.Op Ic ttl Ar number +.Xc +Use +.Xr multicast 4 +frames. +A multicast time-to-live (TTL) of 2 or higher is required to allow +multicast forwarding, for example for use with +.Xr mrouted 8 . +.It Xo +.Ic broadcast +.Op Ic port Ar number +.Xc +Use broadcast frames. +.El +.Pp +The default is multicast using the multicast address 224.0.1.178 and +port 3517 with a TTL limited to 1 hop. +Some access point vendors still use broadcast with the pre-standard +IAPP port 2313. +.El +.Sh EVENT RULES +Event rules provide a powerful way to trigger a certain action when +receiving specified IEEE 802.11 frames on the +.Em hostap interface . +The rules are handled in sequential order, from first to last. +Rules are handled without a state: +each rule is processed independently from the others and from +any previous actions. +This behaviour is somewhat different to that of packet filter rules +specified in +.Xr pf.conf 5 . +.Pp +All +.Xr hostapd 8 +event rules are single line statements beginning with +the mandatory +.Ic hostap handle +keywords and optional rule options, interface, frame matching, +a specified action, a limit, and a minimal rate: +.Bd -filled -offset indent +.Ic hostap handle +.Op Ar option +.Op Ar interface +.Op Ar frame +.Op Ar action +.Op Ar limit +.Op Ar rate +.Ed +.Pp +Some rule statements support the optional keyword +.Ic not , +also represented by the +.Ic !\& +operator, +for inverse matching. +.Pp +The optional parts are defined below. +.Ss Rule Option +The rule +.Ar option +will modify the behaviour of handling the statement. +There are two possible options, +.Ic quick +and +.Ic skip . +If either the keyword +.Ic quick +or the keyword +.Ic skip +is specified, no further event rules will be handled for this frame +after processing this rule successfully. +The keyword +.Ic skip +additionally skips any further IAPP processing of the frame, +which is normally done after handling the event rules. +.Ss Rule Interface +The rule +.Ar interface +specifies the hostap interface the rule is matched on. +The available interface list is specified by the global +.Ic set hostap interface +configuration setting. +.Bd -filled -offset indent +.Ic on +.Op Ic not +.Ar interface +.Ed +.Pp +If not given, +the event rule is matched on all available hostap interfaces. +.Ss Rule Frame +The +.Ar frame +description specifies a mechanism to match IEEE 802.11 frames. +.Bl -tag -width Ds +.It Ic any +Match all frames. +.It Xo +.Ic frame +.Op Ar type +.Op Ar dir +.Op Ar from +.Op Ar to +.Op Ar bssid +.Op Ar radiotap +.Xc +Apply rules to frames matching the given parameters. +The parameters are explained below. +.Pp +The +.Ar type +parameter specifies the frame type to match on. +The frame type may be specified in the following ways: +.Bl -tag -width Ds +.It Ic type any +Match all frame types. +.It Xo +.Ic type +.Op Ic not +.Ic data +.Xc +Match data frames. +Presence of the +.Ic not +keyword negates the match and will match all non-data frames. +.It Xo +.Ic type +.Op Ic not +.Ic management +.Oo Op Ic not +.Ar subtype Oc +.Xc +Match management frames. +The +.Ar subtype +argument may be specified to optionally match management frames of the +given subtype. +The subtype match may be negated by specifying the +.Ic not +keyword. +See the +.Sx Management Frame Subtypes +section below for available subtypes specifications. +.El +.Pp +The +.Ar dir +parameter specifies the direction the frame is being sent. +The direction may be specified in the following ways: +.Bl -tag -width Ds +.It Ic dir any +Match all directions. +.It Ic dir Ar framedir +Match frames with the given direction +.Ar framedir . +See the +.Sx Frame Directions +section below for available direction specifications. +.El +.Pp +The +.Ar radiotap +rules allow parsing and matching of the extra information reported by +the radiotap header. +Support for the specified radiotap headers is optional and the +specific parameters depend on the radiotap elements reported +by the wireless interface. +Support for the radiotap data link type can be verified with the +.Xr tcpdump 8 +command. +These rules require +.Ic hostap mode radiotap +in the global configuration. +.Bl -tag -width Ds +.It Xo +.Ic signal +.Op Ic operator +.Ar percentage Ic % +.Xc +Match the signal quality of the received frame. +.It Xo +.Ic freq +.Op Ic operator +.Ar value Ic ( GHz | MHz ) +.Xc +Match the transmit rate of the received frame. +.It Xo +.Ic txrate +.Op Ic operator +.Ar rate Ic Mb +.Xc +Match the frequency of the received frame, +in Mbps. +.El +.Pp +The radiotap rules support the following operators. +If omitted, the specified value will be checked if it is equal or not. +.Bd -literal -offset indent += (equal) +!= (not equal) +< (less than) +<= (less than or equal) +> (greater than) +>= (greater than or equal) +.Ed +.Pp +The +.Ar from , to , +and +.Ar bssid +parameters specify the IEEE 802.11 address fields to match on. +They can be specified in the following ways: +.Bl -tag -width Ds +.It Xo +.Ic ( from | to | bssid ) Ic any +.Xc +Allow all addresses for the specified address field. +.It Xo +.Ic ( from | to | bssid ) +.Op Ic not +.Pf < Ar table Ns > +.Xc +Allow allow addresses from the given +.Ar table +(see +.Sx TABLES +above) +for the specified address field. +.It Xo +.Ic ( from | to | bssid ) +.Op Ic not +.Ar lladdr +.Xc +Allow the given address +.Ar lladdr +for the specified address field. +.El +.El +.Ss Rule Action +An optional +.Ar action +is triggered if a received IEEE 802.11 frame matches the frame +description. +The following actions are supported: +.Bl -tag -width Ds +.It Xo +.Ic with frame Ar type +.Op Ar dir +.Ar from to bssid +.Xc +Send an arbitrary constructed frame to the wireless network. +The arguments are as follows. +.Pp +The +.Ar type +describes the IEEE 802.11 frame type to send, specified in the +frame control header. +The following frames types are supported at present: +.Bl -tag -width Ds +.It Ic type data +Send a data frame. +This is normally used to encapsulate ordinary IEEE 802.3 +frames into IEEE 802.11 wireless frames. +.It Ic type management Ar subtype +Send a management frame with the specified subtype. +Management frames are used to control states and to find access points +and IBSS nodes in IEEE 802.11 networks. +See the +.Sx Management Frame Subtypes +section below for available subtypes specifications. +.El +.Pp +The +.Ar dir +describes the direction the IEEE 802.11 frame will be sent. +It has the following syntax: +.Bd -filled -offset indent +.Ic dir Ar framedir +.Ed +.Pp +See the +.Sx Frame Directions +section below for available direction specifications. +.Pp +The +.Ar from , to , +and +.Ar bssid +arguments specify the link layer address fields used in IEEE 802.11 +frames. +All address fields are mandatory in the frame action. +The optional fourth address field used by wireless distribution +systems (WDS) is currently not supported. +Each argument is specified by a keyword of the same name +.Po +.Ic from , to , +or +.Ic bssid +.Pc +followed by one of the following address specifications: +.Bl -tag -width "&refaddr" +.It Ar lladdr +Specify the link layer addresses used in the IEEE 802.11 frame address +field. +The link layer address +.Ql ff:ff:ff:ff:ff:ff +is the IEEE 802.11 broadcast address. +.It Li & Ns Ar refaddr +Fill in a link layer address from the previously matched IEEE 802.11 +frame. +.Ic &from +will use the source link layer address; +.Ic &to +the destination link layer address; and +.Ic &bssid +the BSSID link layer address of the previously matched frame. +.It Ic random +Use a random link layer address in the specified IEEE 802.11 frame +address field. +Multicast and broadcast link layer addresses will be skipped. +.El +.It Ic with iapp type Ar iapp-type +Send a +.Xr hostapd 8 +specific IAPP frame with a raw IEEE 802.11 packet dump of the received +frame to the wired network. +The only supported +.Ar iapp-type +is +.Ic radiotap . +.It Ic with log Op Ic verbose +Write informational messages to the local system log (see +.Xr syslogd 8 ) +or standard error. +If the +.Sx Rule Rate +has been specified, +log will print the actual rate. +.It Ic node add | delete Ar lladdr +Add or remove the specified node from the internal kernel +node table. +.It Ic resend +Resend the received IEEE 802.11 frame. +.El +.Ss Rule Limit +It is possible to limit handling of specific rules with the +.Ic limit +keyword: +.Bd -filled -offset indent +.Ic limit +.Ar number +.Ic sec | usec +.Ed +.Pp +In some cases it is absolutely necessary to use limited matching +to protect +.Xr hostapd 8 +against excessive flooding with IEEE 802.11 frames. +For example, beacon frames will be normally received every 100 ms. +.Ss Rule Rate +It is possible to tell +.Xr hostapd 8 +to trigger the action only after a specific +.Ic rate +of matched frames. +.Bd -filled -offset indent +.Ic rate +.Ar number +.Ar / +.Ar number +.Ic sec +.Ed +.Pp +This will help to detect excessive flooding of IEEE 802.11 frames. +For example, de-auth flooding is a denial of service (DoS) attack +against IEEE 802.11 wireless networks. +.Ss Management Frame Subtypes +The +.Ar subtype +describes the IEEE 802.11 frame subtype, specified in +the frame control header. +The choice of subtypes depends on the used frame type. +.Xr hostapd 8 +currently only supports management frame subtypes. +Most frame subtypes require an additional subtype-specific header +in the frame body, but currently only the +.Ic deauth +and +.Ic disassoc +reason codes are supported: +.Bl -ohang -offset 3n +.It Ic subtype beacon +A beacon frame. +Wireless access points and devices running in +.Em ibss +master or +.Em hostap +mode continuously send beacon frames to indicate their presence, +traffic load, and capabilities. +.It Ic subtype deauth Op Ar reason +A deauthentication frame with an optional reason code. +Deauthenticated stations will lose any IEEE 802.11 operational state. +.It Ic subtype disassoc Op Ar reason +A disassociation frame with an optional reason code. +.It Ic subtype assoc request +An association request frame. +.It Ic subtype assoc response +An association response frame. +.It Ic subtype atim +An announcement traffic indication message (ATIM frame). +.It Xo +.Ic subtype auth Op Ic open request | response +.Xc +An authentication frame. +.It Ic subtype probe request +A probe request frame. +Probe requests are used to probe for access points and IBSS nodes. +.It Ic subtype probe response +A probe response frame. +.It Ic subtype reassoc request +A re-association request frame. +.It Ic subtype reassoc response +A re-association response frame. +.El +.Pp +The +.Ar reason +defines a descriptive reason for the actual +.Em deauthentication +or +.Em disassociation +of a station: +.Bl -ohang -offset 3n +.It Ic reason assoc expire +Disassociated due to inactivity. +.It Ic reason assoc leave +Disassociated because the sending station is leaving or has left the +wireless network. +.It Ic reason assoc toomany +Disassociated because the access point has reached its limit of +associated stations. +.It Ic reason auth expire +Previous authentication no longer valid. +.It Ic reason auth leave +Deauthenticated because the sending station is leaving or has left the +wireless network. +.It Ic reason ie invalid +IEEE 802.11i extension. +.It Ic reason mic failure +IEEE 802.11i extension. +.It Ic reason not authed +Frame received from unauthenticated station. +.It Ic reason assoc not authed +Frame received from an associated but unauthenticated station. +.It Ic reason not assoced +Frame received from unassociated station. +.It Ic reason rsn required +IEEE 802.11i extension. +.It Ic reason rsn inconsistent +IEEE 802.11i extension. +.It Ic reason unspecified +Unspecified reason. +.El +.Ss Frame Directions +The direction a frame is being transmitted +.Pq Ar framedir +can be specified in the following ways: +.Bl -ohang -offset 3n +.It Ic dir no ds +No distribution system direction is used for management frames. +.It Ic dir to ds +A frame sent from a station to the distribution system, the access point. +.It Ic dir from ds +A frame from the distribution system, the access point, to a station. +.It Ic dir ds to ds +A frame direction used by wireless distribution systems (WDS) for +wireless access point to access point communication. +.El +.Sh EVENT RULE EXAMPLES +.Bd -literal +# Log probe requests locally +hostap handle type management subtype probe request \e + with log + +# Detect flooding of management frames except beacons. +# This will detect some possible denial of service attacks +# against the IEEE 802.11 protocol. +hostap handle skip type management subtype ! beacon \e + with log \e + rate 100 / 10 sec + +# Log rogue access points via IAPP, limited to every second, +# and skip further IAPP processing. +hostap handle skip type management subtype beacon bssid !<myess> \e + with iapp type radiotap limit 1 sec + +# Send deauthentication frames to stations associated to rogue APs +hostap handle type data bssid !<myess> with frame type management \e + subtype deauth reason auth expire \e + from &bssid to &from bssid &bssid + +# Send authentication requests from random station addresses to +# rogue access points. This is a common way to test the quality of +# various hostap implementations. +hostap handle skip type management subtype beacon bssid <pentest> \e + with frame type management subtype auth \e + from random to &bssid bssid &bssid + +# Re-inject a received IEEE 802.11 frame on the interface ath0 +hostap handle on ath0 type management subtype auth with resend + +# Remove a blacklisted node from the kernel node tree +hostap handle type management subtype auth from <blacklist> \e + with node delete &from + +# Log rogue access points with a strong signal quality on +# channel 3 (2.422GHz) transmitting frames with 1Mbps. +hostap handle type management subtype beacon bssid !<myess> \e + signal >= 50% txrate 1Mb freq 2.422GHz \e + with log +.Ed +.Sh IP ROAMING +In a traditional wireless network, multiple access points are +members of a single layer 3 broadcast domain. +The traffic is bridged between physical collision domains, +as with the +.Xr bridge 4 +interface in +.Ox . +This may cause problems in large wireless networks with a heavy load +of broadcast traffic, like broadcasted ARP, DHCP or ICMP requests. +.Pp +.Xr hostapd 8 +implements IP based roaming to build wireless networks +without the requirement of a single broadcast domain. +This works as follows: +.Pp +.Bl -enum -compact +.It +Every access point running +.Xr hostapd 8 +is a router to an individual internal broadcast domain, +.Em without +using the +.Xr bridge 4 +interface. +.It +An increased multicast TTL is used for IAPP communication +between access points in multiple network segments. +Multicast routing is required in the network infrastructure, +like an +.Ox +router running +.Xr mrouted 8 . +.It +The configuration file +.Nm +is used to assign IP subnets to link layer addresses. +If a station with the specified link layer address successfully +associates to the access point, +.Xr hostapd 8 +will configure the specified IP address and subnet on +the wireless interface. +.It +The +IAPP +.Em ADD.notify +message is used to notify other access points running +.Xr hostapd 8 +to remove the station and any assigned IP addresses or subnets from +the wireless interface. +.It +A dynamic routing daemon like +.Xr ospfd 8 +or +.Xr bgpd 8 +running on the access point will be used to announce the +new IP route to the internal network and routers. +.El +.Pp +For example: +.Bd -literal -offset indent +# Assign IP addresses to layer 2 addresses +table <clients> { + 00:02:6f:42:d0:01 -> 172.23.5.1/30, + 00:05:4e:45:d3:b8 -> 172.23.5.4/30, + 00:04:2e:12:03:e0 -> 172.23.5.8/30 +} + +# Global options +set hostap interface ath0 +set hostap mode radiotap +set iapp interface sis0 +set iapp address roaming table <clients> +set iapp handle subtype address roaming +set iapp mode multicast ttl 2 +.Ed +.Sh FILES +.Bl -tag -width /etc/examples/hostapd.conf -compact +.It Pa /etc/hostapd.conf +Default location of the configuration file. +.It Pa /etc/examples/hostapd.conf +Example configuration file. +.El +.Sh SEE ALSO +.Xr hostapd 8 +.Sh AUTHORS +The +.Xr hostapd 8 +program was written by +.An Reyk Floeter Aq Mt reyk@openbsd.org . +.Sh CAVEATS +.Em IP Roaming +requires statically assigned IP addresses of stations and does +not support DHCP at present. diff --git a/static/openbsd/man5/httpd.conf.5 b/static/openbsd/man5/httpd.conf.5 new file mode 100644 index 00000000..3053709a --- /dev/null +++ b/static/openbsd/man5/httpd.conf.5 @@ -0,0 +1,910 @@ +.\" $OpenBSD: httpd.conf.5,v 1.129 2026/01/18 16:38:02 schwarze Exp $ +.\" +.\" Copyright (c) 2014, 2015 Reyk Floeter <reyk@openbsd.org> +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: January 18 2026 $ +.Dt HTTPD.CONF 5 +.Os +.Sh NAME +.Nm httpd.conf +.Nd HTTP daemon configuration file +.Sh DESCRIPTION +.Nm +is the configuration file for the HTTP daemon, +.Xr httpd 8 . +.Pp +.Nm +is divided into the following main sections: +.Bl -tag -width xxxx +.It Sx Macros +Definitions of variables that can be used later, simplifying the +configuration file. +.It Sx Global configuration +Global settings for +.Xr httpd 8 . +.It Sx Servers +Listening HTTP web servers. +.It Sx Types +Media types and extensions. +.El +.Pp +Within the sections, +a host +.Ar address +can be specified by IPv4 address, IPv6 address, interface name, +interface group, or DNS hostname. +If the address is an interface name, +.Xr httpd 8 +will look up the first IPv4 address and any other IPv4 and IPv6 +addresses of the specified network interface. +If +.Sq * +is given as an address, +.Xr httpd 8 +will listen on all IPv4 and IPv6 addresses. +.Ar 0.0.0.0 +means to listen on all IPv4 addresses and +.Ar :: +all IPv6 addresses. +A +.Ar port +can be specified by number or name. +The port name to number mappings are found in the file +.Pa /etc/services ; +see +.Xr services 5 +for details. +.Pp +The current line can be extended over multiple lines using a backslash +.Pq Sq \e . +Comments can be put anywhere in the file using a hash mark +.Pq Sq # , +and extend to the end of the current line. +Care should be taken when commenting out multi-line text: +the comment is effective until the end of the entire block. +.Pp +Arguments not beginning with a letter, digit, or underscore +must be quoted. +.Pp +Additional configuration files can be included with the +.Ic include +keyword, for example: +.Bd -literal -offset indent +include "/etc/httpd.conf.local" +.Ed +.Ss Macros +A macro is defined with a command of the form +.Ar name Ns = Ns Ar value . +The macro +.Ar name +can contain letters, digits, and underscores and cannot be a reserved word +(for example, +.Ic directory , +.Ic log , +or +.Ic root ) . +Within unquoted arguments, the string +.Pf $ Ar name +is later expanded to +.Ar value . +.Pp +For example: +.Bd -literal -offset indent +ext_ip="10.0.0.1" +server "example.com" { + listen on $ext_ip port 80 +} +.Ed +.Ss Global configuration +Here are the settings that can be set globally: +.Bl -tag -width Ds +.It Ic chroot Ar directory +Set the +.Xr chroot 2 +directory. +If not specified, it defaults to +.Pa /var/www , +the home directory of the www user. +.It Ic default type Ar type/subtype +Set the default media type that is used if the media type for a +specified extension is not found in the configured types or for files +without a file extension; +see the +.Sx Types +section below. +If not specified, the default type is set to +.Ar application/octet-stream . +.It Ic errdocs Ar directory +Let +.Xr httpd 8 +return custom error documents instead of the built-in ones. +.Pp +.Ar directory +is relative to the +.Ic chroot . +.Pp +Custom error documents are standalone +.Dq .html +files provided in one of the following ways: +.Bl -bullet -offset indent -compact +.It +As HTML files named after the 3-digit HTTP response code they are used +for, e.g., +.Pa 404.html . +.It +As a generic template file named +.Pa err.html +which is used for response codes no dedicated file is provided for. +.El +.Pp +In case the latter does not exist and there is no dedicated file available for +a certain response code, the built-in error document will be used as fallback. +.Pp +A custom error document may contain the following macros that will be expanded +at runtime: +.Pp +.Bl -tag -width $RESPONSE_CODE -offset indent -compact +.It Ic $HTTP_ERROR +The error message text. +.It Ic $RESPONSE_CODE +The 3-digit HTTP response code sent to the client. +.It Ic $SERVER_SOFTWARE +The server software name of +.Xr httpd 8 . +.El +.It Ic logdir Ar directory +Specifies the full path of the directory in which log files will be written. +If not specified, it defaults to +.Pa /logs +within the +.Xr chroot 2 +directory. +.It Ic no banner +Do not send the +.Va Server +HTTP response header, and hide the server software name in error documents. +The +.Va SERVER_SOFTWARE +CGI environment variable is always set in accordance with +.%R RFC 3875 . +.It Ic prefork Ar number +Run the specified number of server processes. +This increases the performance and prevents delays when connecting +to a server. +.Xr httpd 8 +runs 3 server processes by default. +.El +.Ss Servers +The configured web servers. +.Pp +Each +.Ic server +section starts with a declaration of the server +.Ar name . +If a request does not match any server name, it is handled by the +first defined +.Ic server +section that matches the listening port. +.Bl -tag -width Ds +.It Ic server Ar name Brq ... +Match the server name using shell globbing rules, +see +.Xr glob 7 . +This can be an explicit name, +.Ar www.example.com , +or a name including wildcards, +.Ar *.example.com . +.It Ic server match Ar name Brq ... +Match the server name using pattern matching, +see +.Xr patterns 7 . +.El +.Pp +Followed by a block of options enclosed in curly braces: +.Bl -tag -width Ds +.It Ic alias Ar name +Specify an additional alias +.Ar name +for this server. +.It Ic alias match Ar name +Like the +.Ic alias +option, +but +.Ic match +the +.Ar name +using pattern matching instead of shell globbing rules, +see +.Xr patterns 7 . +.It Oo Ic no Oc Ic authenticate Oo Ar realm Oc Ic with Pa htpasswd +Authenticate a remote user for +.Ar realm +by checking the credentials against the user authentication file +.Pa htpasswd . +The file name is relative to the +.Ic chroot +and must be readable by the www user. +Use the +.Ic no authenticate +directive to disable authentication in a location. +.It Oo Ic no Oc Ic banner +When prefixed with the +.Ic no +keyword, +suppress the +.Va Server +HTTP response header, and hide the server software name in error documents for +the current +.Ic server. +If +.Ic no +is omitted, enable the banner for the current +.Ic server +if it was disabled globally. +.It Ic block drop +Drop the connection without sending an error page. +.It Ic block Op Ic return Ar code Op Ar uri +Close the connection and send an error page. +If the optional return code is not specified, +.Xr httpd 8 +denies access with a +.Sq 403 Forbidden +response. +The optional +.Ar uri +argument can be used with return codes in the 3xx range to send an +HTTP Location header for redirection to a specified URI. +.Pp +It is possible to rewrite the request to redirect it to a different +external location. +The +.Ar uri +may contain predefined macros that will be expanded at runtime: +.Pp +.Bl -tag -width $DOCUMENT_URI -offset indent -compact +.It Ic $DOCUMENT_URI +The request path. +.It Ic $QUERY_STRING +The query string of the request. +.It Ic $QUERY_STRING_ENC +The URL-encoded query string of the request. +.It Ic $REMOTE_ADDR +The IP address of the connected client. +.It Ic $REMOTE_PORT +The TCP source port of the connected client. +.It Ic $REMOTE_USER +The remote user for HTTP authentication. +.It Ic $REQUEST_SCHEME +The request scheme (http or https). +.It Ic $REQUEST_URI +The request path and optional query string. +.It Ic $SERVER_ADDR +The configured IP address of the server. +.It Ic $SERVER_PORT +The configured TCP port of the server. +.It Ic $SERVER_NAME +The name of the server. +.It Ic $HTTP_HOST +The host from the HTTP Host header. +.It Pf % Ar n +The capture index +.Ar n +of a string that was captured by the enclosing +.Ic location match +option. +.El +.It Ic connection Ar option +Set the specified options and limits for HTTP connections. +Multiple options may be specified within curly braces. +Valid options are: +.Bl -tag -width Ds +.It Ic max request body Ar number +Set the maximum body size in bytes that the client can send to the server. +The default value is 1048576 bytes (1M). +.It Ic max requests Ar number +Set the maximum number of requests per persistent HTTP connection. +Persistent connections are negotiated using the Keep-Alive header in +HTTP/1.0 and enabled by default in HTTP/1.1. +The default maximum number of requests per connection is 100. +.It Ic request timeout Ar seconds +Specify the inactivity timeout for HTTP operations between client and server, +for example the maximum time to wait for a request from the client. +The default timeout is 60 seconds (1 minute). +The maximum is 2147483647 seconds (68 years). +.It Ic timeout Ar seconds +Specify the inactivity timeout in seconds for accepted sessions, +for example the maximum time to wait for I/O from the FastCGI backend. +The default timeout is 600 seconds (10 minutes). +The maximum is 2147483647 seconds (68 years). +.El +.It Ic default type Ar type/subtype +Set the default media type for the specified location, +overwriting the global setting. +.It Ic directory Ar option +Set the specified options when serving or accessing directories. +Multiple options may be specified within curly braces. +Valid options are: +.Bl -tag -width Ds +.It Oo Ic no Oc Ic auto index +If no index file is found, automatically generate a directory listing. +This is disabled by default. +.It Ic index Ar string +Set the directory index file. +If not specified, it defaults to +.Pa index.html . +.It Ic no index +Disable the directory index. +.Xr httpd 8 +will neither display nor generate a directory index. +.El +.It Oo Ic no Oc Ic errdocs Ar directory +Overrides or, if the +.Ic no +keyword is given, disables globally defined custom error documents for the +current +.Ic server . +.It Oo Ic no Oc Ic fastcgi Oo Ar option Oc +Enable FastCGI instead of serving files. +Multiple options may be specified within curly braces. +Valid options are: +.Bl -tag -width Ds +.It Ic socket Oo Cm tcp Oc Ar socket Oo Ar port Oc +.Nm httpd +passes HTTP requests to a FastCGI handler listening on the socket +.Ar socket . +The +.Ar socket +can either be a UNIX domain socket or a TCP socket. +If the FastCGI handler is listening on a UNIX domain socket, +.Ar socket +is a local path name within the +.Xr chroot 2 +root directory of +.Xr httpd 8 +and defaults to +.Pa /run/slowcgi.sock . +Alternatively if +the FastCGI handler is listening on a TCP socket, +.Ar socket +is a hostname or an IP address. +If the +.Ar port +is not specified, it defaults to port 9000. +.It Ic strip Ar number +Strip +.Ar number +path components from the beginning of DOCUMENT_ROOT and +SCRIPT_FILENAME before sending them to the FastCGI server. +This allows FastCGI server chroot to be a directory under httpd chroot. +.It Ic param Ar variable value +Sets a variable that will be sent to the FastCGI server. +Each statement defines one variable. +.El +.Pp +The FastCGI handler will be given the following variables by default: +.Pp +.Bl -tag -width GATEWAY_INTERFACE -offset indent -compact +.It Ic DOCUMENT_ROOT +The document root in which the script is located as configured by the +.Ic root +option for the server or location that matches the request. +.It Ic GATEWAY_INTERFACE +The revision of the CGI specification used. +.It Ic HTTP_* +Additional HTTP headers the connected client sent in the request, if +any. +.It Ic HTTPS +A variable that is set to +.Qq on +when the server has been configured to use TLS. +This variable is omitted otherwise. +.It Ic REQUEST_URI +The path and optional query string as requested by the connected client. +.It Ic DOCUMENT_URI +The canonicalized request path, possibly with a slash or +directory index file name appended. +This is the same as +.Ic PATH_INFO +appended to +.Ic SCRIPT_NAME . +.It Ic SCRIPT_NAME +The virtual URI path to the script. +.It Ic PATH_INFO +The optional path appended after the script name in the request path. +This variable is an empty string if no path is appended after the +script name. +.It Ic SCRIPT_FILENAME +The absolute, physical path to the script within the +.Xr chroot 2 +directory. +.It Ic QUERY_STRING +The optional query string of the request. +This variable is an empty +string if there is no query string in the request. +.It Ic REMOTE_ADDR +The IP address of the connected client. +.It Ic REMOTE_PORT +The TCP source port of the connected client. +.It Ic REMOTE_USER +The remote user when using HTTP authentication. +.It Ic REQUEST_METHOD +The HTTP method the connected client used when making the request. +.It Ic SERVER_ADDR +The configured IP address of the server. +.It Ic SERVER_NAME +The name of the server. +.It Ic SERVER_PORT +The configured TCP server port of the server. +.It Ic SERVER_PROTOCOL +The revision of the HTTP specification used. +.It Ic SERVER_SOFTWARE +The server software name of +.Xr httpd 8 . +.It Ic TLS_PEER_VERIFY +A variable that is set to a comma separated list of TLS client verification +features in use +.Pq omitted when TLS client verification is not in use . +.El +.It Ic gzip-static +Enable static gzip compression to save bandwidth. +.Pp +If gzip encoding is accepted and if the requested file exists with +an additional .gz suffix, use the compressed file instead and deliver +it with content encoding gzip. +.It Ic hsts Oo Ar option Oc +Enable HTTP Strict Transport Security. +Valid options are: +.Bl -tag -width Ds +.It Ic max-age Ar seconds +Set the maximum time in seconds a receiving user agent should regard +this host as an HSTS host. +The default is one year. +.It Ic preload +Confirm and authenticate that the site is permitted to be included in +a browser's preload list. +.It Ic subdomains +Signal to the receiving user agent that this host and all sub domains +of the host's domain should be considered HSTS hosts. +.El +.It Ic listen on Ar address Oo Ic tls Oc Ic port Ar number +Set the listen address and port. +This statement can be specified multiple times. +.It Ic location Oo Oo Ic not Oc Ic found Oc Ar path Brq ... +Specify server configuration rules for a specific location. +The +.Ar path +argument will be matched against the request path with shell globbing rules. +Optionally, it is also possible to match for +.Ic found +(i.e. accessible) or +.Ic not found +request paths only. +In case of multiple location statements in the same context, the +first matching location statement will be put into effect, while all +later ones will be ignored. +Therefore it is advisable to match for more specific paths first +and for generic ones later on. +A location section may include most of the server configuration rules +except +.Ic alias , +.Ic banner , +.Ic connection , +.Ic errdocs , +.Ic hsts , +.Ic listen on , +.Ic location , +.Ic tcp +and +.Ic tls . +.It Ic location Oo Oo Ic not Oc Ic found Oc Ic match Ar path Brq ... +Like the +.Ic location +option, +but +.Ic match +the +.Ar path +using pattern matching instead of shell globbing rules, +see +.Xr patterns 7 . +The pattern may contain captures that can be used in an enclosed +.Ic block return +or +.Ic request rewrite +option. +.It Oo Ic no Oc Ic log Op Ar option +Set the specified logging options. +Logging is enabled by default using the standard +.Ic access +and +.Ic error +log files, +but can be changed per server or location. +Use the +.Ic no log +directive to disable logging of any requests. +Multiple options may be specified within curly braces. +Valid options are: +.Bl -tag -width Ds +.It Ic access Ar name +Set the +.Ar name +of the access log file relative to the log directory. +If not specified, it defaults to +.Pa access.log . +.It Ic error Ar name +Set the +.Ar name +of the error log file relative to the log directory. +If not specified, it defaults to +.Pa error.log . +.It Ic style Ar style +Set the logging style. +The +.Ar style +can be +.Cm common , +.Cm combined , +.Cm forwarded +or +.Cm connection . +The styles +.Cm common +and +.Cm combined +write a log entry after each request similar to the standard Apache +and nginx access log formats. +The style +.Cm forwarded +extends the style +.Cm combined +by appending two fields containing the values of the headers +.Ar X-Forwarded-For +and +.Ar X-Forwarded-Port . +The style +.Cm connection +writes a summarized log entry after each connection, +that can have multiple requests, +similar to the format that is used by +.Xr relayd 8 . +If not specified, the default is +.Cm common . +.It Oo Ic no Oc Ic syslog +Enable or disable logging to +.Xr syslog 3 +instead of the log files. +.El +.It Ic pass +Disable any previous +.Ic block +in a location. +.It Ic request Ar option +Configure the options for the request path. +Multiple options may be specified within curly braces. +Valid options are: +.Bl -tag -width Ds +.It Oo Ic no Oc Ic rewrite Ar path +Enable or disable rewriting of the request. +Unlike the redirection with +.Ic block return , +this will change the request path internally before +.Nm httpd +makes a final decision about the matching location. +The +.Ar path +argument may contain predefined macros that will be expanded at runtime. +See the +.Ic block return +option for the list of supported macros. +.It Ic strip Ar number +Strip +.Ar number +path components from the beginning of the request path before looking +up the stripped-down path at the document root. +.El +.It Ic root Ar directory +Configure the document root of the server. +The +.Ar directory +is a pathname within the +.Xr chroot 2 +root directory of +.Nm httpd . +If not specified, it defaults to +.Pa /htdocs . +.It Ic tcp Ar option +Enable or disable the specified TCP/IP options; see +.Xr tcp 4 +and +.Xr ip 4 +for more information about the options. +Multiple options may be specified within curly braces. +Valid options are: +.Bl -tag -width Ds +.It Ic backlog Ar number +Set the maximum length the queue of pending connections may grow to. +The backlog option is 10 by default and is limited by the +.Va kern.somaxconn +.Xr sysctl 8 +variable. +.It Ic ip minttl Ar number +This option for the underlying IP connection may be used to discard packets +with a TTL lower than the specified value. +This can be used to implement the +Generalized TTL Security Mechanism (GTSM) +according to RFC 5082. +.It Ic ip ttl Ar number +Change the default time-to-live value in the IP headers. +.It Oo Ic no Oc Ic nodelay +Enable the TCP NODELAY option for this connection. +This is recommended to avoid delays in the data stream. +.It Oo Ic no Oc Ic sack +Use selective acknowledgements for this connection. +.It Ic socket buffer Ar number +Set the socket-level buffer size for input and output for this +connection. +This will affect the TCP window size. +.El +.It Ic tls Ar option +Set the TLS configuration for the server. +These options are only used if TLS has been enabled via the listen directive. +Multiple options may be specified within curly braces. +Valid options are: +.Bl -tag -width Ds +.It Ic certificate Ar file +Specify the certificate to use for this server. +The +.Ar file +should contain a PEM encoded certificate. +The default is +.Pa /etc/ssl/server.crt . +.It Ic ciphers Ar string +Specify the TLS cipher string. +If not specified, the default value +.Qq HIGH:!aNULL +will be used (strong crypto cipher suites without anonymous DH). +See the CIPHERS section of +.Xr openssl 1 +for information about TLS cipher suites and preference lists. +.It Ic client ca Ar cafile Oo Ic crl Ar crlfile Oc Op Ic optional +Require +.Po +or, if +.Ic optional +is specified, request but do not require +.Pc +TLS client certificates whose authenticity can be verified +against the CA certificate(s) in +.Ar cafile +in order to proceed beyond the TLS handshake. +With +.Ic crl +specified, additionally require that no certificate in the client chain be +listed as revoked in the CRL(s) in +.Ar crlfile . +CA certificates and CRLs should be PEM encoded. +.It Ic dhe Ar params +Specify the DHE parameters to use for DHE cipher suites. +Valid parameter values are none, legacy and auto. +For legacy a fixed key length of 1024 bits is used, whereas for auto the key +length is determined automatically. +The default is none, which disables DHE cipher suites. +.It Ic ecdhe Ar curves +Specify a comma separated list of elliptic curves to use for ECDHE cipher suites, +in order of preference. +The special value of "default" will use the default curves; see +.Xr tls_config_set_ecdhecurves 3 +for further details. +.It Ic key Ar file +Specify the private key to use for this server. +The +.Ar file +should contain a PEM encoded private key and reside outside of the +.Xr chroot 2 +root directory of +.Nm httpd . +The default is +.Pa /etc/ssl/private/server.key . +.It Ic ocsp Ar file +Specify an OCSP response to be stapled during TLS handshakes +with this server. +The +.Ar file +should contain a DER-format OCSP response retrieved from an +OCSP server for the +.Ar certificate +in use, +and can be created using +.Xr ocspcheck 8 . +The path to +.Ar file +is not relative to the chroot. +If the OCSP response in +.Ar file +is empty, OCSP stapling will not be used. +The default is to not use OCSP stapling. +.It Ic protocols Ar string +Specify the TLS protocols to enable for this server. +Refer to the +.Xr tls_config_parse_protocols 3 +function for valid protocol string values. +By default, TLSv1.3 and TLSv1.2 will be used. +.It Ic ticket lifetime Ar seconds +Enable TLS session tickets with a +.Ar seconds +session lifetime. +It is possible to set +.Ar seconds +to default to use the httpd default timeout of 2 hours. +.El +.El +.Ss Types +Configure the supported media types. +.Xr httpd 8 +will set the +.Ar Content-Type +of the response header based on the file extension listed in the +.Ic types +section. +If not specified, +.Xr httpd 8 +will use built-in media types for +.Ar text/css , +.Ar text/html , +.Ar text/plain , +.Ar image/gif , +.Ar image/png , +.Ar image/jpeg , +.Ar image/svg+xml , +and +.Ar application/javascript . +.Pp +The +.Ic types +section must include one or more lines of the following syntax, +enclosed in curly braces: +.Bl -tag -width Ds +.It Ar type/subtype Ar name Op Ar name ... +Set the media +.Ar type +and +.Ar subtype +to the specified extension +.Ar name . +One or more names can be specified per line. +Each line may end with an optional semicolon. +Later lines overwrite earlier lines. +.It Ic include Ar file +Include types definitions from an external file, for example +.Pa /usr/share/misc/mime.types . +.El +.Sh FILES +.Bl -tag -width /etc/examples/httpd.conf -compact +.It Pa /etc/examples/httpd.conf +Example configuration file. +.El +.Sh EXAMPLES +Example configuration files for +.Nm +and +.Xr acme-client 1 +are provided in +.Pa /etc/examples/httpd.conf +and +.Pa /etc/examples/acme-client.conf . +.Pp +The following example will start one server that is pre-forked two +times and is listening on all local IP addresses. +It additionally defines some media types overriding the defaults. +.Bd -literal -offset indent +prefork 2 + +server "example.com" { + listen on * port 80 +} + +types { + text/css css + text/html html htm + text/plain txt + image/gif gif + image/jpeg jpeg jpg + image/png png + application/javascript js + application/xml xml +} +.Ed +.Pp +The server can also be configured to only listen on the primary IP +address of the network interface that is a member of the +.Qq egress +group. +.Bd -literal -offset indent +server "example.com" { + listen on egress port 80 +} +.Ed +.Pp +Multiple servers can be configured to support hosting of different domains. +If the same address is repeated multiple times in the +.Ic listen on +statement, +the server will be matched based on the requested host name. +.Bd -literal -offset indent +server "www.example.com" { + alias "example.com" + listen on * port 80 + listen on * tls port 443 + root "/htdocs/www.example.com" +} + +server "www.a.example.com" { + listen on 203.0.113.1 port 80 + root "/htdocs/www.a.example.com" +} + +server "www.b.example.com" { + listen on 203.0.113.1 port 80 + root "/htdocs/www.b.example.com" +} + +server "intranet.example.com" { + listen on 10.0.0.1 port 80 + root "/htdocs/intranet.example.com" +} +.Ed +.Pp +Simple redirections can be configured with the +.Ic block +directive: +.Bd -literal -offset indent +server "example.com" { + listen on 10.0.0.1 port 80 + listen on 10.0.0.1 tls port 443 + block return 301 "$REQUEST_SCHEME://www.example.com$REQUEST_URI" +} + +server "www.example.com" { + listen on 10.0.0.1 port 80 + listen on 10.0.0.1 tls port 443 +} +.Ed +.Pp +The request can also be rewritten with the +.Ic request rewrite +directive: +.Bd -literal -offset indent +server "example.com" { + listen on * port 80 + location match "/old/(.*)" { + request rewrite "/new/%1" + } +} +.Ed +.Sh SEE ALSO +.Xr htpasswd 1 , +.Xr glob 7 , +.Xr patterns 7 , +.Xr httpd 8 , +.Xr ocspcheck 8 , +.Xr slowcgi 8 +.Sh AUTHORS +.An -nosplit +The +.Xr httpd 8 +program was written by +.An Reyk Floeter Aq Mt reyk@openbsd.org . diff --git a/static/openbsd/man5/ifstated.conf.5 b/static/openbsd/man5/ifstated.conf.5 new file mode 100644 index 00000000..6dda655a --- /dev/null +++ b/static/openbsd/man5/ifstated.conf.5 @@ -0,0 +1,203 @@ +.\" $OpenBSD: ifstated.conf.5,v 1.18 2025/07/08 14:26:45 schwarze Exp $ +.\" +.\" Copyright (c) 2005 Nikolay Sturm <sturm@openbsd.org> +.\" Copyright (c) 2005 Marco Pfatschbacher <mpf@openbsd.org> +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: July 8 2025 $ +.Dt IFSTATED.CONF 5 +.Os +.Sh NAME +.Nm ifstated.conf +.Nd Interface State daemon configuration file +.Sh DESCRIPTION +The +.Xr ifstated 8 +daemon runs commands in response to network state changes, which it +determines by monitoring interface link state or running external tests. +.Nm +is the configuration file for this daemon. +.Pp +The +.Nm +config file is divided into the following main sections: +.Bl -tag -width xxxx +.It Sx Global configuration +Global settings for +.Xr ifstated 8 . +.It Sx Macros +Definitions of variables that can be used later, simplifying the +configuration file. +.It Sx State definitions +Definitions of states and transitions. +.El +.Ss Global configuration +.Bl -tag -width Ds +.It Ic init-state Ar state +Set the initial state to +.Ar state +instead of using the first state defined. +.El +.Ss Macros +A macro is defined with a command of the form +.Ar name Ns = Ns Ar value . +The macro +.Ar name +can contain letters, digits, and underscores and cannot be a reserved word +(for example, +.Ar state +or +.Ar run ) . +Within unquoted arguments, the string +.Pf $ Ar name +is later expanded to +.Ar value . +.Pp +Macros are usually used to define tests for state transitions like interface +link state or external tests. +.Pp +Currently an interface can have three different link states: +.Pp +.Bl -tag -width xxxxxxxx -compact +.It Ar up +The physical link of the interface is up. +For +.Xr carp 4 +interfaces this equals the master state. +.It Ar down +The physical link of the interface is down. +For +.Xr carp 4 +interfaces this equals the backup state. +.It Ar unknown +The physical link of the interface is unknown. +This is because the interface driver does not provide information of the +physical link state. +For +.Xr carp 4 +interfaces this equals the init state. +.El +.Pp +In contrast to link state tests, external tests must be run periodically to +evaluate their status. +The frequency at which an external test is run is set, in seconds, with the +.Ar every +keyword. +.Pp +For example: +.Bd -literal -offset indent +links_up = "em0.link.up && em1.link.up" +net = '( "ping -q -c 1 -w 1 192.168.0.1 > /dev/null" every 10 && \e + "ping -q -c 1 -w 1 192.168.0.2 > /dev/null" every 10 )' +.Ed +.Ss Tests and events +.Xr ifstated 8 +delegates the process of testing to libevent which associates a value with +every test, in this case +.Em true +or +.Em false . +Whenever the value of a test associated with the current state changes, +an event is triggered and the state's body is processed. +.Ss State definitions +.Xr ifstated 8 +operates on a finite state machine with states and transitions. +.Pp +Each state consists of an +.Em init +block and a body. +The +.Em init +block is used to initialise the state and is executed each time the state +is entered. +The body of a state is only executed when that state is the current state +and an event occurs. +.Pp +The action taken within a certain state is typically made dependent on the +evaluation of one or more +.Em if +statements. +Possible actions include executing commands using the +.Em run +statement, or triggering a state transition with the +.Ar set-state +keyword. +It is also possible to write multiple nested +.Em if +blocks. +.Pp +For example: +.Bd -literal -offset indent +state one { + init { + run "logger -t ifstated entering state one" + run "ifconfig -g carp -carpdemote" + } + + if ! $net || urndis0.link.up + set-state two + + if ! $links_up { + run "ifconfig -g carp carpdemote" + + if urndis0.link.down + set-state three + } +} +.Ed +.Sh GRAMMAR +Syntax for +.Nm +in BNF: +.Bd -literal +grammar = entry grammar | entry + +entry = global_config | varset | action | state + +global_config = initstate +initstate = "init-state" string + +varset = string "=" string + +action_list = action [ action_list ] +action = "run" string | "set-state" string | + "if" expr action_block +action_block = "{" action_list "}" | action +expr = "!" expr | expr "&&" expr | expr "||" expr | term +term = if_test | ext_test | "(" expr ")" +if_test = string ".link." ( "up" | "down" | "unknown" ) +ext_test = string "every" number + +state = "state" string "{" stateopt_list "}" +stateopt_list = stateopt [ stateopt_list ] +stateopt = init | action +init = "init" action_block +.Ed +.Sh FILES +.Bl -tag -width /etc/examples/ifstated.conf -compact +.It Pa /etc/ifstated.conf +.Xr ifstated 8 +configuration file. +.It Pa /etc/examples/ifstated.conf +Example configuration file. +.El +.Sh SEE ALSO +.Xr carp 4 , +.Xr pf 4 , +.Xr ifstated 8 +.Sh HISTORY +The +.Nm +file format first appeared in +.Ox 3.8 . diff --git a/static/openbsd/man5/iked.conf.5 b/static/openbsd/man5/iked.conf.5 new file mode 100644 index 00000000..d7f1c75b --- /dev/null +++ b/static/openbsd/man5/iked.conf.5 @@ -0,0 +1,1266 @@ +.\" $OpenBSD: iked.conf.5,v 1.103 2026/01/18 16:38:01 schwarze Exp $ +.\" +.\" Copyright (c) 2010 - 2014 Reyk Floeter <reyk@openbsd.org> +.\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved. +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: January 18 2026 $ +.Dt IKED.CONF 5 +.Os +.Sh NAME +.Nm iked.conf +.Nd IKEv2 configuration file +.Sh DESCRIPTION +.Nm +is the configuration file for +.Xr iked 8 , +the Internet Key Exchange version 2 (IKEv2) daemon for IPsec. +IPsec itself is a pair of protocols: +Encapsulating Security Payload (ESP), +which provides integrity and confidentiality; +and Authentication Header (AH), +which provides integrity. +The IPsec protocol itself is described in +.Xr ipsec 4 . +.Pp +In its most basic form, a flow is established between hosts and/or +networks, and then Security Associations (SA) are established, +which detail how the desired protection will be achieved. +IPsec uses flows to determine whether to apply security services to an +IP packet or not. +.Xr iked 8 +is used to set up flows and establish SAs automatically, +by specifying +.Sq ikev2 +policies in +.Nm +(see +.Sx Automatic keying policies , +below). +.Pp +Alternative methods of setting up flows and SAs are also possible +using manual keying or automatic keying using the older ISAKMP/Oakley +a.k.a. IKEv1 protocol. +Manual keying is not recommended, but can be convenient for quick +setups and testing. +See +.Xr ipsec.conf 5 +and +.Xr isakmpd 8 +for more information about manual keying and ISAKMP support. +.Sh IKED.CONF FILE FORMAT +.Nm +is divided into three main sections: +.Bl -tag -width xxxx +.It Sx Macros +Definitions of variables that can be used later, simplifying the +configuration file. +.It Sx Global configuration +Global settings for +.Xr iked 8 . +.It Sx Automatic keying policies +Policies to set up IPsec flows and SAs automatically. +.El +.Pp +Lines beginning with +.Sq # +and empty lines are regarded as comments, +and ignored. +Lines may be split using the +.Sq \e +character. +.Pp +Arguments not beginning with a letter, digit, or underscore +must be quoted. +.Pp +Addresses can be specified in CIDR notation (matching netblocks), +as symbolic host names, interface names, or interface group names. +.Pp +Additional configuration files can be included with the +.Ic include +keyword, for example: +.Bd -literal -offset indent +include "/etc/macros.conf" +.Ed +.Pp +Certain parameters can be expressed as lists, in which case +.Xr iked 8 +generates all the necessary flow combinations. +For example: +.Bd -literal -offset indent +ikev2 esp proto { tcp, udp } \e + from 192.168.1.1 to 10.0.0.18 \e + peer 192.168.10.1 +.Ed +.Ss Macros +A macro is defined with a command of the form +.Ar name Ns = Ns Ar value . +The macro +.Ar name +can contain letters, digits, and underscores and cannot be a reserved word +(for example, +.Ic flow , +.Ic from , +or +.Ic esp ) . +Within unquoted arguments, the string +.Pf $ Ar name +is later expanded to +.Ar value . +.Pp +For example: +.Bd -literal -offset indent +remote_gw = "192.168.3.12" +ikev2 esp from 192.168.7.0/24 to 192.168.8.0/24 peer $remote_gw +.Ed +.Ss Global configuration +Here are the settings that can be set globally: +.Bl -tag -width xxxx +.It Ic set active +Set +.Xr iked 8 +to global active mode. +In active mode the per-policy +.Ar mode +setting is respected. +.Xr iked 8 +will initiate policies set to +.Ar active +and wait for incoming requests for policies set to +.Ar passive . +This is the default. +.It Ic set passive +Set +.Xr iked 8 +to global passive mode. +In passive mode no packets are sent to peers and no connections are +initiated by +.Xr iked 8 , +even for +.Ar active +policies. +This option is used for setups using +.Xr sasyncd 8 +and +.Xr carp 4 +to provide redundancy. +.Xr iked 8 +will run in passive mode until sasyncd has determined that the host +is the master and can switch to active mode. +.It Ic set couple +Load the negotiated security associations (SAs) and flows into the kernel. +This is the default. +.It Ic set decouple +Don't load the negotiated SAs and flows from the kernel. +This mode is only useful for testing and debugging. +.It Ic set dpd_check_interval Ar time +Specify the liveness check interval, in seconds. +Setting +.Ar time +to 0 disables DPD. +The default value is 60 seconds. +.It Ic set enforcesingleikesa +Allow only a single active IKE SA for each +.Ic dstid . +When a new SA with the same +.Ic dstid +is established, it replaces the old SA. +.It Ic set noenforcesingleikesa +Don't limit the number of IKE SAs per +.Ic dstid . +This is the default. +.It Ic set fragmentation +Enable IKEv2 Message Fragmentation (RFC 7383) support. +This allows IKEv2 to operate in environments that might block IP fragments. +.It Ic set nofragmentation +Disables IKEv2 Message Fragmentation support. +This is the default. +.It Ic set mobike +Enable MOBIKE (RFC 4555) support. +This is the default. +MOBIKE allows the peer IP address to be changed for IKE and IPsec SAs. +Currently +.Xr iked 8 +only supports MOBIKE when acting as a responder. +.It Ic set nomobike +Disables MOBIKE support. +.It Ic set cert_partial_chain +Allow partial certificate chain if at least one certificate is a trusted CA from +.Pa /etc/iked/ca/ . +.It Ic set ocsp Ar URL Op Ic tolerate Ar time Op Ic maxage Ar time +Enable OCSP and set the fallback URL of the OCSP responder. +This fallback will be used if the trusted CA from +.Pa /etc/iked/ca/ +does not have an OCSP-URL extension. +The matching responder certificates have to be placed in +.Pa /etc/iked/ocsp/responder.crt . +.Pp +The optional +.Ic tolerate +parameter specifies how much the OCSP response attribute +.Sq thisUpdate +may be in the future and how much +.Sq nextUpdate +may be in the past, with respect to the local time. +The optional +.Ic maxage +parameter specifies how much +.Sq thisUpdate +may be in the past. +If +.Ic tolerate +is set to 0 then the times are not verified at all. +This is the default setting. +.It Ic set vendorid +Send OpenIKED Vendor ID payload. +This is the default. +.It Ic set novendorid +Don't send a Vendor ID payload. +.It Ic user Ar name password +.Xr iked 8 +supports user-based authentication by tunneling the Extensible +Authentication Protocol (EAP) over IKEv2. +In its most basic form, the users will be authenticated against a +local, integrated password database that is configured with the +.Ic user +lines in +.Nm +and the +.Ar name +and +.Ar password +arguments. +The password has to be specified in plain text which is +required to support different challenge-based EAP methods like +EAP-MD5 or EAP-MSCHAPv2. +.El +.Ss Automatic keying policies +This section is used to configure policies that will be used by +.Xr iked 8 +to set up flows and SAs automatically. +Some examples of setting up automatic keying: +.Bd -literal -offset 3n +# Set up a VPN: +# First between the gateway machines 192.168.3.1 and 192.168.3.2 +# Second between the networks 10.1.1.0/24 and 10.1.2.0/24 +ikev2 esp from 192.168.3.1 to 192.168.3.2 +ikev2 esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 +.Ed +.Pp +For incoming connections from remote peers, the policies are evaluated +in sequential order, from first to last. +The last matching policy decides what action is taken; if no policy matches +the connection, the default action is to ignore the connection attempt or +to use the +.Ar default +policy, if set. +See the +.Sx EXAMPLES +section for a detailed example of the policy evaluation. +.Pp +The first time an IKEv2 connection matches a policy, an IKE SA is +created; for subsequent packets the connection is identified by the +IKEv2 parameters that are stored in the SA without evaluating any +policies. +After the connection is closed or times out, the IKE SA is +automatically removed. +.Pp +The commands are as follows: +.Bl -tag -width xxxx -compact +.It Xo +.Ic ikev2 +.Op Ar name +.Xc +The mandatory +.Ic ikev2 +keyword will identify an IKEv2 automatic keying policy. +.Ar name +is an optional arbitrary string identifying the policy. +The name should only occur once in +.Nm +or any included files. +If omitted, +a name will be generated automatically for the policy. +.Pp +.It Op Ar eval +The +.Ar eval +option modifies the policy evaluation for this policy. +It can be one of +.Ar quick , +.Ar skip +or +.Ar default . +If a new incoming connection matches a policy with the +.Ar quick +option set, that policy is considered the last matching policy, +and evaluation of subsequent policies is skipped. +The +.Ar skip +option will disable evaluation of this policy for incoming connections. +The +.Ar default +option sets the default policy and should only be specified once. +.Pp +.It Op Ar mode +.Ar mode +specifies the IKEv2 mode to use: +one of +.Ar passive +or +.Ar active . +When +.Ar passive +is specified, +.Xr iked 8 +will not immediately start negotiation of this tunnel, but wait for an incoming +request from the remote peer. +When +.Ar active +is specified, negotiation will be started at once. +If omitted, +.Ar passive +mode will be used. +.Pp +.It Op Ar ipcomp +The keyword +.Ar ipcomp +specifies that +.Xr ipcomp 4 , +the IP Payload Compression protocol, is negotiated in addition to encapsulation. +The optional compression is applied before packets are encapsulated. +IPcomp must be enabled in the kernel: +.Pp +.Dl # sysctl net.inet.ipcomp.enable=1 +.Pp +.It Op Ar tmode +.Ar tmode +describes the encapsulation mode to be used. +Possible modes are +.Ar tunnel +and +.Ar transport ; +the default is +.Ar tunnel . +.Pp +.It Op Ar natt +.Ar natt +forces negotiation of NAT-Traversal after the initial handshake. +.Pp +.It Op Ar encap +.Ar encap +specifies the encapsulation protocol to be used. +Possible protocols are +.Ar esp +and +.Ar ah ; +the default is +.Ar esp . +.Pp +.It Op Ar af +This policy only applies to endpoints of the specified address family +which can be either +.Ar inet +or +.Ar inet6 . +This only matters for IKEv2 endpoints and does not +restrict the traffic selectors to negotiate flows with different +address families, e.g. IPv6 flows negotiated by IPv4 endpoints. +.Pp +.It Xo +.Ic proto Ar protocol +.Xc +.It Xo +.Ic proto +.Ic { Ar protocol ... Ic } +.Xc +The optional +.Ic proto +parameter restricts the flow to a specific IP protocol. +Common protocols are +.Xr icmp 4 , +.Xr tcp 4 , +and +.Xr udp 4 . +For a list of all the protocol name to number mappings used by +.Xr iked 8 , +see the file +.Pa /etc/protocols . +.Pp +Multiple +.Ar protocol +entries can be specified, separated by commas or whitespace, +if enclosed in curly brackets: +.Bd -literal -offset indent +proto { tcp, udp } +.Ed +.Pp +.It Ic rdomain Ar number +Specify a different routing domain for unencrypted traffic. +The resulting IPsec SAs will match outgoing packets in the specified +.Ic rdomain Ar number +and move the encrypted packets to the rdomain the +.Xr iked 8 +instance is running in. +Vice versa, incoming +.Xr ipsec 4 +traffic is moved to +.Ic rdomain Ar number +after decryption. +.Pp +.It Xo +.Ic from Ar src +.Op Ic port Ar sport +.Op Pq Ar srcnat +.Ic to Ar dst +.Op Ic port Ar dport +.Xc +Specify one or more traffic selectors for this policy which will be +used to negotiate the IPsec flows between the IKEv2 peers. +During the negotiation, the peers may decide to narrow a flow to a +subset of the configured traffic selector networks to match the +policies on each side. +.Pp +Each traffic selector will apply for packets with source address +.Ar src +and destination address +.Ar dst . +If the +.Ar src +argument specifies a fictional source ID, +the +.Ar srcnat +parameter can be used to specify the actual source address. +This can be used in outgoing NAT/BINAT scenarios as described below. +The keyword +.Ar any +will match any address (i.e. 0.0.0.0/0 and ::/0). +If the +.Ic config address +option is specified, the +.Ar dynamic +keyword can be used to create flows from or to the dynamically +assigned address. +.Pp +The optional +.Ic port +modifiers restrict the traffic selectors to the specified ports. +They are only valid in conjunction with the +.Xr tcp 4 +and +.Xr udp 4 +protocols. +Ports can be specified by number or by name. +For a list of all port name to number mappings used by +.Xr ipsecctl 8 , +see the file +.Pa /etc/services . +.Pp +.It Ic local Ar localip Ic peer Ar remote +The +.Ic local +parameter specifies the address or FQDN of the local endpoint. +Unless the gateway is multi-homed or uses address aliases, +this option is generally not needed. +.Pp +The +.Ic peer +parameter specifies the address or FQDN of the remote endpoint. +For host-to-host connections where +.Ar dst +is identical to +.Ar remote , +this option is generally not needed as it will be set to +.Ar dst +automatically. +If it is not specified or if the keyword +.Ar any +is given, the default peer is used. +.Pp +.It Xo +.Ic ikesa +.Ic auth Ar algorithm +.Ic enc Ar algorithm +.Ic prf Ar algorithm +.Ic group Ar group +.Xc +These parameters define the mode and cryptographic transforms to be +used for the IKE SA negotiation, also known as phase 1. +The IKE SA will be used to authenticate the machines and to set up an +encrypted channel for the IKEv2 protocol. +.Pp +Possible values for +.Ic auth , +.Ic enc , +.Ic prf , +.Ic group , +and the default proposals are described below in +.Sx CRYPTO TRANSFORMS . +If omitted, +.Xr iked 8 +will use the default proposals for the IKEv2 protocol. +.Pp +The keyword +.Ic ikesa +can be used multiple times as a delimiter between IKE SA proposals. +The order of the proposals depend on the order in the configuration. +The keywords +.Ic auth , +.Ic enc , +.Ic prf +and +.Ic group +can be used multiple times within a single proposal to configure +multiple crypto transforms. +.Pp +.It Xo +.Ic childsa +.Ic auth Ar algorithm +.Ic enc Ar algorithm +.Ic group Ar group +.Ic esn +.Xc +These parameters define the cryptographic transforms to be used for +the Child SA negotiation, also known as phase 2. +Each Child SA will be used to negotiate the actual IPsec SAs. +The initial Child SA is always negotiated with the initial IKEv2 key +exchange; additional Child SAs may be negotiated with additional +Child SA key exchanges for an established IKE SA. +.Pp +Possible values for +.Ic auth , +.Ic enc , +.Ic group , +.Ic esn , +and the default proposals are described below in +.Sx CRYPTO TRANSFORMS . +If omitted, +.Xr iked 8 +will use the default proposals for the ESP or AH protocol. +.Pp +The +.Ic group +option will only be used to enable Perfect Forward Secrecy (PFS) +for additional Child SAs exchanges that are not part of the initial +key exchange. +.Pp +The keyword +.Ic childsa +can be used multiple times as a delimiter between Child SA proposals. +The order of the proposals depend on the order in the configuration. +The keywords +.Ic auth , +.Ic enc +and +.Ic group +can be used multiple times within a single proposal to configure +multiple crypto transforms. +.Pp +.It Ic srcid Ar string Ic dstid Ar string +.Ic srcid +defines an ID of type +.Dq FQDN , +.Dq ASN1_DN , +.Dq IPV4 , +.Dq IPV6 , +or +.Dq UFQDN +that will be used by +.Xr iked 8 +as the identity of the local peer. +If the argument is an email address (reyk@example.com), +.Xr iked 8 +will use UFQDN as the ID type. +The ASN1_DN type will be used if the string starts with a slash +.Sq / +(/C=DE/../CN=10.0.0.1/emailAddress=reyk@example.com). +If the argument is an IPv4 address or a compressed IPv6 address, +the ID types IPV4 or IPV6 will be used. +Anything else is considered to be an FQDN. +.Pp +If +.Ic srcid +is omitted, +the default is to use the hostname of the local machine, +see +.Xr hostname 1 +to set or print the hostname. +.Pp +.Ic dstid +is similar to +.Ic srcid , +but instead specifies the ID to be used +by the remote peer. +.Pp +.It Ic ikelifetime Ar time +The optional +.Ic ikelifetime +parameter defines the IKE SA expiration timeout by the +.Ar time +SA was created. +A zero value disables active IKE SA rekeying. +This is the default. +.Pp +The accepted format of the +.Ar time +specification is described below. +.Pp +.It Ic lifetime Ar time Op Ic bytes Ar bytes +The optional +.Ic lifetime +parameter defines the Child SA expiration timeout by the +.Ar time +SA was in use and by the number of +.Ar bytes +that were processed using the SA. +Default values are 3 hours and 4 gigabytes which means that SA will be +rekeyed before reaching the time limit or 4 gigabytes of data +will pass through. +Zero values disable rekeying. +.Pp +Several unit specifiers are recognized (ignoring case): +.Ql m +and +.Ql h +for minutes and hours, and +.Ql K , +.Ql M +and +.Ql G +for kilo-, mega- and gigabytes accordingly. +.Pp +Rekeying must happen at least several times a day as +IPsec security heavily depends on frequent key renewals. +.Pp +.It Op Ar ikeauth +Specify a method to be used to authenticate the remote peer. +.Xr iked 8 +will automatically determine a method based on public keys or certificates +configured for the peer. +.Ar ikeauth +can be used to override this behaviour. +Non-psk modes will require setting up certificates and RSA or ECDSA public +keys; see +.Xr iked 8 +for more information. +.Pp +.Bl -tag -width $domain -compact -offset indent +.It Ic eap Ar type +Use EAP to authenticate the initiator. +Currently +.Ar MSCHAP-V2 +or +.Ar RADIUS +is supported for the EAP +.Ar type . +The responder will use RSA public key authentication. +To use RADIUS for EAP, +at least one RADIUS server should be configured. +See the +.Sx RADIUS CONFIGURATION +section for RADIUS support. +.It Ic ecdsa256 +Use ECDSA with a 256-bit elliptic curve key and SHA2-256 for authentication. +.It Ic ecdsa384 +Use ECDSA with a 384-bit elliptic curve key and SHA2-384 for authentication. +.It Ic ecdsa521 +Use ECDSA with a 521-bit elliptic curve key and SHA2-512 for authentication. +.It Ic psk Ar string +Use a pre-shared key +.Ar string +or hex value (starting with 0x) for authentication. +.It Ic psk file Ar path +Use a pre-shared hex key (without leading 0x) read from +.Ar path +for authentication. +.It Ic rfc7427 +Only use RFC 7427 signatures for authentication. +RFC 7427 signatures currently only support SHA2-256 as the hash. +.It Ic rsa +Use RSA public key authentication with SHA1 as the hash. +.El +.Pp +The default is to allow any signature authentication. +.Pp +.It Cm config Ar option address +.It Cm request Ar option address +Request or serve one or more optional configuration payloads (CP). +The configuration +.Ar option +can be one of the following with the expected address format: +.Pp +.Bl -tag -width Ds -compact -offset indent +.It Ic address Ar address +Assign a static address on the internal network. +.It Ic address Ar address/prefix +Assign a dynamic address on the internal network. +The address will be assigned from an address pool with the size specified by +.Ar prefix . +.It Ic netmask Ar netmask +The IPv4 netmask of the internal network. +.It Ic name-server Ar address +The DNS server address within the internal network. +.It Ic netbios-server Ar address +The NetBIOS name server (WINS) within the internal network. +This option is provided for compatibility with legacy clients. +.It Ic dhcp-server Ar address +The address of an internal DHCP server for further configuration. +.It Ic protected-subnet Ar address/prefix +The address of an additional IPv4 or IPv6 subnet reachable over the +gateway. +This option is used to notify the peer of a subnet behind the gateway (that +might require a second SA). +Networks specified in this SA's "from" or "to" options do not need to be +included. +.It Ic access-server Ar address +The address of an internal remote access server. +.El +.Pp +.It Ic iface Ar interface +Enable automatic network configuration as initiator. +Received addresses, routes and nameservers will be installed on the specified +.Ar interface . +.Pp +.It Ic tag Ar string +Add a +.Xr pf 4 +tag to all packets of IPsec SAs created for this connection. +This will allow matching packets for this connection by defining +rules in +.Xr pf.conf 5 +using the +.Cm tagged +keyword. +.Pp +The following variables can be used in tags to include information +from the remote peer on runtime: +.Pp +.Bl -tag -width $domain -compact -offset indent +.It Ar $id +The +.Ic dstid +that was proposed by the remote peer to identify itself. +It will be expanded to +.Ar id-value , +e.g.\& +.Ar FQDN/foo.example.com . +To limit the size of the derived tag, +.Xr iked 8 +will extract the common name +.Sq CN= +from ASN1_DN IDs, for example +.Ar ASN1_ID//C=DE/../CN=10.1.1.1/.. +will be expanded to +.Ar 10.1.1.1 . +.It Ar $eapid +For a connection using EAP, the identity (username) used by the remote peer. +.It Ar $domain +Extract the domain from IDs of type FQDN, UFQDN or ASN1_DN. +.It Ar $name +The name of the IKEv2 policy that was configured in +.Nm +or automatically generated by +.Xr iked 8 . +.El +.Pp +For example, if the ID is +.Ar FQDN/foo.example.com +or +.Ar UFQDN/user@example.com , +.Dq ipsec-$domain +expands to +.Dq ipsec-example.com . +The variable expansion for the +.Ar tag +directive occurs only at runtime (not when the file is parsed) +and must be quoted, or it will be interpreted as a macro. +.Pp +.It Ic tap Ar interface +Send the decapsulated IPsec traffic to the specified +.Xr enc 4 +.Ar interface +instead of +.Ar enc0 +for filtering and monitoring. +The traffic will be blocked if the specified +.Ar interface +does not exist. +.El +.Sh RADIUS CONFIGURATION +The configuration options for RADIUS are as follows: +.Bl -tag -width xxxx +.It Ic radius config Oo Ar af Oc Ar option Oo Ar vendor Oc Ar attr +Once RADIUS authentication has succeeded, +.Xr iked 8 +uses the RADIUS attributes containing the response from the RADIUS server to +construct IKEv2 configuration payloads (CP). +This configuration option defines a mapping from a RADIUS attribute to an IKE +CP with the following parameters: +.Pp +.Bl -tag -width "vendor attr" -compact +.It Op Ar af +Specify either +.Cm inet +or +.Cm inet6 +for the address family of the IKE CP option. +.It Ar option +Specify an IKE CP option. +Choose from +.Sx Automatic keying policies +config options +.Po +.Cm address , +.Cm netmask , +.Cm name-server , +.Cm netbios-server , +.Cm dhcp-server , +and +.Cm access-server +.Pc +or use +.Cm none +to disable the existing or default mapping. +.It Ar attr +For a standard RADIUS attribute, +specify its Attribute-Type for +.Ar attr . +.It Ar vendor Ar attr +For a vendor specific RADIUS attribute, +specify its Vendor-ID for +.Ar vendor +and the Attribute-Type for +.Ar attr . +.El +.Pp +By default, +.Xr iked 8 +uses the following attributes for the options: +.Bl -column "inet6 netbios-server" "Vendor" "Type" "MS-Secondary-NBNS-Server" \ +-offset "XX" +.It Em "Option" Ta Em "Vendor" Ta Em "Type" Ta Em "Attribute Name" +.It Li "inet address" Ta "" Ta "8" Ta "Framed-IP-Address" +.It Li "inet netmask" Ta "" Ta "9" Ta "Framed-IP-Netmask" +.It Li "inet name-server" Ta "0x137" Ta "28" Ta "MS-Primary-DNS-Server" +.It Li "inet name-server" Ta "0x137" Ta "29" Ta "MS-Secondary-DNS-Server" +.It Li "inet netbios-server" Ta "0x137" Ta "30" Ta "MS-Primary-NBNS-Server" +.It Li "inet netbios-server" Ta "0x137" Ta "31" Ta "MS-Secondary-NBNS-Server" +.El +.It Ic radius Oo Ic accounting Oc Ic server Ar address Oo port Ar number Oc \ +secret Ar secret +Specify the RADIUS server's IP address and the shared secret with the server. +For a RADIUS accounting server, +use the +.Cm accounting +keyword. +Optionally specify the port number, +otherwise the default port number, +1812 for authentication or +1813 for accounting, +is used as the default. +.It Ic radius Oo Ic accounting Oc Ic max-tries Ar number +Specify the maximum number of retransmissions for a server. +.Xr iked 8 +will retransmit 2, 6, 14, 22, 30 seconds after the first transmission +and subsequent retransmissions will occur every 8 seconds. +If the number of retransmissions per server reaches this value, +the current server is marked as failed, +and the next server is used for subsequent requests. +For RADIUS accounting requests, +use the +.Cm accounting +keyword. +The default value is 3. +.It Ic radius Oo Ic accounting Oc Ic max-failovers Ar number +If a positive number is specified, +.Xr iked 8 +will failover to the next server when the current server is marked +.Dq fail . +This key and value specifies the maximum number of failovers. +For RADIUS accounting requests, +use the +.Cm accounting +keyword. +The default value is 0. +.It Ic radius dae listen on Ar address Oo port Ar number Oc +Specify the local +.Ar address +.Xr iked 8 +should listen on for the Dynamic Authorization Extensions +.Pq DAE, RFC 5176 +requests. +Optionally specify a port +.Ar number ; +the default port number is 3799. +.It Ic radius dae client Ar address Ic secret Ar secret +Specify an +.Ar address +for a DAE client and +.Ar secret . +.El +.Sh PACKET FILTERING +IPsec traffic appears unencrypted on the +.Xr enc 4 +interface +and can be filtered accordingly using the +.Ox +packet filter, +.Xr pf 4 . +The grammar for the packet filter is described in +.Xr pf.conf 5 . +.Pp +The following components are relevant to filtering IPsec traffic: +.Bl -ohang -offset indent +.It external interface +Interface for IKE traffic and encapsulated IPsec traffic. +.It proto udp port 500 +IKE traffic on the external interface. +.It proto udp port 4500 +IKE NAT-Traversal traffic on the external interface. +.It proto ah | esp +Encapsulated IPsec traffic +on the external interface. +.It enc0 +Default interface for outgoing traffic before it's been encapsulated, +and incoming traffic after it's been decapsulated. +State on this interface should be interface bound; +see +.Xr enc 4 +for further information. +.It proto ipencap +[tunnel mode only] +IP-in-IP traffic flowing between gateways +on the enc0 interface. +.It tagged ipsec-example.org +Match traffic of IPsec SAs using the +.Ic tag +keyword. +.El +.Pp +If the filtering rules specify to block everything by default, +the following rule +would ensure that IPsec traffic never hits the packet filtering engine, +and is therefore passed: +.Bd -literal -offset indent +set skip on enc0 +.Ed +.Pp +In the following example, all traffic is blocked by default. +IPsec-related traffic from gateways {192.168.3.1, 192.168.3.2} and +networks {10.0.1.0/24, 10.0.2.0/24} is permitted. +.Bd -literal -offset indent +block on ix0 +block on enc0 + +pass in on ix0 proto udp from 192.168.3.2 to 192.168.3.1 \e + port {500, 4500} +pass out on ix0 proto udp from 192.168.3.1 to 192.168.3.2 \e + port {500, 4500} + +pass in on ix0 proto esp from 192.168.3.2 to 192.168.3.1 +pass out on ix0 proto esp from 192.168.3.1 to 192.168.3.2 + +pass in on enc0 proto ipencap from 192.168.3.2 to 192.168.3.1 \e + keep state (if-bound) +pass out on enc0 proto ipencap from 192.168.3.1 to 192.168.3.2 \e + keep state (if-bound) +pass in on enc0 from 10.0.2.0/24 to 10.0.1.0/24 \e + keep state (if-bound) +pass out on enc0 from 10.0.1.0/24 to 10.0.2.0/24 \e + keep state (if-bound) +.Ed +.Pp +.Xr pf 4 +has the ability to filter IPsec-related packets +based on an arbitrary +.Em tag +specified within a ruleset. +The tag is used as an internal marker +which can be used to identify the packets later on. +This could be helpful, +for example, +in scenarios where users are connecting in from differing IP addresses, +or to support queue-based bandwidth control, +since the enc0 interface does not support it. +.Pp +The following +.Xr pf.conf 5 +fragment uses queues for all IPsec traffic with special +handling for developers and employees: +.Bd -literal -offset indent +queue std on ix0 bandwidth 100M +queue deflt parent std bandwidth 10M default +queue developers parent std bandwidth 75M +queue employees parent std bandwidth 5M +queue ipsec parent std bandwidth 10M + +pass out on ix0 proto esp set queue ipsec + +pass out on ix0 tagged ipsec-developers.example.com \e + set queue developers +pass out on ix0 tagged ipsec-employees.example.com \e + set queue employees +.Ed +.Pp +The following example assigns the tags in the +.Nm +configuration and also sets an alternative +.Xr enc 4 +device: +.Bd -literal -offset indent +ikev2 esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \e + tag "ipsec-$domain" tap "enc1" +.Ed +.Sh OUTGOING NETWORK ADDRESS TRANSLATION +In some network topologies it is desirable to perform NAT on traffic leaving +through the VPN tunnel. +In order to achieve that, +the +.Ar src +argument is used to negotiate the desired network ID with the peer +and the +.Ar srcnat +parameter defines the true local subnet, +so that a correct SA can be installed on the local side. +.Pp +For example, +if the local subnet is 192.168.1.0/24 and all the traffic +for a specific VPN peer should appear as coming from 10.10.10.1, +the following configuration is used: +.Bd -literal -offset indent +ikev2 esp from 10.10.10.1 (192.168.1.0/24) to 192.168.2.0/24 \e + peer 10.10.20.1 +.Ed +.Pp +Naturally, +a relevant NAT rule is required in +.Xr pf.conf 5 . +For the example above, +this would be: +.Bd -literal -offset indent +match out on enc0 from 192.168.1.0/24 to 192.168.2.0/24 \e + nat-to 10.10.10.1 +.Ed +.Pp +From the peer's point of view, +the local end of the VPN tunnel is declared to be 10.10.10.1 +and all the traffic arrives with that source address. +.Sh CRYPTO TRANSFORMS +The following authentication types are permitted with the +.Ic auth +keyword: +.Bl -column "Authentication" "Key Length" "Truncated Length" "Default" -offset indent +.It Em "Authentication" Ta Em "Key Length" Ta Em "Truncated Length" Ta Em "Default" +.It Li hmac-md5 Ta "128 bits" Ta "96 bits" Ta "" +.It Li hmac-sha1 Ta "160 bits" Ta "96 bits" Ta "x" +.It Li hmac-sha2-256 Ta "256 bits" Ta "128 bits" Ta "x" +.It Li hmac-sha2-384 Ta "384 bits" Ta "192 bits" Ta "x" +.It Li hmac-sha2-512 Ta "512 bits" Ta "256 bits" Ta "x" +.El +.Pp +The following pseudo-random function types are permitted with the +.Ic prf +keyword: +.Bl -column "hmac-sha2-512" "Key Length" "Default" "[IKE only]" -offset indent +.It Em "PRF" Ta Em "Key Length" Ta Em "Default" Ta "" +.It Li hmac-md5 Ta "128 bits" Ta "" Ta "[IKE only]" +.It Li hmac-sha1 Ta "160 bits" Ta "x" Ta "[IKE only]" +.It Li hmac-sha2-256 Ta "256 bits" Ta "x" Ta "[IKE only]" +.It Li hmac-sha2-384 Ta "384 bits" Ta "x" Ta "[IKE only]" +.It Li hmac-sha2-512 Ta "512 bits" Ta "x" Ta "[IKE only]" +.El +.Pp +The following cipher types are permitted with the +.Ic enc +keyword: +.Bl -column "chacha20-poly1305" "Key Length" "Default" "[ESP only]" -offset indent +.It Em "Cipher" Ta Em "Key Length" Ta Em "Default" Ta "" +.It Li 3des Ta "168 bits" Ta "x" Ta "" +.It Li aes-128 Ta "128 bits" Ta "x" Ta "" +.It Li aes-192 Ta "192 bits" Ta "x" Ta "" +.It Li aes-256 Ta "256 bits" Ta "x" Ta "" +.It Li aes-128-ctr Ta "160 bits" Ta "" Ta "[ESP only]" +.It Li aes-192-ctr Ta "224 bits" Ta "" Ta "[ESP only]" +.It Li aes-256-ctr Ta "288 bits" Ta "" Ta "[ESP only]" +.It Li aes-128-gcm Ta "160 bits" Ta "x" Ta "" +.It Li aes-192-gcm Ta "224 bits" Ta "" Ta "[ESP only]" +.It Li aes-256-gcm Ta "288 bits" Ta "x" Ta "" +.It Li aes-128-gcm-12 Ta "160 bits" Ta "" Ta "[IKE only]" +.It Li aes-256-gcm-12 Ta "288 bits" Ta "" Ta "[IKE only]" +.It Li blowfish Ta "160 bits" Ta "" Ta "[ESP only]" +.It Li cast Ta "128 bits" Ta "" Ta "[ESP only]" +.It Li chacha20-poly1305 Ta "288 bits" Ta "" Ta "[ESP only]" +.El +.Pp +The following cipher types provide only authentication, +not encryption: +.Bl -column "chacha20-poly1305" "Key Length" "Default" "[ESP only]" -offset indent +.It Li aes-128-gmac Ta "160 bits" Ta "" Ta "[ESP only]" +.It Li aes-192-gmac Ta "224 bits" Ta "" Ta "[ESP only]" +.It Li aes-256-gmac Ta "288 bits" Ta "" Ta "[ESP only]" +.It Li null Ta "" Ta "" Ta "[ESP only]" +.El +.Pp +The Extended Sequence Numbers option can be enabled or disabled with the +.Ic esn +or +.Ic noesn +keywords: +.Bl -column "noesn" "Default" "[ESP only]" -offset indent +.It Em ESN Ta Em "Default" Ta Em "" +.It Li esn Ta "x" Ta "[ESP only]" +.It Li noesn Ta "x" Ta "[ESP only]" +.El +.Pp +Transforms followed by +.Bq IKE only +can only be used with the +.Ic ikesa +keyword, transforms with +.Bq ESP only +can only be used with the +.Ic childsa +keyword. +.Pp +Using AES-GMAC or NULL with ESP will only provide authentication. +This is useful in setups where AH cannot be used, e.g. when NAT is involved. +.Pp +The following group types are permitted with the +.Ic group +keyword: +.Bl -column "sntrup761x25519" "Group" "1190 B" "Hybrid PQKE" "Default" -offset indent +.It Em Name Ta Em Group Ta Em Size Ta Em Type Ta Em Default +.It Li modp768 Ta grp1 Ta 768 Ta "MODP" Ta "" Ta "[insecure]" +.It Li modp1024 Ta grp2 Ta 1024 Ta "MODP" Ta "x" Ta "[weak]" +.It Li modp1536 Ta grp5 Ta 1536 Ta "MODP" Ta "x" Ta "[weak]" +.It Li modp2048 Ta grp14 Ta 2048 Ta "MODP" Ta "x" +.It Li modp3072 Ta grp15 Ta 3072 Ta "MODP" Ta "x" +.It Li modp4096 Ta grp16 Ta 4096 Ta "MODP" Ta "x" +.It Li modp6144 Ta grp17 Ta 6144 Ta "MODP" Ta "" +.It Li modp8192 Ta grp18 Ta 8192 Ta "MODP" Ta "" +.It Li ecp256 Ta grp19 Ta 256 Ta "ECP" Ta "x" +.It Li ecp384 Ta grp20 Ta 384 Ta "ECP" Ta "x" +.It Li ecp521 Ta grp21 Ta 521 Ta "ECP" Ta "x" +.It Li ecp224 Ta grp26 Ta 224 Ta "ECP" Ta "" +.It Li brainpool224 Ta grp27 Ta 224 Ta "ECP" Ta "" +.It Li brainpool256 Ta grp28 Ta 256 Ta "ECP" Ta "" +.It Li brainpool384 Ta grp29 Ta 384 Ta "ECP" Ta "" +.It Li brainpool512 Ta grp30 Ta 512 Ta "ECP" Ta "" +.It Li curve25519 Ta grp31 Ta 256 Ta "Curve25519" Ta "x" +.It Li sntrup761x25519 Ta "" Ta 1190 B Ta "Hybrid PQKE" Ta "" +.El +.Pp +The currently supported group types are either +MODP (exponentiation groups modulo a prime), +ECP (elliptic curve groups modulo a prime), +or Curve25519. +MODP groups of less than 2048 bits are considered +as weak or insecure (see RFC 8247 section 2.4) and only provided for +backwards compatibility. +.Sh FILES +.Bl -tag -width /etc/examples/iked.conf -compact +.It Pa /etc/iked.conf +.It Pa /etc/examples/iked.conf +.El +.Sh EXAMPLES +The first example is intended for a server with clients connecting to +.Xr iked 8 +as an IPsec gateway, or IKEv2 responder, using mutual public key +authentication and additional challenge-based EAP-MSCHAPv2 password +authentication: +.Bd -literal -offset indent +user "test" "password123" + +ikev2 "win7" esp \e + from dynamic to 172.16.2.0/24 \e + peer 10.0.0.0/8 local 192.168.56.0/24 \e + eap "mschap-v2" \e + config address 172.16.2.1 \e + tag "$name-$id" +.Ed +.Pp +The next example allows peers to authenticate using a pre-shared key +.Sq foobar : +.Bd -literal -offset indent +ikev2 "big test" \e + esp proto tcp \e + from 10.0.0.0/8 port 23 to 20.0.0.0/8 port 40 \e + from 192.168.1.1 to 192.168.2.2 \e + peer any local any \e + ikesa \e + enc aes-128-gcm \e + group ecp256 group curve25519 \e + ikesa \e + enc aes-128 auth hmac-sha2-256 \e + group ecp256 group curve25519 \e + childsa enc aes-128-gcm \e + childsa enc aes-128 auth hmac-sha2-256 \e + srcid host.example.com \e + dstid 192.168.0.254 \e + psk "foobar" +.Ed +.Pp +The following example illustrates the last matching policy +evaluation for incoming connections on an IKEv2 gateway. +The peer 192.168.1.34 will always match the first policy because of the +.Ar quick +keyword; +connections from the peers 192.168.1.3 and 192.168.1.2 will be matched +by one of the last two policies; +any other connections from 192.168.1.0/24 will be matched by the +.Sq subnet +policy; +and any other connection will be matched by the +.Sq catch all +policy. +.Bd -literal -offset indent +ikev2 quick esp from 10.10.10.0/24 to 10.20.20.0/24 \e + peer 192.168.1.34 +ikev2 "catch all" esp from 10.0.1.0/24 to 10.0.2.0/24 \e + peer any +ikev2 "subnet" esp from 10.0.3.0/24 to 10.0.4.0/24 \e + peer 192.168.1.0/24 +ikev2 esp from 10.0.5.0/30 to 10.0.5.4/30 peer 192.168.1.2 +ikev2 esp from 10.0.5.8/30 to 10.0.5.12/30 peer 192.168.1.3 +.Ed +.Pp +This example encrypts a +.Xr gre 4 +tunnel from local machine A (2001:db8::aa:1) to peer D (2001:db8::dd:4) based on +FQDN-based public key authentication; +.Ar transport +mode avoids double encapsulation: +.Bd -literal -offset indent +ikev2 transport \e + proto gre \e + from 2001:db8::aa:1 to 2001:db8::dd:4 \e + peer D.example.com +.Ed +.Sh SEE ALSO +.Xr enc 4 , +.Xr ipsec 4 , +.Xr ipsec.conf 5 , +.Xr pf.conf 5 , +.Xr ikectl 8 , +.Xr iked 8 +.Sh HISTORY +The +.Nm +file format first appeared in +.Ox 4.8 . +.Sh AUTHORS +The +.Xr iked 8 +program was written by +.An Reyk Floeter Aq Mt reyk@openbsd.org . diff --git a/static/openbsd/man5/info.5 b/static/openbsd/man5/info.5 new file mode 100644 index 00000000..8380c536 --- /dev/null +++ b/static/openbsd/man5/info.5 @@ -0,0 +1,62 @@ +.\" info(5) +.\" $Id: info.5,v 1.1.1.2 2006/07/17 16:03:58 espie Exp $ +.\" +.\" Copyright (C) 1998 Free Software Foundation, Inc. +.\" +.\" Permission is granted to make and distribute verbatim copies of this +.\" manual provided the copyright notice and this permission notice are +.\" preserved on all copies. +.\" +.\" Permission is granted to copy and distribute modified versions of +.\" this manual under the conditions for verbatim copying, provided that +.\" the entire resulting derived work is distributed under the terms of a +.\" permission notice identical to this one. +.\" +.\" Permission is granted to copy and distribute translations of this +.\" manual into another language, under the above conditions for modified +.\" versions, except that this permission notice may be stated in a +.\" translation approved by the Foundation. +.\" +.TH INFO 5 "GNU Info" "FSF" +.SH NAME +info \- readable online documentation +.SH DESCRIPTION +The Info file format is an easily-parsable representation for online +documents. It can be read by +.I emacs(1) +and +.I info(1) +among other programs. +.PP +Info files are usually created from +.I texinfo(5) +sources by +.IR makeinfo(1) , +but can be created from scratch if so desired. +.PP +For a full description of the Texinfo language and associated tools, +please see the Texinfo manual (written in Texinfo itself). Most likely, +running this command from your shell: +.RS +.I info texinfo +.RE +or this key sequence from inside Emacs: +.RS +.I M-x info RET m texinfo RET +.RE +will get you there. +.SH AVAILABILITY +ftp://ftp.gnu.org/pub/gnu/texinfo-<version>.tar.gz +.br +or any GNU mirror site. +.SH "REPORTING BUGS" +Please send bug reports to bug-texinfo@gnu.org, +general questions and discussion to help-texinfo@gnu.org. +.SH "SEE ALSO" +info(1), install-info(1), makeinfo(1), texi2dvi(1), +.br +texindex(1). +.br +emacs(1), tex(1). +.br +texinfo(5). diff --git a/static/openbsd/man5/ipsec.conf.5 b/static/openbsd/man5/ipsec.conf.5 new file mode 100644 index 00000000..3969a478 --- /dev/null +++ b/static/openbsd/man5/ipsec.conf.5 @@ -0,0 +1,1019 @@ +.\" $OpenBSD: ipsec.conf.5,v 1.166 2026/01/18 16:38:01 schwarze Exp $ +.\" +.\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd $Mdocdate: January 18 2026 $ +.Dt IPSEC.CONF 5 +.Os +.Sh NAME +.Nm ipsec.conf +.Nd IPsec configuration file +.Sh DESCRIPTION +The +.Nm +file specifies rules and definitions for IPsec, +which provides security services for IP datagrams. +IPsec itself is a pair of protocols: +Encapsulating Security Payload (ESP), +which provides integrity and confidentiality; +and Authentication Header (AH), +which provides integrity. +The IPsec protocol itself is described in +.Xr ipsec 4 . +.Pp +In its most basic form, a +.Em flow +is established between hosts and/or networks, +and then Security Associations (SAs) are established, +which detail how the desired protection will be achieved. +IPsec uses flows +to determine whether to apply security services to an IP packet or not. +.Pp +Generally speaking +an automated keying daemon, +such as +.Xr isakmpd 8 , +is used to set up flows and establish SAs, +by specifying an +.Sq ike +line in +.Nm +(see +.Sx AUTOMATIC KEYING , +below). +An authentication method, +such as public key authentication, +will also have to be set up: +see the PKI section of +.Xr isakmpd 8 +for information on the types of authentication available, +and the procedures for setting them up. +.Pp +The keying daemon, +.Xr isakmpd 8 , +can be enabled to run at boot time via +.Dq rcctl enable isakmpd . +Note that to avoid +.Xr keynote 4 +policy checking, it will probably need to be run with at least the +.Fl K +option via the +.Dq rcctl set isakmpd flags -K +command which sets +.Pp +.Dl isakmpd_flags=\(dq-K\(dq +.Pp +in +.Xr rc.conf.local 8 . +The +.Nm +configuration itself is loaded at boot time +if IPsec is enabled by using +.Dq rcctl enable ipsec , +which sets +.Pp +.Dl ipsec=YES +.Pp +in +.Xr rc.conf.local 8 . +A utility called +.Xr ipsecctl 8 +is also available to load +.Nm +configurations, and can additionally be used +to view and modify IPsec flows. +.Pp +An alternative method of setting up SAs is also possible using +manual keying. +Manual keying is not recommended, +but can be convenient for quick setups and testing. +Those procedures are documented within this page. +.Sh IPSEC.CONF FILE FORMAT +The current line can be extended over multiple lines using a backslash +.Pq Sq \e . +Comments can be put anywhere in the file using a hash mark +.Pq Sq # , +and extend to the end of the current line. +Care should be taken when commenting out multi-line text: +the comment is effective until the end of the entire block. +.Pp +Arguments not beginning with a letter, digit, or underscore +must be quoted. +.Pp +Addresses can be specified in CIDR notation (matching netblocks), +as symbolic host names, interface names, or interface group names. +.Pp +Certain parameters can be expressed as lists, in which case +.Xr ipsecctl 8 +generates all the necessary combinations. +For example: +.Bd -literal -offset indent +ike esp from {192.168.1.1, 192.168.1.2} to \e + {10.0.0.17, 10.0.0.18} peer 192.168.10.1 +.Ed +.Pp +Will expand to: +.Bd -literal -offset indent +ike esp from 192.168.1.1 to 10.0.0.17 peer 192.168.10.1 +ike esp from 192.168.1.1 to 10.0.0.18 peer 192.168.10.1 +ike esp from 192.168.1.2 to 10.0.0.17 peer 192.168.10.1 +ike esp from 192.168.1.2 to 10.0.0.18 peer 192.168.10.1 +.Ed +.Pp +A macro is defined with a command of the form +.Ar name Ns = Ns Ar value . +The macro +.Ar name +can contain letters, digits, and underscores and cannot be a reserved word +(for example, +.Ic flow , +.Ic from , +or +.Ic esp ) . +Within unquoted arguments, the string +.Pf $ Ar name +is later expanded to +.Ar value . +.Pp +For example: +.Bd -literal -offset indent +remote_gw = "192.168.3.12" +flow esp from 192.168.7.0/24 to 192.168.8.0/24 peer $remote_gw +.Ed +.Pp +Additional configuration files can be included with the +.Ic include +keyword, for example: +.Bd -literal -offset indent +include "/etc/macros.conf" +.Ed +.Sh AUTOMATIC KEYING +In this scenario, +.Nm +is used to set up flows and SAs automatically using +.Xr isakmpd 8 +with the ISAKMP/Oakley a.k.a. IKEv1 protocol. +To configure automatic keying using the IKEv2 protocol, see +.Xr iked.conf 5 +instead. +Some examples of setting up automatic keying: +.Bd -literal -offset 3n +# Set up a VPN: +# First between the gateway machines 192.168.3.1 and 192.168.3.2 +# Second between the networks 10.1.1.0/24 and 10.1.2.0/24 +ike esp from 192.168.3.1 to 192.168.3.2 +ike esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 +.Ed +.Pp +The commands are as follows: +.Bl -tag -width xxxx +.It Xo +.Ic ike +.Op Ar mode +.Op Ar encap +.Op Ar tmode +.Xc +.Ar mode +specifies the IKEv1 mode to use: +one of +.Ar passive , +.Ar active , +or +.Ar dynamic . +When +.Ar passive +is specified, +.Xr isakmpd 8 +will not immediately start negotiation of this tunnel, but wait for an incoming +request from the remote peer. +When +.Ar active +or +.Ar dynamic +is specified, negotiation will be started at once. +The +.Ar dynamic +mode will additionally enable Dead Peer Detection (DPD) and use the +local hostname as the identity of the local peer, if not specified by +the +.Ic srcid +parameter. +.Ar dynamic +mode should be used for hosts with dynamic IP addresses like road +warriors or dialup hosts. +If omitted, +.Ar active +mode will be used. +.Pp +.Ar encap +specifies the encapsulation protocol to be used. +Possible protocols are +.Ar esp +and +.Ar ah ; +the default is +.Ar esp . +.Pp +.Ar tmode +describes the encapsulation mode to be used. +Possible modes are +.Ar tunnel +and +.Ar transport ; +the default is +.Ar tunnel . +.It Ic proto Ar protocol +The optional +.Ic proto +parameter restricts the flow to a specific IP protocol. +Common protocols are +.Xr icmp 4 , +.Xr tcp 4 , +and +.Xr udp 4 . +For a list of all the protocol name to number mappings used by +.Xr ipsecctl 8 , +see the file +.Pa /etc/protocols . +.It Xo +.Ic from Ar src +.Op Ic port Ar sport +.Op Pq Ar srcnat +.Ic to Ar dst +.Op Ic port Ar dport +.Xc +This rule applies for packets with source address +.Ar src +and destination address +.Ar dst . +The keyword +.Ar any +will match any address (i.e. 0.0.0.0/0). +If the +.Ar src +argument specifies a fictional source ID, +the +.Ar srcnat +parameter can be used to specify the actual source address. +This can be used in outgoing NAT/BINAT scenarios as described below in +.Sx OUTGOING NETWORK ADDRESS TRANSLATION . +Host addresses are parsed as type +.Dq IPV4_ADDR ; +adding the suffix /32 will change the type to +.Dq IPV4_ADDR_SUBNET , +which can improve interoperability with some IKEv1 implementations. +.Pp +The optional +.Ic port +modifiers restrict the flows to the specified ports. +They are only valid in conjunction with the +.Xr tcp 4 +and +.Xr udp 4 +protocols. +Ports can be specified by number or by name. +For a list of all port name to number mappings used by +.Xr ipsecctl 8 , +see the file +.Pa /etc/services . +.It Ic local Ar localip Ic peer Ar remote +The +.Ic local +parameter specifies the address or FQDN of the local endpoint. +Unless we are multi-homed or have aliases, +this parameter is generally not needed. +This parameter does not affect the set of IP addresses +.Xr isakmpd 8 +will listen on and send packets from. +The +.Em Listen-on +directive in +.Xr isakmpd.conf 5 +should additionally be used to ensure that the local endpoint will +send IKE messages with an appropriate source IP address. +.Pp +The +.Ic peer +parameter specifies the address or FQDN of the remote endpoint. +For host-to-host connections where +.Ar dst +is identical to +.Ar remote , +this option is generally not needed as it will be set to +.Ar dst +automatically. +If it is not specified or if the keyword +.Ar any +is given, the default peer is used. +.It Xo +.Ar mode +.Ic auth Ar algorithm +.Ic enc Ar algorithm +.Ic group Ar group +.Ic lifetime Ar time +.Xc +These parameters define the mode and cryptographic transforms to be +used for the phase 1 negotiation. +During phase 1 +the machines authenticate and set up an encrypted channel. +.Pp +The mode can be either +.Ar main , +which specifies main mode, or +.Ar aggressive , +which specifies aggressive mode. +Possible values for +.Ic auth , +.Ic enc , +and +.Ic group +are described below in +.Sx CRYPTO TRANSFORMS . +.Pp +The +.Ic lifetime +parameter specifies the phase 1 lifetime in seconds. +Two unit specifiers are recognized (ignoring case): +.Ql m +and +.Ql h +for minutes and hours, respectively. +.Pp +If omitted, +.Xr ipsecctl 8 +will use the default values +.Ar main , +.Ar hmac-sha1 , +.Ar aes , +.Ar modp3072 , +and +.Ar 3600 . +.It Xo +.Ic quick auth Ar algorithm +.Ic enc Ar algorithm +.Ic group Ar group +.Ic lifetime Ar time +.Xc +These parameters define the cryptographic transforms to be used for +the phase 2 negotiation. +During phase 2 +the actual IPsec negotiations happen. +.Pp +Possible values for +.Ic auth , +.Ic enc , +and +.Ic group +are described below in +.Sx CRYPTO TRANSFORMS . +Perfect Forward Secrecy (PFS) is enabled unless +.Ic group Ar none +is specified. +.Pp +The +.Ic lifetime +parameter specifies the phase 2 lifetime in seconds. +Two unit specifiers are recognized (ignoring case): +.Ql m +and +.Ql h +for minutes and hours, respectively. +.Pp +If omitted, +.Xr ipsecctl 8 +will use the default values +.Ar hmac-sha2-256 +and +.Ar aes ; +PFS will only be used if the remote side requests it. +The default phase 2 lifetime value is +.Ar 1200 . +.It Ic srcid Ar string Ic dstid Ar string +.Ic srcid +defines an ID of type +.Dq USER_FQDN +or +.Dq FQDN +that will be used by +.Xr isakmpd 8 +as the identity of the local peer. +If the argument is an email address (bob@example.com), +.Xr ipsecctl 8 +will use USER_FQDN as the ID type. +Anything else is considered to be an FQDN. +If +.Ic srcid +is omitted, +the default is to use the IP address of the connecting machine. +.Pp +.Ic dstid +is similar to +.Ic srcid , +but instead specifies the ID to be used +by the remote peer. +.It Ic psk Ar string +Use a pre-shared key +.Ar string +for authentication. +If this option is not specified, +public key authentication is used (see +.Xr isakmpd 8 ) . +.It Ic tag Ar string +Add a +.Xr pf 4 +tag to all packets of phase 2 SAs created for this connection. +This will allow matching packets for this connection by defining +rules in +.Xr pf.conf 5 +using the +.Cm tagged +keyword. +.Pp +The following variables can be used in tags to include information +from the remote peer on runtime: +.Pp +.Bl -tag -width $domain -compact -offset indent +.It Ar $id +The remote phase 1 ID. +It will be expanded to +.Ar id-type/id-value , +e.g.\& +.Ar fqdn/foo.bar.org . +.It Ar $domain +Extract the domain from IDs of type FQDN or UFQDN. +.El +.Pp +For example, if the ID is +.Ar fqdn/foo.bar.org +or +.Ar ufqdn/user@bar.org , +.Dq ipsec-$domain +expands to +.Dq ipsec-bar.org . +The variable expansion for the +.Ar tag +directive occurs only at runtime (not when the file is parsed) +and must be quoted, or it will be interpreted as a macro. +.El +.Sh PACKET FILTERING +IPsec traffic appears unencrypted on the +.Xr enc 4 +interface +and can be filtered accordingly using the +.Ox +packet filter, +.Xr pf 4 . +The grammar for the packet filter is described in +.Xr pf.conf 5 . +.Pp +The following components are relevant to filtering IPsec traffic: +.Bl -ohang -offset indent +.It external interface +Interface for ISAKMP traffic and encapsulated IPsec traffic. +.It proto udp port 500 +ISAKMP traffic on the external interface. +.It proto udp port 4500 +ISAKMP NAT-Traversal traffic on the external interface. +.It proto ah | esp +Encapsulated IPsec traffic +on the external interface. +.It enc0 +Interface for outgoing traffic before it's been encapsulated, +and incoming traffic after it's been decapsulated. +State on this interface should be interface bound; +see +.Xr enc 4 +for further information. +.It proto ipencap +[tunnel mode only] +IP-in-IP traffic flowing between gateways +on the enc0 interface. +.It tagged ipsec-example.org +Match traffic of phase 2 SAs using the +.Ic tag +keyword. +.El +.Pp +If the filtering rules specify to block everything by default, +the following rule +would ensure that IPsec traffic never hits the packet filtering engine, +and is therefore passed: +.Bd -literal -offset indent +set skip on enc0 +.Ed +.Pp +In the following example, all traffic is blocked by default. +IPsec-related traffic from gateways {192.168.3.1, 192.168.3.2} and +networks {10.0.1.0/24, 10.0.2.0/24} is permitted. +.Bd -literal -offset indent +block on sk0 +block on enc0 + +pass in on sk0 proto udp from 192.168.3.2 to 192.168.3.1 \e + port {500, 4500} +pass out on sk0 proto udp from 192.168.3.1 to 192.168.3.2 \e + port {500, 4500} + +pass in on sk0 proto esp from 192.168.3.2 to 192.168.3.1 +pass out on sk0 proto esp from 192.168.3.1 to 192.168.3.2 + +pass in on enc0 proto ipencap from 192.168.3.2 to 192.168.3.1 \e + keep state (if-bound) +pass out on enc0 proto ipencap from 192.168.3.1 to 192.168.3.2 \e + keep state (if-bound) +pass in on enc0 from 10.0.2.0/24 to 10.0.1.0/24 \e + keep state (if-bound) +pass out on enc0 from 10.0.1.0/24 to 10.0.2.0/24 \e + keep state (if-bound) +.Ed +.Pp +.Xr pf 4 +has the ability to filter IPsec-related packets +based on an arbitrary +.Em tag +specified within a ruleset. +The tag is used as an internal marker +which can be used to identify the packets later on. +This could be helpful, +for example, +in scenarios where users are connecting in from differing IP addresses, +or to support queue-based bandwidth control, +since the enc0 interface does not support it. +.Pp +The following +.Xr pf.conf 5 +fragment uses queues for all IPsec traffic with special +handling for developers and employees: +.Bd -literal -offset indent +queue std on sk0 bandwidth 100M +queue deflt parent std bandwidth 10M default +queue developers parent std bandwidth 75M +queue employees parent std bandwidth 5M +queue ipsec parent std bandwidth 10M + +pass out on sk0 proto esp set queue ipsec + +pass out on sk0 tagged ipsec-developers.bar.org set queue developers +pass out on sk0 tagged ipsec-employees.bar.org set queue employees +.Ed +.Pp +The tags will be assigned by the following +.Nm +example: +.Bd -literal -offset indent +ike esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \e + tag "ipsec-$domain" +.Ed +.Sh OUTGOING NETWORK ADDRESS TRANSLATION +In some network topologies it is desirable to perform NAT on traffic leaving +through the VPN tunnel. +In order to achieve that, +the +.Ar src +argument is used to negotiate the desired network ID with the peer +and the +.Ar srcnat +parameter defines the true local subnet, +so that a correct SA can be installed on the local side. +.Pp +For example, +if the local subnet is 192.168.1.0/24 and all the traffic +for a specific VPN peer should appear as coming from 10.10.10.1, +the following configuration is used: +.Bd -literal -offset indent +ike esp from 10.10.10.1 (192.168.1.0/24) to 192.168.2.0/24 \e + peer 10.10.20.1 +.Ed +.Pp +Naturally, +a relevant NAT rule is required in +.Xr pf.conf 5 . +For the example above, +this would be: +.Bd -literal -offset indent +match out on enc0 from 192.168.1.0/24 to 192.168.2.0/24 \e + nat-to 10.10.10.1 +.Ed +.Pp +From the peer's point of view, +the local end of the VPN tunnel is declared to be 10.10.10.1 +and all the traffic arrives with that source address. +.Sh CRYPTO TRANSFORMS +It is very important that keys are not guessable. +One practical way of generating keys is to use +.Xr openssl 1 . +The following generates a 160-bit (20-byte) key: +.Bd -literal -offset indent +$ openssl rand -hex 20 +.Ed +.Pp +The following authentication types are permitted with the +.Ic auth +keyword: +.Bl -column "Authentication" "Key Length" "Description" -offset indent +.It Em "Authentication" Ta Em "Key Length" Ta "" +.It Li hmac-md5 Ta "128 bits" Ta "" +.It Li hmac-ripemd160 Ta "160 bits" Ta "[phase 2 only]" +.It Li hmac-sha1 Ta "160 bits" Ta "" +.It Li hmac-sha2-256 Ta "256 bits" Ta "" +.It Li hmac-sha2-384 Ta "384 bits" Ta "" +.It Li hmac-sha2-512 Ta "512 bits" Ta "" +.El +.Pp +The following cipher types are permitted with the +.Ic enc +keyword: +.Bl -column "chacha20-poly1305" "128-256 bits" "Description" -offset indent +.It Em "Cipher" Ta Em "Key Length" Ta "" +.It Li 3des Ta "168 bits" Ta "" +.It Li aes Ta "128-256 bits" Ta "" +.It Li aes-128 Ta "128 bits" Ta "" +.It Li aes-192 Ta "192 bits" Ta "" +.It Li aes-256 Ta "256 bits" Ta "" +.It Li aesctr Ta "160 bits" Ta "[phase 2 only, IKE only]" +.It Li aes-128-ctr Ta "160 bits" Ta "[phase 2 only, IKE only]" +.It Li aes-192-ctr Ta "224 bits" Ta "[phase 2 only, IKE only]" +.It Li aes-256-ctr Ta "288 bits" Ta "[phase 2 only, IKE only]" +.It Li aes-128-gcm Ta "160 bits" Ta "[phase 2 only, IKE only]" +.It Li aes-192-gcm Ta "224 bits" Ta "[phase 2 only, IKE only]" +.It Li aes-256-gcm Ta "288 bits" Ta "[phase 2 only, IKE only]" +.It Li blowfish Ta "160 bits" Ta "" +.It Li cast128 Ta "128 bits" Ta "" +.It Li chacha20-poly1305 Ta "288 bits" Ta "" +.El +.Pp +The following cipher types provide only authentication, not encryption: +.Bl -column "chacha20-poly1305" "128-256 bits" "Description" -offset indent +.It Li aes-128-gmac Ta "160 bits" Ta "[phase 2 only, IKE only]" +.It Li aes-192-gmac Ta "224 bits" Ta "[phase 2 only, IKE only]" +.It Li aes-256-gmac Ta "288 bits" Ta "[phase 2 only, IKE only]" +.It Li null Ta "(none)" Ta "[phase 2 only]" +.El +.Pp +Transforms followed by +.Bq IKE only +can only be used with the +.Ic ike +keyword; transforms with +.Bq phase 2 only +can only be used with the +.Ic quick +keyword. +.Pp +3DES requires 24 bytes to form its 168-bit key. +This is because the most significant bit of each byte is used for parity. +.Pp +The keysize of AES-CTR can be 128, 192, or 256 bits. +However as well as the key, a 32-bit nonce has to be supplied. +Thus 160, 224, or 288 bits of key material, respectively, have to be supplied. +The same applies to AES-GCM, AES-GMAC and ChaCha20-Poly1305, +however in the latter case the keysize is 256 bits. +.Pp +Using AES-GMAC or NULL with ESP will only provide authentication. +This is useful in setups where AH cannot be used, e.g. when NAT is involved. +.Pp +The following group types are permitted with the +.Ic group +keyword: +.Bl -column "modp1024" "Size" "Description" -offset indent +.It Em Group Ta Em Size Ta "" +.It Li modp768 Ta 768 Ta "[DH group 1]" +.It Li modp1024 Ta 1024 Ta "[DH group 2]" +.It Li modp1536 Ta 1536 Ta "[DH group 5]" +.It Li modp2048 Ta 2048 Ta "[DH group 14]" +.It Li modp3072 Ta 3072 Ta "[DH group 15]" +.It Li modp4096 Ta 4096 Ta "[DH group 16]" +.It Li modp6144 Ta 6144 Ta "[DH group 17]" +.It Li modp8192 Ta 8192 Ta "[DH group 18]" +.It Li ecp256 Ta 256 Ta "[DH group 19]" +.It Li ecp384 Ta 384 Ta "[DH group 20]" +.It Li ecp521 Ta 512 Ta "[DH group 21]" +.It Li ecp224 Ta 224 Ta "[DH group 26]" +.It Li bp224 Ta 224 Ta "[DH group 27]" +.It Li bp256 Ta 256 Ta "[DH group 28]" +.It Li bp384 Ta 384 Ta "[DH group 29]" +.It Li bp512 Ta 512 Ta "[DH group 30]" +.It Li none Ta 0 Ta "[phase 2 only]" +.El +.Sh MANUAL FLOWS +In this scenario, +.Nm +is used to set up flows manually. +IPsec uses flows +to determine whether to apply security services to an IP packet or not. +Some examples of setting up flows: +.Bd -literal -offset 3n +# Set up two flows: +# First between the machines 192.168.3.14 and 192.168.3.100 +# Second between the networks 192.168.7.0/24 and 192.168.8.0/24 +flow esp from 192.168.3.14 to 192.168.3.100 +flow esp from 192.168.7.0/24 to 192.168.8.0/24 peer 192.168.3.12 +.Ed +.Pp +The following types of flow are available: +.Bl -tag -width xxxx +.It Ic flow esp +ESP can provide the following properties: +authentication, integrity, replay protection, and confidentiality of the data. +If no flow type is specified, +this is the default. +.It Ic flow ah +AH provides authentication, integrity, and replay protection, but not +confidentiality. +.It Ic flow ipip +IPIP does not provide authentication, integrity, replay protection, or +confidentiality. +However, it does allow tunnelling of IP traffic over IP, without setting up +.Xr gif 4 +interfaces. +.El +.Pp +The commands are as follows: +.Bl -tag -width xxxx +.It Ic in No or Ic out +This rule applies to incoming or outgoing packets. +If neither +.Ic in +nor +.Ic out +are specified, +.Xr ipsecctl 8 +will assume the direction +.Ic out +for this rule and will construct a proper +.Ic in +rule. +Thus packets in both directions will be matched. +.It Ic proto Ar protocol +The optional +.Ic proto +parameter restricts the flow to a specific IP protocol. +Common protocols are +.Xr icmp 4 , +.Xr tcp 4 , +and +.Xr udp 4 . +For a list of all the protocol name to number mappings used by +.Xr ipsecctl 8 , +see the file +.Pa /etc/protocols . +.It Xo +.Ic from Ar src +.Op Ic port Ar sport +.Ic to Ar dst +.Op Ic port Ar dport +.Xc +This rule applies for packets with source address +.Ar src +and destination address +.Ar dst . +The keyword +.Ar any +will match any address (i.e. 0.0.0.0/0). +The optional +.Ic port +modifiers restrict the flows to the specified ports. +They are only valid in conjunction with the +.Xr tcp 4 +and +.Xr udp 4 +protocols. +Ports can be specified by number or by name. +For a list of all port name to number mappings used by +.Xr ipsecctl 8 , +see the file +.Pa /etc/services . +.It Ic local Ar localip +The +.Ic local +parameter specifies the address or FQDN of the local endpoint of this +flow and can be usually left out. +.It Ic peer Ar remote +The +.Ic peer +parameter specifies the address or FQDN of the remote endpoint of this +flow. +For host-to-host connections where +.Ar dst +is identical to +.Ar remote , +the +.Ic peer +specification can be left out as it will be set to +.Ar dst +automatically. +Only if the keyword +.Ar any +is given is a flow without peer created. +.It Ic type Ar modifier +This optional parameter sets up special flows using modifiers. +By default, +.Xr ipsecctl 8 +will automatically set up normal flows with the corresponding type. +.Ar modifier +may be one of the following: +.Pp +.Bl -tag -width "acquireXX" -offset indent -compact +.It acquire +Use IPsec and establish SAs dynamically. +Unencrypted traffic is permitted until it is protected by IPsec. +.It bypass +Matching packets are not processed by IPsec. +.It deny +Matching packets are dropped. +.It dontacq +Use IPsec. +If no SAs are available, +does not trigger +.Xr isakmpd 8 . +.It require +Use IPsec and establish SAs dynamically. +Unencrypted traffic is not permitted until it is protected by IPsec. +.It use +Use IPsec. +Unencrypted traffic is permitted. +Does not trigger +.Xr isakmpd 8 . +.El +.El +.Sh MANUAL SECURITY ASSOCIATIONS (SAs) +In this scenario, +.Nm +is used to set up SAs manually. +The security parameters for a flow +are stored in the Security Association Database (SADB). +An example of setting up an SA: +.Bd -literal -offset 3n +# Set up an IPsec SA for flows between 192.168.3.14 and 192.168.3.12 +esp from 192.168.3.14 to 192.168.3.12 spi 0xdeadbeef:0xbeefdead \e + authkey file "auth14:auth12" enckey file "enc14:enc12" +.Ed +.Pp +Parameters specify the peers, Security Parameter Index (SPI), +cryptographic transforms, and key material to be used. +The following rules enter SAs in the SADB: +.Pp +.Bl -tag -width "tcpmd5XX" -offset indent -compact +.It Ic esp +Enter an ESP SA. +.It Ic ah +Enter an AH SA. +.It Ic ipcomp +Enter an IPCOMP SA. +.It Ic ipip +Enter an IPIP pseudo SA. +.It Ic tcpmd5 +Enter a TCP MD5 SA. +.El +.Pp +The commands are as follows: +.Bl -tag -width xxxx +.It Ar mode +For ESP and AH +.\".Ic ipcomp +the encapsulation mode can be specified. +Possible modes are +.Ar tunnel +and +.Ar transport . +When left out, +.Ar tunnel +is chosen. +For details on modes see +.Xr ipsec 4 . +.It Ic from Ar src Ic to Ar dst +This SA is for a +.Ar flow +between the peers +.Ar src +and +.Ar dst . +.It Ic spi Ar number +The SPI identifies a specific SA. +.Ar number +is a 32-bit value and needs to be unique. +.It Ic udpencap Op Ic port Ar dport +For NAT-Traversal encapsulate the IPsec traffic in UDP. +The port number of the peer can be set to +.Ar dport . +.It Ic auth Ar algorithm +For ESP and AH +an authentication algorithm can be specified. +Possible values +are described above in +.Sx CRYPTO TRANSFORMS . +.Pp +If no algorithm is specified, +.Xr ipsecctl 8 +will choose +.Ar hmac-sha2-256 +by default. +.It Ic enc Ar algorithm +For ESP +an encryption algorithm can be specified. +Possible values +are described above in +.Sx CRYPTO TRANSFORMS . +.Pp +If no algorithm is specified, +.Xr ipsecctl 8 +will choose +.Ar aes +by default. +.It Ic authkey Ar keyspec +.Ar keyspec +defines the authentication key to be used. +It is either a hexadecimal string or a path to a file containing the key. +The filename may be given as either an absolute path to the file +or a relative pathname, +and is specified as follows: +.Bd -literal -offset indent +authkey file "filename" +.Ed +.It Ic enckey Ar keyspec +The encryption key is defined similarly to +.Ic authkey . +.It Ic bundle Ar identifier +Several SAs can be attached to a single flow. +The cryptographic transforms are applied in order. +The type of the first SA has to match the type of the flow. +All SAs with identical +.Ar src , dst , +and +.Ar identifier +are grouped together. +.It Xo +.Ic tcpmd5 +.Ic from Ar src +.Ic to Ar dst +.Ic spi Ar number +.Ic authkey Ar keyspec +.Xc +TCP MD5 signatures are generally used between BGP daemons, such as +.Xr bgpd 8 . +Since +.Xr bgpd 8 +itself already provides this functionality, +this option is generally not needed. +More information on TCP MD5 signatures can be found in +.Xr tcp 4 , +.Xr bgpd.conf 5 , +and RFC 2385. +.Pp +This rule applies for packets with source address +.Ar src +and destination address +.Ar dst . +The parameter +.Ic spi +is a 32-bit value defining the Security Parameter Index (SPI) for this SA. +The encryption key is defined similarly to +.Ic authkey . +.El +.Pp +Since an SA is directional, a second SA is normally configured in the +reverse direction. +This is done by adding a second, colon-separated, value to +.Ic spi , +.Ic authkey , +and +.Ic enckey . +.Sh FILES +.Bl -tag -width /etc/examples/ipsec.conf -compact +.It Pa /etc/ipsec.conf +.It Pa /etc/examples/ipsec.conf +.El +.Sh SEE ALSO +.Xr openssl 1 , +.Xr enc 4 , +.Xr ipcomp 4 , +.Xr ipsec 4 , +.Xr tcp 4 , +.Xr pf.conf 5 , +.Xr ipsecctl 8 , +.Xr isakmpd 8 +.Sh HISTORY +The +.Nm +file format first appeared in +.Ox 3.8 . diff --git a/static/openbsd/man5/isakmpd.conf.5 b/static/openbsd/man5/isakmpd.conf.5 new file mode 100644 index 00000000..fa56a88c --- /dev/null +++ b/static/openbsd/man5/isakmpd.conf.5 @@ -0,0 +1,1393 @@ +.\" $OpenBSD: isakmpd.conf.5,v 1.140 2025/04/30 03:53:21 tb Exp $ +.\" $EOM: isakmpd.conf.5,v 1.57 2000/12/21 14:43:17 ho Exp $ +.\" +.\" Copyright (c) 1998, 1999, 2000 Niklas Hallqvist. All rights reserved. +.\" Copyright (c) 2000, 2001, 2002 Håkan Olsson. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.\" This code was written under funding by Ericsson Radio Systems. +.\" +.\" Manual page, using -mandoc macros +.\" +.Dd $Mdocdate: April 30 2025 $ +.Dt ISAKMPD.CONF 5 +.Os +.Sh NAME +.Nm isakmpd.conf +.Nd configuration file for isakmpd +.Sh DESCRIPTION +.Nm +is the configuration file for the +.Xr isakmpd 8 +daemon, managing security association and key management for the +IPsec layer of the kernel's networking stack. +.Pp +The file is of a well-known type of format called .INI style, named after +the suffix used by an overrated windowing environment for its configuration +files. +This format consists of sections, each beginning with a line looking like: +.Bd -unfilled +.Bq Sy Section name +.Ed +Between the brackets is the name of the section following this section header. +Inside a section many tag/value pairs can be stored, each one looking like: +.Bd -unfilled +.Ar Tag Ns = Ns Ar Value +.Ed +The current line can be extended over multiple lines using a backslash +.Pq Sq \e . +Comments can be put anywhere in the file using a hash mark +.Pq Sq # , +and extend to the end of the current line. +Care should be taken when commenting out multi-line text: +the comment remains in effect until the end of the entire current line. +.Pp +Often the right-hand side values consist of other section names. +This results in a tree structure. +Some values are treated as a list of several scalar values. +Such lists always use a comma character as the separator. +Some values are formatted like this: X,Y:Z, which +is an offer/accept syntax, where X is a value we offer and Y:Z is a range of +accepted values, inclusive. +.Pp +To activate changes to +.Nm +without restarting +.Xr isakmpd 8 , +send a +.Dv SIGHUP +signal to the daemon process. +.Sh AUTO-GENERATED PARTS OF THE CONFIGURATION +Some predefined section names are recognized by the daemon, avoiding the need +to fully specify the Main Mode transforms and Quick Mode suites, protocols, +and transforms. +.Pp +For Main Mode: +.\" cipher-hash[-group][-RSA_SIG] +.Bl -inset -compact +.It Xo +.Sm off +.Ar cipher No - Ar hash +.Op - Ar group +.Op -RSA_SIG +.Sm on +.Xc +.El +.Pp +where: +.Bl -tag -width "cipher" -offset indent -compact +.It Ar cipher +is either BLF, 3DES, CAST, AES, AES-128, AES-192 or AES-256 +.It Ar hash +is either MD5, SHA, or SHA2-{256,384,512} +.It Ar group +is either GRP1, GRP2, GRP5, GRP14, GRP15, GRP16, GRP17, GRP18, +GRP19, GRP20, GRP21, GRP26, GRP27, GRP28, GRP29 or GRP30. +.El +.Pp +For Quick Mode: +.\" QM-proto[-TRP]-cipher[-hash][-PFS[-group]]-SUITE +.Bl -inset -compact +.It Xo +.Sm off +.No QM- Ar proto Op -TRP +.No - Ar cipher Op - Ar hash +.Op -PFS Op - Ar group +.No -SUITE +.Sm on +.Xc +.El +.Pp +where: +.Bl -tag -width "cipher" -offset indent -compact +.It Ar proto +is either ESP or AH +.It Ar cipher +is either 3DES, CAST, BLF, AES, AES-128, AES-192, AES-256, AESCTR, +AESCTR-128, AESCTR-192, AESCTR-256, +AESGCM-128, AESGCM-192, AESGCM-256, AESGMAC-128, AESGMAC-192, AESGMAC-256 +or NULL +.It Ar hash +is either MD5, SHA, RIPEMD, or SHA2-{256,384,512} +.It Ar group +is either GRP1, GRP2, GRP5, GRP14, GRP15, GRP16, GRP17, GRP18, +GRP19, GRP20, GRP21, GRP26, GRP27, GRP28, GRP29 or GRP30. +.El +.Pp +For example, AES-SHA2-256 means: AES encryption, SHA2-256 hash, and +authorization by pre-shared keys. +Adding "-RSA_SIG" will enable public key authentication, +e.g. AES-SHA2-256-RSA_SIG. +Similarly, QM-ESP-3DES-SHA-PFS-SUITE means: ESP protocol, 3DES encryption, +SHA hash, and use Perfect Forward Secrecy. +.Pp +Unless explicitly stated with -GRP1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, +26, 27, 28, 29 or 30, transforms and PFS suites use DH group 2. +There are currently no predefined ESP+AH Quick Mode suites. +.Pp +The predefinitions include some default values for the special +sections "General", "Keynote", "X509-certificates", and +"Default-phase-1-configuration". +These default values are presented in the example below. +.Pp +All autogenerated values can be overridden by manual entries by using the +same section and tag names in the configuration file. +In particular, the default phase 1 (Main or Aggressive Mode) and phase 2 +(Quick Mode) lifetimes can be overridden by these tags under the "General" +section: +.Bd -literal -offset indent +[General] +Default-phase-1-lifetime= 3600,60:86400 +Default-phase-2-lifetime= 1200,60:86400 +.Ed +.Pp +The Main Mode lifetime currently defaults to one hour (minimum 60 +seconds, maximum 1 day). +The Quick Mode lifetime defaults to 20 minutes +(minimum 60 seconds, maximum 1 day). +.Pp +Also, the default phase 1 ID can be set by creating a +.Aq Sy Phase1-ID +section, as shown below, and adding this tag under the "General" +section: +.Bd -literal -offset indent +[General] +Default-phase-1-ID= Phase1-ID-name + +[Phase1-ID-name] +ID-type= USER_FQDN +Name= foo@bar.com +.Ed +.Sh ROOTS +.Bl -hang -width 8n +.It Bq Sy General +Generic global configuration parameters +.Bl -tag -width Ds +.It Em Acquire-Only +If this tag is defined, +.Xr isakmpd 8 +will not set up flows automatically. +This is useful when flows are configured with +.Xr ipsecctl 8 +or by other programs like +.Xr bgpd 8 . +Thus +.Xr isakmpd 8 +only takes care of the SA establishment. +.It Em Check-interval +The interval between watchdog checks of connections we want up at all +times, in seconds. +The default value is 60 seconds. +.It Em Default-phase-1-ID +Optional default phase 1 ID name. +.It Em Default-phase-1-lifetime +The default lifetime for autogenerated transforms (phase 1). +If unspecified, the value 3600,60:86400 is used as the default. +.It Em Default-phase-2-lifetime +The default lifetime for autogenerated suites (phase 2). +If unspecified, the value 1200,60:86400 is used as the default. +.It Em Default-phase-2-suites +A list of phase 2 suites that will be used when establishing dynamic +SAs. +If left unspecified, QM-ESP-3DES-SHA-PFS-SUITE is used as the default. +.It Em DPD-check-interval +The interval between RFC 3706 (Dead Peer Detection) messages, in seconds. +The default value is 0 (zero), which means DPD is disabled. +.It Em Exchange-max-time +How many seconds should an exchange maximally take to set up before we +give up. +.It Em Listen-on +A list of IP addresses or interface names OK to listen on. +This list is used as a filter for the set of addresses the interfaces +configured provides. +This means that we won't see if an address given here does not exist +on this host, and thus no error is given for that case. +On multi-homed systems, this parameter can be used to enforce the +use of particular source IP addresses in packets sent by +.Xr isakmpd 8 . +.It Em Loglevel +A list of the form +.Ar class Ns = Ns Ar level , +where both +.Ar class +and +.Ar level +are numbers. +This is similar to the +.Fl D +command line switch of +.Xr isakmpd 8 . +.It Em Logverbose +If this tag is defined, whatever the value is, verbose logging is enabled. +This is similar to the +.Fl v +command line switch of +.Xr isakmpd 8 . +.It Em NAT-T-Keepalive +The number of seconds between NAT-T keepalive messages, sent by the +peer behind NAT to keep the mapping active. +Defaults to 20. +.It Em Policy-file +The name of the file that contains +.Xr keynote 4 +policies. +The default is +.Pa /etc/isakmpd/isakmpd.policy . +.It Em Pubkey-directory +The directory in which +.Nm +looks for explicitly trusted public keys. +The default is +.Pa /etc/isakmpd/pubkeys . +Read +.Xr isakmpd 8 +for the required naming convention of the files in here. +.It Em Renegotiate-on-HUP +If this tag is defined, whatever the value is, +.Xr isakmpd 8 +will renegotiate all current phase 2 SAs when the daemon receives a +.Dv SIGHUP +signal, or an +.Sq R +is sent to the FIFO interface (see +.Xr isakmpd 8 ) . +.It Em Retransmits +How many times should a message be retransmitted before giving up. +.It Em Shared-SADB +If this tag is defined, whatever the value is, some semantics of +.Nm +are changed so that multiple instances can run on top of one SADB +and set up SAs with each other. +Specifically this means replay +protection will not be asked for, and errors that can occur when +updating an SA with its parameters a 2nd time will be ignored. +.It Em Use-Keynote +This tag controls the use of +.Xr keynote 4 +policy checking. +The default value is +.Qq yes , +which enables the policy checking. +When set to any other value, policies will not be checked. +This is useful when policies for flows and SA establishment are arranged by +other programs like +.Xr ipsecctl 8 +or +.Xr bgpd 8 . +.El +.It Bq Sy Phase 1 +ISAKMP SA negotiation parameter root +.Bl -tag -width Ds +.It Em Default +A name of the default ISAKMP peer. +Incoming phase 1 connections from other IP addresses will use this peer name. +This name is used as the section name for further information to be found. +Look at +.Aq Sy ISAKMP-peer +below. +.It Aq Em IP-address +A name of the ISAKMP peer at the given IP address. +.El +.It Bq Sy Phase 2 +IPsec SA negotiation parameter root +.Bl -tag -width Ds +.It Em Connections +A list of directed IPsec "connection" names that should be brought up +automatically, either on first use if the system supports it, or at +startup of the daemon. +These names are section names where further information can be found. +Look at +.Aq Sy IPsec-connection +below. +Normally any connections mentioned here are treated as part of the +"Passive-connection" list we present below; however there is a flag, +.Em Active-only , +that disables this behaviour. +This too is mentioned in the +.Aq Sy IPsec-connection +section, in the "Flags" tag. +.It Em Passive-connections +A list of IPsec "connection" names we recognize and accept initiations for. +These names are section names where further information can be found. +Look at +.Aq Sy IPsec-connection +below. +Currently only the Local-ID and Remote-ID tags +are looked at in those sections, as they are matched against the IDs given +by the initiator. +.El +.It Bq Sy KeyNote +KeyNote configuration section +.Bl -tag -width Ds +.It Em Credential-directory +A directory containing directories named after IDs (IP +addresses, +.Dq user@domain , +or hostnames) that contain files named +.Dq credentials +and +.Dq private_key . +.Pp +The credentials file contains +.Xr keynote 4 +credentials that are sent to a remote IKE daemon when we use the +associated ID, or credentials that we may want to consider when doing +an exchange with a remote IKE daemon that uses that ID. +Note that, in the former case, the last credential in the file +MUST contain our public key in its Licensees field. +More than one credentials may exist in the file. +They are separated by whitelines (the format is essentially the same as +that of the policy file). +The credentials are of the same format as the policies described in +.Xr isakmpd.policy 5 . +The only difference is that the Authorizer field contains a public +key, and the assertion is signed. +Signed assertions can be generated using the +.Xr keynote 1 +utility. +.Pp +The private_key file contains the private RSA key we use for +authentication. +If the directory (and the files) exist, they take precedence over X509-based +authentication. +.El +.It Bq Sy X509-Certificates +X509-certificate configuration section +.Bl -tag -width Ds +.It Em Accept-self-signed +If this tag is defined, whatever the value is, certificates that +do not originate from a trusted CA but are self-signed will be +accepted. +.It Em Ca-directory +A directory containing PEM certificates of certification authorities +that we trust to sign other certificates. +Note that for a CA to be really trusted, it needs to be somehow +referred to by policy, in +.Xr isakmpd.policy 5 . +The certificates in this directory are used for the actual X.509 +authentication and for cross-referencing policies that refer to +Distinguished Names (DNs). +Keeping a separate directory (as opposed to integrating policies +and X.509 CA certificates) allows for maintenance of a list of +"well-known" CAs without actually having to trust all (or any) of them. +.It Em Cert-directory +A directory containing PEM certificates that we trust to be valid. +These certificates are used in preference to those passed in messages and +are required to have a subjectAltName extension containing the certificate +holder identity; usually IP address, FQDN, or User FQDN. +.It Em Private-key +The private key matching the public key of our certificate (which should be +in the "Cert-directory", and have an appropriate subjectAltName field). +.It Em Private-key-directory +A directory containing private keys named after an ID (IP addresses, +.Dq user@domain , +or hostnames). +.El +.El +.Sh REFERRED-TO SECTIONS +.Bl -hang -width Ds +.It Aq Sy ISAKMP-peer +Parameters for negotiation with an ISAKMP peer +.Bl -tag -width Ds +.It Em Address +If existent, the IP address of the peer. +.It Em Authentication +If existent, authentication data for this specific peer. +In the case of a pre-shared key, this is the key value itself. +.It Em Configuration +The name of the ISAKMP-configuration section to use. +Look at +.Aq Sy ISAKMP-configuration +below. +If unspecified, defaults to "Default-phase-1-configuration". +.It Em Flags +A comma-separated list of flags controlling the further +handling of the ISAKMP SA. +Currently there are no specific ISAKMP SA flags defined. +.It Em ID +If existent, the name of the section that describes the +local client ID that we should present to our peer. +If not present, it +defaults to the address of the local interface we are sending packets +over to the remote daemon. +Look at +.Aq Sy Phase1-ID +below. +.It Em Local-address +The Local IP address to use, if we are multi-homed, or have aliases. +.It Em Phase +The constant +.Sq 1 , +as ISAKMP-peers and IPsec-connections +really are handled by the same code inside +.Xr isakmpd 8 . +.It Em Port +For UDP, the UDP port number to send to. +This is optional; +the default value is 500 which is the IANA-registered number for ISAKMP. +.It Em Remote-ID +If existent, the name of the section that describes the remote client +ID we expect the remote daemon to send us. +If not present, it defaults to the address of the remote daemon. +Look at +.Aq Sy Phase1-ID +below. +.It Em Transport +The name of the transport protocol; defaults to UDP. +.El +.It Aq Sy Phase1-ID +Parameters for Phase 1 negotiation +.Bl -tag -width Ds +.It Em Address +If the ID-type is +.Li IPV4_ADDR +or +.Li IPV6_ADDR , +this tag should exist and be an IP address. +.It Em ID-type +The ID type as given by the RFC specifications. +For phase 1 this is currently +.Li IPV4_ADDR , +.Li IPV4_ADDR_SUBNET , +.Li IPV6_ADDR , +.Li IPV6_ADDR_SUBNET , +.Li FQDN , +.Li USER_FQDN , +or +.Li KEY_ID . +.It Em Name +If the ID-type is +.Li FQDN , +.Li USER_FQDN , +or +.Li KEY_ID , +this tag should exist and contain a domain name, user@domain, or +other identifying string respectively. +.Pp +In the case of +.Li KEY_ID , +note that the IKE protocol allows any octet sequence to be sent or +received under this payload, potentially including non-printable +ones. +.Xr isakmpd 8 +can only transmit printable +.Li KEY_ID +payloads, but can receive and process arbitrary +.Li KEY_ID +payloads. +This effectively means that non-printable +.Li KEY_ID +remote identities cannot be verified through this means, although it +is still possible to do so through +.Xr isakmpd.policy 5 . +.It Em Netmask +If the ID-type is +.Li IPV4_ADDR_SUBNET +or +.Li IPV6_ADDR_SUBNET , +this tag should exist and +be a network subnet mask. +.It Em Network +If the ID-type is +.Li IPV4_ADDR_SUBNET +or +.Li IPV6_ADDR_SUBNET , +this tag should exist and +be a network address. +.El +.It Aq Sy ISAKMP-configuration +Parameters for ISAKMP configuration +.Bl -tag -width Ds +.It Em DOI +The domain of interpretation as given by the RFCs. +Normally +.Li IPSEC . +If unspecified, defaults to +.Li IPSEC . +.It Em EXCHANGE_TYPE +The exchange type as given by the RFCs. +For main mode this is +.Li ID_PROT +and for aggressive mode it is +.Li AGGRESSIVE . +.It Em Transforms +A list of proposed transforms to use for protecting the +ISAKMP traffic. +These are actually names for sections +further describing the transforms. +Look at +.Aq Sy ISAKMP-transform +below. +.El +.It Aq Sy ISAKMP-transform +Parameters for ISAKMP authentication +.Bl -tag -width Ds +.It Em AUTHENTICATION_METHOD +The authentication method as the RFCs name it, or ANY. +.It Em ENCRYPTION_ALGORITHM +The encryption algorithm as the RFCs name it, or ANY to denote that any +encryption algorithm proposed will be accepted. +.It Em GROUP_DESCRIPTION +The group used for Diffie-Hellman exponentiations, or ANY. +The names are symbolic, like +.Li MODP_768 , MODP_1024 , EC_155 , +and +.Li EC_185 . +.It Em HASH_ALGORITHM +The hash algorithm as the RFCs name it, or ANY. +.It Em KEY_LENGTH +For encryption algorithms with variable key length, this is +where the offered/accepted keylengths are described. +The value is of the offer-accept kind described above. +.It Em Life +A list of lifetime descriptions, or ANY. +In the former case, each +element is in itself a name of the section that defines the lifetime. +Look at +.Aq Sy Lifetime +below. +If it is set to ANY, then any type of +proposed lifetime type and value will be accepted. +.It Em PRF +The algorithm to use for the keyed pseudo-random function (used for key +derivation and authentication in phase 1), or ANY. +.El +.It Aq Sy Lifetime +Parameters for connection duration +.Bl -tag -width Ds +.It Em LIFE_DURATION +An offer/accept kind of value; see above. +Can also be set to ANY. +.It Em LIFE_TYPE +.Li SECONDS +or +.Li KILOBYTES +depending on the type of the duration. +Notice that this field may NOT be set to ANY. +.El +.It Aq Sy IPsec-connection +Parameters for IPsec connection configuration +.Bl -tag -width Ds +.It Em Configuration +The name of the IPsec-configuration section to use. +Look at +.Aq Sy IPsec-configuration +below. +.It Em Flags +A comma-separated list of flags controlling the further +handling of the IPsec SA. +Currently only one flag is defined: +.Bl -tag -width 12n +.It Em Active-only +If this flag is given and this +.Aq Sy IPsec-connection +is part of the phase 2 +connections we automatically keep up, it will not automatically be used for +accepting connections from the peer. +.El +.It Em ISAKMP-peer +The name of the ISAKMP-peer to talk to in order to +set up this connection. +The value is the name of an +.Aq Sy ISAKMP-peer +section. +See above. +.It Em Local-ID +If existent, the name of the section that describes the +optional local client ID that we should present to our peer. +It is also used when we act as responders to find out what +.Aq Sy IPsec-connection +we are dealing with. +Look at +.Aq Sy IPsec-ID +below. +.It Em Phase +The constant +.Sq 2 , +as ISAKMP-peers and IPsec-connections +really are handled by the same code inside +.Xr isakmpd 8 . +.It Em Remote-ID +If existent, the name of the section that describes the +optional remote client ID that we should present to our peer. +It is also used when we act as responders to find out what +.Aq Sy IPsec-connection +we are dealing with. +Look at +.Aq Sy IPsec-ID +below. +.It Em PF-Tag +Add a +.Xr pf 4 +tag to all packets of phase 2 SAs created for this connection. +This will allow matching packets for this connection by defining +rules in +.Xr pf.conf 5 +using the +.Em tagged +keyword. +.Pp +The following variables can be used in tags to include information +from the remote peer on runtime: +.Pp +.Bl -tag -width $domain -compact -offset indent +.It Ar $id +The remote phase 1 ID. +It will be expanded to +.Ar id-type/id-value , +e.g.\& +.Ar fqdn/foo.bar.org . +.It Ar $domain +Extract the domain from IDs of type FQDN or UFQDN. +.El +.Pp +For example, if the ID is +.Ar fqdn/foo.bar.org +or +.Ar ufqdn/user@bar.org , +.Dq PF-Tag=ipsec-$domain +expands to +.Dq ipsec-bar.org . +The variable expansion for the +.Ar PF-Tag +directive occurs only at runtime, not during configuration file parse time. +.It Em Interface +Specify a +.Xr sec 4 +interface minor number that the SAs will be used with. +Configuring +.Ar Interface +also disables the insertion of flows, and instead relies on the +routing of packets over the associated +.Xr sec 4 +interface. +.El +.It Aq Sy IPsec-configuration +Parameters for IPsec configuration +.Bl -tag -width Ds +.It Em DOI +The domain of interpretation as given by the RFCs. +Normally +.Li IPSEC . +If unspecified, defaults to +.Li IPSEC . +.It Em EXCHANGE_TYPE +The exchange type as given by the RFCs. +For quick mode this is +.Li QUICK_MODE . +.It Em Suites +A list of protection suites (bundles of protocols) usable for +protecting the IP traffic. +Each of the list elements is a name of an +.Aq Sy IPsec-suite +section. +See below. +.El +.It Aq Sy IPsec-suite +Parameters for IPsec protection suite configuration +.Bl -tag -width Ds +.It Em Protocols +A list of the protocols included in this protection suite. +Each of the list elements is a name of an +.Aq Sy IPsec-protocol +section. +See below. +.El +.It Aq Sy IPsec-protocol +Parameters for IPsec protocol configuration +.Bl -tag -width Ds +.It Em PROTOCOL_ID +The protocol as given by the RFCs. +Acceptable values are currently +.Li IPSEC_AH +and +.Li IPSEC_ESP . +.It Em ReplayWindow +The size of the window used for replay protection. +This is normally left alone. +Look at the ESP and AH RFCs for a better description. +.It Em Transforms +A list of transforms usable for implementing the protocol. +Each of the list elements is a name of an +.Aq Sy IPsec-transform +section. +See below. +.El +.It Aq Sy IPsec-transform +Parameters for IPsec transform configuration +.Bl -tag -width Ds +.It Em AUTHENTICATION_ALGORITHM +The optional authentication algorithm, or ANY in the case of this +being an ESP transform. +.It Em ENCAPSULATION_MODE +The encapsulation mode as given by the RFCs. +This means TRANSPORT or TUNNEL. +.It Em GROUP_DESCRIPTION +An optional (provides PFS if present) Diffie-Hellman group +description. +The values are the same as those for GROUP_DESCRIPTION in +.Aq Sy ISAKMP-transform +sections shown above. +.It Em KEY_LENGTH +For encryption algorithms with variable key length, this is +where the offered keylength is described. +.It Em Life +List of lifetimes, each element is a +.Aq Sy Lifetime +section name. +.It Em TRANSFORM_ID +The transform ID as given by the RFCs, or ANY to denote that any +transform proposed will be accepted. +.El +.It Aq Sy IPsec-ID +Parameters for IPsec ID configuration +.Bl -tag -width Ds +.It Em Address +If the ID-type is +.Li IPV4_ADDR +or +.Li IPV6_ADDR , +this tag should exist and be an IP address, an interface name, or the +.Em default +keyword. +If an interface is used, the first address of the appropriate +family will be used. +The +.Em default +keyword uses the interface associated with the default route. +In the case of IPv6, link-local addresses will be skipped if +addresses which are not link-local exist. +If the address on the interface changes, +.Xr isakmpd 8 +will not track the change. +The configuration must be reloaded to learn the new address. +.It Em ID-type +The ID type as given by the RFCs. +For IPsec this is currently +.Li IPV4_ADDR , +.Li IPV6_ADDR , +.Li IPV4_ADDR_SUBNET , +or +.Li IPV6_ADDR_SUBNET . +.It Em Netmask +If the ID-type is +.Li IPV4_ADDR_SUBNET +or +.Li IPV6_ADDR_SUBNET , +this tag should exist and +be a network subnet mask or an interface. +When an interface is specified, the netmask is the mask associated with the +.Em Network . +The +.Em default +keyword uses the interface associated with the default route. +.It Em Network +If the ID-type is +.Li IPV4_ADDR_SUBNET +or +.Li IPV6_ADDR_SUBNET , +this tag should exist and be a network address, an interface, or the +.Em default +keyword. +When an interface is specified, the network is selected as with the +.Em Address +tag. +.It Em Port +If the ID-type is +.Li IPV4_ADDR , +.Li IPV4_ADDR_SUBNET , +.Li IPV6_ADDR , +or +.Li IPV6_ADDR_SUBNET , +this tag indicates what source or destination port is allowed to be +transported over the SA (depending on whether this is a local or +remote ID). +If left unspecified, all ports of the given transport protocol +will be transmitted (or permitted) over the SA. +The +.Em Protocol +tag must be specified in conjunction with this tag. +.It Em Protocol +If the ID-type is +.Li IPV4_ADDR , +.Li IPV4_ADDR_SUBNET , +.Li IPV6_ADDR , +or +.Li IPV6_ADDR_SUBNET , +this tag indicates what transport protocol should be transmitted over +the SA. +If left unspecified, all transport protocols between the two address +(ranges) will be sent (or permitted) over that SA. +.El +.El +.Sh OTHER SECTIONS +.Bl -hang -width 8n +.It Aq Sy IKECFG-ID +Parameters to use with IKE mode-config. +One ID per peer. +.Pp +An IKECFG-ID is written as [<ID-type>/<name>]. +The following ID types are supported: +.Pp +.Bl -tag -width "ASN1_DNXX" -offset indent -compact +.It IPv4 +[ipv4/A.B.C.D] +.It IPv6 +[ipv6/abcd:abcd::ab:cd] +.It FQDN +[fqdn/foo.bar.org] +.It UFQDN +[ufqdn/user@foo.bar.org] +.It ASN1_DN +[asn1_dn//C=aa/O=cc/...] (Note the double slashes as the DN itself +starts with a +.Sq / . ) +.El +.Pp +Each section specifies what configuration values to return to the peer +requesting IKE mode-config. +Currently supported values are: +.Pp +.Bl -tag -width "WINS-serverXX" -offset indent -compact +.It Em Address +The peer's network address. +.It Em Netmask +The peer's netmask. +.It Em Nameserver +The IP address of a DNS nameserver. +.It Em WINS-server +The IP address of a WINS server. +.El +.It Aq Sy Initiator-ID +Parameters for peer initiator configuration +.Pp +During phase 1 negotiation +.Xr isakmpd 8 +looks for a pre-shared key in the +.Aq Sy ISAKMP-peer +section. +If no Authentication data is specified in that section, and +.Xr isakmpd 8 +is not the initiator, it looks for Authentication data in a section named after +the initiator's phase 1 ID. +This allows mobile users with dynamic IP addresses +to have different shared secrets. +.Pp +This only works for aggressive mode because in main mode the remote +initiator ID would not yet be known. +Note, however, that use of aggressive mode is discouraged. +See +.Sx CAVEATS , +below. +.Pp +The name of the +.Aq Sy Initiator-ID +section depends on the ID type sent by the initiator. +Currently this can be: +.Pp +.Bl -tag -width "UFQDNXX" -offset indent -compact +.It IPv4 +[A.B.C.D] +.It IPv6 +[abcd:abcd::ab:cd] +.It FQDN +[foo.bar.org] +.It UFQDN +[user@foo.bar.org] +.El +.El +.Sh FILES +.Bl -tag -width /etc/isakmpd/isakmpd.conf +.It Pa /etc/isakmpd/isakmpd.conf +The default +.Xr isakmpd 8 +configuration file. +.El +.Sh EXAMPLES +An example of a configuration file: +.Bd -literal +# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKEv1) daemon. + +[General] +Listen-on= 10.1.0.2 + +# Incoming phase 1 negotiations are multiplexed on the source IP address +[Phase 1] +10.1.0.1= ISAKMP-peer-west + +# These connections are walked over after config file parsing and told +# to the application layer so that it will inform us when traffic wants to +# pass over them. This means we can do on-demand keying. +[Phase 2] +Connections= IPsec-east-west + +# Default values are commented out. +[ISAKMP-peer-west] +Phase= 1 +#Transport= udp +Local-address= 10.1.0.2 +Address= 10.1.0.1 +#Port= isakmp +#Port= 500 +#Configuration= Default-phase-1-configuration +Authentication= mekmitasdigoat +#Flags= + +[IPsec-east-west] +Phase= 2 +ISAKMP-peer= ISAKMP-peer-west +Configuration= Default-quick-mode +Local-ID= Net-east +Remote-ID= Net-west +#Flags= + +[Net-west] +ID-type= IPV4_ADDR_SUBNET +Network= 192.168.1.0 +Netmask= 255.255.255.0 + +[Net-east] +ID-type= IPV4_ADDR_SUBNET +Network= 192.168.2.0 +Netmask= 255.255.255.0 + +# Quick mode descriptions + +[Default-quick-mode] +EXCHANGE_TYPE= QUICK_MODE +Suites= QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-AES-SHA-PFS-SUITE + +# Data for an IKE mode-config peer +[asn1_dn//C=SE/L=SomeCity/O=SomeCompany/CN=SomePeer.company.com] +Address= 192.168.1.123 +Netmask= 255.255.255.0 +Nameserver= 192.168.1.10 +WINS-server= 192.168.1.11 + +# pre-shared key based on initiator's phase 1 ID +[foo.bar.org] +Authentication= mekmitasdigoat + +# +# ##################################################################### +# All configuration data below this point is not required as the example +# uses the predefined Main Mode transform and Quick Mode suite names. +# It is included here for completeness. Note the default values for the +# [General] and [X509-certificates] sections just below. +# ##################################################################### +# + +[General] +Policy-file= /etc/isakmpd/isakmpd.policy +Retransmits= 3 +Exchange-max-time= 120 + +# KeyNote credential storage +[KeyNote] +Credential-directory= /etc/isakmpd/keynote/ + +# Certificates stored in PEM format +[X509-certificates] +CA-directory= /etc/isakmpd/ca/ +Cert-directory= /etc/isakmpd/certs/ +CRL-directory= /etc/isakmpd/crls/ +Private-key= /etc/isakmpd/private/local.key + +# Default phase 1 description (Main Mode) + +[Default-phase-1-configuration] +EXCHANGE_TYPE= ID_PROT +Transforms= 3DES-SHA + +# Main mode transforms +###################### + +# 3DES + +[3DES-SHA] +ENCRYPTION_ALGORITHM= 3DES_CBC +HASH_ALGORITHM= SHA +AUTHENTICATION_METHOD= PRE_SHARED +GROUP_DESCRIPTION= MODP_1024 +Life= LIFE_MAIN_MODE + +# AES + +[AES-SHA] +ENCRYPTION_ALGORITHM= AES_CBC +KEY_LENGTH= 128,128:256 +HASH_ALGORITHM= SHA +AUTHENTICATION_METHOD= PRE_SHARED +GROUP_DESCRIPTION= MODP_1024 +Life= LIFE_MAIN_MODE + +# AES-128 + +[AES-128-SHA] +ENCRYPTION_ALGORITHM= AES_CBC +KEY_LENGTH= 128,128:128 +HASH_ALGORITHM= SHA +AUTHENTICATION_METHOD= PRE_SHARED +GROUP_DESCRIPTION= MODP_1024 +Life= LIFE_MAIN_MODE + +# AES-192 + +[AES-192-SHA] +ENCRYPTION_ALGORITHM= AES_CBC +KEY_LENGTH= 192,192:192 +HASH_ALGORITHM= SHA +AUTHENTICATION_METHOD= PRE_SHARED +GROUP_DESCRIPTION= MODP_1024 +Life= LIFE_MAIN_MODE + +# AES-256 + +[AES-256-SHA] +ENCRYPTION_ALGORITHM= AES_CBC +KEY_LENGTH= 256,256:256 +HASH_ALGORITHM= SHA +AUTHENTICATION_METHOD= PRE_SHARED +GROUP_DESCRIPTION= MODP_1024 +Life= LIFE_MAIN_MODE + +# Blowfish + +[BLF-SHA] +ENCRYPTION_ALGORITHM= BLOWFISH_CBC +KEY_LENGTH= 128,96:192 +HASH_ALGORITHM= SHA +AUTHENTICATION_METHOD= PRE_SHARED +GROUP_DESCRIPTION= MODP_1024 +Life= LIFE_MAIN_MODE + +# Blowfish, using DH group 4 (non-default) +[BLF-SHA-EC185] +ENCRYPTION_ALGORITHM= BLOWFISH_CBC +KEY_LENGTH= 128,96:192 +HASH_ALGORITHM= SHA +AUTHENTICATION_METHOD= PRE_SHARED +GROUP_DESCRIPTION= EC2N_185 +Life= LIFE_MAIN_MODE + +# Quick mode protection suites +############################## + +# 3DES + +[QM-ESP-3DES-SHA-SUITE] +Protocols= QM-ESP-3DES-SHA + +[QM-ESP-3DES-SHA-PFS-SUITE] +Protocols= QM-ESP-3DES-SHA-PFS + +# AES + +[QM-ESP-AES-SHA-SUITE] +Protocols= QM-ESP-AES-SHA + +[QM-ESP-AES-SHA-PFS-SUITE] +Protocols= QM-ESP-AES-SHA-PFS + +# AES-128 + +[QM-ESP-AES-128-SHA-SUITE] +Protocols= QM-ESP-AES-128-SHA + +[QM-ESP-AES-128-SHA-PFS-SUITE] +Protocols= QM-ESP-AES-128-SHA-PFS + +# AES-192 + +[QM-ESP-AES-192-SHA-SUITE] +Protocols= QM-ESP-AES-192-SHA + +[QM-ESP-AES-192-SHA-PFS-SUITE] +Protocols= QM-ESP-AES-192-SHA-PFS + +# AES-256 + +[QM-ESP-AES-256-SHA-SUITE] +Protocols= QM-ESP-AES-256-SHA + +[QM-ESP-AES-256-SHA-PFS-SUITE] +Protocols= QM-ESP-AES-256-SHA-PFS + +# AH + +[QM-AH-MD5-SUITE] +Protocols= QM-AH-MD5 + +[QM-AH-MD5-PFS-SUITE] +Protocols= QM-AH-MD5-PFS + +# AH + ESP (non-default) + +[QM-AH-MD5-ESP-3DES-SHA-SUITE] +Protocols= QM-AH-MD5,QM-ESP-3DES-SHA + +[QM-ESP-3DES-SHA-AH-MD5-SUITE] +Protocols= QM-ESP-3DES-SHA,QM-AH-MD5 + +# Quick mode protocols + +# 3DES + +[QM-ESP-3DES-SHA] +PROTOCOL_ID= IPSEC_ESP +Transforms= QM-ESP-3DES-SHA-XF + +[QM-ESP-3DES-SHA-PFS] +PROTOCOL_ID= IPSEC_ESP +Transforms= QM-ESP-3DES-SHA-PFS-XF + +[QM-ESP-3DES-SHA-TRP] +PROTOCOL_ID= IPSEC_ESP +Transforms= QM-ESP-3DES-SHA-TRP-XF + +# AES + +[QM-ESP-AES-SHA] +PROTOCOL_ID= IPSEC_ESP +Transforms= QM-ESP-AES-SHA-XF + +[QM-ESP-AES-SHA-PFS] +PROTOCOL_ID= IPSEC_ESP +Transforms= QM-ESP-AES-SHA-PFS-XF + +[QM-ESP-AES-SHA-TRP] +PROTOCOL_ID= IPSEC_ESP +Transforms= QM-ESP-AES-SHA-TRP-XF + +# AES-128 + +[QM-ESP-AES-128-SHA] +PROTOCOL_ID= IPSEC_ESP +Transforms= QM-ESP-AES-128-SHA-XF + +[QM-ESP-AES-128-SHA-PFS] +PROTOCOL_ID= IPSEC_ESP +Transforms= QM-ESP-AES-128-SHA-PFS-XF + +[QM-ESP-AES-128-SHA-TRP] +PROTOCOL_ID= IPSEC_ESP +Transforms= QM-ESP-AES-128-SHA-TRP-XF + +# AES-192 + +[QM-ESP-AES-192-SHA] +PROTOCOL_ID= IPSEC_ESP +Transforms= QM-ESP-AES-192-SHA-XF + +[QM-ESP-AES-192-SHA-PFS] +PROTOCOL_ID= IPSEC_ESP +Transforms= QM-ESP-AES-192-SHA-PFS-XF + +[QM-ESP-AES-192-SHA-TRP] +PROTOCOL_ID= IPSEC_ESP +Transforms= QM-ESP-AES-192-SHA-TRP-XF + +# AES-256 + +[QM-ESP-AES-256-SHA] +PROTOCOL_ID= IPSEC_ESP +Transforms= QM-ESP-AES-256-SHA-XF + +[QM-ESP-AES-256-SHA-PFS] +PROTOCOL_ID= IPSEC_ESP +Transforms= QM-ESP-AES-256-SHA-PFS-XF + +[QM-ESP-AES-256-SHA-TRP] +PROTOCOL_ID= IPSEC_ESP +Transforms= QM-ESP-AES-256-SHA-TRP-XF + + +# AH MD5 + +[QM-AH-MD5] +PROTOCOL_ID= IPSEC_AH +Transforms= QM-AH-MD5-XF + +[QM-AH-MD5-PFS] +PROTOCOL_ID= IPSEC_AH +Transforms= QM-AH-MD5-PFS-XF + +# Quick mode transforms + +# 3DES + +[QM-ESP-3DES-SHA-XF] +TRANSFORM_ID= 3DES +ENCAPSULATION_MODE= TUNNEL +AUTHENTICATION_ALGORITHM= HMAC_SHA +Life= LIFE_QUICK_MODE + +[QM-ESP-3DES-SHA-PFS-XF] +TRANSFORM_ID= 3DES +ENCAPSULATION_MODE= TUNNEL +AUTHENTICATION_ALGORITHM= HMAC_SHA +GROUP_DESCRIPTION= MODP_1024 +Life= LIFE_QUICK_MODE + +[QM-ESP-3DES-SHA-TRP-XF] +TRANSFORM_ID= 3DES +ENCAPSULATION_MODE= TRANSPORT +AUTHENTICATION_ALGORITHM= HMAC_SHA +Life= LIFE_QUICK_MODE + +# AES + +[QM-ESP-AES-SHA-XF] +TRANSFORM_ID= AES +ENCAPSULATION_MODE= TUNNEL +AUTHENTICATION_ALGORITHM= HMAC_SHA +KEY_LENGTH= 128 +Life= LIFE_QUICK_MODE + +[QM-ESP-AES-SHA-PFS-XF] +TRANSFORM_ID= AES +ENCAPSULATION_MODE= TUNNEL +AUTHENTICATION_ALGORITHM= HMAC_SHA +GROUP_DESCRIPTION= MODP_1024 +KEY_LENGTH= 128 +Life= LIFE_QUICK_MODE + +[QM-ESP-AES-SHA-TRP-XF] +TRANSFORM_ID= AES +ENCAPSULATION_MODE= TRANSPORT +AUTHENTICATION_ALGORITHM= HMAC_SHA +KEY_LENGTH= 128 +Life= LIFE_QUICK_MODE + +# AES-128 + +[QM-ESP-AES-128-SHA-XF] +TRANSFORM_ID= AES +ENCAPSULATION_MODE= TUNNEL +AUTHENTICATION_ALGORITHM= HMAC_SHA +KEY_LENGTH= 128 +Life= LIFE_QUICK_MODE + +[QM-ESP-AES-128-SHA-PFS-XF] +TRANSFORM_ID= AES +ENCAPSULATION_MODE= TUNNEL +AUTHENTICATION_ALGORITHM= HMAC_SHA +GROUP_DESCRIPTION= MODP_1024 +KEY_LENGTH= 128 +Life= LIFE_QUICK_MODE + +[QM-ESP-AES-128-SHA-TRP-XF] +TRANSFORM_ID= AES +ENCAPSULATION_MODE= TRANSPORT +AUTHENTICATION_ALGORITHM= HMAC_SHA +KEY_LENGTH= 128 +Life= LIFE_QUICK_MODE + +# AES-192 + +[QM-ESP-AES-192-SHA-XF] +TRANSFORM_ID= AES +ENCAPSULATION_MODE= TUNNEL +AUTHENTICATION_ALGORITHM= HMAC_SHA +KEY_LENGTH= 192 +Life= LIFE_QUICK_MODE + +[QM-ESP-AES-192-SHA-PFS-XF] +TRANSFORM_ID= AES +ENCAPSULATION_MODE= TUNNEL +AUTHENTICATION_ALGORITHM= HMAC_SHA +GROUP_DESCRIPTION= MODP_1024 +KEY_LENGTH= 192 +Life= LIFE_QUICK_MODE + +[QM-ESP-AES-192-SHA-TRP-XF] +TRANSFORM_ID= AES +ENCAPSULATION_MODE= TRANSPORT +AUTHENTICATION_ALGORITHM= HMAC_SHA +KEY_LENGTH= 192 +Life= LIFE_QUICK_MODE + +# AES-256 + +[QM-ESP-AES-256-SHA-XF] +TRANSFORM_ID= AES +ENCAPSULATION_MODE= TUNNEL +AUTHENTICATION_ALGORITHM= HMAC_SHA +KEY_LENGTH= 256 +Life= LIFE_QUICK_MODE + +[QM-ESP-AES-256-SHA-PFS-XF] +TRANSFORM_ID= AES +ENCAPSULATION_MODE= TUNNEL +AUTHENTICATION_ALGORITHM= HMAC_SHA +GROUP_DESCRIPTION= MODP_1024 +KEY_LENGTH= 256 +Life= LIFE_QUICK_MODE + +[QM-ESP-AES-256-SHA-TRP-XF] +TRANSFORM_ID= AES +ENCAPSULATION_MODE= TRANSPORT +AUTHENTICATION_ALGORITHM= HMAC_SHA +KEY_LENGTH= 256 +Life= LIFE_QUICK_MODE + + +# AH + +[QM-AH-MD5-XF] +TRANSFORM_ID= MD5 +ENCAPSULATION_MODE= TUNNEL +AUTHENTICATION_ALGORITHM= HMAC_MD5 +Life= LIFE_QUICK_MODE + +[QM-AH-MD5-PFS-XF] +TRANSFORM_ID= MD5 +ENCAPSULATION_MODE= TUNNEL +GROUP_DESCRIPTION= MODP_1024 +Life= LIFE_QUICK_MODE + +[Sample-Life-Time] +LIFE_TYPE= SECONDS +LIFE_DURATION= 3600,1800:7200 + +[Sample-Life-Volume] +LIFE_TYPE= KILOBYTES +LIFE_DURATION= 1000,768:1536 +.Ed +.Sh SEE ALSO +.Xr keynote 1 , +.Xr openssl 1 , +.Xr ipsec 4 , +.Xr keynote 4 , +.Xr isakmpd.policy 5 , +.Xr isakmpd 8 +.Sh CAVEATS +Using aggressive mode is discouraged due to various design problems. +If your peer only supports aggressive mode, consider replacing that +peer with a sane ISAKMP/IKE implementation. +For details see +.Lk http://www.usenix.org/publications/login/1999-12/features/harmful.html . +.Sh BUGS +The RFCs do not permit differing DH groups in the same proposal for +aggressive and quick mode exchanges. +Mixing both PFS and non-PFS suites in a quick mode proposal is not possible, +as PFS implies using a DH group. diff --git a/static/openbsd/man5/isakmpd.policy.5 b/static/openbsd/man5/isakmpd.policy.5 new file mode 100644 index 00000000..0e2e6fc3 --- /dev/null +++ b/static/openbsd/man5/isakmpd.policy.5 @@ -0,0 +1,636 @@ +.\" $OpenBSD: isakmpd.policy.5,v 1.51 2022/02/06 00:29:02 jsg Exp $ +.\" $EOM: isakmpd.policy.5,v 1.24 2000/11/23 12:55:25 niklas Exp $ +.\" +.\" Copyright (c) 1999-2001, Angelos D. Keromytis. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.\" +.\" Manual page, using -mandoc macros +.\" +.Dd $Mdocdate: February 6 2022 $ +.Dt ISAKMPD.POLICY 5 +.Os +.Sh NAME +.Nm isakmpd.policy +.Nd policy configuration file for isakmpd +.Sh DESCRIPTION +.Nm +is the policy configuration file for the +.Xr isakmpd 8 +daemon, managing security association and key management for the +.Xr ipsec 4 +layer of the kernel's networking stack. +The +.Xr isakmpd 8 +daemon, +also known as the IKEv1 key management daemon, +implements the Internet Key Exchange version 1 (IKEv1) protocol. +It follows then that references to IKE in this document +pertain to IKEv1 only, +and not IKEv2. +.Pp +.Xr isakmpd 8 +is used when two +systems need to automatically set up a pair of Security Associations +(SAs) for secure communication using IPsec. +IKEv1 operates in two stages: +.Pp +In the first stage (Main or Identity Protection Mode), the two IKE +daemons establish a secure link between themselves, fully +authenticating each other and establishing key material for +encrypting/authenticating future communications between them. +This step is typically only performed once for every pair of IKE daemons. +.Pp +In the second stage (also called Quick Mode), the two IKE daemons +create the pair of SAs for the parties that wish to communicate using +IPsec. +These parties may be the hosts the IKE daemons run on, a host +and a network behind a firewall, or two networks behind their +respective firewalls. +At this stage, the exact parameters of the SAs +(e.g., algorithms to use, encapsulation mode, lifetime) and the +identities of the communicating parties (hosts, networks, etc.) are +specified. +The reason for the existence of Quick Mode is to allow for fast +SA setup, once the more heavy-weight Main Mode has been completed. +Generally, Quick Mode uses the key material derived from Main Mode to +provide keys to the IPsec transforms to be used. +.Pp +Alternatively, a new +Diffie-Hellman computation may be performed, which significantly slows +down the exchange, but at the same time provides Perfect Forward +Secrecy (PFS). +Briefly, this means that even should an attacker +manage to break long-term keys used in other sessions (or, +specifically, if an attacker breaks the Diffie-Hellman exchange +performed during Main Mode), they will not be able to decrypt this +traffic. +Normally, no PFS is provided (the key material used by the +IPsec SAs established as a result of this exchange will be derived +from the key material of the Main Mode exchange), allowing for a +faster Quick Mode exchange (no public key computations). +.Pp +IKE proposals are "suggestions" by the initiator of an exchange to the +responder as to what protocols and attributes should be used on a +class of packets. +For example, a given exchange may ask for ESP with +3DES and MD5 and AH with SHA1 (applied successively on the same +packet), or just ESP with Blowfish and RIPEMD-160. +The responder +examines the proposals and determines which of them are acceptable, +according to policy and any credentials. +.Pp +The following paragraphs assume some knowledge of the contents of the +.Xr keynote 4 +and +.Xr keynote 5 +man pages. +.Pp +In the KeyNote policy model for IPsec, no distinction is currently +made based on the ordering of AH and ESP in the packet. +Should this +change in the future, an appropriate attribute (see below) will be +added. +.Pp +The goal of security policy for IKE is thus to determine, based on +local policy (provided in the +.Nm +file), credentials provided during the IKE exchanges (or obtained +through other means), the SA attributes proposed during the exchange, +and perhaps other (side-channel) information, whether a pair of SAs +should be installed in the system (in fact, whether both the IPsec SAs +and the flows should be installed). +For each proposal suggested by or +to the remote IKE daemon, the KeyNote system is consulted as to +whether the proposal is acceptable based on local policy (contained in +.Nm , +in the form of policy assertions) and remote credentials (e.g., +KeyNote credentials or X.509 certificates provided by the remote IKE +daemon). +.Pp +.Nm +is simply a flat +.Xr ascii 7 +file containing KeyNote policy assertions, separated by blank lines +(note that KeyNote assertions may not contain blank lines). +.Nm +is read when +.Xr isakmpd 8 +is first started, and every time it receives a +.Dv SIGHUP +signal. +The new policies read will be used for all new Phase 2 (IPsec) +SAs established from that point on (even if the associated Phase 1 SA +was already established when the new policies were loaded). +The policy change will not affect already established Phase 2 SAs. +.Pp +For more details on KeyNote assertion format, see +.Xr keynote 5 . +Briefly, KeyNote policy assertions used in IKE have the following +characteristics: +.Bl -bullet +.It +The Authorizer field is typically "POLICY" (but see the examples +below, for use of policy delegation). +.It +The Licensees field can be an expression of passphrases used for +authentication of the Main Mode exchanges, and/or public keys +(typically, X.509 certificates), and/or X.509 distinguished names. +.It +The Conditions field contains an expression of attributes from the +IPsec policy action set (see below as well as the keynote syntax man +page for more details). +.It +The ordered return-values set for IPsec policy is "false, true". +.El +.Pp +For an explanation of these fields and their semantics, see +.Xr keynote 5 . +.Pp +For example, the following policy assertion: +.Bd -literal + Authorizer: "POLICY" + Licensees: "passphrase:foobar" || "x509-base64:abcd==" || + "passphrase-md5-hex:3858f62230ac3c915f300c664312c63f" || + "passphrase-sha1-hex:8843d7f92416211de9ebb963ff4ce28125932878" + Conditions: app_domain == "IPsec policy" && esp_present == "yes" + && esp_enc_alg != "null" -> "true"; +.Ed +.Pp +says that any proposal from a remote host that authenticates using the +passphrase "foobar" or the public key contained in the X.509 +certificate encoded as "abcd==" will be accepted, as long as it +contains ESP with a non-null algorithm (i.e., the packet will be +encrypted). +The last two authorizers are the MD5 and SHA1 hashes respectively of +the passphrase "foobar". +This form may be used instead of the "passphrase:..." one to protect +the passphrase as included in the policy file (or as distributed in a +signed credential). +.Pp +The following policy assertion: +.Bd -literal + Authorizer: "POLICY" + Licensees: "DN:/CN=CA Certificate" + Conditions: app_domain == "IPsec policy" && esp_present == "yes" + && esp_enc_alg != "null" -> "true"; +.Ed +.Pp +is similar to the previous one, but instead of including a complete +X.509 credential in the Licensees field, only the X.509 certificate's +Subject Canonical Name needs to be specified (note that the "DN:" +prefix is necessary). +.Pp +KeyNote credentials have the same format as policy assertions, with +one difference: the Authorizer field always contains a public key, and +the assertion is signed (and thus its integrity can be +cryptographically verified). +Credentials are used to build chains of delegation of authority. +They can be exchanged during an IKE exchange, +or can be retrieved through some out-of-band mechanism (no such +mechanism is currently supported in this implementation however). +See +.Xr isakmpd.conf 5 +on how to specify what credentials to send in an IKE exchange. +.Pp +Passphrases that appear in the Licensees field are encoded as the +string "passphrase:", followed by the passphrase itself +(case-sensitive). +Alternatively (and preferably), they may be encoded using the +"passphrase-md5-hex:" or "passphrase-sha1-hex:" prefixes, followed +by the +.Xr md5 1 +or +.Xr sha1 1 +hash of the passphrase itself, encoded as a hexadecimal string (using +lower-case letters only). +.Pp +When X.509-based authentication is performed in Main Mode, any X.509 +certificates received from the remote IKE daemon are converted to very +simple KeyNote credentials. +The conversion is straightforward: the +issuer of the X.509 certificate becomes the Authorizer of the KeyNote +credential, the subject becomes the only Licensees entry, while the +Conditions field simply asserts that the credential is only valid for +"IPsec policy" use (see the app_domain action attribute below). +.Pp +Similarly, any X.509 CA certificates present in the directory pointed +to by the appropriate +.Xr isakmpd.conf 5 +entry are converted to such pseudo-credentials. +This allows one to +write KeyNote policies that delegate specific authority to CAs (and +the keys those CAs certify, recursively). +.Pp +For more details on KeyNote assertion format, see +.Xr keynote 5 . +.Pp +Information about the proposals, the identity of the remote IKE +daemon, the packet classes to be protected, etc. are encoded in what +is called an action set. +The action set is composed of name-value +attributes, similar in some ways to shell environment variables. +These values are initialized by +.Xr isakmpd 8 +before each query to the KeyNote system, and can be tested against in +the Conditions field of assertions. +See +.Xr keynote 4 +and +.Xr keynote 5 +for more details on the format and semantics of the Conditions field. +.Pp +Note that assertions and credentials can make references to +non-existent attributes without catastrophic failures (access may be +denied, depending on the overall structure, but will not be +accidentally granted). +One reason for credentials referencing +non-existent attributes is that they were defined within a specific +implementation or network only. +.Pp +In the following attribute set, IPv4 addresses are encoded as ASCII +strings in the usual dotted-quad format. +However, all quads are three digits long. +For example, the IPv4 address 10.128.1.12 would be encoded as 010.128.001.012. +Similarly, IPv6 addresses are encoded in the standard x:x:x:x:x:x:x:x +format, where the 'x's are the hexadecimal values of the eight 16-bit +pieces of the address. +All 'x's are four digits long. +For example, the address 1080:0:12:0:8:800:200C:417A +would be encoded as 1080:0000:0012:0000:0008:0800:200C:417A. +.Pp +The following attributes are currently defined: +.Bl -tag -width Ds +.It ah_auth_alg +One of +.Va hmac-md5 , +.Va hmac-sha , +.Va des-mac , +.Va kpdk , +.Va hmac-sha2-256 , +.Va hmac-sha2-384 , +.Va hmac-sha2-512 , +or +.Va hmac-ripemd . +based on the authentication method specified in the AH proposal. +.It ah_ecn, esp_ecn, comp_ecn +Set to +.Va yes +or +.Va no , +based on whether ECN was requested for the IPsec tunnel. +.It ah_encapsulation, esp_encapsulation, comp_encapsulation +Set to +.Va tunnel +or +.Va transport , +based on the AH, ESP, and compression proposal. +.It ah_group_desc, esp_group_desc, comp_group_desc +The Diffie-Hellman group identifier from the AH, ESP, and compression +proposal, used for PFS during Quick Mode (see the pfs attribute +below). +If more than one of these attributes are set to a value other +than zero, they should have the same value (in valid IKE proposals). +Valid values are 1 (768-bit MODP), 2 (1024-bit MODP), 3 (155-bit EC), +4 (185-bit EC), 5 (1536-bit MODP), 14 (2048-bit MODP), 15 (3072-bit MODP), +16 (4096-bit MODP), 17 (6144-bit MODP), and 18 (8192-bit MODP). +.It ah_hash_alg +One of +.Va md5 , +.Va sha , +.Va ripemd , +.Va sha2-256 , +.Va sha2-384 , +.Va sha2-512 , +or +.Va des , +based on the hash algorithm specified in the AH proposal. +This attribute describes the generic transform to be used in the AH +authentication. +.It ah_key_length, esp_key_length +The number of key bits to be used by the authentication and encryption +algorithms respectively (for variable key-size algorithms). +.It ah_key_rounds, esp_key_rounds +The number of rounds of the authentication and encryption algorithms +respectively (for variable round algorithms). +.It ah_life_kbytes, esp_life_kbytes, comp_life_kbytes +Set to the lifetime of the AH, ESP, and compression proposal, in +kbytes of traffic. +If no lifetime was proposed for the corresponding +protocol (e.g., there was no proposal for AH), the corresponding +attribute will be set to zero. +.It ah_life_seconds, esp_life_seconds, comp_life_seconds +Set to the lifetime of the AH, ESP, and compression proposal, in +seconds. +If no lifetime was proposed for the corresponding protocol +(e.g., there was no proposal for AH), the corresponding attribute will +be set to zero. +.It ah_present, esp_present, comp_present +Set to +.Va yes +if an AH, ESP, or compression proposal was received respectively, +.Va no +otherwise. +.It app_domain +Always set to +.Va IPsec policy . +.It comp_alg +One of +.Va oui +or +.Va deflate , +based on the compression algorithm specified in the compression +proposal. +.It comp_dict_size +Specifies the log2 maximum size of the dictionary, according to the +compression proposal. +.It comp_private_alg +Set to an integer specifying the private algorithm in use, according +to the compression proposal. +.It doi +Always set to +.Va ipsec . +.It esp_auth_alg +One of +.Va hmac-md5 , +.Va hmac-sha , +.Va des-mac , +.Va kpdk , +.Va hmac-sha2-256 , +.Va hmac-sha2-384 , +.Va hmac-sha2-512 , +or +.Va hmac-ripemd +based on the authentication method specified in the ESP proposal. +.It esp_enc_alg +One of +.Va des , +.Va des-iv64 , +.Va 3des , +.Va rc4 , +.Va idea , +.Va cast , +.Va blowfish , +.Va 3idea , +.Va des-iv32 , +.Va rc4 , +.Va null , +or +.Va aes , +based on the encryption algorithm specified in the ESP proposal. +.It GMTTimeOfDay +Set to the UTC date/time, in YYYYMMDDHHmmSS format. +.It initiator +Set to +.Va yes +if the local daemon is initiating the Phase 2 SA, +.Va no +otherwise. +.It local_negotiation_address +Set to the IPv4 or IPv6 address of the local interface used by the local IKE +daemon for this exchange. +.It LocalTimeOfDay +Set to the local date/time, in YYYYMMDDHHmmSS format. +.It pfs +Set to +.Va yes +if a Diffie-Hellman exchange will be performed during this Quick Mode, +.Va no +otherwise. +.It phase_1 +Set to +.Va aggressive +if aggressive mode was used to establish the Phase 1 SA, or +.Va main +if main mode was used instead. +.It phase1_group_desc +The Diffie-Hellman group identifier used in IKE Phase 1. +Takes the same values as +.Va ah_group_desc . +.It remote_filter, local_filter, remote_id +When the corresponding filter_type specifies an address range or +subnet, these are set to the upper and lower part of the address +space separated by a dash ('-') character (if the type specifies a +single address, they are set to that address). +.Pp +For FQDN and User FQDN types, these are set to the respective string. +For Key ID, these are set to the hexadecimal representation of the +associated byte string (lower-case letters used) if the Key ID payload +contains non-printable characters. +Otherwise, they are set to the respective string. +.Pp +For ASN1 DN, these are set to the text encoding of the Distinguished +Name in the payload sent or received. +The format is the same as that used in the Licensees field. +.It remote_filter_addr_lower, local_filter_addr_lower, remote_id_addr_lower +When the corresponding filter_type is +.Va IPv4 address +or +.Va IPv6 address , +these contain the respective address. +For +.Va IPv4 range +or +.Va IPv6 range , +these contain the lower end of the address range. +For +.Va IPv4 subnet +or +.Va IPv6 subnet , +these contain the lowest address in the specified subnet. +.It remote_filter_addr_upper, local_filter_addr_upper, remote_id_addr_upper +When the corresponding filter_type is +.Va IPv4 address +or +.Va IPv6 address , +these contain the respective address. +For +.Va IPv4 range +or +.Va IPv6 range , +they contain the upper end of the address range. +For +.Va IPv4 subnet +or +.Va IPv6 subnet , +they contain the highest address in the specified subnet. +.It remote_filter_port, local_filter_port, remote_id_port +Set to the transport protocol port. +.It remote_filter_proto, local_filter_proto, remote_id_proto +Set to +.Va etherip , +.Va tcp , +.Va udp , +or the transport protocol number, depending on the transport protocol set +in the IDci, IDcr, and Main Mode peer ID respectively. +.It remote_filter_type, local_filter_type, remote_id_type +Set to +.Va IPv4 address , +.Va IPv4 range , +.Va IPv4 subnet , +.Va IPv6 address , +.Va IPv6 range , +.Va IPv6 subnet , +.Va FQDN , +.Va User FQDN , +.Va ASN1 DN , +.Va ASN1 GN , +or +.Va Key ID , +based on the Quick Mode Initiator ID, Quick Mode Responder ID, and +Main Mode peer ID respectively. +.It remote_negotiation_address +Set to the IPv4 or IPv6 address of the remote IKE daemon. +.El +.Sh FILES +.Bl -tag -width /etc/isakmpd/isakmpd.policy +.It Pa /etc/isakmpd/isakmpd.policy +The default +.Xr isakmpd 8 +policy configuration file. +.El +.Sh EXAMPLES +.Bd -literal + Authorizer: "POLICY" + Comment: This bare-bones assertion accepts everything + + + + Authorizer: "POLICY" + Licensees: "passphrase-md5-hex:10838982612aff543e2e62a67c786550" + Comment: This policy accepts anyone using shared-secret + authentication using the password mekmitasdigoat, + and does ESP with some form of encryption (not null). + Conditions: app_domain == "IPsec policy" && + esp_present == "yes" && + esp_enc_alg != "null" -> "true"; + + + + Authorizer: "POLICY" + Licensees: "subpolicy1" || "subpolicy2" + Comment: Delegate to two other sub-policies, so we + can manage our policy better. Since these subpolicies + are not "owned" by a key (and are thus unsigned), they + have to be in isakmpd.policy. + Conditions: app_domain == "IPsec policy"; + + + + KeyNote-Version: 2 + Licensees: "passphrase-md5-hex:9c42a1346e333a770904b2a2b37fa7d3" + Conditions: esp_present == "yes" -> "true"; + Authorizer: "subpolicy1" + + + + Conditions: ah_present == "yes" -> + { + ah_auth_alg == "md5" -> "true"; + ah_auth_alg == "sha" && + esp_present == "no" -> "true"; + }; + Licensees: "passphrase:otherpassword" || + "passphrase-sha1-hex:f5ed6e4abd30c36a89409b5da7ecb542c9fbf00f" + Authorizer: "subpolicy2" + + + + keynote-version: 2 + comment: this is an example of a policy delegating to a CN. + authorizer: "POLICY" + licensees: "DN:/CN=CA Certificate/emailAddress=ca@foo.bar.com" + + + + keynote-version: 2 + comment: This is an example of a policy delegating to a key. + authorizer: "POLICY" + licensees: "x509-base64:MIICGDCCAYGgAwIBAgIBADANBgkqhkiG9w0BAQQ\e + FADBSMQswCQYDVQQGEwJHQjEOMAwGA1UEChMFQmVuQ28xETAPBg\e + NVBAMTCEJlbkNvIENBMSAwHgYJKoZIhvcNAQkBFhFiZW5AYWxnc\e + m91cC5jby51azAeFw05OTEwMTEyMjQ5MzhaFw05OTExMTAyMjQ5\e + MzhaMFIxCzAJBgNVBAYTAkdCMQ4wDAYDVQQKEwVCZW5DbzERMA8\e + GA1UEAxMIQmVuQ28gQ0ExIDAeBgkqhkiG9w0BCQEWEWJlbkBhbG\e + dyb3VwLmNvLnVrMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBg\e + QCxyAte2HEVouXg1Yu+vDihbnjDRn+6k00Rv6cZqbwA3BQ30mC/\e + 3TFJ09VGXCaM0UKfpnxIpkBYLmOA3FWkKI0RvPU7E1AhKkhC1Ds\e + PSBFjYHrB15T5lYzgfwKJCIxTDzZDx2iobUgPa0FRNGVUjpQ4/k\e + MJ2BF4Wh7zY3X08rMzsQIDAQABMA0GCSqGSIb3DQEBBAUAA4GBA\e + DWJ5pbTcE7iKHWLQTMYiz8i9jGi5+Eo1yr1Bab90tgaGQV0zrRH\e + jDHgAAy1h8WSXuyQrXfgbx2rnWFPhx9CfmuAXn7sZmQE3mnUqeP\e + ZL2dW87jdBGqtoUdNcoz5zKBkC943yasNui/O01MiqgadTThTJH\e + d1Pn17LbJC1ZVRNjR5" + conditions: app_domain == "IPsec policy" && doi == "ipsec" && + pfs == "yes" && esp_present == "yes" && ah_present == "no" && + (esp_enc_alg == "3des" || esp_enc_alg == "aes") -> "true"; + + + + keynote-version: 2 + comment: This is an example of a credential, the signature does + not really verify (although the keys are real). + licensees: "x509-base64:MIICGDCCAYGgAwIBAgIBADANBgkqhkiG9w0BAQQ\e + FADBSMQswCQYDVQQGEwJHQjEOMAwGA1UEChMFQmVuQ28xETAPBg\e + NVBAMTCEJlbkNvIENBMSAwHgYJKoZIhvcNAQkBFhFiZW5AYWxnc\e + m91cC5jby51azAeFw05OTEwMTEyMzA2MjJaFw05OTExMTAyMzA2\e + MjJaMFIxCzAJBgNVBAYTAkdCMQ4wDAYDVQQKEwVCZW5DbzERMA8\e + GA1UEAxMIQmVuQ28gQ0ExIDAeBgkqhkiG9w0BCQEWEWJlbkBhbG\e + dyb3VwLmNvLnVrMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBg\e + QDaCs+JAB6YRKAVkoi1NkOpE1V3syApjBj0Ahjq5HqYAACo1JhM\e + +QsPwuSWCNhBT51HX6G6UzfY3mOUz/vou6MJ/wor8EdeTX4nucx\e + NSz/r6XI262aXezAp+GdBviuJZx3Q67ON/IWYrB4QtvihI4bMn5\e + E55nF6TKtUMJTdATvs/wIDAQABMA0GCSqGSIb3DQEBBAUAA4GBA\e + MaQOSkaiR8id0h6Zo0VSB4HpBnjpWqz1jNG8N4RPN0W8muRA2b9\e + 85GNP1bkC3fK1ZPpFTB0A76lLn11CfhAf/gV1iz3ELlUHo5J8nx\e + Pu6XfsGJm3HsXJOuvOog8Aean4ODo4KInuAsnbLzpGl0d+Jqa5u\e + TZUxsyg4QOBwYEU92H" + authorizer: "x509-base64:MIICGDCCAYGgAwIBAgIBADANBgkqhkiG9w0BAQQ\e + FADBSMQswCQYDVQQGEwJHQjEOMAwGA1UEChMFQmVuQ28xETAPBg\e + NVBAMTCEJlbkNvIENBMSAwHgYJKoZIhvcNAQkBFhFiZW5AYWxnc\e + m91cC5jby51azAeFw05OTEwMTEyMjQ5MzhaFw05OTExMTAyMjQ5\e + MzhaMFIxCzAJBgNVBAYTAkdCMQ4wDAYDVQQKEwVCZW5DbzERMA8\e + GA1UEAxMIQmVuQ28gQ0ExIDAeBgkqhkiG9w0BCQEWEWJlbkBhbG\e + dyb3VwLmNvLnVrMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBg\e + QCxyAte2HEVouXg1Yu+vDihbnjDRn+6k00Rv6cZqbwA3BQ30mC/\e + 3TFJ09VGXCaM0UKfpnxIpkBYLmOA3FWkKI0RvPU7E1AhKkhC1Ds\e + PSBFjYHrB15T5lYzgfwKJCIxTDzZDx2iobUgPa0FRNGVUjpQ4/k\e + MJ2BF4Wh7zY3X08rMzsQIDAQABMA0GCSqGSIb3DQEBBAUAA4GBA\e + DWJ5pbTcE7iKHWLQTMYiz8i9jGi5+Eo1yr1Bab90tgaGQV0zrRH\e + jDHgAAy1h8WSXuyQrXfgbx2rnWFPhx9CfmuAXn7sZmQE3mnUqeP\e + ZL2dW87jdBGqtoUdNcoz5zKBkC943yasNui/O01MiqgadTThTJH\e + d1Pn17LbJC1ZVRNjR5" +conditions: app_domain == "IPsec policy" && doi == "ipsec" && + pfs == "yes" && esp_present == "yes" && ah_present == "no" && + (esp_enc_alg == "3des" || esp_enc_alg == "aes") -> "true"; +Signature: "sig-x509-sha1-base64:ql+vrUxv14DcBOQHR2jsbXayq6T\e + mmtMiUB745a8rjwSrQwh+KIVDlUrghPnqhSIkWSDi9oWWMbfg\e + mkdudZ0wjgeTLMI2NI4GibMMsToakOKMex/0q4cpdpln3DKcQ\e + IcjzRv4khDws69FT3QfELjcpShvbLrXmh1Z00OFmxjyqDw=" +.Ed +.Sh SEE ALSO +.Xr ipsec 4 , +.Xr keynote 4 , +.Xr keynote 5 , +.Xr isakmpd 8 +.Sh BUGS +A more sane way of expressing IPv6 address ranges is needed. diff --git a/static/openbsd/man5/iscsi.conf.5 b/static/openbsd/man5/iscsi.conf.5 new file mode 100644 index 00000000..105d83c1 --- /dev/null +++ b/static/openbsd/man5/iscsi.conf.5 @@ -0,0 +1,214 @@ +.\" $OpenBSD: iscsi.conf.5,v 1.8 2026/01/18 16:38:02 schwarze Exp $ +.\" +.\" Copyright (c) 2012 Claudio Jeker <claudio@openbsd.org> +.\" Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> +.\" Copyright (c) 2002 Daniel Hartmeier <dhartmei@openbsd.org> +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: January 18 2026 $ +.Dt ISCSI.CONF 5 +.Os +.Sh NAME +.Nm iscsi.conf +.Nd ISCSI daemon configuration file +.Sh DESCRIPTION +The +.Xr iscsid 8 +daemon implements the Internet Small Computer Systems Interface as described +in RFC 3720. +.Pp +The +.Nm +configuration file is divided into the following main sections: +.Bl -tag -width xxxx +.It Sx Macros +Definitions of variables that can be used later, simplifying the +configuration file. +.It Sx Global configuration +Global settings for +.Xr iscsid 8 . +.It Sx Target configuration +Target-specific parameters. +.El +.Pp +With the exception of macros, +the sections should be grouped and appear in +.Nm +in the order shown above. +.Pp +The current line can be extended over multiple lines using a backslash +.Pq Sq \e . +Comments can be put anywhere in the file using a hash mark +.Pq Sq # , +and extend to the end of the current line. +Care should be taken when commenting out multi-line text: +the comment is effective until the end of the entire block. +.Pp +Arguments not beginning with a letter, digit, or underscore +must be quoted. +.Pp +Additional configuration files can be included with the +.Ic include +keyword, for example: +.Bd -literal -offset indent +include "/etc/iscsi-target.conf" +.Ed +.Ss Macros +A macro is defined with a command of the form +.Ar name Ns = Ns Ar value . +The macro +.Ar name +can contain letters, digits, and underscores and cannot be a reserved word +(for example, +.Ic target +or +.Ic port ) . +Within unquoted arguments, the string +.Pf $ Ar name +is later expanded to +.Ar value . +.Pp +For example: +.Bd -literal -offset indent +target1="1.2.3.4" +target "disk1" { + targetaddr $target1 +} +.Ed +.Ss Global configuration +There are a few settings that affect the operation of the +.Xr iscsid 8 +daemon globally. +.Pp +.Bl -tag -width Ds -compact +.It Xo +.Ic isid +.Pq Ic oui Ns | Ns Ic en Ns | Ns Ic rand +.Ar base qual +.Xc +The Initiator Session ID +.Ic isid +specifies the initiator part of the Session Identifier. +It is set during startup of +.Xr iscsid 8 +and is used for session reinstatement. +By default a random +.Ic isid +is generated on startup. +The random +.Ic rand +form has a 24-bit random number as +.Ar base +and a 16-bit +.Ar qual +qualifier. +The +.Ic oui +format uses a 22-bit +.Ar base +OUI and a 24-bit +.Ar qual +qualifier. +The IANA enterprise number format +.Ic en +uses the 24-bit enterprise number in +.Ar base +and a 16-bit +.Ar qual +qualifier. +.El +.Ss Target configuration +.Xr iscsid 8 +establishes TCP connections to iSCSI targets. +Each target is specified by a +.Em target +section, which allows properties to be set specifically for that target: +.Bd -literal -offset indent +target disk1 { + targetaddr 10.0.0.2 + targetname "iqn.1994-04.org.netbsd.iscsi-target:target:0" +} +.Ed +.Pp +There are several target properties: +.Bl -tag -width Ds +.It Op Ic disabled Ns | Ns Ic enabled +No session will be established to the target if +.Ic disabled +is set. +The default value is +.Ic enabled . +.It Op Ic discovery Ns | Ns Ic normal +Define the type of session that will be established. +It is possible to initiate a special +.Ic discovery +session to a target to enumerate the available volumes. +.It Xo +.Ic initiatoraddr Ar addr +.Op Ic inet Ns | Ns Ic inet6 +.Xc +When +.Xr iscsid 8 +initiates the TCP connection to the target system, it normally does not +bind to a specific IP address and port. +If an +.Ic initiatoraddr +is given, +it binds to this address first. +.It Ic initiatorname Ar string +Specify the +.Ic initiatorname +used to connect to the remote target. +The +.Ic initiatorname +can be used to restrict access to a target. +If not given, +.Xr iscsid 8 +will use +.Em iqn.1995-11.org.openbsd.iscsid +as default. +.It Xo +.Ic targetaddr Ar addr +.Op Ic inet Ns | Ns Ic inet6 +.Op Ic port Ar num +.Xc +Define the target IP address which +.Xr iscsid 8 +should connect to. +By default port 3260 will be used. +.It Ic targetname Ar string +The +.Ic targetname +specifies which LUN or disk should be requested by +.Xr iscsid 8 . +It is possible to enumerate remote systems with a +.Ic discovery +session. +.El +.Sh FILES +.Bl -tag -width "/etc/iscsi.confXXX" -compact +.It Pa /etc/iscsi.conf +.Xr iscsid 8 +configuration file. +.El +.Sh SEE ALSO +.Xr tcp 4 , +.Xr iscsictl 8 , +.Xr iscsid 8 , +.Xr rc.conf.local 8 +.Sh HISTORY +The +.Nm +file format first appeared in +.Ox 4.9 . diff --git a/static/openbsd/man5/keynote.5 b/static/openbsd/man5/keynote.5 new file mode 100644 index 00000000..dbbdfc3a --- /dev/null +++ b/static/openbsd/man5/keynote.5 @@ -0,0 +1,697 @@ +.\" $OpenBSD: keynote.5,v 1.26 2022/02/18 10:24:32 jsg Exp $ +.\" +.\" The author of this code is Angelos D. Keromytis (angelos@dsl.cis.upenn.edu) +.\" +.\" This code was written by Angelos D. Keromytis in Philadelphia, PA, USA, +.\" in April-May 1998 +.\" +.\" Copyright (C) 1998, 1999 by Angelos D. Keromytis. +.\" +.\" Permission to use, copy, and modify this software with or without fee +.\" is hereby granted, provided that this entire notice is included in +.\" all copies of any software which is or includes a copy or +.\" modification of this software. +.\" You may use this code under the GNU public license if you so wish. Please +.\" contribute changes back to the author. +.\" +.\" THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR +.\" IMPLIED WARRANTY. IN PARTICULAR, THE AUTHORS MAKES NO +.\" REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE +.\" MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR +.\" PURPOSE. +.\" +.Dd $Mdocdate: February 18 2022 $ +.Dt KEYNOTE 5 +.\" .TH KeyNote 5 local +.Os +.Sh NAME +.Nm keynote +.Nd assertion format +.Sh SYNOPSIS +.Bd -literal +KeyNote-Version: 2 +Local-Constants: <assignments> +Authorizer: <public key or tag> +Licensees: <public key or tag expression> +Comment: <comment text> +Conditions: <logic predicates> +Signature: <public key signature> +.Ed +.Sh DESCRIPTION +For more details on +.Nm keynote , +see RFC 2704. +.Pp +KeyNote assertions are divided into sections, called +.Sq fields , +that serve various semantic functions. +Each field starts with an +identifying label at the beginning of a line, followed by the +.Qq \&: +character and the field's contents. +There can be at most one field per line. +.Pp +A field may be continued over more than one line by indenting +subsequent lines with at least one ASCII SPACE or TAB character. +Whitespace (a SPACE, TAB, or NEWLINE character) separates tokens but +is otherwise ignored outside of quoted strings. +Comments with a leading octothorp character ('#') may begin in any column. +.Pp +One mandatory field is required in all assertions: Authorizer. +.Pp +Six optional fields may also appear: Comment, Conditions, +KeyNote-Version, Licensees, Local-Constants, Signature. +.Pp +All field names are case-insensitive. +The +.Qq KeyNote-Version +field, if present, appears first. +The +.Qq Signature +field, if present, appears last. +Otherwise, fields may appear in any order. +Each field may appear at most once in any assertion. +.Pp +Blank lines are not permitted in assertions. +Multiple assertions +stored in a file (e.g., in application policy configurations), +therefore, can be separated from one another unambiguously by the use +of blank lines between them. +.Sh COMMENTS +The octothorp character +.Pf ( Sq # , +ASCII 35 decimal) can be used to +introduce comments. +Outside of quoted strings, all characters from the +.Qq # +character through the end of the current line are ignored. +However, commented text is included in the computation of assertion +signatures. +.Sh STRINGS +A +.Sq string +is a lexical object containing a sequence of characters. +Strings may contain any non-NUL characters, including newlines and +nonprintable characters. +Strings may be given as literals, computed from complex expressions, +or dereferenced from attribute names. +.Sh STRING LITERALS +A string literal directly represents the value of a string. +String literals must be quoted by preceding and following them with the +double-quote character (ASCII 34 decimal). +.Pp +A printable character may be +.Sq escaped +inside a quoted string literal by preceding it with the backslash +character (ASCII 92 decimal) e.g., +.Qo like \& +.No \e Ns Qo this Ns \e +.Qc . +.\".Pf { Qo mike Ns Qc 12 +.Qc . +This permits the inclusion of the double-quote and backslash characters +inside string literals. +.Pp +A similar escape mechanism is also used to represent non-printable +characters. +.Qq \en +represents the newline character (ASCII character 10 +decimal), +.Qq \er +represents the carriage-return character (ASCII +character 13 decimal), +.Qq \et +represents the tab character (ASCII character 9 decimal), and +.Qq \ef +represents the form-feed character (ASCII character 12 decimal). +A backslash character followed by a newline suppresses all subsequent +whitespace (including the newline) up to the next non-whitespace character +(this allows the continuation of long string constants across lines). +Un-escaped newline and return characters are illegal inside string literals. +.Pp +The constructs +.Qq \e0o , +.Qq \e0oo , +and +.Qq \eooo +(where o represents any octal digit) may be used to represent any non-NUL +ASCII characters with their corresponding octal values (thus, +.Qq \e012 +is the same as +.Qq \en , +.Qq \e101 +is +.Qq A , +and +.Qq \e377 +is the ASCII character 255 decimal). +However, the NUL character cannot be encoded in this manner; +.Qq \e0 , +.Qq \e00 , +and +.Qq \e000 +are converted to the strings +.Qq 0 , +.Qq 00 , +and +.Qq 000 +respectively. +Similarly, all other escaped characters have the +leading backslash removed (e.g., +.Qq \ea +becomes +.Qq a , +and +.Qq \e\e +becomes +.Qq \e ) . +The following four strings are equivalent: +.Bd -literal + "this string contains a newline\en followed by one space." + "this string contains a newline\en \e + followed by one space." + "this str\e + ing contains a \e + newline\en followed by one space." + "this string contains a newline\e012\e040followed by one space." +.Ed +.Sh STRING EXPRESSIONS +In general, anywhere a quoted string literal is allowed, a +.Sq string expression +can be used. +A string expression constructs a string from string constants, +dereferenced attributes (described below), and a string concatenation +operator. +String expressions may be parenthesized. +.Bd -literal + <StrEx>:: <StrEx> "." <StrEx> /* String concatenation */ + | <StringLiteral> /* Quoted string */ + | "(" <StrEx> ")" + | <DerefAttribute> + | "$" <StrEx> ; +.Ed +.Pp +The +.Qq $ +operator has higher precedence than the +.Qq .\& +operator. +.Sh DEREFERENCED ATTRIBUTES +Action attributes provide the primary mechanism for applications to +pass information to assertions. +Attribute names are strings from a +limited character set (see below), and attribute values are +represented internally as strings. +An attribute is dereferenced simply by using its name. +In general, KeyNote allows the use of an attribute anywhere a string literal +is permitted. +.Pp +Attributes are dereferenced as strings by default. +When required, +dereferenced attributes can be converted to integers or floating point +numbers with the type conversion operators +.Qq @ +and +.Qq & . +Thus, an attribute named +.Qq foo +having the value +.Qq 1.2 +may be interpreted as the string +.Qq 1.2 +(foo), the integer value 1 (@foo), or the floating point +value 1.2 (&foo). +.Pp +Attributes converted to integer and floating point numbers are +represented according to the ANSI C +.Sq long +and +.Sq float +types, respectively. +In particular, integers range from -2147483648 to 2147483647, whilst floats +range from 1.17549435E-38F to 3.40282347E+38F. +.Pp +Any uninitialized attribute has the empty-string value when +dereferenced as a string and the value zero when dereferenced as an +integer or float. +.Pp +Attribute names may be given literally or calculated from string +expressions and may be recursively dereferenced. +In the simplest case, +an attribute is dereferenced simply by using its name outside of +quotes; e.g., the string value of the attribute named +.Qq foo +is by reference to +.Sq foo +(outside of quotes). +The +.Qo $ Ns Ao StrEx +.Ac +.Qc +construct dereferences the attribute named in the string expression +.Aq StrEx . +For example, if the attribute named +.Qq foo +contains the string +.Qq bar , +the attribute named +.Qq bar +contains the string +.Qq xyz , +and the attribute +.Qq xyz +contains the string +.Qq qua , +the following string comparisons are all true: +.Bd -literal + foo == "bar" + $("foo") == "bar" + $foo == "xyz" + $(foo) == "xyz" + $$foo == "qua" +.Ed +.Pp +If +.Aq StrEx +evaluates to an invalid or uninitialized attribute name, its value is +considered to be the empty string (or zero if used as a numeric). +.Pp +The +.Aq DerefAttribute +token is defined as: +.Bd -literal + <DerefAttribute>:: <AttributeID> ; + <AttributeID>:: {Any string starting with a-z, A-Z, or the + underscore character, followed by any number of + a-z, A-Z, 0-9, or underscore characters} ; +.Ed +.Sh PRINCIPAL IDENTIFIERS +Principals are represented as ASCII strings called +.Sq Principal Identifiers . +Principal Identifiers may be arbitrary labels whose structure is not +interpreted by the KeyNote system or they may encode cryptographic keys +that are used by KeyNote for credential signature verification. +.Bd -literal + <PrincipalIdentifier>:: <OpaqueID> + | <KeyID> ; +.Ed +.Sh OPAQUE PRINCIPAL IDENTIFIERS +Principal Identifiers that are used by KeyNote only as labels are +said to be +.Sq opaque . +Opaque identifiers are encoded in assertions as strings (as defined above): +.Pp +.Dl <OpaqueID>:: <StrEx>\ \&; +.Pp +Opaque identifier strings should not contain the +.Qq \&: +character. +.Sh CRYPTOGRAPHIC PRINCIPAL IDENTIFIERS +Principal Identifiers that are used by KeyNote as keys, e.g., to +verify credential signatures, are said to be +.Sq cryptographic . +Cryptographic identifiers are also lexically encoded as strings: +.Pp +.Dl <KeyID>:: <StrEx>\ \&; +.Pp +Unlike Opaque Identifiers, however, Cryptographic Identifier strings +have a special form. +To be interpreted by KeyNote (for signature +verification), an identifier string should be of the form: +.Pp +.Dl <IDString>:: <ALGORITHM>":"<ENCODEDBITS>\ \&; +.Pp +.Qq ALGORITHM +is an ASCII substring that describes the algorithms to be +used in interpreting the key's bits. +The ALGORITHM identifies the major cryptographic algorithm (e.g., RSA +.Bq RSA78 , +DSA +.Bq DSA94 , +etc.), +structured format (e.g., PKCS1 +.Bq PKCS1 ) , +and key bit encoding (e.g., HEX or BASE64). +By convention, the ALGORITHM +substring starts with an alphabetic character and can contain letters, +digits, underscores, or dashes i.e., it should match the regular expression +.Qq Bo a-zA-Z Bc Ns Bo a-zA-Z0-9_- Bc Ns * . +The IANA (or some other appropriate authority) will provide a registry of +reserved algorithm identifiers. +.Pp +.Qq ENCODEDBITS +is a substring of characters representing the key's bits, the encoding and +format of which depends on the ALGORITHM. +By convention, hexadecimal encoded keys use lower-case ASCII characters. +.Pp +Cryptographic Principal Identifiers are converted to a normalized +canonical form for the purposes of any internal comparisons between +them; see RFC 2704 for more details. +.Sh KEYNOTE-VERSION FIELD +The KeyNote-Version field identifies the version of the KeyNote +assertion language under which the assertion was written. +The KeyNote-Version field is of the form: +.Bd -literal + <VersionField>:: "KeyNote-Version:" <VersionString> ; + <VersionString>:: <StringLiteral> + | <IntegerLiteral> ; +.Ed +.Pp +.Aq VersionString +is an ASCII-encoded string. +Assertions in production versions of KeyNote use decimal digits in the version +representing the version number of the KeyNote language under which they are +to be interpreted. +Assertions written to conform with this document should be identified with the +version string +.Qq 2 +(or the integer 2). +The KeyNote-Version field, if included, should appear first. +.Sh LOCAL-CONSTANTS FIELD +This field adds or overrides action attributes in the current +assertion only. +This mechanism allows the use of short names for (frequently lengthy) +cryptographic principal identifiers, especially to make the Licensees field +more readable. +The Local-Constants field is of the form: +.Bd -literal + <LocalConstantsField>:: "Local-Constants:" <Assignments> ; + <Assignments>:: /* can be empty */ + | <AttributeID> "=" <StringLiteral> <Assignments> ; +.Ed +.Pp +.Aq AttributeID +is an attribute name from the action attribute namespace. +The name is available for use as an attribute in any subsequent field. +If the Local-Constants field defines more than one identifier, it can occupy +more than one line and be indented. +.Aq StringLiteral +is a string literal as described previously. +Attributes defined in the Local-Constants field override any attributes with +the same name passed in with the action attribute set. +.Pp +An attribute may be initialized at most once in the Local-Constants field. +If an attribute is initialized more than once in an assertion, the entire +assertion is considered invalid and is not considered by the KeyNote +compliance checker in evaluating queries. +.Sh AUTHORIZER FIELD +The Authorizer identifies the Principal issuing the assertion. +This field is of the form: +.Bd -literal + <AuthField>:: "Authorizer:" <AuthID> ; + <AuthID>:: <PrincipalIdentifier> + | <DerefAttribute> ; +.Ed +.Pp +The Principal Identifier may be given directly or by reference to the +attribute namespace. +.Sh LICENSEES FIELD +The Licensees field identifies the principals authorized by the +assertion. +More than one principal can be authorized, and authorization can be +distributed across several principals through the use of +.Sq and +and threshold constructs. +This field is of the form: +.Bd -literal + <LicenseesField>:: "Licensees:" <LicenseesExpr> ; + + <LicenseesExpr>:: /* can be empty */ + | <PrincExpr> ; + + <PrincExpr>:: "(" <PrincExpr> ")" + | <PrincExpr> "&&" <PrincExpr> + | <PrincExpr> "||" <PrincExpr> + | <K>"-of(" <PrincList> ")" /* Threshold */ + | <PrincipalIdentifier> + | <DerefAttribute> ; + + <PrincList>:: <PrincipalIdentifier> + | <DerefAttribute> + | <PrincList> "," <PrincList> ; + + <K>:: {Decimal number starting with a digit from 1 to 9} ; +.Ed +.Pp +The +.Qq && +operator has higher precedence than the +.Qq || +operator. +.Aq K +is an ASCII-encoded positive decimal integer. +If a +.Aq PrincList +contains fewer than +.Aq K +principals, the entire assertion is omitted from processing. +.Sh CONDITIONS FIELD +This field gives the +.Sq conditions +under which the Authorizer trusts the Licensees to perform an action. +.Sq Conditions +are predicates that operate on the action attribute set. +The Conditions field is of the form: +.Bd -literal + <ConditionsField>:: "Conditions:" <ConditionsProgram> ; + + <ConditionsProgram>:: /* Can be empty */ + | <Clause> ";" <ConditionsProgram> ; + + <Clause>:: <Test> "->" "{" <ConditionsProgram> "}" + | <Test> "->" <Value> + | <Test> ; + + <Value>:: <StrEx> ; + + <Test>:: <RelExpr> ; + + <RelExpr>:: "(" <RelExpr> ")" /* Parentheses */ + | <RelExpr> "&&" <RelExpr> /* Logical AND */ + | <RelExpr> "||" <RelExpr> /* Logical OR */ + | "!" <RelExpr> /* Logical NOT */ + | <IntRelExpr> + | <FloatRelExpr> + | <StringRelExpr> + | "true" /* case insensitive */ + | "false" ; /* case insensitive */ + + <IntRelExpr>:: <IntEx> "==" <IntEx> + | <IntEx> "!=" <IntEx> + | <IntEx> "<" <IntEx> + | <IntEx> ">" <IntEx> + | <IntEx> "<=" <IntEx> + | <IntEx> ">=" <IntEx> ; + + <FloatRelExpr>:: <FloatEx> "<" <FloatEx> + | <FloatEx> ">" <FloatEx> + | <FloatEx> "<=" <FloatEx> + | <FloatEx> ">=" <FloatEx> ; + + <StringRelExpr>:: <StrEx> "==" <StrEx> /* String equality */ + | <StrEx> "!=" <StrEx> /* String inequality */ + | <StrEx> "<" <StrEx> /* Alphanum. comparisons */ + | <StrEx> ">" <StrEx> + | <StrEx> "<=" <StrEx> + | <StrEx> ">=" <StrEx> + | <StrEx> "~=" <RegExpr> ; /* Reg. expr. matching */ + + <IntEx>:: <IntEx> "+" <IntEx> /* Integer */ + | <IntEx> "-" <IntEx> + | <IntEx> "*" <IntEx> + | <IntEx> "/" <IntEx> + | <IntEx> "%" <IntEx> + | <IntEx> "^" <IntEx> /* Exponentiation */ + | "-" <IntEx> + | "(" <IntEx> ")" + | <IntegerLiteral> + | "@" <StrEx> ; + + <FloatEx>:: <FloatEx> "+" <FloatEx> /* Floating point */ + | <FloatEx> "-" <FloatEx> + | <FloatEx> "*" <FloatEx> + | <FloatEx> "/" <FloatEx> + | <FloatEx> "^" <FloatEx> /* Exponentiation */ + | "-" <FloatEx> + | "(" <FloatEx> ")" + | <FloatLiteral> + | "&" <StrEx> ; + + <IntegerLiteral>:: {Decimal number of at least one digit} ; + <FloatLiteral>:: <IntegerLiteral>"."<IntegerLiteral> ; + + <StringLiteral> is a quoted string as defined in previously + <AttributeID> is defined previously. +.Ed +.Pp +The operation precedence classes are (from highest to lowest): +.Bd -literal + { (, ) } + {unary -, @, &, $} + {^} + {*, /, %} + {+, -, .} +.Ed +.Pp +Operators in the same precedence class are evaluated left-to-right. +.Pp +Note the inability to test for floating point equality, as most +floating point implementations (hardware or otherwise) do not +guarantee accurate equality testing. +.Pp +Also note that integer and floating point expressions can only be used +within clauses of condition fields, but in no other KeyNote field. +.Pp +The keywords +.Qq true +and +.Qq false +are not reserved; they can be used as attribute or principal identifier +names (although this practice makes assertions difficult to understand +and is discouraged). +.Pp +.Aq RegExpr +is a standard regular expression, conforming to the +.St -p1003.2 +regular expression syntax and semantics (see +.Xr regex 3 ) . +.Pp +Any string expression (or attribute) containing the ASCII +representation of a numeric value can be converted to an integer or +float with the use of the +.Qq @ +and +.Qq & +operators, respectively. +Any fractional component of an attribute value dereferenced as an integer +is rounded down. +If an attribute dereferenced as a number cannot be properly converted +(e.g., it contains invalid characters or is empty) its value is considered +to be zero. +.Sh COMMENT FIELD +The Comment field allows assertions to be annotated with information +describing their purpose. +It is of the form: +.Pp +.Dl <CommentField>:: \&"Comment:\&" <text>\ \&; +.Pp +No interpretation of the contents of this field is performed by +KeyNote. +Note that this is one of two mechanisms for including +comments in KeyNote assertions; comments can also be inserted anywhere +in an assertion's body by preceding them with the +.Qq # +character (except inside string literals). +.Sh SIGNATURE FIELD +The Signature field identifies a signed assertion and gives the +encoded digital signature of the principal identified in the +Authorizer field. +The Signature field is of the form: +.Bd -literal + <SignatureField>:: "Signature:" <Signature> ; + <Signature>:: <StrEx> ; +.Ed +.Pp +The <Signature> string should be of the form: +.Pp +.Dl <IDString>:: <ALGORITHM>":"<ENCODEDBITS>\ \&; +.Pp +The formats of the +.Qq ALGORITHM +and +.Qq ENCODEDBITS +substrings are as described for Cryptographic Principal Identifiers. +The algorithm name should be the same as that of the principal appearing +in the Authorizer field. +The IANA (or some other suitable authority) will provide a registry of +reserved names. +It is not necessary that the encodings of the signature and the authorizer +key be the same. +.Pp +If the signature field is included, the principal named in the +Authorizer field must be a Cryptographic Principal Identifier, the +algorithm must be known to the KeyNote implementation, and the +signature must be correct for the assertion body and authorizer key. +.Pp +The signature is computed over the assertion text, beginning with the +first field (including the field identifier string), up to (but not +including) the Signature field identifier. +The newline preceding the signature field identifier is the last character +included in signature calculation. +The signature is always the last field in a KeyNote assertion. +Text following this field is not considered part of the assertion. +.Sh EXAMPLES +Note that the keys and signatures in these examples are fictional, and +generally much shorter than would be required for real security, in +the interest of readability. +.Bd -literal + Authorizer: "POLICY" + Licensees: "RSA:abc123" + + KeyNote-Version: 2 + Local-Constants: Alice="DSA:4401ff92" # Alice's key + Bob="RSA:d1234f" # Bob's key + Authorizer: "RSA:abc123" + Licensees: Alice || Bob + Conditions: (app_domain == "RFC822-EMAIL") && + (address ~= # only applies to one domain + "^.*@keynote\e.research\e.att\e.com$") -> + "true"; + Signature: "RSA-SHA1:213354f9" + + KeyNote-Version: 2 + Authorizer: "DSA:4401ff92" # the Alice CA + Licensees: "DSA:12340987" # mab's key + Conditions: ((app_domain == "RFC822-EMAIL") -> { + (name == "M. Blaze" || name == "") && + (address == + "mab@keynote.research.att.com")); + (name == "anonymous") -> "logandaccept"; + } + + Signature: "DSA-SHA1:ab23487" + + KeyNote-Version: "2" + Authorizer: "DSA:4401ff92" # the Alice CA + Licensees: "DSA:abc991" || # jf's DSA key + "RSA:cde773" || # jf's RSA key + "BFIK:fd091a" # jf's BFIK key + Conditions: ((app_domain == "RFC822-EMAIL") && + (name == "J. Feigenbaum" || name == "") && + (address == "jf@keynote.research.att.com")); + Signature: "DSA-SHA1:8912aa" +.Ed +.Sh SEE ALSO +.Xr keynote 1 , +.Xr keynote 3 , +.Xr keynote 4 +.Rs +.%A M. Blaze +.%A J. Feigenbaum +.%A J. Lacy +.%D 1996 +.%J IEEE Symposium on Security and Privacy +.%T Decentralized Trust Management +.Re +.Rs +.%A M. Blaze +.%A J. Feigenbaum +.%A M. Strauss +.%D 1998 +.%J Financial Crypto Conference +.%T Compliance-Checking in the PolicyMaker Trust Management System +.Re +.Sh STANDARDS +.Rs +.%A M. Blaze +.%A J. Feigenbaum +.%A J. Ioannidis +.%A A. Keromytis +.%D September 1999 +.%R RFC 2704 +.%T The KeyNote Trust-Management System Version 2 +.Re +.Sh AUTHORS +.An Angelos D. Keromytis Aq Mt angelos@cs.columbia.edu +.Sh WEB PAGE +.Lk https://www1.cs.columbia.edu/~angelos/keynote.html diff --git a/static/openbsd/man5/ldapd.conf.5 b/static/openbsd/man5/ldapd.conf.5 new file mode 100644 index 00000000..6b4d0db5 --- /dev/null +++ b/static/openbsd/man5/ldapd.conf.5 @@ -0,0 +1,372 @@ +.\" $OpenBSD: ldapd.conf.5,v 1.30 2026/01/18 16:38:02 schwarze Exp $ +.\" +.\" Copyright (c) 2009, 2010 Martin Hedenfalk <martin@bzero.se> +.\" Copyright (c) 2008 Janne Johansson <jj@openbsd.org> +.\" Copyright (c) 2009 Jacek Masiulaniec <jacekm@dobremiasto.net> +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.\" +.Dd $Mdocdate: January 18 2026 $ +.Dt LDAPD.CONF 5 +.Os +.Sh NAME +.Nm ldapd.conf +.Nd LDAP daemon configuration file +.Sh DESCRIPTION +.Nm +is the configuration file for the LDAP daemon +.Xr ldapd 8 . +.Pp +The current line can be extended over multiple lines using a backslash +.Pq Sq \e . +Comments can be put anywhere in the file using a hash mark +.Pq Sq # , +and extend to the end of the current line. +Care should be taken when commenting out multi-line text: +the comment is effective until the end of the entire block. +.Pp +Arguments not beginning with a letter, digit, or underscore +must be quoted. +Arguments containing whitespace should be surrounded by double quotes +.Pq \&" . +.Pp +A macro is defined with a command of the form +.Ar name Ns = Ns Ar value . +The macro +.Ar name +can contain letters, digits, and underscores and cannot be a reserved word +(for example, +.Ar listen , +.Ar namespace , +or +.Ar port ) . +Within unquoted arguments, the string +.Pf $ Ar name +is later expanded to +.Ar value . +.Pp +For example: +.Bd -literal -offset indent +wan_if = "fxp0" +listen on $wan_if +listen on $wan_if tls +.Ed +.Pp +Additional configuration files can be included with the +.Ic include +keyword, for example: +.Bd -literal -offset indent +include "/etc/ldap/sub.namespace.conf" +.Ed +.Pp +Additional schema files can be included with the +.Ic schema +keyword, for example: +.Bd -literal -offset indent +schema "/etc/ldap/inetorgperson.schema" +.Ed +.Pp +The syntax of +.Nm +is described below. +.Sh GLOBAL CONFIGURATION +.Bl -tag -width Ds +.It Xo +.Ic listen on Ar interface +.Op Ic port Ar port +.Op Ic legacy +.Op Ic tls | ldaps | secure +.Op Ic certificate Ar name +.Xc +Specify an +.Ar interface +and +.Ar port +to listen on. +An IP address, domain name or absolute path may be used in place of +.Ar interface . +An absolute path is used to listen on a unix domain socket. +.Pp +Secured connections are provided either using STARTTLS +.Pq Ic tls , +by default on port 389, +or LDAPS +.Pq Ic ldaps , +by default on port 636. +.Ic tls +and +.Ic ldaps +connections will use the defaults from libtls. +If compatibility with the insecure TLSv1.0 and TLSv1.1 +protocols and ciphers is required, +they can be enabled with the +.Ic legacy +keyword. +Creation of certificates is documented in +.Xr starttls 8 . +If no certificate +.Ar name +is specified, the +.Pa /etc/ldap/certs +directory is searched for a file named by joining +the interface name with a .crt extension, e.g.\& +.Pa /etc/ldap/certs/fxp0.crt . +.Pp +If the certificate name is an absolute path, a .crt and .key extension +are appended to form the certificate path and key path respectively. +.Pp +Only secured connections accept plain text password authentication. +Connections using TLS or unix domain sockets are always considered secured. +The +.Ic secure +keyword can be used to mark an otherwise insecure connection +secured, e.g. if IPsec is used. +.It referral Ar URL +Specify a default referral. +If no namespace matches the base DN in a request, the request is +delegated to another LDAP server instead of returning an error. +.Pp +This option can be given multiple times, in which case the URLs are +considered equal. +Clients may choose to follow any of the referral URLs. +.Pp +The URL has the following format: +.Bd -literal -offset indent +ldap://ldap.example.com +ldaps://ldap.example.com:3890 +.Ed +.It rootdn Ar dn +Specify the distinguished name of the root user for all namespaces. +The root user is always allowed to read and write entries in all +local namespaces. +.It rootpw Ar password +Password for the root user. +Specified either in plain text, or in hashed format. +See AUTHENTICATION in +.Xr ldapd 8 . +.It schema Ar filename +Add schema definitions from the specified file. +For a description of the schema file syntax see +.Sx SCHEMA +below. +.El +.Sh NAMESPACES +A namespace is a subtree of the global X.500 DIT (Directory Information Tree), +also known as a naming context. +All entries' distinguished names (DN) have the same suffix, which is used to +identify the namespace. +The suffix should consist of the domain components, in reverse order, of your +domain name, as recommended by RFC 2247. +.Bd -literal -offset indent +namespace "dc=example,dc=com" { + rootdn "cn=admin,dc=example,dc=com" + rootpw "secret" +} +.Ed +.Pp +When matching requests against namespace suffixes, the most specific +match is used. +Each namespace stores data in a separate database file. +.Pp +A namespace has the following configuration properties: +.Bl -tag -width Ds +.It referral Ar URL +Specify a referral to return for requests matching the suffix. +.It rootdn Ar dn +Specify the distinguished name of the root user for the namespace. +The root user is always allowed to read and write entries in the namespace. +The distinguished name must have the same suffix as the namespace. +.It rootpw Ar password +Password for the root user. +Specified either in plain text, or in hashed format. +See AUTHENTICATION in +.Xr ldapd 8 . +.It index Ar attribute +Maintain an index on the specified attribute. +This index can be used for equality, presence, prefix substring and range searches. +.Xr ldapd 8 +will update the index on each modification. +If you add an index to an existing namespace, you need to run +.Xr ldapctl 8 +to index the existing entries. +.It fsync Ar on | off +If +.Ar off , +data will not be forced to disk after each commit. +Disabling fsync can increase write speed substantially, but may lead to data +loss. +The default value is on. +.It cache-size Ar size +Set the cache size for data entries. +The +.Ar size +is specified in number of pages. +Note that more than the configured number of pages may exist in the cache, as +dirty pages and pages referenced by cursors are excluded from cache expiration. +.Pp +Cached pages are expired in a least recently used (LRU) order. +.It index-cache-size Ar size +Set the cache size for the index database. +.It relax schema +Disables checking of required and optional object attributes against schema. +All attributes and values are matched as case-insensitive strings. +All attributes are considered multi-valued. +.It strict schema +Enables checking of required and optional object attributes against schema. +This is the default. +.It Ic allow | deny +Allow or deny access to parts of the namespace. +.Pp +Each request to the +.Xr ldapd 8 +daemon evaluates the filter rules in sequential order, from first to last. +The last matching rule decides what action is taken. +If no rule matches the request, the default action is to allow the request. +The root DN is always allowed to perform any request. +.Pp +The allow/deny statement operates on all access types by default. +This can be restricted by an access type specification: +.Bl -tag -width Ds +.It read access +Restricts the filter rule to search operations. +.It write access +Restricts the filter rule to add, delete and modify operations. +.It bind access +Restricts the filter rule to bind operations. +.El +.Pp +The scope of the filter rule can be restricted by the +.Em to +keyword: +.Bl -tag -width Ds +.It to subtree Ar DN +The filter rule applies to the distinguished name, +as well as for all its descendants. +.It to children of Ar DN +The filter rule applies to all the direct children of the distinguished name. +.It to Ar DN +The filter rule applies to the distinguished name only. +.It to any +The filter rule applies to any distinguished name in the namespace. +This is the default if no scope is specified. +.It to root +The filter rule applies to the root DSE. +.El +.Pp +The scope can be restricted to an optional attribute: +.Bl -tag -width Ds +.It attribute Ar name +The filter rule applies to the specified attribute. +.El +.Pp +Finally, the filter rule can match a bind DN: +.Bl -tag -width Ds +.It by any +The filter rule matches by any bind dn, including anonymous binds. +.It by Ar DN +The filter rule matches only if the requestor has previously performed +a bind as the specified distinguished name. +.It by self +The filter rule matches only if the requestor has previously performed +a bind as the distinguished name that is being requested. +Typically used to allow users to modify their own data. +.El +.It use compression Op level Ar level +Enable compression of entries and optionally specify compression level (0 - 9). +By default, no compression is used. +.El +.Sh SCHEMA +Schema files define the structure and format of entries in the directory tree. +There are three types of definitions in a schema file: +.Bl -tag -width Ds +.It attributetype +.Po +.Ar oid +.Op NAME name +.Op DESC description +.Op OBSOLETE +.Op SUP oid +.Op EQUALITY oid +.Op ORDERING oid +.Op SUBSTR oid +.Op SYNTAX oid +.Op SINGLE-VALUE +.Op COLLECTIVE +.Op NO-USER-MODIFICATION +.Op USAGE Brq userApplications | directoryOperation | distributedOperation | dSAOperation +.Pc +.Pp +An attribute type definition specifies the syntax of attribute values, whether +it allows multiple values and how it can be compared in search requests. +For a complete description of attribute type definitions, see section +4.1.2 in RFC 4512. +.It objectclass +.Po +.Ar oid +.Op NAME name +.Op DESC description +.Op OBSOLETE +.Op SUP oids +.Op Brq ABSTRACT | STRUCTURAL | AUXILIARY +.Op MUST oids +.Op MAY oids +.Pc +.Pp +An object class definition specifies which attributes are required +and which are allowed. +For a complete description of object class definitions, see section +4.1.1 in RFC 4512. +.It objectidentifier Ar symbolic-name Ar OID +Defines a symbolic name for the object identifier. +A symbolic name can be used in place of a numeric OID in definitions +of attribute types, object classes and other symbolic OIDs. +A descendant OID can be defined in terms of another symbolic OID by appending +a numeric OID after a colon, for example: +.Bd -literal -offset indent +objectidentifier MyOidRoot 1.2.3.4 +objectidentifier MyOidAttributes MyOidRoot:5.6 +objectidentifier MyOidObjects MyOidRoot:7 +.Ed +.Pp +This would define MyOidAttributes as a symbolic name for the OID +1.2.3.4.5.6, and MyOidObjects for 1.2.3.4.7. +.El +.Sh FILES +.Bl -tag -width /etc/examples/ldapd.conf -compact +.It Pa /etc/ldapd.conf +Default +.Xr ldapd 8 +configuration file. +.It Pa /etc/examples/ldapd.conf +Example configuration file. +.It Pa /etc/ldap/*.schema +Default schema definition files. +.It Pa /etc/ldap/certs/ +Default directory for TLS certificates. +.El +.Sh SEE ALSO +.Xr ldapctl 8 , +.Xr ldapd 8 +.Sh STANDARDS +.Rs +.%A K. Zeilenga +.%D June 2006 +.%R RFC 4512 +.%T Lightweight Directory Access Protocol (LDAP): Directory Information Models +.Re +.Sh HISTORY +The +.Nm +file format first appeared in +.Ox 4.8 . diff --git a/static/openbsd/man5/ldom.conf.5 b/static/openbsd/man5/ldom.conf.5 new file mode 100644 index 00000000..46825b60 --- /dev/null +++ b/static/openbsd/man5/ldom.conf.5 @@ -0,0 +1,167 @@ +.\" $OpenBSD: ldom.conf.5,v 1.18 2022/10/06 21:35:52 kn Exp $ +.\" +.\" Copyright (c) 2012 Mark Kettenis <kettenis@openbsd.org> +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: October 6 2022 $ +.Dt LDOM.CONF 5 sparc64 +.Os +.Sh NAME +.Nm ldom.conf +.Nd Logical Domain configuration +.Sh DESCRIPTION +.Nm +is the configuration file to configure logical domains. +.Pp +Domains are defined in the following format: +.Bl -tag -width Ds +.It Ic domain Ar name Brq ... +Declare a scope for resources assigned to the specified domain. +The scope must be opened and closed with curly braces and contains +one or more of the following keywords, each on a separate line. +A scope with +.Ar name +.Dq primary +configures resources for the primary domain. +If no configuration for the primary domain exists, it is assigned +all CPU and memory resources not used by any guest domains. +.It Ic vcpu Ar number Ns Op : Ns Ar stride +Declare the number of virtual CPUs assigned to a domain. +Optionally a stride can be specified to allocate +.Ar stride +VCPUs at a time but assign only +.Ar number +VCPUs to the domain. +This can be used to distribute virtual CPUs over the available CPU cores. +.It Ic memory Ar bytes +Declare the amount of memory assigned to a domain, in bytes. +.Ar bytes +can be specified with a human-readable scale, using the format described in +.Xr scan_scaled 3 , +e.g. 512M. +.It Ic iodevice Ar device +Assign the specified PCIe device to the guest domain. +.Ar device +may be either a device path +.Pq Pa /@400/@2/@0/@8 +or a pseudonym +.Pq Pa /SYS/MB/PCIE0 . +This keyword can be used multiple times. +.It Ic variable Ar name Ns = Ns Ar value +Set the specified NVRAM variable for the domain. +See +.Xr eeprom 8 +for a list of OpenPROM variables. +This keyword can be used multiple times. +.It Ic vdisk Ar file Op Ar keyword Ns = Ns Ar value ... +The specified file is used to back a virtual disk of the guest +domain. +.Ar file +can be a block device node or a disk image file created with the +.Cm create-vdisk +command. +This keyword can be used multiple times. +Unless +.Ar boot-device +is set with the +.Cm variable +command, the first disk will be the default boot device. +Valid options are: +.Bl -tag -width Ds +.It Ic devalias Ns = Ns Ar name +Alias the virtual disk as +.Ar name . +.El +.It Ic vnet Op Ar keyword Ns = Ns Ar value ... +Assign a +.Xr vnet 4 +network interface to the guest domain. +This keyword can be used multiple times. +Valid options are: +.Bl -tag -width Ds +.It Ic mac-addr Ns = Ns Ar address +Configure the MAC address of the interface. +.It Ic mtu Ns = Ns Ar number +Configure the MTU of the interface. +.It Ic devalias Ns = Ns Ar name +Alias the interface as +.Ar name . +.El +.El +.Sh EXAMPLES +Define a domain with 12 virtual cores, 4GB memory, two file based virtual disks +and one virtual network interface: +.Bd -literal -offset indent +domain "puffy" { + vcpu 12 + memory 4G + vdisk "/home/puffy/vdisk0" + vdisk "/home/puffy/vdisk1" + vnet +} +.Ed +.Pp +Define another one with slightly less resources: +.Bd -literal -offset indent +domain "salmah" { + vcpu 8 + memory 2G + vdisk "/home/salmah/vdisk0" + vdisk "/home/salmah/vdisk1" + vnet +} +.Ed +.Pp +On a machine with 32 cores and 64GB physical memory, this leaves 12 cores and +58GB memory to the primary domain. +.Pp +Use a +.Ar stride +step size to distribute VCPUs: +.Bd -literal -offset indent +domain "marlus" { + vcpu 2:4 + memory 4G + vdisk "/home/marlus/vdisk0" +} +.Ed +.Pp +On a machine with eight threads per physical core, this allocates two strides +of four VCPUs each for the guest domain but assigns only two VCPUs to it, i.e.\& +makes it occupy an entire physical core while running on two threads only. +.Sh SEE ALSO +.Xr eeprom 8 , +.Xr ldomctl 8 , +.Xr ldomd 8 +.Sh BUGS +The hypervisor requires a machine dependent amount of physical memory that is +reserved automatically. +Although the Physical Resource Inventory +.Pq PRI +seems to account for this by presenting less available memory, using the entire +amount via +.Ic memory +is not always successful, e.g. the hypervisor would reject the configuration and +fallback to +.Dq factory-default +upon resetting the machine. +.Pp +If in doubt, assign +.Ic memory +to the +.Dq primary +.Ic domain +explicitly, +such that enough memory remains unused for the hypervisor to reserve. +On T4 based machines, 1024 megabytes has proven to suffice. diff --git a/static/openbsd/man5/ldpd.conf.5 b/static/openbsd/man5/ldpd.conf.5 new file mode 100644 index 00000000..3665960a --- /dev/null +++ b/static/openbsd/man5/ldpd.conf.5 @@ -0,0 +1,407 @@ +.\" $OpenBSD: ldpd.conf.5,v 1.45 2026/01/18 16:38:02 schwarze Exp $ +.\" +.\" Copyright (c) 2013, 2016 Renato Westphal <renato@openbsd.org> +.\" Copyright (c) 2009 Michele Marchetto <michele@openbsd.org> +.\" Copyright (c) 2005, 2006 Esben Norby <norby@openbsd.org> +.\" Copyright (c) 2004 Claudio Jeker <claudio@openbsd.org> +.\" Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> +.\" Copyright (c) 2002 Daniel Hartmeier <dhartmei@openbsd.org> +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: January 18 2026 $ +.Dt LDPD.CONF 5 +.Os +.Sh NAME +.Nm ldpd.conf +.Nd LDP routing daemon configuration file +.Sh DESCRIPTION +The +.Xr ldpd 8 +daemon implements the Label Distribution Protocol as described in RFC 5036. +.Pp +The +.Nm +config file is divided into the following main sections: +.Bl -tag -width xxxx +.It Sx Macros +Definitions of variables that can be used later, simplifying the +configuration file. +.It Sx Global configuration +Global settings for +.Xr ldpd 8 . +.It Sx Address-family configuration +Address-family specific parameters. +.It Sx Interfaces configuration +Interface-specific parameters. +.It Sx Targeted neighbors configuration +Targeted neighbor specific parameters. +.It Sx Neighbors configuration +Neighbor-specific parameters. +.It Sx Layer 2 VPNs configuration +Layer 2 VPNs parameters as per RFC 4447. +.El +.Pp +Arguments not beginning with a letter, digit, or underscore +must be quoted. +.Pp +Additional configuration files can be included with the +.Ic include +keyword, for example: +.Bd -literal -offset indent +include "/etc/ldpd.sub.conf" +.Ed +.Ss Macros +A macro is defined with a command of the form +.Ar name Ns = Ns Ar value . +The macro +.Ar name +can contain letters, digits, and underscores and cannot be a reserved word +(for example, +.Ic neighbor ) . +Within unquoted arguments, the string +.Pf $ Ar name +is later expanded to +.Ar value . +.Ss Global configuration +Several settings can be configured globally or within a more restricted scope, +like per address-family or per interface. +The only settings that can be set globally and not overruled are listed below. +.Pp +.Bl -tag -width Ds -compact +.It Xo +.Ic ds-cisco-interop +.Pq Ic yes Ns | Ns Ic no +.Xc +If set to +.Ic yes , +Cisco non-compliant format will be used to send and interpret the Dual-Stack +capability TLV. +The default is +.Ic no . +.Pp +.It Xo +.Ic fib-update +.Pq Ic yes Ns | Ns Ic no +.Xc +If set to +.Ic no , +do not update the Label Forwarding Information Base, a.k.a. the kernel routing +table. +The default is +.Ic yes . +.Pp +.It Ic rdomain Ar tableid +Specifies the routing table +.Xr ldpd 8 +should modify. +Table 0 is the default table. +.Pp +.It Ic router-id Ar address +Set the router ID; in combination with labelspace it forms the LSR-ID. +If not specified, the numerically lowest IP address of the router will be used. +.Pp +.It Xo +.Ic tcp md5sig password Ar secret +.Op Ar lsr-id Ns Op / Ns Ar prefix +.Xc +.It Xo +.Ic tcp md5sig key Ar secret +.Op Ar lsr-id Ns Op / Ns Ar prefix +.Xc +.It Xo +.Ic no tcp md5sig +.Op Ar lsr-id Ns Op / Ns Ar prefix +.Xc +Enable or disable TCP MD5 signatures per RFC 5036. +The shared secret can either be given as a password or hexadecimal key. +An optional prefix may be specified to scope the key configuration to a +set of neighbors with the specified LSR-IDs. +.Bd -literal -offset indent +tcp md5sig password mekmitasdigoat 192.168.0.0/24 +no tcp md5sig 192.168.0.25 +.Ed +.Pp +.It Xo +.Ic transport-preference +.Pq Ic ipv4 Ns | Ns Ic ipv6 +.Xc +Specify the preferred address-family for TCP transport connections. +If two dual-stack LSRs preferences does not match, no LDP session will +be established. +The default is +.Ic ipv6 . +.El +.Ss Address-family configuration +Each address-family can have several parameters configured +individually, otherwise they are inherited. +.Bd -literal -offset indent +address-family ipv6 { + explicit-null yes + transport-address 2001:db8::50 + interface em0 +} +.Ed +.Pp +.Bl -tag -width Ds -compact +.It Xo +.Ic explicit-null +.Pq Ic yes Ns | Ns Ic no +.Xc +If set to +.Ic yes , +advertise explicit-null labels in place of implicit-null labels for directly +connected prefixes. +The default is +.Ic no . +.Pp +.It Xo +.Ic gtsm-enable +.Pq Ic yes Ns | Ns Ic no +.Xc +If set to +.Ic yes , +.Xr ldpd 8 +will use the GTSM procedures described in RFC 6720 (for the IPv4 address-family) +and RFC 7552 (for the IPv6 address-family). +.Pp +Since GTSM is mandatory for LDPv6, the only effect of disabling GTSM for the +IPv6 address-family is that +.Xr ldpd 8 +will not discard packets with a hop limit below 255. +This may be necessary to interoperate with older implementations. +Outgoing packets will still be sent using a hop limit of 255 +for maximum compatibility. +.Pp +If GTSM is enabled, multi-hop neighbors should have either GTSM disabled +individually or configured with an appropriate gtsm-hops distance. +The default is +.Ic yes . +.Pp +.It Ic keepalive Ar seconds +Set the keepalive timeout in seconds. +The default value is 180; valid range is 3\-65535. +.Pp +.It Xo +.Ic targeted-hello-accept +.Pq Ic yes Ns | Ns Ic no +.Xc +If set to +.Ic yes , +allow LDP sessions to be established with remote neighbors that have not been +specifically configured. +The default is +.Ic no . +.Pp +.It Ic transport-address Ar address +Set the local address to be used in the TCP sessions. +For the IPv4 address-family, the router-id will be used if this option is not specified. +For the IPv6 address-family, this option must be specified. +.El +.Ss Interfaces configuration +Each interface can have several parameters configured individually, otherwise +they are inherited. +.Bd -literal -offset indent +address-family ipv4 { + interface em0 { + link-hello-holdtime 9 + link-hello-interval 3 + } +} +.Ed +.Pp +Interface-specific parameters are listed below. +.Bl -tag -width Ds +.It Ic link-hello-holdtime Ar seconds +Set the hello holdtime in seconds. +The maximum time +.Xr ldpd 8 +will wait between two consecutive hello messages from a peer before it is +marked as being down. +The default value is 15; valid range is 3\-65535. +.It Ic link-hello-interval Ar seconds +Set the hello interval in seconds. +The default value is 5; valid range is 1\-65535. +.El +.Ss Targeted neighbors configuration +Each targeted neighbor can have several parameters configured individually, +otherwise they are inherited. +.Bd -literal -offset indent +address-family ipv4 { + targeted-neighbor A.B.C.D { + targeted-hello-holdtime 90 + targeted-hello-interval 10 + } +} +address-family ipv6 { + targeted-neighbor 2001:db8::1 +} +.Ed +.Pp +Targeted-neighbor specific parameters are listed below. +.Bl -tag -width Ds +.It Ic targeted-hello-holdtime Ar seconds +Set the hello holdtime in seconds. +The maximum time +.Xr ldpd 8 +will wait between two consecutive hello messages from a peer before it is +marked as being down. +The default value is 45. +.It Ic targeted-hello-interval Ar seconds +Set the hello interval in seconds. +The default value is 5; valid range is 1\-65535. +.El +.Ss Neighbors configuration +The +.Ic neighbor +section allows for the configuration of neighbor-specific parameters. +Note, however, that +.Xr ldpd 8 +uses the hello discovery mechanism to discover its neighbors. +Without an underlying adjacency these commands have no effect. +A neighbor is identified by its LSR-ID, not by its remote address. +The neighbor-specific parameters apply for both LDPoIPv4 and LDPoIPv6 sessions. +.Bd -literal -offset indent +neighbor A.B.C.D { +} +.Ed +.Pp +Neighbor-specific parameters are listed below. +.Bl -tag -width Ds +.It Ic keepalive Ar seconds +Set the keepalive timeout in seconds. +Inherited from the global configuration if not given. +Valid range is 3\-65535. +.It Xo +.Ic gtsm-enable +.Pq Ic yes Ns | Ns Ic no +.Xc +Override the inherited configuration and enable/disable GTSM for this neighbor. +.It Ic gtsm-hops Ar hops +Set the maximum number of hops the neighbor may be away. +When GTSM is enabled for this neighbor, incoming packets are required to have +a TTL/hop limit of 256 minus this value, ensuring they have not passed +through more than the expected number of hops. +The default value is 1; valid range is 1\-255. +.It Ic tcp md5sig password Ar secret +Enable TCP MD5 signatures per RFC 5036 with the specified password. +.It Ic tcp md5sig key Ar secret +Enable TCP MD5 signatures per RFC 5036 with the specified hexadecimal key. +.It Ic no tcp md5sig +Disable the use of TCP MD5 signatures. +.El +.Ss Layer 2 VPNs configuration +.Xr ldpd 8 +implements the signaling of pseudowires which can be used to +implement either the VPWS solution (also known as PWE3) or the VPLS +solution. +Currently only the VPLS solution is supported. +.Bd -literal -offset indent +l2vpn name type vpls { + bridge bridge0 + interface em1 + pseudowire mpw1 { + pw-id 100 + neighbor-id 192.168.1.10 + } + pseudowire mpw2 { + pw-id 200 + neighbor-id 10.0.1.5 + } +} +.Ed +.Pp +Layer 2 VPN specific parameters are listed below. +.Bl -tag -width Ds +.It Ic bridge Ar interface +Set the bridge interface the VPLS is associated with. +This parameter is optional and is only used to remove MAC addresses received +from MAC address withdrawal messages. +Only one bridge interface can be set. +.It Ic interface Ar interface +Configure a non pseudowire interface pertaining to the VPLS. +This parameter is optional and is only used to send MAC address withdrawal +messages when the specified interface is shutdown. +Multiple interfaces can be configured. +.It Ic mtu Ar number +Set the MTU advertised in the pseudowires. +Local and remote MTUs must match for a pseudowire to be set up. +The default value is 1500. +.It Xo +.Ic type +.Pq Ic ethernet Ns | Ns Ic ethernet-tagged +.Xc +Specify the type of the configured pseudowires. +The type must be the same at both endpoints. +The default is +.Ic ethernet . +.El +.Sh PSEUDOWIRES +Each +.Xr mpw 4 +pseudowire interface can have several parameters configured individually, +otherwise they are inherited. +A pseudowire interface is specified by its name. +.Bd -literal -offset indent +pseudowire mpw5 { + pw-id 5000 + neighbor-id 172.16.1.50 +} +.Ed +.Pp +Pseudowire-specific parameters are listed below. +.Bl -tag -width Ds +.It Xo +.Ic control-word +.Pq Ic yes Ns | Ns Ic no +.Xc +Specify whether the use of the control word is preferred or not +preferred. +The default is +.Ic yes . +.It Ic neighbor-addr Ar address +Specify the IPv4 or IPv6 address of the remote endpoint of the pseudowire. +A targeted neighbor will automatically be created for this address. +By default, the LSR-ID of the remote endpoint of the pseudowire will be used. +.It Ic neighbor-id Ar address +Specify the LSR-ID of the remote endpoint of the pseudowire. +.It Ic pw-id Ar number +Set the PW ID used to identify the pseudowire. +The PW ID must be the same at both endpoints. +Valid range is 1\-4294967295. +.It Xo +.Ic status-tlv +.Pq Ic yes Ns | Ns Ic no +.Xc +Specify whether the use of the Status TLV is preferred or not +preferred. +The default is +.Ic yes . +.El +.Sh FILES +.Bl -tag -width /etc/examples/ldpd.conf -compact +.It Pa /etc/ldpd.conf +.Xr ldpd 8 +configuration file. +.It Pa /etc/examples/ldpd.conf +Example configuration file. +.El +.Sh SEE ALSO +.Xr ldpctl 8 , +.Xr ldpd 8 , +.Xr rc.conf.local 8 +.Sh HISTORY +The +.Nm +file format first appeared in +.Ox 4.6 . diff --git a/static/openbsd/man5/magic.5 b/static/openbsd/man5/magic.5 new file mode 100644 index 00000000..d6fcf8e0 --- /dev/null +++ b/static/openbsd/man5/magic.5 @@ -0,0 +1,206 @@ +.TH MAGIC 5 "Public Domain" +.\" install as magic.4 on USG, magic.5 on V7 or Berkeley systems. +.SH NAME +magic \- file command's magic number file +.SH DESCRIPTION +This manual page documents the format of the magic file as +used by the +.BR file (1) +command, version 3.22. The +.B file +command identifies the type of a file using, +among other tests, +a test for whether the file begins with a certain +.IR "magic number" . +The file +.I /usr/local/etc/magic +specifies what magic numbers are to be tested for, +what message to print if a particular magic number is found, +and additional information to extract from the file. +.PP +Each line of the file specifies a test to be performed. +A test compares the data starting at a particular offset +in the file with a 1-byte, 2-byte, or 4-byte numeric value or +a string. If the test succeeds, a message is printed. +The line consists of the following fields: +.IP offset \w'message'u+2n +A number specifying the offset, in bytes, into the file of the data +which is to be tested. +.IP type +The type of the data to be tested. The possible values are: +.RS +.IP byte \w'message'u+2n +A one-byte value. +.IP short +A two-byte value (on most systems) in this machine's native byte order. +.IP long +A four-byte value (on most systems) in this machine's native byte order. +.IP string +A string of bytes. +.IP date +A four-byte value interpreted as a unix date. +.IP beshort +A two-byte value (on most systems) in big-endian byte order. +.IP belong +A four-byte value (on most systems) in big-endian byte order. +.IP bedate +A four-byte value (on most systems) in big-endian byte order, +interpreted as a unix date. +.IP leshort +A two-byte value (on most systems) in little-endian byte order. +.IP lelong +A four-byte value (on most systems) in little-endian byte order. +.IP ledate +A four-byte value (on most systems) in little-endian byte order, +interpreted as a unix date. +.RE +.PP +The numeric types may optionally be followed by +.B & +and a numeric value, +to specify that the value is to be AND'ed with the +numeric value before any comparisons are done. Prepending a +.B u +to the type indicates that ordered comparisons should be unsigned. +.IP test +The value to be compared with the value from the file. If the type is +numeric, this value +is specified in C form; if it is a string, it is specified as a C string +with the usual escapes permitted (e.g. \en for new-line). +.IP +Numeric values +may be preceded by a character indicating the operation to be performed. +It may be +.BR = , +to specify that the value from the file must equal the specified value, +.BR < , +to specify that the value from the file must be less than the specified +value, +.BR > , +to specify that the value from the file must be greater than the specified +value, +.BR & , +to specify that the value from the file must have set all of the bits +that are set in the specified value, +.BR ^ , +to specify that the value from the file must have clear any of the bits +that are set in the specified value, or +.BR x , +to specify that any value will match. If the character is omitted, +it is assumed to be +.BR = . +.IP +Numeric values are specified in C form; e.g. +.B 13 +is decimal, +.B 013 +is octal, and +.B 0x13 +is hexadecimal. +.IP +For string values, the byte string from the +file must match the specified byte string. +The operators +.BR = , +.B < +and +.B > +(but not +.BR & ) +can be applied to strings. +The length used for matching is that of the string argument +in the magic file. This means that a line can match any string, and +then presumably print that string, by doing +.B >\e0 +(because all strings are greater than the null string). +.IP message +The message to be printed if the comparison succeeds. If the string +contains a +.BR printf (3S) +format specification, the value from the file (with any specified masking +performed) is printed using the message as the format string. +.PP +Some file formats contain additional information which is to be printed +along with the file type. A line which begins with the character +.B > +indicates additional tests and messages to be printed. The number of +.B > +on the line indicates the level of the test; a line with no +.B > +at the beginning is considered to be at level 0. +Each line at level +.IB n \(pl1 +is under the control of the line at level +.IB n +most closely preceding it in the magic file. +If the test on a line at level +.I n +succeeds, the tests specified in all the subsequent lines at level +.IB n \(pl1 +are performed, and the messages printed if the tests succeed. The next +line at level +.I n +terminates this. +If the first character following the last +.B > +is a +.B ( +then the string after the parenthesis is interpreted as an indirect offset. +That means that the number after the parenthesis is used as an offset in +the file. The value at that offset is read, and is used again as an offset +in the file. Indirect offsets are of the form: +.BI (( x [.[bsl]][+-][ y ]). +The value of +.I x +is used as an offset in the file. A byte, short or long is read at that offset +depending on the +.B [bsl] +type specifier. To that number the value of +.I y +is added and the result is used as an offset in the file. The default type +if one is not specified is long. +.PP +Sometimes you do not know the exact offset as this depends on the length of +preceding fields. You can specify an offset relative to the end of the +last uplevel field (of course this may only be done for sublevel tests, i.e. +test beginning with +.B > +). Such a relative offset is specified using +.B & +as a prefix to the offset. +.SH BUGS +The formats +.IR long , +.IR belong , +.IR lelong , +.IR short , +.IR beshort , +.IR leshort , +.IR date , +.IR bedate , +and +.I ledate +are system-dependent; perhaps they should be specified as a number +of bytes (2B, 4B, etc), +since the files being recognized typically come from +a system on which the lengths are invariant. +.PP +There is (currently) no support for specified-endian data to be used in +indirect offsets. +.SH SEE ALSO +.BR file (1) +\- the command that reads this file. +.\" +.\" From: guy@sun.uucp (Guy Harris) +.\" Newsgroups: net.bugs.usg +.\" Subject: /etc/magic's format isn't well documented +.\" Message-ID: <2752@sun.uucp> +.\" Date: 3 Sep 85 08:19:07 GMT +.\" Organization: Sun Microsystems, Inc. +.\" Lines: 136 +.\" +.\" Here's a manual page for the format accepted by the "file" made by adding +.\" the changes I posted to the S5R2 version. +.\" +.\" Modified for Ian Darwin's version of the file command. +.\" @(#)$Id: magic.5,v 1.1 2000/10/10 20:40:37 beck Exp $ diff --git a/static/openbsd/man5/mailer.conf.5 b/static/openbsd/man5/mailer.conf.5 new file mode 100644 index 00000000..288ff4f4 --- /dev/null +++ b/static/openbsd/man5/mailer.conf.5 @@ -0,0 +1,104 @@ +.\" $OpenBSD: mailer.conf.5,v 1.18 2018/09/17 15:46:37 jmc Exp $ +.\" $NetBSD: mailer.conf.5,v 1.1 1999/03/25 16:40:17 is Exp $ +.\" +.\" Copyright (c) 1998 +.\" Perry E. Metzger. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. All advertising materials mentioning features or use of this software +.\" must display the following acknowledgment: +.\" This product includes software developed for the NetBSD Project +.\" by Perry E. Metzger. +.\" 4. The name of the author may not be used to endorse or promote products +.\" derived from this software without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd $Mdocdate: September 17 2018 $ +.Dt MAILER.CONF 5 +.Os +.Sh NAME +.Nm mailer.conf +.Nd configuration file for mailwrapper(8) +.Sh DESCRIPTION +The file +.Pa /etc/mailer.conf +contains a series of pairs. +The first member of each pair is the name of a program invoking +.Xr mailwrapper 8 +which is typically a symbolic link to +.Pa /usr/sbin/sendmail . +(On a typical system, +.Xr newaliases 8 +and +.Xr mailq 8 +would be set up this way.) +The second member of each pair is the name of the program to +actually execute when the first name is invoked. +The file may also contain comments, denoted by a +.Ql # +character in the first column of any line. +.Sh FILES +.Bl -tag -width /etc/mailer.conf -compact +.It Pa /etc/mailer.conf +.El +.Sh EXAMPLES +The following is an example of how to set up +.Nm +for the default +.Xr smtpd 8 +MTA suite: +.Bd -literal +# Emulate sendmail using smtpd +sendmail /usr/sbin/smtpctl +send-mail /usr/sbin/smtpctl +mailq /usr/sbin/smtpctl +makemap /usr/sbin/smtpctl +newaliases /usr/sbin/smtpctl +.Ed +.Pp +This example shows how to invoke the traditional +.Xr sendmail 8 +MTA suite in place of +.Xr smtpd 8 : +.Bd -literal +# Execute the "real" sendmail program +sendmail /usr/local/libexec/sendmail/sendmail +send-mail /usr/local/libexec/sendmail/sendmail +mailq /usr/local/libexec/sendmail/sendmail +makemap /usr/local/libexec/sendmail/makemap +newaliases /usr/local/libexec/sendmail/sendmail +hoststat /usr/local/libexec/sendmail/sendmail +purgestat /usr/local/libexec/sendmail/sendmail +.Ed +.Sh SEE ALSO +.Xr mail 1 , +.Xr mailq 8 , +.Xr mailwrapper 8 , +.Xr newaliases 8 , +.Xr smtpd 8 +.Sh AUTHORS +.An Perry E. Metzger Aq Mt perry@piermont.com +.Sh BUGS +The entire reason this program exists is a crock. +Instead, a command for how to submit mail should be standardized, +and all the "behave differently if invoked with a different name" +behavior of things like +.Xr mailq 8 +should go away. diff --git a/static/openbsd/man5/man.conf.5 b/static/openbsd/man5/man.conf.5 new file mode 100644 index 00000000..2ba8cde4 --- /dev/null +++ b/static/openbsd/man5/man.conf.5 @@ -0,0 +1,133 @@ +.\" $OpenBSD: man.conf.5,v 1.8 2020/02/10 14:42:03 schwarze Exp $ +.\" +.\" Copyright (c) 2015, 2017 Ingo Schwarze <schwarze@openbsd.org> +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: February 10 2020 $ +.Dt MAN.CONF 5 +.Os +.Sh NAME +.Nm man.conf +.Nd configuration file for man +.Sh DESCRIPTION +This is the configuration file +for the +.Xr man 1 , +.Xr apropos 1 , +and +.Xr makewhatis 8 +utilities. +Its presence, and all directives, are optional. +.Pp +This file is an ASCII text file. +Leading whitespace on lines, lines starting with +.Sq # , +and blank lines are ignored. +Words are separated by whitespace. +The first word on each line is the name of a configuration directive. +.Pp +The following directives are supported: +.Bl -tag -width Ds +.It Ic manpath Ar path +Override the default search +.Ar path +for +.Xr man 1 , +.Xr apropos 1 , +and +.Xr makewhatis 8 . +It can be used multiple times to specify multiple paths, +with the order determining the manual page search order. +.Pp +Each path is a tree containing subdirectories +whose names consist of the strings +.Sq man +and/or +.Sq cat +followed by the names of sections, usually single digits. +The former are supposed to contain unformatted manual pages in +.Xr mdoc 7 +and/or +.Xr man 7 +format; file names should end with the name of the section +preceded by a dot. +The latter should contain preformatted manual pages; +file names should end with +.Ql .0 . +.Pp +Creating a +.Xr mandoc.db 5 +database with +.Xr makewhatis 8 +in each directory configured with +.Ic manpath +is recommended and necessary for +.Xr apropos 1 +to work, and also for +.Xr man 1 +on operating systems like +.Ox +that install each manual page with only one file name in the file system, +even if it documents multiple utilities or functions. +.It Ic output Ar option Op Ar value +Configure the default value of an output option. +These directives are overridden by the +.Fl O +command line options of the same names. +For details, see the +.Xr mandoc 1 +manual. +.Pp +.Bl -column fragment integer "ascii, utf8" -compact +.It Ar option Ta Ar value Ta used by Fl T Ta purpose +.It Ta Ta Ta +.It Ic fragment Ta none Ta Cm html Ta print only body +.It Ic includes Ta string Ta Cm html Ta path to header files +.It Ic indent Ta integer Ta Cm ascii , utf8 Ta left margin +.It Ic man Ta string Ta Cm html Ta path for \&Xr links +.It Ic paper Ta string Ta Cm ps , pdf Ta paper size +.It Ic style Ta string Ta Cm html Ta CSS file +.It Ic toc Ta none Ta Cm html Ta print table of contents +.It Ic width Ta integer Ta Cm ascii , utf8 Ta right margin +.El +.El +.Sh FILES +.Bl -tag -width /etc/examples/man.conf -compact +.It Pa /etc/man.conf +.It Pa /etc/examples/man.conf +.El +.Sh EXAMPLES +The following configuration file reproduces the defaults: +installing it is equivalent to not having a +.Nm +file at all. +.Bd -literal -offset indent +manpath /usr/share/man +manpath /usr/X11R6/man +manpath /usr/local/man +.Ed +.Sh SEE ALSO +.Xr apropos 1 , +.Xr man 1 , +.Xr makewhatis 8 +.Sh HISTORY +A relatively complicated +.Nm +file format first appeared in +.Bx 4.3 Reno . +For +.Ox 5.8 , +it was redesigned from scratch, aiming for simplicity. +.Sh AUTHORS +.An Ingo Schwarze Aq Mt schwarze@openbsd.org diff --git a/static/openbsd/man5/netid.5 b/static/openbsd/man5/netid.5 new file mode 100644 index 00000000..6d818e43 --- /dev/null +++ b/static/openbsd/man5/netid.5 @@ -0,0 +1,120 @@ +.\" $OpenBSD: netid.5,v 1.13 2013/07/16 11:13:34 schwarze Exp $ +.\" +.\" Copyright (c) 2008 Ingo Schwarze <schwarze@usta.de> +.\" Copyright (c) 1996 Mats O Jansson <moj@stacken.kth.se> +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS +.\" OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY +.\" DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.Dd $Mdocdate: July 16 2013 $ +.Dt NETID 5 +.Os +.Sh NAME +.Nm netid +.Nd YP network credential file +.Sh DESCRIPTION +The file +.Pa /etc/netid +consists of newline separated ASCII records. +Each record consists of a key, a single blank character, and a value. +The key and the value may be arbitrary strings except that neither +may contain blank characters. +.Pp +Records in the file +.Pa /etc/netid +and in the +.Pa netid.byname +YP map are ignored by the system unless they have the following form: +.Bd -literal +unix.<uid>@<yp-domain> <uid>:<gid>,<gid>,... +.Ed +.Pp +When YP is enabled in the +.Xr group 5 +file, such records specify that the function +.Xr getgrouplist 3 +shall return the specified groups in addition to the groups +found in the group file. +The file +.Pa /etc/netid +is parsed before the +.Pa netid.byname +YP map. +Only the first matching record is used. +.Pp +The main use of the +.Pa /etc/netid +file is to allow certain users to log in even while YP is enabled but +temporarily unavailable. +These users must also be listed in the local +.Xr master.passwd 5 +file. +If consistency of group membership information is required while YP is +enabled and available, all records in the +.Pa /etc/netid +file must agree with records in the +.Pa netid.byname +YP map, although the latter may contain additional records. +If consistency of group membership information is required even while YP is +enabled but unavailable, the records in the +.Pa /etc/netid +file must not grant more group memberships than the +.Xr group 5 +file, and users having their own record in the +.Pa /etc/netid +file must not show up in the +.Pa group.byname +and +.Pa group.bygid +YP maps. +.Pp +On a YP master server, +.Xr Makefile.yp 8 +uses the +.Xr mknetid 8 +utility to generate the +.Pa netid.byname +YP map. +In this case, the YP map will also contain records of the following form: +.Bd -literal +unix.<hostname>@<yp-domain> 0:<hostname> +.Ed +.Pp +Such records are ignored by the system. +.Sh FILES +.Bl -tag -width /etc/netid -compact +.It Pa /etc/netid +.El +.Sh EXAMPLES +A netid file or YP map might look like the following: +.Bd -literal -offset indent +unix.10714@kaka 10714:400,10 +unix.jodie@kaka 0:jodie +.Ed +.Sh SEE ALSO +.Xr getgrouplist 3 , +.Xr group 5 , +.Xr Makefile.yp 8 , +.Xr mknetid 8 , +.Xr yp 8 +.Sh AUTHORS +.An Mats O Jansson Aq Mt moj@stacken.kth.se diff --git a/static/openbsd/man5/npppd-users.5 b/static/openbsd/man5/npppd-users.5 new file mode 100644 index 00000000..e79472ff --- /dev/null +++ b/static/openbsd/man5/npppd-users.5 @@ -0,0 +1,74 @@ +.\" $OpenBSD: npppd-users.5,v 1.9 2019/09/02 21:18:41 deraadt Exp $ +.\" +.\" Copyright (c) 2012 YASUOKA Masahiko <yasuoka@openbsd.org> +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" The following requests are required for all man pages. +.\" +.Dd $Mdocdate: September 2 2019 $ +.Dt NPPPD-USERS 5 +.Os +.Sh NAME +.Nm npppd-users +.Nd user database file +.Sh DESCRIPTION +The +.Nm +file describes +the various attributes of users. +Refer to +.Xr cgetent 3 +for a description of the file layout. +Each entry in the database is used to describe one user. +The record name is the username. +The following attributes can be specified: +.Bl -column "framed-ip-network" +.It Sy Name Ta Sy Description +.It password Ta +User's password. +Some characters are needed to be represented by the escape sequence. +See +.Xr cgetent 3 +for the escape sequence. +.It framed-ip-address Ta +IPv4 address to be assigned for the user. +.It framed-ip-netmask Ta +IPv4 netmask to be used for the user. +.It calling-number Ta +Calling phone number to check user's phone number. +.El +.Sh FILES +.Bl -tag -width "/etc/npppd/npppd-users" +.It Pa /etc/npppd/npppd-users +User database file. +.El +.Sh EXAMPLES +.Bd -literal +taro:\\ + :password=taro's password:\\ + :framed-ip-address=192.168.0.101: + +hana:\\ + :password=hana's password:\\ + :framed-ip-address=192.168.0.102: +.Ed +.Sh SEE ALSO +.Xr cgetent 3 , +.Xr npppd.conf 5 , +.Xr npppd 8 +.Sh BUGS +Colon +.Pq Sq \&: +characters or vertical bar +.Pq Sq | +characters cannot be used in the username. diff --git a/static/openbsd/man5/npppd.conf.5 b/static/openbsd/man5/npppd.conf.5 new file mode 100644 index 00000000..a1c93894 --- /dev/null +++ b/static/openbsd/man5/npppd.conf.5 @@ -0,0 +1,749 @@ +.\" $OpenBSD: npppd.conf.5,v 1.36 2025/07/08 14:26:45 schwarze Exp $ +.\" +.\" Copyright (c) 2012 YASUOKA Masahiko <yasuoka@openbsd.org> +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: July 8 2025 $ +.Dt NPPPD.CONF 5 +.Os +.Sh NAME +.Nm npppd.conf +.Nd NPPP daemon configuration file +.Sh DESCRIPTION +.Nm +is the configuration file for the PPP daemon +.Xr npppd 8 . +.Pp +.Nm +is divided into the following main sections: +.Pp +.Bl -tag -width "AuthenticationXXX" -offset indent -compact +.It Sx Global +Global settings. +.It Sx Tunnel +Tunneling protocol and PPP settings. +.It Sx IPCP +Internet Protocol Configuration Protocol (IPCP) of PPP. +.It Sx Interface +Interface settings. +.It Sx Authentication +Authentication settings. +.It Sx Bind +Bind settings. +.It Sx RADIUS +RADIUS settings. +.El +.Ss Global +The global options are as follows: +.Bl -tag -width Ds +.It Ic set max-session Ar number +Specify the maximum number of sessions. +.Sq 0 +means no limit. +The default value is 0. +.It Ic set user-max-session Ar number +Specify the maximum number of sessions for each user. +.Sq 0 +means no limit. +The default value is 0. +.El +.Ss Tunnel +The +.Ic tunnel +setting is described below: +.Pp +.Ic tunnel Ar name Ic protocol Ar protocol Op Ar option ... +.Pp +Specify the tunnel +.Ar protocol : +.Pp +.Bl -tag -width "pppoeXXX" -offset indent -compact +.It Ic l2tp +Layer Two Tunneling Protocol (RFC 2661) +.It Ic pppoe +PPP Over Ethernet (RFC 2516) +.It Ic pptp +Point-to-Point Tunneling Protocol (RFC 2637) +.El +.Pp +The supported options are as follows: +.Bl -tag -width Ds +.It Ic listen on Ar address Op Ic port Ar port +Specify the IP address that this tunnel listens on. +Both IPv4 and IPv6 addresses can be used for L2TP. +Only IPv4 address can be used for PPTP. +If the port is omitted, the default port numbers are used. +The default port numbers are 1723 for PPTP and 1701 for L2TP. +The default value is 0.0.0.0. +This option is for PPTP and L2TP only. +This option can be used multiple times. +.It Ic listen on interface Ar interface-name +Specify the interface name that this PPPoE tunnel listens on. +The interface must be an Ethernet interface. +This option is for PPPoE only. +.It Ic l2tp-hostname Ar string +Specify an L2TP hostname. +The default value is the value that is returned by +.Xr gethostname 3 . +This option is for L2TP only. +.It Ic l2tp-vendor-name Ar string +Specify an L2TP vendor name. +The default value is "" (an empty string). +This option is for L2TP only. +.It Ic l2tp-hello-interval Ar number +Specify the interval time between L2TP hello requests, in seconds. +The default value is 60. +This option is for L2TP only. +.It Ic l2tp-hello-timeout Ar number +Specify the maximum time that +.Xr npppd 8 +waits for L2TP hello responses, in seconds. +The default value is 30. +This option is for L2TP only. +.It Ic l2tp-accept-dialin Ar yes | no +If +.Dq yes +is specified, +.Xr npppd 8 +accepts Proxy-LCP and Proxy-Authentication AVPs from LAC +to do +.Dq compulsory tunneling mode . +The default is +.Dq no . +This option is for L2TP only. +.It Ic l2tp-lcp-renegotiation Ar yes | no +If +.Dq yes +is specified, +.Xr npppd 8 +will basically use the LCP that is received by Proxied-LCP AVPs, +but if the LCP is not acceptable +.Xr npppd 8 +will negotiate LCP again. +The default is +.Dq yes . +This option is for L2TP only. +.It Ic l2tp-force-lcp-renegotiation Ar yes | no +If +.Dq yes +is specified, +.Xr npppd 8 +will not use the LCP that is received by Proxied-LCP AVPs, +it will negotiate LCP again. +The default is +.Dq no . +This option is for L2TP only. +.It Ic l2tp-data-use-seq Ar yes | no +Specify +.Dq yes +to use sequencing for L2TP Data communications. +The default is +.Dq yes . +This option is for L2TP only. +.It Ic l2tp-require-ipsec Ar yes | no +Specify +.Dq yes +to refuse L2TP connections without IPsec encapsulation. +The default is +.Dq no . +This option is for L2TP only. +.It Ic pptp-hostname Ar string +Specify a PPTP hostname. +The default value is "" (an empty string). +This option is for PPTP only. +.It Ic pptp-vendor-name Ar string +Specify a PPTP vendor name. +The default value is "" (an empty string). +This option is for PPTP only. +.It Ic pptp-echo-interval Ar number +Specify the interval time between PPTP echo requests, in seconds. +The default value is 60. +This option is for PPTP only. +.It Ic pptp-echo-timeout Ar number +Specify the maximum time that +.Xr npppd 8 +waits for PPTP echo replies, in seconds. +The default value is 60. +This option is for PPTP only. +.It Ic pppoe-service-name Ar string +Specify a service name. +The default is "" (an empty string). +This option is for PPPoE only. +.It Ic pppoe-accept-any-service Ar yes | no +If +.Dq yes +is specified, +.Xr npppd 8 +accepts requests from clients that are accepting any service names. +The default value is +.Dq yes . +This option is for PPPoE only. +.It Ic pppoe-ac-name Ar string +Specify the access concentrator (AC) name. +The default value is created by the MAC address +of the listening interface. +This option is for PPPoE only. +.It Ic mru Ar number +Specify the Maximum Receive Unit (MRU). +This value is used for LCP negotiation to ask the peer not to send packets +greater than the MRU octets. +The peer may use the MRU to decide its MTU, but this depends on the +implementation. +The default values are 1360 for L2TP, 1400 for PPTP, and 1492 for PPPoE. +.It Ic lcp-keepalive Ar yes | no +Specify whether +.Xr npppd 8 +uses LCP keepalive. +The default value is +.Dq no +for L2TP and +.Dq yes +for PPTP and PPPoE. +.It Ic lcp-keepalive-interval Ar number +Specify the interval time between LCP echo requests, in seconds. +The default value is 300. +.It Ic lcp-keepalive-retry-interval Ar number +Specify the interval time between retrying LCP echo requests +without receiving the echo reply from the peer. +The value must be specified in seconds. +The default value is 60. +.It Ic lcp-keepalive-max-retries Ar number +Specify the maximum number of LCP echo retries. +If the peer doesn't respond and the number of retries reaches this value, +.Xr npppd 8 +treats the link as dead and closes it. +The default value is 3. +.It Ic lcp-timeout Ar number +Specify the timeout value for LCP retransmission in seconds. +The default value is 3. +.It Ic lcp-max-configure Ar number +Specify the maximum number of LCP configure request transmissions. +The default value is 10. +.It Ic lcp-max-terminate Ar number +Specify the maximum number of LCP terminate request transmissions. +The default value is 2. +.It Ic lcp-max-nak-loop Ar number +Specify the maximum number of LCP configure NAK loops. +The default value is 5. +.It Ic authentication-method Ar authentication-method ... +Specify an authentication method: +.Pp +.Bl -tag -width mschapv2 -compact +.It Ic pap +Password Authentication Protocol. +.It Ic chap +PPP Challenge Handshake Authentication Protocol (RFC 1994). +.It Ic mschapv2 +Microsoft PPP CHAP Extensions, Version 2 (RFC 2749). +.El +.Pp +.Ic mschapv2 +is used as the default for PPTP; +.Ic pap chap mschapv2 +is used as the default for other protocols. +.It Ic ccp-timeout Ar number +Specify the timeout value for CCP retransmission, in seconds. +The default value is 3. +.It Ic ccp-max-configure Ar number +Specify the maximum number of CCP configure request transmissions. +The default value is 10. +.It Ic ccp-max-terminate Ar number +Specify the maximum number of CCP terminate request transmissions. +The default value is 2. +.It Ic ccp-max-nak-loop Ar number +Specify the maximum number of CCP configure NAK loops. +The default value is 5. +.It Ic ipcp-timeout Ar number +Specify the timeout value for IPCP retransmission, in seconds. +The default value is 3. +.It Ic ipcp-max-configure Ar number +Specify the maximum number of IPCP configure request transmissions. +The default value is 10. +.It Ic ipcp-max-terminate Ar number +Specify the maximum number of IPCP terminate request transmissions. +The default value is 2. +.It Ic ipcp-max-nak-loop Ar number +Specify the maximum number of IPCP configure NAK loops. +The default value is 5. +.It Ic mppe Ar yes | no | required +If +.Dq yes +is specified, +.Xr npppd 8 +will negotiate to use Microsoft Point-to-Point Encryption (MPPE), and it +will continue the PPP even if the negotiation fails. +If +.Dq required +is specified, +.Xr npppd 8 +will negotiate to use MPPE, and it will not continue the PPP if the +negotiation fails. +If +.Dq no +is specified, +.Xr npppd 8 +will negotiate not to use MPPE and it will refuse to use MPPE. +The default value is +.Dq required +for PPTP and +.Dq yes +for L2TP and PPPoE. +.It Ic mppe-key-length Ar key-length ... +Specify key lengths for this configuration. +The following key lengths can be used: +.Pp +.Bl -tag -width "128XXX" -compact +.It Ic 128 +128-bit encryption. +.It Ic 56 +56-bit encryption. +.It Ic 40 +40-bit encryption. +.El +.It Ic mppe-key-state Ar mode ... +Specify the key change modes that this configuration supports. +The following modes can be used: +.Pp +.Bl -tag -width "statelessXXX" -compact +.It Ic stateful +Stateful mode key changes. +.It Ic stateless +Stateless mode key changes. +.El +.It Ic idle-timeout Ar number +Specify the value for the idle timer, in seconds. +The link is disconnected if there are no data packets sent or received +for more than the amount of the +.Ar idle-timeout . +The default is 0, which disables the idle timer. +This value must be 0 for +.Xr pppx 4 +sessions. +.It Ic tcp-mss-adjust Ar yes | no +If +.Dq yes +is specified, +.Xr npppd 8 +adjusts TCP SYN packets so that the value of TCP maximum segment size (MSS) +is less than the value calculated from the link MTU. +The default value is +.Dq no . +.It Ic ingress-filter Ar yes | no +If +.Dq yes +is specified, +.Xr npppd 8 +applies an ingress filter for incoming packets. +The ingress filter drops all packets whose source address does not match +the address assigned by +.Xr npppd 8 +for the link. +The default value is +.Dq no . +.It Ic pipex Ar yes | no +Specify whether +.Xr npppd 8 +uses +.Xr pipex 4 . +The default is +.Dq yes . +The +.Xr sysctl 8 +variable +.Va net.pipex.enable +should also be enabled to use +.Xr pipex 4 . +This value must be +.Dq yes +for +.Xr pppx 4 +interfaces. +.It Ic debug-dump-pktin Ar protocol ... +If this option is specified, +.Xr npppd 8 +dumps received packets which match the specified protocol. +The following protocols can be specified: +.Pp +.Bl -tag -width "mppeXXX" -offset indent -compact +.It Ic ip +Internet Protocol (IP) +.It Ic lcp +Link Configuration Protocol (LCP) +.It Ic pap +Password Authentication Protocol (PAP) +.It Ic chap +Challenge Handshake Authentication Protocol (CHAP) +.\" .It Ic eap +.\" Extended Authentication Protocol (EAP) +.It Ic mppe +Microsoft Point-to-Point Encryption (MPPE) +.It Ic ccp +Compression Control Protocol (CCP) +.It Ic ipcp +IP Configuration Protocol (IPCP) +.El +.It Ic debug-dump-pktout Ar protocol ... +If this option is specified, +.Xr npppd 8 +dumps sent packets which match the specified protocol. +See +.Ic debug-dump-pktin +section for +.Ar protocol . +.It Ic l2tp-ctrl-in-pktdump Ar yes | no +Specify whether +.Xr npppd 8 +dumps received L2TP control packets for debugging. +The default is +.Dq no . +.It Ic l2tp-ctrl-out-pktdump Ar yes | no +Specify whether +.Xr npppd 8 +dumps sent L2TP control packets for debugging. +The default is +.Dq no . +.It Ic l2tp-data-in-pktdump Ar yes | no +Specify whether +.Xr npppd 8 +dumps received L2TP data packets for debugging. +The default is +.Dq no . +.It Ic l2tp-data-out-pktdump Ar yes | no +Specify whether +.Xr npppd 8 +dumps sent L2TP data packets for debugging. +The default is +.Dq no . +.It Ic pptp-ctrl-in-pktdump Ar yes | no +Specify whether +.Xr npppd 8 +dumps received PPTP control packets for debugging. +The default is +.Dq no . +.It Ic pptp-ctrl-out-pktdump Ar yes | no +Specify whether +.Xr npppd 8 +dumps sent PPTP control packets for debugging. +The default is +.Dq no . +.It Ic pptp-data-in-pktdump Ar yes | no +Specify whether +.Xr npppd 8 +dumps received PPTP data packets for debugging. +The default is +.Dq no . +.It Ic pptp-data-out-pktdump Ar yes | no +Specify whether +.Xr npppd 8 +dumps sent PPTP data packets for debugging. +The default is +.Dq no . +.It Ic pppoe-desc-in-pktdump Ar yes | no +Specify whether +.Xr npppd 8 +dumps received PPPoE discovery packets for debugging. +The default is +.Dq no . +.It Ic pppoe-desc-out-pktdump Ar yes | no +Specify whether +.Xr npppd 8 +dumps sent PPPoE discovery packets for debugging. +The default is +.Dq no . +.It Ic pppoe-session-in-pktdump Ar yes | no +Specify whether +.Xr npppd 8 +dumps received PPPoE session packets for debug. +The default is +.Dq no . +.It Ic pppoe-session-out-pktdump Ar yes | no +Specify whether +.Xr npppd 8 +dumps sent PPPoE session packets for debug. +The default is +.Dq no . +.El +.Ss IPCP +The +.Ic ipcp +setting is described below: +.Pp +.Ic ipcp Ar name Op Ar option ... +.Pp +.Ar name +specifies the name of this +.Ic ipcp +setting. +The maximum number of +.Ic ipcp +settings is 8. +.Pp +The supported options are as follows: +.Bl -tag -width Ds +.It Ic pool-address Ar address-range | address-mask Op Ic for Ar dynamic | static +Specify the IP address space that is pooled for this IPCP setting. +The address space can be specified by +.Ar address-range +(e.g. 192.168.0.2-192.168.0.254) +or +.Ar address-mask +(e.g. 192.168.0.0/24). +.Ar dynamic +means the address space is reserved for dynamic allocation; +.Ar static +means the address space is reserved for static allocation. +The default is +.Ar dynamic . +This option can be used multiple times. +.It Ic dns-servers Ar primary-server-address Op Ar secondary-server-address +Specify the DNS servers' IP addresses. +When this option is not specified and the authenticated realm +.Pq the RADIUS server +specifies the DNS servers' addresses, +they are used as the default. +To stop using them, set this option to +.Qq 0.0.0.0 . +.It Ic nbns-servers Ar primary-server-address Op Ar secondary-server-address +Specify the NetBIOS name servers' IP addresses. +When this option is not specified and the authenticated realm +.Pq the RADIUS server +specifies the NetBIOS servers' addresses, +they are used as the default. +To stop using them, set this option to +.Qq 0.0.0.0 . +.It Ic allow-user-selected-address Ar yes | no +Specify whether +.Xr npppd 8 +is allowed to assign an address selected by the user. +The default is +.Dq yes . +.It Ic max-session Ar number +Specify the maximum number of sessions for this +.Ic ipcp +setting. +.Sq 0 +means no limit. +The default value is 0. +.El +.Ss Interface +The +.Ic interface +setting is described below: +.Pp +.Ic interface Ar ifname Ic address Ar address Ic ipcp Ar ipcp +.Pp +Use +.Xr pppac 4 +or +.Xr pppx 4 +and +specify its name to +.Ar ifname . +.Ar address +is the IP address of this interface, and it is used as the tunnel address +to the tunnel peer. +.Ic ipcp +specifies the +setting name that is used with this interface. +The maximum number of +.Ic interface +settings is 8. +.Ss Authentication +The +.Ic authentication +setting is described below: +.Pp +.Ic authentication Ar name Ic type Ar type Ic { Ar option ... Ic } +.Pp +Specify a +.Ar name +for this authentication setting. +For +.Ar type , +one of the following can be specified: +.Pp +.Bl -tag -offset indent -compact -width "radiusXXX" +.It Ic local +Authenticates using local file. +.It Ic radius +Authenticates using remote RADIUS servers. +.El +.Pp +The supported options are as follows: +.Bl -tag -width Ds +.It Ic username-suffix Ar string +Specify the suffix of the username +so that +.Xr npppd 8 +selects this authentication setting only for a user who has the username +that matches this suffix pattern. +.\" .It Ic eap-capable Ar yes | no +.\" Specify whether this authentication server is able to use EAP. +.\" Default is `yes'. +.It Ic strip-nt-domain Ar yes | no +Specify whether +.Xr npppd 8 +removes the NT domain prefix, +such as '\e\eNTDOMAIN\e', +from the username before contacting the authentication server. +The default is +.Dq yes . +.It Ic strip-atmark-realm Ar yes | no +Specify whether +.Xr npppd 8 +removes the realm part that begins with an at sign ('@') +from the username before contacting the authentication server. +The default is +.Dq no . +.It Ic users-file Ar string +Specify the path for +.Xr npppd-users 5 +that describes users' account information. +The path must be under +.Pa /etc/npppd/ +because +.Xr npppd 8 +is restricted to accessing files only in certain directories. +.It Ic authentication-server Op Ar radius-config +This option describes the settings for a RADIUS authentication server. +.Bl -tag -width Ds +.It Ic address Ar address Oo Ic port Ar port Oc Op Ic secret Ar secret +Specify the IP +.Ar address +and +.Ar port +of the RADIUS server, +using shared +.Ar secret . +.Ar secret +must be less than 127 characters. +The default port is 1812 for +.Ic authentication-server ; +1813 for +.Ic accounting-server . +This option can be specified multiple times (maximum 16) in a +.Ar radius-config . +.It Ic timeout Ar number +Specify the maximum time for waiting for a response, in seconds. +The default is 9. +.It Ic max-tries Ar number +Specify the maximum number of retransmissions. +The default is 3. +.It Ic max-failovers Ar number +Specify the maximum number of failovers. +The default is 1. +.El +.It Ic accounting-server { Ar radius-config Ic } +This option describes the settings for a RADIUS accounting server. +See +.Ic authentication-server +section for details of +.Ar radius-config . +.It Ic user-max-session Ar number +Specify the maximum number of sessions for each user for this +.Ic authentication +setting. +.El +.Ss Bind +.Ic bind +describes a group of +.Ar tunnel , +.Ar authentication , +and +.Ar interface +settings so that they are used together. +.Pp +.Ic bind tunnel from Ar tunnel Ic authenticated by Ar authentication +.Ic to Ar ifname +.Ss RADIUS +.Ic radius +configures the RADIUS features. +The supported options are as follows: +.Bl -tag -width Ds +.It Ic radius nas-id Ar identifier +Specify the +.Ar identifier +that is noticed to the RADIUS peers in the NAS-Identifier attribute. +.It Ic radius dae listen on Ar address Oo port Ar number Oc +Enable the Dynamic Authorization Extensions for RADIUS +.Po DAE, RFC 5176 Pc +server. +Specify the local +.Ar address +.Xr npppd 8 +should listen on for the DAE requests. +Optionally specify a port +.Ar number , +the default port number is 3799. +.It Ic radius dae client Ar address Ic secret Ar secret +Specify +.Ar address +for a DAE client and +.Ar secret . +.El +.Sh EXAMPLES +A very simple configuration example is below: +.Bd -literal -offset indent +tunnel L2TP protocol l2tp +tunnel PPTP protocol pptp +ipcp IPCP { + pool-address 10.0.0.2-10.0.0.254 + dns-servers 8.8.8.8 +} +interface pppx0 address 10.0.0.1 ipcp IPCP +authentication LOCAL type local { + users-file "/etc/npppd/npppd-users" +} +bind tunnel from L2TP authenticated by LOCAL to pppx0 +bind tunnel from PPTP authenticated by LOCAL to pppx0 +.Ed +.Pp +Another simple configuration, but with two authentication realms: +.Bd -literal -offset indent +tunnel L2TP protocol l2tp { + listen on 203.0.113.100 +} +ipcp IPCP { + pool-address 10.0.0.2-10.0.0.254 + dns-servers 8.8.8.8 +} +interface pppac0 address 10.0.0.1 ipcp IPCP +interface pppac1 address 10.0.0.1 ipcp IPCP +authentication RADIUS type radius { + username-suffix "@example.com" + authentication-server { + address 192.168.0.1 secret "hogehoge" + } + accounting-server { + address 192.168.0.1 secret "hogehoge" + } +} +authentication LOCAL type local { + username-suffix "@local" + users-file "/etc/npppd/npppd-users" +} +bind tunnel from L2TP authenticated by RADIUS to pppac0 +bind tunnel from L2TP authenticated by LOCAL to pppac1 +.Ed +.Sh SEE ALSO +.Xr pipex 4 , +.Xr pppx 4 , +.Xr npppctl 8 , +.Xr npppd 8 , +.Xr sysctl 8 +.Sh BUGS +The current version of +.Xr npppd 8 +does not support adding or removing tunnel settings or changing listener +settings (listen address, port and l2tp-ipsec-require). diff --git a/static/openbsd/man5/ntpd.conf.5 b/static/openbsd/man5/ntpd.conf.5 new file mode 100644 index 00000000..8ad372ad --- /dev/null +++ b/static/openbsd/man5/ntpd.conf.5 @@ -0,0 +1,265 @@ +.\" $OpenBSD: ntpd.conf.5,v 1.49 2023/03/02 17:09:53 jmc Exp $ +.\" +.\" Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF MIND, USE, DATA OR PROFITS, WHETHER IN +.\" AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT +.\" OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: March 2 2023 $ +.Dt NTPD.CONF 5 +.Os +.Sh NAME +.Nm ntpd.conf +.Nd NTP daemon configuration file +.Sh DESCRIPTION +This manual page describes the format of the +.Xr ntpd 8 +configuration file. +.Pp +.Nm +has the following format: +.Pp +Empty lines and lines beginning with the +.Sq # +character are ignored. +.Pp +Keywords may be specified multiple times within the configuration file. +The basic configuration options are as follows: +.Bl -tag -width Ds +.It Xo Ic listen on Ar address +.Op Ic rtable Ar table-id +.Xc +Specify a local IP address or a hostname the +.Xr ntpd 8 +daemon should listen on. +If it appears multiple times, +.Xr ntpd 8 +will listen on each given address. +If +.Sq * +is given as an address, +.Xr ntpd 8 +will listen on all local addresses using the specified routing table. +.Xr ntpd 8 +does not listen on any address by default. +The optional +.Ic rtable +keyword will specify which routing table to listen on. +By default +.Xr ntpd 8 +will listen using the current routing table. +For example: +.Bd -literal -offset indent +listen on * +.Ed +.Pp +or +.Bd -literal -offset indent +listen on 127.0.0.1 +listen on ::1 +listen on 127.0.0.1 rtable 4 +.Ed +.It Ic query from Ar sourceaddr +Specify a local IP address the +.Xr ntpd 8 +daemon should use for outgoing queries to subsequently specified servers, +which is useful on machines with multiple interfaces. +For example: +.Bd -literal -offset indent +query from 192.0.2.1 +query from 2001:db8::1 +.Ed +.It Xo Ic sensor Ar device +.Op Ic correction Ar microseconds +.Op Ic refid Ar ID-string +.Op Ic stratum Ar stratum-value +.Op Ic trusted +.Op Ic weight Ar weight-value +.Xc +Specify a timedelta sensor device +.Xr ntpd 8 +should use. +The sensor can be specified multiple times: +.Xr ntpd 8 +will use each given sensor that actually exists. +Non-existent sensors are ignored. +If +.Sq * +is given as device name, +.Xr ntpd 8 +will use all timedelta sensors it finds. +.Xr ntpd 8 +does not use any timedelta sensor by default. +For example: +.Bd -literal -offset indent +sensor * +sensor nmea0 +.Ed +.Pp +A +.Ic correction +in microseconds can be given to compensate +for the sensor's offset. +The maximum correction is 127 seconds. +For example, if a DCF77 receiver is lagging 70ms behind +actual time: +.Bd -literal -offset indent +sensor udcf0 correction 70000 +.Ed +.Pp +A +.Ic refid +.Ar ID-string +of up to 4 ASCII characters can be +given to publish the sensor type to clients. +RFC 2030 suggests some common reference identifiers, but new identifiers +"can be contrived as appropriate." +If an +.Ar ID-string +is not given, +.Xr ntpd 8 +will use a generic reference ID. +For example: +.Bd -literal -offset indent +sensor nmea0 refid GPS +.Ed +.Pp +The +.Ic stratum +keyword can be used to change the stratum value from the default of 1. +.Pp +The +.Ic trusted +keyword indicates the time learned is secure, trustworthy, +and not vulnerable to man-in-the-middle attacks, so +.Ic constraints +validation is skipped. +This is useful for boot-time correction in environments where +.Ic constraints +cannot be used. +.Pp +The +.Ic weight +keyword permits finer control over the relative importance +of time sources (servers or sensor devices). +Weights are specified in the range 1 to 10; +if no weight is given, +the default is 1. +A server with a weight of 5, for example, +will have five times more influence on time offset calculation +than a server with a weight of 1. +.It Xo Ic server Ar address +.Op Ic trusted +.Op Ic weight Ar weight-value +.Xc +Specify the IP address or the hostname of an NTP +server to synchronize to. +If it appears multiple times, +.Xr ntpd 8 +will try to synchronize to all of the servers specified. +If a hostname resolves to multiple IPv4 and/or IPv6 addresses, +.Xr ntpd 8 +uses the first address. +If it does not get a reply, +.Xr ntpd 8 +retries with the next address and continues to do so until a working address +is found. +For example: +.Bd -literal -offset indent +server 10.0.0.2 weight 5 +server ntp.example.org weight 1 +.Ed +.Pp +To provide redundancy, it is good practice to configure multiple servers. +In general, best accuracy is obtained by using servers that have a low +network latency. +.It Xo Ic servers Ar address +.Op Ic trusted +.Op Ic weight Ar weight-value +.Xc +As with +.Cm server , +specify the IP address or hostname of an NTP server to synchronize to. +If it appears multiple times, +.Xr ntpd 8 +will try to synchronize to all of the servers specified. +Should the hostname resolve to multiple IP addresses, +.Xr ntpd 8 +will try to synchronize to all of them. +For example: +.Bd -literal -offset indent +servers pool.ntp.org +servers pool.ntp.org weight 5 +.Ed +.El +.Sh CONSTRAINTS +.Xr ntpd 8 +can be configured to query the +.Sq Date +from trusted HTTPS servers via TLS. +This time information is not used for precision but acts as an +authenticated constraint, +thereby reducing the impact of unauthenticated NTP +man-in-the-middle attacks. +Received NTP packets with time information falling outside of a range +near the constraint will be discarded and such NTP servers +will be marked as invalid. +.Bl -tag -width Ds +.It Ic constraint from Ar url [ip...] +Specify the URL, IP address or the hostname of an HTTPS server to +provide a constraint. +If the url is followed by one or more addresses, the url and addresses will be +tried until a working one is found. +The url path and expected certificate name is always taken from the +url specified. +If +.Ic constraint from +is used more than once, +.Xr ntpd 8 +will calculate a median constraint from all the servers specified. +.Bd -literal -offset indent +server ntp.example.org +constraint from www.example.com +constraint from "https://9.9.9.9" "2620:fe::9" +.Ed +.It Ic constraints from Ar url +As with +.Ic constraint from , +specify the URL, IP address or the hostname of an HTTPS server to +provide a constraint. +Should the hostname resolve to multiple IP addresses, +.Xr ntpd 8 +will calculate a median constraint from all of them. +For example: +.Bd -literal -offset indent +servers pool.ntp.org +constraints from "https://www.google.com/" +.Ed +.El +.Sh FILES +.Bl -tag -width /etc/examples/ntpd.conf -compact +.It Pa /etc/ntpd.conf +Default +.Xr ntpd 8 +configuration file. +.It Pa /etc/examples/ntpd.conf +Example configuration file. +.El +.Sh SEE ALSO +.Xr ntpctl 8 , +.Xr ntpd 8 , +.Xr sysctl 8 +.Sh HISTORY +The +.Nm +file format first appeared in +.Ox 3.6 . diff --git a/static/openbsd/man5/openssl.cnf.5 b/static/openbsd/man5/openssl.cnf.5 new file mode 100644 index 00000000..4047eb05 --- /dev/null +++ b/static/openbsd/man5/openssl.cnf.5 @@ -0,0 +1,361 @@ +.\" $OpenBSD: openssl.cnf.5,v 1.11 2024/07/08 15:02:28 jmc Exp $ +.\" full merge up to: OpenSSL man5/config b53338cb Feb 28 12:30:28 2017 +0100 +.\" selective merge up to: OpenSSL a8c5ed81 Jul 18 13:57:25 2017 -0400 +.\" +.\" This file was written by Dr. Stephen Henson <steve@openssl.org>. +.\" Copyright (c) 1999, 2000, 2004, 2013, 2015, 2016, 2017 The OpenSSL Project. +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in +.\" the documentation and/or other materials provided with the +.\" distribution. +.\" +.\" 3. All advertising materials mentioning features or use of this +.\" software must display the following acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" +.\" +.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to +.\" endorse or promote products derived from this software without +.\" prior written permission. For written permission, please contact +.\" openssl-core@openssl.org. +.\" +.\" 5. Products derived from this software may not be called "OpenSSL" +.\" nor may "OpenSSL" appear in their names without prior written +.\" permission of the OpenSSL Project. +.\" +.\" 6. Redistributions of any form whatsoever must retain the following +.\" acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY +.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR +.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +.\" OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd $Mdocdate: July 8 2024 $ +.Dt OPENSSL.CNF 5 +.Os +.Sh NAME +.Nm openssl.cnf +.Nd OpenSSL configuration files +.Sh DESCRIPTION +The OpenSSL CONF library can be used to read configuration files; see +.Xr CONF_modules_load_file 3 . +It is used for the OpenSSL master configuration file +.Pa /etc/ssl/openssl.cnf +and in a few other places such as certificate extension files for the +.Xr openssl 1 +.Cm x509 +utility. +OpenSSL applications can also use the CONF library for their own +purposes. +.Pp +A configuration file is divided into a number of sections. +Each section starts with a line +.Bq Ar section_name +and ends when a new section is started or the end of the file is reached. +A section name can consist of alphanumeric characters and underscores. +.Pp +The first section of a configuration file is special and is referred to +as the +.Dq default section . +It is usually unnamed and extends from the start of file to the +first named section. +When a name is being looked up, it is first looked up in a named +section (if any) and then in the default section. +.Pp +The environment is mapped onto a section called +.Ic ENV . +.Pp +Comments can be included by preceding them with the +.Ql # +character. +.Pp +Each section in a configuration file consists of a number of name and +value pairs of the form +.Ar name Ns = Ns Ar value . +.Pp +The +.Ar name +string can contain any alphanumeric characters as well as a few +punctuation symbols such as +.Ql \&. +.Ql \&, +.Ql \&; +and +.Ql _ . +.Pp +The +.Ar value +string consists of the string following the +.Ql = +character until the end of the line with any leading and trailing +whitespace removed. +.Pp +The value string undergoes variable expansion. +This can be done by including substrings of the form +.Pf $ Ar name +or +.Pf $ Brq Ar name : +this will substitute the value of the named variable in the current +section. +It is also possible to substitute a value from another section using the +syntax +.Pf $ Ar section Ns :: Ns Ar name +or +.Pf $ Brq Ar section Ns :: Ns Ar name . +By using the form +.Pf $ Ic ENV Ns :: Ns Ar name , +environment variables can be substituted. +It is also possible to assign values to environment variables by using +the name +.Ic ENV Ns :: Ns Ar name . +This will work if the program looks up environment variables using +the CONF library instead of calling +.Xr getenv 3 +directly. +The value string must not exceed 64k in length after variable expansion or an +error will occur. +.Pp +It is possible to escape certain characters by using any kind of quote +or the +.Ql \e +character. +By making the last character of a line a +.Ql \e , +a +.Ar value +string can be spread across multiple lines. +In addition the sequences +.Ql \en , +.Ql \er , +.Ql \eb , +and +.Ql \et +are recognized. +.Sh OPENSSL LIBRARY CONFIGURATION +Applications can automatically configure certain aspects of OpenSSL +using the master OpenSSL configuration file, or optionally an +alternative configuration file. +The +.Xr openssl 1 +utility includes this functionality: any sub command uses the master +OpenSSL configuration file unless an option is used in the sub command +to use an alternative configuration file. +.Pp +To enable library configuration, the default section needs to contain +an appropriate line which points to the main configuration section. +The default name is +.Ic openssl_conf , +which is used by the +.Xr openssl 1 +utility. +Other applications may use an alternative name such as +.Sy myapplication_conf . +All library configuration lines appear in the default section +at the start of the configuration file. +.Pp +The configuration section should consist of a set of name value pairs +which contain specific module configuration information. +The +.Ar name +represents the name of the configuration module. +The meaning of the +.Ar value +is module specific: it may, for example, represent a further +configuration section containing configuration module specific +information. +For example: +.Bd -literal -offset indent +# The following line must be in the default section. +openssl_conf = openssl_init + +[openssl_init] +oid_section = new_oids + +[new_oids] +\&... new oids here ... +.Ed +.Pp +The features of each configuration module are described below. +.Ss ASN1 Object Configuration Module +This module has the name +.Ic oid_section . +The value of this variable points to a section containing name value +pairs of OIDs: the name is the OID short and long name, and the value is the +numerical form of the OID. +Although some of the +.Xr openssl 1 +utility subcommands already have their own ASN1 OBJECT section +functionality, not all do. +By using the ASN1 OBJECT configuration module, all the +.Xr openssl 1 +utility subcommands can see the new objects as well as any compliant +applications. +For example: +.Bd -literal -offset indent +[new_oids] +some_new_oid = 1.2.3.4 +some_other_oid = 1.2.3.5 +.Ed +.Pp +It is also possible to set the value to the long name followed by a +comma and the numerical OID form. +For example: +.Pp +.Dl shortName = some object long name, 1.2.3.4 +.Sh FILES +.Bl -tag -width /etc/ssl/openssl.cnf -compact +.It Pa /etc/ssl/openssl.cnf +standard configuration file +.El +.Sh EXAMPLES +Here is a sample configuration file using some of the features +mentioned above: +.Bd -literal -offset indent +# This is the default section. +HOME=/temp +RANDFILE= ${ENV::HOME}/.rnd +configdir=$ENV::HOME/config + +[ section_one ] +# We are now in section one. + +# Quotes permit leading and trailing whitespace +any = " any variable name " + +other = A string that can \e +cover several lines \e +by including \e\e characters + +message = Hello World\en + +[ section_two ] +greeting = $section_one::message +.Ed +.Pp +This next example shows how to expand environment variables safely. +.Pp +Suppose you want a variable called +.Sy tmpfile +to refer to a temporary filename. +The directory it is placed in can determined by the +.Ev TEMP +or +.Ev TMP +environment variables but they may not be set to any value at all. +If you just include the environment variable names and the variable +doesn't exist then this will cause an error when an attempt is made to +load the configuration file. +By making use of the default section both values can be looked up with +.Ev TEMP +taking priority and +.Pa /tmp +used if neither is defined: +.Bd -literal -offset indent +TMP=/tmp +# The above value is used if TMP isn't in the environment +TEMP=$ENV::TMP +# The above value is used if TEMP isn't in the environment +tmpfile=${ENV::TEMP}/tmp.filename +.Ed +.Pp +More complex OpenSSL library configuration. +Add OID: +.Bd -literal -offset indent +# Default appname: should match "appname" parameter (if any) +# supplied to CONF_modules_load_file et al. +openssl_conf = openssl_conf_section + +[openssl_conf_section] +# Configuration module list +oid_section = new_oids + +[new_oids] +# New OID, just short name +newoid1 = 1.2.3.4.1 +# New OID shortname and long name +newoid2 = New OID 2 long name, 1.2.3.4.2 +.Ed +.Pp +The above examples can be used with any application supporting library +configuration if "openssl_conf" is modified to match the appropriate +"appname". +.Pp +For example if the second sample file above is saved to "example.cnf" +then the command line: +.Pp +.Dl OPENSSL_CONF=example.cnf openssl asn1parse -genstr OID:1.2.3.4.1 +.Pp +will output: +.Dl 0:d=0 hl=2 l= 4 prim: OBJECT :newoid1 +.Pp +showing that the OID "newoid1" has been added as "1.2.3.4.1". +.Sh SEE ALSO +.Xr openssl 1 , +.Xr CONF_modules_load_file 3 , +.Xr OPENSSL_config 3 , +.Xr x509v3.cnf 5 +.Sh CAVEATS +If a configuration file attempts to expand a variable that doesn't +exist, then an error is flagged and the file will not load. +This can also happen if an attempt is made to expand an environment +variable that doesn't exist. +For example, in a previous version of OpenSSL the default OpenSSL +master configuration file used the value of +.Ev HOME +which may not be defined on non Unix systems and would cause an error. +.Pp +This can be worked around by including a default section to provide +a default value: then if the environment lookup fails, the default +value will be used instead. +For this to work properly, the default value must be defined earlier +in the configuration file than the expansion. +See the +.Sx EXAMPLES +section for an example of how to do this. +.Pp +If the same variable is defined more than once in the same section, +then all but the last value will be silently ignored. +In certain circumstances such as with DNs, the same field may occur +multiple times. +This is usually worked around by ignoring any characters before an +initial +.Ql \&. , +for example: +.Bd -literal -offset indent +1.OU="My first OU" +2.OU="My Second OU" +.Ed +.Sh BUGS +Currently there is no way to include characters using the octal +.Pf \e Ar nnn +form. +Strings are all NUL terminated, so NUL bytes cannot form part of +the value. +.Pp +The escaping isn't quite right: if you want to use sequences like +.Ql \en , +you can't use any quote escaping on the same line. +.Pp +Files are loaded in a single pass. +This means that a variable expansion will only work if the variables +referenced are defined earlier in the file. diff --git a/static/openbsd/man5/ospf6d.conf.5 b/static/openbsd/man5/ospf6d.conf.5 new file mode 100644 index 00000000..8f31e252 --- /dev/null +++ b/static/openbsd/man5/ospf6d.conf.5 @@ -0,0 +1,358 @@ +.\" $OpenBSD: ospf6d.conf.5,v 1.29 2026/01/18 16:38:02 schwarze Exp $ +.\" +.\" Copyright (c) 2005 Esben Norby <norby@openbsd.org> +.\" Copyright (c) 2004 Claudio Jeker <claudio@openbsd.org> +.\" Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> +.\" Copyright (c) 2002 Daniel Hartmeier <dhartmei@openbsd.org> +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: January 18 2026 $ +.Dt OSPF6D.CONF 5 +.Os +.Sh NAME +.Nm ospf6d.conf +.Nd OSPF for IPv6 routing daemon configuration file +.Sh DESCRIPTION +The +.Xr ospf6d 8 +daemon implements the Open Shortest Path First protocol version 3 as described +in RFC 5340. +.Pp +The +.Nm +config file is divided into the following main sections: +.Bl -tag -width xxxx +.It Sx Macros +Definitions of variables that can be used later, simplifying the +configuration file. +.It Sx Global configuration +Global settings for +.Xr ospf6d 8 . +A number of global settings can be overruled in specific areas or interfaces. +.It Sx Areas +An OSPF router must be a member of at least one area. +Areas are used to group interfaces, simplifying configuration. +.El +.Pp +Arguments not beginning with a letter, digit, or underscore +must be quoted. +.Pp +Additional configuration files can be included with the +.Ic include +keyword, for example: +.Bd -literal -offset indent +include "/etc/ospf6d.sub.conf" +.Ed +.Ss Macros +A macro is defined with a command of the form +.Ar name Ns = Ns Ar value . +The macro +.Ar name +can contain letters, digits, and underscores and cannot be a reserved word +(for example, +.Ic area , +.Ic interface , +or +.Ic hello-interval ) . +Within unquoted arguments, the string +.Pf $ Ar name +is later expanded to +.Ar value . +.Pp +For example: +.Bd -literal -offset indent +hi="5" +area 0.0.0.0 { + interface em0 { + hello-interval $hi + } +} +.Ed +.Pp +The same can be accomplished by specifying the hello-interval +globally or within the area declaration. +.Ss Global configuration +All interface related settings can be configured globally, per area and per +interface. +The only settings that can be set globally and not overruled are listed below. +.Pp +.Bl -tag -width Ds -compact +.It Ic fib-priority Ar prio +Set the routing priority to +.Ar prio . +The default is 32. +.Pp +.It Xo +.Ic fib-update +.Pq Ic yes Ns | Ns Ic no +.Xc +If set to +.Ic \&no , +do not update the Forwarding Information Base, a.k.a. the kernel +routing table. +The default is +.Ic yes . +Setting +.Ic fib-update +to +.Ic \&no +will implicitly set the +.Ic stub router +option to ensure that no traffic tries to transit via this router. +.Pp +.It Ic rdomain Ar tableid +Specifies the routing table +.Xr ospfd 8 +should modify. +Table 0 is the default table. +.Pp +.It Xo +.Op Ic no +.Ic redistribute +.Sm off +.Po Ic static Ns | Ns Ic connected Ns | Ns +.Ic default Pc +.Sm on +.Op Ic set ...\& +.Bk -words +.Op Ic depend on Ar interface +.Ek +.Xc +.It Xo +.Op Ic no +.Ic redistribute Ar prefix Op Ic set ...\& +.Op Ic depend on Ar interface +.Xc +.It Xo +.Op Ic no +.Ic redistribute rtlabel Ar label Op Ic set ...\& +.Op Ic depend on Ar interface +.Xc +If set to +.Ic connected , +routes to directly attached networks will be announced over OSPF. +If set to +.Ic static , +static routes will be announced over OSPF. +If set to +.Ic default , +a default route pointing to this router will be announced over OSPF. +It is possible to specify a network range with +.Ar prefix ; +networks need to be part of that range to be redistributed. +Additionally it is possible to redistribute based on route labels +using the +.Ic rtlabel +keyword. +By default no additional routes will be announced over OSPF. +.Pp +.Ic redistribute +statements are evaluated in sequential order, from first to last. +The first matching rule decides if a route should be redistributed or not. +Matching rules starting with +.Ic no +will force the route to be not announced. +The only exception is +.Ic default , +which will be set no matter what, and additionally +.Ic no +cannot be used together with it. +.Pp +With the +.Ic depend on +option, redistributed routes will have a metric of 65535 if the specified +.Ar interface +is down or in state backup. +This is especially useful on a carp cluster to ensure all traffic goes to +the carp master. +.Pp +It is possible to set the route +.Ic metric +and +.Ic type +for each redistribute rule. +.Ic type +is either 1 or 2. +The default value for +.Ic type +is 1 and for +.Ic metric +is 100. +Setting more than one option needs curly brackets: +.Bd -literal -offset indent +redistribute static set { metric 300 type 2 } +.Ed +.Pp +.It Ic router-id Ar address +Set the router ID; if not specified, the lowest IPv4 address of +the interfaces used by +.Xr ospf6d 8 +will be used. +A router ID must be specified if no IPv4 address is configured on +any interfaces used by +.Xr ospf6d 8 . +.Pp +.It Ic rtlabel Ar label Ic external-tag Ar number +Map route labels to external route tags and vice versa. +The external route tag is a non-negative 32-bit number attached to +AS-external OSPF LSAs. +.Pp +.It Ic spf-delay Ar seconds +Set SPF delay in seconds. +The delay between receiving an update to the link +state database and starting the shortest path first calculation. +The default value is 1; valid range is 1\-10 seconds. +.Pp +.It Ic spf-holdtime Ar seconds +Set the SPF holdtime in seconds. +The minimum time between two consecutive +shortest path first calculations. +The default value is 5 seconds; the valid range is 1\-5 seconds. +.Pp +.It Xo +.Ic stub router +.Pq Ic yes Ns | Ns Ic no +.Xc +If set to +.Ic yes , +all interfaces with active neighbors will have a metric of infinity. +This ensures that the other routers prefer routes around this router while +still being able to reach directly connected IP prefixes. +The +.Ic stub router +option is automatically enabled if either the +.Xr sysctl 8 +variable +.Va net.inet6.ip6.forwarding +is set to a value different to 1 or if the FIB is not coupled. +.El +.Ss Areas +Areas are used for grouping interfaces. +All interface-specific parameters can +be configured per area, overruling the global settings. +These interface-specific parameters need to be defined before the interfaces. +.Bl -tag -width Ds +.It Ic area Ar address Ns | Ns Ar id +Specify an area section, grouping one or more interfaces. +.Bd -literal -offset indent +area 0.0.0.0 { + hello-interval 3 + interface em0 + interface em1 { + metric 10 + } +} +.Ed +.El +.Pp +Area specific parameters are listed below. +.Bl -tag -width Ds +.It Ic demote Ar group Op Ar count +Increase the +.Xr carp 4 +demotion counter by +.Ar count +on the given interface group, usually +.Ar carp , +when no neighbor in the area is in an active state. +The demotion counter will be decreased when one neighbor in that +area is in an active state. +The default value for +.Ar count +is 1. +.Pp +For more information on interface groups, +see the +.Ic group +keyword in +.Xr ifconfig 8 . +.El +.Ss Interfaces +Each interface can have several parameters configured individually, otherwise +they are inherited. +An interface is specified by its name. +.Bd -literal -offset indent +interface em0 { + ... +} +.Ed +.Pp +Interface-specific parameters are listed below. +.Bl -tag -width Ds +.It Ic demote Ar group +Increase the +.Xr carp 4 +demotion counter by 1 on the given interface group, usually +.Ar carp , +when the interface state is going down. +The demotion counter will be decreased when the interface +state is active again. +.It Ic depend on Ar interface +A metric of 65535 is used if the specified interface is down or in status +backup. +.It Ic hello-interval Ar seconds +Set the hello interval. +The default value is 10; valid range is 1\-65535 seconds. +.It Ic metric Ar cost +Set the interface metric a.k.a. cost. +The default value is 10; valid range is 1\-65535. +A metric of 65535 is used for +.Xr carp 4 +interfaces with status backup. +.It Ic passive +Prevent transmission and reception of OSPF packets on this interface. +The specified interface will be announced as a stub network. +Passive mode is enforced for +.Xr carp 4 +interfaces. +.It Ic retransmit-interval Ar seconds +Set retransmit interval. +The default value is 5 seconds; valid range is 5\-3600 seconds. +.It Ic router-dead-time Ar seconds +Set the router dead time, a.k.a. neighbor inactivity timer. +The default value is 40 seconds; valid range is 2\-65535 seconds. +When a neighbor has been +inactive for router-dead-time, its state is set to DOWN. +Neighbors +that have been inactive for more than 24 hours are completely removed. +.It Ic router-priority Ar priority +Set the router priority. +The default value is 1; valid range is 0\-255. +If set +to 0, the router is not eligible as a Designated Router or Backup Designated +Router. +.It Ic transmit-delay Ar seconds +Set the transmit delay. +The default value is 1; valid range is 1\-3600 seconds. +.It Ic type p2p +Set the interface type to point to point. +This disables the election of a DR and BDR for the given interface. +.El +.Sh FILES +.Bl -tag -width /etc/examples/ospf6d.conf -compact +.It Pa /etc/ospf6d.conf +.Xr ospf6d 8 +configuration file. +.It Pa /etc/examples/ospf6d.conf +Example configuration file. +.El +.Sh SEE ALSO +.Xr ospf6ctl 8 , +.Xr ospf6d 8 , +.Xr rc.conf.local 8 +.Sh HISTORY +The +.Nm +file format first appeared in +.Ox 4.2 . diff --git a/static/openbsd/man5/ospfd.conf.5 b/static/openbsd/man5/ospfd.conf.5 new file mode 100644 index 00000000..7e45fc50 --- /dev/null +++ b/static/openbsd/man5/ospfd.conf.5 @@ -0,0 +1,449 @@ +.\" $OpenBSD: ospfd.conf.5,v 1.67 2026/01/18 16:38:02 schwarze Exp $ +.\" +.\" Copyright (c) 2005 Esben Norby <norby@openbsd.org> +.\" Copyright (c) 2004 Claudio Jeker <claudio@openbsd.org> +.\" Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> +.\" Copyright (c) 2002 Daniel Hartmeier <dhartmei@openbsd.org> +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: January 18 2026 $ +.Dt OSPFD.CONF 5 +.Os +.Sh NAME +.Nm ospfd.conf +.Nd OSPF routing daemon configuration file +.Sh DESCRIPTION +The +.Xr ospfd 8 +daemon implements the Open Shortest Path First protocol version 2 as described +in RFC 2328. +.Pp +The +.Nm +config file is divided into the following main sections: +.Bl -tag -width xxxx +.It Sx Macros +Definitions of variables that can be used later, simplifying the +configuration file. +.It Sx Global configuration +Global settings for +.Xr ospfd 8 . +A number of global settings can be overruled in specific areas or interfaces. +.It Sx Areas +An OSPF router must be a member of at least one area. +Areas are used to group interfaces, simplifying configuration. +.El +.Pp +Arguments not beginning with a letter, digit, or underscore +must be quoted. +.Pp +Additional configuration files can be included with the +.Ic include +keyword, for example: +.Bd -literal -offset indent +include "/etc/ospfd.sub.conf" +.Ed +.Ss Macros +A macro is defined with a command of the form +.Ar name Ns = Ns Ar value . +The macro +.Ar name +can contain letters, digits, and underscores and cannot be a reserved word +(for example, +.Ic area , +.Ic interface , +or +.Ic hello-interval ) . +Within unquoted arguments, the string +.Pf $ Ar name +is later expanded to +.Ar value . +.Pp +For example: +.Bd -literal -offset indent +hi="5" +area 0.0.0.0 { + interface em0 { + hello-interval $hi + } +} +.Ed +.Pp +The same can be accomplished by specifying the hello-interval +globally or within the area declaration. +.Ss Global configuration +All interface related settings can be configured globally, per area and per +interface. +The only settings that can be set globally and not overruled are listed below. +.Pp +.Bl -tag -width Ds -compact +.It Ic fib-priority Ar prio +Set the routing priority to +.Ar prio . +The default is 32. +.Pp +.It Xo +.Ic fib-update +.Pq Ic yes Ns | Ns Ic no +.Xc +If set to +.Ic \&no , +do not update the Forwarding Information Base, a.k.a. the kernel +routing table. +The default is +.Ic yes . +Setting +.Ic fib-update +to +.Ic \&no +will implicitly set the +.Ic stub router +option to ensure that no traffic tries to transit via this router. +.Pp +.It Ic rdomain Ar tableid +Specifies the routing table +.Xr ospfd 8 +should modify. +Table 0 is the default table. +.Pp +.It Xo +.Op Ic no +.Ic redistribute +.Sm off +.Pq Ic static | connected | default +.Sm on +.Op Ic set ... +.Bk -words +.Op Ic depend on Ar interface +.Ek +.Xc +.It Xo +.Op Ic no +.Ic redistribute Ar prefix +.Op Ic set ... +.Op Ic depend on Ar interface +.Xc +.It Xo +.Op Ic no +.Ic redistribute rtlabel Ar label +.Op Ic set ... +.Op Ic depend on Ar interface +.Xc +If set to +.Ic connected , +routes to directly attached networks will be announced over OSPF. +If set to +.Ic static , +static routes will be announced over OSPF. +If set to +.Ic default , +a default route pointing to this router will be announced over OSPF. +It is possible to specify a network range with +.Ar prefix ; +networks need to be part of that range to be redistributed. +Additionally it is possible to redistribute based on route labels +using the +.Ic rtlabel +keyword. +By default no additional routes will be announced over OSPF. +.Pp +.Ic redistribute +statements are evaluated in sequential order, from first to last. +The first matching rule decides if a route should be redistributed or not. +Matching rules starting with +.Ic no +will force the route to be not announced. +The only exception is +.Ic default , +which will be set no matter what, and additionally +.Ic no +cannot be used together with it. +.Pp +With the +.Ic depend on +option, redistributed routes will have a metric of 65535 if the specified +.Ar interface +is down or in state backup. +This is especially useful on a carp cluster to ensure all traffic goes to +the carp master. +.Pp +It is possible to set the route +.Ic metric +and +.Ic type +for each redistribute rule. +.Ic type +is either 1 or 2. +The default value for +.Ic type +is 1 and for +.Ic metric +is 100. +Setting more than one option needs curly brackets: +.Bd -literal -offset indent +redistribute static set { metric 300 type 2 } +.Ed +.Pp +The use of +.Ic redistribute Ar prefix | rtlabel +can result in higher CPU usage, since +.Xr ospfd 8 +will need to process more route updates. +.Pp +.It Xo +.Ic rfc1583compat +.Pq Ic yes Ns | Ns Ic no +.Xc +If set to +.Ic yes , +decisions regarding AS-external routes are evaluated according to RFC 2328. +The default is +.Ic no . +.Pp +.It Ic router-id Ar address +Set the router ID; if not specified, the numerically lowest IP address of +the router will be used. +.Pp +.It Ic rtlabel Ar label Ic external-tag Ar number +Map route labels to external route tags and vice versa. +The external route tag is a non-negative 32-bit number attached to +AS-external OSPF LSAs. +.Pp +.It Xo +.Ic spf-delay +.Po Ar seconds Ns | Ns +.Ic msec Ar milliseconds Pc +.Xc +Set the SPF delay. +The delay between receiving an update to the link +state database and starting the shortest path first calculation. +The default value is 1 second; valid range is 10 milliseconds\-10 seconds. +.Pp +.It Xo +.Ic spf-holdtime +.Po Ar seconds Ns | Ns +.Ic msec Ar milliseconds Pc +.Xc +Set the SPF holdtime. +The minimum time between two consecutive +shortest path first calculations. +The default value is 5 seconds; the valid range is 10 milliseconds\-5 seconds. +.Pp +.It Xo +.Ic stub router +.Pq Ic yes Ns | Ns Ic no +.Xc +If set to +.Ic yes , +all interfaces with active neighbors will have a metric of infinity. +This ensures that the other routers prefer routes around this router while +still being able to reach directly connected IP prefixes. +The +.Ic stub router +option is automatically enabled if either the +.Xr sysctl 8 +variable +.Va net.inet.ip.forwarding +is set to a value other than 1 or if the FIB is not coupled. +.El +.Ss Areas +Areas are used for grouping interfaces. +All interface-specific parameters can +be configured per area, overruling the global settings. +These interface-specific parameters need to be defined before the interfaces. +.Bl -tag -width Ds +.It Ic area Ar id | address +Specify an area section, grouping one or more interfaces. +.Bd -literal -offset indent +area 0.0.0.0 { + hello-interval 3 + interface em0 + interface em1 { + metric 10 + } +} +.Ed +.El +.Pp +Area specific parameters are listed below. +.Bl -tag -width Ds +.It Ic demote Ar group Op Ar count +Increase the +.Xr carp 4 +demotion counter by +.Ar count +on the given interface group, usually +.Ar carp , +when no neighbor in the area is in an active state. +The demotion counter will be decreased when one neighbor in that +area is in an active state. +The default value for +.Ar count +is 1. +.Pp +For more information on interface groups, +see the +.Ic group +keyword in +.Xr ifconfig 8 . +.It Xo +.Ic stub +.Op Ic redistribute default +.Op Ic set ... +.Xc +Mark the area as +.Ar stub . +Stub areas will not be flooded by as-ext LSA, resulting in smaller routing +tables. +Area border routers should redistribute a default network LSA; this can be +enabled by specifying the default redistribute option. +A default summary LSA will only be redistributed if the router has an active +connection to the backbone area 0.0.0.0. +.El +.Ss Interfaces +Each interface can have several parameters configured individually, otherwise +they are inherited. +An interface is specified by its name. +If multiple networks are configured, an additional IP address can be supplied. +By default the first IP address is used. +.Bd -literal -offset indent +interface em0 { + auth-type crypt + auth-md 1 "yotVoo_Heypp" + auth-md-keyid 1 +} +interface fxp0:192.168.1.3 +.Ed +.Pp +Interface-specific parameters are listed below. +.Bl -tag -width Ds +.It Ic auth-key Ar key +Set the authentication key for +.Ic simple +authentication. +Up to 8 characters can be specified. +.It Ic auth-md Ar key-id key +Set the authentication +.Ar key-id +and +.Ar key +for +.Ic crypt +authentication. +The valid range for +.Ar key-id +is 0\-255. +Up to 16 characters can be specified for +.Ar key . +Multiple keys may be specified. +.It Ic auth-md-keyid Ar key-id +Configure the +.Ar key-id +to use for +.Ic crypt +authentication. +The valid range for +.Ar key-id +is 0\-255. +The default key-id is 1. +While key-id 0 is valid, it is unavailable on various other implementations. +.It Xo +.Ic auth-type +.Po Ic none Ns | Ns +.Ic simple Ns | Ns Ic crypt Pc +.Xc +Set the authentication type. +The default is +.Ic none . +Simple authentication uses a plaintext password, up to 8 characters. +Crypt authentication uses an MD5 hash. +.It Ic demote Ar group +Increase the +.Xr carp 4 +demotion counter by 1 on the given interface group, usually +.Ar carp , +when the interface state is going down. +The demotion counter will be decreased when the interface +state is active again. +.It Ic depend on Ar interface +A metric of 65535 is used if the specified interface is down or in status +backup. +.It Ic fast-hello-interval msec Ar milliseconds +If the interface is configured to use +.Ic router-dead-time minimal , +hello packets will be sent using this timer. +The default value is 333; valid range is 50\-333 milliseconds. +.It Ic hello-interval Ar seconds +Set the hello interval. +The default value is 10; valid range is 1\-65535 seconds. +.It Ic metric Ar cost +Set the interface metric a.k.a. cost. +The default value is 10; valid range is 1\-65535. +A metric of 65535 is used for +.Xr carp 4 +interfaces with status backup. +.It Ic passive +Prevent transmission and reception of OSPF packets on this interface. +The specified interface will be announced as a stub network. +Passive mode is enforced for +.Xr carp 4 +interfaces. +.It Ic retransmit-interval Ar seconds +Set retransmit interval. +The default value is 5 seconds; valid range is 5\-3600 seconds. +.It Xo +.Ic router-dead-time +.Pq Ar seconds Ns | Ns Ic minimal +.Xc +Set the router dead time, a.k.a. neighbor inactivity timer. +The default value is 40 seconds; valid range is 2\-2147483647 seconds. +If the router dead time has been set to +.Ic minimal , +the timer is set to 1 second and hello packets are sent using the interval +specified by +.Ic fast-hello-interval . +When a neighbor has been +inactive for router-dead-time, its state is set to DOWN. +Neighbors +that have been inactive for more than 24 hours are completely removed. +.It Ic router-priority Ar priority +Set the router priority. +The default value is 1; valid range is 0\-255. +If set +to 0, the router is not eligible as a Designated Router or Backup Designated +Router. +.It Ic transmit-delay Ar seconds +Set the transmit delay. +The default value is 1; valid range is 1\-3600 seconds. +.It Ic type p2p +Set the interface type to point to point. +This disables the election of a DR and BDR for the given interface. +.El +.Sh FILES +.Bl -tag -width /etc/examples/ospfd.conf -compact +.It Pa /etc/ospfd.conf +.Xr ospfd 8 +configuration file. +.It Pa /etc/examples/ospfd.conf +Example configuration file. +.El +.Sh SEE ALSO +.Xr ospfctl 8 , +.Xr ospfd 8 , +.Xr rc.conf.local 8 +.Sh HISTORY +The +.Nm +file format first appeared in +.Ox 3.7 . diff --git a/static/openbsd/man5/package.5 b/static/openbsd/man5/package.5 new file mode 100644 index 00000000..8d11e1d7 --- /dev/null +++ b/static/openbsd/man5/package.5 @@ -0,0 +1,303 @@ +.\" $OpenBSD: package.5,v 1.33 2023/11/29 14:32:01 espie Exp $ +.\" Copyright (c) 2005-2006 Marc Espie <espie@openbsd.org> +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.Dd $Mdocdate: November 29 2023 $ +.Dt PACKAGE 5 +.Os +.Sh NAME +.Nm package , +.Nm packing-list , +.Nm plist +.Nd format for OpenBSD binary packages and packing-lists +.Sh DESCRIPTION +Binary packages for +.Ox +can be created using +.Xr pkg_create 1 +and are usually manipulated using +.Xr pkg_add 1 , +.Xr pkg_mklocatedb 1 , +or +.Xr pkg_info 1 . +.Pp +The basic underlying format is an archive following the ustar specification +that can be handled with +.Xr tar 1 +and compressed using +.Xr gzip 1 . +.Pp +Package names always end in +.Dq .tgz ; +the file name itself should conform to +.Xr packages-specs 7 . +.Pp +Note that the base distribution tarballs of +.Ox +(e.g.\& +.Pa baseXX.tgz , +.Pa compXX.tgz , +\&...) are not binary packages fit for +.Xr pkg_add 1 . +.Pp +All types of archive contents can be present in a package, +including files, directories, hardlinks, symlinks, fifos, block and character +devices. +.Pp +In order to allow just-in-time extraction, +packages always begin with a table of contents, named +.Pa +CONTENTS , +nicknamed +.Nm packing-list +.Po +.Nm plist +for short +.Pc . +This table of contents can be read using the API described in +.Xr OpenBSD::PackingList 3p . +.Pp +All the remaining information in the archive should be referenced in the +.Nm packing-list , +including symlinks destinations, +special permissions, and file owners +.Po +.Xr pkg_create 1 +and +.Xr pkg_add 1 +actually enforce this +.Pc . +See +.Xr pkg_create 1 +for annotation details. +.Pp +This table of contents is always followed by a few special files, some of +which are optional: the package description (+DESC), +a display message (+DISPLAY), etc. +.Pp +The basic ustar format has some limitations with respect to file names. +Packages now use the +.Qq extended record specification +(header type x) +for long links and long file names. +Other extended ustar headers are currently recognized, but not supported. +.Pp +Starting with +.Ox 5.5 , +the compressed archive may be composed of several +.Xr gzip 1 +archives concatenated together. +.Xr gzip 1 +doesn't mind, and +.Xr tar 1 +is happy as long as the uncompressed stream is sane. +This allows for faster signing and better rsync properties. +.Pp +Starting with +.Ox 5.6 , +tarballs are stored +.Qq out-of-order : +each archive entry will match an entry in the +.Nm packing-list +(and all file-like entries will be matched), but the order will be adjusted +so that most recently changed files come first, in order to allow +faster updates. +.Pp +Starting with +.Ox 5.7 , +by default, timestamps are stored directly in the +.Nm packing-list +as +.Cm @ts +annotations. +The files in the archive will have a null timestamp. +.Pp +The combination of the LRU archive order, null timestamps and compression +in fixed chunks starting from the end, means a substantial amount of data +doesn't change from snapshot to snapshot, thus reducing the pressure on +mirroring bandwidth. +.Sh PACKING LIST ANNOTATIONS +User annotations are described in +.Xr pkg_create 1 . +The following annotations are automatically inserted during package creation +and installation: +.Pp +.Bl -tag -width Ds -compact +.It Cm @arch Ar arches +List of architectures for which this package is intended. +This corresponds to +.Fl A Ar arches +of +.Xr pkg_create 1 +.Pp +.It Cm @comment pkgpath=path ftp=yes/no +Historical accident. +This specific comment encodes the actual +.Fl D Ar FULLPKGPATH , +and +.Fl D Ar FTP +arguments to +.Xr pkg_create 1 . +.Pp +.It Xo +.Cm @depend +.Sm off +.Ar pkgpath : +.Ar pkgspec : +.Ar default +.Sm on +.Xc +Record a dependency declared using the option +.Fl P +of +.Xr pkg_create 1 . +.Pp +.It Xo +.Cm @digital-signature +.Sm off +.Ar signify2 : +.Ar date : +.Ar external +.Sm on +.Xc +Record the date of signature of a package, synthesized by +.Xr pkg_add 1 +from +.Xr signify 1 +output. +.Pp +.It Cm @link Ar name +Added after a file entry by +.Nm +to record that the entry is actually a hard link. +.Pp +.It Cm @localbase Ar base +Used internally to record the settings of +.Fl L +option. +.Pp +.It Cm @name Ar pkgname +Set the name of the package. +This name is potentially different than the name of +the file it came in, and is used when keeping track of the package +for later deinstallation. +.Xr pkg_create 1 +will derive this field from the package file name. +.Pp +.It Cm @option Ar name +Some options are automatically inserted/modified by the package tools: +.Bl -tag -width indent +.It Ar always-update +.Xr pkg_create 1 +will complete the option line with a sha256 digest of the whole +.Nm packing-list +encoded in base64. +.It Ar firmware +Set by +.Xr fw_update 8 +to trigger firmware-specific handling. +In particular, firmware is hidden from normal updates. +.It Ar manual-installation +Record that a package has been explicitly installed by the user, +and not as a result of a dependency look-up. +Refer to +.Xr pkg_add 1 Ns 's +.Fl a +option for details. +.El +.Pp +.It Cm @sha +Added after a file entry by +.Xr pkg_create 1 +to record the files's cryptographic checksum, +as a sha256 digest encoded in base64. +.Pp +.It Cm @signer +Record the signing key for a package, synthesized by +.Xr pkg_add 1 +from +.Xr signify 1 +output. +.Pp +.It Cm @size +Added after a file entry by +.Xr pkg_create 1 +to record a file size. +.Pp +.It Cm @symlink Ar name +Added after a file entry by +.Xr pkg_create 1 +to record that the entry is actually a symbolic link. +.Pp +.It Cm @url +Original location of the package, synthesized by +.Xr pkg_add 1 +during installation. +.Pp +.It Cm @ts Ar timestamp +Added after a file entry to record the actual file timestamp, instead +of storing it as tarball meta-info. +The package tools read and process that annotation correctly, whereas +.Xr tar 1 +will only see files dated from the epoch. +.Pp +.It Cm @version Ar number +Record a global (system) version number for the package. +This is built adding together +.Fl V +options from +.Xr pkg_create 1 , +and triggers updates when it changes. +.Pp +.It Cm @wantlib Ar libspec +Record a library requirement declared using the option +.Fl W +of +.Xr pkg_create 1 . +.El +.Pp +Note that most of these annotations cannot be added manually, as +.Xr pkg_create 1 +will error out. +.Sh PACKAGE SIGNATURES +All information within a package is checksummed, using SHA256 since +.Ox 4.4 . +During creation and installation, meta-information, such as file owners and +permissions, are also checked: any important stuff that isn't recorded +in the +.Nm packing-list +is an error. +.Pp +Starting with +.Ox 6.1 , +.Xr signify 1 +.Fl zS +.Xr gzip 1 +header signatures are the only supported format. +This allows for +.Sq just-in-time +signature checking, as the binary data is checked in 64K bytes long chunks. +.Sh SEE ALSO +.Xr pkg_add 1 , +.Xr pkg_create 1 , +.Xr pkg_info 1 , +.Xr pkg_sign 1 , +.Xr packages 7 , +.Xr packages-specs 7 +.Sh STANDARDS +Packages are valid gzip'ed ustar archives that can be extracted using +.Xr tar 1 . +In particular, hardlink names should be valid, and all items will +extract to different names. +However, it may be a bit difficult to make sense of the package contents +without peeking at the +.Nm packing-list . diff --git a/static/openbsd/man5/pcap-filter.5 b/static/openbsd/man5/pcap-filter.5 new file mode 100644 index 00000000..dc39a259 --- /dev/null +++ b/static/openbsd/man5/pcap-filter.5 @@ -0,0 +1,1053 @@ +.\" $OpenBSD: pcap-filter.5,v 1.13 2024/02/26 06:49:38 jmc Exp $ +.\" +.\" Copyright (c) 1987, 1988, 1989, 1990, 1991, 1992, 1994, 1995, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.Dd $Mdocdate: February 26 2024 $ +.Dt PCAP-FILTER 5 +.Os +.Sh NAME +.Nm pcap-filter +.Nd packet filter syntax +.Sh DESCRIPTION +.Xr pcap_compile 3 +compiles pcap filters for software such as +.Xr tcpdump 8 . +The resulting filter program can then be applied to +some stream of packets to determine which packets will be supplied to +.Xr pcap_loop 3 , +.Xr pcap_dispatch 3 , +.Xr pcap_next 3 , +or +.Xr pcap_next_ex 3 . +.Pp +The filter expression consists of one or more +.Em primitives . +Primitives usually consist of an +.Ar id +.Pq name or number +preceded by one or more qualifiers. +There are three different kinds of qualifier: +.Bl -tag -width "proto" +.It Ar type +Specify which kind of address component the +.Ar id +name or number refers to. +Possible types are +.Cm host , +.Cm net +and +.Cm port . +E.g., +.Dq host foo , +.Dq net 128.3 , +.Dq port 20 . +If there is no type qualifier, +.Cm host +is assumed. +.It Ar dir +Specify a particular transfer direction to and/or from +.Ar id . +Possible directions are +.Cm src , +.Cm dst , +.Cm src or dst , +.Cm src and dst , +.Cm ra , +.Cm ta , +.Cm addr1 , +.Cm addr2 , +.Cm addr3 , +and +.Cm addr4 . +E.g., +.Dq src foo , +.Dq dst net 128.3 , +.Dq src or dst port ftp-data . +If there is no +.Ar dir +qualifier, +.Cm src or dst +is assumed. +The +.Cm ra , +.Cm ta , +.Cm addr1 , +.Cm addr2 , +.Cm addr3 , +and +.Cm addr4 +qualifiers are only valid for IEEE 802.11 Wireless LAN link layers. +For null link layers (i.e., point-to-point protocols such as SLIP +.Pq Serial Line Internet Protocol +or the +.Xr pflog 4 +header), the +.Cm inbound +and +.Cm outbound +qualifiers can be used to specify a desired direction. +.It Ar proto +Restrict the match to a particular protocol. +Possible protocols are: +.Cm ah , +.Cm arp , +.Cm atalk , +.Cm decnet , +.Cm esp , +.Cm ether , +.Cm fddi , +.Cm icmp , +.Cm icmp6 , +.Cm igmp , +.Cm igrp , +.Cm ip , +.Cm ip6 , +.Cm lat , +.Cm mopdl , +.Cm moprc , +.Cm pim , +.Cm rarp , +.Cm sca , +.Cm stp , +.Cm tcp , +.Cm udp , +and +.Cm wlan . +E.g., +.Dq ether src foo , +.Dq arp net 128.3 , +.Dq tcp port 21 , +and +.Dq wlan addr2 0:2:3:4:5:6 . +If there is no protocol qualifier, +all protocols consistent with the type are assumed. +E.g., +.Dq src foo +means +.Do +.Pq ip or arp or rarp +src foo +.Dc +.Pq except the latter is not legal syntax ; +.Dq net bar +means +.Do +.Pq ip or arp or rarp +net bar +.Dc ; +and +.Dq port 53 +means +.Do +.Pq TCP or UDP +port 53 +.Dc . +.Pp +.Cm fddi +is actually an alias for +.Cm ether ; +the parser treats them identically as meaning +.Qo +the data link level used on the specified network interface +.Qc . +FDDI +.Pq Fiber Distributed Data Interface +headers contain Ethernet-like source and destination addresses, +and often contain Ethernet-like packet types, +so it's possible to filter these FDDI fields just as with the analogous +Ethernet fields. +FDDI headers also contain other fields, +but they cannot be named explicitly in a filter expression. +.Pp +Similarly, +.Cm tr +and +.Cm wlan +are aliases for +.Cm ether ; +the previous paragraph's statements about FDDI headers also apply to Token Ring +and 802.11 wireless LAN headers. +For 802.11 headers, the destination address is the DA field +and the source address is the SA field; +the BSSID, RA, and TA fields aren't tested. +.El +.Pp +In addition to the above, there are some special primitive +keywords that don't follow the pattern: +.Cm gateway , +.Cm broadcast , +.Cm less , +.Cm greater , +and arithmetic expressions. +All of these are described below. +.Pp +More complex filter expressions are built up by using the words +.Cm and , +.Cm or , +and +.Cm not +to combine primitives +e.g., +.Do +host foo and not port ftp and not port ftp-data +.Dc . +To save typing, identical qualifier lists can be omitted +e.g., +.Dq tcp dst port ftp or ftp-data or domain +is exactly the same as +.Do +tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain +.Dc . +.Pp +Allowable primitives are: +.Bl -tag -width "ether proto proto" +.It Cm dst host Ar host +True if the IPv4/v6 destination field of the packet is +.Ar host , +which may be either an address or a name. +.It Cm src host Ar host +True if the IPv4/v6 source field of the packet is +.Ar host . +.It Cm host Ar host +True if either the IPv4/v6 source or destination of the packet is +.Ar host . +.Pp +Any of the above +.Ar host +expressions can be prepended with the keywords, +.Cm ip , arp , rarp , +or +.Cm ip6 , +as in: +.Pp +.D1 Cm ip host Ar host +.Pp +which is equivalent to: +.Bd -ragged -offset indent +.Cm ether proto +.Ar ip +.Cm and host +.Ar host +.Ed +.Pp +If +.Ar host +is a name with multiple IP addresses, each address will be checked for a match. +.It Cm ether dst Ar ehost +True if the Ethernet destination address is +.Ar ehost . +.Ar ehost +may be either a name from +.Pa /etc/ethers +or a number (see +.Xr ether_aton 3 +for a numeric format). +.It Cm ether src Ar ehost +True if the Ethernet source address is +.Ar ehost . +.It Cm ether host Ar ehost +True if either the Ethernet source or destination address is +.Ar ehost . +.It Cm gateway Ar host +True if the packet used +.Ar host +as a gateway; i.e., the Ethernet source or destination address was +.Ar host +but neither the IP source nor the IP destination was +.Ar host . +.Ar host +must be a name and must be found both by the machine's +host-name-to-IP-address resolution mechanisms (host name file, DNS, NIS, +etc.) and by the machine's host-name-to-Ethernet-address resolution mechanism +(such as +.Pa /etc/ethers ) . +An equivalent expression is: +.Bd -ragged -offset indent +.Cm ether host +.Ar ehost +.Cm and not host +.Ar host +.Ed +.Pp +which can be used with either names or numbers for host/ehost. +This syntax does not work in an IPv6-enabled configuration at this moment. +.It Cm dst net Ar net +True if the IPv4/v6 destination address of the packet has a network +number of +.Ar net , +which may be either a name from the networks database +(such as +.Pa /etc/networks ) +or a network number. +An IPv4 network number can be written as a dotted quad (e.g. 192.168.1.0), +dotted triple (e.g. 192.168.1), dotted pair (e.g 172.16), +or single number (e.g. 10); +the netmask is 255.255.255.255 for a dotted quad +(which means that it's really a host match), +255.255.255.0 for a dotted triple, 255.255.0.0 for a dotted pair, +or 255.0.0.0 for a single number. +An IPv6 network number must be written out fully; +the netmask is ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, +so IPv6 "network" matches are really always host matches, +and a network match requires a netmask length. +.It Cm src net Ar net +True if the IPv4/v6 source address of the packet has a network number of +.Ar net . +.It Cm net Ar net +True if either the IPv4/v6 source or destination address of the packet +has a network number of +.Ar net . +.It Cm net Ar net Cm mask Ar netmask +True if the IPv4 address matches +.Ar net +with the specific +.Ar netmask . +May be qualified with +.Cm src +or +.Cm dst . +Note that this syntax is not valid for IPv6 networks. +.It Cm net Ar net Ns / Ns Ar len +True if the IPv4/v6 address matches +.Ar net +with a netmask +.Ar len +bits wide. +May be qualified with +.Cm src +or +.Cm dst . +.It Cm dst port Ar port +True if the packet is IP/TCP, IP/UDP, IP6/TCP or IP6/UDP +and has a destination port value of +.Ar port . +The +.Ar port +can be a number or a name used in +.Pa /etc/services +(see +.Xr tcp 4 +and +.Xr udp 4 ) . +If a name is used, both the port number and protocol are checked. +If a number or ambiguous name is used, +only the port number is checked (e.g.\& +.Dq dst port 513 +will print both +TCP/login traffic and UDP/who traffic, and +.Dq port domain +will print both TCP/domain and UDP/domain traffic). +.It Cm src port Ar port +True if the packet has a source port value of +.Ar port . +.It Cm port Ar port +True if either the source or destination port of the packet is +.Ar port . +.Pp +Any of the above port expressions can be prepended with the keywords +.Cm tcp +or +.Cm udp , +as in: +.Pp +.D1 Cm tcp src port Ar port +.Pp +which matches only TCP packets whose source port is +.Ar port . +.It Cm less Ar length +True if the packet has a length less than or equal to +.Ar length . +This is equivalent to: +.Pp +.D1 Cm len <= Ar length +.It Cm greater Ar length +True if the packet has a length greater than or equal to +.Ar length . +This is equivalent to: +.Pp +.D1 Cm len >= Ar length +.It Cm sample Ar samplerate +True if the packet has been randomly selected or sampled at a rate of 1 per +.Ar samplerate . +.It Cm ip proto Ar protocol +True if the packet is an IPv4 packet (see +.Xr ip 4 ) +of protocol type +.Ar protocol . +.Ar protocol +can be a number, or one of the names from +.Xr protocols 5 , +such as +.Cm icmp , +.Cm icmp6 , +.Cm igmp , +.Cm igrp , +.Cm pim , +.Cm ah , +.Cm esp , +.Cm vrrp , +.Cm udp , +or +.Cm tcp . +Note that the identifiers +.Cm tcp , +.Cm udp , +and +.Cm icmp +are also keywords and must be escaped using a backslash character +.Pq \e . +Note that this primitive does not chase the protocol header chain. +.It Cm ip6 proto Ar protocol +True if the packet is an IPv6 packet of protocol type +.Ar protocol . +Note that this primitive does not chase the protocol header chain. +.It Cm ether broadcast +True if the packet is an Ethernet broadcast packet. +The +.Cm ether +keyword is optional. +.It Cm ip broadcast +True if the packet is an IPv4 broadcast packet. +It checks for both the all-zeroes and all-ones broadcast conventions, +and looks up the subnet mask on the interface on which the capture is +being done. +.Pp +If the subnet mask of the interface on which the capture is being done +is not known, a value of PCAP_NETMASK_UNKNOWN can be supplied; +tests for IPv4 broadcast addresses will fail to compile, +but all other tests in the filter program will be OK. +.It Cm ether multicast +True if the packet is an Ethernet multicast packet. +The +.Cm ether +keyword is optional. +This is shorthand for +.Dq ether[0] & 1 != 0 . +.It Cm ip multicast +True if the packet is an IPv4 multicast packet. +.It Cm ip6 multicast +True if the packet is an IPv6 multicast packet. +.It Cm ether proto Ar protocol +True if the packet is of ether type +.Ar protocol . +.Ar protocol +can be a number, or one of the names +.Cm ip , +.Cm ip6 , +.Cm arp , +.Cm rarp , +.Cm atalk , +.Cm atalkarp , +.Cm decnet , +.Cm decdts , +.Cm decdns , +.Cm lanbridge , +.Cm lat , +.Cm mopdl , +.Cm moprc , +.Cm pup , +.Cm sca , +.Cm sprite , +.Cm stp , +.Cm vexp , +.Cm vprod , +or +.Cm xns . +These identifiers are also keywords and must be escaped +using a backslash character +.Pq Sq \e . +.Pp +In the case of FDDI (e.g., +.Dq fddi protocol arp ) , +and IEEE 802.11 wireless LANs (such as +.Dq wlan protocol arp ) , +for most of those protocols +the protocol identification comes from the 802.2 Logical Link Control +.Pq LLC +header, which is usually layered on top of the FDDI or 802.11 header. +.Pp +When filtering for most protocol identifiers on FDDI or 802.11, +the filter checks only the protocol ID field of an LLC header +in so-called SNAP format with an Organizational Unit Identifier (OUI) of +0x000000, for encapsulated Ethernet; it doesn't check whether the packet +is in SNAP format with an OUI of 0x000000. +The exceptions are: +.Bl -tag -width "atalk" +.It iso +The filter checks the DSAP (Destination Service Access Point) and +SSAP (Source Service Access Point) fields of the LLC header. +.It stp +The filter checks the DSAP of the LLC header. +.It atalk +The filter checks for a SNAP-format packet with an OUI of 0x080007 +and the AppleTalk etype. +.El +.Pp +In the case of Ethernet, the filter checks the Ethernet type field +for most of those protocols. +The exceptions are: +.Bl -tag -width "iso and stp" +.It iso and stp +The filter checks for an 802.3 frame and then checks the LLC header as +it does for FDDI and 802.11. +.It atalk +The filter checks both for the AppleTalk etype in an Ethernet frame and +for a SNAP-format packet as it does for FDDI, Token Ring, and 802.11. +.El +.It Cm decnet src Ar host +True if the DECNET source address is +.Ar host , +which may be an address of the form +.Dq 10.123 , +or a DECNET host name. +DECNET host name support is only available on systems that are +configured to run DECNET. +.It Cm decnet dst Ar host +True if the DECNET destination address is +.Ar host . +.It Cm decnet host Ar host +True if either the DECNET source or destination address is +.Ar host . +.It Cm ifname Ar interface +True if the packet was logged as coming from the specified interface +(applies only to packets logged by +.Xr pf 4 ) . +.It Cm on Ar interface +Synonymous with the +.Cm ifname +modifier. +.It Cm rnr Ar num +True if the packet was logged as matching the specified PF rule number +in the main ruleset (applies only to packets logged by +.Xr pf 4 ) . +.It Cm rulenum Ar num +Synonymous with the +.Cm rnr +modifier. +.It Cm reason Ar code +True if the packet was logged with the specified PF reason code. +Known codes are: +.Cm match , +.Cm bad-offset , +.Cm fragment , +.Cm short , +.Cm normalize , +.Cm memory , +.Cm bad-timestamp , +.Cm congestion , +.Cm ip-option , +.Cm proto-cksum , +.Cm state-mismatch , +.Cm state-insert , +.Cm state-limit , +.Cm src-limit , +and +.Cm synproxy +(applies only to packets logged by +.Xr pf 4 ) . +.It Cm rset Ar name +True if the packet was logged as matching the specified PF ruleset +name of an anchored ruleset (applies only to packets logged by +.Xr pf 4 ) . +.It Cm ruleset Ar name +Synonymous with the +.Cm rset +modifier. +.It Cm srnr Ar num +True if the packet was logged as matching the specified PF rule number +of an anchored ruleset (applies only to packets logged by +.Xr pf 4 ) . +.It Cm subrulenum Ar num +Synonymous with the +.Cm srnr +modifier. +.It Cm action Ar act +True if PF took the specified action when the packet was logged. +Known actions are: +.Cm pass +and +.Cm block , +.Cm nat , +.Cm rdr , +.Cm binat , +.Cm match +and +.Cm scrub +(applies only to packets logged by +.Xr pf 4 ) . +.It Cm ip , ip6 , arp , rarp , atalk , decnet , iso , stp +Abbreviations for +.Cm ether proto Ar p , +where +.Ar p +is one of the above protocols. +.It Cm lat , moprc , mopdl +Abbreviations for +.Cm ether proto Ar p , +where +.Ar p +is one of the above protocols. +Note that not all applications using +.Xr pcap_open_live 3 +currently know how to parse these protocols (ie. +.Xr tcpdump 8 ) . +.It Xo +.Cm ah , +.Cm esp , +.Cm icmp , +.Cm icmp6 , +.Cm igmp , +.Cm igrp , +.Cm pim , +.Cm tcp , +.Cm udp +.Xc +Abbreviations for +.Cm ip proto Ar p +or +.Cm ip6 proto Ar p , +where +.Ar p +is one of the above protocols. +.It Cm wlan addr1 Ar ehost +True if the first IEEE 802.11 address is +.Ar ehost . +.It Cm wlan addr2 Ar ehost +True if the second IEEE 802.11 address is +.Ar ehost . +.It Cm wlan addr3 Ar ehost +True if the third IEEE 802.11 address is +.Ar ehost . +.It Cm wlan addr4 Ar ehost +True if the fourth IEEE 802.11 address is +.Ar ehost . +The fourth address field is only used for +WDS (Wireless Distribution System) frames. +.It Cm wlan host Ar ehost +True if either the first, second, third, or fourth +IEEE 802.11 address is +.Ar ehost . +.It Cm type Ar wlan_type +True if the IEEE 802.11 frame type matches the specified +.Ar wlan_type . +Valid types are: +.Cm mgt , +.Cm ctl , +.Cm data , +or a numeric value. +.It Cm type Ar wlan_type Cm subtype Ar wlan_subtype +True if the IEEE 802.11 frame type matches the specified +.Ar wlan_type +and frame subtype matches the specified +.Ar wlan_subtype . +.Pp +If the specified +.Ar wlan_type +is +.Cm mgt , +then valid values for +.Ar wlan_subtype +are +.Cm assoc-req , +.Cm assoc-resp , +.Cm reassoc-req , +.Cm reassoc-resp , +.Cm probe-req , +.Cm probe-resp , +.Cm beacon , +.Cm atim , +.Cm disassoc , +.Cm auth , +and +.Cm deauth . +.Pp +If the specified +.Ar wlan_type +is +.Cm ctl , +then valid values for +.Ar wlan_subtype +are +.Cm ps-poll , +.Cm rts , +.Cm cts , +.Cm ack , +.Cm cf-end , +and +.Cm cf-end-ack . +.Pp +If the specified +.Ar wlan_type +is +.Cm data , +then valid values for +.Ar wlan_subtype +are +.Cm data , +.Cm data-cf-ack , +.Cm data-cf-poll , +.Cm data-cf-ack-poll , +.Cm null , +.Cm cf-ack , +.Cm cf-poll , +.Cm cf-ack-poll , +.Cm qos-data , +.Cm qos-data-cf-ack , +.Cm qos-data-cf-poll , +.Cm qos-data-cf-ack-poll , +.Cm qos , +.Cm qos-cf-poll , +and +.Cm qos-cf-ack-poll . +.It Cm subtype Ar wlan_subtype +True if the IEEE 802.11 frame subtype matches the specified +.Ar wlan_subtype +and frame has the type to which the specified +.Ar wlan_subtype +belongs. +.It Cm dir Ar dir +True if the IEEE 802.11 frame direction matches the specified +.Cm dir . +Valid directions are: +.Cm nods , +.Cm tods , +.Cm fromds , +.Cm dstods , +or a numeric value. +.It Cm vlan Op Ar vlan_id +True if the packet is an IEEE 802.1Q VLAN packet. +If +.Ar vlan_id +is specified, only true if the packet has the specified ID. +Note that the first +.Cm vlan +keyword encountered in +.Ar expression +changes the decoding offsets for the remainder of +.Ar expression +on the assumption that the packet is a VLAN packet. +This expression may be used more than once, to filter on VLAN hierarchies. +Each use of that expression increments the filter offsets by 4. +.Pp +For example, +to filter on VLAN 200 encapsulated within VLAN 100: +.Pp +.Dl vlan 100 && vlan 200 +.Pp +To filter IPv4 protocols encapsulated in VLAN 300 encapsulated within any +higher order VLAN: +.Pp +.Dl vlan && vlan 300 && ip +.It Cm mpls Op Ar label +True if the packet is an MPLS (Multi-Protocol Label Switching) packet. +If +.Ar label +is specified, only true if the packet has the specified label. +Note that the first +.Cm mpls +keyword encountered in +.Ar expression +changes the decoding offsets for the remainder of +.Ar expression +on the assumption that the packet is an MPLS packet. +This expression may be used more than once, to filter on MPLS labels. +Each use of that expression increments the filter offsets by 4. +.Pp +For example, +to filter on MPLS label 42 first and requires the next label to be 12: +.Pp +.Dl mpls 42 && mpls 12 +.Pp +To filter on network 192.0.2.0/24 transported inside packets with label 42: +.Pp +.Dl mpls 42 && net 192.0.2.0/24 +.It Ar expr relop expr +True if the relation holds, where +.Ar relop +is one of +.Sq > , +.Sq < , +.Sq >= , +.Sq <= , +.Sq = , +.Sq != , +and +.Ar expr +is an arithmetic expression composed of integer constants +(expressed in standard C syntax), the normal binary operators +.Pf ( Sq + , +.Sq - , +.Sq * , +.Sq / , +.Sq & , +.Sq | , +.Sq << , +.Sq >> ) , +a length operator, a random operator, and special packet data accessors. +Note that all comparisons are unsigned, so that, for example, +0x80000000 and 0xffffffff are > 0. +To access data inside the packet, use the following syntax: +.Pp +.D1 Ar proto Ns Op Ar expr : Ns Ar size +.Pp +.Ar proto +is one of +.Cm ether , +.Cm fddi , +.Cm tr , +.Cm wlan , +.Cm ppp , +.Cm slip , +.Cm link , +.Cm ip , +.Cm arp , +.Cm rarp , +.Cm tcp , +.Cm udp , +.Cm icmp , +.Cm ip6 , +or +.Cm radio , +and indicates the protocol layer for the index operation +.Pf ( Cm ether , +.Cm fddi , +.Cm wlan , +.Cm tr , +.Cm ppp , +.Cm slip , +and +.Cm link +all refer to the link layer; +.Cm radio +refers to the "radio header" added to some 802.11 captures). +Note that +.Cm tcp , +.Cm udp , +and other upper-layer protocol types only apply to IPv4, not IPv6 +(this will be fixed in the future). +The byte offset, relative to the indicated protocol layer, is given by +.Ar expr . +.Ar size +is optional and indicates the number of bytes in the field of interest; +it can be either one, two, or four, and defaults to one. +The length operator, indicated by the keyword +.Cm len , +gives the length of the packet. +The random operator, indicated by the keyword +.Cm random , +generates a random number. +.Pp +For example, +.Dq ether[0] & 1 != 0 +catches all multicast traffic. +The expression +.Dq ip[0] & 0xf != 5 +catches all IPv4 packets with options. +The expression +.Dq ip[6:2] & 0x1fff = 0 +catches only unfragmented IPv4 datagrams and frag zero of fragmented +IPv4 datagrams. +This check is implicitly applied to the +.Cm tcp +and +.Cm udp +index operations. +For instance, +.Dq tcp[0] +always means the first byte of the TCP header, +and never means the first byte of an intervening fragment. +.Pp +Some offsets and field values may be expressed as names rather than +as numeric values. +The following protocol header field offsets are available: +.Cm icmptype +(ICMP type field), +.Cm icmpcode +(ICMP code field), and +.Cm tcpflags +(TCP flags field). +.Pp +The following ICMP type field values are available: +.Cm icmp-echoreply , +.Cm icmp-unreach , +.Cm icmp-sourcequench , +.Cm icmp-redirect , +.Cm icmp-echo , +.Cm icmp-routeradvert , +.Cm icmp-routersolicit , +.Cm icmp-timxceed , +.Cm icmp-paramprob , +.Cm icmp-tstamp , +.Cm icmp-tstampreply , +.Cm icmp-ireq , +.Cm icmp-ireqreply , +.Cm icmp-maskreq , +.Cm and +.Cm icmp-maskreply . +.Pp +The following TCP flags field values are available: +.Cm tcp-fin , +.Cm tcp-syn , +.Cm tcp-rst , +.Cm tcp-push , +.Cm tcp-ack , +.Cm tcp-urg . +.El +.Pp +Primitives may be combined using +a parenthesized group of primitives and operators. +Parentheses are special to the shell and must be escaped. +Allowable primitives and operators are: +.Bd -ragged -offset indent +Negation +.Po +.Dq Cm \&! +or +.Dq Cm not +.Pc +.Pp +Concatenation +.Po +.Dq Cm && +or +.Dq Cm and +.Pc +.Pp +Alternation +.Po +.Dq Cm || +or +.Dq Cm or +.Pc +.Ed +.Pp +Negation has highest precedence. +Alternation and concatenation have equal precedence and associate +left to right. +Explicit +.Cm and +tokens, not juxtaposition, +are now required for concatenation. +.Pp +If an identifier is given without a keyword, the most recent keyword +is assumed. +For example, +.Bd -ragged -offset indent +.Cm not host +vs +.Cm and +ace +.Ed +.Pp +is short for +.Bd -ragged -offset indent +.Cm not host +vs +.Cm and host +ace +.Ed +.Pp +which should not be confused with +.Bd -ragged -offset indent +.Cm not +.Pq Cm host No vs Cm or No ace +.Ed +.Sh EXAMPLES +To select all packets arriving at or departing from +.Dq sundown : +.Pp +.Dl host sundown +.Pp +To select traffic between +.Dq helios +and either +.Dq hot +or +.Dq ace : +.Pp +.Dl host helios and \e( hot or ace \e) +.Pp +To select all IP packets between +.Dq ace +and any host except +.Dq helios : +.Pp +.Dl ip host ace and not helios +.Pp +To select all traffic between local hosts and hosts at Berkeley: +.Pp +.Dl net ucb-ether +.Pp +To select all FTP traffic through internet gateway +.Dq snup : +.Pp +.Dl gateway snup and (port ftp or ftp-data) +.Pp +To select traffic neither sourced from nor destined for local network +192.168.7.0/24 +(if you gateway to one other net, this stuff should never make it +onto your local net): +.Pp +.Dl ip and not net 192.168.7.0/24 +.Pp +To select the start and end packets (the SYN and FIN packets) of each +TCP connection that involves a host not in local network 192.168.7.0/24: +.Bd -literal -offset indent +tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst \e + net 192.168.7.0/24 +.Ed +.Pp +To select all IPv4 HTTP packets to and from port 80, i.e. print only +packets that contain data and not, for example, SYN and FIN packets and +ACK-only packets +(IPv6 is left as an exercise for the reader): +.Bd -literal -offset indent +tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) \e + - ((tcp[12]&0xf0)>>2)) != 0) +.Ed +.Pp +To select IP packets longer than 576 bytes sent through gateway +.Dq snup : +.Pp +.Dl gateway snup and ip[2:2] > 576 +.Pp +To select IP broadcast or multicast packets +that were not sent via Ethernet broadcast or multicast: +.Pp +.Dl ether[0] & 1 = 0 and ip[16] >= 224 +.Pp +To select all ICMP packets that are not echo requests/replies +(i.e. not ping packets): +.Pp +.Dl icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply +.Sh SEE ALSO +.Xr pcap_open_live 3 , +.Xr tcpdump 8 +.Sh AUTHORS +.An -nosplit +The original authors are +.An Van Jacobson , +.An Craig Leres , +and +.An Steven McCanne , +all of the +Lawrence Berkeley National Laboratory, University of California, Berkeley, CA. +.\" Fixes should be submitted to http://sourceforge.net/tracker/?group_id=53067 diff --git a/static/openbsd/man5/rad.conf.5 b/static/openbsd/man5/rad.conf.5 new file mode 100644 index 00000000..4110406c --- /dev/null +++ b/static/openbsd/man5/rad.conf.5 @@ -0,0 +1,242 @@ +.\" $OpenBSD: rad.conf.5,v 1.36 2026/02/26 07:17:50 florian Exp $ +.\" +.\" Copyright (c) 2018 Florian Obser <florian@openbsd.org> +.\" Copyright (c) 2005 Esben Norby <norby@openbsd.org> +.\" Copyright (c) 2004 Claudio Jeker <claudio@openbsd.org> +.\" Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> +.\" Copyright (c) 2002 Daniel Hartmeier <dhartmei@openbsd.org> +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: February 26 2026 $ +.Dt RAD.CONF 5 +.Os +.Sh NAME +.Nm rad.conf +.Nd router advertisement daemon configuration file +.Sh DESCRIPTION +The +.Xr rad 8 +daemon is an IPv6 router advertisement daemon. +.Pp +The +.Nm +config file is divided into the following main sections: +.Bl -tag -width xxxx +.It Sx Macros +Definitions of variables that can be used later, simplifying the +configuration file. +.It Sx Global configuration +Global settings for +.Xr rad 8 . +These are used as default values for +.Ic interface +definitions and can be overwritten in an +.Ic interface +block. +.It Sx Interfaces +.Xr rad 8 +sends IPv6 router advertisement messages. +This section defines on which interfaces to advertise prefix information +and their associated parameters. +.El +.Pp +Additional configuration files can be included with the +.Ic include +keyword. +.Ss Macros +A macro is defined with a command of the form +.Ar name Ns = Ns Ar value . +The macro +.Ar name +can contain letters, digits, and underscores and cannot be a reserved word +(for example, +.Ic interface ) . +Within unquoted arguments, the string +.Pf $ Ar name +is later expanded to +.Ar value . +.Ss Global configuration +The global configuration section sets defaults for router advertisement +messages. +These can be overwritten in interface blocks. +.Bl -tag -width Ds +.It Ic default router Pq Cm yes Ns | Ns Cm no +Act as a default router or not. +The default is +.Cm yes . +.It Ic dns Brq Ar option ... +Add a DNS router advertisement option +to communicate network provided nameservers. +In a +.Ic dns +block, a +.Cm search +option or at least one +.Cm nameserver +option is required, whereas specifying the +.Cm lifetime +is optional: +.Bl -tag -width Ds +.It Cm lifetime Ar seconds +The number of seconds the dns options are valid after receiving a router +advertisement message. +The default is 3600 seconds. +.It Cm nameserver Pq Ar address Ns | Ns Brq Ar address ... +IPv6 address or list of IPv6 addresses of DNS name servers. +.It Cm search Pq Ar domain Ns | Ns Brq Ar domain ... +Domain or list of domains for the +.Xr resolv.conf 5 +search list. +.El +.It Ic hop limit Ar hops +Specify the diameter of the internet. +The default is 0, meaning unspecified by this router. +.It Ic managed address configuration Pq Cm yes Ns | Ns Cm no +If set to +.Cm yes , +indicate that stateless address configuration prefixes are +not available and hosts should consult DHCPv6. +The default is +.Cm no . +.It Ic mtu Ar bytes +The MTU option is used in Router Advertisement messages to ensure that all +nodes on a link use the same MTU value in those cases where the link MTU +is not well known. +The default is 0, meaning unspecified by this router. +.It Ic nat64 prefix Ar prefix Op Brq Ar option ... +Add a PREF64 router advertisement option to communicate prefixes used +for Network Address and Protocol Translation from IPv6 to IPv4 (NAT64). +If +.Ar prefix +is specified without a prefix length, its default is 64. +.Pp +.Ic nat64 prefix +options are as follows: +.Bl -tag -width Ds +.It Cm lifetime Ar seconds +The number of seconds the nat64 prefix option is valid after receiving a router +advertisement message. +A value of zero indicates to not use the prefix anymore. +The maximum is 65528 seconds. +The default is 3600 seconds. +.El +.It Ic other configuration Pq Cm yes Ns | Ns Cm no +If set to +.Cm yes , +hosts should consult DHCPv6 for additional configuration +like NTP servers or DNS name servers. +The default is +.Cm no . +.It Ic router lifetime Ar seconds +The number of seconds this router is a valid default router after receiving +a router advertisement message. +The default is 3600 seconds. +.It Ic router preference Pq Cm high Ns | Ns Cm medium Ns | Ns Cm low +Indicate whether to prefer this router over other default routers. +The default is +.Cm medium . +.It Ic reachable time Ar number +The time, in milliseconds, that a node assumes a neighbor is reachable. +The default is 0, meaning unspecified by this router. +This option is ignored by +.Xr slaacd 8 +and cannot be set on +.Ox +IPv6 hosts. +.It Ic retrans timer Ar number +The time, in milliseconds, between retransmitted Neighbor Solicitation messages. +The default is 0, meaning unspecified by this router. +This option is ignored by +.Xr slaacd 8 +and cannot be set on +.Ox +IPv6 hosts. +.It Ic source link-layer address Pq Cm yes Ns | Ns Cm no +Add a source link-layer address option to router advertisement messages, to +communicate the link-layer address of the sending interface. +The default is +.Cm yes . +.El +.Ss Interfaces +This section contains a list of interfaces or interface groups +to send advertisements on. +At least one +.Ic interface +is required. +.Bl -tag -width Ds +.It Ic interface Ar name Op Brq Ar prefix ... +Options set in the global section can be overwritten inside an interface +block. +In addition an interface block can contain a list of prefixes: +.Pp +.Bl -tag -width Ds -compact +.It Oo Cm no Oc Ic auto prefix Op Brq Ar option ... +.It Ic prefix Ar prefix Op Brq Ar option ... +The default is to discover prefixes to announce by inspecting the IPv6 +addresses configured on an interface. +This can be disabled with +.Cm no Ic auto prefix . +If +.Ar prefix +is specified without a prefix length, its default is 64. +.Pp +.Ic prefix +options are as follows: +.Bl -tag -width Ds +.It Cm autonomous address-configuration Pq Cm yes Ns | Ns Cm no +This prefix can be used to generate IPv6 addresses. +The default is +.Cm yes . +.It Cm on-link Pq Cm yes Ns | Ns Cm no +This prefix is considered on-link. +The default is +.Cm yes . +.It Cm preferred lifetime Ar seconds +The preferred lifetime (pltime) in seconds for addresses generated from this +prefix. +The default is 2700. +This option is ignored if the prefix is discovered from a network interface +and it has a lower preferred lifetime. +.It Cm valid lifetime Ar seconds +The valid lifetime (vltime) in seconds for addresses generated from this +prefix. +The default is 3600. +This option is ignored if the prefix is discovered from a network interface +and it has a lower valid lifetime. +.El +.El +.El +.Sh FILES +.Bl -tag -width /etc/examples/rad.conf -compact +.It Pa /etc/rad.conf +.Xr rad 8 +configuration file. +.It Pa /etc/examples/rad.conf +Example configuration file. +.El +.Sh EXAMPLES +With the following example configuration, +.Xr rad 8 +will pick a prefix from the ix1 interface and send router advertisements on it: +.Pp +.Dl interface ix1 +.Sh SEE ALSO +.Xr ractl 8 , +.Xr rad 8 , +.Xr rc.conf.local 8 +.Sh HISTORY +The +.Nm +file format first appeared in +.Ox 6.4 . diff --git a/static/openbsd/man5/radiusd.conf.5 b/static/openbsd/man5/radiusd.conf.5 new file mode 100644 index 00000000..937d2788 --- /dev/null +++ b/static/openbsd/man5/radiusd.conf.5 @@ -0,0 +1,248 @@ +.\" $OpenBSD: radiusd.conf.5,v 1.34 2024/07/18 00:28:53 yasuoka Exp $ +.\" +.\" Copyright (c) 2014 Esdenera Networks GmbH +.\" Copyright (c) 2014, 2023 Internet Initiative Japan Inc. +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: July 18 2024 $ +.Dt RADIUSD.CONF 5 +.Os +.Sh NAME +.Nm radiusd.conf +.Nd RADIUS daemon configuration file +.Sh DESCRIPTION +.Nm +is the configuration file for the RADIUS daemon, +.Xr radiusd 8 . +It has the following format: +.Pp +Empty lines and lines beginning with the +.Sq # +character are ignored. +.Pp +Keywords may be specified multiple times within the configuration file. +The configuration options are as follows: +.Bl -tag -width Ds +.It Xo +.Ic listen on Ar address Oo Ic accounting Oc Oo Ic port Ar port Oc +.Xc +Specify an +.Ar address +and a +.Ar port +to listen on. +When +.Ar accounting +is specified, +it is used for waiting for RADIUS accounting messages. +The default port number is 1812 for authentication and 1813 for accounting. +.It Ic client Ar address/mask Brq ... +Allow access to a client with the specified +.Ar address +and +.Ar mask . +It is followed by a block of options enclosed in curly brackets: +.Bl -tag -width Ds +.It Ic secret Ar secret +The shared secret with the clients. +This option cannot be omitted. +.It Ic msgauth-required Ar yes | no +Specify if message authentication is required. +The default is to require message authentication. +.El +.It Ic module Ar name Oo Ar path Oc Op Brq ... +Load a module. +Specify one of the predefined names for +.Ar name , +or specify +.Ar name +and +.Ar path . +When multiple modules of the same path are loaded with different names, +each module can have configurations respectively and work independently. +.Pp +The following modules are predefined: +.Bl -tag -width Ds +.It Do bsdauth Dc module +The +.Dq bsdauth +module provides authentication from the local system's +.Xr authenticate 3 +interface. +See +.Xr radiusd_bsdauth 8 . +.It Do eap2mschap Dc module +The +.Dq eap2mschap +module provides conversion from EAP-MSCHAPv2 to MS-CHAPv2. +See +.Xr radiusd_eap2mschap 8 . +.It Do file Dc module +The +.Dq file +module provides authentication by a local file. +See +.Xr radiusd_file 8 . +.It Do ipcp Dc module +The +.Dq ipcp +module provides IP configuration and manages the IP address pool. +It also provides session-timeout and disconnection feature. +See +.Xr radiusd_ipcp 8 . +.It Do radius Dc module +The +.Dq radius +module provides authentication from upstream RADIUS servers. +See +.Xr radiusd_radius 8 . +.It Do standard Dc module +The +.Dq standard +module provides standard decorations for RADIUS messages. +See +.Xr radiusd_standard 8 . +.El +.Pp +It is optionally followed by a block of options enclosed in curly brackets. +The following option can be used in the block: +.Bl -tag -width Ds +.It Ic set Ar key value ... +Configure the module specific configurations by +.Ar key +and +.Ar value +for the module specified by +.Ar module . +Notice that +.Ar key +and +.Ar value +must be quoted to be distinguished from the reserved word if needed. +.El +.It Xo +.Ic authenticate +.Ar username-pattern ... +.Ic by Ar auth +.Op Ic decorate-by Ar deco ... +.Xc +Specify an authentication configuration for the users specified by +.Ar username-pattern . +The users matched by the pattern are authenticated by the module +specified by +.Ar auth . +Use shell globbing rules for the pattern; +multiple patterns can be specified by separating with space characters. +When multiple +.Ic authenticate +lines are specified, the first +.Ic authenticate +setting whose +.Ar username-pattern +matches an authenticating user is used. +.Pp +Optionally decoration modules can be specified by +.Ar deco . +The specified modules decorate the RADIUS messages in the configured order. +.It Xo +.Ic authentication-filter +.Ar username-pattern ... +.Ic by Ar auth +.Op Ic decorate-by Ar deco ... +.Xc +.Ic authentication-filter +works the same as +.Ic authenticate , +but the module can work as a filter, +it can ask the authentication to the following authentication modules, +and then it receives the authentication reply and modifies the reply. +.It Xo +.Ic account +.Op Ic quick +.Ar username-pattern ... +.Ic to Ar module +.Op Ic decorate-by Ar deco ... +.Xc +Specify an accounting configuration for the users specified by +.Ar username-pattern . +The accounting messages for the users matched by the pattern are handled +by the module specified by the +.Ar module . +Use shell globbing rules for the patterns; +multiple patterns can be determined by separating them with space characters. +When multiple +.Ic account +configurations are specified, +all matches are used; +if the user matches a pattern with the +.Ic quick +option, then processing stops after that configuration. +.Pp +Optionally decoration modules can be specified by +.Ar deco . +The specified modules decorate the RADIUS messages in the configured order. +.El +.Sh FILES +.Bl -tag -width "/etc/examples/radiusd.conf" -compact +.It Pa /etc/radiusd.conf +Default +.Xr radiusd 8 +configuration file. +.It Pa /etc/examples/radiusd.conf +Example configuration file. +.El +.Sh EXAMPLES +.Bd -literal -offset indent +listen on 0.0.0.0 +listen on 0.0.0.0 accounting +listen on :: +listen on :: accounting + +client 127.0.0.1/32 { + secret "secret" + msgauth-required no +} +client 192.168.0.0/24 { + secret "secret" +} + +module bsdauth { + set restrict-group operator +} + +module radius { + set secret "testing123" + set server "127.0.0.1" +} + +module standard + +module strip-realm "/usr/libexec/radiusd/radiusd_standard" { + set strip-atmark-realm true +} + +authenticate *@local by bsdauth decorate-by strip-realm + +authenticate * by radius + +account * to standard +.Ed +.Sh SEE ALSO +.Xr radiusd 8 , +.Xr radiusd_bsdauth 8 , +.Xr radiusd_eap2mschap 8 , +.Xr radiusd_file 8 , +.Xr radiusd_ipcp 8 , +.Xr radiusd_radius 8 , +.Xr radiusd_standard 8 diff --git a/static/openbsd/man5/rcsfile.5 b/static/openbsd/man5/rcsfile.5 new file mode 100644 index 00000000..9549bca2 --- /dev/null +++ b/static/openbsd/man5/rcsfile.5 @@ -0,0 +1,154 @@ +.\" $OpenBSD: rcsfile.5,v 1.1 2019/04/24 11:57:54 schwarze Exp $ +.\" +.\" Copyright (c) 2019 Fabio Scotoni <fabio@esse.ch> +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: April 24 2019 $ +.Dt RCSFILE 5 +.Os +.Sh NAME +.Nm rcsfile +.Nd format of an RCS file +.Sh DESCRIPTION +An RCS file is a text file. +It consists of four sections, each separated by two empty lines. +RCS files should not be edited by hand; +the +.Xr rcs 1 +programs should be used instead. +.Ss Administrative data +The RCS file begins with admin data. +Each entry in this section consists of either one or multiple values. +Entries that take one value are specified on one line: +The keyword and its corresponding value are separated by +a tab character. +Entries that take multiple values begin with a keyword on one line; +the values are specified on subsequent lines, one per line and +prefixed with a tab character. +If the list is empty, the semicolon immediately follows the keyword. +Entries are terminated with a semicolon. +The entries are: +.Bl -tag -width Ds +.It Ic head Ar rev +Highest revision number. +.It Ic branch Ar rev +Revision number that specifies the default branch (optional). +.It Ic access +List of users that are allowed to check in new revisions with +.Xr ci 1 . +This keyword is not followed by a tab; +instead, the list of users is specified with one username per line. +The list is terminated by a single semicolon. +.It Ic symbols +List of symbolic names used as aliases for specific revisions. +Each entry consists of a symbolic name followed by a colon and +the revision. +.It Ic locks +List of locked revisions. +Each entry consists of a username followed by a colon and +the locked revision. +.It Ic strict +Indicates that locks are strict; +if missing, locks are not strict. +This entry takes no value and immediately follows the list of locks +without a newline. +.It Ic comment Pf @ Ar leader Ns @ +Contains the comment leader surrounded by at signs. +.It Ic expand Pf @ Ar mode Ns @ +Indicates the keyword substitution mode. +See +.Xr rcs 1 +for the possible keyword substitution modes. +If this entry is not given in the admin section, +.Ar kv +must be assumed. +.El +.Ss List of deltas +The RCS file continues with a list of deltas. +Deltas are separated by empty lines. +The list begins with the head and ends with the initial revision. +Each entry begins with the revision number, followed by a newline. +After that, the structure follows the admin section. +.Bl -tag -width Ds +.It Ic date Ar YYYY . Ns Ar mm . Ns Ar dd . Ns Ar HH . Ns Ar MM . Ns Ar SS +Indicates the date and UTC time the revision was checked in. +The date consists of the year, the month, +the day of month, the hour, the minute and the second, +each separated by dots. +The year is specified in either two or four digits. +The other values are specified in two digits each. +.It Ic author Ar username +Author's username. +This entry immediately follows the +.Ic date +without a newline. +.It Ic state Ar value +Contains the state of this delta, +which is an arbitrary string. +This entry immediately follows the +.Ic author +without a newline. +.It Ic branches +List of revision numbers that are branches stemming from this delta. +.It Ic next Ar rev +Next revision. +Chronologically, this is the +.Em previous +revision. +For the initial check-in, +.Ar rev +is empty, +but the tab character that acts as separator is nonetheless present. +.El +.Ss Description +The RCS file continues with the description. +It consists of the string +.Ic desc +followed by a newline and then an at sign. +The description is an arbitrary string that can span multiple lines. +A single at sign on a line terminates the description. +At signs anywhere in the description itself +are escaped by prefixing them with another at sign. +.Ss List of deltatexts +Finally, the RCS file contains the deltatexts. +The list of deltatexts is ordered the same as the list of deltas. +Deltatexts are separated by two lines. +Each entry begins with the revision number, followed by a newline. +The text +.Dq Ic log +follows on its own line. +The log message follows on another new line; +it consists of an at sign, the log message itself (which may span +multiple lines), and finally an at sign on its own line. +Then the text +.Dq Ic text +follows on its own line. +The format is the same as for the description and log message. +As with the description, +at signs anywhere in the log message or in the deltatext itself +are escaped by prefixing them with another at sign. +The deltatext of the head consists of the full file contents. +All subsequent deltatexts contain the differences to the previous +deltatext in the format of +.Xr diff 1 +.Fl n . +.Sh SEE ALSO +.Xr ci 1 , +.Xr co 1 , +.Xr cvs 1 , +.Xr ident 1 , +.Xr rcs 1 , +.Xr rcsclean 1 , +.Xr rcsdiff 1 , +.Xr rcsmerge 1 diff --git a/static/openbsd/man5/relayd.conf.5 b/static/openbsd/man5/relayd.conf.5 new file mode 100644 index 00000000..a63dd4e3 --- /dev/null +++ b/static/openbsd/man5/relayd.conf.5 @@ -0,0 +1,1709 @@ +.\" $OpenBSD: relayd.conf.5,v 1.215 2026/02/18 22:27:03 kirill Exp $ +.\" +.\" Copyright (c) 2006 - 2016 Reyk Floeter <reyk@openbsd.org> +.\" Copyright (c) 2006, 2007 Pierre-Yves Ritschard <pyr@openbsd.org> +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: February 18 2026 $ +.Dt RELAYD.CONF 5 +.Os +.Sh NAME +.Nm relayd.conf +.Nd relay daemon configuration file +.Sh DESCRIPTION +.Nm +is the configuration file for the relay daemon, +.Xr relayd 8 . +.Pp +.Nm +is divided into the following main sections: +.Bl -tag -width xxxx +.It Sx Macros +Definitions of variables that can be used later, simplifying the +configuration file. +.It Sx Global configuration +Global settings for +.Xr relayd 8 . +Do note that the config file allows global settings to be added after +defining tables in the config file, but those tables will use the +built-in defaults instead of the global settings below them. +.It Sx Tables +Table definitions describe a list of hosts, +in a similar fashion to +.Xr pf 4 +tables. +They are used for relay, redirection, and router target selection with +the described options and health checking on the host they contain. +.It Sx Redirections +Redirections are translated to +.Xr pf 4 +rdr-to rules for stateful forwarding to a target host from a +health-checked table on layer 3. +.It Sx Relays +Relays allow application layer load balancing, TLS acceleration, and +general purpose TCP proxying on layer 7. +.It Sx Protocols +Protocols are predefined settings and filter rules for relays. +.It Sx Routers +Routers are used to insert routes with health-checked gateways for +(WAN) link balancing. +.El +.Pp +Within the sections, +a host +.Ar address +can be specified by IPv4 address, IPv6 address, interface name, +interface group, or DNS hostname. +If the address is an interface name, +.Xr relayd 8 +will look up the first IPv4 address and any other IPv4 and IPv6 +addresses of the specified network interface. +A +.Ar port +can be specified by number or name. +The port name to number mappings are found in the file +.Pa /etc/services ; +see +.Xr services 5 +for details. +.Pp +The current line can be extended over multiple lines using a backslash +.Pq Sq \e . +Comments can be put anywhere in the file using a hash mark +.Pq Sq # , +and extend to the end of the current line. +Care should be taken when commenting out multi-line text: +the comment is effective until the end of the entire block. +.Pp +Arguments not beginning with a letter, digit, or underscore +must be quoted. +.Pp +Additional configuration files can be included with the +.Ic include +keyword, for example: +.Bd -literal -offset indent +include "/etc/relayd.conf.local" +.Ed +.Ss Macros +A macro is defined with a command of the form +.Ar name Ns = Ns Ar value . +The macro +.Ar name +can contain letters, digits, and underscores and cannot be a reserved word +(for example, +.Ic table , +.Ic relay , +or +.Ic timeout ) . +Within unquoted arguments, the string +.Pf $ Ar name +is later expanded to +.Ar value . +.Pp +For example: +.Bd -literal -offset indent +www1="10.0.0.1" +www2="10.0.0.2" +table <webhosts> { + $www1 + $www2 +} +.Ed +.Ss Global configuration +Here are the settings that can be set globally: +.Bl -tag -width Ds +.It Ic agentx Oo Ic context Ar context Oc Oo Ic path Ar path Oc +Export +.Xr relayd 8 +metrics via an agentx compatible +.Pq snmp +daemon by connecting to +.Ar path . +Metrics can be found under the relaydMIBObjects subtree +.Pq enterprises.30155.3 . +If +.Ar path +is omitted, it will default to +.Pa /var/agentx/master . +.Ar Context +is the SNMPv3 context and can usually be omitted. +.It Ic interval Ar number +Set the interval in seconds at which the hosts will be checked. +The default interval is 10 seconds. +.It Xo +.Ic log +.Pq Ic state changes Ns | Ns Ic host checks +.Xc +Log host checks: +Either log only the +.Ic state changes +of hosts or log all +.Ic host checks +that were run, even if the state didn't change. +The host state can be +.Dq up +(the health check completed successfully), +.Dq down +(the host is down or didn't match the check criteria), +or +.Dq unknown +(the host is disabled or has not been checked yet). +.It Xo +.Ic log connection Op Ic errors +.Xc +When using relays, log all TCP connections. +Optionally log only +.Ic connection errors . +.It Ic prefork Ar number +When using relays, run the specified number of processes to handle +relayed connections. +This increases the performance and prevents delays when connecting +to a relay. +.Xr relayd 8 +runs 3 relay processes by default and every process will handle +all configured relays. +.It Ic socket Qo Ar path Qc +Create a control socket at +.Ar path . +By default +.Pa /var/run/relayd.sock +is used. +.It Ic timeout Ar number +Set the global timeout in milliseconds for checks. +This can be overridden by the timeout value in the table definitions. +The default timeout is 200 milliseconds and it must not exceed the +global interval. +The default value is optimized for checks within the +same collision domain \(en use a higher timeout, such as 1000 milliseconds, +for checks of hosts in other subnets. +If this option is to be set, it should be placed before overrides in tables. +.El +.Ss Tables +Tables are used to group a set of hosts as the target for redirections +or relays; they will be mapped to a +.Xr pf 4 +table for redirections. +Tables may be defined with the following attribute: +.Bl -tag -width disable +.It Ic disable +Start the table disabled \(en no hosts will be checked in this table. +The table can be later enabled through +.Xr relayctl 8 . +.El +.Pp +Each table must contain at least one host +.Ar address ; +multiple hosts are separated by newline, comma, or whitespace. +Host entries may be defined with the following attributes: +.Bl -tag -width retry +.It Ic ip ttl Ar number +Change the default time-to-live value in the IP headers for host checks. +.It Ic parent Ar number +The optional parent option inherits the state from a parent +host with the specified identifier. +The check will be skipped for this host and copied from the parent host. +This can be used to prevent multiple checks on hosts with multiple IP +addresses for the same service. +The host identifiers are sequentially assigned to the configured hosts +starting with 1; it can be shown with the +.Xr relayctl 8 +.Ic show summary +commands. +.It Ic priority Ar number +Change the route priority used when adding a route. +If not specified, the kernel will set a priority of 8 +.Pq Dv RTP_STATIC . +In ordinary use, a fallback route should be added statically with a very +high (e.g. 52) priority. +Unused in all other modes. +.It Ic retry Ar number +The optional retry option adds a tolerance for failed host checks; +the check will be retried for +.Ar number +more times before setting the host state to down. +If this table is used by a relay, it will also specify the number of +retries for outgoing connection attempts. +.El +.Pp +For example: +.Bd -literal -offset indent +table <service> { 192.168.1.1, 192.168.1.2, 192.168.2.3 } +table <fallback> disable { 10.1.5.1 retry 2 } + +redirect "www" { + listen on www.example.com port 80 + forward to <service> check http "/" code 200 + forward to <fallback> check http "/" code 200 +} +.Ed +.Pp +Tables are used by +.Ic forward to +directives in redirections or relays with a set of general options, +health-checking rules, and timings; +see the +.Sx Redirections +and +.Sx Relays +sections for more information about the forward context. +Table specific configuration directives are described below. +Multiple options can be appended to +.Ic forward to +directives, separated by whitespaces. +.Pp +The following options will configure the health-checking method for +the table, and is mandatory for redirections: +.Bl -tag -width Ds +.It Xo +.Ic check http Ar path +.Op Ic host Ar hostname +.Ic code Ar number +.Xc +For each host in the table, verify that retrieving the URL +.Ar path +gives the HTTP return code +.Ar number . +If +.Ar hostname +is specified, it is used as the +.Dq Host: +header to query a specific hostname at the target host. +To validate the HTTP return code, use this shell command: +.Bd -literal -offset indent +$ echo -n "HEAD <path> HTTP/1.0\er\en\er\en" | \e + nc <host> <port> | head -n1 +.Ed +.Pp +This prints the status header including the actual return code: +.Bd -literal -offset indent +HTTP/1.1 200 OK +.Ed +.It Xo +.Ic check https Ar path +.Op Ic host Ar hostname +.Ic code Ar number +.Xc +This has the same effect as above but wraps the HTTP request in TLS. +.It Xo +.Ic check http Ar path +.Op Ic host Ar hostname +.Ic digest Ar string +.Xc +For each host in the table, verify that retrieving the URL +.Ar path +produces non-binary content whose message digest matches the defined string. +The algorithm used is determined by the string length of the +.Ar digest +argument, either SHA1 (40 characters) or MD5 (32 characters). +If +.Ar hostname +is specified, it is used as the +.Dq Host: +header to query a specific hostname at the target host. +The digest does not take the HTTP headers into account. +Do not specify a binary object (such as a graphic) as the target of the +request, as +.Nm +expects the data returned to be a string. +To compute the digest, use this simple command: +.Bd -literal -offset indent +$ ftp -o - http://host[:port]/path | sha1 +.Ed +.Pp +This gives a digest that can be used as-is in a digest statement: +.Bd -literal -offset indent +a9993e36476816aba3e25717850c26c9cd0d89d +.Ed +.It Xo +.Ic check https Ar path +.Op Ic host Ar hostname +.Ic digest Ar string +.Xc +This has the same effect as above but wraps the HTTP request in TLS. +.It Ic check icmp +Ping hosts in this table to determine whether they are up or not. +This method will automatically use ICMP or ICMPV6 depending on the +address family of each host. +.It Ic check script Ar path +Execute an external program to check the host state. +The program will be executed for each host by specifying the hostname +on the command line: +.Bd -literal -offset indent +/usr/local/bin/checkload.pl front-www1.private.example.com +.Ed +.Pp +.Xr relayd 8 +expects a positive return value on success and zero on failure. +Note that the script will be executed with the privileges of the +.Qq _relayd +user and terminated after +.Ar timeout +milliseconds. +.It Xo +.Ic check send +.Ar data +.Ic expect +.Ar pattern +.Op Ic tls +.Xc +For each host in the table, a TCP connection is established on the +port specified, then +.Ar data +is sent. +Incoming data is then read and is expected to match against +.Ar pattern +using shell globbing rules. +If +.Ar data +is an empty string or +.Ic nothing +then nothing is sent on the connection and data is immediately +read. +This can be useful with protocols that output a banner like +SMTP, NNTP, and FTP. +If the +.Ic tls +keyword is present, +the transaction will occur in a TLS tunnel. +.It Xo +.Ic check binary send +.Ar data +.Ic expect +.Ar data +.Op Ic tls +.Xc +For each host in the table, a TCP connection is established on the +port specified, then the +.Ic send +.Ar data +is converted into binary and sent. +Incoming (binary) +data is then read and is expected to match against a binary +conversion of the +.Ic expect +.Ar data +using +.Xr memcmp 3 . +.Ar data +must be populated with a string containing an even number of hexadecimal +single-byte characters and must not be empty. +This can be useful with binary protocols such as LDAP and SNMP. +If the +.Ic tls +keyword is present, +the transaction will occur in a TLS tunnel. +.It Ic check tcp +Use a simple TCP connect to check that hosts are up. +.It Ic check tls +Perform a complete TLS handshake with each host to check their availability. +.El +.Pp +The following general table options are available: +.Bl -tag -width Ds +.It Ic demote Ar group +Enable the per-table +.Xr carp 4 +demotion option. +This will increment the carp demotion counter for the +specified interface group if all hosts in the table are down. +For more information on interface groups, +see the +.Ic group +keyword in +.Xr ifconfig 8 . +.It Ic interval Ar number +Override the global interval and specify one for this table. +It must be a multiple of the global interval. +.It Ic timeout Ar number +Set the timeout in milliseconds for each host that is checked using +TCP as the transport. +This will override the global timeout, which is 200 milliseconds by default. +.El +.Pp +The following options will set the scheduling algorithm to select a +host from the specified table: +.Bl -tag -width Ds +.It Ic mode hash Op Ar key +Balances the outgoing connections across the active hosts based on the +.Ar key , +IP address and port of the relay. +Additional input can be fed into the +hash by looking at HTTP headers and GET variables; +see the +.Sx Protocols +section below. +This mode is only supported by relays. +.It Ic mode least-states +Forward each outgoing connection to the active host with the least +active +.Xr pf 4 +states. +This mode is only supported by redirections. +.It Ic mode loadbalance Op Ar key +Balances the outgoing connections across the active hosts based on the +.Ar key , +the source IP address of the client, and the IP address and port of the relay. +This mode is only supported by relays. +.It Ic mode random +Distributes the outgoing connections randomly through all active hosts. +This mode is supported by redirections and relays. +.It Ic mode roundrobin +Distributes the outgoing connections using a round-robin scheduler +through all active hosts. +This is the default mode and will be used if no option has been specified. +This mode is supported by redirections and relays. +.It Ic mode source-hash Op Ar key +Balances the outgoing connections across the active hosts based on the +.Ar key +and the source IP address of the client. +This mode is supported by redirections and relays. +.El +.Pp +The optional +.Ar key +argument can be specified for the +.Ic hash , +.Ic loadbalance , +and +.Ic source-hash +modes as either a hex value with a leading +.Ql 0x +or as a string. +If omitted, +.Xr relayd 8 +generates a random key when the configuration is loaded. +.Ss Redirections +Redirections represent a +.Xr pf 4 +rdr-to rule. +They are used for stateful redirections to the hosts in the specified +tables. +.Xr pf 4 +rewrites the target IP addresses and ports of the incoming +connections, operating on layer 3. +The configuration directives that are valid in the +.Ic redirect +context are described below: +.Bl -tag -width Ds +.It Ic disable +The redirection is initially disabled. +It can be later enabled through +.Xr relayctl 8 . +.It Xo +.Ic forward to +.Pf < Ar table Ns > +.Op Ic port Ar number +.Ar options ... +.Xc +Specify the tables of target hosts to be used; see the +.Sx Tables +section above for information about table options. +If the +.Ic port +option is not specified, the first port from the +.Ic listen on +directive will be used. +This directive can be specified twice \(en the second entry will be used +as the backup table if all hosts in the main table are down. +At least one entry for the main table is mandatory. +.It Xo +.Ic listen on Ar address +.Op ip-proto +.Ic port Ar port +.Op Ic interface Ar name +.Op Ic pflog +.Xc +Specify an +.Ar address +and a +.Ar port +to listen on. +.Xr pf 4 +will redirect incoming connections for the specified target to the +hosts in the main or backup table. +The +.Ar port +argument can optionally specify a port range instead of a single port; +the format is +.Ar min-port : Ns Ar max-port . +The optional argument +.Ar ip-proto +can be used to specify an IP protocol like +.Cm tcp +or +.Cm udp ; +it defaults to +.Cm tcp . +The rule can be optionally restricted to a given interface name. +The optional +.Ic pflog +keyword will add +.Cm log +to the rule. +The logged packets are sent to +.Xr pflog 4 . +.It Xo +.Op Ic match +.Ic pftag Ar name +.Xc +Automatically tag packets passing through the +.Xr pf 4 +rdr-to rule with the name supplied. +This allows simpler filter rules. +The optional +.Ic match +keyword will change the default rule action from +.Ql pass in quick +to +.Ql match in +to allow further evaluation in the pf ruleset using the +.Cm tagged Ar name +rule option. +.It Xo +.Ic route to +.Pf < Ar table Ns > +.Op Ic port Ar number +.Ar options ... +.Xc +Like the +.Ic forward to +directive, but directly routes the packets to the target host without +modifying the target address using a +.Xr pf 4 +route-to rule. +This can be used for +.Dq direct server return +to force the target host to respond via a different gateway. +Note that hosts have to accept sessions for the same address as +the gateway, which is typically done by configuring a loopback +interface on the host with this address. +.It Ic session timeout Ar seconds +Specify the inactivity timeout in seconds for established redirections. +The default timeout is 600 seconds (10 minutes). +The maximum is 2147483647 seconds (68 years). +.It Ic sticky-address +This has the same effect as specifying sticky-address +for an rdr-to rule in +.Xr pf.conf 5 . +It will ensure that multiple connections from the same source are +mapped to the same redirection address. +.El +.Ss Relays +Relays will forward traffic between a client and a target server. +In contrast to redirections and IP forwarding in the network stack, a +relay will accept incoming connections from remote clients as a +server, open an outgoing connection to a target host, and forward +any traffic between the target host and the remote client, +operating on layer 7. +A relay is also called an application layer gateway or layer 7 proxy. +.Pp +The main purpose of a relay is to provide advanced load balancing +functionality based on specified protocol characteristics, such as +HTTP headers, to provide TLS acceleration and to allow +basic handling of the underlying application protocol. +.Pp +The +.Ic relay +configuration directives are described below: +.Bl -tag -width Ds +.It Ic disable +Start the relay but immediately close any accepted connections. +.It Xo +.Op Ic transparent +.Ic forward +.Op Ic with tls +.Ic to +.Ar address +.Op Ic port Ar port +.Ar options ... +.Xc +Specify the address and port of the target host to connect to. +If the +.Ic port +option is not specified, the port from the +.Ic listen on +directive will be used. +Use the +.Ic transparent +keyword to enable fully-transparent mode; the source address of the +client will be retained in this case. +.Pp +The +.Ic with tls +directive enables client-side TLS mode to connect to the remote host. +Verification of server certificates can be enabled by setting the +.Ic ca file +option in the protocol section. +.Pp +The following options may be specified for forward directives: +.Bl -tag -width Ds +.It Ic inet +If the requested destination is an IPv6 address, +.Xr relayd 8 +will forward the connection to an IPv4 address which is determined by +the last 4 octets of the original IPv6 destination. +For example, if the original IPv6 destination address is +2001:db8:7395:ffff::a01:101, the session is relayed to the IPv4 +address 10.1.1.1 (a01:101). +.It Ic inet6 Ar address-prefix +If the requested destination is an IPv4 address, +.Xr relayd 8 +will forward the connection to an IPv6 address which is determined by +setting the last 4 octets of the specified IPv6 +.Ar address-prefix +to the 4 octets of the original IPv4 destination. +For example, if the original IPv4 destination address is 10.1.1.1 and +the specified address prefix is 2001:db8:7395:ffff::, the session is +relayed to the IPv6 address 2001:db8:7395:ffff::a01:101. +.It Ic retry Ar number +The optional host +.Ic retry +option will be used as a tolerance for failed +host connections; the connection will be retried for +.Ar number +more times. +.It Ic proxy-protocol Pq Ic v1 Ns | Ns Ic v2 +Upon connection to the destination, +.Xr relayd 8 +will prepend a PROXY protocol header of the specified version to the relayed +data, with the IP address and port of the remote host as well as the +.Xr relayd 8 +server. +.El +.It Xo +.Ic forward to +.Pf < Ar table Ns > +.Op Ic port Ar port +.Ar options ... +.Xc +Like the previous directive, but connect to a host from the specified +table; see the +.Sx Tables +section above for information about table options. +This directive can be specified multiple times \(en subsequent entries +will be used as the backup table if all hosts in the previous table +are down. +At least one entry for the main table is mandatory. +As above, use the +.Ic with tls +directive to enable client-side TLS mode when connecting to the remote host. +.It Xo +.Ic forward to +.Ic destination +.Ar options ... +.Xc +When redirecting connections with a divert-to rule in +.Xr pf.conf 5 +to a relay listening on localhost, this directive will +look up the real destination address of the intended target host, +allowing the relay to be run as a transparent proxy. +If an additional +.Ic forward to +directive to a specified address or table is present, +it will be used as a backup if the lookup failed. +As above, use the +.Ic with tls +directive to enable client-side TLS mode when connecting to the remote host. +.It Xo +.Ic forward to +.Ic nat lookup +.Ar options ... +.Xc +Like the previous directive, but for redirections with rdr-to in +.Xr pf.conf 5 . +.It Xo +.Ic listen on Ar address Ic port Ar port +.Op Ic tls +.Xc +Specify the address and port for the relay to listen on. +The relay will accept incoming connections to the specified address. +If the +.Ic tls +keyword is present, the relay will accept connections using the +encrypted TLS protocol. +.It Ic protocol Ar name +Use the specified protocol definition for the relay. +The generic TCP protocol options will be used by default; +see the +.Sx Protocols +section below. +.It Ic session timeout Ar seconds +Specify the inactivity timeout in seconds for accepted sessions. +The default timeout is 600 seconds (10 minutes). +The maximum is 2147483647 seconds (68 years). +.El +.Ss TLS relays +In addition to plain TCP, +.Xr relayd 8 +supports the Transport Layer Security (TLS) cryptographic protocol for +authenticated and encrypted relays. +.Xr relayd 8 +can operate as a TLS client or server to offer a variety of options +for different use cases related to TLS. +.Bl -tag -width Ds +.It Ic TLS client +When configuring the relay +.Ic forward +statements with the +.Ic with tls +directive, +.Xr relayd 8 +will enable client-side TLS to connect to the remote host. +This is commonly used for TLS tunneling and transparent encapsulation +of plain TCP connections. +See the +.Ic forward to +description in the +.Sx Relays +section for more details. +.It Ic TLS server +When specifying the +.Ic tls +keyword in the relay +.Ic listen +statements, +.Xr relayd 8 +will accept connections from clients as a TLS server. +This mode is also known as +.Dq TLS acceleration . +See the +.Ic listen on +description in the +.Sx Relays +section for more details. +.It Ic TLS client and server +When combining both modes, TLS server and client, +.Xr relayd 8 +can filter TLS connections as a man-in-the-middle. +This combined mode is also called +.Dq TLS inspection . +The configuration requires additional X.509 certificate settings; +see the +.Ic ca key +description in the +.Sx Protocols +section for more details. +.El +.Pp +When configured for +.Dq TLS inspection +mode, +.Xr relayd 8 +will listen for incoming connections which have been diverted to the +local socket by PF. +Before accepting and negotiating the incoming TLS connection as a +server, it will look up the original destination address on the +diverted socket, and pre-connect to the target server as a TLS client +to obtain the remote TLS certificate. +It will update or patch the obtained TLS certificate by replacing the +included public key with its local server key because it doesn't have +the private key of the remote server certificate. +It also updates the X.509 issuer name to the local CA subject name and +signs the certificate with its local CA key. +This way it keeps all the other X.509 attributes that are already +present in the server certificate, including the "green bar" extended +validation attributes. +Now it finally accepts the TLS connection from the diverted client +using the updated certificate and continues to handle the connection +and to connect to the remote server. +.Ss Protocols +Protocols are templates defining settings and rules for relays. +They allow setting generic TCP options, TLS settings, and rules +for the selected application layer protocol. +.Pp +The protocol directive is available for a number of different +application layer protocols. +There is no generic handler for UDP-based protocols because it is a +stateless datagram-based protocol which has to look into the +application layer protocol to find any possible state information. +.Bl -tag -width Ds +.It Ic dns protocol +(UDP) +Domain Name System (DNS) protocol. +The requested IDs in the DNS header will be used to match the state. +.Xr relayd 8 +replaces these IDs with random values to compensate for +predictable values generated by some hosts. +.It Ic http protocol +Handle the HyperText Transfer Protocol +(HTTP, or "HTTPS" if encapsulated in a TLS tunnel). +.It Xo +.Op Ic tcp +.Ic protocol +.Xc +Generic handler for TCP-based protocols. +This is the default. +.El +.Pp +The available configuration directives are described below: +.Bl -tag -width Ds +.It Xo +.Pq Ic block Ns | Ns Ic pass Ns | Ns Ic match +.Op Ar rule +.Xc +Specify one or more rules to filter connections based on their +network or application layer headers; +see the +.Sx Filter rules +section for more details. +.It Ic return error Op Ar option +Return an error response to the client if an internal operation or the +forward connection to the client failed. +By default, the connection will be silently dropped. +The effect of this option depends on the protocol: HTTP will send an +error header and page to the client before closing the connection. +Additional valid options are: +.Bl -tag -width Ds +.It Ic style Ar string +Specify a Cascading Style Sheet (CSS) to be used for the returned +HTTP error pages, for example: +.Bd -literal -offset indent +body { background: #a00000; color: white; } +.Ed +.El +.It Ic tcp Ar option +Enable or disable the specified TCP/IP options; see +.Xr tcp 4 +and +.Xr ip 4 +for more information about the options. +Valid options are: +.Bl -tag -width Ds +.It Ic backlog Ar number +Set the maximum length the queue of pending connections may grow to. +The backlog option is 10 by default, is limited to 512 and capped by the +.Ic kern.somaxconn +.Xr sysctl 8 +variable. +.It Ic ip minttl Ar number +This option for the underlying IP connection may be used to discard packets +with a TTL lower than the specified value. +This can be used to implement the +Generalized TTL Security Mechanism (GTSM) +according to RFC 5082. +.It Ic ip ttl Ar number +Change the default time-to-live value in the IP headers. +.It Ic nodelay +Enable the TCP NODELAY option for this connection. +This is recommended to avoid delays in the relayed data stream, +e.g. for SSH connections. +The default is +.Ic no nodelay . +.It Ic no splice +Disable socket splicing for zero-copy data transfer. +The default is to enable socket splicing. +.It Ic sack +Use selective acknowledgements for this connection. +The default is +.Ic no sack . +.It Ic socket buffer Ar number +Set the socket-level buffer size for input and output for this +connection. +This will affect the TCP window size. +.El +.It Ic tls Ar option +Set the TLS options and session settings. +This is only used if TLS is enabled in the relay. +Valid options are: +.Bl -tag -width Ds +.It Ic ca cert Ar path +Specify a CA certificate for TLS inspection. +For more information, see the +.Ic ca key +option below. +.It Ic ca file Ar path +This option enables CA verification in TLS client mode. +The daemon will load the CA (Certificate Authority) certificates from +the specified path to verify the server certificates. +.Ox +provides a default CA bundle in +.Pa /etc/ssl/cert.pem . +.It Ic ca key Ar path Ic password Ar password +Specify a CA key for TLS inspection. +The +.Ar password +argument will specify the password to decrypt the CA key +(typically an RSA key). +This option will enable TLS inspection if the following conditions +are true: +.Pp +.Bl -bullet -compact -offset indent +.It +TLS server mode is enabled by the +.Ic listen +directive: +.Ic listen on ... tls . +.It +TLS client mode and divert lookups are enabled by the +.Ic forward +directive: +.Ic forward with tls to destination . +.It +The +.Ic ca cert +option is specified. +.It +The +.Ic ca key +option is specified. +.El +.It Ic ciphers Ar string +Set the string defining the TLS cipher suite. +If not specified, the default value +.Ql HIGH:!aNULL +will be used (strong crypto cipher suites without anonymous DH). +See the CIPHERS section of +.Xr openssl 1 +for information about TLS cipher suites and preference lists. +.It Ic client ca Ar path +Require TLS client certificates that can be verified against the CA +certificates in the specified file. +.It Ic client-renegotiation +Allow client-initiated renegotiation. +To mitigate a potential DoS risk, +the default is +.Ic no client-renegotiation . +.It Ic ecdhe Ar curves +Specify a comma separated list of elliptic curves to use for ECDHE cipher +suites, in order of preference. +The special value of "default" will use the default curves; see +.Xr tls_config_set_ecdhecurves 3 +for further details. +.It Ic edh Op Ic params Pq Ic none Ns | Ns Ic auto Ns | Ns Ic legacy +Enable EDH-based cipher suites with Perfect Forward Secrecy (PFS) for +older clients that do not support ECDHE. +In +.Ic auto +mode, the key size of the ephemeral key is automatically selected +based on the size of the private key used for signing. +In +.Ic legacy +mode, a 1024 bit ephemeral key is used. +If +.Ic params +is omitted, +.Ic auto +is used. +The default is +.Ic no edh . +.It Ic keypair Ar name +The relay will attempt to look up a private key in +.Pa /etc/ssl/private/name:port.key +and a public certificate in +.Pa /etc/ssl/name:port.crt , +where +.Ar port +is the specified port that the relay listens on. +If these files are not present, the relay will continue to look in +.Pa /etc/ssl/private/name.key +and +.Pa /etc/ssl/name.crt . +This option can be specified multiple times for TLS Server Name Indication. +If not specified, +a keypair will be loaded using the specified IP address of the relay as +.Ar name . +See +.Xr ssl 8 +for details about TLS server certificates. +.Pp +An optional OCSP staple file will be used during TLS handshakes with +this server if it is found as a non-empty file in +.Pa /etc/ssl/name:port.ocsp +or +.Pa /etc/ssl/name.ocsp . +The file should contain a DER-format OCSP response retrieved from an +OCSP server for the certificate in use, and can be created using +.Xr ocspcheck 8 . +.It Ic no cipher-server-preference +Prefer the client's cipher list over the server's preferences when +choosing a cipher for the connection. +The default is to prefer the server's cipher list. +.It Ic session tickets +Enable TLS session tickets. +.Xr relayd 8 +supports stateless TLS session tickets (RFC 5077) to implement TLS session +resumption for connections not using TLSv1.3. +The default is to disable session tickets. +.It Ic no tlsv1.3 +Disable the TLSv1.3 protocol. +The default is to enable TLSv1.3. +.It Ic no tlsv1.2 +Disable the TLSv1.2 protocol. +The default is to enable TLSv1.2. +.It Ic sslv3 +Is deprecated and does nothing. +.It Ic tlsv1 +Enable all TLSv1 protocols. +This is an alias that currently includes +.Ic tlsv1.2 , +and +.Ic tlsv1.3 . +The default is +.Ic no tlsv1 . +.It Ic tlsv1.0 +Is deprecated and does nothing. +.It Ic tlsv1.1 +Is deprecated and does nothing. +.El +.It Ic http Ar option +Set the HTTP options and session settings. +This is only used if HTTP is enabled in the relay. +Valid options are: +.Bl -tag -width Ds +.It Ic headerlen Ar number +Set the maximum size of all HTTP headers in bytes. +The default value is 8192 and it is limited to a maximum of 131072. +.It Ic websockets +Allow connection upgrade to websocket protocol. +The default is +.Ic no websockets . +.El +.El +.Ss Filter rules +Relays have the ability to filter connections based +on their network or application layer headers. +Filter rules apply options to connections based on the specified +filter parameters. +.Pp +For each connection that is processed by a relay, the filter rules are +evaluated in sequential order, from first to last. +For +.Ic block +and +.Ic pass , +the last matching rule decides what action is taken; +if no rule matches the connection, the default action is to establish +the connection without any additional action. +For +.Ic match , +rules are evaluated every time they match; +the pass/block state of a connection remains unchanged. +.Pp +The filter action may be one of the following: +.Bl -tag -width Ds +.It Ic block +The connection is blocked. +If a +.Ic block +rule matches a new connection attempt, it will not be established. +.Ic block +rules can also trigger for existing connections after evaluating +application layer parameters; +any connection of the relay session will be instantly dropped. +.It Ic match +The connection is matched. +This action does not alter the connection state, but allows +additional parameters to the connection. +.It Ic pass +The connection is passed; +.Xr relayd 8 +will continue to process the relay session normally. +.El +.Pp +These filter parameters can be used in the rules: +.Bl -tag -width Ds +.It Ic request No or Ic response +A relay session always consists of two connections: +the +.Ic request , +a client initiating a new connection to a server via the relay, +and the +.Ic response , +the server accepting the connection. +Depending on the protocol, +an established session can be purely request/response-based (like +HTTP), exchange data in a bidirectional way (like arbitrary TCP +sessions), or just contain a single datagram and an optional response +(like UDP-based protocols). +But the client always +.Em requests +to communicate with a remote peer; the server. +.It Ic quick +If a connection is matched by a rule with the +.Ic quick +option set, +the rule is considered to be the last matching rule and any further +evaluation is skipped. +.It Ic inet No or Ic inet6 +Only match connections with the specified address family, +either of type IPv4 or IPv6. +.It Ic from Ar address Ns Oo Li / Ns Ar prefix Oc +This rule only matches for connections from the specified source. +.It Ic to Ar address Ns Oo Li / Ns Ar prefix Oc +This rule only matches for connections to the specified destination. +The destination is the address the client was connecting to, +typically the relay's listen address in non-transparent mode, +not the address of the forwarded backend connection. +.It Ic forward to Pf < Ar table Ns > +Forward the request to a server in the specified table. +With this option, requests can be passed to specific backend servers. +A corresponding +.Ic forward to +declaration in the +.Sx Relays +section is required. +.It Ic label Ar string +The label will be printed as part of the error message if the +.Ic return error +option is set and may contain HTML tags, for example: +.Bd -literal -offset indent +block request url digest 5c1e03f58f8ce0b457474ffb371fd1ef \e + label "<a href='http://example.com/adv.pl?id=7359'>\e + Advisory provided by example.com</a>" +.Ed +.It Ic no Ar parameter +Reset a sticky parameter that was previously set by a matching rule. +The +.Ar parameter +is a keyword that can be either +.Ic label +or +.Ic tag . +.It Ic tag Ar string +Add a "sticky" tag to connections matching this filter rule. +Tags can be used to filter the connection by further rules using the +.Ic tagged +option. +Only one tag is assigned per connection; +the tag will be replaced if the connection is already tagged. +.It Ic tagged Ar string +Match the connection if it is already tagged with a given tag by a +previous rule. +.El +.Pp +The following parameters are available when using the +.Ic http +protocol: +.Bl -tag -width Ds +.It Ic method Ar name +Match the HTTP request method. +The method is specified by +.Ar name +and can be either +.Ic ACL , +.Ic BASELINE-CONTROL , +.Ic CHECKIN , +.Ic CHECKOUT , +.Ic CONNECT , +.Ic COPY , +.Ic DELETE , +.Ic GET , +.Ic HEAD , +.Ic LABEL , +.Ic LOCK , +.Ic MERGE , +.Ic MKACTIVITY , +.Ic MKCOL , +.Ic MKREDIRECTREF , +.Ic MKWORKSPACE , +.Ic MOVE , +.Ic OPTIONS , +.Ic ORDERPATCH , +.Ic PATCH , +.Ic POST , +.Ic PROPFIND , +.Ic PROPPATCH , +.Ic PUT , +.Ic REPORT , +.Ic SEARCH , +.Ic TRACE , +.Ic UNCHECKOUT , +.Ic UNLOCK , +.Ic UPDATE , +.Ic UPDATEREDIRECTREF , +or +.Ic VERSION-CONTROL . +.It Xo +.Ar type option +.Oo Oo Ic digest Oc +.Pq Ar key Ns | Ns Ic file Ar path +.Oo Ic value Ar value Oc Oc +.Xc +Match a specified HTTP header entity and an optional +.Ic key +and +.Ic value . +An +.Ic option +can be specified to modify the matched entity or to trigger an event. +The entity is extracted from the HTTP request or response header and +can be either of +.Ar type +.Ic cookie , +.Ic header , +.Ic path , +.Ic query , +or +.Ic url . +.Pp +Instead of a single +.Ar key , +multiple keys can be loaded from a +.Ic file +specified by +.Ar path +that contains one key per line. +Lines will be stripped at the first whitespace or newline character +and any empty lines or lines beginning with a hash mark +.Pq Ql # +will be ignored. +.Pp +If the +.Ic digest +keyword is specified, +compare the message digest of the key against the defined string. +The algorithm used is determined by the string length of the +.Ar key +argument, either SHA1 (40 characters) or MD5 (32 characters). +To compute the digest, +for example for a +.Ic url , +use this simple command: +.Bd -literal -offset indent +$ echo -n "example.com/path/?args" | sha1 +.Ed +.El +.Pp +.Bq Ar type +may be one of: +.Bl -tag -width Ds +.It Ic cookie Ar option Oo Ar key Oo Ic value Ar value Oc Oc +Look up the entity as a value in the Cookie header. +This type is only available with the direction +.Ic request . +.It Ic header Ar option Oo Ar key Oo Ic value Ar value Oc Oc +Look up the entity in the application protocol headers, like HTTP +headers in +.Ic http +mode. +.It Ic path Ar option Oo Ar key Oo Ic value Ar value Oc Oc +Look up the entity as a value in the URL path when using the +.Ic http +protocol. +This type is only available with the direction +.Ic request . +The +.Ar key +will match the path of the requested URL without the hostname +and query and the value will match the complete query, +for example: +.Bd -literal -offset indent +block path "/index.html" +block path "/cgi-bin/t.cgi" value "foo=bar*" +.Ed +.It Ic path strip Ar number +Strip +.Ar number +path components from the beginning of the path of the requested URL +when using the +.Ic http +protocol. +This type is only available with the direction +.Ic request . +.It Ic query Ar option Oo Ar key Oo Ic value Ar value Oc Oc +Look up the entity as a query variable in the URL when using the +.Ic http +protocol. +This type is only available with the direction +.Ic request , +for example: +.Bd -literal -offset indent +# Will match /cgi-bin/example.pl?foo=bar&ok=yes +pass request query "foo" value "bar" +.Ed +.It Ic url Ar option Oo Oo Ic digest Oc Ar key Oo Ic value Ar value Oc Oc +Look up the entity as a URL suffix/prefix expression consisting of a +canonicalized hostname without port or suffix and a path name or +prefix when using the +.Ic http +protocol. +This type is only available with the direction +.Ic request , +for example: +.Bd -literal -offset indent +block url "example.com/index.html" +block url "example.com/test.cgi?val=1" +.Ed +.Pp +.Xr relayd 8 +will match the full URL and different possible suffix/prefix +combinations by stripping subdomains and path components (up to 5 +levels), and the query string. +For example, the following +lookups will be done for +http://www.example.com:81/1/2/3/4/5.html?query=yes: +.Bd -literal -offset indent +www.example.com/1/2/3/4/5.html?query=yes +www.example.com/1/2/3/4/5.html +www.example.com/ +www.example.com/1/ +www.example.com/1/2/ +www.example.com/1/2/3/ +example.com/1/2/3/4/5.html?query=yes +example.com/1/2/3/4/5.html +example.com/ +example.com/1/ +example.com/1/2/ +example.com/1/2/3/ +.Ed +.El +.Pp +.Bq Ar option +may be one of: +.Bl -tag -width Ds +.It Ic append +Append the specified +.Ar value +to a protocol entity with the selected +.Ar key +name. +If it does not exist, it will be created with the new value. +.Pp +The value string may contain predefined macros that will be expanded +at runtime: +.Pp +.Bl -tag -width $SERVER_ADDR -offset indent -compact +.It Ic $HOST +The Host header's value of the relay. +.It Ic $REMOTE_ADDR +The IP address of the connected client. +.It Ic $REMOTE_PORT +The TCP source port of the connected client. +.It Ic $SERVER_ADDR +The configured IP address of the relay. +.It Ic $SERVER_PORT +The configured TCP server port of the relay. +.It Ic $SERVER_NAME +The server software name of +.Xr relayd 8 . +.It Ic $TIMEOUT +The configured session timeout of the relay. +.El +.It Ic hash +Feed the +.Ar value +of the selected entity into the load balancing hash to select the +target host. +See the +.Ic table +keyword in the +.Sx Relays +section above. +.It Ic log +Log the +.Ar key +name and the +.Ar value +of the entity. +.It Ic remove +Remove the entity with the selected +.Ar key +name. +.It Ic set +Like the +.Ic append +directive above, but change the contents of the specified entity. +If +.Ar key +does not exist in the request, it will be created with the new +.Ar value . +.Pp +The +.Ar value +string +may contain predefined macros that will be expanded at runtime, +as detailed for the +.Ic append +directive above. +.El +.Ss Routers +Routers represent routing table entries in the kernel forwarding +database, see +.Xr route 4 , +and a table of associated gateways. +They are used to dynamically insert or remove routes with gateways +based on their availability and health-check results. +A router can include multiple network statements and a single forward +statement with a table of one or more gateways. +All entries in a single router directive must match the same address +family, either IPv4 or IPv6. +.Pp +The kernel supports multipath routing when multiple gateways exist to +the same destination address. +The multipath routing behaviour can be changed globally using the +.Xr sysctl 8 +variables +.Va net.inet.ip.multipath +and +.Va net.inet6.ip6.multipath . +With the default setting of 0, +the first route selected will be used for subsequent packets to that +destination regardless of source. +Setting it to 1 will enable load balancing based on the packet source +address across gateways; multiple routes with the same priority are +used equally. +The kernel will also check the link state of the related network +interface and try a different route if it is not active. +.Pp +The configuration directives that are valid in the +.Ic routers +context are described below: +.Bl -tag -width Ds +.It Xo +.Ic forward to +.Pf < Ar table Ns > +.Ic port Ar number +.Ar options ... +.Xc +Specify the table of target gateways to be used; see the +.Sx Tables +section above for information about table options. +This entry is mandatory and must be specified once. +.It Xo +.Ic route +.Ar address Ns Li / Ns Ar prefix +.Xc +Specify the network address and prefix length of a route destination +that is reachable via the active gateways. +This entry must be specified at least once in a router directive. +.It Ic rtable Ar id +Add the routes to the kernel routing table with the specified +.Ar id . +.It Ic rtlabel Ar label +Add the routes with the specified +.Ar label +to the kernel routing table. +.El +.Sh FILES +.Bl -tag -width Ds -compact +.It Pa /etc/relayd.conf +.Xr relayd 8 +configuration file. +.Pp +.It Pa /etc/examples/relayd.conf +Example configuration file. +.Pp +.It Pa /etc/services +Service name database. +.Pp +.It Pa /etc/ssl/address.crt +.It Pa /etc/ssl/address:port.crt +.It Pa /etc/ssl/private/address.key +.It Pa /etc/ssl/private/address:port.key +Location of the relay TLS server certificates, where +.Ar address +is the configured IP address +and +.Ar port +is the configured port number of the relay. +.Pp +.It Pa /etc/ssl/cert.pem +Default location of the CA bundle that can be used with +.Xr relayd 8 . +.El +.Sh EXAMPLES +This configuration file would create a redirection service +.Dq www +which load balances four hosts +and falls back to one host containing a +.Dq sorry page : +.Bd -literal -offset indent +www1=front-www1.private.example.com +www2=front-www2.private.example.com +www3=front-www3.private.example.com +www4=front-www4.private.example.com + +interval 5 + +table <phphosts> { $www1, $www2, $www3, $www4 } +table <sorryhost> disable { sorryhost.private.example.com } + +redirect "www" { + listen on www.example.com port 8080 interface trunk0 + listen on www6.example.com port 80 interface trunk0 + + pftag REDIRECTED + + forward to <phphosts> port 8080 timeout 300 \e + check http "/" digest "630aa3c2f..." + forward to <sorryhost> port 8080 timeout 300 check icmp +} +.Ed +.Pp +It is possible to specify multiple listen directives with different IP +protocols in a single redirection configuration: +.Bd -literal -offset indent +redirect "dns" { + listen on dns.example.com tcp port 53 + listen on dns.example.com udp port 53 + + forward to <dnshosts> port 53 check tcp +} +.Ed +.Pp +To load balance an IP address over multiple backend servers using a +.Xr pf 4 +.Cm route-to +directive: +.Bd -literal -offset indent +table <backends> { 10.100.42.71 10.100.42.72 10.100.42.73 } + +redirect "xmpp" { + listen on 10.100.42.2 tcp port 5222 + + route to <backends> port 5222 check tcp interface em0 +} +.Ed +.Pp +The following configuration would add a relay to forward +secure HTTPS connections to a pool of HTTP webservers +using the +.Ic loadbalance +mode (TLS acceleration and layer 7 load balancing). +The HTTP protocol definition will add two HTTP headers containing +address information of the client and the server, set the +.Dq Keep-Alive +header value to the configured session timeout, +and include the +.Dq sessid +variable in the hash to calculate the target host: +.Bd -literal -offset indent +http protocol "https" { + match header set "X-Forwarded-For" \e + value "$REMOTE_ADDR" + match header set "X-Forwarded-By" \e + value "$SERVER_ADDR:$SERVER_PORT" + match header set "Keep-Alive" value "$TIMEOUT" + + match query hash "sessid" + + pass + block path "/cgi-bin/index.cgi" value "*command=*" + + tls { no tlsv1.0, ciphers "HIGH" } +} + +relay "tlsaccel" { + listen on www.example.com port 443 tls + protocol "https" + forward to <phphosts> port 8080 mode loadbalance check tcp +} +.Ed +.Pp +The second relay example will accept incoming connections to port +2222 and forward them to a remote SSH server. +The TCP +.Ic nodelay +option will allow a +.Dq smooth +SSH session without delays between keystrokes or displayed output on +the terminal: +.Bd -literal -offset indent +protocol "myssh" { + tcp { nodelay, socket buffer 65536 } +} + +relay "sshforward" { + listen on www.example.com port 2222 + protocol "myssh" + forward to shell.example.com port 22 +} +.Ed +.Pp +The following relay example will configure +.Dq TLS inspection +as described in the +.Sx TLS relays +section. +To start, first generate a new local CA key and certificate: +.Bd -literal -offset indent +# openssl req -x509 -days 365 -newkey rsa:2048 \e + -keyout /etc/ssl/private/ca.key -out /etc/ssl/ca.crt +.Ed +.Pp +A TLS server key and self-signed cert for 127.0.0.1 are also required; +see +.Ic listen on +in the +.Sx Relays +section for more details about certificate locations. +Configure the packet filter with a matching divert rule in +.Xr pf.conf 5 : +.Bd -literal -offset indent +# Divert incoming HTTPS traffic to relayd +pass in on vlan1 inet proto tcp to port 443 \e + divert-to localhost port 8443 +.Ed +.Pp +And finally configure the TLS inspection in +.Nm : +.Bd -literal -offset indent +http protocol httpfilter { + return error + + pass + match label "Prohibited!" + block url "social.network.example.com/" + + # New configuration directives for TLS Interception + tls ca key "/etc/ssl/private/ca.key" password "password123" + tls ca cert "/etc/ssl/ca.crt" +} + +relay tlsinspect { + listen on 127.0.0.1 port 8443 tls + protocol httpfilter + forward with tls to destination +} +.Ed +.Pp +The next simple router configuration example can be used to run +redundant, health-checked WAN links: +.Bd -literal -offset indent +table <gateways> { $gw1 ip ttl 1, $gw2 ip ttl 1 } +router "uplinks" { + route 0.0.0.0/0 + forward to <gateways> check icmp +} +.Ed +.Sh SEE ALSO +.Xr ocspcheck 8 , +.Xr relayctl 8 , +.Xr relayd 8 , +.Xr ssl 8 +.Sh HISTORY +The +.Nm +file format, formerly known as +.Ic hoststated.conf , +first appeared in +.Ox 4.1 . +It was renamed to +.Nm +in +.Ox 4.3 . +.Sh AUTHORS +.An -nosplit +The +.Xr relayd 8 +program was written by +.An Pierre-Yves Ritschard Aq Mt pyr@openbsd.org +and +.An Reyk Floeter Aq Mt reyk@openbsd.org . +.Sh CAVEATS +.Xr relayd 8 +verification of TLS server certificates is based on a static CA bundle +and +.Xr relayd 8 +currently does not support CRLs (Certificate Revocation Lists). diff --git a/static/openbsd/man5/ripd.conf.5 b/static/openbsd/man5/ripd.conf.5 new file mode 100644 index 00000000..591b05fd --- /dev/null +++ b/static/openbsd/man5/ripd.conf.5 @@ -0,0 +1,242 @@ +.\" $OpenBSD: ripd.conf.5,v 1.23 2025/07/08 14:26:45 schwarze Exp $ +.\" +.\" Copyright (c) 2006 Michele Marchetto <mydecay@openbeer.it> +.\" Copyright (c) 2005, 2006 Esben Norby <norby@openbsd.org> +.\" Copyright (c) 2004 Claudio Jeker <claudio@openbsd.org> +.\" Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> +.\" Copyright (c) 2002 Daniel Hartmeier <dhartmei@openbsd.org> +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: July 8 2025 $ +.Dt RIPD.CONF 5 +.Os +.Sh NAME +.Nm ripd.conf +.Nd RIP routing daemon configuration file +.Sh DESCRIPTION +The +.Xr ripd 8 +daemon implements the Routing Information Protocol version 2 as described +in RFC 2453. +.Pp +The +.Nm +config file is divided into the following main sections: +.Bl -tag -width xxxx +.It Sx Macros +Definitions of variables that can be used later, simplifying the +configuration file. +.It Sx Global configuration +Global settings for +.Xr ripd 8 . +.It Sx Interfaces configuration +Interface-specific parameters. +.El +.Ss Macros +A macro is defined with a command of the form +.Ar name Ns = Ns Ar value . +The macro +.Ar name +can contain letters, digits, and underscores and cannot be a reserved word +(for example, +.Ic cost ) . +Within unquoted arguments, the string +.Pf $ Ar name +is later expanded to +.Ar value . +.Pp +For example: +.Bd -literal -offset indent +hi="2" +interface em0 { + cost $hi +} +.Ed +.Ss Global configuration +Global settings concerns the main behaviour of the daemon. +.Pp +.Bl -tag -width Ds -compact +.It Ic fib-priority Ar prio +Set the routing priority to +.Ar prio . +The default is 40. +.Pp +.It Xo +.Ic fib-update +.Pq Ic yes Ns | Ns Ic no +.Xc +If set to +.Ic no , +do not update the Forwarding Information Base, a.k.a. the kernel routing +table. +The default is +.Ic yes . +.Pp +.It Ic rdomain Ar tableid +Specifies the routing table +.Xr ripd 8 +should modify. +Table 0 is the default table. +.Pp +.It Xo +.Op Ic no +.Ic redistribute +.Sm off +.Po Ic static Ns | Ns Ic connected Ns | Ns +.Ic default Pc +.Sm on +.Xc +.It Xo +.Op Ic no +.Ic redistribute Ar prefix +.Xc +.It Xo +.Op Ic no +.Ic redistribute rtlabel Ar label +.Xc +If set to +.Ic connected , +routes to directly attached networks will be +announced over RIP. +If set to +.Ic static , +static routes will be announced over RIP. +If set to +.Ic default , +a default route pointing to this router will be announced over RIP. +It is possible to specify a network range with +.Ar prefix ; +networks need to be part of that range to be redistributed. +Additionally it is possible to redistribute based on route labels +using the +.Ic rtlabel +keyword. +By default no additional routes will be announced over RIP. +.Pp +.Ic redistribute +statements are evaluated in sequential order, from first to last. +The first matching rule decides if a route should be redistributed or not. +Matching rules starting with +.Ic no +will force the route to be not announced. +.Pp +.It Xo +.Ic split-horizon +.Sm off +.Po Ic simple Ns | Ns Ic poisoned Ns | Ns +.Ic none Pc +.Sm on +.Xc +If set to +.Ic simple , +do not redistribute routes to the interface from which they were learned. +If set to +.Ic poisoned , +redistribute routes to the interface from which they were learned, by +forcing the metric to infinity. +Both these behaviours can resolve routing loops when a router goes down. +The default is +.Ic poisoned . +.Pp +.It Xo +.Ic triggered-updates +.Pq Ic yes Ns | Ns Ic no +.Xc +Immediately trigger responses when a route changes. +The default is +.Ic no . +.El +.Ss Interfaces configuration +Each interface can have several parameters configured individually, otherwise +they are inherited. +.Bd -literal -offset indent +interface em0 { + cost 9 + auth-type none +} +interface ix1 +.Ed +.Pp +Interface-specific parameters are listed below. +.Bl -tag -width Ds +.It Ic auth-key Ar key +Set the authentication key for +.Ic simple +authentication. +Up to 16 characters can be specified. +.It Ic auth-md Ar key-id key +Set the authentication +.Ar key-id +and +.Ar key +for +.Ic crypt +authentication. +The valid range for +.Ar key-id +is 0\-255. +Up to 16 characters can be specified for +.Ar key . +Multiple keys may be specified. +.It Ic auth-md-keyid Ar key-id +Configure the +.Ar key-id +to use for +.Ic crypt +authentication. +The valid range for +.Ar key-id +is 0\-255. +The default key-id is 1. +.It Xo +.Ic auth-type +.Po Ic none Ns | Ns +.Ic simple Ns | Ns Ic crypt Pc +.Xc +Set the authentication type. +The default is +.Ic none . +Simple authentication uses a plaintext password, up to 16 characters. +Crypt authentication uses an MD5 hash. +.It Ic cost Ar number +Cost of the network connected through this interface. +Values must be between 1 and 16, inclusive. +.It Ic demote Ar group +Increase the +.Xr carp 4 +demotion counter by 1 on the given interface group, usually +.Ar carp , +when the interface state is going down. +The demotion counter will be decreased when the interface +state is active again. +.It Ic passive +Prevent transmission and reception of RIP packets on this interface. +.El +.Sh FILES +.Bl -tag -width /etc/examples/ripd.conf -compact +.It Pa /etc/ripd.conf +.Xr ripd 8 +configuration file. +.It Pa /etc/examples/ripd.conf +Example configuration file. +.El +.Sh SEE ALSO +.Xr rc.conf.local 8 , +.Xr ripctl 8 , +.Xr ripd 8 +.Sh HISTORY +The +.Nm +file format first appeared in +.Ox 4.1 . diff --git a/static/openbsd/man5/rsync.5 b/static/openbsd/man5/rsync.5 new file mode 100644 index 00000000..574516ce --- /dev/null +++ b/static/openbsd/man5/rsync.5 @@ -0,0 +1,525 @@ +.\" $OpenBSD: rsync.5,v 1.14 2023/04/12 08:32:27 claudio Exp $ +.\" +.\" Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv> +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: April 12 2023 $ +.Dt RSYNC 5 +.Os +.Sh NAME +.Nm rsync +.Nd rsync wire protocol +.Sh DESCRIPTION +The +.Nm +protocol described in this relates to the BSD-licensed +.Xr openrsync 1 , +a re-implementation of the GPL-licensed reference utility +.Xr rsync 1 . +It is compatible with version 27 of the reference. +.Pp +In this document, the +.Qq client process +refers to the utility as run on the operator's local computer. +The +.Qq server process +is run either on the local or remote computer, depending upon the +command-line given file locations. +.Pp +There are a number of options in the protocol that are dictated by command-line +flags. +These will be noted as +.Fl D +for devices, +.Fl g +for group ids, +.Fl l +for links, +.Fl n +for dry-run, +.Fl o +for user ids, +.Fl r +for recursion, +.Fl v +for verbose, and +.Fl -delete +for deletion (before). +.Ss Data types +The binary protocol encodes all data in little-endian format. +Integers are signed 32-bit, shorts are signed 16-bit, bytes are unsigned +8-bit. +A long is variable-length. +For values less than the maximum integer, the value is transmitted and +read as a 32-bit integer. +For values greater, the value is transmitted first as a maximum integer, +then a 64-bit signed integer. +.Pp +There are three types of checksums: long (slow), short (fast), and +whole-file. +The fast checksum is a derivative of Adler-32. +The slow checksum is MD4, +made over the checksum seed first (serialised in little-endian format), +then the data. +The whole-file applies MD4 to the file first, then the checksum seed at +the end (also serialised in little-endian format). +.Ss Multiplexing +Most +.Nm +transmissions are wrapped in a multiplexing envelope protocol. +It is composed as follows: +.Pp +.Bl -enum -compact +.It +envelope header (4 bytes) +.It +envelope payload (arbitrary length) +.El +.Pp +The first byte of the envelope header consists of a tag. +If the tag is 7, the payload is normal data. +Otherwise, the payload is out-of-band server messages. +If the tag is 1, it is an error on the sender's part and must trigger an +exit. +This limits message payloads to 24 bit integer size, +.Li 0x00ffffff . +.Pp +The only data not using this envelope are the initial handshake between +client and server. +.Ss File list +A central part of the protocol is the file list, which is generated by +the sender. +It consists of all files that must be sent to the receiver, either +explicitly as given or recursively generated. +.Pp +The file list itself consists of filenames and attributes (mode, time, +size, etc.). +Filenames must be relative to the destination root and not be absolute +or contain backtracking. +So if a file is given to the sender as +.Pa ../../foo/bar , +it must be sent as +.Pa foo/bar . +.Pp +The file list should be cleaned of inappropriate files prior to sending. +For example, if +.Fl l +is not specified, symbolic links may be omitted. +Directory entries without +.Fl r +may also be omitted. +Duplicates may be omitted. +.Pp +The receiver +.Em must not +assume that the file list is clean. +It should not omit inappropriate files from the file list (which would +affect the indexing), but may omit them during processing. +.Pp +Prior to be sent from sender to receiver, and upon being received, the +file list must be lexicographically sorted such as with +.Xr strcmp 3 . +Subsequent references to the file are by index in the sorted list. +.Ss Client process +The client can operate in sender or receiver mode depending upon the +command-line source and destination. +.Pp +If the destination directory (sink) is remote, the client is in sender +mode: the client will push its data to the server. +If the source file is remote, it is in receiver mode: the server pushes +to the client. +If neither are remote, the client operates in sender mode. +These are all mutually exclusive. +.Pp +When the client starts, regardless its mode, it first handshakes the +server. +This exchange is +.Em not +multiplexed. +.Pp +.Bl -enum -compact +.It +send local version (integer) +.It +receive remote version (integer) +.It +receive random seed (integer) +.El +.Pp +Following this, the client multiplexes when reading from the server. +Transmissions sent from client to server are not multiplexed. +It then enters the +.Sx Update exchange +protocol. +.Ss Server process +The server can operate in sender or receiver mode depending upon how the +client starts the server. +This may be directly from the parent process (when invoked for local +files) or indirectly via a remote shell. +.Pp +When in sender mode, the server pushes data to the client. +(This is equivalent to receiver mode for the client.) +In receiver, the opposite is true. +.Pp +When the server starts, regardless the mode, it first handshakes the +client. +This exchange is +.Em not +multiplexed. +.Pp +.Bl -enum -compact +.It +send local version (integer) +.It +receive remote version (integer) +.It +send random seed (integer) +.El +.Pp +Following this, the server multiplexes when writing to the client. +(Transmissions received from the client are not multiplexed.) +It then enters the +.Sx Update exchange +protocol. +.Ss Update exchange +When the client or server is in sender mode, it begins by conditionally +sending the exclusion list. +At this time, this is always empty. +.Pp +.Bl -enum -compact +.It +if +.Fl -delete +and the client, exclusion list zero (integer) +.El +.Pp +It then sends the +.Sx File list . +Prior to being sent, the file list should be lexicographically sorted. +.Pp +.Bl -enum -compact +.It +status byte (integer) +.It +inherited filename length (optional, byte) +.It +filename length (integer or byte) +.It +file (byte array) +.It +file length (long) +.It +file modification time (optional, time_t, integer) +.It +file mode (optional, mode_t, integer) +.It +if +.Fl o , +the user id (integer) +.It +if +.Fl g , +the group id (integer) +.It +if a special file and +.Fl D , +the device +.Dq rdev +type (integer) +.It +if a symbolic link and +.Fl l , +the link target's length (integer) +.It +if a symbolic link and +.Fl l , +the link target (byte array) +.El +.Pp +The status byte may consist of the following bits and determines which +of the optional fields are transmitted. +.Pp +.Bl -tag -compact -width Ds +.It 0x01 +A top-level directory. +(Only applies to directory files.) +If specified, the matching local directory is for deletions. +.It 0x02 +Do not send the file mode: it is a repeat of the last file's mode. +.It 0x08 +Like +.Li 0x02 , +but for the user id. +.It 0x10 +Like +.Li 0x02 , +but for the group id. +.It 0x20 +Inherit some of the prior file name. +Enables the inherited filename length transmission. +.It 0x40 +Use full integer length for file name. +Otherwise, use only the byte length. +.It 0x80 +Do not send the file modification time: it is a repeat of the last +file's. +.El +.Pp +If the status byte is zero, the file-list has terminated. +.Pp +If +.Fl o +has been specified, the sender sends the list of all users encountered +in the file list. +Identifier zero +.Pq Qq root +is never transmitted, as it would prematurely end the list. +This list may be incomplete or empty: the server is not obligated to +properly fill it in with all relevant users. +.Pp +.Bl -enum -compact +.It +user identifier or zero to indicate end of set (integer) +.It +non-zero length of user name (byte) +.It +user name (prior length) +.El +.Pp +The same sequence is then sent for groups if +.Fl g +has been specified. +.Pp +The sender then sends any IO error values, which for +.Xr openrsync 1 +is always zero. +.Pp +.Bl -enum -compact +.It +constant zero (integer) +.El +.Pp +The server sender then reads the exclusion list, which is always zero. +.Pp +.Bl -enum -compact +.It +if server, constant zero (integer) +.El +.Pp +Following that, the sender receives data regarding the receiver's copy +of the file list contents. +This data is not ordered in any way. +Each of these requests starts as follows: +.Pp +.Bl -enum -compact +.It +file index or -1 to signal a change of phase (integer) +.El +.Pp +The phase starts in phase 1, then proceeds to phase 2, and phase 3 +signals an end of transmission (no subsequent blocks). +If a phase change occurs, the sender must write back the -1 constant +integer value and increment its phase state. +.Pp +Blocks are read as follows: +.Pp +.Bl -enum -compact +.It +block index (integer) +.El +.Pp +In +.Pq Fl n +mode, the sender may immediately write back the index (integer) to skip +the following. +.Pp +.Bl -enum -compact +.It +number of blocks (integer) +.It +block length in the file (integer) +.It +long checksum length (integer) +.It +terminal (remainder) block length (integer) +.El +.Pp +And for each block: +.Pp +.Bl -enum -compact +.It +short checksum (integer) +.It +long checksum (bytes of checksum length) +.El +.Pp +The client then compares the two files, block by block, and updates the +server with mismatches as follows. +.Pp +.Bl -enum -compact +.It +file index (integer) +.It +number of blocks (integer) +.It +block length (integer) +.It +long checksum length (integer) +.It +remainder block length (integer) +.El +.Pp +Then for each block: +.Pp +.Bl -enum -compact +.It +data chunk size (integer) +.It +data chunk (bytes) +.It +block index subsequent to chunk or zero for finished (integer) +.El +.Pp +Following this sequence, the sender sends the following: +.Pp +.Bl -enum -compact +.It +whole-file long checksum (16 bytes) +.El +.Pp +The sender then either handles the next queued file or, if the receiver +has written a phase change, the phase change step. +.Pp +If the sender is the server and +.Fl v +has been specified, the sender must send statistics. +.Pp +.Bl -enum -compact +.It +total bytes read (long) +.It +total bytes written (long) +.It +total size of files (long) +.El +.Pp +Finally, the sender must read a final constant-value integer. +.Pp +.Bl -enum -compact +.It +end-of-sequence -1 value (integer) +.El +.Pp +If in receiver mode, the inverse above (write instead of read, read +instead of write) is performed. +.Pp +The receiver begins by conditionally writing, then reading, the +exclusion list count, which is always zero. +.Pp +.Bl -enum -compact +.It +if client, send zero (integer) +.It +if receiver and +.Fl -delete , +read zero (integer) +.El +.Pp +The receiver then proceeds with reading the +.Sx File list +as already +defined. +Following the list, the receiver reads the IO error, which must be zero. +.Pp +.Bl -enum -compact +.It +constant zero (integer) +.El +.Pp +The receiver must then sort the file names lexicographically. +.Pp +If there are no files in the file list at this time, the receiver must +exit prior to sending per-file data. +It then proceeds with the file blocks. +.Pp +For file blocks, the receiver must look at each file that is not up to +date, defined by having the same file size and timestamp, and send it to +the server. +Symbolic links and directory entries are never sent to the server. +.Pp +After the second phase has completed and prior to writing the +end-of-data signal, the client receiver reads statistics. +This is only performed with +.Pq Fl v . +.Pp +.Bl -enum -compact +.It +total bytes read (long) +.It +total bytes written (long) +.It +total size of files (long) +.El +.Pp +Finally, the receiver must send the constant end-of-sequence marker. +.Pp +.Bl -enum -compact +.It +end-of-sequence -1 value (integer) +.El +.Ss Sender and receiver asynchrony +The sender and receiver need not work in lockstep. +The receiver may send file update requests as quickly as it parses them, +and respond to the sender's update notices on demand. +Similarly, the sender may read as many update requests as it can, and +service them in any order it wishes. +.Pp +The sender and receiver synchronise state only at the end of phase. +.Pp +The reference +.Xr rsync 1 +takes advantage of this with a two-process receiver, one for sending +update requests (the generator) and another for receiving. +.Xr openrsync 1 +uses an event-loop model instead. +.\" .Sh CONTEXT +.\" For section 9 functions only. +.\" .Sh RETURN VALUES +.\" For sections 2, 3, and 9 function return values only. +.\" .Sh ENVIRONMENT +.\" For sections 1, 6, 7, and 8 only. +.\" .Sh FILES +.\" .Sh EXIT STATUS +.\" For sections 1, 6, and 8 only. +.\" .Sh EXAMPLES +.\" .Sh DIAGNOSTICS +.\" For sections 1, 4, 6, 7, 8, and 9 printf/stderr messages only. +.\" .Sh ERRORS +.\" For sections 2, 3, 4, and 9 errno settings only. +.Sh SEE ALSO +.Xr openrsync 1 , +.Xr rsync 1 , +.Xr rsyncd 5 +.\" .Sh STANDARDS +.\" .Sh HISTORY +.\" .Sh AUTHORS +.\" .Sh CAVEATS +.Sh BUGS +Time values are sent as 32-bit integers. +.Pp +When in server mode +.Em and +when communicating to a client with a newer protocol (>27), the phase +change integer (-1) acknowledgement must be sent twice by the sender. +The is probably a bug in the reference implementation. diff --git a/static/openbsd/man5/rsyncd.5 b/static/openbsd/man5/rsyncd.5 new file mode 100644 index 00000000..15e576d1 --- /dev/null +++ b/static/openbsd/man5/rsyncd.5 @@ -0,0 +1,135 @@ +.\" $OpenBSD: rsyncd.5,v 1.3 2019/02/18 21:34:54 benno Exp $ +.\" +.\" Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv> +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: February 18 2019 $ +.Dt RSYNCD 5 +.Os +.Sh NAME +.Nm rsyncd +.Nd rsyncd wire protocol +.Sh DESCRIPTION +The +.Nm +protocol described in this relates to the BSD-licensed +.Xr openrsync 1 , +a re-implementation of the GPL-licensed reference utility +.Xr rsync 1 . +It is compatible with version 27 of the reference. +.Pp +The +.Nm +protocol is an envelope protocol for +.Xr rsync 5 +between a client and an rsync://-capable server. +It provides a means to exchange capabilities information prior to file +transfer. +.Pp +In this document, +.Qq client +refers to the +.Xr openrsync 1 +utility making the request. +It follows that +.Qq server +refers to the daemon servicing the request. +.Pp +A connection between a client and server consists of host, a module, and +zero or more paths. +.Pp +.Dl openrsync rsync://host/module/path1 rsync://host/path2... dest +.Pp +At this time, operating in sender mode (with the rsync:// host receiving +information) is not described in this document. +.Ss Data types +These are the same as in +.Xr rsync 5 . +A newline is always a standalone \en. +.Ss Client process +After initialising a connection, the client and server exchange the +following information, in order. +This portion of the process is +.Em not +multiplexed. +.Pp +.Bl -enum -compact +.It +client sends requested module followed by newline +.It +server responds with preamble followed by standalone newline +.El +.Pp +The requested module must have non-zero length. +The preamble consists in a sequence of lines. +Each line either contains free-form text sent by the server as a +.Qq motd +.Pq message of the day +or a command: +.Pp +.Dl @RSYNCD: command\en +.Pp +The only supported command is the server protocol specification: +.Pp +.Dl @RSYNCD: xx[.yy]\en +.Pp +The optional component is the submodule, which may be discarded. +The version may only be specified once. +Both the motd and commands end in the special termination command: +.Pp +.Dl @RSYNCD: OK\en +.Pp +Following that, the client must send the command-line arguments that +would otherwise be used to start a +.Xr openrsync 1 +server. +Each argument must be specified on its own line, e.g., +.Pp +.Dl --server\en--sender\en-r\en-t\en.\enpath1\enpath2 +.Pp +This must be followed by a standalone newline. +.Pp +If the server does not understand or accept any of the command-line +arguments, it will exit at this point. +.Pp +Following this, the client must read the integer-length session checksum +seed. +Multiplexing is subsequently enabled. +.Pp +The sequence that follows is stipulated in +.Xr rsync 5 +following the handshake. +.\" The following requests should be uncommented and used where appropriate. +.\" .Sh CONTEXT +.\" For section 9 functions only. +.\" .Sh RETURN VALUES +.\" For sections 2, 3, and 9 function return values only. +.\" .Sh ENVIRONMENT +.\" For sections 1, 6, 7, and 8 only. +.\" .Sh FILES +.\" .Sh EXIT STATUS +.\" For sections 1, 6, and 8 only. +.\" .Sh EXAMPLES +.\" .Sh DIAGNOSTICS +.\" For sections 1, 4, 6, 7, 8, and 9 printf/stderr messages only. +.\" .Sh ERRORS +.\" For sections 2, 3, 4, and 9 errno settings only. +.Sh SEE ALSO +.Xr openrsync 1 , +.Xr rsync 5 +.\" .Sh STANDARDS +.\" .Sh HISTORY +.\" .Sh AUTHORS +.\" .Sh CAVEATS +.\" .Sh BUGS diff --git a/static/openbsd/man5/sasyncd.conf.5 b/static/openbsd/man5/sasyncd.conf.5 new file mode 100644 index 00000000..c772d610 --- /dev/null +++ b/static/openbsd/man5/sasyncd.conf.5 @@ -0,0 +1,194 @@ +.\" $OpenBSD: sasyncd.conf.5,v 1.20 2021/02/01 16:39:50 sthen Exp $ +.\" +.\" Copyright (c) 2005 Håkan Olsson. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.\" This code was written under funding by Multicom Security AB. +.\" +.\" Manual page for sasyncd.conf +.\" +.Dd $Mdocdate: February 1 2021 $ +.Dt SASYNCD.CONF 5 +.Os +.Sh NAME +.Nm sasyncd.conf +.Nd configuration file for sasyncd +.Sh DESCRIPTION +.Nm +is the configuration file for the +.Xr sasyncd 8 +daemon. +.Pp +The current line can be extended over multiple lines using a backslash +.Pq Sq \e . +Comments can be put anywhere in the file using a hash mark +.Pq Sq # , +and extend to the end of the current line. +Care should be taken when commenting out multi-line text: +the comment is effective until the end of the entire block. +.Pp +Since the file contains the shared secret key used to encrypt data +between this host and the others, +.Pa /etc/sasyncd.conf +must be owned either by +.Dq root +or the +.Dq _isakmpd +pseudo user and be readable only by this owner, e.g.\& +.Bd -literal -offset indent +# chown root /etc/sasyncd.conf +# chmod 0600 /etc/sasyncd.conf +.Ed +.Pp +The following configuration settings are understood: +.Bl -tag -width Ds +.It Xo +.Ic interface +.Ar interface +.Xc +Specify which +.Xr carp 4 +interface +.Xr sasyncd 8 +should track master/slave state on. +.It Xo +.Ic group +.Ar group +.Xc +Specify on which interface group +.Xr sasyncd 8 +should increase the demotion counter. +This has the effect of suppressing +.Xr carp 4 +preemption while initial +.Xr sasyncd 8 +state is established. +The default is to use the +.Dq carp +group. +.Pp +For more information on interface groups, +see the +.Ic group +keyword in +.Xr ifconfig 8 . +.It Ic flushmode sync | startup | never +Controls how the +.Xr sasyncd 8 +master host handles SADB_FLUSH messages to its slaves. +.Pp +.Bl -tag -width "startupXX" -offset indent -compact +.It Ic sync +Pass any SADB_FLUSH messages along. +For example, in this mode +.Xr sasyncd 8 +will synchronize an +.Ic ipsecctl -F +command to all connected slaves. +For more information, see +.Xr ipsecctl 8 . +.It Ic startup +Send a SADB_FLUSH message to the slaves as they connect, and act as +.Ic sync +afterwards. +This is the default. +.It Ic never +Never send SADB_FLUSH messages. +.El +.It Xo +.Ic listen on Ar address +.Op Ar family +.Op Ic port Ar port +.Xc +Specify a local IP address, hostname, or interface the +.Xr sasyncd 8 +daemon should listen on. +The default is to listen on all local addresses. +When using an interface name, +.Ar family +may be given as +.Dq inet +or +.Dq inet6 +to only bind using the specified address family. +Finally, +.Ar port +can be used to specify which TCP port +.Xr sasyncd 8 +should listen to. +The default is to listen to port 500. +.It Ic mode master | slave +Force the daemon to run as master or slave. +Normally only intended for debugging use. +.It Ic mode skipslave +Prevent the daemon from syncing SA or SPD messages where the source or +destination address is one of the configured peers. +Intended to permit IPsec +.Xr pfsync 4 +protection. +This mode is experimental. +.It Ic peer Ar address +Specify a +.Xr sasyncd 8 +peer IP address or hostname. +May be specified multiple times. +For example: +.Bd -literal -offset indent +peer 10.0.0.2 +peer 10.0.0.3 +peer 10.0.0.4 +.Ed +.It Ic sharedkey Ar key +The shared AES key used to encrypt messages between +.Xr sasyncd 8 +hosts. +This configuration setting is required and must be either 16, 24 or 32 +bytes long (corresponding to AES using a 128, 192 or 256 bit key). +.It Ic control isakmpd | iked | all | none +By default, +.Xr sasyncd 8 +tracks its local master/slave mode and toggles the passive mode of +.Xr isakmpd 8 +accordingly. +This option can be changed to control +.Xr iked 8 +instead, +to control all supported daemons at the same time, +or to turn it off to synchronize SAs only. +.El +.Sh FILES +.Bl -tag -width /etc/examples/sasyncd.conf -compact +.It Pa /etc/sasyncd.conf +.It Pa /etc/examples/sasyncd.conf +.El +.Sh SEE ALSO +.Xr chmod 1 , +.Xr carp 4 , +.Xr chown 8 , +.Xr ipsecctl 8 , +.Xr sasyncd 8 +.Sh HISTORY +The +.Nm +file format first appeared in +.Ox 3.8 . diff --git a/static/openbsd/man5/scr_dump.5 b/static/openbsd/man5/scr_dump.5 new file mode 100644 index 00000000..f55c70e8 --- /dev/null +++ b/static/openbsd/man5/scr_dump.5 @@ -0,0 +1,417 @@ +.\"*************************************************************************** +.\" Copyright 2018-2021,2023 Thomas E. Dickey * +.\" Copyright 2017 Free Software Foundation, Inc. * +.\" * +.\" Permission is hereby granted, free of charge, to any person obtaining a * +.\" copy of this software and associated documentation files (the * +.\" "Software"), to deal in the Software without restriction, including * +.\" without limitation the rights to use, copy, modify, merge, publish, * +.\" distribute, distribute with modifications, sublicense, and/or sell * +.\" copies of the Software, and to permit persons to whom the Software is * +.\" furnished to do so, subject to the following conditions: * +.\" * +.\" The above copyright notice and this permission notice shall be included * +.\" in all copies or substantial portions of the Software. * +.\" * +.\" THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS * +.\" OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF * +.\" MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. * +.\" IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, * +.\" DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR * +.\" OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR * +.\" THE USE OR OTHER DEALINGS IN THE SOFTWARE. * +.\" * +.\" Except as contained in this notice, the name(s) of the above copyright * +.\" holders shall not be used in advertising or otherwise to promote the * +.\" sale, use or other dealings in this Software without prior written * +.\" authorization. * +.\"*************************************************************************** +.\" +.\" $Id: scr_dump.5,v 1.1 2023/10/17 09:52:08 nicm Exp $ +.TH scr_dump 5 2023-07-01 "ncurses 6.4" "File formats" +.ie \n(.g .ds `` \(lq +.el .ds `` `` +.ie \n(.g .ds '' \(rq +.el .ds '' '' +.de NS +.ie n .sp +.el .sp .5 +.ie n .in +4 +.el .in +2 +.nf +.ft CR \" Courier +.. +.de NE +.fi +.ft R +.ie n .in -4 +.el .in -2 +.. +.de bP +.ie n .IP \(bu 4 +.el .IP \(bu 2 +.. +.SH NAME +scr_dump \- format of curses screen-dumps. +.SH SYNOPSIS +.B scr_dump +.SH DESCRIPTION +The curses library provides applications with the ability to write the +contents of a window to an external file using \fBscr_dump\fP or \fBputwin\fP, +and read it back using \fBscr_restore\fP or \fBgetwin\fP. +.PP +The \fBputwin\fP and \fBgetwin\fP functions do the work; +while \fBscr_dump\fP and \fBscr_restore\fP conveniently save and restore +the whole screen, i.e., \fBstdscr\fP. +.SS ncurses6 +A longstanding implementation of screen-dump was +revised with ncurses6 to remedy problems with the earlier approach: +.bP +A \*(``magic number\*('' is written to the beginning of the dump file, +allowing applications (such as \fBfile\fP(1)) to recognize curses dump files. +.IP +Because ncurses6 uses a new format, +that requires a new magic number +was unused by other applications. +This 16-bit number was unused: +.NS +0x8888 (octal \*(``\\210\\210\*('') +.NE +.IP +but to be more certain, this 32-bit number was chosen: +.NS +0x88888888 (octal \*(``\\210\\210\\210\\210\*('') +.NE +.IP +This is the pattern submitted to the maintainers of the \fBfile\fP program: +.NS +# +# ncurses5 (and before) did not use a magic number, +# making screen dumps "data". +# +# ncurses6 (2015) uses this format, ignoring byte-order +0 string \\210\\210\\210\\210ncurses ncurses6 screen image +# +.NE +.bP +The screen dumps are written in textual form, +so that internal data sizes are not directly related to the dump-format, and +enabling the library to read dumps from either narrow- or wide-character- +configurations. +.IP +The \fInarrow\fP library configuration holds characters and video attributes +in a 32-bit \fBchtype\fP, while the \fIwide-character\fP library stores +this information in the \fBcchar_t\fP structure, which is much larger than +32-bits. +.bP +It is possible to read a screen dump into a terminal with a different +screen-size, +because the library truncates or fills the screen as necessary. +.bP +The ncurses6 \fBgetwin\fP reads the legacy screen dumps from ncurses5. +.SS ncurses5 (legacy) +The screen-dump feature was added to ncurses in June 1995. +While there were fixes and improvements in succeeding years, +the basic scheme was unchanged: +.bP +The \fBWINDOW\fP structure was written in binary form. +.bP +The \fBWINDOW\fP structure refers to lines of data, +which were written as an array of binary data following the \fBWINDOW\fP. +.bP +When \fBgetwin\fP restored the window, +it would keep track of offsets into the array of line-data +and adjust the \fBWINDOW\fP structure which was read back into memory. +.PP +This is similar to Unix SystemV, +but does not write a \*(``magic number\*('' to identify the file format. +.SH PORTABILITY +There is no standard format for \fBputwin\fP. +This section gives a brief description of the existing formats. +.SS X/Open Curses +Refer to \fIX/Open Curses, Issue 7\fP (2009). +.PP +X/Open's documentation for \fIenhanced curses\fP says only: +.RS 3 +.PP +The \fBgetwin(\ ) \fPfunction reads window-related data +stored in the file by \fIputwin(\ )\fP. +The function +then creates and initializes a new window using that data. +.PP +The \fBputwin(\ )\fP function writes all data associated +with \fIwin\fP into the \fBstdio\fP(3) stream to which \fIfilep\fP +points, using an \fBunspecified format\fP. +This information can be retrieved later using \fBgetwin(\ )\fP. +.RE +.PP +In the mid-1990s when the X/Open Curses document was written, +there were still systems using older, less capable curses libraries +(aside from the BSD curses library which was not relevant to X/Open +because it did not meet the criteria for \fIbase curses\fP). +The document explained the term \*(``enhanced\*('' as follows: +.RS 3 +.bP +Shading is used to identify \fIX/Open Enhanced Curses\fP material, +relating to interfaces included to provide enhanced capabilities +for applications originally written to be compiled on systems +based on the UNIX operating system. +Therefore, the features described may not be present on systems +that conform to \fBXPG4 or to earlier XPG releases\fP. +The relevant reference pages may provide additional +or more specific portability warnings about use of the material. +.RE +.PP +In the foregoing, emphasis was added to \fBunspecified format\fP +and to \fBXPG4 or to earlier XPG releases\fP, +for clarity. +.SS Unix SystemV +Unix SystemV curses identified the file format by writing a +\*(``magic number\*('' at the beginning of the dump. +The \fBWINDOW\fP data and the lines of text follow, all in binary form. +.PP +The Solaris curses source has these definitions: +.NS +/* terminfo magic number */ +#define MAGNUM 0432 + +/* curses screen dump magic number */ +#define SVR2_DUMP_MAGIC_NUMBER 0433 +#define SVR3_DUMP_MAGIC_NUMBER 0434 +.NE +.PP +That is, the feature was likely introduced in SVr2 (1984), +and improved in SVr3 (1987). +The Solaris curses source has no magic number for SVr4 (1989). +Other operating systems (AIX and HPUX) use a magic number which would +correspond to this definition: +.NS +/* curses screen dump magic number */ +#define SVR4_DUMP_MAGIC_NUMBER 0435 +.NE +.PP +That octal number in bytes is 001, 035. +Because most Unix vendors use big-endian hardware, +the magic number is written with the high-order byte first, e.g., +.NS +\001\035 +.NE +.PP +After the magic number, the \fBWINDOW\fP structure and line-data are +written in binary format. +While the magic number used by the Unix systems can be seen using \fBod\fP(1), +none of the Unix systems documents the format used for screen-dumps. +.PP +The Unix systems do not use identical formats. +While collecting information for for this manual page, +the \fIsavescreen\fP test-program +produced dumps of different size +(all on 64-bit hardware, on 40x80 screens): +.bP +AIX (51817 bytes) +.bP +HPUX (90093 bytes) +.bP +Solaris 10 (13273 bytes) +.bP +ncurses5 (12888 bytes) +.SS Solaris +As noted above, Solaris curses has no magic number corresponding +to SVr4 curses. +This is odd since Solaris was the first operating system +to pass the SVr4 guidelines. +Solaris has two versions of curses: +.bP +The default curses library uses the SVr3 magic number. +.bP +There is an alternate curses library in \fB/usr/xpg4\fP. +This uses a textual format with no magic number. +.IP +According to the copyright notice, the \fIxpg4\fP Solaris curses library was +developed by MKS (Mortice Kern Systems) from 1990 to 1995. +.IP +Like ncurses6, there is a file-header with parameters. +Unlike ncurses6, the contents of the window are written piecemeal, +with coordinates and attributes for each chunk of text rather +than writing the whole window from top to bottom. +.SS PDCurses +PDCurses added support for screen dumps in version 2.7 (2005). +Like Unix SystemV and ncurses5, +it writes the \fBWINDOW\fP structure in binary, +but begins the file with its three-byte identifier \*(``PDC\*('', +followed by a one-byte version, +e.g., +.NS + \*(``PDC\\001\*('' +.NE +.SS NetBSD +As of April 2017, NetBSD curses does +not support \fBscr_dump\fP and \fBscr_restore\fP +(or \fBscr_init\fP, \fBscr_set\fP), +although it has \fBputwin\fP and \fBgetwin\fP. +.PP +Like ncurses5, NetBSD \fBputwin\fP does not identify its dumps with a +useful magic number. +It writes +.bP +the curses shared library major and minor versions +as the first two bytes (e.g., 7 and 1), +.bP +followed by a binary dump of the \fBWINDOW\fP, +.bP +some data for wide-characters referenced by the \fBWINDOW\fP structure, and +.bP +finally, lines as done by other implementations. +.SH EXAMPLE +Given a simple program which writes text to the screen +(and for the sake of example, limiting the screen-size to 10x20): +.NS +#include <curses.h> + +int +main(void) +{ + putenv("LINES=10"); + putenv("COLUMNS=20"); + initscr(); + start_color(); + init_pair(1, COLOR_WHITE, COLOR_BLUE); + init_pair(2, COLOR_RED, COLOR_BLACK); + bkgd(COLOR_PAIR(1)); + move(4, 5); + attron(A_BOLD); + addstr("Hello"); + move(5, 5); + attroff(A_BOLD); + attrset(A_REVERSE | COLOR_PAIR(2)); + addstr("World!"); + refresh(); + scr_dump("foo.out"); + endwin(); + return 0; +} +.NE +.PP +When run using ncurses6, the output looks like this: +.NS +\\210\\210\\210\\210ncurses 6.0.20170415 +_cury=5 +_curx=11 +_maxy=9 +_maxx=19 +_flags=14 +_attrs=\\{REVERSE|C2} +flag=_idcok +_delay=-1 +_regbottom=9 +_bkgrnd=\\{NORMAL|C1}\\s +rows: +1:\\{NORMAL|C1}\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s +2:\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s +3:\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s +4:\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s +5:\\s\\s\\s\\s\\s\\{BOLD}Hello\\{NORMAL}\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s +6:\\s\\s\\s\\s\\s\\{REVERSE|C2}World!\\{NORMAL|C1}\\s\\s\\s\\s\\s\\s\\s\\s\\s +7:\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s +8:\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s +9:\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s +10:\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s\\s +.NE +.PP +The first four octal escapes are actually nonprinting characters, +while the remainder of the file is printable text. +You may notice: +.bP +The actual color pair values are not written to the file. +.bP +All characters are shown in printable form; spaces are \*(``\\s\*('' to +ensure they are not overlooked. +.bP +Attributes are written in escaped curly braces, e.g., \*(``\\{BOLD}\*('', +and may include a color-pair (C1 or C2 in this example). +.bP +The parameters in the header are written out only if they are nonzero. +When reading back, order does not matter. +.ne 10 +.PP +Running the same program with Solaris \fIxpg4\fP curses gives this dump: +.NS +MAX=10,20 +BEG=0,0 +SCROLL=0,10 +VMIN=1 +VTIME=0 +FLAGS=0x1000 +FG=0,0 +BG=0,0, +0,0,0,1, +0,19,0,0, +1,0,0,1, +1,19,0,0, +2,0,0,1, +2,19,0,0, +3,0,0,1, +3,19,0,0, +4,0,0,1, +4,5,0x20,0,Hello +4,10,0,1, +4,19,0,0, +5,0,0,1, +5,5,0x4,2,World! +5,11,0,1, +5,19,0,0, +6,0,0,1, +6,19,0,0, +7,0,0,1, +7,19,0,0, +8,0,0,1, +8,19,0,0, +9,0,0,1, +9,19,0,0, +CUR=11,5 +.NE +.PP +Solaris \fBgetwin\fP requires that all parameters are present, and +in the same order. +The \fIxpg4\fP curses library does not know about the \fBbce\fP +(back color erase) capability, and does not color the window background. +.ne 10 +.PP +On the other hand, the SVr4 curses library does know about the background color. +However, its screen dumps are in binary. +Here is the corresponding dump (using \*(``od -t x1\*(''): +.NS +0000000 1c 01 c3 d6 f3 58 05 00 0b 00 0a 00 14 00 00 00 +0000020 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 +0000040 00 00 b8 1a 06 08 cc 1a 06 08 00 00 09 00 10 00 +0000060 00 00 00 80 00 00 20 00 00 00 ff ff ff ff 00 00 +0000100 ff ff ff ff 00 00 00 00 20 80 00 00 20 80 00 00 +0000120 20 80 00 00 20 80 00 00 20 80 00 00 20 80 00 00 +* +0000620 20 80 00 00 20 80 00 00 20 80 00 00 48 80 00 04 +0000640 65 80 00 04 6c 80 00 04 6c 80 00 04 6f 80 00 04 +0000660 20 80 00 00 20 80 00 00 20 80 00 00 20 80 00 00 +* +0000740 20 80 00 00 20 80 00 00 20 80 00 00 57 00 81 00 +0000760 6f 00 81 00 72 00 81 00 6c 00 81 00 64 00 81 00 +0001000 21 00 81 00 20 80 00 00 20 80 00 00 20 80 00 00 +0001020 20 80 00 00 20 80 00 00 20 80 00 00 20 80 00 00 +* +0001540 20 80 00 00 20 80 00 00 00 00 f6 d1 01 00 f6 d1 +0001560 08 00 00 00 40 00 00 00 00 00 00 00 00 00 00 07 +0001600 00 04 00 01 00 01 00 00 00 01 00 00 00 00 00 00 +0001620 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +* +0002371 +.NE +.SH SEE ALSO +\fBcurs_scr_dump\fP(3), +\fBcurs_util\fP(3). +.SH AUTHORS +Thomas E. Dickey +.br +extended screen-dump format for ncurses 6.0 (2015) +.sp +Eric S. Raymond +.br +screen dump feature in ncurses 1.9.2d (1995) diff --git a/static/openbsd/man5/securenet.5 b/static/openbsd/man5/securenet.5 new file mode 100644 index 00000000..ff25573b --- /dev/null +++ b/static/openbsd/man5/securenet.5 @@ -0,0 +1,68 @@ +.\" $OpenBSD: securenet.5,v 1.12 2015/09/10 15:16:44 schwarze Exp $ +.\" +.\" Copyright (c) 1994 Mats O Jansson <moj@stacken.kth.se> +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS +.\" OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY +.\" DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.Dd $Mdocdate: September 10 2015 $ +.Dt SECURENET 5 +.Os +.Sh NAME +.Nm securenet +.Nd ypserv(8) configuration file for secure networks +.Sh DESCRIPTION +The +.Nm +file controls which hosts can connect to the +.Nm YP +server. +.Pp +The format is rather simple. +Each row consists of two items. +The first item is the network mask. +The second item is the network. +.Sh FILES +.Bl -tag -width /var/yp/securenet -compact +.It Pa /var/yp/securenet +a +.Xr ypserv 8 +configuration file +.El +.Sh EXAMPLES +A configuration file might look like the following: +.Bd -literal +# +# Only my local net is secure. +# +255.255.255.0 139.58.253.0 +.Ed +.Sh SEE ALSO +.Xr ypserv.acl 5 , +.Xr yp 8 , +.Xr ypserv 8 +.Sh HISTORY +The +.Nm securenet +file was added to +.Tn NIS +by Sun Microsystems, Inc. as a bugfix for weak security. diff --git a/static/openbsd/man5/sensorsd.conf.5 b/static/openbsd/man5/sensorsd.conf.5 new file mode 100644 index 00000000..10b98186 --- /dev/null +++ b/static/openbsd/man5/sensorsd.conf.5 @@ -0,0 +1,204 @@ +.\" $OpenBSD: sensorsd.conf.5,v 1.29 2020/02/10 13:18:22 schwarze Exp $ +.\" +.\" Copyright (c) 2003 Henning Brauer <henning@openbsd.org> +.\" Copyright (c) 2005 Matthew Gream <matthew.gream@pobox.com> +.\" Copyright (c) 2007 Constantine A. Murenin <cnst@openbsd.org> +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: February 10 2020 $ +.Dt SENSORSD.CONF 5 +.Os +.Sh NAME +.Nm sensorsd.conf +.Nd configuration file for sensorsd +.Sh DESCRIPTION +The +.Nm +file is read by +.Xr sensorsd 8 +to configure hardware sensor monitoring. +Each variable in the +.Xr sysctl 2 +.Va hw.sensors +subtree represents a sensor. +Each sensor is matched by at most one entry in +.Nm , +which may specify high and low limits, +and whether sensor status changes provided by the driver should be ignored. +Each time the limits are crossed in either direction +or the status provided by the driver changes, +.Xr sensorsd 8 Ns 's +alert functionality is triggered and a command, if specified, is +executed. +.Pp +.Nm +follows the syntax of configuration databases as documented in +.Xr cgetent 3 . +Sensors may be specified by their full +.Va hw.sensors +.Xr sysctl 8 +variable name or by type, +with the full name taking precedence. +For example, if an entry +.Dq hw.sensors.lm0.temp1 +is not found, then an entry for +.Dq temp +will instead be looked for. +.Pp +The following attributes may be used: +.Pp +.Bl -tag -width "commandXX" -offset indent -compact +.It Li command +Specify a command to be executed on state change. +.It Li high +Specify the largest acceptable value. +.It Li low +Specify the smallest acceptable value. +.It Li istatus +Ignore status provided by the driver. +.El +.Pp +The values for temperature sensors can be given in degrees Celsius or +Fahrenheit, for voltage sensors in volts, and fan speed sensors take a +unit-less number representing RPM. +For Boolean sensors, specify 0 for +.Qq Off +or 1 for +.Qq On . +Values for all other types of sensors can be specified +in the same units as they appear under the +.Xr sysctl 8 +.Va hw.sensors +tree. +.Pp +Sensors that provide status (such as those from +.Xr bio 4 , +.Xr esm 4 , +or +.Xr ipmi 4 ) +do not require boundary values specified +and simply trigger on status transitions. +If boundaries are specified nonetheless, +then they are used in addition to automatic status monitoring, +unless the +.Dq istatus +attribute is specified to ignore status values that are provided by the drivers. +.Pp +The command is executed when there is any change in sensor state. +Tokens in the command are substituted as follows: +.Pp +.Bl -tag -width Ds -offset indent -compact +.It %l +Whether the value exceeds or is within the user specified limits. +Can be one of: "below", "above", "within", "invalid", or "uninitialised". +.It %n +The sensor number. +.It %s +The sensor status. +.It %x +The xname of the device the sensor sits on. +.It %t +The type of sensor. +.It %2 +The sensor's current value. +.It %3 +The sensor's low limit. +.It %4 +The sensor's high limit. +.El +.Pp +For Boolean sensors, %2, %3, and %4 are substituted with +.Qq On +or +.Qq Off . +.Pp +By default, +.Xr sensorsd 8 +monitors status changes on all sensors that keep their state. +This behaviour may be altered by using the +.Dq istatus +attribute to ignore +status changes of sensors of a certain type +or individual sensors. +.Sh FILES +.Bl -tag -width /etc/examples/sensorsd.conf -compact +.It Pa /etc/sensorsd.conf +Configuration file for +.Xr sensorsd 8 . +.It Pa /etc/examples/sensorsd.conf +Example configuration file. +.El +.Sh EXAMPLES +In the following configuration file, +if hw.sensors.ipmi0.temp0 moves upwards beyond 80C +or downwards to 80C or less or if its status as provided by +.Xr ipmi 4 +changes, the command +.Pa /etc/sensorsd/log_warning +will be executed, +with the sensor type, number and current value passed to it. +Alerts will be sent +if hw.sensors.lm0.volt3 moves into or out of +the range from 4.8V to 5.2V, inclusive; +if the speed of the fan attached to hw.sensors.lm0.fan1 +transitions to being below or above 1000RPM; +if any RAID volume drive +changes its status from, for example, +.Dq OK , +such as in the case of drive failure, rebuild, or a complete failure, +the command +.Pa /etc/sensorsd/drive +will be executed, with the sensor number passed to it; however, +no alerts will be generated for status changes on timedelta sensors. +For all other sensors whose drivers automatically provide +sensor status updates, alerts will be generated +each time those sensors undergo status transitions. +.Bd -literal -offset indent +# Comments are allowed +hw.sensors.ipmi0.temp0:high=80C:command=/etc/sensorsd/log_warning %t %n %2 +hw.sensors.lm0.volt3:low=4.8V:high=5.2V +hw.sensors.lm0.fan1:low=1000 +drive:command=/etc/sensorsd/drive %n +timedelta:istatus #ignore status changes for timedelta +.Ed +.Sh SEE ALSO +.Xr cgetent 3 , +.Xr bio 4 , +.Xr ipmi 4 , +.Xr sensorsd 8 , +.Xr sysctl 8 +.Sh HISTORY +The +.Nm +file format first appeared in +.Ox 3.5 . +The format was altered in +.Ox 4.1 +to accommodate hierarchical device-based sensor addressing. +The +.Dq istatus +attribute was introduced in +.Ox 4.2 . +.Sh CAVEATS +Alert functionality is triggered every time there is a change in sensor state; +for example, when +.Xr sensorsd 8 +is started, +the status of each monitored sensor changes +from undefined to whatever it is. +One must keep this in mind when using commands +that may unconditionally perform adverse actions (e.g.\& +.Xr shutdown 8 ) , +as they will be executed even when all sensors perform to specification. +If this is undesirable, then a wrapper shell script should be used instead. diff --git a/static/openbsd/man5/skey.5 b/static/openbsd/man5/skey.5 new file mode 100644 index 00000000..104a4ff7 --- /dev/null +++ b/static/openbsd/man5/skey.5 @@ -0,0 +1,88 @@ +.\" $OpenBSD: skey.5,v 1.10 2026/03/22 15:17:09 millert Exp $ +.\" +.\" Copyright (c) 2002 Todd C. Miller <millert@openbsd.org> +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.\" Sponsored in part by the Defense Advanced Research Projects +.\" Agency (DARPA) and Air Force Research Laboratory, Air Force +.\" Materiel Command, USAF, under agreement number F39502-99-1-0512. +.\" +.Dd $Mdocdate: March 22 2026 $ +.Dt SKEY 5 +.Os +.Sh NAME +.Nm skey +.Nd one-time password user database +.Sh DESCRIPTION +The +.Pa /etc/skey +directory contains user records for the S/Key one-time password authentication +system. +.Pp +Records take the form of files within +.Pa /etc/skey , +where each file is named for the user whose record it contains. +For example, +.Pa /etc/skey/root +would hold root's S/Key record. +.Pp +The mode for +.Pa /etc/skey +should be 01730 and it should be owned by root and group auth. +Individual records within +.Pa /etc/skey +should be owned by the user they describe and be mode 0600. +To access S/Key records, a process must run as group auth. +.Pp +Each record consists of five lines: +.Bl -enum +.It +The name of the user the record describes. +This should be the same as the name of the file. +.It +The hash type used for this entry: +one of md5, sha1, or rmd160. +The default is md5. +.It +The sequence number. +This is a decimal number between one and ten thousand. +Each time the user authenticates via S/Key this number is decremented by one. +.It +A seed used along with the sequence number and the six S/Key words to +compute the value. +.It +The value expected from the crunching of the user's seed, sequence number, +and the six S/Key words. +When the result matches this value, authentication is considered to have +been successful. +.El +.Sh FILES +.Bl -tag -width /etc/skey -compact +.It Pa /etc/skey +.El +.Sh EXAMPLES +Here is a sample +.Pa /etc/skey +file for root: +.Bd -literal -offset indent +root +md5 +99 +obsd36521 +1f4359a3764b675d +.Ed +.Sh SEE ALSO +.Xr skey 1 , +.Xr skeyinit 1 , +.Xr skey 3 diff --git a/static/openbsd/man5/smtpd.conf.5 b/static/openbsd/man5/smtpd.conf.5 new file mode 100644 index 00000000..ddea17b2 --- /dev/null +++ b/static/openbsd/man5/smtpd.conf.5 @@ -0,0 +1,1387 @@ +.\" $OpenBSD: smtpd.conf.5,v 1.283 2026/04/04 19:18:37 martijn Exp $ +.\" +.\" Copyright (c) 2008 Janne Johansson <jj@openbsd.org> +.\" Copyright (c) 2009 Jacek Masiulaniec <jacekm@dobremiasto.net> +.\" Copyright (c) 2012 Gilles Chehade <gilles@poolp.org> +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.\" +.Dd $Mdocdate: April 4 2026 $ +.Dt SMTPD.CONF 5 +.Os +.Sh NAME +.Nm smtpd.conf +.Nd SMTP daemon configuration file +.Sh DESCRIPTION +.Nm +is the configuration file for the mail daemon +.Xr smtpd 8 . +.Pp +When mail arrives, +each +.Dq RCPT TO: +command generates a mail envelope. +If an envelope matches +any of a pre-designated set of criteria +(using the +.Ic match +directive), +the message is accepted for delivery. +A copy of the message, as well as its associated envelopes, +is saved in the mail queue and later dispatched +according to an associated set of actions +(using the +.Ic action +directive). +If an envelope does not match any options, +it is rejected. +The match rules are evaluated sequentially, +with the first match winning. +.Pp +The format of the configuration file is fairly flexible. +The current line can be extended over multiple lines using a backslash +.Pq Sq \e . +Comments can be put anywhere in the file using a hash mark +.Pq Sq # , +and extend to the end of the current line. +Care should be taken when commenting out multi-line text: +the comment is effective until the end of the entire block. +Arguments not beginning with a letter, digit, or underscore, +as well as reserved words +(such as +.Ic listen , +.Ic match , +and +.Cm port ) , +must be quoted. +Arguments containing whitespace should be surrounded by double quotes +.Pq \&" . +.Pp +A macro is defined with a command of the form +.Ar name Ns = Ns Ar value . +The macro +.Ar name +can contain letters, digits, and underscores and cannot be a reserved word. +Within unquoted arguments, the string +.Pf $ Ar name +is later expanded to +.Ar value . +.Pp +For example: +.Bd -literal -offset indent +lan_addr = "192.168.0.1" +listen on $lan_addr +listen on $lan_addr tls auth +.Ed +.Pp +The syntax of +.Nm +is described below. +.Bl -tag -width Ds +.It Ic action Ar name method Op Ar options +When the queue runner processes an envelope from the mail queue, +it carries out the +.Ic action +.Ar name , +selected by the +.Ic match No ... Cm action +directive when the message was received. +The +.Ic action +directive provides configuration data for delivery attempts. +Required lookups are performed at the time of each delivery attempt. +Consequently, changing an +.Ic action +directive or the files it references and restarting the +.Xr smtpd 8 +daemon causes the changes to take effect for subsequent delivery +attempts for the respective dispatcher +.Ar name , +even for messages that were already stuck in the queue +prior to the configuration changes. +.Pp +The delivery +.Ar method +parameter may be one of the following: +.Bl -tag -width Ds +.It Cm expand-only +Only accept the message if a delivery method was specified +in an aliases or +.Pa .forward +file. +.It Cm forward-only +Only accept the message if the recipient results in a remote address +after the processing of aliases or forward file. +.It Cm lmtp Ar destination Op Cm rcpt-to +Deliver the message to an LMTP server at +.Ar destination . +The location may be expressed as host:port or as a UNIX socket. +.Pp +Optionally, +.Cm rcpt-to +might be specified to use the +recipient email address (after expansion) instead of the +local user in the LMTP session as RCPT TO. +.It Cm maildir Oo Ar pathname Oc Op Cm junk +Deliver the message to the maildir in +.Ar pathname +if specified, or by default to +.Pa ~/Maildir . +.Pp +The +.Ar pathname +may contain format specifiers that are expanded before use +.Pq see Sx FORMAT SPECIFIERS . +.Pp +If the +.Cm junk +argument is provided, the message will be moved to the +.Ql Junk +folder if it contains a positive +.Ql X-Spam +header. +This folder will be created under +.Ar pathname +if it does not yet exist. +.It Cm mbox +Deliver the message to the user's mbox with +.Xr mail.local 8 . +.It Cm mda Ar command +Delegate the delivery to a +.Ar command +that receives the message on its standard input +.Pq see Sx MDA COMMANDS . +.Pp +The +.Ar command +may contain format specifiers that are expanded before use +.Pq see Sx FORMAT SPECIFIERS . +.It Cm relay +Relay the message to another SMTP server. +.El +.Pp +The local delivery methods support additional options: +.Bl -tag -width Ds +.It Cm alias Pf < Ar table Ns > +Use the mapping +.Ar table +for +.Xr aliases 5 +expansion. +.It Xo +.Cm ttl +.Sm off +.Ar n +.Brq Cm s | m | h | d +.Sm on +.Xc +Specify how long a message may remain in the queue. +.It Cm user Ar username +Specify the +.Ar username +for performing the delivery, to be looked up with +.Xr getpwnam 3 . +.Pp +This is used for virtual hosting where a single username +is in charge of handling delivery for all virtual users. +.Pp +This option is not usable with the +.Cm mbox +delivery method. +.Pp +Only the delivery user's +.Pa .forward +file will be processed. +.It Cm userbase Pf < Ar table Ns > +Use the mapping +.Ar table +for user lookups instead of the +.Xr getpwnam 3 +function. +.Pp +The +.Cm userbase +does not apply to the +.Cm user +option. +.It Cm virtual Pf < Ar table Ns > +Use the mapping +.Ar table +for virtual expansion. +The aliasing table format is described in +.Xr table 5 . +.It Cm wrapper Ar name +Use the wrapper specified in +.Cm mda wrapper . +.El +.Pp +The relay delivery methods also support additional options: +.Bl -tag -width Ds +.It Cm backup +Operate as a backup mail exchanger delivering messages to any mail exchanger +with higher priority. +.It Cm backup mx Ar name +Operate as a backup mail exchanger delivering messages to any mail exchanger +with higher priority than mail exchanger identified as +.Ar name . +.It Cm ca Ar caname +For secure connections, +use the certificate authority associated with +.Ar caname +(declared in a +.Ic ca +directive) +to validate the server's identity. +.It Cm helo Ar heloname +Advertise +.Ar heloname +as the hostname to other mail exchangers during the HELO phase. +.It Cm helo-src Pf < Ar table Ns > +Use the mapping +.Ar table +to look up a hostname matching the source address, +to advertise during the HELO phase. +.It Cm domain Pf < Ar domains Ns > +Do not perform MX lookups but look up destination domain in +.Ar domains +and use matching relay url as relay host. +.It Cm host Ar relay-url +Do not perform MX lookups but relay messages to the relay host described by +.Ar relay-url . +The format for +.Ar relay-url +is +.Sm off +.Op Ar proto No :// Op Ar label No @ +.Ar host Op : Ar port . +.Sm on +The following protocols are available: +.Pp +.Bl -tag -width "smtp+notls" -compact +.It smtp +Normal SMTP session with opportunistic STARTTLS +(the default). +.It smtp+tls +Normal SMTP session with mandatory STARTTLS. +.It smtp+notls +Plain text SMTP session without TLS. +.It lmtp +LMTP session. +.Ar port +is required. +.It smtps +SMTP session with forced TLS on connection. +The default port is 465. +.El +.Pp +Unless noted, +.Ar port +defaults to 25. +.Pp +The +.Ar label +corresponds to an entry in a credentials table, +as documented in +.Xr table 5 . +It is used with the +.Dq smtp+tls +and +.Dq smtps +protocols for authentication. +Server certificates for those protocols are verified by default. +.It Cm pki Ar pkiname +For secure connections, +use the certificate associated with +.Ar pkiname +(declared in a +.Ic pki +directive) +to prove the client's identity to the remote mail server. +.It Cm srs +When relaying a mail resulting from a forward, +use the Sender Rewriting Scheme to rewrite sender address. +.It Cm tls Op Cm no-verify +Require TLS to be used when relaying, using mandatory STARTTLS by default. +When used with a smarthost, the protocol must not be +.Dq smtp+notls:// . +If +.Cm no-verify +is specified, do not require a valid certificate. +.It Cm protocols Ar protostr +Define the protocol versions to be used for TLS sessions. +Refer to the +.Xr tls_config_parse_protocols 3 +manpage for the format of +.Ar protostr . +.It Cm ciphers Ar cipherstr +Define the list of ciphers that may be used for TLS sessions. +Refer to the +.Xr tls_config_set_ciphers 3 +manpage for the format of +.Ar cipherstr . +.It Cm auth Pf < Ar table Ns > +Use the mapping +.Ar table +for connecting to +.Ar relay-url +using credentials. +This option is usable only with +.Cm host +option. +The credential table format is described in +.Xr table 5 . +.It Cm mail-from Ar mailaddr +Use +.Ar mailaddr +as the MAIL FROM address within the SMTP transaction. +.It Cm src Ar sourceaddr | Pf < Ar sourceaddr Ns > +Use the string or list table +.Ar sourceaddr +for the source IP address, +which is useful on machines with multiple interfaces. +If the list contains more than one address, all of them are used +in such a way that traffic is routed as efficiently as possible. +.El +.It Ic admd Ar authservid +The Administrative Management Domain this mail server belongs to. +The authservid will be forwarded to filters using it to identify or mark +authentication-results headers. +If omitted, it defaults to the server name. +.It Ic bounce Cm warn-interval Ar delay Op , Ar delay ... +Send warning messages to the envelope sender when temporary delivery +failures cause a message to remain in the queue for longer than +.Ar delay . +Each +.Ar delay +parameter consists of a positive decimal integer and a unit +.Cm s , m , h , +or +.Cm d . +At most four +.Ar delay +parameters can be specified. +The default is +.Qq Ic bounce Cm warn-interval No 4h , +sending a single warning after four hours. +.It Ic ca Ar caname Cm cert Ar cafile +Associate the Certificate Authority (CA) certificate file +.Ar cafile +with ca entry +.Ar caname . +The ca entry can be referenced in +.Cm listen on +and +.Cm action ... relay +rules. +.It Ic filter Ar chain-name Ic chain Brq Ar filter-name Op , Ar ... +Register a chain of filters +.Ar chain-name , +consisting of the filters listed in +.Ar filter-name . +Filters in a filter chain are executed in order of declaration for +each phase that they are registered for. +A filter chain may be used in place of a filter for any directive except +filter chains themselves. +.It Ic filter Ar filter-name Ic phase Ar phase-name Ic match Ar conditions decision +Register a filter +.Ar filter-name . +A +.Ar decision +about what to do with the mail is taken at phase +.Ar phase-name +when matching +.Ar conditions . +Phases, matching conditions, and decisions are described in +.Sx MAIL FILTERING , +below. +.It Ic filter Ar filter-name Ic proc Ar proc-name +Register +.Qq proc +filter +.Ar filter-name +backed by the +.Ar proc-name +process. +.It Ic filter Ar filter-name Ic proc-exec Ar command Op Ar options +Register and execute +.Qq proc +filter +.Ar filter-name +from +.Ar command , +conformant with the +.Xr smtpd-filters 7 +API. +If +.Ar command +starts with a slash it is executed with an absolute path, +otherwise it will be run from +.Dq /usr/local/libexec/smtpd/ . +See +.Ic proc +for available +.Ar options . +.It Ic include Qq Ar pathname +Replace this directive with the content of the additional configuration +file at the absolute +.Ar pathname . +.It Ic listen on Ar interface Oo Ar family Oc Op Ar options +Listen on the +.Ar interface +for incoming connections, using the same syntax as +.Xr ifconfig 8 . +The +.Ar interface +parameter may also be an interface group, an IP address, or a domain name. +Listening can optionally be restricted to a specific address +.Ar family , +which can be either +.Cm inet4 +or +.Cm inet6 . +.Pp +The +.Ar options +are as follows: +.Bl -tag -width Ds +.It Cm auth Op Pf < Ar authtable Ns > +Support SMTPAUTH: clients may only start SMTP transactions +after successful authentication. +Users are authenticated against either their own normal login credentials +or a credentials table +.Ar authtable , +the format of which is described in +.Xr table 5 . +.It Cm auth-optional Op Pf < Ar authtable Ns > +Support SMTPAUTH optionally: +clients need not authenticate, but may do so. +This allows a +.Ic listen on +directive to both accept incoming mail from untrusted senders +and permit outgoing mail from authenticated users +(using +.Cm match auth ) . +It can be used in situations +where it is not possible to listen on a separate port +(usually the submission port, 587) +for users to authenticate. +.It Ic ca Ar caname +For secure connections, +use the CA certificate associated with +.Ar caname +(declared in a +.Ic ca +directive) +as the CA certificate when verifying client certificates. +.It Ic filter Ar name +Apply filter +.Ar name +on connections handled by this listener. +.It Cm hostname Ar hostname +Use +.Ar hostname +in the greeting banner instead of the default server name. +.It Cm hostnames Pf < Ar names Ns > +Override the server name for specific addresses. +The +.Ar names +table contains a mapping of IP addresses to hostnames. +If the address on which the connection arrives appears in the mapping, +the associated hostname is used. +.It Cm mask-src +Omit the +.Sy from +part when prepending +.Dq Received +headers. +.It Cm no-dsn +Disable the DSN (Delivery Status Notification) extension. +.It Cm pki Ar pkiname +For secure connections, +use the certificate associated with +.Ar pkiname +(declared in a +.Ic pki +directive) +to prove a mail server's identity. +This option can be used multiple times to provide alternate +certificates for SNI. +.It Cm port Op Ar port +Listen on the given +.Ar port +instead of the default port 25. +.It Cm proxy-v2 +Support the PROXYv2 protocol, +appropriately rewriting the source address received from proxy. +.It Cm received-auth +In +.Dq Received +headers, report whether the session was authenticated +and by which local user. +.It Cm senders Pf < Ar users Ns > Op Cm masquerade +Look up the authenticated user in the +.Ar users +mapping table to find the email addresses that user is allowed +to submit mail as. +In addition, if the +.Cm masquerade +option is provided, +the From header is rewritten +to match the sender provided in the SMTP session. +.It Cm smtps Op Cm verify +Support SMTPS, by default on port 465. +Mutually exclusive with +.Cm tls . +With the +.Cm verify +option, clients must also provide a valid certificate +to establish an SMTP session. +.It Cm tag Ar tag +Clients connecting to the listener are tagged with the given +.Ar tag . +.It Cm tls +Support STARTTLS, by default on port 25. +Mutually exclusive with +.Cm smtps . +.It Cm tls-require Op Cm verify +Like +.Cm tls , +but force clients to establish a secure connection +before being allowed to start an SMTP transaction. +With the +.Cm verify +option, clients must also provide a valid certificate +to establish an SMTP session. +.It Cm protocols Ar protostr +Define the protocol versions to be used for TLS sessions. +Refer to the +.Xr tls_config_parse_protocols 3 +manpage for the format of +.Ar protostr . +.It Cm ciphers Ar cipherstr +Define the list of ciphers that may be used for TLS sessions. +Refer to the +.Xr tls_config_set_ciphers 3 +manpage for the format of +.Ar cipherstr . +.El +.It Ic listen on Cm socket Op Ar options +Listen for incoming SMTP connections on the Unix domain socket +.Pa /var/run/smtpd.sock . +This is done by default, even if the directive is absent. +.Pp +The +.Ar options +are as follows: +.Bl -tag -width Ds +.It Ic filter Ar name +Apply filter +.Ar name +on connections handled by this listener. +.It Cm mask-src +Omit the +.Sy from +part when prepending +.Dq Received +headers. +.It Cm no-dsn +Disable the DSN (Delivery Status Notification) extension. +.It Cm tag Ar tag +Clients connecting to the listener are tagged with the given +.Ar tag . +.El +.It Ic match Ar options Cm action Ar name +If at least one mail envelope matches the +.Ar options +of one +.Ic match Cm action +directive, receive the incoming message, put a copy into each +matching envelope, and atomically save the envelopes to the mail +spool for later processing by the respective dispatcher +.Ar name +which has to be declared beforehand with the +.Ic action +directive. +.Pp +The following matching options are supported and can all be negated: +.Bl -tag -width Ds +.It Xo +.Op Ic \&! +.Cm for any +.Xc +Specify that session may address any destination. +.It Xo +.Op Ic \&! +.Cm for local +.Xc +Specify that session may address any local domain. +This is the default, and may be omitted. +.It Xo +.Op Ic \&! +.Cm for domain Oo Cm regex Oc +.Ar domain | Pf < Ar domain Ns > +.Xc +Specify that session may address the string or list table +.Ar domain . +The +.Cm regex +keyword is required if +.Ar domain +is a regular expression or table of regular expressions. +.It Xo +.Op Ic \&! +.Cm for rcpt-to Oo Cm regex Oc +.Ar recipient | Pf < Ar recipient Ns > +.Xc +Specify that session may address the string or list table +.Ar recipient . +The +.Cm regex +keyword is required if +.Ar recipient +is a regular expression or table of regular expressions. +.It Xo +.Op Ic \&! +.Cm from any +.Xc +Specify that session may originate from any source. +.It Xo +.Op Ic \&! +.Cm from auth +.Xc +Specify that session may originate from any authenticated user, +no matter the source IP address. +.It Xo +.Op Ic \&! +.Cm from auth Oo Cm regex Oc +.Ar user | Pf < Ar user Ns > +.Xc +Specify that session may originate from authenticated user or user list +.Ar user , +no matter the source IP address. +The +.Cm regex +keyword is required if +.Ar user +is a regular expression or table of regular expressions. +.It Xo +.Op Ic \&! +.Cm from local +.Xc +Specify that session may only originate from a local IP address, +or from the local enqueuer. +This is the default, and may be omitted. +.It Xo +.Op Ic \&! +.Cm from mail-from Oo Cm regex Oc +.Ar sender | Pf < Ar sender Ns > +.Xc +Specify that session may originate from sender or sender list +.Ar sender , +no matter the source IP address. +The +.Cm regex +keyword is required if +.Ar sender +is a regular expression or table of regular expressions. +.It Xo +.Op Ic \&! +.Cm from rdns +.Xc +Specify that session may only originate from an IP address that +resolves to a reverse DNS. +.It Xo +.Op Ic \&! +.Cm from rdns Oo Cm regex Oc +.Ar hostname | Pf < Ar hostname Ns > +.Xc +Specify that session may only originate from an IP address that +resolves to a reverse DNS matching string or list string +.Ar hostname . +The +.Cm regex +keyword is required if +.Ar hostname +is a regular expression or table of regular expressions. +.It Xo +.Op Ic \&! +.Cm from socket +.Xc +Specify that session may only originate from the local enqueuer. +.It Xo +.Op Ic \&! +.Cm from src Oo Cm regex Oc +.Ar address | Pf < Ar address Ns > +.Xc +Specify that session may only originate from string or list table +.Ar address +which can be a specific address or a subnet expressed in CIDR-notation. +The +.Cm regex +keyword is required if +.Ar address +is a regular expression or table of regular expressions. +.El +.Pp +In addition, the following transaction options may be matched: +.Bl -tag -width Ds +.It Xo +.Op Ic \&! +.Cm auth +.Xc +Matches transactions which have been authenticated. +.It Xo +.Op Ic \&! +.Cm auth Oo Cm regex Oc +.Ar username | Pf < Ar username Ns > +.Xc +Matches transactions which have been authenticated for user or user list +.Ar username . +The +.Cm regex +keyword is required if +.Ar username +is a regular expression or table of regular expressions. +.It Xo +.Op Ic \&! +.Cm helo Oo Cm regex Oc +.Ar helo-name | Pf < Ar helo-name Ns > +.Xc +Specify that session's HELO / EHLO should match the string or list table +.Ar helo-name . +The +.Cm regex +keyword is required if +.Ar helo-name +is a regular expression or table of regular expressions. +.It Xo +.Op Ic \&! +.Cm mail-from Oo Cm regex Oc +.Ar sender | Pf < Ar sender Ns > +.Xc +Specify that transaction's MAIL FROM should match the string or list table +.Ar sender . +The +.Cm regex +keyword is required if +.Ar sender +is a regular expression or table of regular expressions. +.It Xo +.Op Ic \&! +.Cm rcpt-to Oo Cm regex Oc +.Ar recipient | Pf < Ar recipient Ns > +.Xc +Specify that transaction's RCPT TO should match the string or list table +.Ar recipient . +The +.Cm regex +keyword is required if +.Ar recipient +is a regular expression or table of regular expressions. +.It Xo +.Op Ic \&! +.Cm tag Oo Cm regex Oc Ar tag +.Xc +Matches transactions tagged with the given +.Ar tag . +The +.Cm regex +keyword is required if +.Ar tag +is a regular expression. +.It Xo +.Op Ic \&! +.Cm tls +.Xc +Specify that transaction should take place in a TLS channel. +.El +.It Ic match Ar options Cm reject +Reject the incoming message during the SMTP dialogue. +The same +.Ar options +are supported as for the +.Ic match Cm action +directive. +.It Ic mda Cm wrapper Ar name command +Associate +.Ar command +with the mail delivery agent wrapper named +.Ar name . +When a local delivery specifies a wrapper, the +.Ar command +associated with the wrapper will be executed instead. +The command may contain format specifiers +.Pq see Sx FORMAT SPECIFIERS . +.It Ic mta Cm max-deferred Ar number +When delivery to a given host is suspended due to temporary failures, +cache at most +.Ar number +envelopes for that host such that they can be delivered +as soon as another delivery succeeds to that host. +The default is 100. +.It Ic pki Ar pkiname Cm cert Ar certfile +Associate certificate file +.Ar certfile +with pki entry +.Ar pkiname . +The pki entry defines a keypair configuration that can be referenced +in listener rules and relay actions. +.Pp +A certificate chain may be created by appending one or many certificates, +including a Certificate Authority certificate, +to +.Ar certfile . +The creation of certificates is documented in +.Xr starttls 8 . +.It Ic pki Ar pkiname Cm key Ar keyfile +Associate the key located in +.Ar keyfile +with pki entry +.Ar pkiname . +.It Ic pki Ar pkiname Cm dhe Ar params +Specify the DHE parameters to use for DHE cipher suites with pki entry +.Ar pkiname . +Valid parameter values are +.Cm none , +.Cm legacy , +and +.Cm auto . +For +.Cm legacy , +a fixed key length of 1024 bits is used, whereas for +.Cm auto , +the key length is determined automatically. +The default is +.Cm none , +which disables DHE cipher suites. +.It Ic proc Ar proc-name Ar command Op Ar options +Register an external process named +.Ar proc-name +from +.Ar command , +conformant with the +.Xr smtpd-filters 7 +API. +Such processes may be used to share the same instance between multiple filters. +If +.Ar command +starts with a slash it is executed with an absolute path, +otherwise it will be run from +.Dq /usr/local/libexec/smtpd/ . +.Pp +The following options are supported: +.Bl -tag -width Ds +.It Xo +.Ic user Ar username +.Xc +The +.Ar username +under which the process is to be executed. +The default is _smtpd. +.It Xo +.Ic group Ar group +.Xc +The +.Ar group +under which the process is to be executed. +The default is the primary group of +.Ic user . +.It Xo +.Ic chroot Ar chroot +.Xc +The +.Ar chroot +under which the process is to be executed. +Care must be taken that all dependencies of the +.Ar command +are installed inside the chroot. +.It Xo +.Ic tag Ar tag +.Xc +The +.Ar tag +with which all log messages of this processor are written to syslog. +.Ar tag +is limited to 32 letters. +The default is a best effort representation of the +.Ar proc-name . +.El +.It Ic queue Cm compression +Store queue files in a compressed format. +This may be useful to save disk space. +.It Ic queue Cm encryption Op Ar key +Encrypt queue files with +.Xr EVP_aes_256_gcm 3 . +If no +.Ar key +is specified, it is read with +.Xr getpass 3 . +If the string +.Cm stdin +or a single dash +.Pq Ql - +is given instead of a +.Ar key , +the key is read from the standard input. +.It Ic queue Cm ttl Ar delay +Set the default expiration time for temporarily undeliverable +messages, given as a positive decimal integer followed by a unit +.Cm s , m , h , +or +.Cm d . +The default is four days +.Pq 4d . +.It Ic smtp Cm ciphers Ar control +Set the +.Ar control +string for +.Xr SSL_CTX_set_cipher_list 3 . +The default is +.Qq HIGH:!aNULL:!MD5 . +.It Ic smtp limit Cm max-mails Ar count +Limit the number of messages to +.Ar count +for each session. +The default is 100. +.It Ic smtp limit Cm max-rcpt Ar count +Limit the number of recipients to +.Ar count +for each transaction. +The default is 1000. +.It Ic smtp Cm max-message-size Ar size +Reject messages larger than +.Ar size , +given as a positive number of bytes or as a string to be parsed with +.Xr scan_scaled 3 . +The default is +.Qq 35M . +.It Ic smtp Cm sub-addr-delim Ar character +When resolving the local part of a local email address, ignore the ASCII +.Ar character +and all characters following it. +The default is +.Ql + . +.It Ic srs Cm key Oo Cm backup Oc Ar secret +Set the secret key to use for SRS, +the Sender Rewriting Scheme. +The +.Cm backup +option can be specified to set a secret key to use as a fallback for SRS; +this can be used to implement SRS key rotation. +.It Ic srs Cm ttl Ar delay +Set the time-to-live delay for SRS envelopes. +After this delay, +a bounce reply to the SRS address will be discarded +to limit risks of forged addresses. +The default is four days +.Pq 4d . +.It Ic table Ar name Oo Ar type : Oc Ns Ar pathname +Tables provide additional configuration information for +.Xr smtpd 8 +in the form of lists or key-value mappings. +The format of the entries depends on what the table is used for. +Refer to +.Xr table 5 +for the exhaustive documentation. +.Pp +Each table is identified by an arbitrary, unique +.Ar name . +.Pp +If the +.Ar type +is +.Cm db , +information is stored in a file created with +.Xr makemap 8 ; +if it is +.Cm file +or omitted, information is stored in a plain text file +using the format described in +.Xr table 5 . +The +.Ar pathname +to the file must be absolute. +.It Ic table Ar name Brq Ar value Op , Ar ... +Instead of using a separate file, declare a list table +containing the given static +.Ar value Ns s . +The table must contain at least one value and may declare multiple values as a +comma-separated (whitespace optional) list. +.It Ic table Ar name Brq Ar key Ns = Ns Ar value Op , Ar ... +Instead of using a separate file, declare a mapping table +containing the given static +.Ar key Ns - Ns Ar value +pairs. +The table must contain at least one key-value pair and may declare +multiple pairs as a comma-separated (whitespace optional) list. +.El +.Ss MAIL FILTERING +In a regular workflow, +.Xr smtpd 8 +may accept or reject a message based only on the content of envelopes. +Its decisions are about the handling of the message, +not about the handling of an active session. +.Pp +Filtering extends the decision making process by allowing +.Xr smtpd 8 +to stop at each phase of an SMTP session, +check that conditions are met, +then decide if a session is allowed to move forward. +.Pp +With filtering, +a session may be interrupted at any phase before an envelope is complete. +A message may also be rejected after being submitted, +regardless of whether the envelope was accepted or not. +.Pp +The following phases are currently supported: +.Bl -column mail-from -offset indent +.It connect Ta upon connection, before a banner is displayed +.It helo Ta after HELO command is submitted +.It ehlo Ta after EHLO command is submitted +.It mail-from Ta after MAIL FROM command is submitted +.It rcpt-to Ta after RCPT TO command is submitted +.It data Ta after DATA command is submitted +.It commit Ta after message is fully submitted +.El +.Pp +At each phase, various conditions may be matched. +The fcrdns, rdns, and src data are available in all phases, +but other data must have been already submitted before they are available. +.Bl -column XXXXXXXXXXXXXXXXXXXXX -offset indent +.It fcrdns Ta forward-confirmed reverse DNS is valid +.It rdns Ta session has a reverse DNS +.It rdns Pf < Ar table Ns > Ta session has a reverse DNS in table +.It src Pf < Ar table Ns > Ta source address is in table +.It helo Pf < Ar table Ns > Ta helo name is in table +.It auth Ta session is authenticated +.It auth Pf < Ar table Ns > Ta session username is in table +.It mail-from Pf < Ar table Ns > Ta sender address is in table +.It rcpt-to Pf < Ar table Ns > Ta recipient address is in table +.El +.Pp +These conditions may all be negated by prefixing them with an exclamation mark: +.Bl -column XXXXXXXXXXXXXXXXXXXXX -offset indent +.It !fcrdns Ta forward-confirmed reverse DNS is invalid +.El +.Pp +Any conditions using a table may indicate that the table contains regular +expressions by prefixing the table name with the keyword regex. +.Bl -column XXXXXXXXXXXXXXXXXXXXX -offset indent +.It helo regex Pf < Ar table Ns > Ta helo name matches a regex in table +.El +.Pp +Finally, a number of decisions may be taken: +.Bl -column XXXXXXXXXXXXXXXXXXXXX -offset indent +.It bypass Ta the session or transaction bypasses filters +.It disconnect Ar message Ta the session is disconnected with message +.It junk Ta the session or transaction is junked, i.e., an +.Ql X-Spam: yes +header is added to any messages +.It reject Ar message Ta the command is rejected with message +.It rewrite Ar value Ta the command parameter is rewritten with value +.El +.Pp +Decisions that involve a message require that the message be RFC valid, +meaning that they should either start with a 4xx or 5xx status code. +Decisions can be taken at any phase, +though junking can only happen before a message is committed. +.Ss FORMAT SPECIFIERS +Some configuration directives support expansion of their parameters at runtime. +Such directives (for example +.Ic action Cm maildir , +.Ic action Cm mda ) +may use format specifiers which are expanded before delivery or +relaying. +The following formats are currently supported: +.Bl -column %{user.directory} -offset indent +.It %{sender} Ta sender email address, may be empty string +.It %{sender.user} Ta user part of the sender email address, may be empty +.It %{sender.domain} Ta domain part of the sender email address, may be empty +.It %{rcpt} Ta recipient email address +.It %{rcpt.user} Ta user part of the recipient email address +.It %{rcpt.domain} Ta domain part of the recipient email address +.It %{dest} Ta recipient email address after expansion +.It %{dest.user} Ta user part after expansion +.It %{dest.domain} Ta domain part after expansion +.It %{user.username} Ta local user +.It %{user.directory} Ta home directory of the local user +.It %{mbox.from} Ta name used in mbox From separator lines +.It %{mda} Ta mda command, only available for mda wrappers +.El +.Pp +Expansion formats also support partial expansion using the optional +bracket notations with substring offset. +For example, with recipient domain +.Dq example.org : +.Bl -column %{rcpt.domain[0:-4]} -offset indent +.It %{rcpt.domain[0]} Ta expands to Dq e +.It %{rcpt.domain[1]} Ta expands to Dq x +.It %{rcpt.domain[8:]} Ta expands to Dq org +.It %{rcpt.domain[-3:]} Ta expands to Dq org +.It %{rcpt.domain[0:6]} Ta expands to Dq example +.It %{rcpt.domain[0:-4]} Ta expands to Dq example +.El +.Pp +In addition, modifiers may be applied to the token. +For example, with recipient +.Dq User+Tag@Example.org : +.Bl -column %{rcpt:lowercase|strip} -offset indent +.It %{rcpt:lowercase} Ta expands to Dq user+tag@example.org +.It %{rcpt:uppercase} Ta expands to Dq USER+TAG@EXAMPLE.ORG +.It %{rcpt:strip} Ta expands to Dq User@Example.org +.It %{rcpt:lowercase|strip} Ta expands to Dq user@example.org +.El +.Pp +Modifiers and partial expansion can be used together. +In such cases, the modifiers are applied before the partial expansion. +For example, with sender +.Dq owner-tech+M123456@openbsd.org : +.Bl -column %{sender.user[6:]:strip} -offset indent +.It %{sender.user[6:]:strip} Ta expands to Dq tech +.El +.Pp +For security concerns, expanded values are sanitized and potentially +dangerous characters are replaced with +.Sq \&: . +In situations where they are desirable, the +.Dq raw +modifier may be applied. +For example, with recipient +.Dq user+t?g@example.org : +.Bl -column %{rcpt:raw} -offset indent +.It %{rcpt} Ta expands to Dq user+t:g@example.org +.It %{rcpt:raw} Ta expands to Dq user+t?g@example.org +.El +.Ss MDA COMMANDS +When an action delivery method is +.Cm mda , +.Xr smtpd 8 +runs the associated command for the delivery with the mail content +provided via standard input. +The command is expected to read all the mail content. +.Pp +The exit code of the command reports the outcome of the delivery: +status 0 +.Pq Dv EX_OK +is a successful delivery; status 71 +.Pq Dv EX_OSERR +and 75 +.Pq Dv EX_TEMPFAIL +are temporary failures; and all other exit status are considered +permanent failures. +.Pp +The following environment variables are set: +.Pp +.Bl -tag -width ORIGINAL_RECIPIENT -compact +.It Ev DOMAIN +The recipient domain. +.It Ev EXTENSION +The sub address of the recipient (may be unset). +.It Ev HOME +The delivery user's login directory. +.It Ev LOCAL +The local part of the recipient user address. +.It Ev LOGNAME +The login name of the user. +.It Ev ORIGINAL_RECIPIENT +The address of the original recipient. +.It Ev PATH +Set to +.Ev _PATH_DEFPATH . +Traditionally +.Pa /usr/bin:/bin , +but expanded to include +.Pa /usr/sbin , +.Pa /sbin , +.Pa /usr/X11R6/bin , +.Pa /usr/local/bin , +and +.Pa /usr/local/sbin +in +.Ox . +.It Ev RECIPIENT +The address of the final recipient. +.It Ev SENDER +The address of the sender (might be empty). +.It Ev SHELL +Set to +.Pa /bin/sh . +.It Ev USER +Synonym of +.Ev LOGNAME +for backwards compatibility. +.El +.Sh FILES +.Bl -tag -width "/etc/mail/smtpd.confXXX" -compact +.It Pa /etc/mail/smtpd.conf +Default +.Xr smtpd 8 +configuration file. +.It Pa /etc/mail/mailname +If this file exists, +the first line is used as the server name. +Otherwise, the server name is derived from the local hostname returned by +.Xr gethostname 3 , +either directly if it is a fully qualified domain name, +or by retrieving the associated canonical name through +.Xr getaddrinfo 3 . +.It Pa /var/run/smtpd.sock +Unix domain socket for incoming SMTP connections. +.It Pa /var/spool/smtpd/ +Spool directories for mail during processing. +.El +.Sh EXAMPLES +The default +.Nm +file which ships with +.Ox +listens on the loopback network interface +.Pq Pa lo0 +and allows for mail from users and daemons on the local machine, +as well as permitting email to remote servers. +Some more complex configurations are given below. +.Pp +This first example is similar to the default configuration, +but all outgoing mail is forwarded to a remote SMTP server. +A secrets file is needed to specify a username and password: +.Bd -literal -offset indent +# touch /etc/mail/secrets +# chmod 640 /etc/mail/secrets +# chown root:_smtpd /etc/mail/secrets +# echo "bob username:password" > /etc/mail/secrets +.Ed +.Pp +.Nm +would look like this: +.Bd -literal -offset indent +table aliases file:/etc/mail/aliases +table secrets file:/etc/mail/secrets + +listen on lo0 + +action "local_mail" mbox alias <aliases> +action "outbound" relay host smtp+tls://bob@smtp.example.com \e + auth <secrets> + +match from local for local action "local_mail" +match from local for any action "outbound" +.Ed +.Pp +In this second example, +the aim is to permit mail delivery and relaying +only for users that can authenticate +(using their normal login credentials). +An RSA certificate must be provided to prove the server's identity. +The mail server listens on all interfaces the default routes point to. +Mail with a local destination is sent to an external MDA. +First, the RSA certificate is created: +.Bd -literal -offset indent +# openssl genrsa \-out /etc/ssl/private/mail.example.com.key 4096 +# openssl req \-new \-x509 \-key /etc/ssl/private/mail.example.com.key \e + \-out /etc/ssl/mail.example.com.crt \-days 365 +# chmod 600 /etc/ssl/mail.example.com.crt +# chmod 600 /etc/ssl/private/mail.example.com.key +.Ed +.Pp +In the example above, +a certificate valid for one year was created. +The configuration file would look like this: +.Bd -literal -offset indent +pki mail.example.com cert "/etc/ssl/mail.example.com.crt" +pki mail.example.com key "/etc/ssl/private/mail.example.com.key" + +table aliases file:/etc/mail/aliases + +listen on lo0 +listen on egress tls pki mail.example.com auth + +action mda_with_aliases mda "/path/to/mda \-f \-" alias <aliases> +action mda_without_aliases mda "/path/to/mda \-f \-" +action "outbound" relay + +match for local action mda_with_aliases +match from any for domain example.com action mda_without_aliases +match for any action "outbound" +match auth from any for any action "outbound" +.Ed +.Pp +For sites that wish to sign messages using DKIM, +the following example uses +.Sy opensmtpd-filter-dkimsign +for DKIM signing: +.Bd -literal -offset indent +table aliases file:/etc/mail/aliases + +filter "dkimsign" proc-exec "filter-dkimsign -d <domain> -s <selector> \e + -k /etc/mail/dkim/private.key" user _dkimsign group _dkimsign + +listen on socket filter "dkimsign" +listen on lo0 filter "dkimsign" + +action "local_mail" mbox alias <aliases> +action "outbound" relay + +match for local action "local_mail" +match for any action "outbound" +.Ed +.Pp +Alternatively, the +.Sy opensmtpd-filter-rspamd +package may be used to provide integration with +.Sy rspamd , +a third-party daemon which provides multiple antispam features +as well as DKIM signing. +As well as configuring +.Sy rspamd +itself, +it requires use of the +.Cm proc-exec +keyword: +.Bd -literal -offset indent +filter "rspamd" proc-exec "filter-rspamd" +.Ed +.Pp +Sites that accept non-local messages may be able to cut down on the +volume of spam received by rejecting forged messages that claim +to be from the local domain. +The following example uses a list table +.Em other-relays +to specify the IP addresses of relays that may legitimately +originate mail with the owner's domain as the sender. +.Bd -literal -offset indent +table aliases file:/etc/mail/aliases +table other-relays file:/etc/mail/other-relays + +listen on lo0 +listen on egress + +action "local_mail" mbox alias <aliases> +action "outbound" relay + +match for local action "local_mail" +match for any action "outbound" +match !from src <other-relays> mail\-from "@example.com" for any \e + reject +match from any for domain example.com action "local_mail" +.Ed +.Sh SEE ALSO +.Xr mailer.conf 5 , +.Xr table 5 , +.Xr smtpd-filters 7 , +.Xr makemap 8 , +.Xr smtpd 8 +.Sh HISTORY +.Xr smtpd 8 +first appeared in +.Ox 4.6 . diff --git a/static/openbsd/man5/snmpd.conf.5 b/static/openbsd/man5/snmpd.conf.5 new file mode 100644 index 00000000..d998fd51 --- /dev/null +++ b/static/openbsd/man5/snmpd.conf.5 @@ -0,0 +1,495 @@ +.\" $OpenBSD: snmpd.conf.5,v 1.67 2026/01/18 16:38:02 schwarze Exp $ +.\" +.\" Copyright (c) 2007, 2008, 2012 Reyk Floeter <reyk@openbsd.org> +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: January 18 2026 $ +.Dt SNMPD.CONF 5 +.Os +.Sh NAME +.Nm snmpd.conf +.Nd SNMP daemon configuration file +.Sh DESCRIPTION +.Nm +is the configuration file for the +.Xr snmpd 8 +daemon. +.Pp +The +.Nm +file is divided into the following main sections: +.Bl -tag -width xxxx +.It Sx Macros +Definitions of variables that can be used later, simplifying the +configuration file. +.It Sx Global configuration +Global runtime settings for +.Xr snmpd 8 . +.It Sx User configuration +USM user definitions. +.It Sx OID configuration +Custom configuration of SNMP object identifiers and values. +.El +.Pp +The current line can be extended over multiple lines using a backslash +.Pq Sq \e . +Comments can be put anywhere in the file using a hash mark +.Pq Sq # , +and extend to the end of the current line. +Care should be taken when commenting out multi-line text: +the comment is effective until the end of the entire block. +.Pp +Arguments not beginning with a letter, digit, or underscore +must be quoted. +.Pp +Additional configuration files can be included with the +.Ic include +keyword, for example: +.Bd -literal -offset indent +include "/etc/snmpd.conf.local" +.Ed +.Ss Macros +A macro is defined with a command of the form +.Ar name Ns = Ns Ar value . +The macro +.Ar name +can contain letters, digits, and underscores and cannot be a reserved word +(for example, +.Ic community , +.Ic system , +or +.Ic oid ) . +Within unquoted arguments, the string +.Pf $ Ar name +is later expanded to +.Ar value . +.Pp +For example: +.Bd -literal -offset indent +ext_addr="192.168.0.1" +listen on $ext_addr +.Ed +.Ss Global configuration +The following options can be set globally: +.Bl -tag -width Ds +.It Ic blocklist Ar oid +Remove the +.Ar oid +subtree from view. +Multiple +.Ic blocklist +statements are supported. +.It Ic filter-routes Pq Ic yes | no +If set to +.Ic yes , +ask the kernel to filter route update messages on the routing socket. +Routing table information will not be available, but CPU use will be +reduced during bulk updates. +The default is +.Ic no . +.It Ic listen on Oo Ic tcp | udp Oc Ar address Oo Ic port Ar port Oc Op Ar flags +Specify the local +.Ar address +.Xr snmpd 8 +should listen on for incoming SNMP messages, +or +.Cm any +to listen on all local IPv4 and IPv6 addresses. +Multiple +.Ic listen on +statements are supported. +If no +.Ic listen on +statement is present, the default is +.Ic listen on Cm any . +.Pp +The +.Ar flags +are as follows: +.Bl -tag -width Ds +.It Ic read +Accept get, getnext and bulkget requests. +.It Ic write +Accepts set requests. +.It Ic notify +Accepts trapv1 and trapv2 requests. +.It Ic snmpv1 +Enable SNMPv1 subsystem on the listen address. +.It Ic snmpv2c +Enable SNMPv2c subsystem on the listen address. +.It Ic snmpv3 +Enable SNMPv3 subsystem on the listen address. +.El +.Pp +The default protocol is +.Ic udp . +The default +.Ar port +is 161, unless +.Ic notify +is the only permission flag; which sets the +.Ar port +to 162. +If no permission flags are specified it defaults to +.Dq Ic read Ic write , +or +.Ic notify +when +.Ar port +is 162. +If no subsystem flags are specified, it defaults to +.Ic snmpv3 . +.Pp +Having +.Ic notify +set requires at least one +.Ic trap handle +statement. +.It Ic agentx Oo Ic path Ar path Oc Oo Ic owner Ar owner Oc Oo Ic group Ar group Oc Oo Ic mode Ar mode Oc +Set up an agentx master socket at +.Ar path +and defaults to +.Pa /var/agentx/master . +Socket owner, group, and permissions can be set with +.Ar owner , +.Ar group , +and +.Ar mode +respectively and defaults to root, _agentx, and 660. +Multiple +.Ic agentx +statements are supported. +Only unix sockets are supported. +.It Ic engineid Oo Ic pen Ar enterprise Oc Ar format +Set the snmp engineid, used for instance identification and key +generation for the +.Ic user +.Ar auth +and +.Ar key . +.Ar enterprise +specifies the private enterprise number of the instance and can be either an +integer or +.Ic openbsd +.Pq default . +.Pp +.Ar format +can be one of the following: +.Bl -tag -width Ds +.It Ic ipv4 Ar address +The engineID's format identifier is set to 1 and the ipv4 +.Ar address +is used in the format. +.It Ic ipv6 Ar address +The engineID's format identifier is set to 2 and the ipv6 +.Ar address +is used in the format. +.It Ic mac Ar address +The engineID's format identifier is set to 3 and the mac +.Ar address +is used in the format. +.It Ic text Ar text +The engineID's format identifier is set to 4 and the ASCII +.Ar text +is used in the format. +.It Ic octets Ar octetstring +The engineID's format identifier is set to 5 and the +.Ar octetstring +in hexadecimal is used in the format. +.It Ic hosthash Op Ar hostname +The engineID's format identifier is set to 129 and the first 27 bytes of the +sha256 hash of the +.Ar hostname +are used in the format. +This option is only valid for +.Ar enterprise +.Ic openbsd . +If used for the local engineID, then +.Ar hostname +defaults to the value of +.Xr hostname 1 . +This format is the default. +.It Ar number Ar octetstring +The engineID's format identifier is set to +.Ar number +and the +.Ar octetstring +in hexadecimal is used in the format. +This format is only available if +.Ar enterprise +is not +.Ic openbsd . +.It Ic agentid Ar octetstring +RFC1910 legacy format. +.Ar octetstring +must be 8 bytes +.Pq or 16 characters in hexadecimal format . +.El +.It Ic mib directory Ar path +Specify which directories to recursively search for MIB files. +Multiple directories can be specified. +If no directory is specified it defaults to +.Pa /usr/share/snmp/mibs . +.It Ic read-only community Ar string +Specify the name of the read-only community. +There is no default value. +.It Ic read-write Ic community Ar string +Specify the name of the read-write community. +There is no default value. +.It Ic seclevel Pq Ic none | auth | enc +Specify the lowest security level that +.Xr snmpd 8 +accepts on SNMPv3: +.Bl -tag -width "auth" -offset ident +.It Ic none +Both authentication and encryption of messages is optional. +.It Ic auth +Authentication of messages is mandatory. +.Xr snmpd 8 +will discard any messages that don't have a valid digest. +Encryption of messages is optional. +.It Ic enc +Messages must be encrypted and must have a valid digest for authentication. +Otherwise they will be discarded. +This is the default value. +.El +.It Ic system contact Ar string +Specify the name or description of the system contact, typically a +name or an email address. +The default value is +.Ar root@hostname +using the hostname of the local machine. +.It Ic system description Ar string +Specify a description of the local system. +The default value is the operating system identification as printed by the +.Xr uname 1 +command using the +.Fl a +flag: +.Bd -literal -offset indent +OpenBSD myhost.example.com 4.2 GENERIC#595 i386 +.Ed +.It Ic system location Ar string +Specify the string describing the location of the local system, +typically a physical location. +The default value is an empty string. +.It Ic system name Ar string +Specify the name of the local system, typically a fully-qualified +domain name. +The default value is the hostname of the local system. +.It Ic system oid Ar oid-string +Specify the authoritative identification of the local system. +The default value is +.Ar 1.3.6.1.4.1.30155.23.1 +.Pq iso.org.dod.internet.private.enterprises.openbsd.23.1 +identifying a common +.Ox +system. +.It Ic system services Ar number +Specify a magic value which indicates the set of services that the local +system may provide. +Refer to the +.Ar sysServices +description in the SNMP MIB for details. +The value is given in decimal. +.\"XXX describe the complicated services alg here +.It Ic trap community Ar string +Specify the name of the trap community. +There is no default value. +.It Ic trap handle Ar oid Qq Ar command +Execute +.Ic command +upon receipt of an SNMP trap that begins with a prefix of +.Ic oid . +Alternately, the string +.Qq Ic default +may be used, in which case the prefix used is +.Ic 1.3 . +The invoked +.Ar command +will receive the following information about the trap on standard input, +one per line, in this order: +the resolved hostname of the host sending the trap, +the IP address of the host sending the trap, +and any variable bindings contained in the trap +(the OID followed by the value, separated by a single space). +This option requires at least one +.Ic listen on +statement with a +.Ic notify +flag set. +Traps over SNMPv3 are currently unsupported. +.It Xo +.Ic trap receiver Ar address +.Op Ic oid Ar oid-string +.Ic snmpv2c +.Op Ic community Ar string +.Op Ic source-address Ar address +.Xc +Specify the +.Ar address +or FQDN of a remote trap receiver for outgoing traps +sent by +.Xr snmpd 8 . +This option may be specified multiple times. +The daemon will send outgoing traps in +.Ic snmpv2c +format. +The default community is specified by the global +.Ic trap community +option. +The IPv4 or IPv6 source address of the traps can be enforced using +.It Xo +.Ic trap receiver Ar address +.Op Ic oid Ar oid-string +.Op Ic snmpv3 +.Ic user Ar name Oo Ic seclevel Ar level Oc +.Op Ic source-address Ar address +.Xc +Specify the +.Ar address +or FQDN of a remote trap receiver for outgoing traps +sent by +.Xr snmpd 8 . +This option may be specified multiple times. +The daemon will send outgoing traps in +.Ic snmpv3 +format. +.Ic user +must point to an existing global +.Ic user . +If +.Ic seclevel +is not defined, it defaults to the global +.Ic seclevel +option. +The IPv4 or IPv6 source address of the traps can be enforced using +.Ic source-address . +.El +.Ss User configuration +Users for the SNMP User-based Security Model (USM, RFC 3414) must be +defined in the configuration file: +.Bl -tag -width xxxx +.It Xo +.Ic user Ar name +.Op Ic authkey Ar key Ic auth Ar hmac +.Op Ic enckey Ar key Ic enc Ar cipher +.Xc +Defines a known user. +The +.Ic authkey +keyword is required to specify the digest key used to authenticate +messages. +If this keyword is omitted then authentication is disabled +for this user account. +Optionally the HMAC algorithm used for authentication can be specified. +.Ar hmac +must be either +.Ic hmac-md5 , +.Ic hmac-sha1 , +.Ic hmac-sha224 , +.Ic hmac-sha256 , +.Ic hmac-sha384 , +or +.Ic hmac-sha512 . +If omitted, the default is +.Ic hmac-sha1 . +.Pp +With +.Ic enckey +the encryption key used to encrypt and decrypt messages for privacy is defined. +Without an +.Ic enckey +specification the user account will neither accept encrypted incoming +messages nor will it encrypt outgoing messages. +The +.Ar enc +algorithm can be either +.Ic des +or +.Ic aes +and defaults to +.Ic aes . +.Pp +Any user account that has encryption enabled requires authentication to +be enabled too. +.El +.Ss OID configuration +It is possible to specify user-defined OIDs in the configuration file: +.Bl -tag -width Ds +.It Xo +.Ic oid Ar oid-string +.Ic name Ar name +.Op Ic read-only | read-write +.Op Ar type +.Ar value +.Xc +Return the specified value to the client for this OID. +The +.Ic read-write +option may allow the client to override it, +and the type is either +.Ic string +or +.Ic integer . +.El +.Sh FILES +.Bl -tag -width /etc/examples/snmpd.conf -compact +.It Pa /etc/snmpd.conf +Default location of the configuration file. +.It Pa /etc/examples/snmpd.conf +Example configuration file. +.El +.Sh EXAMPLES +The following example will tell +.Xr snmpd 8 +to listen on localhost for SNMPv2c messages only with the community +.Dq 8LHQtm1QLGzk , +override the default system OID, set the magic services value, +and provide some custom OID values: +.Bd -literal -offset indent +listen on 127.0.0.1 snmpv2c +read-only community 8LHQtm1QLGzk + +system oid 1.3.6.1.4.1.30155.23.2 +system services 74 + +oid 1.3.6.1.4.1.30155.42.1 name myName read-only string "humppa" +oid 1.3.6.1.4.1.30155.42.2 name myStatus read-only integer 1 +.Ed +.Pp +The next example will enforce SNMPv3 with authenticated and encrypted +communication and the user-based security model. +The configuration defines several users using varying encryption and +authentication algorithms. +.Bd -literal -offset indent +seclevel enc + +user "mgmt" auth hmac-sha256 authkey "password123" enc aes enckey "321drowssap" +user "hans" auth hmac-sha1 authkey "password456" enc aes enckey "654drowssap" +user "sophie" auth hmac-md5 authkey "password789" enc des enckey "987drowssap" +.Ed +.Sh SEE ALSO +.Xr snmp 1 , +.Xr snmpd 8 +.Sh HISTORY +The +.Nm +file format first appeared in +.Ox 4.3 . +.Sh AUTHORS +The +.Xr snmpd 8 +program was written by +.An Reyk Floeter Aq Mt reyk@openbsd.org . diff --git a/static/openbsd/man5/ssh_config.5 b/static/openbsd/man5/ssh_config.5 new file mode 100644 index 00000000..b459b044 --- /dev/null +++ b/static/openbsd/man5/ssh_config.5 @@ -0,0 +1,2475 @@ +.\" +.\" Author: Tatu Ylonen <ylo@cs.hut.fi> +.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland +.\" All rights reserved +.\" +.\" As far as I am concerned, the code I have written for this software +.\" can be used freely for any purpose. Any derived versions of this +.\" software must be clearly marked as such, and if the derived work is +.\" incompatible with the protocol description in the RFC file, it must be +.\" called by a name other than "ssh" or "Secure Shell". +.\" +.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. +.\" Copyright (c) 1999 Aaron Campbell. All rights reserved. +.\" Copyright (c) 1999 Theo de Raadt. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.\" $OpenBSD: ssh_config.5,v 1.423 2026/03/23 01:33:46 djm Exp $ +.Dd $Mdocdate: March 23 2026 $ +.Dt SSH_CONFIG 5 +.Os +.Sh NAME +.Nm ssh_config +.Nd OpenSSH client configuration file +.Sh DESCRIPTION +.Xr ssh 1 +obtains configuration data from the following sources in +the following order: +.Pp +.Bl -enum -offset indent -compact +.It +command-line options +.It +user's configuration file +.Pq Pa ~/.ssh/config +.It +system-wide configuration file +.Pq Pa /etc/ssh/ssh_config +.El +.Pp +Unless noted otherwise, for each parameter, the first obtained value +will be used. +The configuration files contain sections separated by +.Cm Host +specifications, and that section is only applied for hosts that +match one of the patterns given in the specification. +The matched host name is usually the one given on the command line +(see the +.Cm CanonicalizeHostname +option for exceptions). +.Pp +Since the first obtained value for each parameter is used, more +host-specific declarations should be given near the beginning of the +file, and general defaults at the end. +.Pp +The file contains keyword-argument pairs, one per line. +Lines starting with +.Ql # +and empty lines are interpreted as comments. +Arguments may optionally be enclosed in double quotes +.Pq \&" +in order to represent arguments containing spaces. +Configuration options may be separated by whitespace or +optional whitespace and exactly one +.Ql = ; +the latter format is useful to avoid the need to quote whitespace +when specifying configuration options using the +.Nm ssh , +.Nm scp , +and +.Nm sftp +.Fl o +option. +.Pp +The possible +keywords and their meanings are as follows (note that +keywords are case-insensitive and arguments are case-sensitive): +.Bl -tag -width Ds +.It Cm Host +Restricts the following declarations (up to the next +.Cm Host +or +.Cm Match +keyword) to be only for those hosts that match one of the patterns +given after the keyword. +If more than one pattern is provided, they should be separated by whitespace. +A single +.Ql * +as a pattern can be used to provide global +defaults for all hosts. +The host is usually the +.Ar hostname +argument given on the command line +(see the +.Cm CanonicalizeHostname +keyword for exceptions). +.Pp +A pattern entry may be negated by prefixing it with an exclamation mark +.Pq Sq !\& . +If a negated entry is matched, then the +.Cm Host +entry is ignored, regardless of whether any other patterns on the line +match. +Negated matches are therefore useful to provide exceptions for wildcard +matches. +.Pp +See +.Sx PATTERNS +for more information on patterns. +.It Cm Match +Restricts the following declarations (up to the next +.Cm Host +or +.Cm Match +keyword) to be used only when the conditions following the +.Cm Match +keyword are satisfied. +Match conditions are specified using one or more criteria +or the single token +.Cm all +which always matches. +The available criteria keywords are: +.Cm canonical , +.Cm final , +.Cm exec , +.Cm localnetwork , +.Cm host , +.Cm originalhost , +.Cm tagged , +.Cm command , +.Cm user , +.Cm localuser , +and +.Cm version . +The +.Cm all +criteria must appear alone or immediately after +.Cm canonical +or +.Cm final . +Other criteria may be combined arbitrarily. +All criteria but +.Cm all , +.Cm canonical , +and +.Cm final +require an argument. +Criteria may be negated by prepending an exclamation mark +.Pq Sq !\& . +.Pp +The +.Cm canonical +keyword matches only when the configuration file is being re-parsed +after hostname canonicalization (see the +.Cm CanonicalizeHostname +option). +This may be useful to specify conditions that work with canonical host +names only. +.Pp +The +.Cm final +keyword requests that the configuration be re-parsed (regardless of whether +.Cm CanonicalizeHostname +is enabled), and matches only during this final pass. +If +.Cm CanonicalizeHostname +is enabled, then +.Cm canonical +and +.Cm final +match during the same pass. +.Pp +The +.Cm exec +keyword executes the specified command under the user's shell. +If the command returns a zero exit status then the condition is considered true. +Commands containing whitespace characters must be quoted. +Arguments to +.Cm exec +accept the tokens described in the +.Sx TOKENS +section. +.Pp +The +.Cm localnetwork +keyword matches the addresses of active local network interfaces against the +supplied list of networks in CIDR format. +This may be convenient for varying the effective configuration on devices that +roam between networks. +Note that network address is not a trustworthy criteria in many +situations (e.g. when the network is automatically configured using DHCP) +and so caution should be applied if using it to control security-sensitive +configuration. +.Pp +The other keywords' criteria must be single entries or comma-separated +lists and may use the wildcard and negation operators described in the +.Sx PATTERNS +section. +.Pp +The criteria for the +.Cm host +keyword are matched against the target hostname, after any substitution +by the +.Cm Hostname +or +.Cm CanonicalizeHostname +options. +The +.Cm originalhost +keyword matches against the hostname as it was specified on the command-line. +.Pp +The +.Cm tagged +keyword matches a tag name specified by a prior +.Cm Tag +directive or on the +.Xr ssh 1 +command-line using the +.Fl P +flag. +The +.Cm command +keyword matches the remote command that has been requested, or the subsystem +name that is being invoked (e.g.\& +.Qq sftp +for an SFTP session). +The empty string will match the case where a command or tag has not been +specified, i.e.\& +.Sq Match tag \&"\&" . +The +.Cm version +keyword matches against the version string of +.Xr ssh 1 , +for example +.Dq OpenSSH_10.0 . +.Pp +The +.Cm user +keyword matches against the target username on the remote host. +The +.Cm localuser +keyword matches against the name of the local user running +.Xr ssh 1 +(this keyword may be useful in system-wide +.Nm +files). +.Pp +Finally, the +.Cm sessiontype +keyword matches the requested session type, which may be one of +.Cm shell +for interactive sessions, +.Cm exec +for command execution sessions, +.Cm subsystem +for subsystem invocations such as +.Xr sftp 1 , +or +.Cm none +for transport-only sessions, such as when +.Xr ssh 1 +is started with the +.Fl N +flag. +.It Cm AddKeysToAgent +Specifies whether keys should be automatically added to a running +.Xr ssh-agent 1 . +If this option is set to +.Cm yes +and a key is loaded from a file, the key and its passphrase are added to +the agent with the default lifetime, as if by +.Xr ssh-add 1 . +If this option is set to +.Cm ask , +.Xr ssh 1 +will require confirmation using the +.Ev SSH_ASKPASS +program before adding a key (see +.Xr ssh-add 1 +for details). +If this option is set to +.Cm confirm , +each use of the key must be confirmed, as if the +.Fl c +option was specified to +.Xr ssh-add 1 . +If this option is set to +.Cm no , +no keys are added to the agent. +Alternately, this option may be specified as a time interval +using the format described in the +.Sx TIME FORMATS +section of +.Xr sshd_config 5 +to specify the key's lifetime in +.Xr ssh-agent 1 , +after which it will automatically be removed. +The argument must be +.Cm no +(the default), +.Cm yes , +.Cm confirm +(optionally followed by a time interval), +.Cm ask +or a time interval. +.It Cm AddressFamily +Specifies which address family to use when connecting. +Valid arguments are +.Cm any +(the default), +.Cm inet +(use IPv4 only), or +.Cm inet6 +(use IPv6 only). +.It Cm BatchMode +If set to +.Cm yes , +user interaction such as password prompts and host key confirmation requests +will be disabled. +This option is useful in scripts and other batch jobs where no user +is present to interact with +.Xr ssh 1 . +The argument must be +.Cm yes +or +.Cm no +(the default). +.It Cm BindAddress +Use the specified address on the local machine as the source address of +the connection. +Only useful on systems with more than one address. +.It Cm BindInterface +Use the address of the specified interface on the local machine as the +source address of the connection. +.It Cm CanonicalDomains +When +.Cm CanonicalizeHostname +is enabled, this option specifies the list of domain suffixes in which to +search for the specified destination host. +.It Cm CanonicalizeFallbackLocal +Specifies whether to fail with an error when hostname canonicalization fails. +The default, +.Cm yes , +will attempt to look up the unqualified hostname using the system resolver's +search rules. +A value of +.Cm no +will cause +.Xr ssh 1 +to fail instantly if +.Cm CanonicalizeHostname +is enabled and the target hostname cannot be found in any of the domains +specified by +.Cm CanonicalDomains . +.It Cm CanonicalizeHostname +Controls whether explicit hostname canonicalization is performed. +The default, +.Cm no , +is not to perform any name rewriting and let the system resolver handle all +hostname lookups. +If set to +.Cm yes +then, for connections that do not use a +.Cm ProxyCommand +or +.Cm ProxyJump , +.Xr ssh 1 +will attempt to canonicalize the hostname specified on the command line +using the +.Cm CanonicalDomains +suffixes and +.Cm CanonicalizePermittedCNAMEs +rules. +If +.Cm CanonicalizeHostname +is set to +.Cm always , +then canonicalization is applied to proxied connections too. +.Pp +If this option is enabled, then the configuration files are processed +again using the new target name to pick up any new configuration in matching +.Cm Host +and +.Cm Match +stanzas. +A value of +.Cm none +disables the use of a +.Cm ProxyJump +host. +.It Cm CanonicalizeMaxDots +Specifies the maximum number of dot characters in a hostname before +canonicalization is disabled. +The default, 1, +allows a single dot (i.e. hostname.subdomain). +.It Cm CanonicalizePermittedCNAMEs +Specifies rules to determine whether CNAMEs should be followed when +canonicalizing hostnames. +The rules consist of one or more arguments of +.Ar source_domain_list : Ns Ar target_domain_list , +where +.Ar source_domain_list +is a pattern-list of domains that may follow CNAMEs in canonicalization, +and +.Ar target_domain_list +is a pattern-list of domains that they may resolve to. +.Pp +For example, +.Qq *.a.example.com:*.b.example.com,*.c.example.com +will allow hostnames matching +.Qq *.a.example.com +to be canonicalized to names in the +.Qq *.b.example.com +or +.Qq *.c.example.com +domains. +.Pp +A single argument of +.Qq none +causes no CNAMEs to be considered for canonicalization. +This is the default behaviour. +.It Cm CASignatureAlgorithms +Specifies which algorithms are allowed for signing of certificates +by certificate authorities (CAs). +The default is: +.Bd -literal -offset indent +ssh-ed25519,ecdsa-sha2-nistp256, +ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +sk-ssh-ed25519@openssh.com, +sk-ecdsa-sha2-nistp256@openssh.com, +rsa-sha2-512,rsa-sha2-256 +.Ed +.Pp +If the specified list begins with a +.Sq + +character, then the specified algorithms will be appended to the default set +instead of replacing them. +If the specified list begins with a +.Sq - +character, then the specified algorithms (including wildcards) will be removed +from the default set instead of replacing them. +.Pp +.Xr ssh 1 +will not accept host certificates signed using algorithms other than those +specified. +.It Cm CertificateFile +Specifies a file from which the user's certificate is read. +A corresponding private key must be provided separately in order +to use this certificate either +from an +.Cm IdentityFile +directive or +.Fl i +flag to +.Xr ssh 1 , +via +.Xr ssh-agent 1 , +or via a +.Cm PKCS11Provider +or +.Cm SecurityKeyProvider . +.Pp +Arguments to +.Cm CertificateFile +may use the tilde syntax to refer to a user's home directory, +the tokens described in the +.Sx TOKENS +section and environment variables as described in the +.Sx ENVIRONMENT VARIABLES +section. +.Pp +It is possible to have multiple certificate files specified in +configuration files; these certificates will be tried in sequence. +Multiple +.Cm CertificateFile +directives will add to the list of certificates used for +authentication. +.It Cm ChannelTimeout +Specifies whether and how quickly +.Xr ssh 1 +should close inactive channels. +Timeouts are specified as one or more +.Dq type=interval +pairs separated by whitespace, where the +.Dq type +must be the special keyword +.Dq global +or a channel type name from the list below, optionally containing +wildcard characters. +.Pp +The timeout value +.Dq interval +is specified in seconds or may use any of the units documented in the +.Sx TIME FORMATS +section. +For example, +.Dq session=5m +would cause interactive sessions to terminate after five minutes of +inactivity. +Specifying a zero value disables the inactivity timeout. +.Pp +The special timeout +.Dq global +applies to all active channels, taken together. +Traffic on any active channel will reset the timeout, but when the timeout +expires then all open channels will be closed. +Note that this global timeout is not matched by wildcards and must be +specified explicitly. +.Pp +The available channel type names include: +.Bl -tag -width Ds +.It Cm agent-connection +Open connections to +.Xr ssh-agent 1 . +.It Cm direct-tcpip , Cm direct-streamlocal@openssh.com +Open TCP or Unix socket (respectively) connections that have +been established from an +.Xr ssh 1 +local forwarding, i.e.\& +.Cm LocalForward +or +.Cm DynamicForward . +.It Cm forwarded-tcpip , Cm forwarded-streamlocal@openssh.com +Open TCP or Unix socket (respectively) connections that have been +established to an +.Xr sshd 8 +listening on behalf of an +.Xr ssh 1 +remote forwarding, i.e.\& +.Cm RemoteForward . +.It Cm session +The interactive main session, including shell session, command execution, +.Xr scp 1 , +.Xr sftp 1 , +etc. +.It Cm tun-connection +Open +.Cm TunnelForward +connections. +.It Cm x11-connection +Open X11 forwarding sessions. +.El +.Pp +Note that in all the above cases, terminating an inactive session does not +guarantee to remove all resources associated with the session, e.g. shell +processes or X11 clients relating to the session may continue to execute. +.Pp +Moreover, terminating an inactive channel or session does not necessarily +close the SSH connection, nor does it prevent a client from +requesting another channel of the same type. +In particular, expiring an inactive forwarding session does not prevent +another identical forwarding from being subsequently created. +.Pp +The default is not to expire channels of any type for inactivity. +.It Cm CheckHostIP +If set to +.Cm yes , +.Xr ssh 1 +will additionally check the host IP address in the +.Pa known_hosts +file. +This allows it to detect if a host key changed due to DNS spoofing +and will add addresses of destination hosts to +.Pa ~/.ssh/known_hosts +in the process, regardless of the setting of +.Cm StrictHostKeyChecking . +If the option is set to +.Cm no +(the default), +the check will not be executed. +.It Cm Ciphers +Specifies the ciphers allowed and their order of preference. +Multiple ciphers must be comma-separated. +If the specified list begins with a +.Sq + +character, then the specified ciphers will be appended to the default set +instead of replacing them. +If the specified list begins with a +.Sq - +character, then the specified ciphers (including wildcards) will be removed +from the default set instead of replacing them. +If the specified list begins with a +.Sq ^ +character, then the specified ciphers will be placed at the head of the +default set. +.Pp +The supported ciphers are: +.Bd -literal -offset indent +3des-cbc +aes128-cbc +aes192-cbc +aes256-cbc +aes128-ctr +aes192-ctr +aes256-ctr +aes128-gcm@openssh.com +aes256-gcm@openssh.com +chacha20-poly1305@openssh.com +.Ed +.Pp +The default is: +.Bd -literal -offset indent +chacha20-poly1305@openssh.com, +aes128-gcm@openssh.com,aes256-gcm@openssh.com, +aes128-ctr,aes192-ctr,aes256-ctr +.Ed +.Pp +The list of available ciphers may also be obtained using +.Qq ssh -Q cipher . +.It Cm ClearAllForwardings +Specifies that all local, remote, and dynamic port forwardings +specified in the configuration files or on the command line be +cleared. +This option is primarily useful when used from the +.Xr ssh 1 +command line to clear port forwardings set in +configuration files, and is automatically set by +.Xr scp 1 +and +.Xr sftp 1 . +The argument must be +.Cm yes +or +.Cm no +(the default). +.It Cm Compression +Specifies whether to use compression. +The argument must be +.Cm yes +or +.Cm no +(the default). +.It Cm ConnectionAttempts +Specifies the number of tries (one per second) to make before exiting. +The argument must be an integer. +This may be useful in scripts if the connection sometimes fails. +The default is 1. +.It Cm ConnectTimeout +Specifies the timeout (in seconds) used when connecting to the +SSH server, instead of using the default system TCP timeout. +This timeout is applied both to establishing the connection and to performing +the initial SSH protocol handshake and key exchange. +.It Cm ControlMaster +Enables the sharing of multiple sessions over a single network connection. +When set to +.Cm yes , +.Xr ssh 1 +will listen for connections on a control socket specified using the +.Cm ControlPath +argument. +Additional sessions can connect to this socket using the same +.Cm ControlPath +with +.Cm ControlMaster +set to +.Cm no +(the default). +These sessions will try to reuse the master instance's network connection +rather than initiating new ones, but will fall back to connecting normally +if the control socket does not exist, or is not listening. +.Pp +Setting this to +.Cm ask +will cause +.Xr ssh 1 +to listen for control connections, but require confirmation using +.Xr ssh-askpass 1 . +If the +.Cm ControlPath +cannot be opened, +.Xr ssh 1 +will continue without connecting to a master instance. +.Pp +X11 and +.Xr ssh-agent 1 +forwarding is supported over these multiplexed connections, however the +display and agent forwarded will be the one belonging to the master +connection i.e. it is not possible to forward multiple displays or agents. +.Pp +Two additional options allow for opportunistic multiplexing: try to use a +master connection but fall back to creating a new one if one does not already +exist. +These options are: +.Cm auto +and +.Cm autoask . +The latter requires confirmation like the +.Cm ask +option. +.It Cm ControlPath +Specify the path to the control socket used for connection sharing as described +in the +.Cm ControlMaster +section above or the string +.Cm none +to disable connection sharing. +Arguments to +.Cm ControlPath +may use the tilde syntax to refer to a user's home directory, +the tokens described in the +.Sx TOKENS +section and environment variables as described in the +.Sx ENVIRONMENT VARIABLES +section. +It is recommended that any +.Cm ControlPath +used for opportunistic connection sharing include +at least %h, %p, and %r (or alternatively %C) and be placed in a directory +that is not writable by other users. +This ensures that shared connections are uniquely identified. +.It Cm ControlPersist +When used in conjunction with +.Cm ControlMaster , +specifies that the master connection should remain open +in the background (waiting for future client connections) +after the initial client connection has been closed. +If set to +.Cm no +(the default), +then the master connection will not be placed into the background, +and will close as soon as the initial client connection is closed. +If set to +.Cm yes +or 0, +then the master connection will remain in the background indefinitely +(until killed or closed via a mechanism such as the +.Qq ssh -O exit ) . +If set to a time in seconds, or a time in any of the formats documented in +.Xr sshd_config 5 , +then the backgrounded master connection will automatically terminate +after it has remained idle (with no client connections) for the +specified time. +.It Cm DynamicForward +Specifies that a TCP port on the local machine be forwarded +over the secure channel, and the application +protocol is then used to determine where to connect to from the +remote machine. +.Pp +The argument must be +.Sm off +.Oo Ar bind_address : Oc Ar port . +.Sm on +IPv6 addresses can be specified by enclosing addresses in square brackets. +By default, the local port is bound in accordance with the +.Cm GatewayPorts +setting. +However, an explicit +.Ar bind_address +may be used to bind the connection to a specific address. +The +.Ar bind_address +of +.Cm localhost +indicates that the listening port be bound for local use only, while an +empty address or +.Sq * +indicates that the port should be available from all interfaces. +.Pp +Currently the SOCKS4 and SOCKS5 protocols are supported, and +.Xr ssh 1 +will act as a SOCKS server. +Multiple forwardings may be specified, and +additional forwardings can be given on the command line. +Only the superuser can forward privileged ports. +.It Cm EnableEscapeCommandline +Enables the command line option in the +.Cm EscapeChar +menu for interactive sessions (default +.Ql ~C ) . +By default, the command line is disabled. +.It Cm EnableSSHKeysign +Setting this option to +.Cm yes +in the global client configuration file +.Pa /etc/ssh/ssh_config +enables the use of the helper program +.Xr ssh-keysign 8 +during +.Cm HostbasedAuthentication . +The argument must be +.Cm yes +or +.Cm no +(the default). +This option should be placed in the non-hostspecific section. +See +.Xr ssh-keysign 8 +for more information. +.It Cm EscapeChar +Sets the escape character (default: +.Ql ~ ) . +The escape character can also +be set on the command line. +The argument should be a single character, +.Ql ^ +followed by a letter, or +.Cm none +to disable the escape +character entirely (making the connection transparent for binary +data). +.It Cm ExitOnForwardFailure +Specifies whether +.Xr ssh 1 +should terminate the connection if it cannot set up all requested +dynamic, tunnel, local, and remote port forwardings, (e.g.\& +if either end is unable to bind and listen on a specified port). +Note that +.Cm ExitOnForwardFailure +does not apply to connections made over port forwardings and will not, +for example, cause +.Xr ssh 1 +to exit if TCP connections to the ultimate forwarding destination fail. +The argument must be +.Cm yes +or +.Cm no +(the default). +.It Cm FingerprintHash +Specifies the hash algorithm used when displaying key fingerprints. +Valid options are: +.Cm md5 +and +.Cm sha256 +(the default). +.It Cm ForkAfterAuthentication +Requests +.Nm ssh +to go to background just before command execution. +This is useful if +.Nm ssh +is going to ask for passwords or passphrases, but the user +wants it in the background. +This implies the +.Cm StdinNull +configuration option being set to +.Dq yes . +The recommended way to start X11 programs at a remote site is with +something like +.Ic ssh -f host xterm , +which is the same as +.Ic ssh host xterm +if the +.Cm ForkAfterAuthentication +configuration option is set to +.Dq yes . +.Pp +If the +.Cm ExitOnForwardFailure +configuration option is set to +.Dq yes , +then a client started with the +.Cm ForkAfterAuthentication +configuration option being set to +.Dq yes +will wait for all remote port forwards to be successfully established +before placing itself in the background. +The argument to this keyword must be +.Cm yes +(same as the +.Fl f +option) or +.Cm no +(the default). +.It Cm ForwardAgent +Specifies whether the connection to the authentication agent (if any) +will be forwarded to the remote machine. +The argument may be +.Cm yes , +.Cm no +(the default), +an explicit path to an agent socket or the name of an environment variable +(beginning with +.Sq $ ) +in which to find the path. +.Pp +Agent forwarding should be enabled with caution. +Users with the ability to bypass file permissions on the remote host +(for the agent's Unix-domain socket) +can access the local agent through the forwarded connection. +An attacker cannot obtain key material from the agent, +however they can perform operations on the keys that enable them to +authenticate using the identities loaded into the agent. +.It Cm ForwardX11 +Specifies whether X11 connections will be automatically redirected +over the secure channel and +.Ev DISPLAY +set. +The argument must be +.Cm yes +or +.Cm no +(the default). +.Pp +X11 forwarding should be enabled with caution. +Users with the ability to bypass file permissions on the remote host +(for the user's X11 authorization database) +can access the local X11 display through the forwarded connection. +An attacker may then be able to perform activities such as keystroke monitoring +if the +.Cm ForwardX11Trusted +option is also enabled. +.It Cm ForwardX11Timeout +Specify a timeout for untrusted X11 forwarding +using the format described in the +.Sx TIME FORMATS +section of +.Xr sshd_config 5 . +X11 connections received by +.Xr ssh 1 +after this time will be refused. +Setting +.Cm ForwardX11Timeout +to zero will disable the timeout and permit X11 forwarding for the life +of the connection. +The default is to disable untrusted X11 forwarding after twenty minutes has +elapsed. +.It Cm ForwardX11Trusted +If this option is set to +.Cm yes , +remote X11 clients will have full access to the original X11 display. +.Pp +If this option is set to +.Cm no +(the default), +remote X11 clients will be considered untrusted and prevented +from stealing or tampering with data belonging to trusted X11 +clients. +Furthermore, the +.Xr xauth 1 +token used for the session will be set to expire after 20 minutes. +Remote clients will be refused access after this time. +.Pp +See the X11 SECURITY extension specification for full details on +the restrictions imposed on untrusted clients. +.It Cm GatewayPorts +Specifies whether remote hosts are allowed to connect to local +forwarded ports. +By default, +.Xr ssh 1 +binds local port forwardings to the loopback address. +This prevents other remote hosts from connecting to forwarded ports. +.Cm GatewayPorts +can be used to specify that ssh +should bind local port forwardings to the wildcard address, +thus allowing remote hosts to connect to forwarded ports. +The argument must be +.Cm yes +or +.Cm no +(the default). +.It Cm GlobalKnownHostsFile +Specifies one or more files to use for the global +host key database, separated by whitespace. +The default is +.Pa /etc/ssh/ssh_known_hosts , +.Pa /etc/ssh/ssh_known_hosts2 . +.It Cm GSSAPIAuthentication +Specifies whether user authentication based on GSSAPI is allowed. +The default is +.Cm no . +.It Cm GSSAPIDelegateCredentials +Forward (delegate) credentials to the server. +The default is +.Cm no . +.It Cm HashKnownHosts +Indicates that +.Xr ssh 1 +should hash host names and addresses when they are added to +.Pa ~/.ssh/known_hosts . +These hashed names may be used normally by +.Xr ssh 1 +and +.Xr sshd 8 , +but they do not visually reveal identifying information if the +file's contents are disclosed. +The default is +.Cm no . +Note that existing names and addresses in known hosts files +will not be converted automatically, +but may be manually hashed using +.Xr ssh-keygen 1 . +.It Cm HostbasedAcceptedAlgorithms +Specifies the signature algorithms that will be used for hostbased +authentication as a comma-separated list of patterns. +Alternately if the specified list begins with a +.Sq + +character, then the specified signature algorithms will be appended +to the default set instead of replacing them. +If the specified list begins with a +.Sq - +character, then the specified signature algorithms (including wildcards) +will be removed from the default set instead of replacing them. +If the specified list begins with a +.Sq ^ +character, then the specified signature algorithms will be placed +at the head of the default set. +The default for this option is: +.Bd -literal -offset 3n +ssh-ed25519-cert-v01@openssh.com, +ecdsa-sha2-nistp256-cert-v01@openssh.com, +ecdsa-sha2-nistp384-cert-v01@openssh.com, +ecdsa-sha2-nistp521-cert-v01@openssh.com, +sk-ssh-ed25519-cert-v01@openssh.com, +sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, +webauthn-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, +rsa-sha2-512-cert-v01@openssh.com, +rsa-sha2-256-cert-v01@openssh.com, +ssh-ed25519, +ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +sk-ssh-ed25519@openssh.com, +sk-ecdsa-sha2-nistp256@openssh.com, +webauthn-sk-ecdsa-sha2-nistp256@openssh.com, +rsa-sha2-512,rsa-sha2-256 +.Ed +.Pp +The +.Fl Q +option of +.Xr ssh 1 +may be used to list supported signature algorithms. +This was formerly named HostbasedKeyTypes. +.It Cm HostbasedAuthentication +Specifies whether to try rhosts based authentication with public key +authentication. +The argument must be +.Cm yes +or +.Cm no +(the default). +.It Cm HostKeyAlgorithms +Specifies the host key signature algorithms +that the client wants to use in order of preference. +Alternately if the specified list begins with a +.Sq + +character, then the specified signature algorithms will be appended to +the default set instead of replacing them. +If the specified list begins with a +.Sq - +character, then the specified signature algorithms (including wildcards) +will be removed from the default set instead of replacing them. +If the specified list begins with a +.Sq ^ +character, then the specified signature algorithms will be placed +at the head of the default set. +The default for this option is: +.Bd -literal -offset 3n +ssh-ed25519-cert-v01@openssh.com, +ecdsa-sha2-nistp256-cert-v01@openssh.com, +ecdsa-sha2-nistp384-cert-v01@openssh.com, +ecdsa-sha2-nistp521-cert-v01@openssh.com, +sk-ssh-ed25519-cert-v01@openssh.com, +sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, +webauthn-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, +rsa-sha2-512-cert-v01@openssh.com, +rsa-sha2-256-cert-v01@openssh.com, +ssh-ed25519, +ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +sk-ecdsa-sha2-nistp256@openssh.com, +webauthn-sk-ecdsa-sha2-nistp256@openssh.com +sk-ssh-ed25519@openssh.com, +rsa-sha2-512,rsa-sha2-256 +.Ed +.Pp +If hostkeys are known for the destination host then this default is modified +to prefer their algorithms. +.Pp +The list of available signature algorithms may also be obtained using +.Qq ssh -Q HostKeyAlgorithms . +.It Cm HostKeyAlias +Specifies an alias that should be used instead of the +real host name when looking up or saving the host key +in the host key database files and when validating host certificates. +This option is useful for tunneling SSH connections +or for multiple servers running on a single host. +.It Cm Hostname +Specifies the real host name to log into. +This can be used to specify nicknames or abbreviations for hosts. +Arguments to +.Cm Hostname +accept the tokens described in the +.Sx TOKENS +section. +Numeric IP addresses are also permitted (both on the command line and in +.Cm Hostname +specifications). +The default is the name given on the command line. +.It Cm IdentitiesOnly +Specifies that +.Xr ssh 1 +should only use the configured authentication identity and certificate files +(either the default files, or those explicitly configured in the +.Nm +files +or passed on the +.Xr ssh 1 +command-line), +even if +.Xr ssh-agent 1 +or a +.Cm PKCS11Provider +or +.Cm SecurityKeyProvider +offers more identities. +The argument to this keyword must be +.Cm yes +or +.Cm no +(the default). +This option is intended for situations where ssh-agent +offers many different identities. +.It Cm IdentityAgent +Specifies the +.Ux Ns -domain +socket used to communicate with the authentication agent. +.Pp +This option overrides the +.Ev SSH_AUTH_SOCK +environment variable and can be used to select a specific agent. +Setting the socket name to +.Cm none +disables the use of an authentication agent. +If the string +.Qq SSH_AUTH_SOCK +is specified, the location of the socket will be read from the +.Ev SSH_AUTH_SOCK +environment variable. +Otherwise if the specified value begins with a +.Sq $ +character, then it will be treated as an environment variable containing +the location of the socket. +.Pp +Arguments to +.Cm IdentityAgent +may use the tilde syntax to refer to a user's home directory, +the tokens described in the +.Sx TOKENS +section and environment variables as described in the +.Sx ENVIRONMENT VARIABLES +section. +.It Cm IdentityFile +Specifies a file from which the user's ECDSA, authenticator-hosted ECDSA, +Ed25519, authenticator-hosted Ed25519 or RSA authentication identity is read. +You can also specify a public key file to use the corresponding +private key that is loaded in +.Xr ssh-agent 1 +when the private key file is not present locally. +The default is +.Pa ~/.ssh/id_rsa , +.Pa ~/.ssh/id_ecdsa , +.Pa ~/.ssh/id_ecdsa_sk , +.Pa ~/.ssh/id_ed25519 +and +.Pa ~/.ssh/id_ed25519_sk . +Additionally, any identities represented by the authentication agent +will be used for authentication unless +.Cm IdentitiesOnly +is set. +If no certificates have been explicitly specified by +.Cm CertificateFile , +.Xr ssh 1 +will try to load certificate information from the filename obtained by +appending +.Pa -cert.pub +to the path of a specified +.Cm IdentityFile . +.Pp +Arguments to +.Cm IdentityFile +may use the tilde syntax to refer to a user's home directory +or the tokens described in the +.Sx TOKENS +section. +Alternately an argument of +.Cm none +may be used to indicate no identity files should be loaded. +.Pp +It is possible to have +multiple identity files specified in configuration files; all these +identities will be tried in sequence. +Multiple +.Cm IdentityFile +directives will add to the list of identities tried (this behaviour +differs from that of other configuration directives). +.Pp +.Cm IdentityFile +may be used in conjunction with +.Cm IdentitiesOnly +to select which identities in an agent are offered during authentication. +.Cm IdentityFile +may also be used in conjunction with +.Cm CertificateFile +in order to provide any certificate also needed for authentication with +the identity. +.It Cm IgnoreUnknown +Specifies a pattern-list of unknown options to be ignored if they are +encountered in configuration parsing. +This may be used to suppress errors if +.Nm +contains options that are unrecognised by +.Xr ssh 1 . +It is recommended that +.Cm IgnoreUnknown +be listed early in the configuration file as it will not be applied +to unknown options that appear before it. +.It Cm Include +Include the specified configuration file(s). +Multiple pathnames may be specified and each pathname may contain +.Xr glob 7 +wildcards, +tokens as described in the +.Sx TOKENS +section, environment variables as described in the +.Sx ENVIRONMENT VARIABLES +section and, for user configurations, shell-like +.Sq ~ +references to user home directories. +Wildcards will be expanded and processed in lexical order. +Files without absolute paths are assumed to be in +.Pa ~/.ssh +if included in a user configuration file or +.Pa /etc/ssh +if included from the system configuration file. +.Cm Include +directive may appear inside a +.Cm Match +or +.Cm Host +block +to perform conditional inclusion. +.It Cm IPQoS +Specifies the +.Em Differentiated Services Field Codepoint Pq DSCP +value for connections. +Accepted values are +.Cm af11 , +.Cm af12 , +.Cm af13 , +.Cm af21 , +.Cm af22 , +.Cm af23 , +.Cm af31 , +.Cm af32 , +.Cm af33 , +.Cm af41 , +.Cm af42 , +.Cm af43 , +.Cm cs0 , +.Cm cs1 , +.Cm cs2 , +.Cm cs3 , +.Cm cs4 , +.Cm cs5 , +.Cm cs6 , +.Cm cs7 , +.Cm ef , +.Cm le , +a numeric value, or +.Cm none +to use the operating system default. +This option may take one or two arguments, separated by whitespace. +If one argument is specified, it is used as the packet class unconditionally. +If two values are specified, the first is automatically selected for +interactive sessions and the second for non-interactive sessions. +The default is +.Cm ef +(Expedited Forwarding) +for interactive sessions and +.Cm none +(the operating system default) +for non-interactive sessions. +.It Cm KbdInteractiveAuthentication +Specifies whether to use keyboard-interactive authentication. +The argument to this keyword must be +.Cm yes +(the default) +or +.Cm no . +.Cm ChallengeResponseAuthentication +is a deprecated alias for this. +.It Cm KbdInteractiveDevices +Specifies the list of methods to use in keyboard-interactive authentication. +Multiple method names must be comma-separated. +The default is to use the server specified list. +The methods available vary depending on what the server supports. +For an OpenSSH server, +it may be zero or more of: +.Cm bsdauth +and +.Cm pam . +.It Cm KexAlgorithms +Specifies the permitted KEX (Key Exchange) algorithms that will be used and +their preference order. +The selected algorithm will be the first algorithm in this list that +the server also supports. +Multiple algorithms must be comma-separated. +.Pp +If the specified list begins with a +.Sq + +character, then the specified algorithms will be appended to the default set +instead of replacing them. +If the specified list begins with a +.Sq - +character, then the specified algorithms (including wildcards) will be removed +from the default set instead of replacing them. +If the specified list begins with a +.Sq ^ +character, then the specified algorithms will be placed at the head of the +default set. +.Pp +The default is: +.Bd -literal -offset indent +mlkem768x25519-sha256, +sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com, +curve25519-sha256,curve25519-sha256@libssh.org, +ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, +diffie-hellman-group-exchange-sha256, +diffie-hellman-group16-sha512, +diffie-hellman-group18-sha512, +diffie-hellman-group14-sha256 +.Ed +.Pp +The list of supported key exchange algorithms may also be obtained using +.Qq ssh -Q kex . +.It Cm KnownHostsCommand +Specifies a command to use to obtain a list of host keys, in addition to +those listed in +.Cm UserKnownHostsFile +and +.Cm GlobalKnownHostsFile . +This command is executed after the files have been read. +It may write host key lines to standard output in identical format to the +usual files (described in the +.Sx VERIFYING HOST KEYS +section in +.Xr ssh 1 ) . +Arguments to +.Cm KnownHostsCommand +accept the tokens described in the +.Sx TOKENS +section. +The command may be invoked multiple times per connection: once when preparing +the preference list of host key algorithms to use, again to obtain the +host key for the requested host name and, if +.Cm CheckHostIP +is enabled, one more time to obtain the host key matching the server's +address. +If the command exits abnormally or returns a non-zero exit status then the +connection is terminated. +.It Cm LocalCommand +Specifies a command to execute on the local machine after successfully +connecting to the server. +The command string extends to the end of the line, and is executed with +the user's shell. +Arguments to +.Cm LocalCommand +accept the tokens described in the +.Sx TOKENS +section. +.Pp +The command is run synchronously and does not have access to the +session of the +.Xr ssh 1 +that spawned it. +It should not be used for interactive commands. +.Pp +This directive is ignored unless +.Cm PermitLocalCommand +has been enabled. +.It Cm LocalForward +Specifies that a TCP port or Unix-domain socket on the local machine +be forwarded over +the secure channel to the specified host and port (or Unix-domain socket) +from the remote machine. +For a TCP port, the first argument must be +.Sm off +.Oo Ar bind_address : Oc Ar port +.Sm on +or a Unix domain socket path. +The second argument is the destination and may be +.Ar host : Ns Ar hostport +or a Unix domain socket path if the remote host supports it. +.Pp +IPv6 addresses can be specified by enclosing addresses in square brackets. +.Pp +If either argument contains a '/' in it, that argument will be +interpreted as a Unix-domain socket (on the corresponding host) rather +than a TCP port. +.Pp +Multiple forwardings may be specified, and additional forwardings can be +given on the command line. +Only the superuser can forward privileged ports. +By default, the local port is bound in accordance with the +.Cm GatewayPorts +setting. +However, an explicit +.Ar bind_address +may be used to bind the connection to a specific address. +The +.Ar bind_address +of +.Cm localhost +indicates that the listening port be bound for local use only, while an +empty address or +.Sq * +indicates that the port should be available from all interfaces. +Unix domain socket paths may use the tokens described in the +.Sx TOKENS +section and environment variables as described in the +.Sx ENVIRONMENT VARIABLES +section. +.It Cm LogLevel +Gives the verbosity level that is used when logging messages from +.Xr ssh 1 . +The possible values are: +QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. +The default is INFO. +DEBUG and DEBUG1 are equivalent. +DEBUG2 and DEBUG3 each specify higher levels of verbose output. +.It Cm LogVerbose +Specify one or more overrides to LogLevel. +An override consists of one or more pattern lists that matches the +source file, function and line number to force detailed logging for. +For example, an override pattern of: +.Bd -literal -offset indent +kex.c:*:1000,*:kex_exchange_identification():*,packet.c:* +.Ed +.Pp +would enable detailed logging for line 1000 of +.Pa kex.c , +everything in the +.Fn kex_exchange_identification +function, and all code in the +.Pa packet.c +file. +This option is intended for debugging and no overrides are enabled by default. +.It Cm MACs +Specifies the MAC (message authentication code) algorithms +in order of preference. +The MAC algorithm is used for data integrity protection. +Multiple algorithms must be comma-separated. +If the specified list begins with a +.Sq + +character, then the specified algorithms will be appended to the default set +instead of replacing them. +If the specified list begins with a +.Sq - +character, then the specified algorithms (including wildcards) will be removed +from the default set instead of replacing them. +If the specified list begins with a +.Sq ^ +character, then the specified algorithms will be placed at the head of the +default set. +.Pp +The algorithms that contain +.Qq -etm +calculate the MAC after encryption (encrypt-then-mac). +These are considered safer and their use recommended. +.Pp +The default is: +.Bd -literal -offset indent +umac-64-etm@openssh.com,umac-128-etm@openssh.com, +hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, +hmac-sha1-etm@openssh.com, +umac-64@openssh.com,umac-128@openssh.com, +hmac-sha2-256,hmac-sha2-512,hmac-sha1 +.Ed +.Pp +The list of available MAC algorithms may also be obtained using +.Qq ssh -Q mac . +.It Cm NoHostAuthenticationForLocalhost +Disable host authentication for localhost (loopback addresses). +The argument to this keyword must be +.Cm yes +or +.Cm no +(the default). +.It Cm NumberOfPasswordPrompts +Specifies the number of password prompts before giving up. +The argument to this keyword must be an integer. +The default is 3. +.It Cm ObscureKeystrokeTiming +Specifies whether +.Xr ssh 1 +should try to obscure inter-keystroke timings from passive observers of +network traffic. +If enabled, then for interactive sessions, +.Xr ssh 1 +will send keystrokes at fixed intervals of a few tens of milliseconds +and will send fake keystroke packets for some time after typing ceases. +The argument to this keyword must be +.Cm yes , +.Cm no +or an interval specifier of the form +.Cm interval:milliseconds +(e.g.\& +.Cm interval:80 +for 80 milliseconds). +The default is to obscure keystrokes using a 20ms packet interval. +Note that smaller intervals will result in higher fake keystroke packet rates. +.It Cm PasswordAuthentication +Specifies whether to use password authentication. +The argument to this keyword must be +.Cm yes +(the default) +or +.Cm no . +.It Cm PermitLocalCommand +Allow local command execution via the +.Ic LocalCommand +option or using the +.Ic !\& Ns Ar command +escape sequence in +.Xr ssh 1 . +The argument must be +.Cm yes +or +.Cm no +(the default). +.It Cm PermitRemoteOpen +Specifies the destinations to which remote TCP port forwarding is permitted when +.Cm RemoteForward +is used as a SOCKS proxy. +The forwarding specification must be one of the following forms: +.Pp +.Bl -item -offset indent -compact +.It +.Cm PermitRemoteOpen +.Sm off +.Ar host : port +.Sm on +.It +.Cm PermitRemoteOpen +.Sm off +.Ar IPv4_addr : port +.Sm on +.It +.Cm PermitRemoteOpen +.Sm off +.Ar \&[ IPv6_addr \&] : port +.Sm on +.El +.Pp +Multiple forwards may be specified by separating them with whitespace. +An argument of +.Cm any +can be used to remove all restrictions and permit any forwarding requests. +An argument of +.Cm none +can be used to prohibit all forwarding requests. +The wildcard +.Sq * +can be used for host or port to allow all hosts or ports respectively. +Otherwise, no pattern matching or address lookups are performed on supplied +names. +.It Cm PKCS11Provider +Specifies which PKCS#11 provider to use or +.Cm none +to indicate that no provider should be used (the default). +The argument to this keyword is a path to the PKCS#11 shared library +.Xr ssh 1 +should use to communicate with a PKCS#11 token providing keys for user +authentication. +.It Cm Port +Specifies the port number to connect on the remote host. +The default is 22. +.It Cm PreferredAuthentications +Specifies the order in which the client should try authentication methods. +This allows a client to prefer one method (e.g.\& +.Cm keyboard-interactive ) +over another method (e.g.\& +.Cm password ) . +The default is: +.Bd -literal -offset indent +gssapi-with-mic,hostbased,publickey, +keyboard-interactive,password +.Ed +.It Cm ProxyCommand +Specifies the command to use to connect to the server. +The command +string extends to the end of the line, and is executed +using the user's shell +.Ql exec +directive to avoid a lingering shell process. +.Pp +Arguments to +.Cm ProxyCommand +accept the tokens described in the +.Sx TOKENS +section. +The command can be basically anything, +and should read from its standard input and write to its standard output. +It should eventually connect an +.Xr sshd 8 +server running on some machine, or execute +.Ic sshd -i +somewhere. +Host key management will be done using the +.Cm Hostname +of the host being connected (defaulting to the name typed by the user). +Setting the command to +.Cm none +disables this option entirely. +Note that +.Cm CheckHostIP +is not available for connects with a proxy command. +.Pp +This directive is useful in conjunction with +.Xr nc 1 +and its proxy support. +For example, the following directive would connect via an HTTP proxy at +192.0.2.0: +.Bd -literal -offset 3n +ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p +.Ed +.It Cm ProxyJump +Specifies one or more jump proxies as either +.Sm off +.Op Ar user No @ +.Ar host +.Op : Ns Ar port +.Sm on +or an ssh URI. +Multiple proxies may be separated by comma characters and will be visited +sequentially. +Setting this option will cause +.Xr ssh 1 +to connect to the target host by first making an +.Xr ssh 1 +connection to the specified +.Cm ProxyJump +host and then establishing a +TCP forwarding to the ultimate target from there. +Setting the host to +.Cm none +disables this option entirely. +.Pp +Note that this option will compete with the +.Cm ProxyCommand +option - whichever is specified first will prevent later instances of the +other from taking effect. +.Pp +Note also that the configuration for the destination host (either supplied +via the command-line or the configuration file) is not generally applied +to jump hosts. +.Pa ~/.ssh/config +should be used if specific configuration is required for jump hosts. +.It Cm ProxyUseFdpass +Specifies that +.Cm ProxyCommand +will pass a connected file descriptor back to +.Xr ssh 1 +instead of continuing to execute and pass data. +The default is +.Cm no . +.It Cm PubkeyAcceptedAlgorithms +Specifies the signature algorithms that will be used for public key +authentication as a comma-separated list of patterns. +If the specified list begins with a +.Sq + +character, then the algorithms after it will be appended to the default +instead of replacing it. +If the specified list begins with a +.Sq - +character, then the specified algorithms (including wildcards) will be removed +from the default set instead of replacing them. +If the specified list begins with a +.Sq ^ +character, then the specified algorithms will be placed at the head of the +default set. +The default for this option is: +.Bd -literal -offset 3n +ssh-ed25519-cert-v01@openssh.com, +ecdsa-sha2-nistp256-cert-v01@openssh.com, +ecdsa-sha2-nistp384-cert-v01@openssh.com, +ecdsa-sha2-nistp521-cert-v01@openssh.com, +sk-ssh-ed25519-cert-v01@openssh.com, +sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, +webauthn-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, +rsa-sha2-512-cert-v01@openssh.com, +rsa-sha2-256-cert-v01@openssh.com, +ssh-ed25519, +ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +sk-ssh-ed25519@openssh.com, +sk-ecdsa-sha2-nistp256@openssh.com, +webauthn-sk-ecdsa-sha2-nistp256@openssh.com, +rsa-sha2-512,rsa-sha2-256 +.Ed +.Pp +The list of available signature algorithms may also be obtained using +.Qq ssh -Q PubkeyAcceptedAlgorithms . +.It Cm PubkeyAuthentication +Specifies whether to try public key authentication. +The argument to this keyword must be +.Cm yes +(the default), +.Cm no , +.Cm unbound +or +.Cm host-bound . +The final two options enable public key authentication while respectively +disabling or enabling the OpenSSH host-bound authentication protocol +extension required for restricted +.Xr ssh-agent 1 +forwarding. +.It Cm RefuseConnection +Allows a connection to be refused by the configuration file. +If this option is specified, then +.Xr ssh 1 +will terminate immediately before attempting to connect to the remote +host, display an error message that contains the argument to this keyword +and return a non-zero exit status. +This option may be useful to express reminders or warnings to the user via +.Nm . +.It Cm RekeyLimit +Specifies the maximum amount of data that may be transmitted or received +before the session key is renegotiated, optionally followed by a maximum +amount of time that may pass before the session key is renegotiated. +The first argument is specified in bytes and may have a suffix of +.Sq K , +.Sq M , +or +.Sq G +to indicate Kilobytes, Megabytes, or Gigabytes, respectively. +The default is between +.Sq 1G +and +.Sq 4G , +depending on the cipher. +The optional second value is specified in seconds and may use any of the +units documented in the TIME FORMATS section of +.Xr sshd_config 5 . +The default value for +.Cm RekeyLimit +is +.Cm default none , +which means that rekeying is performed after the cipher's default amount +of data has been sent or received and no time based rekeying is done. +.It Cm RemoteCommand +Specifies a command to execute on the remote machine after successfully +connecting to the server. +The command string extends to the end of the line, and is executed with +the user's shell. +Arguments to +.Cm RemoteCommand +accept the tokens described in the +.Sx TOKENS +section. +.It Cm RemoteForward +Specifies that a TCP port or Unix-domain socket on the remote machine +be forwarded over the secure channel. +The remote port may either be forwarded to a specified host and port +or Unix-domain socket +from the local machine, or may act as a SOCKS 4/5 proxy that allows a remote +client to connect to arbitrary destinations from the local machine. +The first argument is the listening specification and may be +.Sm off +.Oo Ar bind_address : Oc Ar port +.Sm on +or, if the remote host supports it, a Unix domain socket path. +If forwarding to a specific destination then the second argument must be +.Ar host : Ns Ar hostport +or a Unix domain socket path, +otherwise if no destination argument is specified then the remote forwarding +will be established as a SOCKS proxy. +When acting as a SOCKS proxy, the destination of the connection can be +restricted by +.Cm PermitRemoteOpen . +.Pp +IPv6 addresses can be specified by enclosing addresses in square brackets. +.Pp +If either argument contains a '/' in it, that argument will be +interpreted as a Unix-domain socket (on the corresponding host) rather +than a TCP port. +.Pp +Multiple forwardings may be specified, and additional +forwardings can be given on the command line. +Privileged ports can be forwarded only when +logging in as root on the remote machine. +Unix domain socket paths may use the tokens described in the +.Sx TOKENS +section and environment variables as described in the +.Sx ENVIRONMENT VARIABLES +section. +.Pp +If the +.Ar port +argument is 0, +the listen port will be dynamically allocated on the server and reported +to the client at run time. +.Pp +If the +.Ar bind_address +is not specified, the default is to only bind to loopback addresses. +If the +.Ar bind_address +is +.Ql * +or an empty string, then the forwarding is requested to listen on all +interfaces. +Specifying a remote +.Ar bind_address +will only succeed if the server's +.Cm GatewayPorts +option is enabled (see +.Xr sshd_config 5 ) . +.It Cm RequestTTY +Specifies whether to request a pseudo-tty for the session. +The argument may be one of: +.Cm no +(never request a TTY), +.Cm yes +(always request a TTY when standard input is a TTY), +.Cm force +(always request a TTY) or +.Cm auto +(request a TTY when opening a login session). +This option mirrors the +.Fl t +and +.Fl T +flags for +.Xr ssh 1 . +.It Cm RequiredRSASize +Specifies the minimum RSA key size (in bits) that +.Xr ssh 1 +will accept. +User authentication keys smaller than this limit will be ignored. +Servers that present host keys smaller than this limit will cause the +connection to be terminated. +The default is +.Cm 1024 +bits. +Note that this limit may only be raised from the default. +.It Cm RevokedHostKeys +Specifies revoked host public keys. +Keys listed in this file will be refused for host authentication. +Note that if this file does not exist or is not readable, +then host authentication will be refused for all hosts. +Keys may be specified as a text file, listing one public key per line, or as +an OpenSSH Key Revocation List (KRL) as generated by +.Xr ssh-keygen 1 . +For more information on KRLs, see the KEY REVOCATION LISTS section in +.Xr ssh-keygen 1 . +Arguments to +.Cm RevokedHostKeys +may use the tilde syntax to refer to a user's home directory, +the tokens described in the +.Sx TOKENS +section and environment variables as described in the +.Sx ENVIRONMENT VARIABLES +section. +.It Cm SecurityKeyProvider +Specifies a path to a library that will be used when loading any +FIDO authenticator-hosted keys, overriding the default of using +the built-in USB HID support. +.Pp +If the specified value begins with a +.Sq $ +character, then it will be treated as an environment variable containing +the path to the library. +.It Cm SendEnv +Specifies what variables from the local +.Xr environ 7 +should be sent to the server. +The server must also support it, and the server must be configured to +accept these environment variables. +Note that the +.Ev TERM +environment variable is always sent whenever a +pseudo-terminal is requested as it is required by the protocol. +Refer to +.Cm AcceptEnv +in +.Xr sshd_config 5 +for how to configure the server. +Variables are specified by name, which may contain wildcard characters. +Multiple environment variables may be separated by whitespace or spread +across multiple +.Cm SendEnv +directives. +.Pp +See +.Sx PATTERNS +for more information on patterns. +.Pp +It is possible to clear previously set +.Cm SendEnv +variable names by prefixing patterns with +.Pa - . +The default is not to send any environment variables. +.It Cm ServerAliveCountMax +Sets the number of server alive messages (see below) which may be +sent without +.Xr ssh 1 +receiving any messages back from the server. +If this threshold is reached while server alive messages are being sent, +ssh will disconnect from the server, terminating the session. +It is important to note that the use of server alive messages is very +different from +.Cm TCPKeepAlive +(below). +The server alive messages are sent through the encrypted channel +and therefore will not be spoofable. +The TCP keepalive option enabled by +.Cm TCPKeepAlive +is spoofable. +The server alive mechanism is valuable when the client or +server depend on knowing when a connection has become unresponsive. +.Pp +The default value is 3. +If, for example, +.Cm ServerAliveInterval +(see below) is set to 15 and +.Cm ServerAliveCountMax +is left at the default, if the server becomes unresponsive, +ssh will disconnect after approximately 45 seconds. +.It Cm ServerAliveInterval +Sets a timeout interval in seconds after which if no data has been received +from the server, +.Xr ssh 1 +will send a message through the encrypted +channel to request a response from the server. +The default +is 0, indicating that these messages will not be sent to the server. +.It Cm SessionType +May be used to either request invocation of a subsystem on the remote system, +or to prevent the execution of a remote command at all. +The latter is useful for just forwarding ports. +The argument to this keyword must be +.Cm none +(same as the +.Fl N +option), +.Cm subsystem +(same as the +.Fl s +option) or +.Cm default +(shell or command execution). +.It Cm SetEnv +Directly specify one or more environment variables and their contents to +be sent to the server in the form +.Dq NAME=VALUE . +Similarly to +.Cm SendEnv , +with the exception of the +.Ev TERM +variable, the server must be prepared to accept the environment variable. +.Pp +The +.Dq VALUE +may use the tokens described in the +.Sx TOKENS +section and environment variables as described in the +.Sx ENVIRONMENT VARIABLES +section. +.It Cm StdinNull +Redirects stdin from +.Pa /dev/null +(actually, prevents reading from stdin). +Either this or the equivalent +.Fl n +option must be used when +.Nm ssh +is run in the background. +The argument to this keyword must be +.Cm yes +(same as the +.Fl n +option) or +.Cm no +(the default). +.It Cm StreamLocalBindMask +Sets the octal file creation mode mask +.Pq umask +used when creating a Unix-domain socket file for local or remote +port forwarding. +This option is only used for port forwarding to a Unix-domain socket file. +.Pp +The default value is 0177, which creates a Unix-domain socket file that is +readable and writable only by the owner. +Note that not all operating systems honor the file mode on Unix-domain +socket files. +.It Cm StreamLocalBindUnlink +Specifies whether to remove an existing Unix-domain socket file for local +or remote port forwarding before creating a new one. +If the socket file already exists and +.Cm StreamLocalBindUnlink +is not enabled, +.Nm ssh +will be unable to forward the port to the Unix-domain socket file. +This option is only used for port forwarding to a Unix-domain socket file. +.Pp +The argument must be +.Cm yes +or +.Cm no +(the default). +.It Cm StrictHostKeyChecking +If this flag is set to +.Cm yes , +.Xr ssh 1 +will never automatically add host keys to the +.Pa ~/.ssh/known_hosts +file, and refuses to connect to hosts whose host key has changed. +This provides maximum protection against man-in-the-middle (MITM) attacks, +though it can be annoying when the +.Pa /etc/ssh/ssh_known_hosts +file is poorly maintained or when connections to new hosts are +frequently made. +This option forces the user to manually +add all new hosts. +.Pp +If this flag is set to +.Cm accept-new +then ssh will automatically add new host keys to the user's +.Pa known_hosts +file, but will not permit connections to hosts with +changed host keys. +If this flag is set to +.Cm no +or +.Cm off , +ssh will automatically add new host keys to the user known hosts files +and allow connections to hosts with changed hostkeys to proceed, +subject to some restrictions. +If this flag is set to +.Cm ask +(the default), +new host keys +will be added to the user known host files only after the user +has confirmed that is what they really want to do, and +ssh will refuse to connect to hosts whose host key has changed. +The host keys of +known hosts will be verified automatically in all cases. +.It Cm SyslogFacility +Gives the facility code that is used when logging messages from +.Xr ssh 1 . +The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, +LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. +The default is USER. +.It Cm TCPKeepAlive +Specifies whether the system should send TCP keepalive messages to the +other side. +If they are sent, death of the connection or crash of one +of the machines will be properly noticed. +However, this means that +connections will die if the route is down temporarily, and some people +find it annoying. +.Pp +The default is +.Cm yes +(to send TCP keepalive messages), and the client will notice +if the network goes down or the remote host dies. +This is important in scripts, and many users want it too. +.Pp +To disable TCP keepalive messages, the value should be set to +.Cm no . +See also +.Cm ServerAliveInterval +for protocol-level keepalives. +.It Cm Tag +Specify a configuration tag name that may be later used by a +.Cm Match +directive to select a block of configuration. +.It Cm Tunnel +Request +.Xr tun 4 +device forwarding between the client and the server. +The argument must be +.Cm yes , +.Cm point-to-point +(layer 3), +.Cm ethernet +(layer 2), +or +.Cm no +(the default). +Specifying +.Cm yes +requests the default tunnel mode, which is +.Cm point-to-point . +.It Cm TunnelDevice +Specifies the +.Xr tun 4 +devices to open on the client +.Pq Ar local_tun +and the server +.Pq Ar remote_tun . +.Pp +The argument must be +.Sm off +.Ar local_tun Op : Ar remote_tun . +.Sm on +The devices may be specified by numerical ID or the keyword +.Cm any , +which uses the next available tunnel device. +If +.Ar remote_tun +is not specified, it defaults to +.Cm any . +The default is +.Cm any:any . +.It Cm UpdateHostKeys +Specifies whether +.Xr ssh 1 +should accept notifications of additional hostkeys from the server sent +after authentication has completed and add them to +.Cm UserKnownHostsFile . +The argument must be +.Cm yes , +.Cm no +or +.Cm ask . +This option allows learning alternate hostkeys for a server +and supports graceful key rotation by allowing a server to send replacement +public keys before old ones are removed. +.Pp +Additional hostkeys are only accepted if the key used to authenticate the +host was already trusted or explicitly accepted by the user, the host was +authenticated via +.Cm UserKnownHostsFile +(i.e. not +.Cm GlobalKnownHostsFile ) +and the host was authenticated using a plain key and not a certificate. +.Pp +.Cm UpdateHostKeys +is enabled by default if the user has not overridden the default +.Cm UserKnownHostsFile +setting and has not enabled +.Cm VerifyHostKeyDNS , +otherwise +.Cm UpdateHostKeys +will be set to +.Cm no . +.Pp +If +.Cm UpdateHostKeys +is set to +.Cm ask , +then the user is asked to confirm the modifications to the known_hosts file. +Confirmation is currently incompatible with +.Cm ControlPersist , +and will be disabled if it is enabled. +.Pp +Presently, only +.Xr sshd 8 +from OpenSSH 6.8 and greater support the +.Qq hostkeys@openssh.com +protocol extension used to inform the client of all the server's hostkeys. +.It Cm User +Specifies the user to log in as. +This can be useful when a different user name is used on different machines. +This saves the trouble of +having to remember to give the user name on the command line. +Arguments to +.Cm User +may use the tokens described in the +.Sx TOKENS +section +(with the exception of %r and %C) +and environment variables as described in the +.Sx ENVIRONMENT VARIABLES +section. +.It Cm UserKnownHostsFile +Specifies one or more files to use for the user +host key database, separated by whitespace. +Each filename may use tilde notation to refer to the user's home directory, +the tokens described in the +.Sx TOKENS +section and environment variables as described in the +.Sx ENVIRONMENT VARIABLES +section. +A value of +.Cm none +causes +.Xr ssh 1 +to ignore any user-specific known hosts files. +The default is +.Pa ~/.ssh/known_hosts , +.Pa ~/.ssh/known_hosts2 . +.It Cm VerifyHostKeyDNS +Specifies whether to verify the remote key using DNS and SSHFP resource +records. +If this option is set to +.Cm yes , +the client will implicitly trust keys that match a secure fingerprint +from DNS. +Insecure fingerprints will be handled as if this option was set to +.Cm ask . +If this option is set to +.Cm ask , +information on fingerprint match will be displayed, but the user will still +need to confirm new host keys according to the +.Cm StrictHostKeyChecking +option. +The default is +.Cm no . +.Pp +See also +.Sx VERIFYING HOST KEYS +in +.Xr ssh 1 . +.It Cm VersionAddendum +Optionally specifies additional text to append to the SSH protocol banner +sent by the client upon connection. +The default is +.Cm none . +.It Cm VisualHostKey +If this flag is set to +.Cm yes , +an ASCII art representation of the remote host key fingerprint is +printed in addition to the fingerprint string at login and +for unknown host keys. +If this flag is set to +.Cm no +(the default), +no fingerprint strings are printed at login and +only the fingerprint string will be printed for unknown host keys. +.It Cm WarnWeakCrypto +controls whether the user is warned when the cryptographic algorithms +negotiated for the connection are weak or otherwise recommended against. +Warnings may be disabled by turning off a specific warning or by disabling +all warnings. +Warnings about connections that don't use a post-quantum key exchange +may be disabled using the +.Cm no-pq-kex +flag. +.Cm no +will disable all warnings. +The default, equivalent to +.Cm yes , +is to enable all warnings. +.It Cm XAuthLocation +Specifies the full pathname of the +.Xr xauth 1 +program. +The default is +.Pa /usr/X11R6/bin/xauth . +.El +.Sh PATTERNS +A +.Em pattern +consists of zero or more non-whitespace characters, +.Sq * +(a wildcard that matches zero or more characters), +or +.Sq ?\& +(a wildcard that matches exactly one character). +For example, to specify a set of declarations for any host in the +.Qq .co.uk +set of domains, +the following pattern could be used: +.Pp +.Dl Host *.co.uk +.Pp +The following pattern +would match any host in the 192.168.0.[0-9] network range: +.Pp +.Dl Host 192.168.0.? +.Pp +A +.Em pattern-list +is a comma-separated list of patterns. +Patterns within pattern-lists may be negated +by preceding them with an exclamation mark +.Pq Sq !\& . +For example, +to allow a key to be used from anywhere within an organization +except from the +.Qq dialup +pool, +the following entry (in authorized_keys) could be used: +.Pp +.Dl from=\&"!*.dialup.example.com,*.example.com\&" +.Pp +Note that a negated match will never produce a positive result by itself. +For example, attempting to match +.Qq host3 +against the following pattern-list will fail: +.Pp +.Dl from=\&"!host1,!host2\&" +.Pp +The solution here is to include a term that will yield a positive match, +such as a wildcard: +.Pp +.Dl from=\&"!host1,!host2,*\&" +.Sh TOKENS +Arguments to some keywords can make use of tokens, +which are expanded at runtime. +Tokens are expanded without quoting or escaping of shell characters. +It is the user's responsibility to ensure they are safe in the +context of their use. +.Pp +The supported tokens in +.Nm +are: +.Pp +.Bl -tag -width XXXX -offset indent -compact +.It %% +A literal +.Sq % . +.It \&%C +Hash of %l%h%p%r%j. +.It %d +Local user's home directory. +.It %f +The fingerprint of the server's host key. +.It %H +The +.Pa known_hosts +hostname or address that is being searched for. +.It %h +The remote hostname. +.It \%%I +A string describing the reason for a +.Cm KnownHostsCommand +execution: either +.Cm ADDRESS +when looking up a host by address (only when +.Cm CheckHostIP +is enabled), +.Cm HOSTNAME +when searching by hostname, or +.Cm ORDER +when preparing the host key algorithm preference list to use for the +destination host. +.It %i +The local user ID. +.It %j +The contents of the ProxyJump option, or the empty string if this +option is unset. +.It %K +The base64 encoded host key. +.It %k +The host key alias if specified, otherwise the original remote hostname given +on the command line. +.It %L +The local hostname. +.It %l +The local hostname, including the domain name. +.It %n +The original remote hostname, as given on the command line. +.It %p +The remote port. +.It %r +The remote username. +.It \&%T +The local +.Xr tun 4 +or +.Xr tap 4 +network interface assigned if +tunnel forwarding was requested, or +.Qq NONE +otherwise. +.It %t +The type of the server host key, e.g. +.Cm ssh-ed25519 . +.It %u +The local username. +.El +.Pp +.Cm CertificateFile , +.Cm ControlPath , +.Cm IdentityAgent , +.Cm IdentityFile , +.Cm Include , +.Cm KnownHostsCommand , +.Cm LocalForward , +.Cm Match exec , +.Cm RemoteCommand , +.Cm RemoteForward , +.Cm RevokedHostKeys , +.Cm UserKnownHostsFile +and +.Cm VersionAddendum +accept the tokens %%, %C, %d, %h, %i, %j, %k, %L, %l, %n, %p, %r, and %u. +.Pp +.Cm KnownHostsCommand +additionally accepts the tokens %f, %H, %I, %K and %t. +.Pp +.Cm Hostname +accepts the tokens %% and %h. +.Pp +.Cm LocalCommand +accepts all tokens. +.Pp +.Cm ProxyCommand +and +.Cm ProxyJump +accept the tokens %%, %h, %n, %p, and %r. +.Pp +Note that some of these directives build commands for execution via the shell. +Because +.Xr ssh 1 +performs no filtering or escaping of characters that have special meaning in +shell commands (e.g. quotes), it is the user's responsibility to ensure that +the arguments passed to +.Xr ssh 1 +do not contain such characters and that tokens are appropriately quoted +when used. +.Sh ENVIRONMENT VARIABLES +Arguments to some keywords can be expanded at runtime from environment +variables on the client by enclosing them in +.Ic ${} , +for example +.Ic ${HOME}/.ssh +would refer to the user's .ssh directory. +If a specified environment variable does not exist then an error will be +returned and the setting for that keyword will be ignored. +.Pp +The keywords +.Cm CertificateFile , +.Cm ControlPath , +.Cm IdentityAgent , +.Cm IdentityFile , +.Cm Include , +.Cm KnownHostsCommand , +and +.Cm UserKnownHostsFile +support environment variables. +The keywords +.Cm LocalForward +and +.Cm RemoteForward +support environment variables only for Unix domain socket paths. +.Sh FILES +.Bl -tag -width Ds +.It Pa ~/.ssh/config +This is the per-user configuration file. +The format of this file is described above. +This file is used by the SSH client. +Because of the potential for abuse, this file must have strict permissions: +read/write for the user, and not writable by others. +.It Pa /etc/ssh/ssh_config +Systemwide configuration file. +This file provides defaults for those +values that are not specified in the user's configuration file, and +for those users who do not have a configuration file. +This file must be world-readable. +.El +.Sh SEE ALSO +.Xr ssh 1 +.Sh AUTHORS +.An -nosplit +OpenSSH is a derivative of the original and free +ssh 1.2.12 release by +.An Tatu Ylonen . +.An Aaron Campbell , Bob Beck , Markus Friedl , +.An Niels Provos , Theo de Raadt +and +.An Dug Song +removed many bugs, re-added newer features and +created OpenSSH. +.An Markus Friedl +contributed the support for SSH protocol versions 1.5 and 2.0. diff --git a/static/openbsd/man5/sshd_config.5 b/static/openbsd/man5/sshd_config.5 new file mode 100644 index 00000000..62930d37 --- /dev/null +++ b/static/openbsd/man5/sshd_config.5 @@ -0,0 +1,2256 @@ +.\" +.\" Author: Tatu Ylonen <ylo@cs.hut.fi> +.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland +.\" All rights reserved +.\" +.\" As far as I am concerned, the code I have written for this software +.\" can be used freely for any purpose. Any derived versions of this +.\" software must be clearly marked as such, and if the derived work is +.\" incompatible with the protocol description in the RFC file, it must be +.\" called by a name other than "ssh" or "Secure Shell". +.\" +.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. +.\" Copyright (c) 1999 Aaron Campbell. All rights reserved. +.\" Copyright (c) 1999 Theo de Raadt. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.\" $OpenBSD: sshd_config.5,v 1.397 2026/03/28 05:07:12 djm Exp $ +.Dd $Mdocdate: March 28 2026 $ +.Dt SSHD_CONFIG 5 +.Os +.Sh NAME +.Nm sshd_config +.Nd OpenSSH daemon configuration file +.Sh DESCRIPTION +.Xr sshd 8 +reads configuration data from +.Pa /etc/ssh/sshd_config +(or the file specified with +.Fl f +on the command line). +The file contains keyword-argument pairs, one per line. +Unless noted otherwise, for each keyword, the first obtained value will be used. +Lines starting with +.Ql # +and empty lines are interpreted as comments. +Arguments may optionally be enclosed in double quotes +.Pq \&" +in order to represent arguments containing spaces. +.Pp +The possible +keywords and their meanings are as follows (note that +keywords are case-insensitive and arguments are case-sensitive): +.Bl -tag -width Ds +.It Cm AcceptEnv +Specifies what environment variables sent by the client will be copied into +the session's +.Xr environ 7 . +See +.Cm SendEnv +and +.Cm SetEnv +in +.Xr ssh_config 5 +for how to configure the client. +The +.Ev TERM +environment variable is always accepted whenever the client +requests a pseudo-terminal as it is required by the protocol. +Variables are specified by name, which may contain the wildcard characters +.Ql * +and +.Ql \&? . +Multiple environment variables may be separated by whitespace or spread +across multiple +.Cm AcceptEnv +directives. +Be warned that some environment variables could be used to bypass restricted +user environments. +For this reason, care should be taken in the use of this directive. +The default is not to accept any environment variables. +.It Cm AddressFamily +Specifies which address family should be used by +.Xr sshd 8 . +Valid arguments are +.Cm any +(the default), +.Cm inet +(use IPv4 only), or +.Cm inet6 +(use IPv6 only). +.It Cm AllowAgentForwarding +Specifies whether +.Xr ssh-agent 1 +forwarding is permitted. +The default is +.Cm yes . +Note that disabling agent forwarding does not improve security +unless users are also denied shell access, as they can always install +their own forwarders. +.It Cm AllowGroups +This keyword can be followed by a list of group name patterns, separated +by spaces. +If specified, login is allowed only for users whose primary +group or supplementary group list matches one of the patterns. +Only group names are valid; a numerical group ID is not recognized. +By default, login is allowed for all groups. +.Cm AllowGroups +is not consulted for groups matched by +.Cm DenyGroups . +.Pp +See PATTERNS in +.Xr ssh_config 5 +for more information on patterns. +This keyword may appear multiple times in +.Nm +with each instance appending to the list. +.It Cm AllowStreamLocalForwarding +Specifies whether StreamLocal (Unix-domain socket) forwarding is permitted. +The available options are +.Cm yes +(the default) +or +.Cm all +to allow StreamLocal forwarding, +.Cm no +to prevent all StreamLocal forwarding, +.Cm local +to allow local (from the perspective of +.Xr ssh 1 ) +forwarding only or +.Cm remote +to allow remote forwarding only. +Note that disabling StreamLocal forwarding does not improve security unless +users are also denied shell access, as they can always install their +own forwarders. +.It Cm AllowTcpForwarding +Specifies whether TCP forwarding is permitted. +The available options are +.Cm yes +(the default) +or +.Cm all +to allow TCP forwarding, +.Cm no +to prevent all TCP forwarding, +.Cm local +to allow local (from the perspective of +.Xr ssh 1 ) +forwarding only or +.Cm remote +to allow remote forwarding only. +Note that disabling TCP forwarding does not improve security unless +users are also denied shell access, as they can always install their +own forwarders. +.It Cm AllowUsers +This keyword can be followed by a list of user name patterns, separated +by spaces. +If specified, login is allowed only for user names that +match one of the patterns. +Only user names are valid; a numerical user ID is not recognized. +By default, login is allowed for all users. +If the pattern takes the form USER@HOST then USER and HOST +are separately checked, restricting logins to particular +users from particular hosts. +HOST criteria may additionally contain addresses to match in CIDR +address/masklen format. +.Cm AllowUsers +is not consulted for users matched by +.Cm DenyUsers . +.Pp +See PATTERNS in +.Xr ssh_config 5 +for more information on patterns. +This keyword may appear multiple times in +.Nm +with each instance appending to the list. +.It Cm AuthenticationMethods +Specifies the authentication methods that must be successfully completed +for a user to be granted access. +This option must be followed by one or more lists of comma-separated +authentication method names, or by the single string +.Cm any +to indicate the default behaviour of accepting any single authentication +method. +If the default is overridden, then successful authentication requires +completion of every method in at least one of these lists. +.Pp +For example, +.Qq publickey,password publickey,keyboard-interactive +would require the user to complete public key authentication, followed by +either password or keyboard interactive authentication. +Only methods that are next in one or more lists are offered at each stage, +so for this example it would not be possible to attempt password or +keyboard-interactive authentication before public key. +.Pp +For keyboard interactive authentication it is also possible to +restrict authentication to a specific device by appending a +colon followed by the device identifier +.Cm bsdauth +or +.Cm pam . +depending on the server configuration. +For example, +.Qq keyboard-interactive:bsdauth +would restrict keyboard interactive authentication to the +.Cm bsdauth +device. +.Pp +If the publickey method is listed more than once, +.Xr sshd 8 +verifies that keys that have been used successfully are not reused for +subsequent authentications. +For example, +.Qq publickey,publickey +requires successful authentication using two different public keys. +.Pp +Note that each authentication method listed should also be explicitly enabled +in the configuration. +.Pp +The available authentication methods are: +.Qq gssapi-with-mic , +.Qq hostbased , +.Qq keyboard-interactive , +.Qq none +(used for access to password-less accounts when +.Cm PermitEmptyPasswords +is enabled), +.Qq password +and +.Qq publickey . +.It Cm AuthorizedKeysCommand +Specifies a program to be used to look up the user's public keys. +The program must be owned by root, not writable by group or others and +specified by an absolute path. +Arguments to +.Cm AuthorizedKeysCommand +accept the tokens described in the +.Sx TOKENS +section. +If no arguments are specified then the username of the target user is used. +.Pp +The program should produce on standard output zero or +more lines of authorized_keys output (see +.Cm AUTHORIZED_KEYS +in +.Xr sshd 8 ) . +.Cm AuthorizedKeysCommand +is tried after the usual +.Cm AuthorizedKeysFile +files and will not be executed if a matching key is found there. +By default, no +.Cm AuthorizedKeysCommand +is run. +This command is only executed for valid users. +.It Cm AuthorizedKeysCommandUser +Specifies the user under whose account the +.Cm AuthorizedKeysCommand +is run. +It is recommended to use a dedicated user that has no other role on the host +than running authorized keys commands. +If +.Cm AuthorizedKeysCommand +is specified but +.Cm AuthorizedKeysCommandUser +is not, then +.Xr sshd 8 +will refuse to start. +.It Cm AuthorizedKeysFile +Specifies the file that contains the public keys used for user authentication. +The format is described in the AUTHORIZED_KEYS FILE FORMAT section of +.Xr sshd 8 . +Arguments to +.Cm AuthorizedKeysFile +may include wildcards and accept the tokens described in the +.Sx TOKENS +section. +After expansion, +.Cm AuthorizedKeysFile +is taken to be an absolute path or one relative to the user's home +directory. +Multiple files may be listed, separated by whitespace. +Alternately this option may be set to +.Cm none +to skip checking for user keys in files. +The default is +.Qq .ssh/authorized_keys .ssh/authorized_keys2 . +These files are only checked for valid users. +.It Cm AuthorizedPrincipalsCommand +Specifies a program to be used to generate the list of allowed +certificate principals as per +.Cm AuthorizedPrincipalsFile . +The program must be owned by root, not writable by group or others and +specified by an absolute path. +Arguments to +.Cm AuthorizedPrincipalsCommand +accept the tokens described in the +.Sx TOKENS +section. +If no arguments are specified then the username of the target user is used. +.Pp +The program should produce on standard output zero or +more lines of +.Cm AuthorizedPrincipalsFile +output. +If either +.Cm AuthorizedPrincipalsCommand +or +.Cm AuthorizedPrincipalsFile +is specified, then certificates offered by the client for authentication +must contain a principal that is listed. +By default, no +.Cm AuthorizedPrincipalsCommand +is run. +This command is only executed for valid users. +.It Cm AuthorizedPrincipalsCommandUser +Specifies the user under whose account the +.Cm AuthorizedPrincipalsCommand +is run. +It is recommended to use a dedicated user that has no other role on the host +than running authorized principals commands. +If +.Cm AuthorizedPrincipalsCommand +is specified but +.Cm AuthorizedPrincipalsCommandUser +is not, then +.Xr sshd 8 +will refuse to start. +.It Cm AuthorizedPrincipalsFile +Specifies a file that lists principal names that are accepted for +certificate authentication. +When using certificates signed by a key listed in +.Cm TrustedUserCAKeys , +this file lists names, one of which must appear in the certificate for it +to be accepted for authentication. +Names are listed one per line preceded by key options (as described in +.Cm AUTHORIZED_KEYS FILE FORMAT +in +.Xr sshd 8 ) . +Empty lines and comments starting with +.Ql # +are ignored. +.Pp +Arguments to +.Cm AuthorizedPrincipalsFile +may include wildcards and accept the tokens described in the +.Sx TOKENS +section. +After expansion, +.Cm AuthorizedPrincipalsFile +is taken to be an absolute path or one relative to the user's home directory. +The default is +.Cm none , +i.e. not to use a principals file \(en in this case, the username +of the user must appear in a certificate's principals list for it to be +accepted. +This file is only checked for valid users. +.Pp +Note that +.Cm AuthorizedPrincipalsFile +is only used when authentication proceeds using a CA listed in +.Cm TrustedUserCAKeys +and is not consulted for certification authorities trusted via +.Pa ~/.ssh/authorized_keys , +though the +.Cm principals= +key option offers a similar facility (see +.Xr sshd 8 +for details). +.It Cm Banner +The contents of the specified file are sent to the remote user before +authentication is allowed. +If the argument is +.Cm none +then no banner is displayed. +By default, no banner is displayed. +.It Cm CASignatureAlgorithms +Specifies which algorithms are allowed for signing of certificates +by certificate authorities (CAs). +The default is: +.Bd -literal -offset indent +ssh-ed25519,ecdsa-sha2-nistp256, +ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +sk-ssh-ed25519@openssh.com, +sk-ecdsa-sha2-nistp256@openssh.com, +rsa-sha2-512,rsa-sha2-256 +.Ed +.Pp +If the specified list begins with a +.Sq + +character, then the specified algorithms will be appended to the default set +instead of replacing them. +If the specified list begins with a +.Sq - +character, then the specified algorithms (including wildcards) will be removed +from the default set instead of replacing them. +.Pp +Certificates signed using other algorithms will not be accepted for +public key or host-based authentication. +.It Cm ChannelTimeout +Specifies whether and how quickly +.Xr sshd 8 +should close inactive channels. +Timeouts are specified as one or more +.Dq type=interval +pairs separated by whitespace, where the +.Dq type +must be the special keyword +.Dq global +or a channel type name from the list below, optionally containing +wildcard characters. +.Pp +The timeout value +.Dq interval +is specified in seconds or may use any of the units documented in the +.Sx TIME FORMATS +section. +For example, +.Dq session=5m +would cause interactive sessions to terminate after five minutes of +inactivity. +Specifying a zero value disables the inactivity timeout. +.Pp +The special timeout +.Dq global +applies to all active channels, taken together. +Traffic on any active channel will reset the timeout, but when the timeout +expires then all open channels will be closed. +Note that this global timeout is not matched by wildcards and must be +specified explicitly. +.Pp +The available channel type names include: +.Bl -tag -width Ds +.It Cm agent-connection +Open connections to +.Xr ssh-agent 1 . +.It Cm direct-tcpip , Cm direct-streamlocal@openssh.com +Open TCP or Unix socket (respectively) connections that have +been established from an +.Xr ssh 1 +local forwarding, i.e.\& +.Cm LocalForward +or +.Cm DynamicForward . +.It Cm forwarded-tcpip , Cm forwarded-streamlocal@openssh.com +Open TCP or Unix socket (respectively) connections that have been +established to an +.Xr sshd 8 +listening on behalf of an +.Xr ssh 1 +remote forwarding, i.e.\& +.Cm RemoteForward . +.It Cm session +The interactive main session, including shell session, command execution, +.Xr scp 1 , +.Xr sftp 1 , +etc. +.It Cm tun-connection +Open +.Cm TunnelForward +connections. +.It Cm x11-connection +Open X11 forwarding sessions. +.El +.Pp +Note that in all the above cases, terminating an inactive session does not +guarantee to remove all resources associated with the session, e.g. shell +processes or X11 clients relating to the session may continue to execute. +.Pp +Moreover, terminating an inactive channel or session does not necessarily +close the SSH connection, nor does it prevent a client from +requesting another channel of the same type. +In particular, expiring an inactive forwarding session does not prevent +another identical forwarding from being subsequently created. +.Pp +The default is not to expire channels of any type for inactivity. +.It Cm ChrootDirectory +Specifies the pathname of a directory to +.Xr chroot 2 +to after authentication. +At session startup +.Xr sshd 8 +checks that all components of the pathname are root-owned directories +which are not writable by group or others. +After the chroot, +.Xr sshd 8 +changes the working directory to the user's home directory. +Arguments to +.Cm ChrootDirectory +accept the tokens described in the +.Sx TOKENS +section. +.Pp +The +.Cm ChrootDirectory +must contain the necessary files and directories to support the +user's session. +For an interactive session this requires at least a shell, typically +.Xr sh 1 , +and basic +.Pa /dev +nodes such as +.Xr null 4 , +.Xr zero 4 , +.Xr stdin 4 , +.Xr stdout 4 , +.Xr stderr 4 , +and +.Xr tty 4 +devices. +For file transfer sessions using SFTP +no additional configuration of the environment is necessary if the in-process +sftp-server is used, +though sessions which use logging may require +.Pa /dev/log +inside the chroot directory on some operating systems (see +.Xr sftp-server 8 +for details). +.Pp +For safety, it is very important that the directory hierarchy be +prevented from modification by other processes on the system (especially +those outside the jail). +Misconfiguration can lead to unsafe environments which +.Xr sshd 8 +cannot detect. +.Pp +The default is +.Cm none , +indicating not to +.Xr chroot 2 . +.It Cm Ciphers +Specifies the ciphers allowed. +Multiple ciphers must be comma-separated. +If the specified list begins with a +.Sq + +character, then the specified ciphers will be appended to the default set +instead of replacing them. +If the specified list begins with a +.Sq - +character, then the specified ciphers (including wildcards) will be removed +from the default set instead of replacing them. +If the specified list begins with a +.Sq ^ +character, then the specified ciphers will be placed at the head of the +default set. +.Pp +The supported ciphers are: +.Pp +.Bl -item -compact -offset indent +.It +3des-cbc +.It +aes128-cbc +.It +aes192-cbc +.It +aes256-cbc +.It +aes128-ctr +.It +aes192-ctr +.It +aes256-ctr +.It +aes128-gcm@openssh.com +.It +aes256-gcm@openssh.com +.It +chacha20-poly1305@openssh.com +.El +.Pp +The default is: +.Bd -literal -offset indent +chacha20-poly1305@openssh.com, +aes128-gcm@openssh.com,aes256-gcm@openssh.com, +aes128-ctr,aes192-ctr,aes256-ctr +.Ed +.Pp +The list of available ciphers may also be obtained using +.Qq ssh -Q cipher . +.It Cm ClientAliveCountMax +Sets the number of client alive messages which may be sent without +.Xr sshd 8 +receiving any messages back from the client. +If this threshold is reached while client alive messages are being sent, +sshd will disconnect the client, terminating the session. +It is important to note that the use of client alive messages is very +different from +.Cm TCPKeepAlive . +The client alive messages are sent through the encrypted channel +and therefore will not be spoofable. +The TCP keepalive option enabled by +.Cm TCPKeepAlive +is spoofable. +The client alive mechanism is valuable when the client or +server depend on knowing when a connection has become unresponsive. +.Pp +The default value is 3. +If +.Cm ClientAliveInterval +is set to 15, and +.Cm ClientAliveCountMax +is left at the default, unresponsive SSH clients +will be disconnected after approximately 45 seconds. +Setting a zero +.Cm ClientAliveCountMax +disables connection termination. +.It Cm ClientAliveInterval +Sets a timeout interval in seconds after which if no data has been received +from the client, +.Xr sshd 8 +will send a message through the encrypted +channel to request a response from the client. +The default +is 0, indicating that these messages will not be sent to the client. +.It Cm Compression +Specifies whether compression is enabled after +the user has authenticated successfully. +The argument must be +.Cm yes , +.Cm delayed +(a legacy synonym for +.Cm yes ) +or +.Cm no . +The default is +.Cm yes . +.It Cm DenyGroups +This keyword can be followed by a list of group name patterns, separated +by spaces. +Login is disallowed for users whose primary group or supplementary +group list matches one of the patterns. +Only group names are valid; a numerical group ID is not recognized. +By default, login is allowed for all groups. +.Cm AllowGroups +is not consulted for groups matched by +.Cm DenyGroups . +.Pp +See PATTERNS in +.Xr ssh_config 5 +for more information on patterns. +This keyword may appear multiple times in +.Nm +with each instance appending to the list. +.It Cm DenyUsers +This keyword can be followed by a list of user name patterns, separated +by spaces. +Login is disallowed for user names that match one of the patterns. +Only user names are valid; a numerical user ID is not recognized. +By default, login is allowed for all users. +If the pattern takes the form USER@HOST then USER and HOST +are separately checked, restricting logins to particular +users from particular hosts. +HOST criteria may additionally contain addresses to match in CIDR +address/masklen format. +.Cm AllowUsers +is not consulted for users matched by +.Cm DenyUsers . +.Pp +See PATTERNS in +.Xr ssh_config 5 +for more information on patterns. +This keyword may appear multiple times in +.Nm +with each instance appending to the list. +.It Cm DisableForwarding +Disables all forwarding features, including X11, +.Xr ssh-agent 1 , +TCP and StreamLocal. +This option overrides all other forwarding-related options and may +simplify restricted configurations. +.It Cm ExposeAuthInfo +Writes a temporary file containing a list of authentication methods and +public credentials (e.g. keys) used to authenticate the user. +The location of the file is exposed to the user session through the +.Ev SSH_USER_AUTH +environment variable. +The default is +.Cm no . +.It Cm FingerprintHash +Specifies the hash algorithm used when logging key fingerprints. +Valid options are: +.Cm md5 +and +.Cm sha256 . +The default is +.Cm sha256 . +.It Cm ForceCommand +Forces the execution of the command specified by +.Cm ForceCommand , +ignoring any command supplied by the client and +.Pa ~/.ssh/rc +if present. +The command is invoked by using the user's login shell with the -c option. +This applies to shell, command, or subsystem execution. +It is most useful inside a +.Cm Match +block. +The command originally supplied by the client is available in the +.Ev SSH_ORIGINAL_COMMAND +environment variable. +Specifying a command of +.Cm internal-sftp +will force the use of an in-process SFTP server that requires no support +files when used with +.Cm ChrootDirectory . +The default is +.Cm none . +.Pp +This directive does not limit other kinds of access that a +client may request via their connection, such as TCP, agent, socket or +X11 forwarding. +If these are not desired, then they must be explicitly disabled, either +individually via their respective options or all together using the +.Cm DisableForwarding +option. +.It Cm GatewayPorts +Specifies whether remote hosts are allowed to connect to ports +forwarded for the client. +By default, +.Xr sshd 8 +binds remote port forwardings to the loopback address. +This prevents other remote hosts from connecting to forwarded ports. +.Cm GatewayPorts +can be used to specify that sshd +should allow remote port forwardings to bind to non-loopback addresses, thus +allowing other hosts to connect. +The argument may be +.Cm no +to force remote port forwardings to be available to the local host only, +.Cm yes +to force remote port forwardings to bind to the wildcard address, or +.Cm clientspecified +to allow the client to select the address to which the forwarding is bound. +The default is +.Cm no . +.It Cm GSSAPIAuthentication +Specifies whether user authentication based on GSSAPI is allowed. +The default is +.Cm no . +.It Cm GSSAPICleanupCredentials +Specifies whether to automatically destroy the user's credentials cache +on logout. +The default is +.Cm yes . +.It Cm GSSAPIDelegateCredentials +Accept delegated credentials on the server side. +The default is +.Cm yes . +.It Cm GSSAPIStrictAcceptorCheck +Determines whether to be strict about the identity of the GSSAPI acceptor +a client authenticates against. +If set to +.Cm yes +then the client must authenticate against the host +service on the current hostname. +If set to +.Cm no +then the client may authenticate against any service key stored in the +machine's default store. +This facility is provided to assist with operation on multi homed machines. +The default is +.Cm yes . +.It Cm HostbasedAcceptedAlgorithms +Specifies the signature algorithms that will be accepted for hostbased +authentication as a list of comma-separated patterns. +Alternately if the specified list begins with a +.Sq + +character, then the specified signature algorithms will be appended to +the default set instead of replacing them. +If the specified list begins with a +.Sq - +character, then the specified signature algorithms (including wildcards) +will be removed from the default set instead of replacing them. +If the specified list begins with a +.Sq ^ +character, then the specified signature algorithms will be placed at +the head of the default set. +The default for this option is: +.Bd -literal -offset 3n +ssh-ed25519-cert-v01@openssh.com, +ecdsa-sha2-nistp256-cert-v01@openssh.com, +ecdsa-sha2-nistp384-cert-v01@openssh.com, +ecdsa-sha2-nistp521-cert-v01@openssh.com, +sk-ssh-ed25519-cert-v01@openssh.com, +sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, +webauthn-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, +rsa-sha2-512-cert-v01@openssh.com, +rsa-sha2-256-cert-v01@openssh.com, +ssh-ed25519, +ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +sk-ssh-ed25519@openssh.com, +sk-ecdsa-sha2-nistp256@openssh.com, +webauthn-sk-ecdsa-sha2-nistp256@openssh.com, +rsa-sha2-512,rsa-sha2-256 +.Ed +.Pp +The list of available signature algorithms may also be obtained using +.Qq ssh -Q HostbasedAcceptedAlgorithms . +This was formerly named HostbasedAcceptedKeyTypes. +.It Cm HostbasedAuthentication +Specifies whether rhosts or /etc/hosts.equiv authentication together +with successful public key client host authentication is allowed +(host-based authentication). +The default is +.Cm no . +.It Cm HostbasedUsesNameFromPacketOnly +Specifies whether or not the server will attempt to perform a reverse +name lookup when matching the name in the +.Pa ~/.shosts , +.Pa ~/.rhosts , +and +.Pa /etc/hosts.equiv +files during +.Cm HostbasedAuthentication . +A setting of +.Cm yes +means that +.Xr sshd 8 +uses the name supplied by the client rather than +attempting to resolve the name from the TCP connection itself. +The default is +.Cm no . +.It Cm HostCertificate +Specifies a file containing a public host certificate. +The certificate's public key must match a private host key already specified +by +.Cm HostKey . +The default behaviour of +.Xr sshd 8 +is not to load any certificates. +.It Cm HostKey +Specifies a file containing a private host key +used by SSH. +The defaults are +.Pa /etc/ssh/ssh_host_ecdsa_key , +.Pa /etc/ssh/ssh_host_ed25519_key +and +.Pa /etc/ssh/ssh_host_rsa_key . +.Pp +Note that +.Xr sshd 8 +will refuse to use a file if it is group/world-accessible +and that the +.Cm HostKeyAlgorithms +option restricts which of the keys are actually used by +.Xr sshd 8 . +.Pp +It is possible to have multiple host key files. +It is also possible to specify public host key files instead. +In this case operations on the private key will be delegated +to an +.Xr ssh-agent 1 . +.It Cm HostKeyAgent +Identifies the UNIX-domain socket used to communicate +with an agent that has access to the private host keys. +If the string +.Qq SSH_AUTH_SOCK +is specified, the location of the socket will be read from the +.Ev SSH_AUTH_SOCK +environment variable. +.It Cm HostKeyAlgorithms +Specifies the host key signature algorithms +that the server offers. +The default for this option is: +.Bd -literal -offset 3n +ssh-ed25519-cert-v01@openssh.com, +ecdsa-sha2-nistp256-cert-v01@openssh.com, +ecdsa-sha2-nistp384-cert-v01@openssh.com, +ecdsa-sha2-nistp521-cert-v01@openssh.com, +sk-ssh-ed25519-cert-v01@openssh.com, +sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, +webauthn-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, +rsa-sha2-512-cert-v01@openssh.com, +rsa-sha2-256-cert-v01@openssh.com, +ssh-ed25519, +ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +sk-ssh-ed25519@openssh.com, +sk-ecdsa-sha2-nistp256@openssh.com, +webauthn-sk-ecdsa-sha2-nistp256@openssh.com, +rsa-sha2-512,rsa-sha2-256 +.Ed +.Pp +The list of available signature algorithms may also be obtained using +.Qq ssh -Q HostKeyAlgorithms . +.It Cm IgnoreRhosts +Specifies whether to ignore per-user +.Pa .rhosts +and +.Pa .shosts +files during +.Cm HostbasedAuthentication . +The system-wide +.Pa /etc/hosts.equiv +and +.Pa /etc/shosts.equiv +are still used regardless of this setting. +.Pp +Accepted values are +.Cm yes +(the default) to ignore all per-user files, +.Cm shosts-only +to allow the use of +.Pa .shosts +but to ignore +.Pa .rhosts +or +.Cm no +to allow both +.Pa .shosts +and +.Pa rhosts . +.It Cm IgnoreUserKnownHosts +Specifies whether +.Xr sshd 8 +should ignore the user's +.Pa ~/.ssh/known_hosts +during +.Cm HostbasedAuthentication +and use only the system-wide known hosts file +.Pa /etc/ssh/ssh_known_hosts . +The default is +.Dq no . +.It Cm Include +Include the specified configuration file(s). +Multiple pathnames may be specified and each pathname may contain +.Xr glob 7 +wildcards that will be expanded and processed in lexical order. +Files without absolute paths are assumed to be in +.Pa /etc/ssh . +An +.Cm Include +directive may appear inside a +.Cm Match +block +to perform conditional inclusion. +.It Cm IPQoS +Specifies the +.Em Differentiated Services Field Codepoint Pq DSCP +value for the connection. +Accepted values are +.Cm af11 , +.Cm af12 , +.Cm af13 , +.Cm af21 , +.Cm af22 , +.Cm af23 , +.Cm af31 , +.Cm af32 , +.Cm af33 , +.Cm af41 , +.Cm af42 , +.Cm af43 , +.Cm cs0 , +.Cm cs1 , +.Cm cs2 , +.Cm cs3 , +.Cm cs4 , +.Cm cs5 , +.Cm cs6 , +.Cm cs7 , +.Cm ef , +.Cm le , +a numeric value, or +.Cm none +to use the operating system default. +This option may take one or two arguments, separated by whitespace. +If one argument is specified, it is used as the packet class unconditionally. +If two values are specified, the first is automatically selected for +interactive sessions and the second for non-interactive sessions. +The default is +.Cm ef +(Expedited Forwarding) +for interactive sessions and +.Cm none +(the operating system default) +for non-interactive sessions. +.It Cm KbdInteractiveAuthentication +Specifies whether to allow keyboard-interactive authentication. +All authentication styles from +.Xr login.conf 5 +are supported. +The default is +.Cm yes . +The argument to this keyword must be +.Cm yes +or +.Cm no . +.Cm ChallengeResponseAuthentication +is a deprecated alias for this. +.It Cm KerberosAuthentication +Specifies whether the password provided by the user for +.Cm PasswordAuthentication +will be validated through the Kerberos KDC. +To use this option, the server needs a +Kerberos servtab which allows the verification of the KDC's identity. +The default is +.Cm no . +.It Cm KerberosGetAFSToken +If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire +an AFS token before accessing the user's home directory. +The default is +.Cm no . +.It Cm KerberosOrLocalPasswd +If password authentication through Kerberos fails then +the password will be validated via any additional local mechanism +such as +.Pa /etc/passwd . +The default is +.Cm yes . +.It Cm KerberosTicketCleanup +Specifies whether to automatically destroy the user's ticket cache +file on logout. +The default is +.Cm yes . +.It Cm KexAlgorithms +Specifies the permitted KEX (Key Exchange) algorithms that the server will +offer to clients. +The ordering of this list is not important, as the client specifies the +preference order. +Multiple algorithms must be comma-separated. +.Pp +If the specified list begins with a +.Sq + +character, then the specified algorithms will be appended to the default set +instead of replacing them. +If the specified list begins with a +.Sq - +character, then the specified algorithms (including wildcards) will be removed +from the default set instead of replacing them. +If the specified list begins with a +.Sq ^ +character, then the specified algorithms will be placed at the head of the +default set. +.Pp +The supported algorithms are: +.Pp +.Bl -item -compact -offset indent +.It +curve25519-sha256 +.It +curve25519-sha256@libssh.org +.It +diffie-hellman-group1-sha1 +.It +diffie-hellman-group14-sha1 +.It +diffie-hellman-group14-sha256 +.It +diffie-hellman-group16-sha512 +.It +diffie-hellman-group18-sha512 +.It +diffie-hellman-group-exchange-sha1 +.It +diffie-hellman-group-exchange-sha256 +.It +ecdh-sha2-nistp256 +.It +ecdh-sha2-nistp384 +.It +ecdh-sha2-nistp521 +.It +mlkem768x25519-sha256 +.It +sntrup761x25519-sha512 +.It +sntrup761x25519-sha512@openssh.com +.El +.Pp +The default is: +.Bd -literal -offset indent +mlkem768x25519-sha256, +sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com, +curve25519-sha256,curve25519-sha256@libssh.org, +ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 +.Ed +.Pp +The list of supported key exchange algorithms may also be obtained using +.Qq ssh -Q KexAlgorithms . +.It Cm ListenAddress +Specifies the local addresses +.Xr sshd 8 +should listen on. +The following forms may be used: +.Pp +.Bl -item -offset indent -compact +.It +.Cm ListenAddress +.Sm off +.Ar hostname | address +.Sm on +.Op Cm rdomain Ar domain +.It +.Cm ListenAddress +.Sm off +.Ar hostname : port +.Sm on +.Op Cm rdomain Ar domain +.It +.Cm ListenAddress +.Sm off +.Ar IPv4_address : port +.Sm on +.Op Cm rdomain Ar domain +.It +.Cm ListenAddress +.Sm off +.Oo Ar hostname | address Oc : Ar port +.Sm on +.Op Cm rdomain Ar domain +.El +.Pp +The optional +.Cm rdomain +qualifier requests +.Xr sshd 8 +listen in an explicit routing domain. +If +.Ar port +is not specified, +sshd will listen on the address and all +.Cm Port +options specified. +The default is to listen on all local addresses on the current default +routing domain. +Multiple +.Cm ListenAddress +options are permitted. +For more information on routing domains, see +.Xr rdomain 4 . +.It Cm LoginGraceTime +The server disconnects after this time if the user has not +successfully logged in. +If the value is 0, there is no time limit. +The default is 120 seconds. +.It Cm LogLevel +Gives the verbosity level that is used when logging messages from +.Xr sshd 8 . +The possible values are: +QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. +The default is INFO. +DEBUG and DEBUG1 are equivalent. +DEBUG2 and DEBUG3 each specify higher levels of debugging output. +Logging with a DEBUG level violates the privacy of users and is not recommended. +.It Cm LogVerbose +Specify one or more overrides to +.Cm LogLevel . +An override consists of one or more pattern lists that matches the +source file, function and line number to force detailed logging for. +For example, an override pattern of: +.Bd -literal -offset indent +kex.c:*:1000,*:kex_exchange_identification():*,packet.c:* +.Ed +.Pp +would enable detailed logging for line 1000 of +.Pa kex.c , +everything in the +.Fn kex_exchange_identification +function, and all code in the +.Pa packet.c +file. +This option is intended for debugging and no overrides are enabled by default. +.It Cm MACs +Specifies the available MAC (message authentication code) algorithms. +The MAC algorithm is used for data integrity protection. +Multiple algorithms must be comma-separated. +If the specified list begins with a +.Sq + +character, then the specified algorithms will be appended to the default set +instead of replacing them. +If the specified list begins with a +.Sq - +character, then the specified algorithms (including wildcards) will be removed +from the default set instead of replacing them. +If the specified list begins with a +.Sq ^ +character, then the specified algorithms will be placed at the head of the +default set. +.Pp +The algorithms that contain +.Qq -etm +calculate the MAC after encryption (encrypt-then-mac). +These are considered safer and their use recommended. +The supported MACs are: +.Pp +.Bl -item -compact -offset indent +.It +hmac-md5 +.It +hmac-md5-96 +.It +hmac-sha1 +.It +hmac-sha1-96 +.It +hmac-sha2-256 +.It +hmac-sha2-512 +.It +umac-64@openssh.com +.It +umac-128@openssh.com +.It +hmac-md5-etm@openssh.com +.It +hmac-md5-96-etm@openssh.com +.It +hmac-sha1-etm@openssh.com +.It +hmac-sha1-96-etm@openssh.com +.It +hmac-sha2-256-etm@openssh.com +.It +hmac-sha2-512-etm@openssh.com +.It +umac-64-etm@openssh.com +.It +umac-128-etm@openssh.com +.El +.Pp +The default is: +.Bd -literal -offset indent +umac-64-etm@openssh.com,umac-128-etm@openssh.com, +hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, +hmac-sha1-etm@openssh.com, +umac-64@openssh.com,umac-128@openssh.com, +hmac-sha2-256,hmac-sha2-512,hmac-sha1 +.Ed +.Pp +The list of available MAC algorithms may also be obtained using +.Qq ssh -Q mac . +.It Cm Match +Introduces a conditional block. +If all of the criteria on the +.Cm Match +line are satisfied, the keywords on the following lines override those +set in the global section of the config file, until either another +.Cm Match +line or the end of the file. +If a keyword appears in multiple +.Cm Match +blocks that are satisfied, only the first instance of the keyword is +applied. +.Pp +The arguments to +.Cm Match +are one or more criteria-pattern pairs or one of the single token criteria: +.Cm All , +which matches all criteria, or +.Cm Invalid-User , +which matches when the requested user-name does not match any known account. +The available criteria are +.Cm User , +.Cm Group , +.Cm Host , +.Cm LocalAddress , +.Cm LocalPort , +.Cm Version , +.Cm RDomain , +and +.Cm Address +(with +.Cm RDomain +representing the +.Xr rdomain 4 +on which the connection was received). +.Pp +The match patterns may consist of single entries or comma-separated +lists and may use the wildcard and negation operators described in the +.Sx PATTERNS +section of +.Xr ssh_config 5 . +.Pp +The patterns in an +.Cm Address +criteria may additionally contain addresses to match in CIDR +address/masklen format, +such as 192.0.2.0/24 or 2001:db8::/32. +Note that the mask length provided must be consistent with the address - +it is an error to specify a mask length that is too long for the address +or one with bits set in this host portion of the address. +For example, 192.0.2.0/33 and 192.0.2.0/8, respectively. +.Pp +The +.Cm Version +keyword matches against the version string of +.Xr sshd 8 , +for example +.Dq OpenSSH_10.0 . +.Pp +Only a subset of keywords may be used on the lines following a +.Cm Match +keyword. +Available keywords are +.Cm AcceptEnv , +.Cm AllowAgentForwarding , +.Cm AllowGroups , +.Cm AllowStreamLocalForwarding , +.Cm AllowTcpForwarding , +.Cm AllowUsers , +.Cm AuthenticationMethods , +.Cm AuthorizedKeysCommand , +.Cm AuthorizedKeysCommandUser , +.Cm AuthorizedKeysFile , +.Cm AuthorizedPrincipalsCommand , +.Cm AuthorizedPrincipalsCommandUser , +.Cm AuthorizedPrincipalsFile , +.Cm Banner , +.Cm CASignatureAlgorithms , +.Cm ChannelTimeout , +.Cm ChrootDirectory , +.Cm ClientAliveCountMax , +.Cm ClientAliveInterval , +.Cm DenyGroups , +.Cm DenyUsers , +.Cm DisableForwarding , +.Cm ExposeAuthInfo , +.Cm ForceCommand , +.Cm GatewayPorts , +.Cm GSSAPIAuthentication , +.Cm HostbasedAcceptedAlgorithms , +.Cm HostbasedAuthentication , +.Cm HostbasedUsesNameFromPacketOnly , +.Cm IgnoreRhosts , +.Cm Include , +.Cm IPQoS , +.Cm KbdInteractiveAuthentication , +.Cm KerberosAuthentication , +.Cm LogLevel , +.Cm MaxAuthTries , +.Cm MaxSessions , +.Cm PasswordAuthentication , +.Cm PermitEmptyPasswords , +.Cm PermitListen , +.Cm PermitOpen , +.Cm PermitRootLogin , +.Cm PermitTTY , +.Cm PermitTunnel , +.Cm PermitUserRC , +.Cm PubkeyAcceptedAlgorithms , +.Cm PubkeyAuthentication , +.Cm PubkeyAuthOptions , +.Cm RefuseConnection , +.Cm RekeyLimit , +.Cm RevokedKeys , +.Cm RDomain , +.Cm SetEnv , +.Cm StreamLocalBindMask , +.Cm StreamLocalBindUnlink , +.Cm TrustedUserCAKeys , +.Cm UnusedConnectionTimeout , +.Cm X11DisplayOffset , +.Cm X11Forwarding +and +.Cm X11UseLocalhost . +.It Cm MaxAuthTries +Specifies the maximum number of authentication attempts permitted per +connection. +Once the number of failures reaches half this value, +additional failures are logged. +The default is 6. +.It Cm MaxSessions +Specifies the maximum number of open shell, login or subsystem (e.g. sftp) +sessions permitted per network connection. +Multiple sessions may be established by clients that support connection +multiplexing. +Setting +.Cm MaxSessions +to 1 will effectively disable session multiplexing, whereas setting it to 0 +will prevent all shell, login and subsystem sessions while still permitting +forwarding. +The default is 10. +.It Cm MaxStartups +Specifies the maximum number of concurrent unauthenticated connections to the +SSH daemon. +Additional connections will be dropped until authentication succeeds or the +.Cm LoginGraceTime +expires for a connection. +.Pp +Alternatively, random early drop can be enabled by specifying +the three colon separated values +start:rate:full (e.g. "10:30:60"). +The default is 10:30:100. +.Xr sshd 8 +will refuse connection attempts with a probability of rate/100 (30%) +if there are currently start (10) unauthenticated connections. +The probability increases linearly and all connection attempts +are refused if the number of unauthenticated connections reaches full (60). +.It Cm ModuliFile +Specifies the +.Xr moduli 5 +file that contains the Diffie-Hellman groups used for the +.Dq diffie-hellman-group-exchange-sha1 +and +.Dq diffie-hellman-group-exchange-sha256 +key exchange methods. +The default is +.Pa /etc/moduli . +.It Cm PasswordAuthentication +Specifies whether password authentication is allowed. +The default is +.Cm yes . +.It Cm PermitEmptyPasswords +When password authentication is allowed, it specifies whether the +server allows login to accounts with empty password strings. +The default is +.Cm no . +.It Cm PermitListen +Specifies the addresses/ports on which a remote TCP port forwarding may listen. +The listen specification must be one of the following forms: +.Pp +.Bl -item -offset indent -compact +.It +.Cm PermitListen +.Sm off +.Ar port +.Sm on +.It +.Cm PermitListen +.Sm off +.Ar host : port +.Sm on +.El +.Pp +Multiple permissions may be specified by separating them with whitespace. +An argument of +.Cm any +can be used to remove all restrictions and permit any listen requests. +An argument of +.Cm none +can be used to prohibit all listen requests. +The host name may contain wildcards as described in the PATTERNS section in +.Xr ssh_config 5 . +The wildcard +.Sq * +can also be used in place of a port number to allow all ports. +By default all port forwarding listen requests are permitted. +Note that the +.Cm GatewayPorts +option may further restrict which addresses may be listened on. +Note also that +.Xr ssh 1 +will request a listen host of +.Dq localhost +if no listen host was specifically requested, and this name is +treated differently to explicit localhost addresses of +.Dq 127.0.0.1 +and +.Dq ::1 . +.It Cm PermitOpen +Specifies the destinations to which TCP port forwarding is permitted. +The forwarding specification must be one of the following forms: +.Pp +.Bl -item -offset indent -compact +.It +.Cm PermitOpen +.Sm off +.Ar host : port +.Sm on +.It +.Cm PermitOpen +.Sm off +.Ar IPv4_addr : port +.Sm on +.It +.Cm PermitOpen +.Sm off +.Ar \&[ IPv6_addr \&] : port +.Sm on +.El +.Pp +Multiple forwards may be specified by separating them with whitespace. +An argument of +.Cm any +can be used to remove all restrictions and permit any forwarding requests. +An argument of +.Cm none +can be used to prohibit all forwarding requests. +The wildcard +.Sq * +can be used for host or port to allow all hosts or ports respectively. +Otherwise, no pattern matching or address lookups are performed on supplied +names. +By default all port forwarding requests are permitted. +.It Cm PermitRootLogin +Specifies whether root can log in using +.Xr ssh 1 . +The argument must be +.Cm yes , +.Cm prohibit-password , +.Cm forced-commands-only , +or +.Cm no . +The default is +.Cm prohibit-password . +.Pp +If this option is set to +.Cm prohibit-password +(or its deprecated alias, +.Cm without-password ) , +password and keyboard-interactive authentication are disabled for root. +.Pp +If this option is set to +.Cm forced-commands-only , +root login with public key authentication will be allowed, +but only if the +.Ar command +option has been specified +(which may be useful for taking remote backups even if root login is +normally not allowed). +All other authentication methods are disabled for root. +.Pp +If this option is set to +.Cm no , +root is not allowed to log in. +.It Cm PermitTTY +Specifies whether +.Xr pty 4 +allocation is permitted. +The default is +.Cm yes . +.It Cm PermitTunnel +Specifies whether +.Xr tun 4 +device forwarding is allowed. +The argument must be +.Cm yes , +.Cm point-to-point +(layer 3), +.Cm ethernet +(layer 2), or +.Cm no . +Specifying +.Cm yes +permits both +.Cm point-to-point +and +.Cm ethernet . +The default is +.Cm no . +.Pp +Independent of this setting, the permissions of the selected +.Xr tun 4 +device must allow access to the user. +.It Cm PermitUserEnvironment +Specifies whether +.Pa ~/.ssh/environment +and +.Cm environment= +options in +.Pa ~/.ssh/authorized_keys +are processed by +.Xr sshd 8 . +Valid options are +.Cm yes , +.Cm no +or a pattern-list specifying which environment variable names to accept +(for example +.Qq LANG,LC_* ) . +The default is +.Cm no . +Enabling environment processing may enable users to bypass access +restrictions in some configurations using mechanisms such as +.Ev LD_PRELOAD . +.It Cm PermitUserRC +Specifies whether any +.Pa ~/.ssh/rc +file is executed. +The default is +.Cm yes . +.It Cm PerSourceMaxStartups +Specifies the number of unauthenticated connections allowed from a +given source address, or +.Dq none +if there is no limit. +This limit is applied in addition to +.Cm MaxStartups , +whichever is lower. +The default is +.Cm none . +.It Cm PerSourceNetBlockSize +Specifies the number of bits of source address that are grouped together +for the purposes of applying PerSourceMaxStartups limits. +Values for IPv4 and optionally IPv6 may be specified, separated by a colon. +The default is +.Cm 32:128 , +which means each address is considered individually. +.It Cm PerSourcePenalties +Controls penalties for various conditions that may represent attacks on +.Xr sshd 8 . +If a penalty is enforced against a client then its source address and any +others in the same network, as defined by +.Cm PerSourceNetBlockSize , +will be refused connection for a period. +.Pp +A penalty doesn't affect concurrent connections in progress, but multiple +penalties from the same source from concurrent connections will accumulate +up to a maximum. +Conversely, penalties are not applied until a minimum threshold time has been +accumulated. +.Pp +Penalties are enabled by default with the default settings listed below +but may disabled using the +.Cm no +keyword. +The defaults may be overridden by specifying one or more of the keywords below, +separated by whitespace. +All keywords accept arguments, e.g.\& +.Qq crash:2m . +.Bl -tag -width Ds +.It Cm crash:duration +Specifies how long to refuse clients that cause a crash of +.Xr sshd 8 (default: 90s). +.It Cm authfail:duration +Specifies how long to refuse clients that disconnect after making one or more +unsuccessful authentication attempts (default: 5s). +.It Cm invaliduser:duration +Specifies how long to refuse clients that attempt to log in with an invalid +user (default: 5s). +.It Cm refuseconnection:duration +Specifies how long to refuse clients that were administratively prohibited +connection via the +.Cm RefuseConnection +option (default: 10s). +.It Cm noauth:duration +Specifies how long to refuse clients that disconnect without attempting +authentication (default: 1s). +This timeout should be used cautiously otherwise it may penalise legitimate +scanning tools such as +.Xr ssh-keyscan 1 . +.It Cm grace-exceeded:duration +Specifies how long to refuse clients that fail to authenticate after +.Cm LoginGraceTime +(default: 10s). +.It Cm max:duration +Specifies the maximum time a particular source address range will be refused +access for (default: 10m). +Repeated penalties will accumulate up to this maximum. +.It Cm min:duration +Specifies the minimum penalty that must accrue before enforcement begins +(default: 15s). +.It Cm max-sources4:number , max-sources6:number +Specifies the maximum number of client IPv4 and IPv6 address ranges to +track for penalties (default: 65536 for both). +.It Cm overflow:mode +Controls how the server behaves when +.Cm max-sources4 +or +.Cm max-sources6 +is exceeded. +There are two operating modes: +.Cm deny-all , +which denies all incoming connections other than those exempted via +.Cm PerSourcePenaltyExemptList +until a penalty expires, and +.Cm permissive , +which allows new connections by removing existing penalties early +(default: permissive). +Note that client penalties below the +.Cm min +threshold count against the total number of tracked penalties. +IPv4 and IPv6 addresses are tracked separately, so an overflow in one will +not affect the other. +.It Cm overflow6:mode +Allows specifying a different overflow mode for IPv6 addresses. +The default it to use the same overflow mode as was specified for IPv4. +.El +.It Cm PerSourcePenaltyExemptList +Specifies a comma-separated list of addresses to exempt from penalties. +This list may contain wildcards and CIDR address/masklen ranges. +Note that the mask length provided must be consistent with the address - +it is an error to specify a mask length that is too long for the address +or one with bits set in this host portion of the address. +For example, 192.0.2.0/33 and 192.0.2.0/8, respectively. +The default is not to exempt any addresses. +.It Cm PidFile +Specifies the file that contains the process ID of the +SSH daemon, or +.Cm none +to not write one. +The default is +.Pa /var/run/sshd.pid . +.It Cm Port +Specifies the port number that +.Xr sshd 8 +listens on. +The default is 22. +Multiple options of this type are permitted. +See also +.Cm ListenAddress . +.It Cm PrintLastLog +Specifies whether +.Xr sshd 8 +should print the date and time of the last user login when a user logs +in interactively. +The default is +.Cm yes . +.It Cm PrintMotd +Specifies whether +.Xr sshd 8 +should print +.Pa /etc/motd +when a user logs in interactively. +(On some systems it is also printed by the shell, +.Pa /etc/profile , +or equivalent.) +The default is +.Cm yes . +.It Cm PubkeyAcceptedAlgorithms +Specifies the signature algorithms that will be accepted for public key +authentication as a list of comma-separated patterns. +Alternately if the specified list begins with a +.Sq + +character, then the specified algorithms will be appended to the default set +instead of replacing them. +If the specified list begins with a +.Sq - +character, then the specified algorithms (including wildcards) will be removed +from the default set instead of replacing them. +If the specified list begins with a +.Sq ^ +character, then the specified algorithms will be placed at the head of the +default set. +The default for this option is: +.Bd -literal -offset 3n +ssh-ed25519-cert-v01@openssh.com, +ecdsa-sha2-nistp256-cert-v01@openssh.com, +ecdsa-sha2-nistp384-cert-v01@openssh.com, +ecdsa-sha2-nistp521-cert-v01@openssh.com, +sk-ssh-ed25519-cert-v01@openssh.com, +sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, +webauthn-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, +rsa-sha2-512-cert-v01@openssh.com, +rsa-sha2-256-cert-v01@openssh.com, +ssh-ed25519, +ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +sk-ssh-ed25519@openssh.com, +sk-ecdsa-sha2-nistp256@openssh.com, +webauthn-sk-ecdsa-sha2-nistp256@openssh.com, +rsa-sha2-512,rsa-sha2-256 +.Ed +.Pp +The list of available signature algorithms may also be obtained using +.Qq ssh -Q PubkeyAcceptedAlgorithms . +.It Cm PubkeyAuthOptions +Sets one or more public key authentication options. +The supported keywords are: +.Cm none +(the default; indicating no additional options are enabled), +.Cm touch-required +and +.Cm verify-required . +.Pp +The +.Cm touch-required +option causes public key authentication using a FIDO authenticator algorithm +(i.e.\& +.Cm ecdsa-sk +or +.Cm ed25519-sk ) +to always require the signature to attest that a physically present user +explicitly confirmed the authentication (usually by touching the authenticator). +By default, +.Xr sshd 8 +requires user presence unless overridden with an authorized_keys option. +The +.Cm touch-required +flag disables this override. +.Pp +The +.Cm verify-required +option requires a FIDO key signature attest that the user was verified, +e.g. via a PIN. +.Pp +Neither the +.Cm touch-required +or +.Cm verify-required +options have any effect for other, non-FIDO, public key types. +.It Cm PubkeyAuthentication +Specifies whether public key authentication is allowed. +The default is +.Cm yes . +.It Cm RefuseConnection +Indicates that +.Xr sshd 8 +should unconditionally terminate the connection. +Additionally, a +.Cm refuseconnection +penalty may be recorded against the source of the connection if +.Cm PerSourcePenalties +are enabled. +This option is only really useful in a +.Cm Match +block. +.It Cm RekeyLimit +Specifies the maximum amount of data that may be transmitted or received +before the session key is renegotiated, optionally followed by a maximum +amount of time that may pass before the session key is renegotiated. +The first argument is specified in bytes and may have a suffix of +.Sq K , +.Sq M , +or +.Sq G +to indicate Kilobytes, Megabytes, or Gigabytes, respectively. +The default is between +.Sq 1G +and +.Sq 4G , +depending on the cipher. +The optional second value is specified in seconds and may use any of the +units documented in the +.Sx TIME FORMATS +section. +The default value for +.Cm RekeyLimit +is +.Cm default none , +which means that rekeying is performed after the cipher's default amount +of data has been sent or received and no time based rekeying is done. +.It Cm RequiredRSASize +Specifies the minimum RSA key size (in bits) that +.Xr sshd 8 +will accept. +User and host-based authentication keys smaller than this limit will be +refused. +The default is +.Cm 1024 +bits. +Note that this limit may only be raised from the default. +.It Cm RevokedKeys +Specifies revoked public keys file, or +.Cm none +to not use one. +Keys listed in this file will be refused for public key authentication. +Note that if this file is not readable, then public key authentication will +be refused for all users. +Keys may be specified as a text file, listing one public key per line, or as +an OpenSSH Key Revocation List (KRL) as generated by +.Xr ssh-keygen 1 . +This file may be consulted for each public key authentication attempt +received by +.Xr sshd 8 +and its contents must be consistent at all times, therefore it should only +be atomically replaced and never modified in place while the server is running. +For more information on KRLs, see the KEY REVOCATION LISTS section in +.Xr ssh-keygen 1 . +.It Cm RDomain +Specifies an explicit routing domain that is applied after authentication +has completed. +The user session, as well as any forwarded or listening IP sockets, +will be bound to this +.Xr rdomain 4 . +If the routing domain is set to +.Cm \&%D , +then the domain in which the incoming connection was received will be applied. +.It Cm SecurityKeyProvider +Specifies a path to a library that will be used when loading +FIDO authenticator-hosted keys, overriding the default of using +the built-in USB HID support. +.It Cm SetEnv +Specifies one or more environment variables to set in child sessions started +by +.Xr sshd 8 +as +.Dq NAME=VALUE . +The environment value may be quoted (e.g. if it contains whitespace +characters). +Environment variables set by +.Cm SetEnv +override the default environment and any variables specified by the user +via +.Cm AcceptEnv +or +.Cm PermitUserEnvironment . +.It Cm SshdAuthPath +Overrides the default path to the +.Cm sshd-auth +binary that is invoked to complete user authentication. +The default is +.Pa /usr/libexec/sshd-auth . +This option is intended for use by tests. +.It Cm SshdSessionPath +Overrides the default path to the +.Cm sshd-session +binary that is invoked to handle each connection. +The default is +.Pa /usr/libexec/sshd-session . +This option is intended for use by tests. +.It Cm StreamLocalBindMask +Sets the octal file creation mode mask +.Pq umask +used when creating a Unix-domain socket file for local or remote +port forwarding. +This option is only used for port forwarding to a Unix-domain socket file. +.Pp +The default value is 0177, which creates a Unix-domain socket file that is +readable and writable only by the owner. +Note that not all operating systems honor the file mode on Unix-domain +socket files. +.It Cm StreamLocalBindUnlink +Specifies whether to remove an existing Unix-domain socket file for local +or remote port forwarding before creating a new one. +If the socket file already exists and +.Cm StreamLocalBindUnlink +is not enabled, +.Nm sshd +will be unable to forward the port to the Unix-domain socket file. +This option is only used for port forwarding to a Unix-domain socket file. +.Pp +The argument must be +.Cm yes +or +.Cm no . +The default is +.Cm no . +.It Cm StrictModes +Specifies whether +.Xr sshd 8 +should check file modes and ownership of the +user's files and home directory before accepting login. +This is normally desirable because novices sometimes accidentally leave their +directory or files world-writable. +The default is +.Cm yes . +Note that this does not apply to +.Cm ChrootDirectory , +whose permissions and ownership are checked unconditionally. +.It Cm Subsystem +Configures an external subsystem (e.g. file transfer daemon). +Arguments should be a subsystem name and a command (with optional arguments) +to execute upon subsystem request. +.Pp +The command +.Cm sftp-server +implements the SFTP file transfer subsystem. +.Pp +Alternately the name +.Cm internal-sftp +implements an in-process SFTP server. +This may simplify configurations using +.Cm ChrootDirectory +to force a different filesystem root on clients. +It accepts the same command line arguments as +.Cm sftp-server +and even though it is in-process, settings such as +.Cm LogLevel +or +.Cm SyslogFacility +do not apply to it and must be set explicitly via +command line arguments. +.Pp +By default no subsystems are defined. +.It Cm SyslogFacility +Gives the facility code that is used when logging messages from +.Xr sshd 8 . +The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, +LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. +The default is AUTH. +.It Cm TCPKeepAlive +Specifies whether the system should send TCP keepalive messages to the +other side. +If they are sent, death of the connection or crash of one +of the machines will be properly noticed. +However, this means that +connections will die if the route is down temporarily, and some people +find it annoying. +On the other hand, if TCP keepalives are not sent, +sessions may hang indefinitely on the server, leaving +.Qq ghost +users and consuming server resources. +.Pp +The default is +.Cm yes +(to send TCP keepalive messages), and the server will notice +if the network goes down or the client host crashes. +This avoids infinitely hanging sessions. +.Pp +To disable TCP keepalive messages, the value should be set to +.Cm no . +.It Cm TrustedUserCAKeys +Specifies a file containing public keys of certificate authorities that are +trusted to sign user certificates for authentication, or +.Cm none +to not use one. +Keys are listed one per line; empty lines and comments starting with +.Ql # +are allowed. +If a certificate is presented for authentication and has its signing CA key +listed in this file, then it may be used for authentication for any user +listed in the certificate's principals list. +Note that certificates that lack a list of principals will not be permitted +for authentication using +.Cm TrustedUserCAKeys . +For more details on certificates, see the CERTIFICATES section in +.Xr ssh-keygen 1 . +.It Cm UnusedConnectionTimeout +Specifies whether and how quickly +.Xr sshd 8 +should close client connections with no open channels. +Open channels include active shell, command execution or subsystem +sessions, connected network, socket, agent or X11 forwardings. +Forwarding listeners, such as those from the +.Xr ssh 1 +.Fl R +flag, are not considered as open channels and do not prevent the timeout. +The timeout value +is specified in seconds or may use any of the units documented in the +.Sx TIME FORMATS +section. +.Pp +Note that this timeout starts when the client connection completes +user authentication but before the client has an opportunity to open any +channels. +Caution should be used when using short timeout values, as they may not +provide sufficient time for the client to request and open its channels +before terminating the connection. +.Pp +The default +.Cm none +is to never expire connections for having no open channels. +This option may be useful in conjunction with +.Cm ChannelTimeout . +.It Cm UseDNS +Specifies whether +.Xr sshd 8 +should look up the remote host name, and to check that +the resolved host name for the remote IP address maps back to the +very same IP address. +.Pp +If this option is set to +.Cm no +(the default) then only addresses and not host names may be used in +.Pa ~/.ssh/authorized_keys +.Cm from +and +.Nm +.Cm Match +.Cm Host +directives. +.It Cm VersionAddendum +Optionally specifies additional text to append to the SSH protocol banner +sent by the server upon connection. +The default is +.Cm none . +.It Cm X11DisplayOffset +Specifies the first display number available for +.Xr sshd 8 Ns 's +X11 forwarding. +This prevents sshd from interfering with real X11 servers. +The default is 10. +.It Cm X11Forwarding +Specifies whether X11 forwarding is permitted. +The argument must be +.Cm yes +or +.Cm no . +The default is +.Cm no . +.Pp +When X11 forwarding is enabled, there may be additional exposure to +the server and to client displays if the +.Xr sshd 8 +proxy display is configured to listen on the wildcard address (see +.Cm X11UseLocalhost ) , +though this is not the default. +Additionally, the authentication spoofing and authentication data +verification and substitution occur on the client side. +The security risk of using X11 forwarding is that the client's X11 +display server may be exposed to attack when the SSH client requests +forwarding (see the warnings for +.Cm ForwardX11 +in +.Xr ssh_config 5 ) . +A system administrator may have a stance in which they want to +protect clients that may expose themselves to attack by unwittingly +requesting X11 forwarding, which can warrant a +.Cm no +setting. +.Pp +Note that disabling X11 forwarding does not prevent users from +forwarding X11 traffic, as users can always install their own forwarders. +.It Cm X11UseLocalhost +Specifies whether +.Xr sshd 8 +should bind the X11 forwarding server to the loopback address or to +the wildcard address. +By default, +sshd binds the forwarding server to the loopback address and sets the +hostname part of the +.Ev DISPLAY +environment variable to +.Cm localhost . +This prevents remote hosts from connecting to the proxy display. +However, some older X11 clients may not function with this +configuration. +.Cm X11UseLocalhost +may be set to +.Cm no +to specify that the forwarding server should be bound to the wildcard +address. +The argument must be +.Cm yes +or +.Cm no . +The default is +.Cm yes . +.It Cm XAuthLocation +Specifies the full pathname of the +.Xr xauth 1 +program, or +.Cm none +to not use one. +The default is +.Pa /usr/X11R6/bin/xauth . +.El +.Sh TIME FORMATS +.Xr sshd 8 +command-line arguments and configuration file options that specify time +may be expressed using a sequence of the form: +.Sm off +.Ar time Op Ar qualifier , +.Sm on +where +.Ar time +is a positive integer value and +.Ar qualifier +is one of the following: +.Pp +.Bl -tag -width Ds -compact -offset indent +.It Aq Cm none +seconds +.It Cm s | Cm S +seconds +.It Cm m | Cm M +minutes +.It Cm h | Cm H +hours +.It Cm d | Cm D +days +.It Cm w | Cm W +weeks +.El +.Pp +Each member of the sequence is added together to calculate +the total time value. +.Pp +Time format examples: +.Pp +.Bl -tag -width Ds -compact -offset indent +.It 600 +600 seconds (10 minutes) +.It 10m +10 minutes +.It 1h30m +1 hour 30 minutes (90 minutes) +.El +.Sh TOKENS +Arguments to some keywords can make use of tokens, +which are expanded at runtime. +Tokens are expanded without quoting or escaping of shell characters. +It is the administrator's responsibility to ensure they are safe in the +context of their use. +.Pp +The supported tokens in +.Nm +are: +.Pp +.Bl -tag -width XXXX -offset indent -compact +.It %% +A literal +.Sq % . +.It \&%C +Identifies the connection endpoints, containing +four space-separated values: client address, client port number, +server address, and server port number. +.It \&%D +The routing domain in which the incoming connection was received. +.It %F +The fingerprint of the CA key. +.It %f +The fingerprint of the key or certificate. +.It %h +The home directory of the user. +.It %i +The key ID in the certificate. +.It %K +The base64-encoded CA key. +.It %k +The base64-encoded key or certificate for authentication. +.It %s +The serial number of the certificate. +.It \&%T +The type of the CA key. +.It %t +The key or certificate type. +.It \&%U +The numeric user ID of the target user. +.It %u +The username. +.El +.Pp +.Cm AuthorizedKeysCommand +accepts the tokens %%, %C, %D, %f, %h, %k, %t, %U, and %u. +.Pp +.Cm AuthorizedKeysFile +accepts the tokens %%, %h, %U, and %u. +.Pp +.Cm AuthorizedPrincipalsCommand +accepts the tokens %%, %C, %D, %F, %f, %h, %i, %K, %k, %s, %T, %t, %U, and %u. +.Pp +.Cm AuthorizedPrincipalsFile +accepts the tokens %%, %h, %U, and %u. +.Pp +.Cm ChrootDirectory +accepts the tokens %%, %h, %U, and %u. +.Pp +.Cm RoutingDomain +accepts the token %D. +.Sh FILES +.Bl -tag -width Ds +.It Pa /etc/ssh/sshd_config +Contains configuration data for +.Xr sshd 8 . +This file should be writable by root only, but it is recommended +(though not necessary) that it be world-readable. +.El +.Sh SEE ALSO +.Xr sftp-server 8 , +.Xr sshd 8 +.Sh AUTHORS +.An -nosplit +OpenSSH is a derivative of the original and free +ssh 1.2.12 release by +.An Tatu Ylonen . +.An Aaron Campbell , Bob Beck , Markus Friedl , Niels Provos , +.An Theo de Raadt +and +.An Dug Song +removed many bugs, re-added newer features and +created OpenSSH. +.An Markus Friedl +contributed the support for SSH protocol versions 1.5 and 2.0. +.An Niels Provos +and +.An Markus Friedl +contributed support for privilege separation. diff --git a/static/openbsd/man5/syslog.conf.5 b/static/openbsd/man5/syslog.conf.5 new file mode 100644 index 00000000..8ae2919c --- /dev/null +++ b/static/openbsd/man5/syslog.conf.5 @@ -0,0 +1,367 @@ +.\" Copyright (c) 1990, 1991, 1993 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. Neither the name of the University nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" from: @(#)syslog.conf.5 8.1 (Berkeley) 6/9/93 +.\" $OpenBSD: syslog.conf.5,v 1.39 2019/01/13 11:07:47 schwarze Exp $ +.\" $NetBSD: syslog.conf.5,v 1.4 1996/01/02 17:41:46 perry Exp $ +.\" +.Dd $Mdocdate: January 13 2019 $ +.Dt SYSLOG.CONF 5 +.Os +.Sh NAME +.Nm syslog.conf +.Nd syslogd(8) configuration file +.Sh DESCRIPTION +The +.Nm syslog.conf +file is the configuration file for the +.Xr syslogd 8 +program. +It consists of blocks of lines separated by +.Em program +specifications, with each line containing two fields: the +.Em selector +field which specifies the types of messages and priorities to which the +line applies, and an +.Em action +field which specifies the action to be taken if a message +.Xr syslogd 8 +receives matches the selection criteria. +The +.Em selector +field is separated from the +.Em action +field by one or more tab or space characters. +.Pp +The +.Em selectors +are encoded as a +.Em facility , +a period +.Pq Ql \&. , +and a +.Em level , +with no intervening whitespace. +Both the +.Em facility +and the +.Em level +are case insensitive. +.Pp +The +.Em facility +describes the part of the system generating the message, and is one of +the following keywords: auth, authpriv, cron, daemon, ftp, kern, lpr, mail, +mark, news, syslog, user, uucp and local0 through local7. +These keywords (with the exception of mark) correspond to the +similar +.Dq Dv LOG_ +values specified to the +.Xr openlog 3 +and +.Xr syslog 3 +library routines. +.Pp +The +.Em level +describes the severity of the message, and is a keyword from the +following ordered list (highest to lowest): emerg, alert, crit, err, +warning, notice, info and debug. +These keywords correspond to the +similar +.Pq Dv LOG_ +values specified to the +.Xr syslog 3 +library routine. +.Pp +Each block of lines is separated from the previous block by a tag. +The tag is a line beginning with +.Em !prog +and each block will be associated with calls to syslog from that specific +program (matched using +.Xr glob 7 +rules). +When a message matches multiple blocks, the action of each matching +block is taken. +If no tag is specified at the beginning of the file, +every line is checked for a match and acted upon +.Pq at least until a tag is found . +.Pp +.Em !!prog +causes the subsequent block to abort evaluation when a message matches, +ensuring that only a single set of actions is taken. +.Em !*\& +can be used to ensure that any ensuing blocks are further evaluated +(i.e. cancelling the effect of a +.Em !prog +or +.Em !!prog ) . +.Pp +Blocks starting with +.Em +host +or +.Em ++host +or +.Em +* +work the same way as their +.Em prog +counterparts, but they match on the hostname instead of the program +name. +.Pp +See +.Xr syslog 3 +for further descriptions of both the +.Em facility +and +.Em level +keywords and their significance. +It's recommended that selections be made on +.Em facility +rather than +.Em program , +since the latter can easily vary in a networked environment. +In some cases, though, an appropriate +.Em facility +simply doesn't exist. +.Pp +If a received message matches the specified +.Em facility +and is of the specified +.Em level +.Pq Em or a higher level , +and the first word in the message after the date matches the +.Em program , +the action specified in the +.Em action +field will be taken. +In this context, +.Xr ascii 7 +letters, digits, hyphens +.Pq Sq - , +periods +.Pq Sq \&. , +and underscores +.Pq Sq _ +can be contained in a word; other bytes end the word. +.Pp +Multiple +.Em selectors +may be specified for a single +.Em action +by separating them with semicolon +.Pq Ql \&; +characters. +It is important to note, however, that each +.Em selector +can modify the ones preceding it. +.Pp +Multiple +.Em facilities +may be specified for a single +.Em level +by separating them with comma +.Pq Ql \&, +characters. +.Pp +An asterisk +.Pq Ql * +can be used to specify all +.Em facilities , +all +.Em levels +or all +.Em programs . +.Pp +The special +.Em facility +.Dq mark +receives a message at priority +.Dq info +every 20 minutes (see +.Xr syslogd 8 ) . +This is not enabled by a +.Em facility +field containing an asterisk. +.Pp +The special +.Em level +.Dq none +disables a particular +.Em facility . +.Pp +The +.Em action +field of each line specifies the action to be taken when the +.Em selector +field selects a message. +There are six forms: +.Bl -bullet +.It +A pathname (beginning with a leading slash). +Selected messages are appended to the file. +.It +A pipe to another program (beginning with a leading pipe symbol). +The given program is started and presented the selected messages +on its standard input. +If the program exits, +.Xr syslogd 8 +tries to restart it. +.It +A hostname (preceded by an at +.Pq Ql @ +sign). +Selected messages are forwarded to the +.Xr syslogd 8 +program on the named host. +A port number may be specified using the +.Ar host:port +syntax. +This is optional for UDP and TLS. +There is no well-known port for syslog over TCP, so in this case it +is mandatory to specify the port. +IPv6 addresses can be used by surrounding the address portion with +square brackets +.Po +.Ql [\& +and +.Ql ]\& +.Pc . +A prefix udp4:// or udp6:// in front of the hostname and after the +at sign will force IPv4 or IPv6 addresses for UDP transport. +The prefixes tcp[46]:// or tls[46]:// send messages over TCP or +TLS, respectively, with an optional IP version 4 or 6. +.It +A comma separated list of users. +Selected messages are written to those users +if they are logged in. +.It +An asterisk. +Selected messages are written to all logged-in users. +.It +A colon, followed by a memory buffer size +.Pq in kilobytes , +followed by another colon, followed by a buffer name. +Selected messages are written to an in-memory buffer that may be read using +.Xr syslogc 8 . +Memory buffered logging is useful to provide access to log data on devices +that lack local storage (e.g. diskless workstations or routers). +The largest allowed buffer size is 256kb. +.El +.Pp +Blank lines and lines whose first non-blank character is a hash +.Pq Ql # +character are ignored. +.Sh FILES +.Bl -tag -width /etc/syslog.conf -compact +.It Pa /etc/syslog.conf +The +.Xr syslogd 8 +configuration file. +.El +.Sh EXAMPLES +A configuration file might appear as follows: +.Bd -literal +# Log info (and higher) messages from spamd only to +# a dedicated file, discarding debug messages. +# Matching messages abort evaluation of further rules. +!!spamd +daemon.info /var/log/spamd +daemon.debug /dev/null +!* + +# Log all kernel messages, authentication messages of +# level notice or higher and anything of level err or +# higher to the console. +# Don't log private authentication messages! +*.err;kern.*;auth.notice;authpriv.none /dev/console + +# Log anything (except mail) of level info or higher. +# Don't log private authentication messages! +*.info;mail.none;authpriv.none /var/log/messages + +# The authpriv file has restricted access. +authpriv.* /var/log/secure + +# Log all the mail messages in one place. +mail.* /var/log/maillog + +# Everybody gets emergency messages, plus log them on another +# machine. +*.emerg * +*.emerg @arpa.berkeley.edu + +# Root and Eric get alert and higher messages. +*.alert root,eric + +# Log everything coming from host bastion to a separate file. +++bastion +*.* /var/log/bastion ++* + +# Save mail and news errors of level err and higher in a +# special file. +mail,news.err /var/log/spoolerr + +# Save ftpd transactions along with mail and news. +!ftpd +*.* /var/log/spoolerr + +# Keep a copy of all logging in a 32k memory buffer named "debug". +*.debug :32:debug + +# Store notices and authpriv messages in a 64k buffer named "important". +*.notice,authpriv.* :64:important + +# Feed everything to logsurfer. +*.* |/usr/local/sbin/logsurfer +.Ed +.Sh SEE ALSO +.Xr syslog 3 , +.Xr syslogc 8 , +.Xr syslogd 8 +.Sh HISTORY +The +.Nm +file appeared in +.Bx 4.3 , +along with +.Xr syslogd 8 . +.Pp +Historic versions of +.Xr syslogd 8 +did not support space-delimited fields. +.Sh BUGS +The effects of multiple selectors are sometimes not intuitive. +For example +.Dq mail.crit;*.err +will select +.Dq mail +facility messages at the level of +.Dq err +or higher, not at the level of +.Dq crit +or higher. diff --git a/static/openbsd/man5/table.5 b/static/openbsd/man5/table.5 new file mode 100644 index 00000000..3f4d4093 --- /dev/null +++ b/static/openbsd/man5/table.5 @@ -0,0 +1,267 @@ +.\" $OpenBSD: table.5,v 1.14 2024/05/02 18:14:33 op Exp $ +.\" +.\" Copyright (c) 2013 Eric Faurot <eric@openbsd.org> +.\" Copyright (c) 2013 Gilles Chehade <gilles@poolp.org> +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.\" +.Dd $Mdocdate: May 2 2024 $ +.Dt TABLE 5 +.Os +.Sh NAME +.Nm table +.Nd format description for smtpd tables +.Sh DESCRIPTION +This manual page documents the file format for the various tables used in the +.Xr smtpd 8 +mail daemon. +.Pp +The format described here applies to tables as defined in +.Xr smtpd.conf 5 . +.Sh TABLE TYPES +There are two types of tables: lists and mappings. +A list consists of a series of values, +while a mapping consists of a series of keys and their associated values. +The following illustrates how to declare them as static tables: +.Bd -literal -offset indent +table mylist { value1, value2, value3 } +table mymapping { key1 = value1, key2 = value2, key3 = value3 } +.Ed +.Pp +When using a +.Ql file +table, a list will be written with each value on a line by itself. +.Bd -literal -offset indent +value1 +value2 +value3 +.Ed +.Pp +A mapping will be written with each key and value on a line, +whitespace and an optional colon separating both columns: +.Bd -literal -offset indent +key1: value1 +key2 value2 +key3 value3 +.Ed +.Pp +Blank lines, leading and trailing spaces and tabs are ignored. +Lines whose first non-space character is a hash mark +.Pq Sq # +are comments and are ignored. +To force the parsing of a file table as a list rather than a mapping, use +this special comment: +.Pp +.Dl # @list +.Pp +A file table can be converted to a Berkeley database using the +.Xr makemap 8 +utility with no syntax change. +.Pp +Tables using a +.Ql file +or Berkeley DB backend will be referenced as follows: +.Bd -unfilled -offset indent +.Ic table Ar name Cm file : Ns Pa /path/to/file +.Ic table Ar name Cm db : Ns Pa /path/to/file.db +.Ed +.Ss Aliasing tables +Aliasing tables are mappings that associate a recipient to one or many +destinations. +They can be used in two contexts: primary domain aliases and virtual domain +mapping. +.Bd -unfilled -offset indent +.Ic action Ar name method Cm alias Pf < table Ns > +.Ic action Ar name method Cm virtual Pf < table Ns > +.Ed +.Pp +In a primary domain context, the key is the user part of the recipient address, +whilst the value is one or many recipients as described in +.Xr aliases 5 : +.Bd -literal -offset indent +user1 otheruser +user2 otheruser1,otheruser2 +user3 otheruser@example.com +.Ed +.Pp +In a virtual domain context, the key is either a user part, a full email +address or a catch-all, following selection rules described in +.Xr smtpd.conf 5 , +and the value is one or many recipients as described in +.Xr aliases 5 : +.Bd -literal -offset indent +user1 otheruser +user2@example.org otheruser1,otheruser2 +@example.org otheruser@example.com +@ catchall@example.com +.Ed +.Pp +The following directive shares the same table format, +but with a different meaning. +Here, the user is allowed to send mail from the listed addresses: +.Bd -unfilled -offset indent +.Ic listen on Ar interface Cm auth Oo Ar ... Oc Cm senders Pf < Ar table Ns > +.Ed +.Ss Domain tables +Domain tables are simple lists of domains or hosts. +.Bd -unfilled -offset indent +.Ic match Cm for domain Pf < table Ns > Cm action Ar name +.Ic match Cm helo Pf < table Ns > Oo Ar ... Oc Cm action Ar name +.Ed +.Pp +In that context, the list of domains will be matched against the recipient +domain or against the HELO name advertised by the sending host, +respectively. +For +.Ql static , +.Ql file +and +.Xr dbopen 3 +backends, a wildcard may be used so the domain table may contain: +.Bd -literal -offset indent +example.org +*.example.org +.Ed +.Ss Credentials tables +Credentials tables are mappings of credentials. +They can be used in two contexts: +.Bd -unfilled -offset indent +.Ic listen on Ar interface Cm tls Oo Ar ... Oc Cm auth Pf < Ar table Ns > +.Ic action Ar name Cm relay host Ar relay-url Cm auth Pf < Ar table Ns > +.Ed +.Pp +In a listener context, the credentials are a mapping of username and encrypted +passwords: +.Bd -literal -offset indent +user1 $2b$10$hIJ4QfMcp.90nJwKqGbKM.MybArjHOTpEtoTV.DgLYAiThuoYmTSe +user2 $2b$10$bwSmUOBGcZGamIfRuXGTvuTo3VLbPG9k5yeKNMBtULBhksV5KdGsK +.Ed +.Pp +The passwords are to be encrypted using the +.Xr smtpctl 8 +encrypt subcommand. +.Pp +In a relay context, the credentials are a mapping of labels and +username:password pairs: +.Bd -literal -offset indent +label1 user:password +.Ed +.Pp +The label must be unique and is used as a selector for the proper credentials +when multiple credentials are valid for a single destination. +The password is not encrypted as it must be provided to the remote host. +.Ss Netaddr tables +Netaddr tables are lists of IPv4 and IPv6 network addresses. +They can only be used in the following context: +.Pp +.D1 Ic match Cm from src Pf < Ar table Ns > Cm action Ar name +.Pp +When used as a "from source", the address of a client is compared to the list +of addresses in the table until a match is found. +.Pp +A netaddr table can contain exact addresses or netmasks, and looks as follow: +.Bd -literal -offset indent +192.168.1.1 +[::1] +192.168.1.0/24 +.Ed +.Pp +IPv6 addresses must be enclosed in square brackets. +.Ss Userinfo tables +Userinfo tables are used in rule context to specify an alternate userbase, +mapping virtual users to local system users by UID, GID and home directory. +.Pp +.D1 Ic action Ar name method Cm userbase Pf < Ar table Ns > +.Pp +A userinfo table looks as follows: +.Bd -literal -offset indent +joe 1000:100:/home/virtual/joe +jack 1000:100:/home/virtual/jack +.Ed +.Pp +In this example, both joe and jack are virtual users mapped to the local +system user with UID 1000 and GID 100, but different home directories. +These directories may contain a +.Xr forward 5 +file. +This can be used in conjunction with an alias table +that maps an email address or the domain part to the desired virtual +username. +For example: +.Bd -literal -offset indent +joe@example.org joe +jack@example.com jack +.Ed +.Ss Source tables +Source tables are lists of IPv4 and IPv6 addresses. +They can only be used in the following context: +.Pp +.D1 Ic action Ar name Cm relay src Pf < Ar table Ns > +.Pp +Successive queries to the source table will return the elements one by one. +.Pp +A source table looks as follow: +.Bd -literal -offset indent +192.168.1.2 +192.168.1.3 +[::1] +[::2] +.Ed +.Pp +IPv6 address must be enclosed in square brackets. +.Ss Mailaddr tables +Mailaddr tables are lists of email addresses. +They can be used in the following contexts: +.Bd -unfilled -offset indent +.Ic match Cm mail\-from Pf < Ar table Ns > Cm action Ar name +.Ic match Cm rcpt\-to Pf < Ar table Ns > Cm action Ar name +.Ed +.Pp +A mailaddr entry is used to match an email address against a username, +a domain or a full email address. +A "*" wildcard may be used in part of the domain name. +.Pp +A mailaddr table looks as follow: +.Bd -literal -offset indent +user +@domain +user@domain +user@*.domain +.Ed +.Ss Addrname tables +Addrname tables are used to map IP addresses to hostnames. +They can be used in both listen context and relay context: +.Bd -unfilled -offset indent +.Ic listen on Ar interface Cm hostnames Pf < Ar table Ns > +.Ic action Ar name Cm relay helo\-src Pf < Ar table Ns > +.Ed +.Pp +In listen context, the table is used to look up the server name to advertise +depending on the local address of the socket on which a connection is accepted. +In relay context, the table is used to determine the hostname for the HELO +sequence of the SMTP protocol, depending on the local address used for the +outgoing connection. +.Pp +The format is a mapping from inet4 or inet6 addresses to hostnames: +.Bd -literal -offset indent +[::1] localhost +127.0.0.1 localhost +88.190.23.165 www.opensmtpd.org +.Ed +.Pp +IPv6 addresses must be enclosed in square brackets. +.Sh SEE ALSO +.Xr smtpd.conf 5 , +.Xr makemap 8 , +.Xr smtpd 8 diff --git a/static/openbsd/man5/term.5 b/static/openbsd/man5/term.5 new file mode 100644 index 00000000..91a8a942 --- /dev/null +++ b/static/openbsd/man5/term.5 @@ -0,0 +1,411 @@ +.\"*************************************************************************** +.\" Copyright 2018-2021,2023 Thomas E. Dickey * +.\" Copyright 1998-2016,2017 Free Software Foundation, Inc. * +.\" * +.\" Permission is hereby granted, free of charge, to any person obtaining a * +.\" copy of this software and associated documentation files (the * +.\" "Software"), to deal in the Software without restriction, including * +.\" without limitation the rights to use, copy, modify, merge, publish, * +.\" distribute, distribute with modifications, sublicense, and/or sell * +.\" copies of the Software, and to permit persons to whom the Software is * +.\" furnished to do so, subject to the following conditions: * +.\" * +.\" The above copyright notice and this permission notice shall be included * +.\" in all copies or substantial portions of the Software. * +.\" * +.\" THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS * +.\" OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF * +.\" MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. * +.\" IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, * +.\" DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR * +.\" OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR * +.\" THE USE OR OTHER DEALINGS IN THE SOFTWARE. * +.\" * +.\" Except as contained in this notice, the name(s) of the above copyright * +.\" holders shall not be used in advertising or otherwise to promote the * +.\" sale, use or other dealings in this Software without prior written * +.\" authorization. * +.\"*************************************************************************** +.\" +.\" $Id: term.5,v 1.2 2023/10/17 09:52:08 nicm Exp $ +.TH term 5 2023-07-01 "ncurses 6.4" "File formats" +.ie \n(.g .ds `` \(lq +.el .ds `` `` +.ie \n(.g .ds '' \(rq +.el .ds '' '' +.de NS +.ie n .sp +.el .sp .5 +.ie n .in +4 +.el .in +2 +.nf +.ft CR \" Courier +.. +.de NE +.fi +.ft R +.ie n .in -4 +.el .in -2 +.. +.de bP +.ie n .IP \(bu 4 +.el .IP \(bu 2 +.. +.ds n 5 +.ds d /usr/share/terminfo +.SH NAME +term \- format of compiled term file. +.SH SYNOPSIS +.B term +.SH DESCRIPTION +.SS STORAGE LOCATION +Compiled terminfo descriptions are placed under the directory \fB\*d\fP. +Two configurations are supported (when building the \fBncurses\fP libraries): +.TP 5 +.B directory tree +A two-level scheme is used to avoid a linear search +of a huge \s-1UNIX\s+1 system directory: \fB\*d/c/name\fP where +.I name +is the name of the terminal, and +.I c +is the first character of +.IR name . +Thus, +.I act4 +can be found in the file \fB\*d/a/act4\fP. +Synonyms for the same terminal are implemented by multiple +links to the same compiled file. +.TP 5 +.B hashed database +Using Berkeley database, two types of records are stored: +the terminfo data in the same format as stored in a directory tree with +the terminfo's primary name as a key, +and records containing only aliases pointing to the primary name. +.IP +If built to write hashed databases, +\fBncurses\fP can still read terminfo databases organized as a directory tree, +but cannot write entries into the directory tree. +It can write (or rewrite) entries in the hashed database. +.IP +\fBncurses\fP distinguishes the two cases in the TERMINFO and TERMINFO_DIRS +environment variable by assuming a directory tree for entries that +correspond to an existing directory, +and hashed database otherwise. +.SS LEGACY STORAGE FORMAT +The format has been chosen so that it will be the same on all hardware. +An 8 or more bit byte is assumed, but no assumptions about byte ordering +or sign extension are made. +.PP +The compiled file is created with the \fBtic\fP program, +and read by the routine \fBsetupterm\fP(3). +The file is divided into six parts: +.RS 5 +.TP 3 +a) \fIheader\fP, +.TP 3 +b) \fIterminal names\fP, +.TP 3 +c) \fIboolean flags\fP, +.TP 3 +d) \fInumbers\fP, +.TP 3 +e) \fIstrings\fP, and +.TP 3 +f) \fIstring table\fP. +.RE +.PP +The \fIheader\fP section begins the file. +This section contains six short integers in the format +described below. +These integers are +.RS 5 +.TP 5 +(1) the \fImagic number\fP (octal 0432); +.TP 5 +(2) the size, in bytes, of the \fIterminal names\fP section; +.TP 5 +(3) the number of bytes in the \fIboolean flags\fP section; +.TP 5 +(4) the number of short integers in the \fInumbers\fP section; +.TP 5 +(5) the number of offsets (short integers) in the \fIstrings\fP section; +.TP 5 +(6) the size, in bytes, of the \fIstring table\fP. +.RE +.PP +The capabilities in the +\fIboolean flags\fP, +\fInumbers\fP, and +\fIstrings\fP +sections are in the same order as the file <term.h>. +.PP +Short integers are signed, in the range \-32768 to 32767. +They are stored as two 8-bit bytes. +The first byte contains the least significant 8 bits of the value, +and the second byte contains the most significant 8 bits. +(Thus, the value represented is 256*second+first.) +This format corresponds to the hardware of the \s-1VAX\s+1 +and \s-1PDP\s+1-11 (that is, little-endian machines). +Machines where this does not correspond to the hardware must read the +integers as two bytes and compute the little-endian value. +.PP +Numbers in a terminal description, +whether they are entries in the \fInumbers\fP or \fIstrings\fP table, +are positive integers. +Boolean flags are treated as positive one-byte integers. +In each case, those positive integers represent a terminal capability. +The terminal compiler tic uses negative integers to handle the cases where +a capability is not available: +.bP +If a capability is absent from this terminal, +tic stores a \-1 in the corresponding table. +.IP +The integer value \-1 is represented by two bytes 0377, 0377. +.br +Absent boolean values are represented by the byte 0 (false). +.bP +If a capability has been canceled from this terminal, +tic stores a \-2 in the corresponding table. +.IP +The integer value \-2 is represented by two bytes 0377, 0376. +.br +The boolean value \-2 is represented by the byte 0376. +.br +.bP +Other negative values are illegal. +.PP +The \fIterminal names\fP section comes after the \fIheader\fP. +It contains the first line of the terminfo description, +listing the various names for the terminal, +separated by the \*(``|\*('' character. +The \fIterminal names\fP section is terminated +with an \s-1ASCII NUL\s+1 character. +.PP +The \fIboolean flags\fP section has one byte for each flag. +Boolean capabilities are either 1 or 0 (true or false) +according to whether the terminal supports the given capability or not. +.PP +Between the \fIboolean flags\fP section and the \fInumber\fP section, +a null byte will be inserted, if necessary, +to ensure that the \fInumber\fP section begins on an even byte +This is a relic of the PDP\-11's word-addressed architecture, +originally designed to avoid traps induced +by addressing a word on an odd byte boundary. +All short integers are aligned on a short word boundary. +.PP +The \fInumbers\fP section is similar to the \fIboolean flags\fP section. +Each capability takes up two bytes, +and is stored as a little-endian short integer. +.PP +The \fIstrings\fP section is also similar. +Each capability is stored as a short integer. +The capability value is an index into the \fIstring table\fP. +.PP +The \fIstring table\fP is the last section. +It contains all of the values of string capabilities referenced in +the \fIstrings\fP section. +Each string is null-terminated. +Special characters in ^X or \ec notation are stored in their +interpreted form, not the printing representation. +Padding information $<nn> and parameter information %x are +stored intact in uninterpreted form. +.SS EXTENDED STORAGE FORMAT +The previous section describes the conventional terminfo binary format. +With some minor variations of the offsets (see PORTABILITY), +the same binary format is used in all modern UNIX systems. +Each system uses a predefined set of boolean, number or string capabilities. +.PP +The \fBncurses\fP libraries and applications support +extended terminfo binary format, +allowing users to define capabilities which are loaded at runtime. +This +extension is made possible by using the fact that the other implementations +stop reading the terminfo data when they have reached the end of the size given +in the header. +\fBncurses\fP checks the size, +and if it exceeds that due to the predefined data, +continues to parse according to its own scheme. +.PP +First, it reads the extended header (5 short integers): +.RS 5 +.TP 5 +(1) +count of extended boolean capabilities +.TP 5 +(2) +count of extended numeric capabilities +.TP 5 +(3) +count of extended string capabilities +.TP 5 +(4) +count of the items in extended string table +.TP 5 +(5) +size of the extended string table in bytes +.RE +.PP +The count- and size-values for the extended string table +include the extended capability \fInames\fP as well as +extended capability \fIvalues\fP. +.PP +Using the counts and sizes, \fBncurses\fP allocates arrays and reads data +for the extended capabilities in the same order as the header information. +.PP +The extended string table contains values for string capabilities. +After the end of these values, it contains the names for each of +the extended capabilities in order, e.g., booleans, then numbers and +finally strings. +.PP +Applications which manipulate terminal data can use the definitions +described in \fBterm_variables\fP(3) which associate the long capability +names with members of a \fBTERMTYPE\fP structure. +. +.SS EXTENDED NUMBER FORMAT +On occasion, 16-bit signed integers are not large enough. +With \fBncurses\fP 6.1, a new format was introduced by making a few changes +to the legacy format: +.bP +a different magic number (octal 01036) +.bP +changing the type for the \fInumber\fP array from signed 16-bit integers +to signed 32-bit integers. +.PP +To maintain compatibility, the library presents the same data structures +to direct users of the \fBTERMTYPE\fP structure as in previous formats. +However, that cannot provide callers with the extended numbers. +The library uses a similar but hidden data structure \fBTERMTYPE2\fP +to provide data for the terminfo functions. +.SH PORTABILITY +.SS setupterm +Note that it is possible for +.B setupterm +to expect a different set of capabilities +than are actually present in the file. +Either the database may have been updated since +.B setupterm +was recompiled +(resulting in extra unrecognized entries in the file) +or the program may have been recompiled more recently +than the database was updated +(resulting in missing entries). +The routine +.B setupterm +must be prepared for both possibilities \- +this is why the numbers and sizes are included. +Also, new capabilities must always be added at the end of the lists +of boolean, number, and string capabilities. +.SS Binary format +X/Open Curses does not specify a format for the terminfo database. +UNIX System V curses used a directory-tree of binary files, +one per terminal description. +.PP +Despite the consistent use of little-endian for numbers and the otherwise +self-describing format, it is not wise to count on portability of binary +terminfo entries between commercial UNIX versions. +The problem is that there +are at least three versions of terminfo (under HP\-UX, AIX, and OSF/1) which +diverged from System V terminfo after SVr1, and have added extension +capabilities to the string table that (in the binary format) collide with +System V and XSI Curses extensions. +See \fBterminfo\fP(\*n) for detailed +discussion of terminfo source compatibility issues. +.PP +This implementation is by default compatible with the binary +terminfo format used by Solaris curses, +except in a few less-used details +where it was found that the latter did not match X/Open Curses. +The format used by the other Unix versions +can be matched by building ncurses +with different configuration options. +.SS Magic codes +The magic number in a binary terminfo file is the first 16-bits (two bytes). +Besides making it more reliable for the library to check that a file +is terminfo, +utilities such as \fBfile\fP(1) also use that to tell what the file-format is. +System V defined more than one magic number, +with 0433, 0435 as screen-dumps (see \fBscr_dump\fP(5)). +This implementation uses 01036 as a continuation of that sequence, +but with a different high-order byte to avoid confusion. +.SS The TERMTYPE structure +Direct access to the \fBTERMTYPE\fP structure is provided for legacy +applications. +Portable applications should use the \fBtigetflag\fP and related functions +described in \fBterminfo\fP(3) for reading terminal capabilities. +.SS Mixed-case terminal names +A small number of terminal descriptions use uppercase characters in +their names. +If the underlying filesystem ignores the difference between +uppercase and lowercase, +\fBncurses\fP represents the \*(``first character\*('' +of the terminal name used as +the intermediate level of a directory tree in (two-character) hexadecimal form. +.SH EXAMPLE +As an example, here is a description for the Lear-Siegler +ADM\-3, a popular though rather stupid early terminal: +.NS +adm3a|lsi adm3a, + am, + cols#80, lines#24, + bel=^G, clear=\032$<1>, cr=^M, cub1=^H, cud1=^J, + cuf1=^L, cup=\\E=%p1%{32}%+%c%p2%{32}%+%c, cuu1=^K, + home=^^, ind=^J, +.NE +.PP +and a hexadecimal dump of the compiled terminal description: +.NS +.ft CW +\s-20000 1a 01 10 00 02 00 03 00 82 00 31 00 61 64 6d 33 ........ ..1.adm3 +0010 61 7c 6c 73 69 20 61 64 6d 33 61 00 00 01 50 00 a|lsi ad m3a...P. +0020 ff ff 18 00 ff ff 00 00 02 00 ff ff ff ff 04 00 ........ ........ +0030 ff ff ff ff ff ff ff ff 0a 00 25 00 27 00 ff ff ........ ..%.'... +0040 29 00 ff ff ff ff 2b 00 ff ff 2d 00 ff ff ff ff ).....+. ..-..... +0050 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ........ ........ +0060 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ........ ........ +0070 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ........ ........ +0080 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ........ ........ +0090 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ........ ........ +00a0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ........ ........ +00b0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ........ ........ +00c0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ........ ........ +00d0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ........ ........ +00e0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ........ ........ +00f0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ........ ........ +0100 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ........ ........ +0110 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ........ ........ +0120 ff ff ff ff ff ff 2f 00 07 00 0d 00 1a 24 3c 31 ....../. .....$<1 +0130 3e 00 1b 3d 25 70 31 25 7b 33 32 7d 25 2b 25 63 >..=%p1% {32}%+%c +0140 25 70 32 25 7b 33 32 7d 25 2b 25 63 00 0a 00 1e %p2%{32} %+%c.... +0150 00 08 00 0c 00 0b 00 0a 00 ........ .\s+2 +.ft R +.NE +.sp +.SH LIMITS +Some limitations: +.bP +total compiled entries cannot exceed 4096 bytes in the legacy format. +.bP +total compiled entries cannot exceed 32768 bytes in the extended format. +.bP +the name field cannot exceed 128 bytes. +.PP +Compiled entries are limited to 32768 bytes because offsets into the +\fIstrings table\fP use two-byte integers. +The legacy format could have supported 32768-byte entries, +but was limited a virtual memory page's 4096 bytes. +.SH FILES +\*d/*/* compiled terminal capability database +.SH SEE ALSO +\fBcurses\fP(3), \fBterminfo\fP(\*n). +.SH AUTHORS +Thomas E. Dickey +.br +extended terminfo format for ncurses 5.0 +.br +hashed database support for ncurses 5.6 +.br +extended number support for ncurses 6.1 +.sp +Eric S. Raymond +.br +documented legacy terminfo format, e.g., from \fIpcurses\fP. diff --git a/static/openbsd/man5/termcap.5 b/static/openbsd/man5/termcap.5 new file mode 100644 index 00000000..785bc15b --- /dev/null +++ b/static/openbsd/man5/termcap.5 @@ -0,0 +1,1835 @@ +.\" $OpenBSD: termcap.5,v 1.32 2024/01/23 22:28:20 millert Exp $ +.\" +.\" Copyright (c) 1985, 1991 The Regents of the University of California. +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. Neither the name of the University nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" from: @(#)termcap.5 6.11 (Berkeley) 3/6/93 +.\" +.Dd $Mdocdate: January 23 2024 $ +.Dt TERMCAP 5 +.Os +.Sh NAME +.Nm termcap +.Nd terminal capability database +.Sh DESCRIPTION +The +.Nm +file +is a database describing terminals, used, for example, by +.Xr vi 1 +and +.Xr curses 3 . +Terminals are described in +.Nm +by giving a set of capabilities that they have and by describing +how operations are performed. +Padding requirements and initialization sequences +are included in +.Nm . +.Pp +Entries in +.Nm +consist of a number of `:'-separated fields. +The first entry for each terminal gives the names that are known for the +terminal, separated by `|' characters. +The first name given is the most common abbreviation for the terminal. +The last name given should be a long name fully identifying the terminal, +and all others are understood as synonyms for the terminal name. +All names but the last should be in lower case and contain no blanks; +the last name may well contain upper case characters and blanks for +readability. +.Pp +Terminal names (except for the last, verbose entry) +should be chosen using the following conventions. +The particular piece of hardware making up the terminal +should have a root name chosen, thus +.Dq hp2621 +This name should not contain hyphens. +Modes that the hardware can be in +or user preferences +should be indicated by appending a hyphen and an indicator of the mode. +Therefore, a +.Dq vt100 +in 132-column mode would be +.Dq vt100-w . +.Pp +The following suffixes should be used where possible: +.Bl -column "Suffix" "With automatic margins (usually default)" "Example" +.It Sy Suffix Ta Sy Meaning Ta Sy Example +.It \-w Ta "Wide mode (more than 80 columns)." Ta vt100-w +.It \-am Ta "With automatic margins (usually default)." Ta vt100-am +.It \-nam Ta "Without automatic margins." Ta vt100-nam +.It Pf \- Ar n Ta "Number of lines on screen." Ta aaa-60 +.It \-na Ta "arrow keys (leave them in local)." Ta concept100-na +.It Pf \- Ar np Ta "Number of pages of memory." Ta concept100-4p +.It \-rv Ta "Reverse video." Ta concept100-rv +.El +.Sh CAPABILITIES +The characters in the +.Em Notes +function +field in the table have the following meanings +(more than one may apply to a capability): +.Bd -unfilled +N Indicates numeric parameter(s). +P Indicates that padding may be specified. +* Indicates that padding may be based on the number of lines affected. +o Indicates capability is obsolete. +.Ed +.Pp +.Dq Obsolete +capabilities have no +.Xr terminfo 5 +equivalents, since they were considered useless, +or are subsumed by other capabilities. +New software should not rely on them at all. +.Bl -column "i1-i3" "Type" "(NP*)" "Description" +.It Sy Name Ta Sy Type Ta Sy Notes Ta Sy Description +.It ae Ta str Ta (P) Ta "End alternate character set." +.It AL Ta str Ta (NP*) Ta "Add" +.Em n +new blank lines +.It al Ta str Ta (P*) Ta "Add new blank line." +.It am Ta bool Ta "" Ta "Terminal has automatic margins." +.It as Ta str Ta (P) Ta "Start alternate character set." +.It bc Ta str Ta (o) Ta "Backspace if not" +.Sy \&^H . +.It bl Ta str Ta (P) Ta "Audible signal (bell)." +.It bs Ta bool Ta (o) Ta "Terminal can backspace with" +.Sy \&^H . +.It bt Ta str Ta (P) Ta "Back tab." +.It bw Ta bool Ta "" Ta Sy \&le +(backspace) wraps from column 0 to last column. +.It CC Ta str Ta "" Ta "Terminal settable command character in prototype." +.It cd Ta str Ta (P*) Ta "Clear to end of display." +.It ce Ta str Ta (P) Ta "Clear to end of line." +.It ch Ta str Ta (NP) Ta "Set cursor column (horizontal position)." +.It cl Ta str Ta (P*) Ta "Clear screen and home cursor." +.It CM Ta str Ta (NP) Ta "Memory-relative cursor addressing." +.It cm Ta str Ta (NP) Ta "Screen-relative cursor motion." +.It co Ta num Ta "" Ta "Number of columns in a line (see" +.Sx BUGS +section below). +.It cr Ta str Ta (P) Ta "Carriage return." +.It cs Ta str Ta (NP) Ta "Change scrolling region (VT100)." +.It ct Ta str Ta (P) Ta "Clear all tab stops." +.It cv Ta str Ta (NP) Ta "Set cursor row (vertical position)." +.It da Ta bool Ta "" Ta "Display may be retained above the screen." +.It dB Ta num Ta (o) Ta "Milliseconds" +.Sy \&bs +delay needed (default 0). +.It db Ta bool Ta "" Ta "Display may be retained below the screen." +.It DC Ta str Ta (NP*) Ta "Delete" +.Em n +characters. +.It dC Ta num Ta (o) Ta "Milliseconds" +.Sy \&cr +delay needed (default 0). +.It dc Ta str Ta (P*) Ta "Delete character." +.It dF Ta num Ta (o) Ta "Milliseconds" +.Sy \&ff +delay needed (default 0). +.It DL Ta str Ta (NP*) Ta "Delete" +.Ar n +lines. +.It dl Ta str Ta (P*) Ta "Delete line." +.It dm Ta str Ta "" Ta "Enter delete mode." +.It dN Ta num Ta (o) Ta "Milliseconds" +.Sy \&nl +delay needed (default 0). +.It DO Ta str Ta (NP*) Ta "Move cursor down" +.Ar n +lines. +.It do Ta str Ta "" Ta "Down one line." +.It ds Ta str Ta "" Ta "Disable status line." +.It dT Ta num Ta (o) Ta "Milliseconds of horizontal tab delay needed (default 0)." +.It dV Ta num Ta (o) Ta "Milliseconds of vertical tab delay needed (default 0)." +.It ec Ta str Ta (NP) Ta "Erase" +.Ar n +characters. +.It ed Ta str Ta "" Ta "End delete mode." +.It ei Ta str Ta "" Ta "End insert mode." +.It eo Ta bool Ta "" Ta "Can erase overstrikes with a blank." +.It EP Ta bool Ta (o) Ta "Even parity." +.It es Ta bool Ta "" Ta "Escape can be used on the status line." +.It ff Ta str Ta (P*) Ta "Hardcopy terminal page eject." +.It fs Ta str Ta "" Ta "Return from status line." +.It gn Ta bool Ta "" Ta "Generic line type, for example dialup, switch)." +.It hc Ta bool Ta "" Ta "Hardcopy terminal." +.It HD Ta bool Ta (o) Ta "Half-duplex." +.It hd Ta str Ta "" Ta "Half-line down (forward 1/2 linefeed)." +.It ho Ta str Ta (P) Ta "Home cursor." +.It hs Ta bool Ta "" Ta "Has extra" +.Dq status line . +.It hu Ta str Ta "" Ta "Half-line up (reverse 1/2 linefeed)." +.It hz Ta bool Ta "" Ta "Cannot print ``~'' (Hazeltine)." +.It i1-i3 Ta str Ta "" Ta "Terminal initialization strings" +.Pq Xr terminfo 5 No only +.It IC Ta str Ta (NP*) Ta "Insert" +.Ar n +blank characters. +.It ic Ta str Ta (P*) Ta "Insert character." +.It if Ta str Ta "" Ta "Name of file containing initialization string." +.It im Ta str Ta "" Ta "Enter insert mode." +.It in Ta bool Ta "" Ta "Insert mode distinguishes nulls." +.It iP Ta str Ta "" Ta "Pathname of program for initialization" +.Pq Xr terminfo 5 No only +.It ip Ta str Ta (P*) Ta "Insert pad after character inserted." +.It is Ta str Ta "" Ta "Terminal initialization string" +.Pf ( Nm termcap +only). +.It it Ta num Ta "" Ta "Tabs initially every" +.Ar n +positions. +.It K1 Ta str Ta "" Ta "Sent by keypad upper left." +.It K2 Ta str Ta "" Ta "Sent by keypad center." +.It K3 Ta str Ta "" Ta "Sent by keypad upper right." +.It K4 Ta str Ta "" Ta "Sent by keypad lower left." +.It K5 Ta str Ta "" Ta "Sent by keypad lower right." +.It k0-k9 Ta str Ta "" Ta "Sent by function keys 0-9." +.It kA Ta str Ta "" Ta "Sent by insert-line key." +.It ka Ta str Ta "" Ta "Sent by clear-all-tabs key." +.It kb Ta str Ta "" Ta "Sent by backspace key." +.It kC Ta str Ta "" Ta "Sent by clear-screen or erase key." +.It kD Ta str Ta "" Ta "Sent by delete-character key." +.It kd Ta str Ta "" Ta "Sent by down-arrow key." +.It kE Ta str Ta "" Ta "Sent by clear-to-end-of-line key." +.It ke Ta str Ta "" Ta "Out of" +.Dq keypad transmit +mode. +.It kF Ta str Ta "" Ta "Sent by scroll-forward/down key." +.It kH Ta str Ta "" Ta "Sent by home-down key." +.It kh Ta str Ta "" Ta "Sent by home key." +.It kI Ta str Ta "" Ta "Sent by insert-character or enter-insert-mode key." +.It kL Ta str Ta "" Ta "Sent by delete-line key." +.It kl Ta str Ta "" Ta "Sent by left-arrow key." +.It kM Ta str Ta "" Ta "Sent by insert key while in insert mode." +.It km Ta bool Ta "" Ta "Has a" +.Dq meta +key (shift, sets parity bit). +.It kN Ta str Ta "" Ta "Sent by next-page key." +.It kn Ta num Ta (o) Ta "Number of function" +.Pq Sy \&k\&0 Ns \- Ns Sy \&k\&9 +keys (default 0). +.It ko Ta str Ta (o) Ta "Termcap entries for other non-function keys." +.It kP Ta str Ta "" Ta "Sent by previous-page key." +.It kR Ta str Ta "" Ta "Sent by scroll-backward/up key." +.It kr Ta str Ta "" Ta "Sent by right-arrow key." +.It kS Ta str Ta "" Ta "Sent by clear-to-end-of-screen key." +.It ks Ta str Ta "" Ta "Put terminal in" +.Dq keypad transmit +mode. +.It kT Ta str Ta "" Ta "Sent by set-tab key." +.It kt Ta str Ta "" Ta "Sent by clear-tab key." +.It ku Ta str Ta "" Ta "Sent by up-arrow key." +.It l0-l9 Ta str Ta "" Ta "Labels on function keys if not" +.Dq \&f Ns Em n . +.It LC Ta bool Ta (o) Ta "Lower-case only." +.It LE Ta str Ta (NP) Ta "Move cursor left" +.Ar n +positions. +.It le Ta str Ta (P) Ta "Move cursor left one position." +.It li Ta num Ta "" Ta "Number of lines on screen or page (see" +.Sx BUGS +section below). +.It ll Ta str Ta "" Ta "Last line, first column." +.It lm Ta num Ta "" Ta "Lines of memory if >" Sy \&li +(0 means varies). +.It ma Ta str Ta (o) Ta "Arrow key map (used by" +.Xr vi 1 +version 2 only). +.It mb Ta str Ta "" Ta "Turn on blinking attribute." +.It md Ta str Ta "" Ta "Turn on bold (extra bright) attribute." +.It me Ta str Ta "" Ta "Turn off all attributes." +.It mh Ta str Ta "" Ta "Turn on half-bright attribute." +.It mi Ta bool Ta "" Ta "Safe to move while in insert mode." +.It mk Ta str Ta "" Ta "Turn on blank attribute (characters invisible)." +.It ml Ta str Ta (o) Ta "Memory lock on above cursor." +.It mm Ta str Ta "" Ta "Turn on" +.Dq meta mode +(8th bit). +.It mo Ta str Ta "" Ta "Turn off" +.Dq meta mode . +.It mp Ta str Ta "" Ta "Turn on protected attribute." +.It mr Ta str Ta "" Ta "Turn on reverse-video attribute." +.It ms Ta bool Ta "" Ta "Safe to move in standout modes." +.It mu Ta str Ta (o) Ta "Memory unlock (turn off memory lock)." +.It nc Ta bool Ta (o) Ta "No correctly-working" +.Sy \&cr +(Datamedia 2500, Hazeltine 2000). +.It nd Ta str Ta "" Ta "Non-destructive space (cursor right)." +.It NL Ta bool Ta (o)" Ta Sy \&\en No "is newline, not line feed." +.It nl Ta str Ta (o) Ta "Newline character if not" Sy \en . +.It ns Ta bool Ta (o) Ta "Terminal doesn't scroll." +.It nw Ta str Ta (P) Ta "Newline (behaves like" +.Sy \&cr +followed by +.Sy \&do ) . +.It OP Ta bool Ta (o) Ta "Odd parity." +.It os Ta bool Ta "" Ta "Terminal overstrikes." +.It pb Ta num Ta "" Ta "Lowest baud where delays are required." +.It pc Ta str Ta "" Ta "Pad character (default NUL)." +.It pf Ta str Ta "" Ta "Turn off the printer." +.It pk Ta str Ta "" Ta "Program function key" +.Em n +to type string +.Em s +.Pq Xr terminfo 5 No only +.It pl Ta str Ta "" Ta "Program function key" +.Em n +to execute string +.Em s +.Pq Xr terminfo 5 No only +.It pO Ta str Ta (N) Ta "Turn on the printer for" +.Em n +bytes. +.It po Ta str Ta "" Ta "Turn on the printer." +.It ps Ta str Ta "" Ta "Print contents of the screen." +.It pt Ta bool Ta (o) Ta "Has hardware tabs (may need to be set with" +.Sy \&is ) . +.It px Ta str Ta "" Ta "Program function key" +.Em n +to transmit string +.Em s +.Pq Xr terminfo 5 No only +.It r1-r3 Ta str Ta "" Ta "Reset terminal completely to sane modes" +.Pq Xr terminfo 5 No only +.It rc Ta str Ta (P) Ta "Restore cursor to position of last" +.Sy \&sc . +.It rf Ta str Ta "" Ta "Name of file containing reset codes." +.It RI Ta str Ta (NP) Ta "Move cursor right" +.Em n +positions. +.It rp Ta str Ta (NP*) Ta "Repeat character" +.Em c n +times. +.It rs Ta str Ta "" Ta "Reset terminal completely to sane modes" +.Pf ( Nm termcap +only). +.It sa Ta str Ta (NP) Ta "Define the video attributes." +.It sc Ta str Ta (P) Ta "Save cursor position." +.It se Ta str Ta "" Ta "End standout mode." +.It SF Ta str Ta (NP*) Ta "Scroll forward" +.Em n +lines. +.It sf Ta str Ta (P) Ta "Scroll text up." +.It sg Ta num Ta "" Ta "Number of garbage chars left by" +.Sy \&so +or +.Sy \&se +(default 0). +.It so Ta str Ta "" Ta "Begin standout mode." +.It SR Ta str Ta (NP*) Ta "Scroll backward" +.Em n +lines. +.It sr Ta str Ta (P) Ta "Scroll text down." +.It st Ta str Ta "" Ta "Set a tab in all rows, current column." +.It ta Ta str Ta (P) Ta "Tab to next 8-position hardware tab stop." +.It tc Ta str Ta "" Ta "Entry of similar terminal; must be last." +.It te Ta str Ta "" Ta "String to end programs that use" +.Nm . +.It ti Ta str Ta "" Ta "String to begin programs that use" +.Nm . +.It ts Ta str Ta (N) Ta "Go to status line, column" +.Em n . +.It UC Ta bool Ta (o) Ta "Upper-case only." +.It uc Ta str Ta "" Ta "Underscore one character and move past it." +.It ue Ta str Ta "" Ta "End underscore mode." +.It ug Ta num Ta "" Ta "Number of garbage chars left by" +.Sy \&us +or +.Sy \&ue +(default 0). +.It ul Ta bool Ta "" Ta "Underline character overstrikes." +.It UP Ta str Ta (NP*) Ta "Move cursor up" +.Em n +lines. +.It up Ta str Ta "" Ta "Upline (cursor up)." +.It us Ta str Ta "" Ta "Start underscore mode." +.It vb Ta str Ta "" Ta "Visible bell (must not move cursor)." +.It ve Ta str Ta "" Ta "Make cursor appear normal (undo" +.Sy \&vs Ns / Ns Sy \&vi ) . +.It vi Ta str Ta "" Ta "Make cursor invisible." +.It vs Ta str Ta "" Ta "Make cursor very visible." +.It vt Ta num Ta "" Ta "Virtual terminal number (not supported on all systems)." +.It wi Ta str Ta (N) Ta "Set current window." +.It ws Ta num Ta "" Ta "Number of columns in status line." +.It xb Ta bool Ta "" Ta "Beehive" +.Pf ( "f1=" Dv ESC , +.Pf "f2=" Sy \&^C ) . +.It xn Ta bool Ta "" Ta "Newline ignored after 80 columns (Concept)." +.It xo Ta bool Ta "" Ta "Terminal uses xoff/xon" +.Pq Dv DC3 Ns / Ns Dv DC1 +handshaking. +.It xr Ta bool Ta (o) Ta "Return acts like" +.Sy "ce cr nl" +(Delta Data). +.It xs Ta bool Ta "" Ta "Standout not erased by overwriting (Hewlett-Packard)." +.It xt Ta bool Ta "" Ta "Tabs ruin, magic" +.Sy \&so +char (Teleray 1061). +.It xx Ta bool Ta (o) Ta "Tektronix 4025 insert-line." +.El +.Ss A Sample Entry +The following entry, which describes the Concept\-100, is among the more +complex entries in the +.Nm +file as of this writing. +.Bd -literal +ca\||\|concept100\||\|c100\||\|concept\||\|c104\||\|concept100-4p\||\|HDS Concept\-100:\e + :al=3*\eE^R:am:bl=^G:cd=16*\eE^C:ce=16\eE^U:cl=2*^L:cm=\eEa%+ %+ :\e + :co#80:.cr=9^M:db:dc=16\eE^A:dl=3*\eE^B:do=^J:ei=\eE\e200:eo:im=\eE^P:in:\e + :ip=16*:is=\eEU\eEf\eE7\eE5\eE8\eEl\eENH\eEK\eE\e200\eEo&\e200\eEo\e47\eE:k1=\eE5:\e + :k2=\eE6:k3=\eE7:kb=^h:kd=\eE<:ke=\eEx:kh=\eE?:kl=\eE>:kr=\eE=:ks=\eEX:\e + :ku=\eE;:le=^H:li#24:mb=\eEC:me=\eEN\e200:mh=\eEE:mi:mk=\eEH:mp=\eEI:\e + :mr=\eED:nd=\eE=:pb#9600:rp=0.2*\eEr%.%+ :se=\eEd\eEe:sf=^J:so=\eEE\eED:\e + :.ta=8\et:te=\eEv \e200\e200\e200\e200\e200\e200\eEp\er\en:\e + :ti=\eEU\eEv 8p\eEp\er:ue=\eEg:ul:up=\eE;:us=\eEG:\e + :vb=\eEk\e200\e200\e200\e200\e200\e200\e200\e200\e200\e200\e200\e200\e200\e200\eEK:\e + :ve=\eEw:vs=\eEW:vt#8:xn:\e + :bs:cr=^M:dC#9:dT#8:nl=^J:ta=^I:pt: +.Ed +.Pp +Entries may continue onto multiple lines by giving a +.Ql \e +as the last character of a line, and empty fields +may be included for readability (here between the last field on a line +and the first field on the next). +Comments may be included on lines beginning with +.Ql # . +.Ss Types of Capabilities +Capabilities in +.Nm +are of three types: Boolean capabilities, +which indicate particular features that the terminal has; +numeric capabilities, +giving the size of the display or the size of other attributes; +and string capabilities, +which give character sequences that can be used to perform particular +terminal operations. +All capabilities have two-letter codes. +For instance, the fact that +the Concept has +.Em automatic margins +(an automatic return and linefeed +when the end of a line is reached) is indicated by the Boolean capability +.Sy \&am . +Hence the description of the Concept includes +.Sy \&am . +.Pp +Boolean capabilities are defined by their name, +.Sy \&fo . +They have no argument. +The presence of a boolean capability name sets its value to +.Sy \&true . +A capability value will be reverted to +.Sy \&false , +by appending a +.Sy \&@ +char after the name, such as +.Sy \&fo@ . +.Pp +Numeric capabilities are followed by the character `#' then the value. +In the example above +.Sy \&co , +which indicates the number of columns the display has, +gives the value `80' for the Concept. +.Pp +Finally, string-valued capabilities, such as +.Sy \&ce +(clear-to-end-of-line +sequence) are given by the two-letter code, an `=', then a string +ending at the next following `:'. +A delay in milliseconds may appear after +the `=' in such a capability, +which causes padding characters to be supplied by +.Xr tputs 3 +after the remainder of the string is sent to provide this delay. +The delay can be either a number, +such as `20', or a number followed by +an `*', +such as `3*'. +An `*' indicates that the padding required is proportional +to the number of lines affected by the operation, and the amount given is +the per-affected-line padding required. +(In the case of insert-character, +the factor is still the number of +.Em lines +affected; +this is always 1 unless the terminal has +.Sy \&in +and the software uses it.) +When an `*' is specified, it is sometimes useful to give a delay of the form +`3.5' to specify a delay per line to tenths of milliseconds. +(Only one decimal place is allowed.) +.Pp +A number of escape sequences are provided in the string-valued capabilities +for easy encoding of control characters there. +.Sy \&\eE +maps to an +.Dv ESC +character, +.Sy \&^X +maps to a control-X for any appropriate X, +and the sequences +.Sy \&\en +.Sy \&\er +.Sy \&\et +.Sy \&\eb +.Sy \&\ef +map to linefeed, return, tab, backspace, and formfeed, respectively. +Finally, characters may be given as three octal digits after a +.Sy \&\e , +and the characters +.Sy \&^ +and +.Sy \&\e +may be given as +.Sy \&\e^ +and +.Sy \&\e\e . +If it is necessary to place a +.Sy \&: +in a capability, it must be escaped in octal as +.Sy \&\e072 . +If it is necessary to place a +.Dv NUL +character in a string capability, it must be encoded as +.Sy \&\e200 . +(The routines that deal with +.Nm +use C strings and strip the high bits of the output very late, so that a +.Sy \&\e200 +comes out as a +.Sy \&\e000 +would.) +.Pp +Sometimes individual capabilities must be commented out. +To do this, put a period before the capability name. +For example, see the first +.Sy \&cr +and +.Sy \&ta +in the example above. +.Ss Preparing Descriptions +The most effective way to prepare a terminal description is by imitating +the description of a similar terminal in +.Nm +and to build up a description gradually, using partial descriptions +with +.Xr vi 1 +to check that they are correct. +Be aware that a very unusual terminal may expose deficiencies in +the ability of the +.Nm +file to describe it +or bugs in +.Xr vi 1 . +To easily test a new terminal description you are working on +you can put it in your home directory in a file called +.Pa .termcap +and programs will look there before looking in +.Pa /usr/share/misc/termcap . +You can also set the environment variable +.Ev TERMPATH +to a list of absolute file pathnames (separated by spaces or colons), +one of which contains the description you are working on, +and programs will search them in the order listed, and nowhere else. +See +.Xr termcap 3 . +The +.Ev TERMCAP +environment variable is usually set to the +.Nm +entry itself +to avoid reading files when starting up a program. +.Pp +To get the padding for insert-line right +(if the terminal manufacturer did not document it), +a severe test is to use +.Xr vi 1 +to edit +.Pa /etc/passwd +at 9600 baud, delete roughly 16 lines from the middle of the screen, +then hit the `u' key several times quickly. +If the display messes up, more padding is usually needed. +A similar test can be used for insert-character. +.Ss Basic Capabilities +The number of columns on each line of the display is given by the +.Sy \&co +numeric capability. +If the display is a terminal, +then the +number of lines on the screen is given by the +.Sy \&li +capability. +If the display wraps around to the beginning of the next line when +the cursor reaches the right margin, then it should have the +.Sy \&am +capability. +If the terminal can clear its screen, +the code to do this is given by the +.Sy \&cl +string capability. +If the terminal overstrikes +(rather than clearing the position when a character is overwritten), +it should have the +.Sy \&os +capability. +If the terminal is a printing terminal, +with no soft copy unit, +give it both +.Sy \&hc +and +.Sy \&os . +.Pf ( Sy \&os +applies to storage scope terminals, +such as the Tektronix 4010 series, +as well as to hard copy and +.Tn APL +terminals.) +If there is a code to move the cursor to the left edge of the current row, +give this as +.Sy \&cr . +(Normally this will be carriage-return, +.Sy \&^M . ) +If there is a code to produce an audible signal (bell, beep, etc.), +give this as +.Sy \&bl . +.Pp +If there is a code (such as backspace) +to move the cursor one position to the left, +that capability should be given as +.Sy \&le . +Similarly, +codes to move to the right, up, and down +should be given as +.Sy \&nd , +.Sy \&up , +and +.Sy \&do , +respectively. +These +.Em local cursor motions +should not alter the text they pass over; +for example, you would not normally use +.Dq nd=\ \& +unless the terminal has the +.Sy \&os +capability, +because the space would erase the character moved over. +.Pp +A very important point here is that the local cursor motions encoded +in +.Nm +have undefined behavior at the left and top edges of a terminal. +Programs should never attempt to backspace around the left edge, +unless +.Sy \&bw +is given, and never attempt to go up off the top +using local cursor motions. +.Pp +In order to scroll text up, +a program goes to the bottom left corner of the screen and sends the +.Sy \&sf +(index) string. +To scroll text down, +a program goes to the top left corner of the screen and sends the +.Sy \&sr +(reverse index) string. +The strings +.Sy \&sf +and +.Sy \&sr +have undefined behavior +when not on their respective corners of the screen. +Parameterized versions of the scrolling sequences are +.Sy \&SF +and +.Sy \&SR , +which have the same semantics as +.Sy \&sf +and +.Sy \&sr +except that they take one parameter +and scroll that many lines. +They also have undefined behavior +except at the appropriate corner of the screen. +.Pp +The +.Sy \&am +capability tells whether the cursor sticks at the right +edge of the screen when text is output there, +but this does not necessarily apply to +.Sy \&nd +from the last column. +Leftward local motion is defined from the left edge only when +.Sy \&bw +is given; then an +.Sy \&le +from the left edge will move to the right edge of the previous row. +This is useful for drawing a box around the edge of the screen, +for example. +If the terminal has switch-selectable automatic margins, +the +.Nm +description usually assumes that this feature is on, i.e.\& +.Sy \&am . +If the terminal has a command +that moves to the first column of the next line, +that command can be given as +.Sy \&nw +(newline). +It is permissible for this to clear the remainder of the current line, +so if the terminal has no correctly working +.Tn \&CR +and +.Tn \&LF +it may still be possible to craft a working +.Sy \&nw +out of one or both of them. +.Pp +These capabilities suffice to describe hardcopy and +.Dq glass-tty +terminals. +Thus the Teletype model 33 is described as +.Bd -literal -offset indent +T3\||\|tty33\||\|33\||\|tty\||\|Teletype model 33:\e + :bl=^G:co#72:cr=^M:do=^J:hc:os: +.Ed +.Pp +and the Lear Siegler +.Tn ADM Ns \-3 +is described as +.Bd -literal -offset indent +l3\||\|adm3\||\|3\||\|LSI ADM-3:\e +:am:bl=^G:cl=^Z:co#80:cr=^M:do=^J:le=^H:li#24:sf=^J: +.Ed +.Ss Parameterized Strings +Cursor addressing and other strings requiring parameters +are described by a +parameterized string capability, with +.Xr printf 3 Ns \-like +escapes +.Sy \&%x +in it, +while other characters are passed through unchanged. +For example, to address the cursor the +.Sy \&cm +capability is given, using two parameters: the row and column to move to. +(Rows and columns are numbered from zero and refer to the physical screen +visible to the user, not to any unseen memory. +If the terminal has memory-relative cursor addressing, +that can be indicated by an analogous +.Sy \&CM +capability.) +.Pp +The +.Sy \&% +encodings have the following meanings: +.Pp +.Bl -tag -width "%>xy" -compact +.It %% +output `%' +.It %d +output value as in +.Xr printf 3 +%d +.It %2 +output value as in +.Xr printf 3 +%2d +.It %3 +output value as in +.Xr printf 3 +%3d +.It %. +output value as in +.Xr printf 3 +%c +.It %+ Ns Em x +add +.Em x +to value, then do %. +.It %> Ns Em \&xy +if +value > +.Em x +then add +.Em y , +no output +.It %r +reverse order of two parameters, no output +.It %i +increment by one, no output +.It %n +exclusive-or all parameters with 0140 (Datamedia 2500) +.It \&%B +BCD (16*(value/10)) + (value%10), no output +.It \&%D +Reverse coding (value \- 2*(value%16)), no output (Delta Data) +.El +.Pp +Consider the Hewlett-Packard 2645, which, to get to row 3 and column 12, needs +to be sent +.Dq \eE&a12c03Y +padded for 6 milliseconds. +Note that the order +of the row and column coordinates is reversed here +and that the row and column +are sent as two-digit integers. +Thus its +.Sy \&cm +capability is +.Dq Li cm=6\eE&a%r%2c%2Y . +.Pp +The Datamedia 2500 needs the current row and column sent +encoded in binary using +.Dq \&%. . +Terminals that use +.Dq \&%. +need to be able to +backspace the cursor +.Pq Sy \&le +and to move the cursor up one line on the screen +.Pq Sy \&up . +This is necessary because it is not always safe to transmit +.Sy \&\en , +.Sy \&^D , +and +.Sy \&\er , +as the system may change or discard them. +(Programs using +.Nm +must set terminal modes so that tabs are not expanded, so +.Sy \&\et +is safe to send. +This turns out to be essential for the Ann Arbor 4080.) +.Pp +A final example is the Lear Siegler +.Tn ADM Ns \-3a , +which offsets row and column +by a blank character, thus +.Dq Li cm=\eE=%+ %+\ \& . +.Pp +Row or column absolute cursor addressing +can be given as single parameter capabilities +.Sy \&ch +(horizontal position absolute) and +.Sy \&cv +(vertical position absolute). +Sometimes these are shorter than the more general two-parameter sequence +(as with the Hewlett-Packard 2645) and can be used in preference to +.Sy \&cm . +If there are parameterized local motions +(e.g., move +.Ar n +positions to the right) +these can be given as +.Sy \&DO , +.Sy \&LE , +.Sy \&RI , +and +.Sy \&UP +with a single parameter indicating how many positions to move. +These are primarily useful if the terminal does not have +.Sy \&cm , +such as the Tektronix 4025. +.Ss Cursor Motions +If the terminal has a fast way to home the cursor +(to the very upper left corner of the screen), this can be given as +.Sy \&ho . +Similarly, a fast way of getting to the lower left-hand corner +can be given as +.Sy \&ll ; +this may involve going up with +.Sy \&up +from the home position, +but a program should never do this itself (unless +.Sy \&ll +does), because it can +make no assumption about the effect of moving up from the home position. +Note that the home position is the same as +cursor address (0,0): to the top left corner of the screen, not of memory. +(Therefore, the +.Dq \eEH +sequence on Hewlett-Packard terminals +cannot be used for +.Sy \&ho . ) +.Ss Area Clears +If the terminal can clear from the current position to the end of the +line, leaving the cursor where it is, this should be given as +.Sy \&ce . +If the terminal can clear from the current position to the end of the +display, this should be given as +.Sy \&cd . +.Sy \&cd +must only be invoked from the first column of a line. +(Therefore, +it can be simulated by a request to delete a large number of lines, +if a true +.Sy \&cd +is not available.) +.Ss Insert/Delete Line +If the terminal can open a new blank line +before the line containing the cursor, +this should be given as +.Sy \&al ; +this must be invoked only from the first +position of a line. +The cursor must then appear at the left of the newly blank line. +If the terminal can delete the line that the cursor is on, this +should be given as +.Sy \&dl ; +this must only be used from the first position on +the line to be deleted. +Versions of +.Sy \&al +and +.Sy \&dl +which take a single parameter +and insert or delete that many lines +can be given as +.Sy \&AL +and +.Sy \&DL . +If the terminal has a settable scrolling region +(like the VT100), +the command to set this can be described with the +.Sy \&cs +capability, +which takes two parameters: the top and bottom lines of the scrolling region. +The cursor position is, alas, undefined after using this command. +It is possible to get the effect of insert or delete line +using this command \(em the +.Sy \&sc +and +.Sy \&rc +(save and restore cursor) commands are also useful. +Inserting lines at the top or bottom of the screen can also be done using +.Sy \&sr +or +.Sy \&sf +on many terminals without a true insert/delete line, +and is often faster even on terminals with those features. +.Pp +If the terminal has the ability to define a window as part of memory +which all commands affect, it should be given as the parameterized string +.Sy \&wi . +The four parameters are the starting and ending lines in memory +and the starting and ending columns in memory, in that order. +(This +.Xr terminfo 5 +capability is described for completeness. +It is unlikely that any +.Nm Ns -using +program will support it.) +.Pp +If the terminal can retain display memory above the screen, then the +.Sy \&da +capability should be given; +if display memory can be retained +below, then +.Sy \&db +should be given. +These indicate +that deleting a line or scrolling may bring non-blank lines up from below +or that scrolling back with +.Sy \&sr +may bring down non-blank lines. +.Ss Insert/Delete Character +There are two basic kinds of intelligent terminals with respect to +insert/delete character that can be described using +.Nm . +The most common insert/delete character operations affect only the characters +on the current line and shift characters off the end of the line rigidly. +Other terminals, such as the Concept\-100 and the Perkin Elmer Owl, make +a distinction between typed and untyped blanks on the screen, shifting +upon an insert or delete only to an untyped blank on the screen which is +either eliminated or expanded to two untyped blanks. +You can determine +the kind of terminal you have by clearing the screen then typing +text separated by cursor motions. +Type +.Dq Li abc\ \ \ \ def +using local +cursor motions (not spaces) between the +.Dq abc +and the +.Dq def . +Then position the cursor before the +.Dq abc +and put the terminal in insert +mode. +If typing characters causes the rest of the line to shift +rigidly and characters to fall off the end, then your terminal does +not distinguish between blanks and untyped positions. +If the +.Dq abc +shifts over to the +.Dq def +which then move together around the end of the +current line and onto the next as you insert, then you have the second type of +terminal and should give the capability +.Sy \&in , +which stands for +.Dq insert null . +While these are two logically separate attributes +(one line +.Em \&vs . +multi-line insert mode, +and special treatment of untyped spaces), +we have seen no terminals whose insert +mode cannot be described with the single attribute. +.Pp +.Nm +can describe both terminals that have an insert mode and terminals +that send a simple sequence to open a blank position on the current line. +Give as +.Sy \&im +the sequence to get into insert mode. +Give as +.Sy \&ei +the sequence to leave insert mode. +Now give as +.Sy \&ic +any sequence that needs to be sent just before +each character to be inserted. +Most terminals with a true insert mode +will not give +.Sy \&ic ; +terminals that use a sequence to open a screen +position should give it here. +(If your terminal has both, +insert mode is usually preferable to +.Sy \&ic . +Do not give both unless the terminal actually requires both to be used +in combination.) +If post-insert padding is needed, give this as a number of milliseconds +in +.Sy \&ip +(a string option). +Any other sequence that may need to be +sent after insertion of a single character can also be given in +.Sy \&ip . +If your terminal needs to be placed into an `insert mode' +and needs a special code preceding each inserted character, +then both +.Sy \&im Ns / Sy \&ei +and +.Sy \&ic +can be given, and both will be used. +The +.Sy \&IC +capability, with one parameter +.Em n , +will repeat the effects of +.Sy \&ic +.Em n +times. +.Pp +It is occasionally necessary to move around while in insert mode +to delete characters on the same line +(e.g., if there is a tab after the insertion position). +If your terminal allows motion while in +insert mode, you can give the capability +.Sy \&mi +to speed up inserting +in this case. +Omitting +.Sy \&mi +will affect only speed. +Some terminals +(notably Datamedia's) must not have +.Sy \&mi +because of the way their +insert mode works. +.Pp +Finally, you can specify +.Sy \&dc +to delete a single character, +.Sy \&DC +with one parameter +.Em n +to delete +.Em n +characters, +and delete mode by giving +.Sy \&dm +and +.Sy \&ed +to enter and exit delete mode +(which is any mode the terminal needs to be placed in for +.Sy \&dc +to work). +.Ss Highlighting, Underlining, and Visible Bells +If your terminal has one or more kinds of display attributes, +these can be represented in a number of different ways. +You should choose one display form as +.Em standout mode , +representing a good high-contrast, easy-on-the-eyes format +for highlighting error messages and other attention getters. +(If you have a choice, reverse video plus half-bright is good, +or reverse video alone.) +The sequences to enter and exit standout mode +are given as +.Sy \&so +and +.Sy \&se , +respectively. +If the code to change into or out of standout +mode leaves one or even two blank spaces or garbage characters on the screen, +as the +.Tn TVI +912 and Teleray 1061 do, +then +.Sy \&sg +should be given to tell how many characters are left. +.Pp +Codes to begin underlining and end underlining can be given as +.Sy \&us +and +.Sy \&ue , +respectively. +Underline mode change garbage is specified by +.Sy \&ug , +similar to +.Sy \&sg . +If the terminal has a code to underline the current character and move +the cursor one position to the right, +such as the Microterm Mime, +this can be given as +.Sy \&uc . +.Pp +Other capabilities to enter various highlighting modes include +.Sy \&mb +(blinking), +.Sy \&md +(bold or extra bright), +.Sy \&mh +(dim or half-bright), +.Sy \&mk +(blanking or invisible text), +.Sy \&mp +(protected), +.Sy \&mr +(reverse video), +.Sy \&me +(turn off +.Em all +attribute modes), +.Sy \&as +(enter alternate character set mode), and +.Sy \&ae +(exit alternate character set mode). +Turning on any of these modes singly may or may not turn off other modes. +.Pp +If there is a sequence to set arbitrary combinations of mode, +this should be given as +.Sy \&sa +(set attributes), taking 9 parameters. +Each parameter is either 0 or 1, +as the corresponding attributes is on or off. +The 9 parameters are, in order: standout, underline, reverse, blink, +dim, bold, blank, protect, and alternate character set. +Not all modes need be supported by +.Sy \&sa , +only those for which corresponding attribute commands exist. +(It is unlikely that a +.Nm Ns -using +program will support this capability, which is defined for compatibility +with +.Xr terminfo 5 . ) +.Pp +Terminals with the +.Dq magic cookie +glitches +.Pf ( Sy \&sg +and +.Sy \&ug ) , +rather than maintaining extra attribute bits for each character cell, +instead deposit special +.Dq cookies , +or +.Dq garbage characters , +when they receive mode-setting sequences, +which affect the display algorithm. +.Pp +Some terminals, +such as the Hewlett-Packard 2621, +automatically leave standout +mode when they move to a new line or when the cursor is addressed. +Programs using standout mode +should exit standout mode on such terminals +before moving the cursor or sending a newline. +On terminals where this is not a problem, +the +.Sy \&ms +capability should be present +to say that this overhead is unnecessary. +.Pp +If the terminal has +a way of flashing the screen to indicate an error quietly +(a bell replacement), +this can be given as +.Sy \&vb ; +it must not move the cursor. +.Pp +If the cursor needs to be made more visible than normal +when it is not on the bottom line +(to change, for example, a non-blinking underline into an easier-to-find +block or blinking underline), +give this sequence as +.Sy \&vs . +If there is a way to make the cursor completely invisible, give that as +.Sy \&vi . +The capability +.Sy \&ve , +which undoes the effects of both of these modes, +should also be given. +.Pp +If your terminal correctly displays underlined characters +(with no special codes needed) +even though it does not overstrike, +then you should give the capability +.Sy \&ul . +If overstrikes are erasable with a blank, +this should be indicated by giving +.Sy \&eo . +.Ss Keypad +If the terminal has a keypad that transmits codes when the keys are pressed, +this information can be given. +Note that it is not possible to handle +terminals where the keypad only works in local mode +(this applies, for example, to the unshifted Hewlett-Packard 2621 keys). +If the keypad can be set to transmit or not transmit, +give these codes as +.Sy \&ks +and +.Sy \&ke . +Otherwise the keypad is assumed to always transmit. +The codes sent by the left-arrow, right-arrow, up-arrow, down-arrow, +and home keys can be given as +.Sy \&kl , +.Sy \&kr , +.Sy \&ku , +.Sy \&kd , +and +.Sy \&kh , +respectively. +If there are function keys such as f0, f1, ..., f9, the codes they send +can be given as +.Sy \&k0 , +.Sy \&k1 , +\&..., +.Sy \&k9 . +If these keys have labels other than the default f0 through f9, the labels +can be given as +.Sy \&l0 , +.Sy \&l1 , +\&..., +.Sy \&l9 . +The codes transmitted by certain other special keys can be given: +.Sy \&kH +(home down), +.Sy \&kb +(backspace), +.Sy \&ka +(clear all tabs), +.Sy \&kt +(clear the tab stop in this column), +.Sy \&kC +(clear screen or erase), +.Sy \&kD +(delete character), +.Sy \&kL +(delete line), +.Sy \&kM +(exit insert mode), +.Sy \&kE +(clear to end of line), +.Sy \&kS +(clear to end of screen), +.Sy \&kI +(insert character or enter insert mode), +.Sy \&kA +(insert line), +.Sy \&kN +(next page), +.Sy \&kP +(previous page), +.Sy \&kF +(scroll forward/down), +.Sy \&kR +(scroll backward/up), and +.Sy \&kT +(set a tab stop in this column). +In addition, if the keypad has a 3 by 3 array of keys +including the four arrow keys, then the other five keys can be given as +.Sy \&K1 , +.Sy \&K2 , +.Sy \&K3 , +.Sy \&K4 , +and +.Sy \&K5 . +These keys are useful when the effects of a 3 by 3 directional pad are needed. +The obsolete +.Sy \&ko +capability formerly used to describe +.Dq other +function keys has been +completely supplanted by the above capabilities. +.Pp +The +.Sy \&ma +entry is also used to indicate arrow keys on terminals that have +single-character arrow keys. +It is obsolete but still in use in +version 2 of +.Sy \&vi +which must be run on some minicomputers due to +memory limitations. +This field is redundant with +.Sy \&kl , +.Sy \&kr , +.Sy \&ku , +.Sy \&kd , +and +.Sy \&kh . +It consists of groups of two characters. +In each group, the first character is what an arrow key sends, and the +second character is the corresponding +.Sy \&vi +command. +These commands are +.Ar h +for +.Sy \&kl , +.Ar j +for +.Sy \&kd , +.Ar k +for +.Sy \&ku , +.Ar l +for +.Sy \&kr , +and +.Ar H +for +.Sy \&kh . +For example, the Mime would have +.Dq Li ma=^Hh^Kj^Zk^Xl +indicating arrow keys left (^H), down (^K), up (^Z), and right (^X). +(There is no home key on the Mime.) +.Ss Tabs and Initialization +If the terminal needs to be in a special mode when running +a program that uses these capabilities, +the codes to enter and exit this mode can be given as +.Sy \&ti +and +.Sy \&te . +This arises, for example, from terminals like the Concept with more than +one page of memory. +If the terminal has only memory-relative cursor addressing and not +screen-relative cursor addressing, +a screen-sized window must be fixed into +the display for cursor addressing to work properly. +This is also used for the Tektronix 4025, where +.Sy \&ti +sets the command character to be the one used by +.Nm . +.Pp +Other capabilities +include +.Sy \&is , +an initialization string for the terminal, +and +.Sy \&if , +the name of a file containing long initialization strings. +These strings are expected to set the terminal into modes +consistent with the rest of the +.Nm +description. +They are normally sent to the terminal by the +.Xr tset 1 +program each time the user logs in. +They will be printed in the following order: +.Sy \&is ; +setting tabs using +.Sy \&ct +and +.Sy \&st ; +and finally +.Sy \&if . +.Pf ( Xr terminfo 5 +uses +.Sy \&i\&1-i2 +instead of +.Sy \&is +and runs the program +.Sy \&iP +and prints +.Sy "\&i\&3" +after the other initializations.) +A pair of sequences that does a harder reset from a totally unknown state +can be analogously given as +.Sy \&rs +and +.Sy \&if . +These strings are output by the +.Xr reset 1 +program, which is used when the terminal gets into a wedged state. +.Pf ( Xr terminfo 5 +uses +.Sy "\&r1-r3" +instead of +.Sy \&rs . ) +Commands are normally placed in +.Sy \&rs +and +.Sy \&rf +only if they produce annoying effects on the screen and are not necessary +when logging in. +For example, the command to set the VT100 into 80-column mode +would normally be part of +.Sy \&is , +but it causes an annoying glitch of the screen and is not normally needed +since the terminal is usually already in 80-column mode. +.Pp +If the terminal has hardware tabs, +the command to advance to the next tab stop can be given as +.Sy \&ta +(usually +.Sy \&^I ) . +A +.Dq backtab +command which moves leftward to the previous tab stop +can be given as +.Sy \&bt . +By convention, +if the terminal driver modes indicate that tab stops are being expanded +by the computer rather than being sent to the terminal, +programs should not use +.Sy \&ta +or +.Sy \&bt +even if they are present, +since the user may not have the tab stops properly set. +If the terminal has hardware tabs that are initially set every +.Ar n +positions when the terminal is powered up, then the numeric parameter +.Sy \&it +is given, showing the number of positions between tab stops. +This is normally used by the +.Xr tset 1 +command to determine whether to set the driver mode for hardware tab +expansion, and whether to set the tab stops. +If the terminal has tab stops that can be saved in nonvolatile memory, the +.Nm +description can assume that they are properly set. +.Pp +If there are commands to set and clear tab stops, they can be given as +.Sy \&ct +(clear all tab stops) and +.Sy \&st +(set a tab stop in the current column of every row). +If a more complex sequence is needed to set the tabs than can be +described by this, the sequence can be placed in +.Sy \&is +or +.Sy \&if . +.Ss Delays +Certain capabilities control padding in the terminal driver. +These are primarily needed by hardcopy terminals and are used by the +.Xr tset 1 +program to set terminal driver modes appropriately. +Delays embedded in the capabilities +.Sy \&cr , +.Sy \&sf , +.Sy \&le , +.Sy \&ff , +and +.Sy \&ta +will cause the appropriate delay bits to be set in the terminal driver. +If +.Sy \&pb +(padding baud rate) is given, these values can be ignored at baud rates +below the value of +.Sy \&pb . +For +.Bx 4.2 +.Xr tset 1 , +the delays are given as numeric capabilities +.Sy \&dC , +.Sy \&dN , +.Sy \&dB , +.Sy \&dF , +and +.Sy \&dT +instead. +.Ss Miscellaneous +If the terminal requires other than a +.Dv NUL +(zero) character as a pad, +this can be given as +.Sy \&pc . +Only the first character of the +.Sy \&pc +string is used. +.Pp +If the terminal has commands to save and restore the position of the +cursor, give them as +.Sy \&sc +and +.Sy \&rc . +.Pp +If the terminal has an extra +.Dq status line +that is not normally used by +software, this fact can be indicated. +If the status line is viewed as an extra line below the bottom line, +then the capability +.Sy \&hs +should be given. +Special strings to go to a position in the status line and to return +from the status line can be given as +.Sy \&ts +and +.Sy \&fs . +.Pf ( Sy \&fs +must leave the cursor position in the same place that it was before +.Sy \&ts . +If necessary, the +.Sy \&sc +and +.Sy \&rc +strings can be included in +.Sy \&ts +and +.Sy \&fs +to get this effect.) +The capability +.Sy \&ts +takes one parameter, which is the column number of the status line +to which the cursor is to be moved. +If escape sequences and other special commands such as tab work while in +the status line, the flag +.Sy \&es +can be given. +A string that turns off the status line (or otherwise erases its contents) +should be given as +.Sy \&ds . +The status line is normally assumed to be the same width as the +rest of the screen, i.e.\& +.Sy \&co . +If the status line is a different width (possibly because the terminal +does not allow an entire line to be loaded), then its width in columns +can be indicated with the numeric parameter +.Sy \&ws . +.Pp +If the terminal can move up or down half a line, this can be +indicated with +.Sy \&hu +(half-line up) and +.Sy \&hd +(half-line down). +This is primarily useful for superscripts and subscripts on hardcopy +terminals. +If a hardcopy terminal can eject to the next page (form feed), +give this as +.Sy \&ff +(usually +.Sy \&^L ) . +.Pp +If there is a command to repeat a given character a given number of times +(to save time transmitting a large number of identical characters), +this can be indicated with the parameterized string +.Sy \&rp . +The first parameter is the character to be repeated and the second is +the number of times to repeat it. +(This is a +.Xr terminfo 5 +feature that is unlikely to be supported by a program that uses +.Nm . ) +.Pp +If the terminal has a settable command character, such as the +Tektronix 4025, this can be indicated with +.Sy \&CC . +A prototype command character is chosen which is used in all capabilities. +This character is given in the +.Sy \&CC +capability to identify it. +The following convention is supported on some +.Ux +systems: +The environment is to be searched for a +.Ev \&CC +variable, +and if found, +all occurrences of the prototype character are replaced by the character +in the environment variable. +This use of the +.Ev \&CC +environment variable +is a very bad idea, as it conflicts with +.Xr make 1 . +.Pp +Terminal descriptions that do not represent a specific kind of known +terminal, such as +.Em switch , +.Em dialup , +.Em patch , +and +.Em network , +should include the +.Sy \&gn +(generic) capability so that programs can complain that they do not know +how to talk to the terminal. +(This capability does not apply to +.Em virtual +terminal descriptions for which the escape sequences are known.) +.Pp +If the terminal uses xoff/xon +.Pq Tn DC3 Ns / Ns Tn DC1 +handshaking for flow control, give +.Sy \&xo . +Padding information should still be included so that routines can make +better decisions about costs, but actual pad characters will not be +transmitted. +.Pp +If the terminal has a +.Dq meta key +which acts as a shift key, setting the +8th bit of any character transmitted, then this fact can be indicated with +.Sy \&km . +Otherwise, software will assume that the 8th bit is parity and it will +usually be cleared. +If strings exist to turn this +.Dq meta mode +on and off, they can be given as +.Sy \&mm +and +.Sy \&mo . +.Pp +If the terminal has more lines of memory than will fit on the screen at once, +the number of lines of memory can be indicated with +.Sy \&lm . +An explicit value of 0 indicates that the number of lines is not fixed, +but that there is still more memory than fits on the screen. +.Pp +If the terminal is one of those supported by the +.Ux +system virtual +terminal protocol, the terminal number can be given as +.Sy \&vt . +.Pp +Media copy strings which control an auxiliary printer +connected to the terminal can be given as +.Sy \&ps : +print the contents of the screen; +.Sy \&pf : +turn off the printer; and +.Sy \&po : +turn on the printer. +When the printer is on, all text sent to the terminal will be sent to the +printer. +It is undefined whether the text is also displayed on the terminal screen +when the printer is on. +A variation +.Sy \&pO +takes one parameter and leaves the printer on for as many characters as the +value of the parameter, then turns the printer off. +The parameter should not exceed 255. +All text, including +.Sy \&pf , +is transparently passed to the printer while +.Sy \&pO +is in effect. +.Pp +Strings to program function keys can be given as +.Sy \&pk , +.Sy \&pl , +and +.Sy \&px . +Each of these strings takes two parameters: the function key number +to program (from 0 to 9) and the string to program it with. +Function key numbers out of this range may program undefined keys +in a terminal-dependent manner. +The differences among the capabilities are that +.Sy \&pk +causes pressing the given key to be the same as the user typing the given +string; +.Sy \&pl +causes the string to be executed by the terminal in local mode; +and +.Sy \&px +causes the string to be transmitted to the computer. +Unfortunately, due to lack of a definition for string parameters in +.Nm , +only +.Xr terminfo 5 +supports these capabilities. +.Ss Glitches and Brain-damage +Hazeltine terminals, which do not allow `~' characters to be displayed, +should indicate +.Sy \&hz . +.Pp +The +.Sy \&nc +capability, now obsolete, formerly indicated Datamedia terminals, +which echo +.Sy \&\er \en +for +carriage return then ignore a following linefeed. +.Pp +Terminals that ignore a linefeed immediately after an +.Sy \&am +wrap, such as the Concept, should indicate +.Sy \&xn . +.Pp +If +.Sy \&ce +is required to get rid of standout +(instead of merely writing normal text on top of it), +.Sy \&xs +should be given. +.Pp +Teleray terminals, where tabs turn all characters moved over to blanks, +should indicate +.Sy \&xt +(destructive tabs). +This glitch is also taken to mean that it is not possible +to position the cursor on top of a \*(lqmagic cookie\*(rq, and that +to erase standout mode it is necessary to use delete and insert line. +.Pp +The Beehive Superbee, which is unable to correctly transmit the +.Dv ESC +or +.Sy \&^C +characters, has +.Sy \&xb , +indicating that the +.Dq \&f\&1 +key is used for +.Dv ESC +and +.Dq \&f\&2 +for ^C. +(Only certain Superbees have this problem, depending on the +.Tn ROM . ) +.Pp +Other specific terminal problems may be corrected by adding more +capabilities of the form +.Sy x Em x . +.Ss Similar Terminals +If there are two very similar terminals, +one can be defined as being just like the other with certain exceptions. +The string capability +.Sy \&tc +can be given +with the name of the similar terminal. +This capability must be +.Em last , +and the combined length of the entries +must not exceed 1024. +The capabilities given before +.Sy \&tc +override those in the terminal type invoked by +.Sy \&tc . +A capability can be cancelled by placing +.Sy \&xx@ +to the left of the +.Sy \&tc +invocation, where +.Sy \&xx +is the capability. +For example, the entry +.Bd -literal -offset indent +hn\||\|2621\-nl:ks@:ke@:tc=2621: +.Ed +.Pp +defines a +.Dq 2621\-nl +that does not have the +.Sy \&ks +or +.Sy \&ke +capabilities, +hence does not turn on the function key labels when in visual mode. +This is useful for different modes for a terminal, or for different +user preferences. +.Sh FILES +.Bl -tag -width /usr/share/misc/termcap.db -compact +.It Pa /usr/share/misc/termcap +File containing terminal descriptions. +.It Pa /usr/share/misc/termcap.db +Hash database file containing terminal descriptions (see +.Xr cap_mkdb 1 ) . +.El +.Sh SEE ALSO +.Xr cap_mkdb 1 , +.Xr ex 1 , +.Xr more 1 , +.Xr tset 1 , +.Xr ul 1 , +.Xr vi 1 , +.Xr curses 3 , +.Xr printf 3 , +.Xr termcap 3 , +.Xr terminfo 3 , +.Xr terminfo 5 , +.Xr term 7 +.Sh HISTORY +The +.Nm +file format appeared in +.Bx 3 . +.Sh CAVEATS +The +.Nm +functions +were replaced by +.Xr terminfo 5 +in +.At V +Release 2.0. +The transition will be relatively painless if capabilities flagged as +.Dq obsolete +are avoided. +.Sh BUGS +Lines and columns are now stored by the kernel as well as in the termcap +entry. +Most programs now use the kernel information primarily; the information +in this file is used only if the kernel does not have any information. +.Pp +Historically, the total length of a single entry (excluding only +escaped newlines) was limited to 1023 bytes, not including the NUL +terminator. +Larger entries may lead to a buffer overflow on some systems. +.Pp +Not all programs support all entries. diff --git a/static/openbsd/man5/terminfo.5 b/static/openbsd/man5/terminfo.5 new file mode 100644 index 00000000..63439085 --- /dev/null +++ b/static/openbsd/man5/terminfo.5 @@ -0,0 +1,3842 @@ +'\" t +.\" DO NOT EDIT THIS FILE BY HAND! +.\" It is generated from terminfo.head, ./../include/Caps ./../include/Caps-ncurses, and terminfo.tail. +.\" +.\" Note: this must be run through tbl before nroff. +.\" The magic cookie on the first line triggers this under some man programs. +.\"*************************************************************************** +.\" Copyright 2018-2021,2023 Thomas E. Dickey * +.\" Copyright 1998-2016,2017 Free Software Foundation, Inc. * +.\" * +.\" Permission is hereby granted, free of charge, to any person obtaining a * +.\" copy of this software and associated documentation files (the * +.\" "Software"), to deal in the Software without restriction, including * +.\" without limitation the rights to use, copy, modify, merge, publish, * +.\" distribute, distribute with modifications, sublicense, and/or sell * +.\" copies of the Software, and to permit persons to whom the Software is * +.\" furnished to do so, subject to the following conditions: * +.\" * +.\" The above copyright notice and this permission notice shall be included * +.\" in all copies or substantial portions of the Software. * +.\" * +.\" THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS * +.\" OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF * +.\" MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. * +.\" IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, * +.\" DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR * +.\" OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR * +.\" THE USE OR OTHER DEALINGS IN THE SOFTWARE. * +.\" * +.\" Except as contained in this notice, the name(s) of the above copyright * +.\" holders shall not be used in advertising or otherwise to promote the * +.\" sale, use or other dealings in this Software without prior written * +.\" authorization. * +.\"*************************************************************************** +.\" +.\" $Id: terminfo.5,v 1.3 2024/08/23 15:10:40 nicm Exp $ +.TH terminfo 5 2023-07-01 "ncurses 6.4" "File formats" +.ds n 5 +.ds d /usr/share/terminfo +.ie \n(.g .ds `` \(lq +.el .ds `` `` +.ie \n(.g .ds '' \(rq +.el .ds '' '' +.de bP +.ie n .IP \(bu 4 +.el .IP \(bu 2 +.. +.de NS +.ie n .sp +.el .sp .5 +.ie n .in +4 +.el .in +2 +.nf +.ft C \" Courier +.. +.de NE +.fi +.ft R +.ie n .in -4 +.el .in -2 +.. +.SH NAME +terminfo \- terminal capability database +.SH SYNOPSIS +\*d/*/* +.SH DESCRIPTION +.I Terminfo +is a database describing terminals, +used by screen-oriented programs such as +\fBnvi\fP(1), +\fBlynx\fP(1), +\fBmutt\fP(1), +and other curses applications, +using high-level calls to libraries such as \fBcurses\fP(3). +It is also used via low-level calls by non-curses applications +which may be screen-oriented (such as \fBclear\fP(1)) +or non-screen (such as \fBtabs\fP(1)). +.PP +.I Terminfo +describes terminals by giving a set of capabilities which they +have, by specifying how to perform screen operations, and by +specifying padding requirements and initialization sequences. +.PP +This manual describes \fBncurses\fP +version 6.4 (patch 20230826). +.SS Terminfo Entry Syntax +Entries in +.I terminfo +consist of a sequence of fields: +.bP +Each field ends with a comma \*(``,\*('' +(embedded commas may be +escaped with a backslash or written as \*(``\\054\*(''). +.bP +White space between fields is ignored. +.bP +The first field in a \fIterminfo\fP entry begins in the first column. +.bP +Newlines and leading whitespace (spaces or tabs) +may be used for formatting entries for readability. +These are removed from parsed entries. +.IP +The \fBinfocmp\fP \fB\-f\fP and \fB\-W\fP options rely on this to +format if-then-else expressions, +or to enforce maximum line-width. +The resulting formatted terminal description can be read by \fBtic\fP. +.bP +The first field for each terminal gives the names which are known for the +terminal, separated by \*(``|\*('' characters. +.IP +The first name given is the most common abbreviation for the terminal +(its primary name), +the last name given should be a long name fully identifying the terminal +(see \fBlongname\fP(3)), +and all others are treated as synonyms (aliases) for the primary terminal name. +.IP +X/Open Curses advises that all names but the last should be in lower case +and contain no blanks; +the last name may well contain upper case and blanks for readability. +.IP +This implementation is not so strict; +it allows mixed case in the primary name and aliases. +If the last name has no embedded blanks, +it allows that to be both an alias and a verbose name +(but will warn about this ambiguity). +.bP +Lines beginning with a \*(``#\*('' in the first column are treated as comments. +.IP +While comment lines are legal at any point, the output of \fBcaptoinfo\fP +and \fBinfotocap\fP (aliases for \fBtic\fP) +will move comments so they occur only between entries. +.PP +Terminal names (except for the last, verbose entry) should +be chosen using the following conventions. +The particular piece of hardware making up the terminal should +have a root name, thus \*(``hp2621\*(''. +This name should not contain hyphens. +Modes that the hardware can be in, or user preferences, should +be indicated by appending a hyphen and a mode suffix. +Thus, a vt100 in 132-column mode would be vt100\-w. +The following suffixes should be used where possible: +.PP +.TS +center ; +l c l +l l l. +\fBSuffix Meaning Example\fP +\-\fInn\fP Number of lines on the screen aaa\-60 +\-\fIn\fPp Number of pages of memory c100\-4p +\-am With automargins (usually the default) vt100\-am +\-m Mono mode; suppress color ansi\-m +\-mc Magic cookie; spaces when highlighting wy30\-mc +\-na No arrow keys (leave them in local) c100\-na +\-nam Without automatic margins vt100\-nam +\-nl No status line att4415\-nl +\-ns No status line hp2626\-ns +\-rv Reverse video c100\-rv +\-s Enable status line vt100\-s +\-vb Use visible bell instead of beep wy370\-vb +\-w Wide mode (> 80 columns, usually 132) vt100\-w +.TE +.PP +For more on terminal naming conventions, see the \fBterm\fP(7) manual page. +.SS Terminfo Capabilities Syntax +The terminfo entry consists of several \fIcapabilities\fP, +i.e., features that the terminal has, +or methods for exercising the terminal's features. +.PP +After the first field (giving the name(s) of the terminal entry), +there should be one or more \fIcapability\fP fields. +These are boolean, numeric or string names with corresponding values: +.bP +Boolean capabilities are true when present, false when absent. +There is no explicit value for boolean capabilities. +.bP +Numeric capabilities have a \*(``#\*('' following the name, +then an unsigned decimal integer value. +.bP +String capabilities have a \*(``=\*('' following the name, +then an string of characters making up the capability value. +.IP +String capabilities can be split into multiple lines, +just as the fields comprising a terminal entry can be +split into multiple lines. +While blanks between fields are ignored, +blanks embedded within a string value are retained, +except for leading blanks on a line. +.PP +Any capability can be \fIcanceled\fP, +i.e., suppressed from the terminal entry, +by following its name with \*(``@\*('' +rather than a capability value. +.SS Similar Terminals +If there are two very similar terminals, one (the variant) can be defined as +being just like the other (the base) with certain exceptions. +In the +definition of the variant, the string capability \fBuse\fP can be given with +the name of the base terminal: +.bP +The capabilities given before +.B use +override those in the base type named by +.BR use . +.bP +If there are multiple \fBuse\fP capabilities, they are merged in reverse order. +That is, the rightmost \fBuse\fP reference is processed first, then the one to +its left, and so forth. +.bP +Capabilities given explicitly in the entry override +those brought in by \fBuse\fP references. +.PP +A capability can be canceled by placing \fBxx@\fP to the left of the +use reference that imports it, where \fIxx\fP is the capability. +For example, the entry +.RS +.PP +2621\-nl, smkx@, rmkx@, use=2621, +.RE +.PP +defines a 2621\-nl that does not have the \fBsmkx\fP or \fBrmkx\fP capabilities, +and hence does not turn on the function key labels when in visual mode. +This is useful for different modes for a terminal, or for different +user preferences. +.PP +An entry included via \fBuse\fP can contain canceled capabilities, +which have the same effect as if those cancels were inline in the +using terminal entry. +.SS Predefined Capabilities +.\" Head of terminfo man page ends here +.ps -1 +The following is a complete table of the capabilities included in a +terminfo description block and available to terminfo-using code. In each +line of the table, + +The \fBvariable\fR is the name by which the programmer (at the terminfo level) +accesses the capability. + +The \fBcapname\fR is the short name used in the text of the database, +and is used by a person updating the database. +Whenever possible, capnames are chosen to be the same as or similar to +the ANSI X3.64-1979 standard (now superseded by ECMA-48, which uses +identical or very similar names). Semantics are also intended to match +those of the specification. + +The termcap code is the old +.B termcap +capability name (some capabilities are new, and have names which termcap +did not originate). +.P +Capability names have no hard length limit, but an informal limit of 5 +characters has been adopted to keep them short and to allow the tabs in +the source file +.B Caps +to line up nicely. + +Finally, the description field attempts to convey the semantics of the +capability. You may find some codes in the description field: +.TP +(P) +indicates that padding may be specified +.TP +#[1-9] +in the description field indicates that the string is passed +through \fBtparm\fP(3) with parameters as given (#\fIi\fP). +.IP +If no parameters are listed in the description, +passing the string through \fBtparm\fP(3) may give unexpected results, +e.g., if it contains percent (%%) signs. +.TP +(P*) +indicates that padding may vary in proportion to the number of +lines affected +.TP +(#\d\fIi\fP\u) +indicates the \fIi\fP\uth\d parameter. + +.PP +These are the boolean capabilities: + +.na +.TS H +center; +c l l c +c l l c +lw25 lw7 lw2 lw20. +\fBVariable Cap- TCap Description\fR +\fBBooleans name Code\fR +auto_left_margin bw bw T{ +cub1 wraps from column 0 to last column +T} +auto_right_margin am am T{ +terminal has automatic margins +T} +back_color_erase bce ut T{ +screen erased with background color +T} +can_change ccc cc T{ +terminal can re-define existing colors +T} +ceol_standout_glitch xhp xs T{ +standout not erased by overwriting (hp) +T} +col_addr_glitch xhpa YA T{ +only positive motion for hpa/mhpa caps +T} +cpi_changes_res cpix YF T{ +changing character pitch changes resolution +T} +cr_cancels_micro_mode crxm YB T{ +using cr turns off micro mode +T} +dest_tabs_magic_smso xt xt T{ +tabs destructive, magic so char (t1061) +T} +eat_newline_glitch xenl xn T{ +newline ignored after 80 cols (concept) +T} +erase_overstrike eo eo T{ +can erase overstrikes with a blank +T} +generic_type gn gn T{ +generic line type +T} +hard_copy hc hc T{ +hardcopy terminal +T} +hard_cursor chts HC T{ +cursor is hard to see +T} +has_meta_key km km T{ +Has a meta key (i.e., sets 8th-bit) +T} +has_print_wheel daisy YC T{ +printer needs operator to change character set +T} +has_status_line hs hs T{ +has extra status line +T} +hue_lightness_saturation hls hl T{ +terminal uses only HLS color notation (Tektronix) +T} +insert_null_glitch in in T{ +insert mode distinguishes nulls +T} +lpi_changes_res lpix YG T{ +changing line pitch changes resolution +T} +memory_above da da T{ +display may be retained above the screen +T} +memory_below db db T{ +display may be retained below the screen +T} +move_insert_mode mir mi T{ +safe to move while in insert mode +T} +move_standout_mode msgr ms T{ +safe to move while in standout mode +T} +needs_xon_xoff nxon nx T{ +padding will not work, xon/xoff required +T} +no_esc_ctlc xsb xb T{ +beehive (f1=escape, f2=ctrl C) +T} +no_pad_char npc NP T{ +pad character does not exist +T} +non_dest_scroll_region ndscr ND T{ +scrolling region is non-destructive +T} +non_rev_rmcup nrrmc NR T{ +smcup does not reverse rmcup +T} +over_strike os os T{ +terminal can overstrike +T} +prtr_silent mc5i 5i T{ +printer will not echo on screen +T} +row_addr_glitch xvpa YD T{ +only positive motion for vpa/mvpa caps +T} +semi_auto_right_margin sam YE T{ +printing in last column causes cr +T} +status_line_esc_ok eslok es T{ +escape can be used on the status line +T} +tilde_glitch hz hz T{ +cannot print ~'s (Hazeltine) +T} +transparent_underline ul ul T{ +underline character overstrikes +T} +xon_xoff xon xo T{ +terminal uses xon/xoff handshaking +T} +.TE +.ad + +These are the numeric capabilities: + +.na +.TS H +center; +c l l c +c l l c +lw25 lw7 lw2 lw20. +\fBVariable Cap- TCap Description\fR +\fBNumeric name Code\fR +columns cols co T{ +number of columns in a line +T} +init_tabs it it T{ +tabs initially every # spaces +T} +label_height lh lh T{ +rows in each label +T} +label_width lw lw T{ +columns in each label +T} +lines lines li T{ +number of lines on screen or page +T} +lines_of_memory lm lm T{ +lines of memory if > line. 0 means varies +T} +magic_cookie_glitch xmc sg T{ +number of blank characters left by smso or rmso +T} +max_attributes ma ma T{ +maximum combined attributes terminal can handle +T} +max_colors colors Co T{ +maximum number of colors on screen +T} +max_pairs pairs pa T{ +maximum number of color-pairs on the screen +T} +maximum_windows wnum MW T{ +maximum number of definable windows +T} +no_color_video ncv NC T{ +video attributes that cannot be used with colors +T} +num_labels nlab Nl T{ +number of labels on screen +T} +padding_baud_rate pb pb T{ +lowest baud rate where padding needed +T} +virtual_terminal vt vt T{ +virtual terminal number (CB/unix) +T} +width_status_line wsl ws T{ +number of columns in status line +T} +.TE +.ad + +The following numeric capabilities are present in the SVr4.0 term structure, +but are not yet documented in the man page. They came in with SVr4's +printer support. + +.na +.TS H +center; +c l l c +c l l c +lw25 lw7 lw2 lw20. +\fBVariable Cap- TCap Description\fR +\fBNumeric name Code\fR +bit_image_entwining bitwin Yo T{ +number of passes for each bit-image row +T} +bit_image_type bitype Yp T{ +type of bit-image device +T} +buffer_capacity bufsz Ya T{ +numbers of bytes buffered before printing +T} +buttons btns BT T{ +number of buttons on mouse +T} +dot_horz_spacing spinh Yc T{ +spacing of dots horizontally in dots per inch +T} +dot_vert_spacing spinv Yb T{ +spacing of pins vertically in pins per inch +T} +max_micro_address maddr Yd T{ +maximum value in micro_..._address +T} +max_micro_jump mjump Ye T{ +maximum value in parm_..._micro +T} +micro_col_size mcs Yf T{ +character step size when in micro mode +T} +micro_line_size mls Yg T{ +line step size when in micro mode +T} +number_of_pins npins Yh T{ +numbers of pins in print-head +T} +output_res_char orc Yi T{ +horizontal resolution in units per line +T} +output_res_horz_inch orhi Yk T{ +horizontal resolution in units per inch +T} +output_res_line orl Yj T{ +vertical resolution in units per line +T} +output_res_vert_inch orvi Yl T{ +vertical resolution in units per inch +T} +print_rate cps Ym T{ +print rate in characters per second +T} +wide_char_size widcs Yn T{ +character step size when in double wide mode +T} +.TE +.ad + +These are the string capabilities: + +.na +.TS H +center; +c l l c +c l l c +lw25 lw7 lw2 lw20. +\fBVariable Cap- TCap Description\fR +\fBString name Code\fR +acs_chars acsc ac T{ +graphics charset pairs, based on vt100 +T} +back_tab cbt bt T{ +back tab (P) +T} +bell bel bl T{ +audible signal (bell) (P) +T} +carriage_return cr cr T{ +carriage return (P*) (P*) +T} +change_char_pitch cpi ZA T{ +Change number of characters per inch to #1 +T} +change_line_pitch lpi ZB T{ +Change number of lines per inch to #1 +T} +change_res_horz chr ZC T{ +Change horizontal resolution to #1 +T} +change_res_vert cvr ZD T{ +Change vertical resolution to #1 +T} +change_scroll_region csr cs T{ +change region to line #1 to line #2 (P) +T} +char_padding rmp rP T{ +like ip but when in insert mode +T} +clear_all_tabs tbc ct T{ +clear all tab stops (P) +T} +clear_margins mgc MC T{ +clear right and left soft margins +T} +clear_screen clear cl T{ +clear screen and home cursor (P*) +T} +clr_bol el1 cb T{ +Clear to beginning of line +T} +clr_eol el ce T{ +clear to end of line (P) +T} +clr_eos ed cd T{ +clear to end of screen (P*) +T} +column_address hpa ch T{ +horizontal position #1, absolute (P) +T} +command_character cmdch CC T{ +terminal settable cmd character in prototype !? +T} +create_window cwin CW T{ +define a window #1 from #2,#3 to #4,#5 +T} +cursor_address cup cm T{ +move to row #1 columns #2 +T} +cursor_down cud1 do T{ +down one line +T} +cursor_home home ho T{ +home cursor (if no cup) +T} +cursor_invisible civis vi T{ +make cursor invisible +T} +cursor_left cub1 le T{ +move left one space +T} +cursor_mem_address mrcup CM T{ +memory relative cursor addressing, move to row #1 columns #2 +T} +cursor_normal cnorm ve T{ +make cursor appear normal (undo civis/cvvis) +T} +cursor_right cuf1 nd T{ +non-destructive space (move right one space) +T} +cursor_to_ll ll ll T{ +last line, first column (if no cup) +T} +cursor_up cuu1 up T{ +up one line +T} +cursor_visible cvvis vs T{ +make cursor very visible +T} +define_char defc ZE T{ +Define a character #1, #2 dots wide, descender #3 +T} +delete_character dch1 dc T{ +delete character (P*) +T} +delete_line dl1 dl T{ +delete line (P*) +T} +dial_phone dial DI T{ +dial number #1 +T} +dis_status_line dsl ds T{ +disable status line +T} +display_clock dclk DK T{ +display clock +T} +down_half_line hd hd T{ +half a line down +T} +ena_acs enacs eA T{ +enable alternate char set +T} +enter_alt_charset_mode smacs as T{ +start alternate character set (P) +T} +enter_am_mode smam SA T{ +turn on automatic margins +T} +enter_blink_mode blink mb T{ +turn on blinking +T} +enter_bold_mode bold md T{ +turn on bold (extra bright) mode +T} +enter_ca_mode smcup ti T{ +string to start programs using cup +T} +enter_delete_mode smdc dm T{ +enter delete mode +T} +enter_dim_mode dim mh T{ +turn on half-bright mode +T} +enter_doublewide_mode swidm ZF T{ +Enter double-wide mode +T} +enter_draft_quality sdrfq ZG T{ +Enter draft-quality mode +T} +enter_insert_mode smir im T{ +enter insert mode +T} +enter_italics_mode sitm ZH T{ +Enter italic mode +T} +enter_leftward_mode slm ZI T{ +Start leftward carriage motion +T} +enter_micro_mode smicm ZJ T{ +Start micro-motion mode +T} +enter_near_letter_quality snlq ZK T{ +Enter NLQ mode +T} +enter_normal_quality snrmq ZL T{ +Enter normal-quality mode +T} +enter_protected_mode prot mp T{ +turn on protected mode +T} +enter_reverse_mode rev mr T{ +turn on reverse video mode +T} +enter_secure_mode invis mk T{ +turn on blank mode (characters invisible) +T} +enter_shadow_mode sshm ZM T{ +Enter shadow-print mode +T} +enter_standout_mode smso so T{ +begin standout mode +T} +enter_subscript_mode ssubm ZN T{ +Enter subscript mode +T} +enter_superscript_mode ssupm ZO T{ +Enter superscript mode +T} +enter_underline_mode smul us T{ +begin underline mode +T} +enter_upward_mode sum ZP T{ +Start upward carriage motion +T} +enter_xon_mode smxon SX T{ +turn on xon/xoff handshaking +T} +erase_chars ech ec T{ +erase #1 characters (P) +T} +exit_alt_charset_mode rmacs ae T{ +end alternate character set (P) +T} +exit_am_mode rmam RA T{ +turn off automatic margins +T} +exit_attribute_mode sgr0 me T{ +turn off all attributes +T} +exit_ca_mode rmcup te T{ +strings to end programs using cup +T} +exit_delete_mode rmdc ed T{ +end delete mode +T} +exit_doublewide_mode rwidm ZQ T{ +End double-wide mode +T} +exit_insert_mode rmir ei T{ +exit insert mode +T} +exit_italics_mode ritm ZR T{ +End italic mode +T} +exit_leftward_mode rlm ZS T{ +End left-motion mode +T} +exit_micro_mode rmicm ZT T{ +End micro-motion mode +T} +exit_shadow_mode rshm ZU T{ +End shadow-print mode +T} +exit_standout_mode rmso se T{ +exit standout mode +T} +exit_subscript_mode rsubm ZV T{ +End subscript mode +T} +exit_superscript_mode rsupm ZW T{ +End superscript mode +T} +exit_underline_mode rmul ue T{ +exit underline mode +T} +exit_upward_mode rum ZX T{ +End reverse character motion +T} +exit_xon_mode rmxon RX T{ +turn off xon/xoff handshaking +T} +fixed_pause pause PA T{ +pause for 2-3 seconds +T} +flash_hook hook fh T{ +flash switch hook +T} +flash_screen flash vb T{ +visible bell (may not move cursor) +T} +form_feed ff ff T{ +hardcopy terminal page eject (P*) +T} +from_status_line fsl fs T{ +return from status line +T} +goto_window wingo WG T{ +go to window #1 +T} +hangup hup HU T{ +hang-up phone +T} +init_1string is1 i1 T{ +initialization string +T} +init_2string is2 is T{ +initialization string +T} +init_3string is3 i3 T{ +initialization string +T} +init_file if if T{ +name of initialization file +T} +init_prog iprog iP T{ +path name of program for initialization +T} +initialize_color initc Ic T{ +initialize color #1 to (#2,#3,#4) +T} +initialize_pair initp Ip T{ +Initialize color pair #1 to fg=(#2,#3,#4), bg=(#5,#6,#7) +T} +insert_character ich1 ic T{ +insert character (P) +T} +insert_line il1 al T{ +insert line (P*) +T} +insert_padding ip ip T{ +insert padding after inserted character +T} +key_a1 ka1 K1 T{ +upper left of keypad +T} +key_a3 ka3 K3 T{ +upper right of keypad +T} +key_b2 kb2 K2 T{ +center of keypad +T} +key_backspace kbs kb T{ +backspace key +T} +key_beg kbeg @1 T{ +begin key +T} +key_btab kcbt kB T{ +back-tab key +T} +key_c1 kc1 K4 T{ +lower left of keypad +T} +key_c3 kc3 K5 T{ +lower right of keypad +T} +key_cancel kcan @2 T{ +cancel key +T} +key_catab ktbc ka T{ +clear-all-tabs key +T} +key_clear kclr kC T{ +clear-screen or erase key +T} +key_close kclo @3 T{ +close key +T} +key_command kcmd @4 T{ +command key +T} +key_copy kcpy @5 T{ +copy key +T} +key_create kcrt @6 T{ +create key +T} +key_ctab kctab kt T{ +clear-tab key +T} +key_dc kdch1 kD T{ +delete-character key +T} +key_dl kdl1 kL T{ +delete-line key +T} +key_down kcud1 kd T{ +down-arrow key +T} +key_eic krmir kM T{ +sent by rmir or smir in insert mode +T} +key_end kend @7 T{ +end key +T} +key_enter kent @8 T{ +enter/send key +T} +key_eol kel kE T{ +clear-to-end-of-line key +T} +key_eos ked kS T{ +clear-to-end-of-screen key +T} +key_exit kext @9 T{ +exit key +T} +key_f0 kf0 k0 T{ +F0 function key +T} +key_f1 kf1 k1 T{ +F1 function key +T} +key_f10 kf10 k; T{ +F10 function key +T} +key_f11 kf11 F1 T{ +F11 function key +T} +key_f12 kf12 F2 T{ +F12 function key +T} +key_f13 kf13 F3 T{ +F13 function key +T} +key_f14 kf14 F4 T{ +F14 function key +T} +key_f15 kf15 F5 T{ +F15 function key +T} +key_f16 kf16 F6 T{ +F16 function key +T} +key_f17 kf17 F7 T{ +F17 function key +T} +key_f18 kf18 F8 T{ +F18 function key +T} +key_f19 kf19 F9 T{ +F19 function key +T} +key_f2 kf2 k2 T{ +F2 function key +T} +key_f20 kf20 FA T{ +F20 function key +T} +key_f21 kf21 FB T{ +F21 function key +T} +key_f22 kf22 FC T{ +F22 function key +T} +key_f23 kf23 FD T{ +F23 function key +T} +key_f24 kf24 FE T{ +F24 function key +T} +key_f25 kf25 FF T{ +F25 function key +T} +key_f26 kf26 FG T{ +F26 function key +T} +key_f27 kf27 FH T{ +F27 function key +T} +key_f28 kf28 FI T{ +F28 function key +T} +key_f29 kf29 FJ T{ +F29 function key +T} +key_f3 kf3 k3 T{ +F3 function key +T} +key_f30 kf30 FK T{ +F30 function key +T} +key_f31 kf31 FL T{ +F31 function key +T} +key_f32 kf32 FM T{ +F32 function key +T} +key_f33 kf33 FN T{ +F33 function key +T} +key_f34 kf34 FO T{ +F34 function key +T} +key_f35 kf35 FP T{ +F35 function key +T} +key_f36 kf36 FQ T{ +F36 function key +T} +key_f37 kf37 FR T{ +F37 function key +T} +key_f38 kf38 FS T{ +F38 function key +T} +key_f39 kf39 FT T{ +F39 function key +T} +key_f4 kf4 k4 T{ +F4 function key +T} +key_f40 kf40 FU T{ +F40 function key +T} +key_f41 kf41 FV T{ +F41 function key +T} +key_f42 kf42 FW T{ +F42 function key +T} +key_f43 kf43 FX T{ +F43 function key +T} +key_f44 kf44 FY T{ +F44 function key +T} +key_f45 kf45 FZ T{ +F45 function key +T} +key_f46 kf46 Fa T{ +F46 function key +T} +key_f47 kf47 Fb T{ +F47 function key +T} +key_f48 kf48 Fc T{ +F48 function key +T} +key_f49 kf49 Fd T{ +F49 function key +T} +key_f5 kf5 k5 T{ +F5 function key +T} +key_f50 kf50 Fe T{ +F50 function key +T} +key_f51 kf51 Ff T{ +F51 function key +T} +key_f52 kf52 Fg T{ +F52 function key +T} +key_f53 kf53 Fh T{ +F53 function key +T} +key_f54 kf54 Fi T{ +F54 function key +T} +key_f55 kf55 Fj T{ +F55 function key +T} +key_f56 kf56 Fk T{ +F56 function key +T} +key_f57 kf57 Fl T{ +F57 function key +T} +key_f58 kf58 Fm T{ +F58 function key +T} +key_f59 kf59 Fn T{ +F59 function key +T} +key_f6 kf6 k6 T{ +F6 function key +T} +key_f60 kf60 Fo T{ +F60 function key +T} +key_f61 kf61 Fp T{ +F61 function key +T} +key_f62 kf62 Fq T{ +F62 function key +T} +key_f63 kf63 Fr T{ +F63 function key +T} +key_f7 kf7 k7 T{ +F7 function key +T} +key_f8 kf8 k8 T{ +F8 function key +T} +key_f9 kf9 k9 T{ +F9 function key +T} +key_find kfnd @0 T{ +find key +T} +key_help khlp %1 T{ +help key +T} +key_home khome kh T{ +home key +T} +key_ic kich1 kI T{ +insert-character key +T} +key_il kil1 kA T{ +insert-line key +T} +key_left kcub1 kl T{ +left-arrow key +T} +key_ll kll kH T{ +lower-left key (home down) +T} +key_mark kmrk %2 T{ +mark key +T} +key_message kmsg %3 T{ +message key +T} +key_move kmov %4 T{ +move key +T} +key_next knxt %5 T{ +next key +T} +key_npage knp kN T{ +next-page key +T} +key_open kopn %6 T{ +open key +T} +key_options kopt %7 T{ +options key +T} +key_ppage kpp kP T{ +previous-page key +T} +key_previous kprv %8 T{ +previous key +T} +key_print kprt %9 T{ +print key +T} +key_redo krdo %0 T{ +redo key +T} +key_reference kref &1 T{ +reference key +T} +key_refresh krfr &2 T{ +refresh key +T} +key_replace krpl &3 T{ +replace key +T} +key_restart krst &4 T{ +restart key +T} +key_resume kres &5 T{ +resume key +T} +key_right kcuf1 kr T{ +right-arrow key +T} +key_save ksav &6 T{ +save key +T} +key_sbeg kBEG &9 T{ +shifted begin key +T} +key_scancel kCAN &0 T{ +shifted cancel key +T} +key_scommand kCMD *1 T{ +shifted command key +T} +key_scopy kCPY *2 T{ +shifted copy key +T} +key_screate kCRT *3 T{ +shifted create key +T} +key_sdc kDC *4 T{ +shifted delete-character key +T} +key_sdl kDL *5 T{ +shifted delete-line key +T} +key_select kslt *6 T{ +select key +T} +key_send kEND *7 T{ +shifted end key +T} +key_seol kEOL *8 T{ +shifted clear-to-end-of-line key +T} +key_sexit kEXT *9 T{ +shifted exit key +T} +key_sf kind kF T{ +scroll-forward key +T} +key_sfind kFND *0 T{ +shifted find key +T} +key_shelp kHLP #1 T{ +shifted help key +T} +key_shome kHOM #2 T{ +shifted home key +T} +key_sic kIC #3 T{ +shifted insert-character key +T} +key_sleft kLFT #4 T{ +shifted left-arrow key +T} +key_smessage kMSG %a T{ +shifted message key +T} +key_smove kMOV %b T{ +shifted move key +T} +key_snext kNXT %c T{ +shifted next key +T} +key_soptions kOPT %d T{ +shifted options key +T} +key_sprevious kPRV %e T{ +shifted previous key +T} +key_sprint kPRT %f T{ +shifted print key +T} +key_sr kri kR T{ +scroll-backward key +T} +key_sredo kRDO %g T{ +shifted redo key +T} +key_sreplace kRPL %h T{ +shifted replace key +T} +key_sright kRIT %i T{ +shifted right-arrow key +T} +key_srsume kRES %j T{ +shifted resume key +T} +key_ssave kSAV !1 T{ +shifted save key +T} +key_ssuspend kSPD !2 T{ +shifted suspend key +T} +key_stab khts kT T{ +set-tab key +T} +key_sundo kUND !3 T{ +shifted undo key +T} +key_suspend kspd &7 T{ +suspend key +T} +key_undo kund &8 T{ +undo key +T} +key_up kcuu1 ku T{ +up-arrow key +T} +keypad_local rmkx ke T{ +leave 'keyboard_transmit' mode +T} +keypad_xmit smkx ks T{ +enter 'keyboard_transmit' mode +T} +lab_f0 lf0 l0 T{ +label on function key f0 if not f0 +T} +lab_f1 lf1 l1 T{ +label on function key f1 if not f1 +T} +lab_f10 lf10 la T{ +label on function key f10 if not f10 +T} +lab_f2 lf2 l2 T{ +label on function key f2 if not f2 +T} +lab_f3 lf3 l3 T{ +label on function key f3 if not f3 +T} +lab_f4 lf4 l4 T{ +label on function key f4 if not f4 +T} +lab_f5 lf5 l5 T{ +label on function key f5 if not f5 +T} +lab_f6 lf6 l6 T{ +label on function key f6 if not f6 +T} +lab_f7 lf7 l7 T{ +label on function key f7 if not f7 +T} +lab_f8 lf8 l8 T{ +label on function key f8 if not f8 +T} +lab_f9 lf9 l9 T{ +label on function key f9 if not f9 +T} +label_format fln Lf T{ +label format +T} +label_off rmln LF T{ +turn off soft labels +T} +label_on smln LO T{ +turn on soft labels +T} +meta_off rmm mo T{ +turn off meta mode +T} +meta_on smm mm T{ +turn on meta mode (8th-bit on) +T} +micro_column_address mhpa ZY T{ +Like column_address in micro mode +T} +micro_down mcud1 ZZ T{ +Like cursor_down in micro mode +T} +micro_left mcub1 Za T{ +Like cursor_left in micro mode +T} +micro_right mcuf1 Zb T{ +Like cursor_right in micro mode +T} +micro_row_address mvpa Zc T{ +Like row_address #1 in micro mode +T} +micro_up mcuu1 Zd T{ +Like cursor_up in micro mode +T} +newline nel nw T{ +newline (behave like cr followed by lf) +T} +order_of_pins porder Ze T{ +Match software bits to print-head pins +T} +orig_colors oc oc T{ +Set all color pairs to the original ones +T} +orig_pair op op T{ +Set default pair to its original value +T} +pad_char pad pc T{ +padding char (instead of null) +T} +parm_dch dch DC T{ +delete #1 characters (P*) +T} +parm_delete_line dl DL T{ +delete #1 lines (P*) +T} +parm_down_cursor cud DO T{ +down #1 lines (P*) +T} +parm_down_micro mcud Zf T{ +Like parm_down_cursor in micro mode +T} +parm_ich ich IC T{ +insert #1 characters (P*) +T} +parm_index indn SF T{ +scroll forward #1 lines (P) +T} +parm_insert_line il AL T{ +insert #1 lines (P*) +T} +parm_left_cursor cub LE T{ +move #1 characters to the left (P) +T} +parm_left_micro mcub Zg T{ +Like parm_left_cursor in micro mode +T} +parm_right_cursor cuf RI T{ +move #1 characters to the right (P*) +T} +parm_right_micro mcuf Zh T{ +Like parm_right_cursor in micro mode +T} +parm_rindex rin SR T{ +scroll back #1 lines (P) +T} +parm_up_cursor cuu UP T{ +up #1 lines (P*) +T} +parm_up_micro mcuu Zi T{ +Like parm_up_cursor in micro mode +T} +pkey_key pfkey pk T{ +program function key #1 to type string #2 +T} +pkey_local pfloc pl T{ +program function key #1 to execute string #2 +T} +pkey_xmit pfx px T{ +program function key #1 to transmit string #2 +T} +plab_norm pln pn T{ +program label #1 to show string #2 +T} +print_screen mc0 ps T{ +print contents of screen +T} +prtr_non mc5p pO T{ +turn on printer for #1 bytes +T} +prtr_off mc4 pf T{ +turn off printer +T} +prtr_on mc5 po T{ +turn on printer +T} +pulse pulse PU T{ +select pulse dialing +T} +quick_dial qdial QD T{ +dial number #1 without checking +T} +remove_clock rmclk RC T{ +remove clock +T} +repeat_char rep rp T{ +repeat char #1 #2 times (P*) +T} +req_for_input rfi RF T{ +send next input char (for ptys) +T} +reset_1string rs1 r1 T{ +reset string +T} +reset_2string rs2 r2 T{ +reset string +T} +reset_3string rs3 r3 T{ +reset string +T} +reset_file rf rf T{ +name of reset file +T} +restore_cursor rc rc T{ +restore cursor to position of last save_cursor +T} +row_address vpa cv T{ +vertical position #1 absolute (P) +T} +save_cursor sc sc T{ +save current cursor position (P) +T} +scroll_forward ind sf T{ +scroll text up (P) +T} +scroll_reverse ri sr T{ +scroll text down (P) +T} +select_char_set scs Zj T{ +Select character set, #1 +T} +set_attributes sgr sa T{ +define video attributes #1-#9 (PG9) +T} +set_background setb Sb T{ +Set background color #1 +T} +set_bottom_margin smgb Zk T{ +Set bottom margin at current line +T} +set_bottom_margin_parm smgbp Zl T{ +Set bottom margin at line #1 or (if smgtp is not given) #2 lines from bottom +T} +set_clock sclk SC T{ +set clock, #1 hrs #2 mins #3 secs +T} +set_color_pair scp sp T{ +Set current color pair to #1 +T} +set_foreground setf Sf T{ +Set foreground color #1 +T} +set_left_margin smgl ML T{ +set left soft margin at current column. (ML is not in BSD termcap). +T} +set_left_margin_parm smglp Zm T{ +Set left (right) margin at column #1 +T} +set_right_margin smgr MR T{ +set right soft margin at current column +T} +set_right_margin_parm smgrp Zn T{ +Set right margin at column #1 +T} +set_tab hts st T{ +set a tab in every row, current columns +T} +set_top_margin smgt Zo T{ +Set top margin at current line +T} +set_top_margin_parm smgtp Zp T{ +Set top (bottom) margin at row #1 +T} +set_window wind wi T{ +current window is lines #1-#2 cols #3-#4 +T} +start_bit_image sbim Zq T{ +Start printing bit image graphics +T} +start_char_set_def scsd Zr T{ +Start character set definition #1, with #2 characters in the set +T} +stop_bit_image rbim Zs T{ +Stop printing bit image graphics +T} +stop_char_set_def rcsd Zt T{ +End definition of character set #1 +T} +subscript_characters subcs Zu T{ +List of subscriptable characters +T} +superscript_characters supcs Zv T{ +List of superscriptable characters +T} +tab ht ta T{ +tab to next 8-space hardware tab stop +T} +these_cause_cr docr Zw T{ +Printing any of these characters causes CR +T} +to_status_line tsl ts T{ +move to status line, column #1 +T} +tone tone TO T{ +select touch tone dialing +T} +underline_char uc uc T{ +underline char and move past it +T} +up_half_line hu hu T{ +half a line up +T} +user0 u0 u0 T{ +User string #0 +T} +user1 u1 u1 T{ +User string #1 +T} +user2 u2 u2 T{ +User string #2 +T} +user3 u3 u3 T{ +User string #3 +T} +user4 u4 u4 T{ +User string #4 +T} +user5 u5 u5 T{ +User string #5 +T} +user6 u6 u6 T{ +User string #6 +T} +user7 u7 u7 T{ +User string #7 +T} +user8 u8 u8 T{ +User string #8 +T} +user9 u9 u9 T{ +User string #9 +T} +wait_tone wait WA T{ +wait for dial-tone +T} +xoff_character xoffc XF T{ +XOFF character +T} +xon_character xonc XN T{ +XON character +T} +zero_motion zerom Zx T{ +No motion for subsequent character +T} +.TE +.ad + +The following string capabilities are present in the SVr4.0 term structure, +but were originally not documented in the man page. + +.na +.TS H +center; +c l l c +c l l c +lw25 lw7 lw2 lw18. +\fBVariable Cap- TCap Description\fR +\fBString name Code\fR +alt_scancode_esc scesa S8 T{ +Alternate escape for scancode emulation +T} +bit_image_carriage_return bicr Yv T{ +Move to beginning of same row +T} +bit_image_newline binel Zz T{ +Move to next row of the bit image +T} +bit_image_repeat birep Xy T{ +Repeat bit image cell #1 #2 times +T} +char_set_names csnm Zy T{ +Produce #1'th item from list of character set names +T} +code_set_init csin ci T{ +Init sequence for multiple codesets +T} +color_names colornm Yw T{ +Give name for color #1 +T} +define_bit_image_region defbi Yx T{ +Define rectangular bit image region +T} +device_type devt dv T{ +Indicate language/codeset support +T} +display_pc_char dispc S1 T{ +Display PC character #1 +T} +end_bit_image_region endbi Yy T{ +End a bit-image region +T} +enter_pc_charset_mode smpch S2 T{ +Enter PC character display mode +T} +enter_scancode_mode smsc S4 T{ +Enter PC scancode mode +T} +exit_pc_charset_mode rmpch S3 T{ +Exit PC character display mode +T} +exit_scancode_mode rmsc S5 T{ +Exit PC scancode mode +T} +get_mouse getm Gm T{ +Curses should get button events, parameter #1 not documented. +T} +key_mouse kmous Km T{ +Mouse event has occurred +T} +mouse_info minfo Mi T{ +Mouse status information +T} +pc_term_options pctrm S6 T{ +PC terminal options +T} +pkey_plab pfxl xl T{ +Program function key #1 to type string #2 and show string #3 +T} +req_mouse_pos reqmp RQ T{ +Request mouse position +T} +scancode_escape scesc S7 T{ +Escape for scancode emulation +T} +set0_des_seq s0ds s0 T{ +Shift to codeset 0 (EUC set 0, ASCII) +T} +set1_des_seq s1ds s1 T{ +Shift to codeset 1 +T} +set2_des_seq s2ds s2 T{ +Shift to codeset 2 +T} +set3_des_seq s3ds s3 T{ +Shift to codeset 3 +T} +set_a_background setab AB T{ +Set background color to #1, using ANSI escape +T} +set_a_foreground setaf AF T{ +Set foreground color to #1, using ANSI escape +T} +set_color_band setcolor Yz T{ +Change to ribbon color #1 +T} +set_lr_margin smglr ML T{ +Set both left and right margins to #1, #2. (ML is not in BSD termcap). +T} +set_page_length slines YZ T{ +Set page length to #1 lines +T} +set_tb_margin smgtb MT T{ +Sets both top and bottom margins to #1, #2 +T} +.TE +.ad + +.in .8i +The XSI Curses standard added these hardcopy capabilities. +They were used in some post-4.1 versions of System V curses, +e.g., Solaris 2.5 and IRIX 6.x. +Except for \fBYI\fP, the \fBncurses\fR termcap names for them are invented. +According to the XSI Curses standard, they have no termcap names. +If your compiled terminfo entries use these, +they may not be binary-compatible with System V terminfo +entries after SVr4.1; beware! + +.na +.TS H +center; +c l l c +c l l c +lw25 lw7 lw2 lw20. +\fBVariable Cap- TCap Description\fR +\fBString name Code\fR +enter_horizontal_hl_mode ehhlm Xh T{ +Enter horizontal highlight mode +T} +enter_left_hl_mode elhlm Xl T{ +Enter left highlight mode +T} +enter_low_hl_mode elohlm Xo T{ +Enter low highlight mode +T} +enter_right_hl_mode erhlm Xr T{ +Enter right highlight mode +T} +enter_top_hl_mode ethlm Xt T{ +Enter top highlight mode +T} +enter_vertical_hl_mode evhlm Xv T{ +Enter vertical highlight mode +T} +set_a_attributes sgr1 sA T{ +Define second set of video attributes #1-#6 +T} +set_pglen_inch slength YI T{ +Set page length to #1 hundredth of an inch (some implementations use sL for termcap). +T} +.TE +.ad +.\"*************************************************************************** +.\" Copyright 2018-2022,2023 Thomas E. Dickey * +.\" Copyright 1998-2016,2017 Free Software Foundation, Inc. * +.\" * +.\" Permission is hereby granted, free of charge, to any person obtaining a * +.\" copy of this software and associated documentation files (the * +.\" "Software"), to deal in the Software without restriction, including * +.\" without limitation the rights to use, copy, modify, merge, publish, * +.\" distribute, distribute with modifications, sublicense, and/or sell * +.\" copies of the Software, and to permit persons to whom the Software is * +.\" furnished to do so, subject to the following conditions: * +.\" * +.\" The above copyright notice and this permission notice shall be included * +.\" in all copies or substantial portions of the Software. * +.\" * +.\" THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS * +.\" OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF * +.\" MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. * +.\" IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, * +.\" DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR * +.\" OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR * +.\" THE USE OR OTHER DEALINGS IN THE SOFTWARE. * +.\" * +.\" Except as contained in this notice, the name(s) of the above copyright * +.\" holders shall not be used in advertising or otherwise to promote the * +.\" sale, use or other dealings in this Software without prior written * +.\" authorization. * +.\"*************************************************************************** +.\" +.\" $Id: terminfo.5,v 1.3 2024/08/23 15:10:40 nicm Exp $ +.ps +1 +.SS User-Defined Capabilities +. +The preceding section listed the \fIpredefined\fP capabilities. +They deal with some special features for terminals no longer +(or possibly never) produced. +Occasionally there are special features of newer terminals which +are awkward or impossible to represent by reusing the predefined +capabilities. +.PP +\fBncurses\fP addresses this limitation by allowing user-defined capabilities. +The \fBtic\fP and \fBinfocmp\fP programs provide +the \fB\-x\fP option for this purpose. +When \fB\-x\fP is set, +\fBtic\fP treats unknown capabilities as user-defined. +That is, if \fBtic\fP encounters a capability name +which it does not recognize, +it infers its type (boolean, number or string) from the syntax +and makes an extended table entry for that capability. +The \fBuse_extended_names\fP(3) function makes this information +conditionally available to applications. +The ncurses library provides the data leaving most of the behavior +to applications: +.bP +User-defined capability strings whose name begins +with \*(``k\*('' are treated as function keys. +.bP +The types (boolean, number, string) determined by \fBtic\fP +can be inferred by successful calls on \fBtigetflag\fP, etc. +.bP +If the capability name happens to be two characters, +the capability is also available through the termcap interface. +.PP +While termcap is said to be extensible because it does not use a predefined set +of capabilities, +in practice it has been limited to the capabilities defined by +terminfo implementations. +As a rule, +user-defined capabilities intended for use by termcap applications should +be limited to booleans and numbers to avoid running past the 1023 byte +limit assumed by termcap implementations and their applications. +In particular, providing extended sets of function keys (past the 60 +numbered keys and the handful of special named keys) is best done using +the longer names available using terminfo. +.PP +The ncurses library uses a few of these user-defined capabilities, +as described in \fBuser_caps\fR(5). +Other user-defined capabilities (including function keys) are +described in the terminal database, in the section on +.I "NCURSES USER-DEFINABLE CAPABILITIES" +. +.SS A Sample Entry +. +The following entry, describing an ANSI-standard terminal, is representative +of what a \fBterminfo\fP entry for a modern terminal typically looks like. +.PP +.nf +.ft CW +\s-2ansi|ansi/pc-term compatible with color, + am, mc5i, mir, msgr, + colors#8, cols#80, it#8, lines#24, ncv#3, pairs#64, + acsc=+\\020\\,\\021-\\030.^Y0\\333`\\004a\\261f\\370g\\361h\\260 + j\\331k\\277l\\332m\\300n\\305o~p\\304q\\304r\\304s_t\\303 + u\\264v\\301w\\302x\\263y\\363z\\362{\\343|\\330}\\234~\\376, + bel=^G, blink=\\E[5m, bold=\\E[1m, cbt=\\E[Z, clear=\\E[H\\E[J, + cr=^M, cub=\\E[%p1%dD, cub1=\\E[D, cud=\\E[%p1%dB, cud1=\\E[B, + cuf=\\E[%p1%dC, cuf1=\\E[C, cup=\\E[%i%p1%d;%p2%dH, + cuu=\\E[%p1%dA, cuu1=\\E[A, dch=\\E[%p1%dP, dch1=\\E[P, + dl=\\E[%p1%dM, dl1=\\E[M, ech=\\E[%p1%dX, ed=\\E[J, el=\\E[K, + el1=\\E[1K, home=\\E[H, hpa=\\E[%i%p1%dG, ht=\\E[I, hts=\\EH, + ich=\\E[%p1%d@, il=\\E[%p1%dL, il1=\\E[L, ind=^J, + indn=\\E[%p1%dS, invis=\\E[8m, kbs=^H, kcbt=\\E[Z, kcub1=\\E[D, + kcud1=\\E[B, kcuf1=\\E[C, kcuu1=\\E[A, khome=\\E[H, kich1=\\E[L, + mc4=\\E[4i, mc5=\\E[5i, nel=\\r\\E[S, op=\\E[39;49m, + rep=%p1%c\\E[%p2%{1}%-%db, rev=\\E[7m, rin=\\E[%p1%dT, + rmacs=\\E[10m, rmpch=\\E[10m, rmso=\\E[m, rmul=\\E[m, + s0ds=\\E(B, s1ds=\\E)B, s2ds=\\E*B, s3ds=\\E+B, + setab=\\E[4%p1%dm, setaf=\\E[3%p1%dm, + sgr=\\E[0;10%?%p1%t;7%; + %?%p2%t;4%; + %?%p3%t;7%; + %?%p4%t;5%; + %?%p6%t;1%; + %?%p7%t;8%; + %?%p9%t;11%;m, + sgr0=\\E[0;10m, smacs=\\E[11m, smpch=\\E[11m, smso=\\E[7m, + smul=\\E[4m, tbc=\\E[3g, u6=\\E[%i%d;%dR, u7=\\E[6n, + u8=\\E[?%[;0123456789]c, u9=\\E[c, vpa=\\E[%i%p1%dd, +.fi +.ft R +.PP +Entries may continue onto multiple lines by placing white space at +the beginning of each line except the first. +Comments may be included on lines beginning with \*(``#\*(''. +Capabilities in +.I terminfo +are of three types: +.bP +Boolean capabilities which indicate that the terminal has +some particular feature, +.bP +numeric capabilities giving the size of the terminal +or the size of particular delays, and +.bP +string +capabilities, which give a sequence which can be used to perform particular +terminal operations. +.SS Types of Capabilities +All capabilities have names. +For instance, the fact that +ANSI-standard terminals have +.I "automatic margins" +(i.e., an automatic return and line-feed +when the end of a line is reached) is indicated by the capability \fBam\fP. +Hence the description of ansi includes \fBam\fP. +Numeric capabilities are followed by the character \*(``#\*('' +and then a positive value. +Thus \fBcols\fP, which indicates the number of columns the terminal has, +gives the value \*(``80\*('' for ansi. +Values for numeric capabilities may be specified in +decimal, +octal, or +hexadecimal, +using the C programming language conventions +(e.g., 255, 0377 and 0xff or 0xFF). +.PP +Finally, string valued capabilities, +such as \fBel\fP (clear to end of line sequence) +are given by the two-character code, +an \*(``=\*('', and then +a string ending at the next following \*(``,\*(''. +.PP +A number of escape sequences are provided in the string valued capabilities +for easy encoding of characters there: +.bP +Both \fB\eE\fP and \fB\ee\fP +map to an \s-1ESCAPE\s0 character, +.bP +\fB^x\fP maps to a control-x for any appropriate \fIx\fP, and +.bP +the sequences +.RS 6 +.PP +\fB\en\fP, \fB\el\fP, \fB\er\fP, \fB\et\fP, \fB\eb\fP, \fB\ef\fP, and \fB\es\fP +.RE +.IP +produce +.RS 6 +.PP +\fInewline\fP, \fIline-feed\fP, \fIreturn\fP, \fItab\fP, \fIbackspace\fP, \fIform-feed\fP, and \fIspace\fP, +.RE +.IP +respectively. +.PP +X/Open Curses does not say what \*(``appropriate \fIx\fP\*('' might be. +In practice, that is a printable ASCII graphic character. +The special case \*(``^?\*('' is interpreted as DEL (127). +In all other cases, the character value is AND'd with 0x1f, +mapping to ASCII control codes in the range 0 through 31. +.PP +Other escapes include +.bP +\fB\e^\fP for \fB^\fP, +.bP +\fB\e\e\fP for \fB\e\fP, +.bP +\fB\e\fP, for comma, +.bP +\fB\e:\fP for \fB:\fP, +.bP +and \fB\e0\fP for null. +.IP +\fB\e0\fP will produce \e200, which does not terminate a string but behaves +as a null character on most terminals, providing CS7 is specified. +See \fBstty\fP(1). +.IP +The reason for this quirk is to maintain binary compatibility of the +compiled terminfo files with other implementations, +e.g., the SVr4 systems, which document this. +Compiled terminfo files use null-terminated strings, with no lengths. +Modifying this would require a new binary format, +which would not work with other implementations. +.PP +Finally, characters may be given as three octal digits after a \fB\e\fP. +.PP +A delay in milliseconds may appear anywhere in a string capability, enclosed in +$<..> brackets, as in \fBel\fP=\eEK$<5>, +and padding characters are supplied by \fBtputs\fP(3) +to provide this delay. +.bP +The delay must be a number with at most one decimal +place of precision; +it may be followed by suffixes \*(``*\*('' or \*(``/\*('' or both. +.bP +A \*(``*\*('' +indicates that the padding required is proportional to the number of lines +affected by the operation, and the amount given is the per-affected-unit +padding required. +(In the case of insert character, the factor is still the +number of \fIlines\fP affected.) +.IP +Normally, padding is advisory if the device has the \fBxon\fP +capability; it is used for cost computation but does not trigger delays. +.bP +A \*(``/\*('' +suffix indicates that the padding is mandatory and forces a delay of the given +number of milliseconds even on devices for which \fBxon\fP is present to +indicate flow control. +.PP +Sometimes individual capabilities must be commented out. +To do this, put a period before the capability name. +For example, see the second +.B ind +in the example above. +.br +.ne 5 +.SS Fetching Compiled Descriptions +The \fBncurses\fP library searches for terminal descriptions in several places. +It uses only the first description found. +The library has a compiled-in list of places to search +which can be overridden by environment variables. +Before starting to search, +\fBncurses\fP eliminates duplicates in its search list. +.bP +If the environment variable TERMINFO is set, it is interpreted as the pathname +of a directory containing the compiled description you are working on. +Only that directory is searched. +.bP +If TERMINFO is not set, +\fBncurses\fP will instead look in the directory \fB$HOME/.terminfo\fP +for a compiled description. +.bP +Next, if the environment variable TERMINFO_DIRS is set, +\fBncurses\fP will interpret the contents of that variable +as a list of colon-separated directories (or database files) to be searched. +.IP +An empty directory name (i.e., if the variable begins or ends +with a colon, or contains adjacent colons) +is interpreted as the system location \fI\*d\fP. +.bP +Finally, \fBncurses\fP searches these compiled-in locations: +.RS +.bP +a list of directories (?), and +.bP +the system terminfo directory, \fI\*d\fP (the compiled-in default). +.RE +.SS Preparing Descriptions +We now outline how to prepare descriptions of terminals. +The most effective way to prepare a terminal description is by imitating +the description of a similar terminal in +.I terminfo +and to build up a description gradually, using partial descriptions +with +.I vi +or some other screen-oriented program to check that they are correct. +Be aware that a very unusual terminal may expose deficiencies in +the ability of the +.I terminfo +file to describe it +or bugs in the screen-handling code of the test program. +.PP +To get the padding for insert line right (if the terminal manufacturer +did not document it) a severe test is to edit a large file at 9600 baud, +delete 16 or so lines from the middle of the screen, then hit the \*(``u\*('' +key several times quickly. +If the terminal messes up, more padding is usually needed. +A similar test can be used for insert character. +.SS Basic Capabilities +The number of columns on each line for the terminal is given by the +\fBcols\fP numeric capability. +If the terminal is a \s-1CRT\s0, then the +number of lines on the screen is given by the \fBlines\fP capability. +If the terminal wraps around to the beginning of the next line when +it reaches the right margin, then it should have the \fBam\fP capability. +If the terminal can clear its screen, leaving the cursor in the home +position, then this is given by the \fBclear\fP string capability. +If the terminal overstrikes +(rather than clearing a position when a character is struck over) +then it should have the \fBos\fP capability. +If the terminal is a printing terminal, with no soft copy unit, +give it both +.B hc +and +.BR os . +.RB ( os +applies to storage scope terminals, such as \s-1TEKTRONIX\s+1 4010 +series, as well as hard copy and APL terminals.) +If there is a code to move the cursor to the left edge of the current +row, give this as +.BR cr . +(Normally this will be carriage return, control/M.) +If there is a code to produce an audible signal (bell, beep, etc) +give this as +.BR bel . +.PP +If there is a code to move the cursor one position to the left +(such as backspace) that capability should be given as +.BR cub1 . +Similarly, codes to move to the right, up, and down should be +given as +.BR cuf1 , +.BR cuu1 , +and +.BR cud1 . +These local cursor motions should not alter the text they pass over, +for example, you would not normally use \*(``\fBcuf1\fP=\ \*('' because the +space would erase the character moved over. +.PP +A very important point here is that the local cursor motions encoded +in +.I terminfo +are undefined at the left and top edges of a \s-1CRT\s0 terminal. +Programs should never attempt to backspace around the left edge, +unless +.B bw +is given, +and never attempt to go up locally off the top. +In order to scroll text up, a program will go to the bottom left corner +of the screen and send the +.B ind +(index) string. +.PP +To scroll text down, a program goes to the top left corner +of the screen and sends the +.B ri +(reverse index) string. +The strings +.B ind +and +.B ri +are undefined when not on their respective corners of the screen. +.PP +Parameterized versions of the scrolling sequences are +.B indn +and +.B rin +which have the same semantics as +.B ind +and +.B ri +except that they take one parameter, and scroll that many lines. +They are also undefined except at the appropriate edge of the screen. +.PP +The \fBam\fP capability tells whether the cursor sticks at the right +edge of the screen when text is output, but this does not necessarily +apply to a +.B cuf1 +from the last column. +The only local motion which is defined from the left edge is if +.B bw +is given, then a +.B cub1 +from the left edge will move to the right edge of the previous row. +If +.B bw +is not given, the effect is undefined. +This is useful for drawing a box around the edge of the screen, for example. +If the terminal has switch selectable automatic margins, +the +.I terminfo +file usually assumes that this is on; i.e., \fBam\fP. +If the terminal has a command which moves to the first column of the next +line, that command can be given as +.B nel +(newline). +It does not matter if the command clears the remainder of the current line, +so if the terminal has no +.B cr +and +.B lf +it may still be possible to craft a working +.B nel +out of one or both of them. +.PP +These capabilities suffice to describe +hard-copy and \*(``glass-tty\*('' terminals. +Thus the model 33 teletype is described as +.PP +.DT +.nf +.ft CW +.\".in -2 +\s-133\||\|tty33\||\|tty\||\|model 33 teletype, + bel=^G, cols#72, cr=^M, cud1=^J, hc, ind=^J, os,\s+1 +.\".in +2 +.ft R +.fi +.PP +while the Lear Siegler \s-1ADM-3\s0 is described as +.PP +.DT +.nf +.ft CW +.\".in -2 +\s-1adm3\||\|3\||\|lsi adm3, + am, bel=^G, clear=^Z, cols#80, cr=^M, cub1=^H, cud1=^J, + ind=^J, lines#24,\s+1 +.\".in +2 +.ft R +.fi +.SS Parameterized Strings +Cursor addressing and other strings requiring parameters +in the terminal are described by a +parameterized string capability, +with \fIprintf\fP-like escapes such as \fI%x\fP in it. +For example, to address the cursor, the +.B cup +capability is given, using two parameters: +the row and column to address to. +(Rows and columns are numbered from zero and refer to the +physical screen visible to the user, not to any unseen memory.) +If the terminal has memory relative cursor addressing, +that can be indicated by +.BR mrcup . +.PP +The parameter mechanism uses a stack and special \fB%\fP codes +to manipulate it. +Typically a sequence will push one of the +parameters onto the stack and then print it in some format. +Print (e.g., \*(``%d\*('') is a special case. +Other operations, including \*(``%t\*('' pop their operand from the stack. +It is noted that more complex operations are often necessary, +e.g., in the \fBsgr\fP string. +.PP +The \fB%\fP encodings have the following meanings: +.TP 5 +\fB%%\fP +outputs \*(``%\*('' +.TP +\fB%\fI[[\fR:\fI]flags][width[.precision]][\fBdoxXs\fI]\fR +as in \fBprintf\fP(3), flags are \fI[\-+#]\fP and \fIspace\fP. +Use a \*(``:\*('' to allow the next character to be a \*(``\-\*('' flag, +avoiding interpreting \*(``%\-\*('' as an operator. +.TP +\f(CW%c\fP +print \fIpop()\fP like %c in \fBprintf\fP +.TP +\fB%s\fP +print \fIpop()\fP like %s in \fBprintf\fP +.TP +\fB%p\fI[1\-9]\fR +push \fIi\fP'th parameter +.TP +\fB%P\fI[a\-z]\fR +set dynamic variable \fI[a\-z]\fP to \fIpop()\fP +.TP +\fB%g\fI[a\-z]\fR +get dynamic variable \fI[a\-z]\fP and push it +.TP +\fB%P\fI[A\-Z]\fR +set static variable \fI[a\-z]\fP to \fIpop()\fP +.TP +\fB%g\fI[A\-Z]\fR +get static variable \fI[a\-z]\fP and push it +.IP +The terms \*(``static\*('' and \*(``dynamic\*('' are misleading. +Historically, these are simply two different sets of variables, +whose values are not reset between calls to \fBtparm\fP(3). +However, that fact is not documented in other implementations. +Relying on it will adversely impact portability to other implementations: +.RS +.bP +SVr2 curses supported \fIdynamic\fP variables. +Those are set only by a \fB%P\fP operator. +A \fB%g\fP for a given variable without first setting it with \fB%P\fP +will give unpredictable results, because dynamic variables are +an uninitialized local array on the stack in the \fBtparm\fP function. +.bP +SVr3.2 curses supported \fIstatic\fP variables. +Those are an array in the \fBTERMINAL\fP +structure (declared in \fBterm.h\fP), +and are zeroed automatically when the \fBsetupterm\fP function +allocates the data. +.bP +SVr4 curses made no further improvements +to the \fIdynamic/static\fP variable feature. +.bP +Solaris XPG4 curses does not distinguish between \fIdynamic\fP and +\fIstatic\fP variables. +They are the same. +Like SVr4 curses, XPG4 curses does not initialize these explicitly. +.bP +Before version 6.3, ncurses stores both \fIdynamic\fP and \fIstatic\fP +variables in persistent storage, initialized to zeros. +.bP +Beginning with version 6.3, ncurses stores \fIstatic\fP and \fIdynamic\fP +variables in the same manner as SVr4. +.RS +.bP +Unlike other implementations, ncurses zeros dynamic variables +before the first \fB%g\fP or \fB%P\fP operator. +.bP +Like SVr2, +the scope of dynamic variables in ncurses +is within the current call to +\fBtparm\fP. +Use static variables if persistent storage is needed. +.RE +.RE +.TP +\fB%\(aq\fIc\fB\(aq\fR +char constant \fIc\fP +.TP +\fB%{\fInn\fB}\fR +integer constant \fInn\fP +.TP +\fB%l\fP +push strlen(pop) +.TP +\fB%+\fP, \fB%\-\fP, \fB%*\fP, \fB%/\fP, \fB%m\fP +arithmetic (%m is \fImod\fP): \fIpush(pop() op pop())\fP +.TP +\fB%&\fP, \fB%|\fP, \fB%^\fP +bit operations (AND, OR and exclusive-OR): \fIpush(pop() op pop())\fP +.TP +\fB%=\fP, \fB%>\fP, \fB%<\fP +logical operations: \fIpush(pop() op pop())\fP +.TP +\fB%A\fP, \fB%O\fP +logical AND and OR operations (for conditionals) +.TP +\fB%!\fP, \fB%~\fP +unary operations (logical and bit complement): \fIpush(op pop())\fP +.TP +\fB%i\fP +add 1 to first two parameters (for ANSI terminals) +.TP +\fB%?\fP \fIexpr\fP \fB%t\fP \fIthenpart\fP \fB%e\fP \fIelsepart\fP \fB%;\fP +This forms an if-then-else. +The \fB%e\fP \fIelsepart\fP is optional. +Usually the \fB%?\fP \fIexpr\fP part pushes a value onto the stack, +and \fB%t\fP pops it from the stack, testing if it is nonzero (true). +If it is zero (false), control passes to the \fB%e\fP (else) part. +.IP +It is possible to form else-if's a la Algol 68: +.RS +\fB%?\fP c\d1\u \fB%t\fP b\d1\u \fB%e\fP c\d2\u \fB%t\fP b\d2\u \fB%e\fP c\d3\u \fB%t\fP b\d3\u \fB%e\fP c\d4\u \fB%t\fP b\d4\u \fB%e\fP \fB%;\fP +.RE +.IP +where c\di\u are conditions, b\di\u are bodies. +.IP +Use the \fB\-f\fP option of \fBtic\fP or \fBinfocmp\fP to see +the structure of if-then-else's. +Some strings, e.g., \fBsgr\fP can be very complicated when written +on one line. +The \fB\-f\fP option splits the string into lines with the parts indented. +.PP +Binary operations are in postfix form with the operands in the usual order. +That is, to get x\-5 one would use \*(``%gx%{5}%\-\*(''. +\fB%P\fP and \fB%g\fP variables are +persistent across escape-string evaluations. +.PP +Consider the HP2645, which, to get to row 3 and column 12, needs +to be sent \eE&a12c03Y padded for 6 milliseconds. +The order of the rows and columns is inverted here, +and the row and column are printed as two digits. +The corresponding terminal description is expressed thus: +.RS +cup=\eE&a%p2%dc%p1%dY$<6>, +.RE +.PP +The Microterm \s-1ACT-IV\s0 needs the current row and column sent +preceded by a \fB^T\fP, with the row and column simply encoded in binary, +.RS +cup=^T%p1%c%p2%c +.RE +.PP +Terminals which use \*(``%c\*('' need to be able to +backspace the cursor (\fBcub1\fP), +and to move the cursor up one line on the screen (\fBcuu1\fP). +This is necessary because it is not always safe to transmit \fB\en\fP +\fB^D\fP and \fB\er\fP, as the system may change or discard them. +(The library routines dealing with terminfo set tty modes so that +tabs are never expanded, so \et is safe to send. +This turns out to be essential for the Ann Arbor 4080.) +.PP +A final example is the \s-1LSI ADM\s0-3a, which uses row and column +offset by a blank character, thus +.RS +cup=\eE=%p1%\(aq \(aq%+%c%p2%\(aq \(aq%+%c +.RE +.PP +After sending \*(``\eE=\*('', this pushes the first parameter, pushes the +ASCII value for a space (32), adds them (pushing the sum on the stack +in place of the two previous values) and outputs that value as a character. +Then the same is done for the second parameter. +More complex arithmetic is possible using the stack. +.SS Cursor Motions +If the terminal has a fast way to home the cursor +(to very upper left corner of screen) then this can be given as +\fBhome\fP; similarly a fast way of getting to the lower left-hand corner +can be given as \fBll\fP; this may involve going up with \fBcuu1\fP +from the home position, +but a program should never do this itself (unless \fBll\fP does) because it +can make no assumption about the effect of moving up from the home position. +Note that the home position is the same as addressing to (0,0): +to the top left corner of the screen, not of memory. +(Thus, the \eEH sequence on HP terminals cannot be used for +.BR home .) +.PP +If the terminal has row or column absolute cursor addressing, +these can be given as single parameter capabilities +.B hpa +(horizontal position absolute) +and +.B vpa +(vertical position absolute). +Sometimes these are shorter than the more general two parameter +sequence (as with the hp2645) and can be used in preference to +.BR cup . +If there are parameterized local motions (e.g., move +.I n +spaces to the right) these can be given as +.BR cud , +.BR cub , +.BR cuf , +and +.B cuu +with a single parameter indicating how many spaces to move. +These are primarily useful if the terminal does not have +.BR cup , +such as the \s-1TEKTRONIX\s+1 4025. +.PP +If the terminal needs to be in a special mode when running +a program that uses these capabilities, +the codes to enter and exit this mode can be given +as \fBsmcup\fP and \fBrmcup\fP. +This arises, for example, from terminals like the Concept with more than +one page of memory. +If the terminal has only memory relative cursor addressing and not screen +relative cursor addressing, a one screen-sized window must be fixed into +the terminal for cursor addressing to work properly. +This is also used for the \s-1TEKTRONIX\s+1 4025, +where +.B smcup +sets the command character to be the one used by terminfo. +If the \fBsmcup\fP sequence will not restore the screen after an +\fBrmcup\fP sequence is output (to the state prior to outputting +\fBrmcup\fP), specify \fBnrrmc\fP. +.SS Margins +SVr4 (and X/Open Curses) +list several string capabilities for setting margins. +Two were intended for use with terminals, +and another six were intended for use with printers. +.bP +The two terminal capabilities assume that the terminal may have +the capability of setting the left and/or right margin at the current +cursor column position. +.bP +The printer capabilities assume that the printer may have +two types of capability: +.RS +.bP +the ability to set a top and/or bottom margin using the current +line position, and +.bP +parameterized capabilities for setting the top, bottom, left, right margins +given the number of rows or columns. +.RE +.PP +In practice, the categorization into \*(``terminal\*('' and \*(``printer\*('' +is not suitable: +.bP +The AT&T SVr4 terminal database uses \fBsmgl\fP four times, +for AT&T hardware. +.IP +Three of the four are printers. +They lack the ability to set left/right margins by specifying the column. +.bP +Other (non-AT&T) terminals may support margins +but using different assumptions from AT&T. +.IP +For instance, the DEC VT420 supports left/right margins, +but only using a column parameter. +As an added complication, the VT420 uses two settings to fully enable +left/right margins (left/right margin mode, and origin mode). +The former enables the margins, which causes printed text +to wrap within margins, but the latter is needed to prevent +cursor-addressing outside those margins. +.bP +Both DEC VT420 left/right margins are set with a single control sequence. +If either is omitted, the corresponding margin is set to the left or +right edge of the display (rather than leaving the margin unmodified). +.PP +These are the margin-related capabilities: +.TS +center; +l l +_ _ +lw8 l. +\fBName Description\fP +smgl Set left margin at current column +smgr Set right margin at current column +smgb Set bottom margin at current line +smgt Set top margin at current line +smgbp Set bottom margin at line \fIN\fP +smglp Set left margin at column \fIN\fP +smgrp Set right margin at column \fIN\fP +smgtp Set top margin at line \fIN\fP +smglr Set both left and right margins to \fIL\fP and \fIR\fP +smgtb Set both top and bottom margins to \fIT\fP and \fIB\fP +.TE +.PP +When writing an application that +uses these string capabilities, +the pairs should be first checked to see +if each capability in the pair is set or only one is set: +.bP +If both \fBsmglp\fP and \fBsmgrp\fP are set, +each is used with a single argument, \fIN\fP, +that gives the column number of the left and right margin, respectively. +.bP +If both \fBsmgtp\fP and \fBsmgbp\fP are set, +each is used to set the top and bottom margin, +respectively: +.RS 4 +.bP +\fBsmgtp\fP is used with a single argument, \fIN\fP, +the line number of the top margin. +.bP +\fBsmgbp\fP is used with two arguments, \fIN\fP and \fIM\fP, +that give the line number of the bottom margin, +the first counting from the top of the +page and the second counting from the bottom. +This accommodates the two styles of specifying +the bottom margin in different manufacturers' printers. +.RE +.IP +When designing a terminfo entry for a +printer that has a settable bottom margin, +only the first or second argument should be used, depending on the printer. +When developing an application that uses \fBsmgbp\fP to set the bottom margin, +both arguments must be given. +.PP +Conversely, when only one capability in the pair is set: +.bP +If only one of \fBsmglp\fP and \fBsmgrp\fP is set, +then it is used with two arguments, +the column number of the left and right margins, in that order. +.bP +Likewise, if only one of \fBsmgtp\fP and \fBsmgbp\fP is set, then it +is used with two arguments that give the top and bottom margins, +in that order, counting from the top of the page. +.IP +When designing a terminfo entry for a printer that requires setting both +left and right or top and bottom margins simultaneously, +only one capability in the pairs +\fBsmglp\fP and \fBsmgrp\fP or +\fBsmgtp\fP and \fBsmgbp\fP should be defined, +leaving the other unset. +.PP +Except for very old terminal descriptions, e.g., those developed for SVr4, +the scheme just described should be considered obsolete. +An improved set of capabilities was added late in the SVr4 releases +(\fBsmglr\fP and \fBsmgtb\fP), +which explicitly use two parameters for setting the left/right or top/bottom +margins. +.PP +When setting margins, the line- and column-values are zero-based. +.PP +The \fBmgc\fP string capability should be defined. +Applications such as \fBtabs\fP(1) rely upon this to reset all margins. +.\" +.SS Area Clears +If the terminal can clear from the current position to the end of the +line, leaving the cursor where it is, this should be given as \fBel\fP. +If the terminal can clear from the beginning of the line to the current +position inclusive, leaving +the cursor where it is, this should be given as \fBel1\fP. +If the terminal can clear from the current position to the end of the +display, then this should be given as \fBed\fP. +\fBEd\fP is only defined from the first column of a line. +(Thus, it can be simulated by a request to delete a large number of lines, +if a true +.B ed +is not available.) +.\" +.SS Insert/delete line and vertical motions +If the terminal can open a new blank line before the line where the cursor +is, this should be given as \fBil1\fP; this is done only from the first +position of a line. +The cursor must then appear on the newly blank line. +If the terminal can delete the line which the cursor is on, then this +should be given as \fBdl1\fP; this is done only from the first position on +the line to be deleted. +Versions of +.B il1 +and +.B dl1 +which take a single parameter and insert or delete that many lines can +be given as +.B il +and +.BR dl . +.PP +If the terminal has a settable scrolling region (like the vt100) +the command to set this can be described with the +.B csr +capability, which takes two parameters: +the top and bottom lines of the scrolling region. +The cursor position is, alas, undefined after using this command. +.PP +It is possible to get the effect of insert or delete line using +.B csr +on a properly chosen region; the +.B sc +and +.B rc +(save and restore cursor) commands may be useful for ensuring that +your synthesized insert/delete string does not move the cursor. +(Note that the \fBncurses\fP(3) library does this synthesis +automatically, so you need not compose insert/delete strings for +an entry with \fBcsr\fP). +.PP +Yet another way to construct insert and delete might be to use a combination of +index with the memory-lock feature found on some terminals (like the HP\-700/90 +series, which however also has insert/delete). +.PP +Inserting lines at the top or bottom of the screen can also be +done using +.B ri +or +.B ind +on many terminals without a true insert/delete line, +and is often faster even on terminals with those features. +.PP +The boolean \fBnon_dest_scroll_region\fP should be set if each scrolling +window is effectively a view port on a screen-sized canvas. +To test for +this capability, create a scrolling region in the middle of the screen, +write something to the bottom line, move the cursor to the top of the region, +and do \fBri\fP followed by \fBdl1\fP or \fBind\fP. +If the data scrolled +off the bottom of the region by the \fBri\fP re-appears, then scrolling +is non-destructive. +System V and XSI Curses expect that \fBind\fP, \fBri\fP, +\fBindn\fP, and \fBrin\fP will simulate destructive scrolling; their +documentation cautions you not to define \fBcsr\fP unless this is true. +This \fBcurses\fP implementation is more liberal and will do explicit erases +after scrolling if \fBndsrc\fP is defined. +.PP +If the terminal has the ability to define a window as part of +memory, which all commands affect, +it should be given as the parameterized string +.BR wind . +The four parameters are the starting and ending lines in memory +and the starting and ending columns in memory, in that order. +.PP +If the terminal can retain display memory above, then the +\fBda\fP capability should be given; if display memory can be retained +below, then \fBdb\fP should be given. +These indicate +that deleting a line or scrolling may bring non-blank lines up from below +or that scrolling back with \fBri\fP may bring down non-blank lines. +.SS Insert/Delete Character +There are two basic kinds of intelligent terminals with respect to +insert/delete character which can be described using +.I terminfo. +The most common insert/delete character operations affect only the characters +on the current line and shift characters off the end of the line rigidly. +Other terminals, such as the Concept 100 and the Perkin Elmer Owl, make +a distinction between typed and untyped blanks on the screen, shifting +upon an insert or delete only to an untyped blank on the screen which is +either eliminated, or expanded to two untyped blanks. +.PP +You can determine the +kind of terminal you have by clearing the screen and then typing +text separated by cursor motions. +Type \*(``abc\ \ \ \ def\*('' using local +cursor motions (not spaces) between the \*(``abc\*('' and the \*(``def\*(''. +Then position the cursor before the \*(``abc\*('' and put the terminal in insert +mode. +If typing characters causes the rest of the line to shift +rigidly and characters to fall off the end, then your terminal does +not distinguish between blanks and untyped positions. +If the \*(``abc\*('' +shifts over to the \*(``def\*('' which then move together around the end of the +current line and onto the next as you insert, you have the second type of +terminal, and should give the capability \fBin\fP, which stands for +\*(``insert null\*(''. +.PP +While these are two logically separate attributes (one line versus multi-line +insert mode, and special treatment of untyped spaces) we have seen no +terminals whose insert mode cannot be described with the single attribute. +.PP +Terminfo can describe both terminals which have an insert mode, and terminals +which send a simple sequence to open a blank position on the current line. +Give as \fBsmir\fP the sequence to get into insert mode. +Give as \fBrmir\fP the sequence to leave insert mode. +Now give as \fBich1\fP any sequence needed to be sent just before sending +the character to be inserted. +Most terminals with a true insert mode +will not give \fBich1\fP; terminals which send a sequence to open a screen +position should give it here. +.PP +If your terminal has both, insert mode is usually preferable to \fBich1\fP. +Technically, you should not give both unless the terminal actually requires +both to be used in combination. +Accordingly, some non-curses applications get +confused if both are present; the symptom is doubled characters in an update +using insert. +This requirement is now rare; most \fBich\fP sequences do not +require previous smir, and most smir insert modes do not require \fBich1\fP +before each character. +Therefore, the new \fBcurses\fP actually assumes this +is the case and uses either \fBrmir\fP/\fBsmir\fP or \fBich\fP/\fBich1\fP as +appropriate (but not both). +If you have to write an entry to be used under +new curses for a terminal old enough to need both, include the +\fBrmir\fP/\fBsmir\fP sequences in \fBich1\fP. +.PP +If post insert padding is needed, give this as a number of milliseconds +in \fBip\fP (a string option). +Any other sequence which may need to be +sent after an insert of a single character may also be given in \fBip\fP. +If your terminal needs both to be placed into an \*(``insert mode\*('' and +a special code to precede each inserted character, then both +.BR smir / rmir +and +.B ich1 +can be given, and both will be used. +The +.B ich +capability, with one parameter, +.IR n , +will repeat the effects of +.B ich1 +.I n +times. +.PP +If padding is necessary between characters typed while not +in insert mode, give this as a number of milliseconds padding in \fBrmp\fP. +.PP +It is occasionally necessary to move around while in insert mode +to delete characters on the same line (e.g., if there is a tab after +the insertion position). +If your terminal allows motion while in +insert mode you can give the capability \fBmir\fP to speed up inserting +in this case. +Omitting \fBmir\fP will affect only speed. +Some terminals +(notably Datamedia's) must not have \fBmir\fP because of the way their +insert mode works. +.PP +Finally, you can specify +.B dch1 +to delete a single character, +.B dch +with one parameter, +.IR n , +to delete +.I n characters, +and delete mode by giving \fBsmdc\fP and \fBrmdc\fP +to enter and exit delete mode (any mode the terminal needs to be placed +in for +.B dch1 +to work). +.PP +A command to erase +.I n +characters (equivalent to outputting +.I n +blanks without moving the cursor) +can be given as +.B ech +with one parameter. +.SS "Highlighting, Underlining, and Visible Bells" +If your terminal has one or more kinds of display attributes, +these can be represented in a number of different ways. +You should choose one display form as +\f2standout mode\fP, +representing a good, high contrast, easy-on-the-eyes, +format for highlighting error messages and other attention getters. +(If you have a choice, reverse video plus half-bright is good, +or reverse video alone.) +The sequences to enter and exit standout mode +are given as \fBsmso\fP and \fBrmso\fP, respectively. +If the code to change into or out of standout +mode leaves one or even two blank spaces on the screen, +as the TVI 912 and Teleray 1061 do, +then \fBxmc\fP should be given to tell how many spaces are left. +.PP +Codes to begin underlining and end underlining can be given as \fBsmul\fP +and \fBrmul\fP respectively. +If the terminal has a code to underline the current character and move +the cursor one space to the right, +such as the Microterm Mime, +this can be given as \fBuc\fP. +.PP +Other capabilities to enter various highlighting modes include +.B blink +(blinking) +.B bold +(bold or extra bright) +.B dim +(dim or half-bright) +.B invis +(blanking or invisible text) +.B prot +(protected) +.B rev +(reverse video) +.B sgr0 +(turn off +.I all +attribute modes) +.B smacs +(enter alternate character set mode) +and +.B rmacs +(exit alternate character set mode). +Turning on any of these modes singly may or may not turn off other modes. +.PP +If there is a sequence to set arbitrary combinations of modes, +this should be given as +.B sgr +(set attributes), +taking 9 parameters. +Each parameter is either zero (0) or nonzero, +as the corresponding attribute is on or off. +The 9 parameters are, in order: +standout, underline, reverse, blink, dim, bold, blank, protect, alternate +character set. +Not all modes need be supported by +.BR sgr , +only those for which corresponding separate attribute commands exist. +.PP +For example, the DEC vt220 supports most of the modes: +.PP +.TS +center; +l l l +l l l +lw18 lw14 l. +\fBtparm parameter attribute escape sequence\fP + +none none \\E[0m +p1 standout \\E[0;1;7m +p2 underline \\E[0;4m +p3 reverse \\E[0;7m +p4 blink \\E[0;5m +p5 dim not available +p6 bold \\E[0;1m +p7 invis \\E[0;8m +p8 protect not used +p9 altcharset ^O (off) ^N (on) +.TE +.PP +We begin each escape sequence by turning off any existing modes, since +there is no quick way to determine whether they are active. +Standout is set up to be the combination of reverse and bold. +The vt220 terminal has a protect mode, +though it is not commonly used in sgr +because it protects characters on the screen from the host's erasures. +The altcharset mode also is different in that it is either ^O or ^N, +depending on whether it is off or on. +If all modes are turned on, the resulting sequence is \\E[0;1;4;5;7;8m^N. +.PP +Some sequences are common to different modes. +For example, ;7 is output when either p1 or p3 is true, that is, if +either standout or reverse modes are turned on. +.PP +Writing out the above sequences, along with their dependencies yields +.PP +.ne 11 +.TS +center; +l l l +l l l +lw18 lw14 l. +\fBsequence when to output terminfo translation\fP + +.ft CW +\\E[0 always \\E[0 +;1 if p1 or p6 %?%p1%p6%|%t;1%; +;4 if p2 %?%p2%|%t;4%; +;5 if p4 %?%p4%|%t;5%; +;7 if p1 or p3 %?%p1%p3%|%t;7%; +;8 if p7 %?%p7%|%t;8%; +m always m +^N or ^O if p9 ^N, else ^O %?%p9%t^N%e^O%; +.ft R +.TE +.PP +Putting this all together into the sgr sequence gives: +.PP +.ft CW +.nf + sgr=\\E[0%?%p1%p6%|%t;1%;%?%p2%t;4%;%?%p4%t;5%; + %?%p1%p3%|%t;7%;%?%p7%t;8%;m%?%p9%t\\016%e\\017%;, +.fi +.ft R +.PP +Remember that if you specify sgr, you must also specify sgr0. +Also, some implementations rely on sgr being given if sgr0 is, +Not all terminfo entries necessarily have an sgr string, however. +Many terminfo entries are derived from termcap entries +which have no sgr string. +The only drawback to adding an sgr string is that termcap also +assumes that sgr0 does not exit alternate character set mode. +.PP +Terminals with the \*(``magic cookie\*('' glitch +.RB ( xmc ) +deposit special \*(``cookies\*('' when they receive mode-setting sequences, +which affect the display algorithm rather than having extra bits for +each character. +Some terminals, such as the HP 2621, automatically leave standout +mode when they move to a new line or the cursor is addressed. +Programs using standout mode should exit standout mode before +moving the cursor or sending a newline, +unless the +.B msgr +capability, asserting that it is safe to move in standout mode, is present. +.PP +If the terminal has +a way of flashing the screen to indicate an error quietly (a bell replacement) +then this can be given as \fBflash\fP; it must not move the cursor. +.PP +If the cursor needs to be made more visible than normal when it is +not on the bottom line (to make, for example, a non-blinking underline into an +easier to find block or blinking underline) +give this sequence as +.BR cvvis . +If there is a way to make the cursor completely invisible, give that as +.BR civis . +The capability +.B cnorm +should be given which undoes the effects of both of these modes. +.PP +If your terminal correctly generates underlined characters +(with no special codes needed) +even though it does not overstrike, +then you should give the capability \fBul\fP. +If a character overstriking another leaves both characters on the screen, +specify the capability \fBos\fP. +If overstrikes are erasable with a blank, +then this should be indicated by giving \fBeo\fP. +.SS Keypad and Function Keys +If the terminal has a keypad that transmits codes when the keys are pressed, +this information can be given. +Note that it is not possible to handle +terminals where the keypad only works in local (this applies, for example, +to the unshifted HP 2621 keys). +If the keypad can be set to transmit or not transmit, +give these codes as \fBsmkx\fP and \fBrmkx\fP. +Otherwise the keypad is assumed to always transmit. +.PP +The codes sent by the left arrow, right arrow, up arrow, down arrow, +and home keys can be given as +\fBkcub1, kcuf1, kcuu1, kcud1, \fRand\fB khome\fP respectively. +If there are function keys such as f0, f1, ..., f10, the codes they send +can be given as \fBkf0, kf1, ..., kf10\fP. +If these keys have labels other than the default f0 through f10, the labels +can be given as \fBlf0, lf1, ..., lf10\fP. +.PP +The codes transmitted by certain other special keys can be given: +.bP +.B kll +(home down), +.bP +.B kbs +(backspace), +.bP +.B ktbc +(clear all tabs), +.bP +.B kctab +(clear the tab stop in this column), +.bP +.B kclr +(clear screen or erase key), +.bP +.B kdch1 +(delete character), +.bP +.B kdl1 +(delete line), +.bP +.B krmir +(exit insert mode), +.bP +.B kel +(clear to end of line), +.bP +.B ked +(clear to end of screen), +.bP +.B kich1 +(insert character or enter insert mode), +.bP +.B kil1 +(insert line), +.bP +.B knp +(next page), +.bP +.B kpp +(previous page), +.bP +.B kind +(scroll forward/down), +.bP +.B kri +(scroll backward/up), +.bP +.B khts +(set a tab stop in this column). +.PP +In addition, if the keypad has a 3 by 3 array of keys including the four +arrow keys, the other five keys can be given as +.BR ka1 , +.BR ka3 , +.BR kb2 , +.BR kc1 , +and +.BR kc3 . +These keys are useful when the effects of a 3 by 3 directional pad are needed. +.PP +Strings to program function keys can be given as +.BR pfkey , +.BR pfloc , +and +.BR pfx . +A string to program screen labels should be specified as \fBpln\fP. +Each of these strings takes two parameters: the function key number to +program (from 0 to 10) and the string to program it with. +Function key numbers out of this range may program undefined keys in +a terminal dependent manner. +The difference between the capabilities is that +.B pfkey +causes pressing the given key to be the same as the user typing the +given string; +.B pfloc +causes the string to be executed by the terminal in local; and +.B pfx +causes the string to be transmitted to the computer. +.PP +The capabilities \fBnlab\fP, \fBlw\fP and \fBlh\fP +define the number of programmable +screen labels and their width and height. +If there are commands to turn the labels on and off, +give them in \fBsmln\fP and \fBrmln\fP. +\fBsmln\fP is normally output after one or more pln +sequences to make sure that the change becomes visible. +.SS Tabs and Initialization +A few capabilities are used only for tabs: +.bP +If the terminal has hardware tabs, the command to advance to the next +tab stop can be given as +.B ht +(usually control/I). +.bP +A \*(``back-tab\*('' command which moves leftward to the preceding tab stop can +be given as +.BR cbt . +.IP +By convention, if the teletype modes indicate that tabs are being +expanded by the computer rather than being sent to the terminal, +programs should not use +.B ht +or +.B cbt +even if they are present, since the user may not have the tab stops +properly set. +.bP +If the terminal has hardware tabs which are initially set every +.I n +spaces when the terminal is powered up, +the numeric parameter +.B it +is given, showing the number of spaces the tabs are set to. +.IP +The \fBit\fP capability is normally used by the \fBtset\fP +command to determine whether to set the mode for hardware tab expansion, +and whether to set the tab stops. +If the terminal has tab stops that can be saved in non-volatile memory, +the terminfo description can assume that they are properly set. +.PP +Other capabilities +include +.bP +.BR is1 , +.BR is2 , +and +.BR is3 , +initialization strings for the terminal, +.bP +.BR iprog , +the path name of a program to be run to initialize the terminal, +.bP +and \fBif\fP, the name of a file containing long initialization strings. +.PP +These strings are expected to set the terminal into modes consistent +with the rest of the terminfo description. +They are normally sent to the terminal, by the +.I init +option of the \fBtput\fP program, each time the user logs in. +They will be printed in the following order: +.RS +.TP +run the program +.B iprog +.TP +output +.br +\fBis1\fP and +.br +\fBis2\fP +.TP +set the margins using +\fBmgc\fP or +.br +\fBsmglp\fP and \fBsmgrp\fP or +.br +\fBsmgl\fP and \fBsmgr\fP +.TP +set tabs using +.B tbc +and +.B hts +.TP +print the file +\fBif\fP +.TP +and finally output +\fBis3\fP. +.RE +.PP +Most initialization is done with +.BR is2 . +Special terminal modes can be set up without duplicating strings +by putting the common sequences in +.B is2 +and special cases in +.B is1 +and +.BR is3 . +.PP +A set of sequences that does a harder reset from a totally unknown state +can be given as +.BR rs1 , +.BR rs2 , +.B rf +and +.BR rs3 , +analogous to +.B is1 , +.B is2 , +.B if +and +.B is3 +respectively. +These strings are output +by \fIreset\fP option of \fBtput\fP, +or by the \fBreset\fP program +(an alias of \fBtset\fP), +which is used when the terminal gets into a wedged state. +Commands are normally placed in +.BR rs1 , +.B rs2 +.B rs3 +and +.B rf +only if they produce annoying effects on the screen and are not +necessary when logging in. +For example, the command to set the vt100 into 80-column mode would +normally be part of +.BR is2 , +but it causes an annoying glitch of the screen and is not normally +needed since the terminal is usually already in 80-column mode. +.PP +The \fBreset\fP program writes strings including +.BR iprog , +etc., in the same order as the +.I init +program, using +.BR rs1 , +etc., instead of +.BR is1 , +etc. +If any of +.BR rs1 , +.BR rs2 , +.BR rs3 , +or +.B rf +reset capability strings are missing, +the \fBreset\fP program +falls back upon the corresponding initialization capability string. +.PP +If there are commands to set and clear tab stops, they can be given as +.B tbc +(clear all tab stops) +and +.B hts +(set a tab stop in the current column of every row). +If a more complex sequence is needed to set the tabs than can be +described by this, the sequence can be placed in +.B is2 +or +.BR if . +.PP +The \fBtput reset\fP command uses the same capability strings +as the \fBreset\fP command, +although the two programs (\fBtput\fP and \fBreset\fP) +provide different command-line options. +.PP +In practice, these terminfo capabilities are not often used in +initialization of tabs +(though they are required for the \fBtabs\fP program): +.bP +Almost all hardware terminals (at least those which supported tabs) +initialized those to every \fIeight\fP columns: +.IP +The only exception was the AT&T 2300 series, +which set tabs to every \fIfive\fP columns. +.bP +In particular, developers of the hardware terminals which are commonly used +as models for modern terminal emulators provided documentation demonstrating +that \fIeight\fP columns were the standard. +.bP +Because of this, the terminal initialization programs +\fBtput\fP and \fBtset\fP +use the +\fBtbc\fP (\fBclear_all_tabs\fP) and +\fBhts\fP (\fBset_tab\fP) capabilities directly +only when the \fBit\fP (\fBinit_tabs\fP) capability +is set to a value other than \fIeight\fP. +.SS Delays and Padding +Many older and slower terminals do not support either XON/XOFF or DTR +handshaking, including hard copy terminals and some very archaic CRTs +(including, for example, DEC VT100s). +These may require padding characters +after certain cursor motions and screen changes. +.PP +If the terminal uses xon/xoff handshaking for flow control (that is, +it automatically emits ^S back to the host when its input buffers are +close to full), set +.BR xon . +This capability suppresses the emission of padding. +You can also set it +for memory-mapped console devices effectively that do not have a speed limit. +Padding information should still be included so that routines can +make better decisions about relative costs, but actual pad characters will +not be transmitted. +.PP +If \fBpb\fP (padding baud rate) is given, padding is suppressed at baud rates +below the value of \fBpb\fP. +If the entry has no padding baud rate, then +whether padding is emitted or not is completely controlled by \fBxon\fP. +.PP +If the terminal requires other than a null (zero) character as a pad, +then this can be given as \fBpad\fP. +Only the first character of the +.B pad +string is used. +.SS Status Lines +Some terminals have an extra \*(``status line\*('' which is not normally used by +software (and thus not counted in the terminal's \fBlines\fP capability). +.PP +The simplest case is a status line which is cursor-addressable but not +part of the main scrolling region on the screen; the Heathkit H19 has +a status line of this kind, as would a 24-line VT100 with a 23-line +scrolling region set up on initialization. +This situation is indicated +by the \fBhs\fP capability. +.PP +Some terminals with status lines need special sequences to access the +status line. +These may be expressed as a string with single parameter +\fBtsl\fP which takes the cursor to a given zero-origin column on the +status line. +The capability \fBfsl\fP must return to the main-screen +cursor positions before the last \fBtsl\fP. +You may need to embed the +string values of \fBsc\fP (save cursor) and \fBrc\fP (restore cursor) +in \fBtsl\fP and \fBfsl\fP to accomplish this. +.PP +The status line is normally assumed to be the same width as the width +of the terminal. +If this is untrue, you can specify it with the numeric +capability \fBwsl\fP. +.PP +A command to erase or blank the status line may be specified as \fBdsl\fP. +.PP +The boolean capability \fBeslok\fP specifies that escape sequences, tabs, +etc., work ordinarily in the status line. +.PP +The \fBncurses\fP implementation does not yet use any of these capabilities. +They are documented here in case they ever become important. +.SS Line Graphics +Many terminals have alternate character sets useful for forms-drawing. +Terminfo and \fBcurses\fP have built-in support +for most of the drawing characters +supported by the VT100, with some characters from the AT&T 4410v1 added. +This alternate character set may be specified by the \fBacsc\fP capability. +.PP +.TS H +center; +l l l l l +l l l l l +_ _ _ _ _ +lw25 lw10 lw6 lw6 l. +.\".TH +\fBGlyph ACS Ascii acsc acsc\fP +\fBName Name Default Char Value\fP +arrow pointing right ACS_RARROW > + 0x2b +arrow pointing left ACS_LARROW < , 0x2c +arrow pointing up ACS_UARROW ^ \- 0x2d +arrow pointing down ACS_DARROW v . 0x2e +solid square block ACS_BLOCK # 0 0x30 +diamond ACS_DIAMOND + ` 0x60 +checker board (stipple) ACS_CKBOARD : a 0x61 +degree symbol ACS_DEGREE \e f 0x66 +plus/minus ACS_PLMINUS # g 0x67 +board of squares ACS_BOARD # h 0x68 +lantern symbol ACS_LANTERN # i 0x69 +lower right corner ACS_LRCORNER + j 0x6a +upper right corner ACS_URCORNER + k 0x6b +upper left corner ACS_ULCORNER + l 0x6c +lower left corner ACS_LLCORNER + m 0x6d +large plus or crossover ACS_PLUS + n 0x6e +scan line 1 ACS_S1 ~ o 0x6f +scan line 3 ACS_S3 \- p 0x70 +horizontal line ACS_HLINE \- q 0x71 +scan line 7 ACS_S7 \- r 0x72 +scan line 9 ACS_S9 \&_ s 0x73 +tee pointing right ACS_LTEE + t 0x74 +tee pointing left ACS_RTEE + u 0x75 +tee pointing up ACS_BTEE + v 0x76 +tee pointing down ACS_TTEE + w 0x77 +vertical line ACS_VLINE | x 0x78 +less-than-or-equal-to ACS_LEQUAL < y 0x79 +greater-than-or-equal-to ACS_GEQUAL > z 0x7a +greek pi ACS_PI * { 0x7b +not-equal ACS_NEQUAL ! | 0x7c +UK pound sign ACS_STERLING f } 0x7d +bullet ACS_BULLET o ~ 0x7e +.TE +.PP +A few notes apply to the table itself: +.bP +X/Open Curses incorrectly states that the mapping for \fIlantern\fP is +uppercase \*(``I\*('' although Unix implementations use the +lowercase \*(``i\*('' mapping. +.bP +The DEC VT100 implemented graphics using the alternate character set +feature, temporarily switching \fImodes\fP and sending characters +in the range 0x60 (96) to 0x7e (126) +(the \fBacsc Value\fP column in the table). +.bP +The AT&T terminal added graphics characters outside that range. +.IP +Some of the characters within the range do not match the VT100; +presumably they were used in the AT&T terminal: +\fIboard of squares\fP replaces the VT100 \fInewline\fP symbol, while +\fIlantern symbol\fP replaces the VT100 \fIvertical tab\fP symbol. +The other VT100 symbols for control characters (\fIhorizontal tab\fP, +\fIcarriage return\fP and \fIline-feed\fP) are not (re)used in curses. +.PP +The best way to define a new device's graphics set is to add a column +to a copy of this table for your terminal, giving the character which +(when emitted between \fBsmacs\fP/\fBrmacs\fP switches) will be rendered +as the corresponding graphic. +Then read off the VT100/your terminal +character pairs right to left in sequence; these become the ACSC string. +.SS Color Handling +The curses library functions \fBinit_pair\fP and \fBinit_color\fP +manipulate the \fIcolor pairs\fP and \fIcolor values\fP discussed in this +section +(see \fBcurs_color\fP(3) for details on these and related functions). +.PP +Most color terminals are either \*(``Tektronix-like\*('' or \*(``HP-like\*('': +.bP +Tektronix-like +terminals have a predefined set of \fIN\fP colors +(where \fIN\fP is usually 8), +and can set +character-cell foreground and background characters independently, mixing them +into \fIN\fP\ *\ \fIN\fP color-pairs. +.bP +On HP-like terminals, the user must set each color +pair up separately (foreground and background are not independently settable). +Up to \fIM\fP color-pairs may be set up from 2*\fIM\fP different colors. +ANSI-compatible terminals are Tektronix-like. +.PP +Some basic color capabilities are independent of the color method. +The numeric +capabilities \fBcolors\fP and \fBpairs\fP specify the maximum numbers of colors +and color-pairs that can be displayed simultaneously. +The \fBop\fP (original +pair) string resets foreground and background colors to their default values +for the terminal. +The \fBoc\fP string resets all colors or color-pairs to +their default values for the terminal. +Some terminals (including many PC +terminal emulators) erase screen areas with the current background color rather +than the power-up default background; these should have the boolean capability +\fBbce\fP. +.PP +While the curses library works with \fIcolor pairs\fP +(reflecting the inability of some devices to set foreground +and background colors independently), +there are separate capabilities for setting these features: +.bP +To change the current foreground or background color on a Tektronix-type +terminal, use \fBsetaf\fP (set ANSI foreground) and \fBsetab\fP (set ANSI +background) or \fBsetf\fP (set foreground) and \fBsetb\fP (set background). +These take one parameter, the color number. +The SVr4 documentation describes +only \fBsetaf\fP/\fBsetab\fP; the XPG4 draft says that "If the terminal +supports ANSI escape sequences to set background and foreground, they should +be coded as \fBsetaf\fP and \fBsetab\fP, respectively. +.bP +If the terminal +supports other escape sequences to set background and foreground, they should +be coded as \fBsetf\fP and \fBsetb\fP, respectively. +The \fBvidputs\fP and the \fBrefresh\fP(3) functions +use the \fBsetaf\fP and \fBsetab\fP capabilities if they are defined. +.PP +The \fBsetaf\fP/\fBsetab\fP and \fBsetf\fP/\fBsetb\fP capabilities take a +single numeric argument each. +Argument values 0-7 of \fBsetaf\fP/\fBsetab\fP are portably defined as +follows (the middle column is the symbolic #define available in the header for +the \fBcurses\fP or \fBncurses\fP libraries). +The terminal hardware is free to +map these as it likes, but the RGB values indicate normal locations in color +space. +.PP +.TS H +center; +l c c c +l l n l. +\fBColor #define Value RGB\fP +black \fBCOLOR_BLACK\fP 0 0, 0, 0 +red \fBCOLOR_RED\ \fP 1 max,0,0 +green \fBCOLOR_GREEN\fP 2 0,max,0 +yellow \fBCOLOR_YELLOW\fP 3 max,max,0 +blue \fBCOLOR_BLUE\fP 4 0,0,max +magenta \fBCOLOR_MAGENTA\fP 5 max,0,max +cyan \fBCOLOR_CYAN\fP 6 0,max,max +white \fBCOLOR_WHITE\fP 7 max,max,max +.TE +.PP +The argument values of \fBsetf\fP/\fBsetb\fP historically correspond to +a different mapping, i.e., +.TS H +center; +l c c c +l l n l. +\fBColor #define Value RGB\fP +black \fBCOLOR_BLACK\fP 0 0, 0, 0 +blue \fBCOLOR_BLUE\fP 1 0,0,max +green \fBCOLOR_GREEN\fP 2 0,max,0 +cyan \fBCOLOR_CYAN\fP 3 0,max,max +red \fBCOLOR_RED\ \fP 4 max,0,0 +magenta \fBCOLOR_MAGENTA\fP 5 max,0,max +yellow \fBCOLOR_YELLOW\fP 6 max,max,0 +white \fBCOLOR_WHITE\fP 7 max,max,max +.TE +.PP +It is important to not confuse the two sets of color capabilities; +otherwise red/blue will be interchanged on the display. +.PP +On an HP-like terminal, use \fBscp\fP with a color-pair number parameter to set +which color pair is current. +.PP +Some terminals allow the \fIcolor values\fP to be modified: +.bP +On a Tektronix-like terminal, the capability \fBccc\fP may be present to +indicate that colors can be modified. +If so, the \fBinitc\fP capability will +take a color number (0 to \fBcolors\fP \- 1)and three more parameters which +describe the color. +These three parameters default to being interpreted as RGB +(Red, Green, Blue) values. +If the boolean capability \fBhls\fP is present, +they are instead as HLS (Hue, Lightness, Saturation) indices. +The ranges are +terminal-dependent. +.bP +On an HP-like terminal, \fBinitp\fP may give a capability for changing a +color-pair value. +It will take seven parameters; a color-pair number (0 to +\fBmax_pairs\fP \- 1), and two triples describing first background and then +foreground colors. +These parameters must be (Red, Green, Blue) or +(Hue, Lightness, Saturation) depending on \fBhls\fP. +.PP +On some color terminals, colors collide with highlights. +You can register +these collisions with the \fBncv\fP capability. +This is a bit-mask of +attributes not to be used when colors are enabled. +The correspondence with the +attributes understood by \fBcurses\fP is as follows: +.PP +.TS +center; +l l l l +lw20 lw2 lw10 l. +\fBAttribute Bit Decimal Set by\fP +A_STANDOUT 0 1 sgr +A_UNDERLINE 1 2 sgr +A_REVERSE 2 4 sgr +A_BLINK 3 8 sgr +A_DIM 4 16 sgr +A_BOLD 5 32 sgr +A_INVIS 6 64 sgr +A_PROTECT 7 128 sgr +A_ALTCHARSET 8 256 sgr +A_HORIZONTAL 9 512 sgr1 +A_LEFT 10 1024 sgr1 +A_LOW 11 2048 sgr1 +A_RIGHT 12 4096 sgr1 +A_TOP 13 8192 sgr1 +A_VERTICAL 14 16384 sgr1 +A_ITALIC 15 32768 sitm +.TE +.PP +For example, on many IBM PC consoles, the underline attribute collides with the +foreground color blue and is not available in color mode. +These should have +an \fBncv\fP capability of 2. +.PP +SVr4 curses does nothing with \fBncv\fP, ncurses recognizes it and optimizes +the output in favor of colors. +.SS Miscellaneous +If the terminal requires other than a null (zero) character as a pad, then this +can be given as pad. +Only the first character of the pad string is used. +If the terminal does not have a pad character, specify npc. +Note that ncurses implements the termcap-compatible \fBPC\fP variable; +though the application may set this value to something other than +a null, ncurses will test \fBnpc\fP first and use napms if the terminal +has no pad character. +.PP +If the terminal can move up or down half a line, +this can be indicated with +.B hu +(half-line up) +and +.B hd +(half-line down). +This is primarily useful for superscripts and subscripts on hard-copy terminals. +If a hard-copy terminal can eject to the next page (form feed), give this as +.B ff +(usually control/L). +.PP +If there is a command to repeat a given character a given number of +times (to save time transmitting a large number of identical characters) +this can be indicated with the parameterized string +.BR rep . +The first parameter is the character to be repeated and the second +is the number of times to repeat it. +Thus, tparm(repeat_char, \(aqx\(aq, 10) is the same as \*(``xxxxxxxxxx\*(''. +.PP +If the terminal has a settable command character, +such as the \s-1TEKTRONIX\s+1 4025, +this can be indicated with +.BR cmdch . +A prototype command character is chosen which is used in all capabilities. +This character is given in the +.B cmdch +capability to identify it. +The following convention is supported on some UNIX systems: +The environment is to be searched for a +.B CC +variable, and if found, all +occurrences of the prototype character are replaced with the character +in the environment variable. +.PP +Terminal descriptions that do not represent a specific kind of known +terminal, such as +.IR switch , +.IR dialup , +.IR patch , +and +.IR network , +should include the +.B gn +(generic) capability so that programs can complain that they do not know +how to talk to the terminal. +(This capability does not apply to +.I virtual +terminal descriptions for which the escape sequences are known.) +.PP +If the terminal has a \*(``meta key\*('' which acts as a shift key, +setting the 8th bit of any character transmitted, this fact can +be indicated with +.BR km . +Otherwise, software will assume that the 8th bit is parity and it +will usually be cleared. +If strings exist to turn this \*(``meta mode\*('' on and off, they +can be given as +.B smm +and +.BR rmm . +.PP +If the terminal has more lines of memory than will fit on the screen +at once, the number of lines of memory can be indicated with +.BR lm . +A value of +.BR lm #0 +indicates that the number of lines is not fixed, +but that there is still more memory than fits on the screen. +.PP +If the terminal is one of those supported by the \s-1UNIX\s+1 virtual +terminal protocol, the terminal number can be given as +.BR vt . +.PP +Media copy +strings which control an auxiliary printer connected to the terminal +can be given as +.BR mc0 : +print the contents of the screen, +.BR mc4 : +turn off the printer, and +.BR mc5 : +turn on the printer. +When the printer is on, all text sent to the terminal will be sent +to the printer. +It is undefined whether the text is also displayed on the terminal screen +when the printer is on. +A variation +.B mc5p +takes one parameter, and leaves the printer on for as many characters +as the value of the parameter, then turns the printer off. +The parameter should not exceed 255. +All text, including +.BR mc4 , +is transparently passed to the printer while an +.B mc5p +is in effect. +.SS Glitches and Braindamage +Hazeltine terminals, +which do not allow \*(``~\*('' characters to be displayed should +indicate \fBhz\fP. +.PP +Terminals which ignore a line-feed immediately after an \fBam\fP wrap, +such as the Concept and vt100, +should indicate \fBxenl\fP. +.PP +If +.B el +is required to get rid of standout +(instead of merely writing normal text on top of it), +\fBxhp\fP should be given. +.PP +Teleray terminals, where tabs turn all characters moved over to blanks, +should indicate \fBxt\fP (destructive tabs). +Note: the variable indicating this is now \*(``dest_tabs_magic_smso\*(''; in +older versions, it was teleray_glitch. +This glitch is also taken to mean that it is not possible to position +the cursor on top of a \*(``magic cookie\*('', +that to erase standout mode it is instead necessary to use +delete and insert line. +The ncurses implementation ignores this glitch. +.PP +The Beehive Superbee, which is unable to correctly transmit the escape +or control/C characters, has +.BR xsb , +indicating that the f1 key is used for escape and f2 for control/C. +(Only certain Superbees have this problem, depending on the ROM.) +Note that in older terminfo versions, this capability was called +\*(``beehive_glitch\*(''; it is now \*(``no_esc_ctl_c\*(''. +.PP +Other specific terminal problems may be corrected by adding more +capabilities of the form \fBx\fIx\fR. +.SS Pitfalls of Long Entries +Long terminfo entries are unlikely to be a problem; to date, no entry has even +approached terminfo's 4096-byte string-table maximum. +Unfortunately, the termcap +translations are much more strictly limited (to 1023 bytes), +thus termcap translations of long terminfo entries can cause problems. +.PP +The man pages for 4.3BSD +and older versions of \fBtgetent\fP instruct the user to +allocate a 1024-byte buffer for the termcap entry. +The entry gets null-terminated by +the termcap library, so that makes the maximum safe length for a termcap entry +1k\-1 (1023) bytes. +Depending on what the application and the termcap library being used does, +and where in the termcap file the terminal type that \fBtgetent\fP +is searching for is, several bad things can happen: +.bP +some termcap libraries print a warning message, +.bP +some exit if they find an entry that's longer than 1023 bytes, +.bP +some neither exit nor warn, doing nothing useful, and +.bP +some simply truncate the entries to 1023 bytes. +.PP +Some application programs allocate more than +the recommended 1K for the termcap entry; others do not. +.PP +Each termcap entry has two important sizes associated with it: before +\*(``tc\*('' expansion, and after \*(``tc\*('' expansion. +\*(``tc\*('' is the capability that +tacks on another termcap entry to the end of the current one, to add +on its capabilities. +If a termcap entry does not use the \*(``tc\*('' +capability, then of course the two lengths are the same. +.PP +The \*(``before tc expansion\*('' length is the most important one, because it +affects more than just users of that particular terminal. +This is the +length of the entry as it exists in /etc/termcap, minus the +backslash-newline pairs, which \fBtgetent\fP strips out while reading it. +Some termcap libraries strip off the final newline, too (GNU termcap does not). +Now suppose: +.bP +a termcap entry before expansion is more than 1023 bytes long, +.bP +and the application has only allocated a 1k buffer, +.bP +and the termcap library (like the one in BSD/OS 1.1 and GNU) reads +the whole entry into the buffer, no matter what its length, to see +if it is the entry it wants, +.bP +and \fBtgetent\fP is searching for a terminal type that either is the +long entry, appears in the termcap file after the long entry, or +does not appear in the file at all (so that \fBtgetent\fP has to search +the whole termcap file). +.PP +Then \fBtgetent\fP will overwrite memory, +perhaps its stack, +and probably core dump the program. +Programs like telnet are particularly vulnerable; modern telnets +pass along values like the terminal type automatically. +The results are almost +as undesirable with a termcap library, like SunOS 4.1.3 and Ultrix 4.4, that +prints warning messages when it reads an overly long termcap entry. +If a +termcap library truncates long entries, like OSF/1 3.0, it is immune to dying +here but will return incorrect data for the terminal. +.PP +The \*(``after tc expansion\*('' length will have a similar effect to the +above, but only for people who actually set TERM to that terminal +type, since \fBtgetent\fP only does \*(``tc\*('' expansion once it is found the +terminal type it was looking for, not while searching. +.PP +In summary, a termcap entry that is longer than 1023 bytes can cause, +on various combinations of termcap libraries and applications, a core +dump, warnings, or incorrect operation. +If it is too long even before +\*(``tc\*('' expansion, it will have this effect even for users of some other +terminal types and users whose TERM variable does not have a termcap +entry. +.PP +When in \-C (translate to termcap) mode, the \fBncurses\fP implementation of +\fBtic\fP(1) issues warning messages when the pre-tc length of a termcap +translation is too long. +The \-c (check) option also checks resolved (after tc +expansion) lengths. +.SS Binary Compatibility +It is not wise to count on portability of binary terminfo entries between +commercial UNIX versions. +The problem is that there are at least two versions +of terminfo (under HP\-UX and AIX) which diverged from System V terminfo after +SVr1, and have added extension capabilities to the string table that (in the +binary format) collide with System V and XSI Curses extensions. +.SH EXTENSIONS +Searching for terminal descriptions in +\fB$HOME/.terminfo\fP and TERMINFO_DIRS +is not supported by older implementations. +.PP +Some SVr4 \fBcurses\fP implementations, and all previous to SVr4, do not +interpret the %A and %O operators in parameter strings. +.PP +SVr4/XPG4 do not specify whether \fBmsgr\fP licenses movement while in +an alternate-character-set mode (such modes may, among other things, map +CR and NL to characters that do not trigger local motions). +The \fBncurses\fP implementation ignores \fBmsgr\fP in \fBALTCHARSET\fP +mode. +This raises the possibility that an XPG4 +implementation making the opposite interpretation may need terminfo +entries made for \fBncurses\fP to have \fBmsgr\fP turned off. +.PP +The \fBncurses\fP library handles insert-character and insert-character modes +in a slightly non-standard way to get better update efficiency. +See +the \fBInsert/Delete Character\fP subsection above. +.PP +The parameter substitutions for \fBset_clock\fP and \fBdisplay_clock\fP are +not documented in SVr4 or the XSI Curses standard. +They are deduced from the +documentation for the AT&T 505 terminal. +.PP +Be careful assigning the \fBkmous\fP capability. +The \fBncurses\fP library wants to interpret it as \fBKEY_MOUSE\fP, +for use by terminals and emulators like xterm +that can return mouse-tracking information in the keyboard-input stream. +.PP +X/Open Curses does not mention italics. +Portable applications must assume that numeric capabilities are +signed 16-bit values. +This includes the \fIno_color_video\fP (\fBncv\fP) capability. +The 32768 mask value used for italics with \fBncv\fP can be confused with +an absent or cancelled \fBncv\fP. +If italics should work with colors, +then the \fBncv\fP value must be specified, even if it is zero. +.PP +Different commercial ports of terminfo and curses support different subsets of +the XSI Curses standard and (in some cases) different extension sets. +Here +is a summary, accurate as of October 1995: +.bP +\fBSVR4, Solaris, ncurses\fP \-\- +These support all SVr4 capabilities. +.bP +\fBSGI\fP \-\- +Supports the SVr4 set, adds one undocumented extended string +capability (\fBset_pglen\fP). +.bP +\fBSVr1, Ultrix\fP \-\- +These support a restricted subset of terminfo capabilities. +The booleans end with \fBxon_xoff\fP; +the numerics with \fBwidth_status_line\fP; +and the strings with \fBprtr_non\fP. +.bP +\fBHP/UX\fP \-\- +Supports the SVr1 subset, plus the SVr[234] numerics \fBnum_labels\fP, +\fBlabel_height\fP, \fBlabel_width\fP, plus function keys 11 through 63, plus +\fBplab_norm\fP, \fBlabel_on\fP, and \fBlabel_off\fP, plus some incompatible +extensions in the string table. +.bP +\fBAIX\fP \-\- +Supports the SVr1 subset, plus function keys 11 through 63, plus a number +of incompatible string table extensions. +.bP +\fBOSF\fP \-\- +Supports both the SVr4 set and the AIX extensions. +.SH FILES +.TP 25 +\*d/?/* +files containing terminal descriptions +.SH SEE ALSO +.na +.hy 0 +\fBinfocmp\fP(1), +\fBtabs\fP(1), +\fBtic\fP(1), +\fBcurses\fP(3), +\fBcurs_color\fP(3), +\fBcurs_variables\fP(3), +\fBprintf\fP(3), +\fBterm_variables\fP(3). +\fBterm\fP(\*n). +\fBuser_caps\fP(5). +.SH AUTHORS +Zeyd M. Ben-Halim, Eric S. Raymond, Thomas E. Dickey. +Based on \fIpcurses\fP by Pavel Curtis. diff --git a/static/openbsd/man5/texinfo.5 b/static/openbsd/man5/texinfo.5 new file mode 100644 index 00000000..83387c57 --- /dev/null +++ b/static/openbsd/man5/texinfo.5 @@ -0,0 +1,51 @@ +.\" texinfo(5) +.\" $Id: texinfo.5,v 1.1.1.2 2006/07/17 16:03:58 espie Exp $ +.\" +.\" Copyright (C) 1998, 1999, 2002 Free Software Foundation, Inc. +.\" +.\" Permission is granted to make and distribute verbatim copies of this +.\" manual provided the copyright notice and this permission notice are +.\" preserved on all copies. +.\" +.\" Permission is granted to copy and distribute modified versions of +.\" this manual under the conditions for verbatim copying, provided that +.\" the entire resulting derived work is distributed under the terms of a +.\" permission notice identical to this one. +.\" +.\" Permission is granted to copy and distribute translations of this +.\" manual into another language, under the above conditions for modified +.\" versions, except that this permission notice may be stated in a +.\" translation approved by the Foundation. +.\" +.TH TEXINFO 5 "GNU Texinfo" "FSF" +.SH NAME +texinfo \- software documentation system +.SH DESCRIPTION +Texinfo is a documentation system that uses a single source file to +produce both online information and printed output. It is primarily +designed for writing software manuals. +.PP +For a full description of the Texinfo language and associated tools, +please see the Texinfo manual (written in Texinfo itself). Most likely, +running this command from your shell: +.RS +.I info texinfo +.RE +or this key sequence from inside Emacs: +.RS +.I M-x info RET m texinfo RET +.RE +will get you there. +.SH AVAILABILITY +ftp://ftp.gnu.org/gnu/texinfo/ +.br +or any GNU mirror site. +.SH "REPORTING BUGS" +Please send bug reports to bug-texinfo@gnu.org, +general questions and discussion to help-texinfo@gnu.org. +.SH "SEE ALSO" +info(1), install-info(1), makeinfo(1), texi2dvi(1), texindex(1). +.br +emacs(1), tex(1). +.br +info(5). diff --git a/static/openbsd/man5/ttys.5 b/static/openbsd/man5/ttys.5 new file mode 100644 index 00000000..1f8647a7 --- /dev/null +++ b/static/openbsd/man5/ttys.5 @@ -0,0 +1,188 @@ +.\" $OpenBSD: ttys.5,v 1.14 2022/07/29 13:56:36 millert Exp $ +.\" +.\" Copyright (c) 1985, 1991, 1993 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. Neither the name of the University nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" from: @(#)ttys.5 8.1 (Berkeley) 6/4/93 +.\" +.Dd $Mdocdate: July 29 2022 $ +.Dt TTYS 5 +.Os +.Sh NAME +.Nm ttys +.Nd terminal initialization information +.Sh DESCRIPTION +The +.Nm +file contains information that is used by various routines to initialize +and control the use of terminal special files. +This information is read with the +.Xr getttyent 3 +library routines. +.Pp +There is one line in the +.Nm +file per special device file. +Fields are separated by tabs and/or spaces. +Fields comprised of more than one word should be enclosed in double quotes +.Pq Ql \&" . +Blank lines and comments may appear anywhere in the file; comments +are delimited by hash marks +.Pq Ql # +and newlines. +Any unspecified fields will default to null. +.Pp +Each line in +.Nm +is of the format: +.Dl tty command type flags +.Pp +The first field is the +name of the terminal special file as it is found in +.Pa /dev . +.Pp +The second field is the command to execute for the line, +usually +.Xr getty 8 , +which initializes and opens the line, setting the speed, waiting for +a user name and executing the +.Xr login 1 +utility. +It can be, however, any desired command, for example +the start up for a window system terminal emulator or some other +daemon process, and can contain multiple words if quoted. +.Pp +The third field is the type of terminal usually connected to that +tty line, normally the one found in the +.Xr terminfo 5 +database file. +The environment variable +.Dv TERM +is initialized with the value by either +.Xr getty 8 +or +.Xr login 1 . +.Pp +The remaining fields set flags in the +.Fa ty_status +entry (see +.Xr getttyent 3 ) +or specify a window system process that +.Xr init 8 +will maintain for the terminal line. +The following is a list of permitted flags for each tty: +.Bl -tag -width xxxxxxx +.It Ar on +Specify that +.Xr init 8 +should execute the command given in the second field. +.It Ar off +The opposite of on. +.It Ar secure +If +.Ar on +is also specified, allows users with a user ID of 0 to log in on this line. +If set for the +.Ar console +entry, then +.Xr init 8 +will start a single-user shell without asking for the superuser password. +.El +.Pp +Additionally, the following flags modify the default behavior of +the terminal line. +Some of these flags may not be supported by a terminal line driver. +The flag fields should not be quoted. +.Bl -tag -width xxxxxxx +.It Ar local +Treat the line as if it is locally connected. +.It Ar rtscts +Use RTS/CTS hardware flow control, if +possible. +.It Ar mdmbuf +Use DTR/DCD flow control if possible. +.It Ar softcar +Ignore hardware carrier on the line. +.El +.Pp +The string +.Ar window= +may be followed by a quoted command string which +.Xr init 8 +will execute +.Em before +starting the command specified by the second field. +.Pp +Changes to the +.Nm +file take effect after it has been reloaded by +.Xr init 8 , +which can be triggered by sending it a +.Dv HUP +signal. +Reloading the +.Nm +file does +.Em not +change the state of the device-specific terminal flags described above. +The +.Xr ttyflags 8 +utility can be used to set those flags. +.Sh FILES +.Bl -tag -width /etc/ttys -compact +.It Pa /etc/ttys +.El +.Sh EXAMPLES +.Bd -literal +# root login on console at 1200 baud +console "/usr/libexec/getty std.1200" vt100 on secure +# dialup at 1200 baud, no root logins +ttyd0 "/usr/libexec/getty d1200" dialup on # 555-1234 +# Mike's terminal: hp2621 +ttyh0 "/usr/libexec/getty std.9600" hp2621-nl on # 457 Evans +# John's terminal: vt100 +ttyh1 "/usr/libexec/getty std.9600" vt100 on # 459 Evans +# terminal emulate/window system +ttyv0 "/usr/new/xterm -L :0" vs100 on window="/usr/new/Xvs100 0" +# Network pseudo ttys -- don't enable getty +ttyp0 none network +ttyp1 none network off +.Ed +.Sh SEE ALSO +.Xr login 1 , +.Xr getttyent 3 , +.Xr ttyslot 3 , +.Xr gettytab 5 , +.Xr termcap 5 , +.Xr getty 8 , +.Xr init 8 , +.Xr ttyflags 8 +.Sh HISTORY +A +.Nm +file appeared in +.At v5 . diff --git a/static/openbsd/man5/tzfile.5 b/static/openbsd/man5/tzfile.5 new file mode 100644 index 00000000..5571eba7 --- /dev/null +++ b/static/openbsd/man5/tzfile.5 @@ -0,0 +1,163 @@ +.\" $OpenBSD: tzfile.5,v 1.16 2025/06/23 13:53:11 millert Exp $ +.Dd $Mdocdate: June 23 2025 $ +.Dt TZFILE 5 +.Os +.Sh NAME +.Nm tzfile +.Nd time zone information +.Sh DESCRIPTION +The time zone information files used by +.Xr tzset 3 +begin with the magic characters "TZif" to identify themselves as +time zone information files, +followed by a character identifying the version of the file's format +(as of 2013, either an ASCII NUL, a '2', or a '3') +followed by fifteen bytes containing zeroes reserved for future use, +followed by six four-byte integer values written in +.Dq big endian +byte order +.Po +the most significant byte of the value is written first +.Pc . +These values are, +in order: +.Bl -tag -width "tzh_ttisgmtcnt" +.It Fa tzh_ttisgmtcnt +The number of UT/local indicators stored in the file. +.It Fa tzh_ttisstdcnt +The number of standard/wall indicators stored in the file. +.It Fa tzh_leapcnt +The number of leap seconds for which data is stored in the file. +.It Fa tzh_timecnt +The number of "transition times" for which data is stored +in the file. +.It Fa tzh_typecnt +The number of "local time types" for which data is stored +in the file (must not be zero). +.It Fa tzh_charcnt +The number of characters of "time zone abbreviation strings" +stored in the file. +.El +.Pp +The above header is followed by +.Fa tzh_timecnt +four-byte signed integer values sorted in ascending order. +These values are written in +.Dq big endian +byte order. +Each is used as a transition time +.Pq as returned by Xr time 3 +at which the rules for computing local time change. +Next come +.Fa tzh_timecnt +one-byte unsigned integer values; +each one tells which of the different types of +.Dq local time +types +described in the file is associated with the same-indexed transition time. +These values serve as indices into an array of +.Fa ttinfo +structures (with +.Fa tzh_typecnt +entries) that appears next in the file; +these structures are defined as follows: +.Bd -literal -offset indent +struct ttinfo { + int32_t tt_gmtoff; /* UTC offset in seconds */ + unsigned char tt_isdst; /* used to set tm_isdst */ + unsigned char tt_abbrind; /* abbreviation list index */ +}; +.Ed +.Pp +Each structure is written as a four-byte signed integer value for +.Fa tt_gmtoff +in +.Dq big endian +byte order, followed by a one-byte value for +.Fa tt_isdst +and a one-byte value for +.Fa tt_abbrind . +In each structure, +.Fa tt_gmtoff +gives the number of seconds to be added to UT, +.Fa tt_isdst +tells whether +.Fa tm_isdst +should be set by +.Xr localtime 3 +and +.Fa tt_abbrind +serves as an index into the array of time zone abbreviation characters +that follow the +.Fa ttinfo +structure(s) in the file. +.Pp +Then there are +.Fa tzh_leapcnt +pairs of four-byte values, written in +.Dq big endian +byte order; +the first value of each pair gives the time +.Pq as returned by Xr time 3 +at which a leap second occurs; +the second gives the +.Em total +number of leap seconds to be applied after the given time. +The pairs of values are sorted in ascending order by time. +.Pp +Then there are +.Fa tzh_ttisstdcnt +standard/wall indicators, each stored as a one-byte value; +they tell whether the transition times associated with local time types +were specified as standard time or wall clock time, +and are used when a time zone file is used in handling POSIX-style +time zone environment variables. +.Pp +Finally there are +.Fa tzh_ttisgmtcnt +UT/local indicators, each stored as a one-byte value; +they tell whether the transition times associated with local time types +were specified as UT or local time, +and are used when a time zone file is used in handling POSIX-style +time zone environment variables. +.Pp +.Xr localtime 3 +uses the first standard-time +.Fa ttinfo +structure in the file, +or simply the first +.Fa ttinfo +structure in the absence of a standard-time structure, +if either +.Fa tzh_timecnt +is zero or the time argument is less than the first transition time recorded +in the file. +.Pp +For version-2-format time zone files, +the above header and data are followed by a second header and data, +identical in format except that +eight bytes are used for each transition time or leap second time. +After the second header and data comes a newline-enclosed, +POSIX-TZ-environment-variable-style string for use in handling instants +after the last transition time stored in the file +(with nothing between the newlines if there is no POSIX representation for +such instants). +.Pp +For version-3-format time zone files, the POSIX-TZ-style string may +use two minor extensions to the POSIX TZ format, as described in +.Xr tzset 3 . +First, the hours part of its transition times may be signed and range from +\-167 through 167 instead of the POSIX-required unsigned values +from 0 through 24. +Second, DST is in effect all year if it starts +January 1 at 00:00 and ends December 31 at 24:00 plus the difference +between daylight saving and standard time. +.Pp +Future changes to the format may append additional data. +.Sh SEE ALSO +.Xr ctime 3 , +.Xr tzset 3 , +.Xr zic 8 , +.Xr zdump 8 +.\" This file is in the public domain, so clarified as of +.\" 1996-06-05 by Arthur David Olson. diff --git a/static/openbsd/man5/unwind.conf.5 b/static/openbsd/man5/unwind.conf.5 new file mode 100644 index 00000000..6db6be2d --- /dev/null +++ b/static/openbsd/man5/unwind.conf.5 @@ -0,0 +1,186 @@ +.\" $OpenBSD: unwind.conf.5,v 1.37 2025/07/08 14:26:45 schwarze Exp $ +.\" +.\" Copyright (c) 2018 Florian Obser <florian@openbsd.org> +.\" Copyright (c) 2005 Esben Norby <norby@openbsd.org> +.\" Copyright (c) 2004 Claudio Jeker <claudio@openbsd.org> +.\" Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> +.\" Copyright (c) 2002 Daniel Hartmeier <dhartmei@openbsd.org> +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: July 8 2025 $ +.Dt UNWIND.CONF 5 +.Os +.Sh NAME +.Nm unwind.conf +.Nd validating DNS resolver configuration file +.Sh DESCRIPTION +The +.Xr unwind 8 +daemon is a validating DNS resolver. +.Pp +The +.Nm +config file is divided into the following main sections: +.Bl -tag -width xxxx +.It Sx Macros +Definitions of variables that can be used later, simplifying the +configuration file. +.It Sx Global configuration +Global settings for +.Xr unwind 8 . +.El +.Pp +Additional configuration files can be included with the +.Ic include +keyword. +.Ss Macros +A macro is defined with a command of the form +.Ar name Ns = Ns Ar value . +The macro +.Ar name +can contain letters, digits, and underscores and cannot be a reserved word +(for example, +.Ic forwarder , +.Ic port , +or +.Ic DoT ) . +Within unquoted arguments, the string +.Pf $ Ar name +is later expanded to +.Ar value . +.Pp +For example: +.Bd -literal -offset indent +fwd1=192.0.2.53 +fwd2=192.0.2.153 +forwarder { $fwd1 $fwd2 } +.Ed +.Ss Global configuration +.Bl -tag -width Ds +.It Ic block list Ar file Op Cm log +A file containing domains to block, one per line. +If a domain from this list is queried, +.Nm unwind +answers with a return code of +.Dv REFUSED . +With +.Cm log +blocked queries are logged. +The list supports limited wildcard syntax: domains starting with . (dot) +are treated as any subdomains on that zone. +.It Ic forwarder Brq Ar address Oo Ic port Ar number Oc Oo Oo Ic authentication name Ar name Oc Ic DoT Oc ... +A list of addresses of DNS name servers to forward queries to. +.Ic port +defaults to 53. +If +.Ic DoT +is specified, use DNS over TLS when sending queries to the server at +.Ar address . +The default +.Ic port +is 853. +.Ar name +validates the certificate of the DNS over TLS server. +.It Ic preference Brq Ar type ... +A list of DNS name server types to specify the order in which +name servers are picked when measured round-trip time medians are equal. +Additionally, the first mentioned type gets a time bonus. +Validating name servers are always picked over non-validating name servers. +DNS name server types are, +in default order of preference: +.Bl -tag -width "oDoT-forwarder" +.It Ic DoT +DNS over TLS name servers configured in +.Nm . +.It Ic oDoT-forwarder +Name servers configured in +.Nm . +.Nm unwind +tries to opportunistically use DNS over TLS. +.It Ic forwarder +Name servers configured in +.Nm . +.It Ic recursor +.Nm unwind +itself recursively resolves names. +.It Ic oDoT-autoconf +Name servers learned from autoconfiguration. +A list of sources for proposals learned through autoconfiguration +is documented in +.Xr resolvd 8 . +.Nm unwind +tries to opportunistically use DNS over TLS. +.It Ic autoconf +Name servers learned from autoconfiguration. +.It Ic stub +Name servers learned from autoconfiguration, +queried using the libc functions +(see +.Xr asr_run 3 ) . +Will never validate. +Useful when running behind broken middle boxes that do not like edns0. +DNS answers from stub name servers are not cached. +.El +.It Ic force Oo Cm accept bogus Oc Ar type Brq Ar name ... +Force resolving of +.Ar name +and its subdomains by the given resolver +.Ar type . +The +.Ar type +must be listed in the +.Ic preference +list to be used. +If +.Cm accept bogus +is specified, validation is not enforced. +.El +.Sh FILES +.Bl -tag -width "/etc/unwind.conf" -compact +.It Pa /etc/unwind.conf +The default +.Xr unwind 8 +configuration file. +.El +.Sh EXAMPLES +Block requests for domains in +.Pa /etc/blocklist +and log each blocked request: +.Bd -literal -offset indent +block list "/etc/blocklist" log +.Ed +.Pp +Define a DNS over TLS (DoT) forwarder and make it the preferred resolver: +.Bd -literal -offset indent +forwarder { 192.168.1.250 port 8080 authentication name "resolver.local" DoT } +preference { DoT } +.Ed +.Pp +Where a domain requires a specific nameserver +and it may only exist in a nameserver available on the local network, +force +.Xr unwind 8 +to use a specific resolver type: +.Bd -literal -offset indent +force autoconf { domain.local } +.Ed +.Sh SEE ALSO +.Xr rc.conf.local 8 , +.Xr unwind 8 , +.Xr unwindctl 8 +.Sh HISTORY +The +.Nm +file format first appeared in +.Ox 6.5 . diff --git a/static/openbsd/man5/user_caps.5 b/static/openbsd/man5/user_caps.5 new file mode 100644 index 00000000..b3e4302b --- /dev/null +++ b/static/openbsd/man5/user_caps.5 @@ -0,0 +1,441 @@ +'\" t +.\"*************************************************************************** +.\" Copyright 2018-2022,2023 Thomas E. Dickey * +.\" Copyright 2017 Free Software Foundation, Inc. * +.\" * +.\" Permission is hereby granted, free of charge, to any person obtaining a * +.\" copy of this software and associated documentation files (the * +.\" "Software"), to deal in the Software without restriction, including * +.\" without limitation the rights to use, copy, modify, merge, publish, * +.\" distribute, distribute with modifications, sublicense, and/or sell * +.\" copies of the Software, and to permit persons to whom the Software is * +.\" furnished to do so, subject to the following conditions: * +.\" * +.\" The above copyright notice and this permission notice shall be included * +.\" in all copies or substantial portions of the Software. * +.\" * +.\" THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS * +.\" OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF * +.\" MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. * +.\" IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, * +.\" DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR * +.\" OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR * +.\" THE USE OR OTHER DEALINGS IN THE SOFTWARE. * +.\" * +.\" Except as contained in this notice, the name(s) of the above copyright * +.\" holders shall not be used in advertising or otherwise to promote the * +.\" sale, use or other dealings in this Software without prior written * +.\" authorization. * +.\"*************************************************************************** +.\" +.\" $Id: user_caps.5,v 1.1 2023/10/17 09:52:08 nicm Exp $ +.TH user_caps 5 2023-08-19 "ncurses 6.4" "File formats" +.ie \n(.g .ds `` \(lq +.el .ds `` `` +.ie \n(.g .ds '' \(rq +.el .ds '' '' +.de NS +.ie n .sp +.el .sp .5 +.ie n .in +4 +.el .in +2 +.nf +.ft CR \" Courier +.. +.de NE +.fi +.ft R +.ie n .in -4 +.el .in -2 +.. +.de bP +.ie n .IP \(bu 4 +.el .IP \(bu 2 +.. +.SH NAME +user_caps \- user-defined terminfo capabilities +.SH SYNOPSIS +.B tic -x, infocmp -x +.SH DESCRIPTION +.SS Background +Before ncurses 5.0, +terminfo databases used a \fIfixed repertoire\fP of terminal +capabilities designed for the SVr2 terminal database in 1984, +and extended in stages through SVr4 (1989), +and standardized in the Single Unix Specification beginning in 1995. +.PP +Most of the \fIextensions\fP in this fixed repertoire were additions +to the tables of boolean, numeric and string capabilities. +Rather than change the meaning of an existing capability, a new name was added. +The terminfo database uses a binary format; binary compatibility was +ensured by using a header which gave the number of items in the +tables for each type of capability. +The standardization was incomplete: +.bP +The \fIbinary format\fP itself is not described +in the X/Open Curses documentation. +Only the \fIsource format\fP is described. +.IP +Library developers rely upon the SVr4 documentation, +and reverse-engineering the compiled terminfo files to match the binary format. +.bP +Lacking a standard for the binary format, most implementations +copy the SVr2 binary format, which uses 16-bit signed integers, +and is limited to 4096-byte entries. +.IP +The format cannot represent very large numeric capabilities, +nor can it represent large numbers of special keyboard definitions. +.bP +The tables of capability names differ between implementations. +.IP +Although they \fImay\fP provide all of the standard capability names, +the position in the tables differs because some features were added as needed, +while others were added (out of order) to comply with X/Open Curses. +.IP +While ncurses' repertoire of predefined capabilities is closest to Solaris, +Solaris's terminfo database has a few differences from +the list published by X/Open Curses. +For example, ncurses can be configured with tables which match the +terminal databases for AIX, HP-UX or OSF/1, +rather than the default Solaris-like configuration. +.bP +In SVr4 curses and ncurses, +the terminal database is defined at compile-time using a text file +which lists the different terminal capabilities. +.IP +In principle, the text-file can be extended, +but doing this requires recompiling and reinstalling the library. +The text-file used in ncurses for terminal capabilities includes +details for various systems past the documented X/Open Curses features. +For example, ncurses supports these capabilities in each configuration: +.RS 8 +.TP 5 +memory_lock +(meml) +lock memory above cursor +.TP 5 +memory_unlock +(memu) +unlock memory +.TP 5 +box_chars_1 +(box1) +box characters primary set +.RE +.IP +The memory lock/unlock capabilities were included because they were used +in the X11R6 terminal description for \fBxterm\fP(1). +The \fIbox1\fP capability is used in tic to help with terminal descriptions +written for AIX. +.PP +During the 1990s, some users were reluctant to use terminfo +in spite of its performance advantages over termcap: +.bP +The fixed repertoire prevented users from adding features +for unanticipated terminal improvements +(or required them to reuse existing capabilities as a workaround). +.bP +The limitation to 16-bit signed integers was also mentioned. +Because termcap stores everything as a string, +it could represent larger numbers. +.PP +Although termcap's extensibility was rarely used +(it was never the \fIspeaker\fP who had actually used the feature), +the criticism had a point. +ncurses 5.0 provided a way to detect nonstandard capabilities, +determine their +type and optionally store and retrieve them in a way which did not interfere +with other applications. +These are referred to as \fIuser-defined capabilities\fP because no +modifications to the toolset's predefined capability names are needed. +.PP +The ncurses utilities \fBtic\fP and \fBinfocmp\fP have a command-line +option \*(``\-x\*('' to control whether the nonstandard capabilities +are stored or retrieved. +A library function \fBuse_extended_names\fP +is provided for the same purpose. +.PP +When compiling a terminal database, if \*(``\-x\*('' is set, +\fBtic\fP will store a user-defined capability if the capability name is not +one of the predefined names. +.PP +Because ncurses provides a termcap library interface, +these user-defined capabilities may be visible to termcap applications: +.bP +The termcap interface (like all implementations of termcap) +requires that the capability names are 2-characters. +.IP +When the capability is simple enough for use in a termcap application, +it is provided as a 2-character name. +.bP +There are other +user-defined capabilities which refer to features not usable in termcap, +e.g., parameterized strings that use more than two parameters +or use more than the trivial expression support provided by termcap. +For these, the terminfo database should have only capability names with +3 or more characters. +.bP +Some terminals can send distinct strings for special keys (cursor-, +keypad- or function-keys) depending on modifier keys (shift, control, etc.). +While terminfo and termcap have a set of 60 predefined function-key names, +to which a series of keys can be assigned, +that is insufficient for more than a dozen keys multiplied by more than +a couple of modifier combinations. +The ncurses database uses a convention based on \fBxterm\fP(1) to +provide extended special-key names. +.IP +Fitting that into termcap's limitation of 2-character names +would be pointless. +These extended keys are available only with terminfo. +.SS Recognized capabilities +The ncurses library uses the user-definable capabilities. +While the terminfo database may have other extensions, +ncurses makes explicit checks for these: +.RS 3 +.TP 3 +AX +\fIboolean\fP, asserts that the terminal interprets SGR 39 and SGR 49 +by resetting the foreground and background color, respectively, to the default. +.IP +This is a feature recognized by the \fBscreen\fP program as well. +.TP 3 +E3 +\fIstring\fP, tells how to clear the terminal's scrollback buffer. +When present, the \fBclear\fP(1) program sends this before clearing +the terminal. +.IP +The command \*(``\fBtput clear\fP\*('' does the same thing. +.TP 3 +NQ +used to suppress a consistency check in tic for the ncurses capabilities +in user6 through user9 (u6, u7, u8 and u9) +which tell how to query the terminal's cursor position +and its device attributes. +.TP 3 +RGB +\fIboolean\fP, \fInumber\fP \fBor\fP \fIstring\fP, +used to assert that the +\fBset_a_foreground\fP and +\fBset_a_background\fP capabilities correspond to \fIdirect colors\fP, +using an RGB (red/green/blue) convention. +This capability allows the \fBcolor_content\fP function to +return appropriate values without requiring the application +to initialize colors using \fBinit_color\fP. +.IP +The capability type determines the values which ncurses sees: +.RS 3 +.TP 3 +\fIboolean\fP +implies that the number of bits for red, green and blue are the same. +Using the maximum number of colors, +ncurses adds two, divides that sum by three, and assigns the result +to red, green and blue in that order. +.IP +If the number of bits needed for the number of colors is not a multiple +of three, the blue (and green) components lose in comparison to red. +.TP 3 +\fInumber\fP +tells ncurses what result to add to red, green and blue. +If ncurses runs out of bits, +blue (and green) lose just as in the \fIboolean\fP case. +.TP 3 +\fIstring\fP +explicitly list the number of bits used for red, green and blue components +as a slash-separated list of decimal integers. +.RE +.IP +Because there are several RGB encodings in use, +applications which make assumptions about the number of bits per color +are unlikely to work reliably. +As a trivial case, for example, one could define \fBRGB#1\fP +to represent the standard eight ANSI colors, i.e., one bit per color. +.TP 3 +U8 +\fInumber\fP, +asserts that ncurses must use Unicode values for line-drawing characters, +and that it should ignore the alternate character set capabilities +when the locale uses UTF-8 encoding. +For more information, see the discussion of +\fBNCURSES_NO_UTF8_ACS\fP in \fBncurses\fP(3). +.IP +Set this capability to a nonzero value to enable it. +.TP 3 +XM +\fIstring\fP, +override ncurses's built-in string which +enables/disables \fBxterm\fP(1) mouse mode. +.IP +ncurses sends a character sequence to the terminal to initialize mouse mode, +and when the user clicks the mouse buttons or (in certain modes) moves the +mouse, handles the characters sent back by the terminal to tell it what +was done with the mouse. +.IP +The mouse protocol is enabled when +the \fImask\fP passed in the \fBmousemask\fP function is nonzero. +By default, ncurses handles the responses for the X11 xterm mouse protocol. +It also knows about the \fISGR 1006\fP xterm mouse protocol, +but must to be told to look for this specifically. +It will not be able to guess which mode is used, +because the responses are enough alike that only confusion would result. +.IP +The \fBXM\fP capability has a single parameter. +If nonzero, the mouse protocol should be enabled. +If zero, the mouse protocol should be disabled. +ncurses inspects this capability if it is present, +to see whether the 1006 protocol is used. +If so, it expects the responses to use the \fISGR 1006\fP xterm mouse protocol. +.IP +The xterm mouse protocol is used by other terminal emulators. +The terminal database uses building-blocks for the various xterm mouse +protocols which can be used in customized terminal descriptions. +.IP +The terminal database building blocks for this mouse +feature also have an experimental capability \fIxm\fP. +The \*(``xm\*('' capability describes the mouse response. +Currently there is no interpreter which would use this +information to make the mouse support completely data-driven. +.IP +\fIxm\fP shows the format of the mouse responses. +In this experimental capability, the parameters are +.RS 5 +.TP 5 +.I p1 +y-ordinate +.TP 5 +.I p2 +x-ordinate +.TP 5 +.I p3 +button +.TP 5 +.I p4 +state, e.g., pressed or released +.TP 5 +.I p5 +y-ordinate starting region +.TP 5 +.I p6 +x-ordinate starting region +.TP 5 +.I p7 +y-ordinate ending region +.TP 5 +.I p8 +x-ordinate ending region +.RE +.IP +Here are examples from the terminal database for the most commonly used +xterm mouse protocols: +.IP +.nf + xterm+x11mouse|X11 xterm mouse protocol, + kmous=\\E[M, XM=\\E[?1000%?%p1%{1}%=%th%el%;, + xm=\\E[M + %?%p4%t%p3%e%{3}%;%'\ '%+%c + %p2%'!'%+%c + %p1%'!'%+%c, + + xterm+sm+1006|xterm SGR-mouse, + kmous=\\E[<, XM=\\E[?1006;1000%?%p1%{1}%=%th%el%;, + xm=\\E[<%i%p3%d; + %p1%d; + %p2%d; + %?%p4%tM%em%;, +.fi +. +.SS Extended key-definitions +Several terminals provide the ability to send distinct strings for +combinations of modified special keys. +There is no standard for what those keys can send. +.PP +Since 1999, \fBxterm\fP(1) has supported +\fIshift\fP, \fIcontrol\fP, \fIalt\fP, and \fImeta\fP modifiers which produce +distinct special-key strings. +In a terminal description, ncurses has no special knowledge of the +modifiers used. +Applications can use the \fInaming convention\fP established for \fBxterm\fP +to find these special keys in the terminal description. +.PP +Starting with the curses convention that \fIkey names\fP begin with \*(``k\*('' +and that shifted special keys are an uppercase name, +ncurses' terminal database defines these names to which a suffix is added: +.PP +.RS 5 +.TS +tab(/) ; +l l . +\fBName\fP/\fBDescription\fP +_ +kDC/special form of kdch1 (delete character) +kDN/special form of kcud1 (cursor down) +kEND/special form of kend (End) +kHOM/special form of khome (Home) +kLFT/special form of kcub1 (cursor-left or cursor-back) +kNXT/special form of knext (Next, or Page-Down) +kPRV/special form of kprev (Prev, or Page-Up) +kRIT/special form of kcuf1 (cursor-right, or cursor-forward) +kUP/special form of kcuu1 (cursor-up) +.TE +.RE +.PP +These are the suffixes used to denote the modifiers: +.PP +.RS 5 +.TS +tab(/) ; +l l . +\fBValue\fP/\fBDescription\fP +_ +2/Shift +3/Alt +4/Shift + Alt +5/Control +6/Shift + Control +7/Alt + Control +8/Shift + Alt + Control +9/Meta +10/Meta + Shift +11/Meta + Alt +12/Meta + Alt + Shift +13/Meta + Ctrl +14/Meta + Ctrl + Shift +15/Meta + Ctrl + Alt +16/Meta + Ctrl + Alt + Shift +.TE +.RE +.PP +None of these are predefined; terminal descriptions can refer to \fInames\fP +which ncurses will allocate at runtime to \fIkey-codes\fP. +To use these keys in an ncurses program, an application could do this: +.bP +using a list of extended key \fInames\fP, +ask \fBtigetstr\fP(3) for their values, and +.bP +given the list of values, +ask \fBkey_defined\fP(3) for the \fIkey-code\fP which +would be returned for those keys by \fBwgetch\fP(3). +.\" +.SH PORTABILITY +The \*(``\-x\*('' extension feature of \fBtic\fP and \fBinfocmp\fP +has been adopted in NetBSD curses. +That implementation stores user-defined capabilities, +but makes no use of these capabilities itself. +.\" +.SH SEE ALSO +\fBinfocmp\fP(1), +\fBtic\fP(1). +.PP +The terminal database section +.I "NCURSES USER-DEFINABLE CAPABILITIES" +summarizes commonly-used user-defined capabilities +which are used in the terminal descriptions. +Some of those features are mentioned in \fBscreen\fP(1) or \fBtmux\fP(1). +.PP +.I "XTerm Control Sequences" +provides further information on the \fBxterm\fP(1) features +which are used in these extended capabilities. +.\" +.SH AUTHORS +Thomas E. Dickey +.br +beginning with ncurses 5.0 (1999) diff --git a/static/openbsd/man5/usermgmt.conf.5 b/static/openbsd/man5/usermgmt.conf.5 new file mode 100644 index 00000000..47f78d5a --- /dev/null +++ b/static/openbsd/man5/usermgmt.conf.5 @@ -0,0 +1,147 @@ +.\" $OpenBSD: usermgmt.conf.5,v 1.14 2016/11/30 20:26:37 jmc Exp $ +.\" $NetBSD: usermgmt.conf.5,v 1.3 2002/10/02 13:49:11 grant Exp $ +.\" +.\" Copyright (c) 2002 The NetBSD Foundation, Inc. +.\" All rights reserved. +.\" +.\" This document is derived from works contributed to The NetBSD Foundation +.\" by Grant Beattie. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. The name of the author may not be used to endorse or promote products +.\" derived from this software without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, +.\" BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED +.\" AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +.\" OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.Dd $Mdocdate: November 30 2016 $ +.Dt USERMGMT.CONF 5 +.Os +.Sh NAME +.Nm usermgmt.conf +.Nd user management tools configuration file +.Sh DESCRIPTION +The +.Nm usermgmt.conf +file defines the default values used by the user management tools, +.Xr user 8 . +.Pp +Options in this file can be set by manually editing +.Pa /etc/usermgmt.conf +or using the +.Fl D +option to +.Xr useradd 8 . +.Bl -tag -width preserveX +.It Ic base_dir +Sets the base directory name, in which new users' home directories +are created when using the +.Fl m +option to +.Xr useradd 8 . +.It Ic class +Sets the default login class for new users. +See +.Xr login.conf 5 +for more information on user login classes. +.It Ic expire +Sets the default time at which the new accounts expire. +Both the +.Ar expire +and +.Ar inactive +fields should be entered in the form +.Dq month day year , +where month is the month name (the first three characters are +sufficient), day is the day of the month, and year is the year. +Time in seconds since the Epoch (UTC) is also valid. +A value of 0 can be used to disable this feature. +.It Ic group +Sets the default primary group for new users. +If this is the special string +.Cm =uid , +a group is created with the same numeric ID as the UID; +if such a group already exists a warning is given +and no group is created. +It has the format: +.Bd -ragged -offset indent +.Ic group +.Ar gid | name | Cm =uid +.Ed +.It Ic inactive +Sets the default time at which the passwords of new accounts expire. +A value of 0 can be used to disable this feature. +Also see the +.Ar expire +field. +.It Ic password +Specifies a default password encrypted with +.Xr encrypt 1 . +.It Ic preserve +If this value is one of +.Ql true , +.Ql yes , +or a non-zero number, then the user login information will be +preserved when removing a user with +.Xr userdel 8 . +.It Ic range +Specifies the UID boundaries for new users. +If unspecified, the default is +.Dq 1000..60000 . +It has the format: +.Bd -unfilled -offset indent +.Ic range Ar starting-uid Ns Li .. Ns Ar ending-uid +.Ed +.It Ic shell +Sets the default login shell for new users. +.It Ic skel_dir +Sets the default skeleton directory in which to find files +with which to populate the new user's home directory. +.El +.Sh FILES +.Bl -tag -width /etc/usermgmt.conf -compact +.It Pa /etc/usermgmt.conf +.It Pa /etc/skel/* +.It Pa /etc/login.conf +.El +.Sh SEE ALSO +.Xr login.conf 5 , +.Xr passwd 5 , +.Xr user 8 , +.Xr useradd 8 , +.Xr userdel 8 , +.Xr usermod 8 +.Sh STANDARDS +Other implementations of the +.Xr user 8 +utilities use the +.Ar inactive-time +parameter to refer to the maximum number of days allowed between logins (this +is used to lock "stale" accounts that have not been used for a period of time). +However, on +.Ox +systems this parameter refers instead to the password change time. +This is due to differences in the +.Xr passwd 5 +database compared to other operating systems. +.Sh HISTORY +The +.Nm +configuration file first appeared in +.Ox 2.7 . diff --git a/static/openbsd/man5/uuencode.5 b/static/openbsd/man5/uuencode.5 new file mode 100644 index 00000000..7bac8473 --- /dev/null +++ b/static/openbsd/man5/uuencode.5 @@ -0,0 +1,99 @@ +.\" $OpenBSD: uuencode.5,v 1.10 2007/05/31 19:20:19 jmc Exp $ +.\" $NetBSD: uuencode.format.5,v 1.3 1994/11/17 07:39:45 jtc Exp $ +.\" +.\" Copyright (c) 1989, 1991, 1993 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. Neither the name of the University nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" @(#)uuencode.format.5 8.2 (Berkeley) 1/12/94 +.\" +.Dd $Mdocdate: May 31 2007 $ +.Dt UUENCODE 5 +.Os +.Sh NAME +.Nm uuencode +.Nd format of an encoded uuencode file +.Sh DESCRIPTION +Files output by +.Xr uuencode 1 +consist of a header line, +followed by a number of body lines, +and a trailer line. +The +.Xr uudecode 1 +command +will ignore any lines preceding the header or +following the trailer. +Lines preceding a header must not, of course, +look like a header. +.Pp +The header line is distinguished by having the first +6 characters +.Dq begin\ \& +(note the trailing space). +The word +.Em begin +is followed by a mode (in octal), +and a string which names the remote file. +A space separates the three items in the header line. +.Pp +The body consists of a number of lines, each at most 62 characters +long (including the trailing newline). +These consist of a character count, +followed by encoded characters, +followed by a newline. +The character count is a single printing character, +and represents an integer, the number of bytes +the rest of the line represents. +Such integers are always in the range from 0 to 63 and can +be determined by subtracting the character space (octal 40) +from the character. +.Pp +Groups of 3 bytes are stored in 4 characters, 6 bits per character. +All are offset by a space to make the characters printing. +The last line may be shorter than the normal 45 bytes. +If the size is not a multiple of 3, this fact can be determined +by the value of the count on the last line. +Extra garbage will be included to make the character count a multiple +of 4. +The body is terminated by a line with a count of zero. +This line consists of one +.Tn ASCII +\` (opening single quote) character. +.Pp +The trailer line consists of +.Dq end +on a line by itself. +.Sh SEE ALSO +.Xr mail 1 , +.Xr uudecode 1 , +.Xr uuencode 1 +.Sh HISTORY +The +.Nm +file format appeared in +.Bx 4.0 . +.\" It was named uuencode.5 prior to 4.3 diff --git a/static/openbsd/man5/vm.conf.5 b/static/openbsd/man5/vm.conf.5 new file mode 100644 index 00000000..183debe4 --- /dev/null +++ b/static/openbsd/man5/vm.conf.5 @@ -0,0 +1,554 @@ +.\" $OpenBSD: vm.conf.5,v 1.69 2025/07/06 15:45:02 schwarze Exp $ +.\" +.\" Copyright (c) 2015 Mike Larkin <mlarkin@openbsd.org> +.\" Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org> +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: July 6 2025 $ +.Dt VM.CONF 5 +.Os +.Sh NAME +.Nm vm.conf +.Nd virtual machine configuration +.Sh DESCRIPTION +.Nm +is the configuration file for the virtual machine monitor, +.Xr vmm 4 , +which is responsible for creating, destroying, and executing +virtual machines (VMs). +.Pp +.Nm +is divided into the following main sections: +.Bl -tag -width xxxx +.It Sx Macros +Definitions of variables that can be used later, simplifying the +configuration file. +.It Sx Global configuration +Global settings for +.Xr vmd 8 . +.It Sx VM configuration No and Sx VM instances +Configuration for each individual virtual machine. +.It Sx Switch configuration +Configuration for virtual switches. +.El +.Pp +The current line can be extended over multiple lines using a backslash +.Pq Sq \e . +Comments can be put anywhere in the file using a hash mark +.Pq Sq # +and extend to the end of the current line. +Care should be taken when commenting out multi-line text: +the comment is effective until the end of the entire block. +.Pp +Arguments not beginning with a letter, digit, underscore, or slash +must be quoted. +.Pp +Additional configuration files can be included with the +.Ic include +keyword, for example: +.Bd -literal -offset indent +include "/etc/vm1.example.com.conf" +.Ed +.Ss Macros +A macro is defined with a command of the form +.Ar name Ns = Ns Ar value . +The macro +.Ar name +can contain letters, digits, and underscores and +cannot be a reserved word (for example, +.Ic vm , +.Ic memory , +or +.Ic disk ) . +Within unquoted arguments, the string +.Pf $ Ar name +is later expanded to +.Ar value . +.Pp +For example: +.Bd -literal -offset indent +ramdisk="/bsd.rd" +vm "vm1.example.com" { + memory 512M + boot $ramdisk +} +.Ed +.Ss Global configuration +The following settings can be configured globally: +.Bl -tag -width Ds +.It Ic agentx Oo Cm context Ar context Oc Op Cm path Ar socket +Export vm metrics via an AgentX compatible +.Xr snmpd 8 +by connecting to the +.Ar socket . +Metrics can be found under the vmMIB subtree +.Pq mib-2.236 . +If +.Ar socket +is omitted it defaults to +.Pa /var/agentx/master . +.Ar context +is the SNMPv3 context and can usually be omitted. +.It Ic local Cm prefix Ar address Ns / Ns Ar prefix +Set the IPv4 network prefix that is used to allocate subnets for +local interfaces, see +.Ic local interface +in the +.Sx VM configuration +section below. +The default is 100.64.0.0/10. +.It Ic local Cm inet6 Op Cm prefix Ar address Ns / Ns Ar prefix +Enable IPv6 on local interfaces and allocate routable subnets. +If the prefix is not specified, +a random prefix from the +.Dq unique local +network range fd00::/8 is generated on startup. +The specified prefix length must be /64 or smaller. +.It Ic socket Cm owner Ar user : Ns Ar group +Set the +.Xr vmd 8 +control socket owner to the specified +.Ar user +and +.Ar group . +Users with access to the control socket are allowed to use +.Xr vmctl 8 +for restricted access to +.Xr vmd 8 . +If only +.Ar user +is given, +only the user is set. +If only +.Pf : Ar group +is given, +only the group is set. +The default is root:wheel. +.It Ic staggered start Cm parallel Ar parallelism Cm delay Ar delay +Start all configured VMs in a staggered fashion with +.Ar parallelism +instances in parallel every +.Ar delay +seconds. +Defaults to +.Ar parallelism +equal to number of online CPUs and a +.Ar delay +of 30 seconds. +.El +.Ss VM configuration +Each +.Ic vm +section starts with the declaration of a virtual machine +.Ar name : +.Bl -tag -width Ds +.It Ic vm Ar name Brq ... +The +.Ar name +starts with a letter and can contain alphanumeric characters, dots +.Pq Sq .\& , +dashes +.Pq Sq \- , +and underscores +.Pq Sq _ . +Typically this is a hostname. +.El +.Pp +The block enclosed in curly braces can contain the following parameters: +.Bl -tag -width Ds +.It Ic allow instance Brq ... +Set the permissions to create +.Sx VM instances . +.It Ic boot Ar path +Kernel or BIOS image to load when booting the VM. +If not specified, the default is to boot using the BIOS image in +.Pa /etc/firmware/vmm-bios . +.It Ic boot Cm device Ar device +Force VM to boot from +.Ar device . +Valid values are: +.Bl -tag -width "cdrom" +.It Cm cdrom +Boot the ISO image file specified using the +.Ic cdrom +parameter. +.It Cm disk +Boot from the disk image file specified using the +.Ic disk +parameter. +.It Cm net +Boot the kernel specified using the +.Ic boot +parameter as if the VM was network booted. +In addition, the DHCP lease advertises +.Dq auto_install +in the bootfile option making it suitable for use with +.Xr autoinstall 8 . +Note, this is not to be confused with +.Xr pxeboot 8 +but rather a simulated network boot. +.El +.Pp +Currently +.Cm disk +and +.Cm cdrom +only work with VMs booted using BIOS. +.It Ic cdrom Ar path +ISO image file. +.It Ic enable +Automatically start the VM. +This is the default if neither +.Ic enable +nor +.Ic disable +is specified. +.It Ic disable +Do not automatically start this VM. +.It Ic disk Ar path Op Cm format Ar fmt +Disk image file (may be specified multiple times to add multiple disk images). +The format may be specified as either +.Cm qcow2 +(a sparse file format which reduces storage) or +.Cm raw . +If left unspecified, the format defaults to +.Cm raw +if it cannot be derived automatically. +.It Oo Ic local Oc Ic interface Oo Ar name Oc Op Brq ... +Network interface to add to the VM. +The optional +.Ar name +can be either +.Cm tap +to select the next available +.Xr tap 4 +interface on the VM host side (the default) or +.Cm tap Ns Ar N +to select a specific one. +.Pp +Valid options are: +.Bl -tag -width Ds +.It Ic group Ar group-name +Assign the interface to a specific interface +.Dq group . +For example, this can be used to write +.Xr pf.conf 5 +rules for several VM interfaces in the same group. +The +.Ar group-name +must not be longer than 15 characters or end with a digit, +as described in +.Xr ifconfig 8 . +.It Oo Ic locked Oc Ic lladdr Op Ar etheraddr +Change the link layer address (MAC address) of the interface on the +VM guest side. +If not specified, a randomized address is assigned by +.Xr vmd 8 . +If the +.Ic locked +keyword is specified, +.Xr vmd 8 +drops packets from the VM with altered source addresses. +.It Cm rdomain Ar rdomainid +Attach the interface to the routing domain with the specified +.Ar rdomainid . +If attaching to a switch that also has an +.Ar rdomainid +set, the +.Ar rdomainid +configured for the interface takes precedence. +.It Ic switch Ar name +Set the virtual switch by +.Ar name . +See the +.Sx Switch configuration +section about virtual switches. +This option is ignored if a switch with a matching name cannot be found. +.It Ic up +Start the interface forwarding packets. +This is the default. +.It Ic down +Stop the interface from forwarding packets. +.El +.Pp +A +.Ic local +interface auto-generates an IPv4 subnet for the interface, +configures a gateway address on the VM host side, +and runs a simple DHCP/BOOTP server for the VM. +This option can be used for layer 3 mode without configuring a switch. +.Pp +If the global +.Ic local Cm inet6 +option is enabled, a routable IPv6 gateway address is generated +on the host side. +Unlike the IPv4 option, +.Xr vmd 8 +does not respond to DHCPv6 or router solicitation messages itself. +Use +.Xr rad 8 +listening on the interface group, e.g.\& +.Ic interface Cm tap +for auto-configuring the VMs accordingly. +.It Ic interfaces Ar count +Optional minimum number of network interfaces to add to the VM. +If the +.Ar count +is greater than the number of +.Ic interface +statements, additional default interfaces are added. +.It Ic memory Ar bytes +Memory size of the VM in bytes, rounded to megabytes. +A scale multiplier can be used as described in +.Xr scan_scaled 3 . +The default is 512M. +.It Ic owner Ar user : Ns Ar group +Set the owner of the VM to the specified +.Ar user +and +.Ar group . +The owner is allowed to start or stop the VM, pause or unpause the VM, +and open the VM's console. +If only +.Ar user +is given, +only the user is set. +If only +.Pf : Ar group +is given, +only the group is set. +.It Ic sev +Enables AMD Secure Encrypted Virtualization (SEV) for the guest. +.Xr vmd 8 +uses +.Xr psp 4 +to configure the guest for SEV. +.It Ic seves +Enables AMD Encrypted State (SEV-ES) for the guest. +This implicitly enables SEV, too. +.El +.Ss VM instances +It is possible to use configured or running VMs as a template for +additional instances of the VM. +An instance is just like a normal +.Ic vm +and is configured with the following declaration of the virtual machine +.Ar name : +.Bl -tag -width Ds +.It Ic vm Ar parent Ic instance Ar name Brq ... +A virtual machine can be created as an instance of any other configured VM. +.El +.Pp +The new instance inherits settings from the VM +.Ar parent , +except for exclusive options such as +.Ic disk , +.Ic interface lladdr , +or +.Ic interface Ar name . +The configuration options are identical to the +.Sx VM configuration , +but restricted to the allowed instance options. +.Pp +The allowed instance options are configured in the +.Ar parent +VM: +.Bl -tag -width Ds +.It Ic allow instance Brq ... +Allow users to use this VM as a template for VM instances. +By default, the root user can always create instances without +restrictions and users or non-root owners cannot create instances. +An instance inherits the configuration from the VM and the user, +if permitted, is allowed to configure individual VM options. +.El +.Pp +Valid options are: +.Bl -tag -width Ds +.It Ic boot +Allow user to configure the kernel or BIOS image. +The user needs read access to the image. +.It Ic cdrom +Allow user to configure the ISO file. +The user needs read access to the file. +.It Ic disk +Allow user to configure the disk images. +The user needs read and write access to image and instances are not +allowed to reuse disks from the parent VM. +.It Ic instance +Allow user to create additional instances from the instances. +.It Ic interface +Allow user to change network interface settings. +.It Ic memory +Allow user to configure the memory size. +.It Ic owner Ar user Ns Op : Ns Ar group +Allow the specified user or group to create the instances. +The owner is allowed to create VM instances, start or stop the +instances, pause or unpause the instances, and open the instances' +consoles. +.It Ic owner Pf : Ar group +Set the owner to the specified group. +.El +.Ss Switch configuration +A virtual switch allows VMs to communicate with other network interfaces on the +host system via either +.Xr bridge 4 +or +.Xr veb 4 . +The network interface for each virtual switch defined in +.Nm +is pre-configured using +.Xr hostname.if 5 +or +.Xr ifconfig 8 +(see the BRIDGE and VEB sections in +.Xr ifconfig 8 +accordingly). +When a VM is started, virtual network interfaces which are assigned to a +virtual switch have their +.Xr tap 4 +interface automatically added into the corresponding +.Xr bridge 4 +or +.Xr veb 4 +interface underlying the virtual switch. +.Pp +Virtual switches can be configured at any point in the configuration file. +Each +.Ic switch +section starts with a declaration of the virtual switch: +.Bl -tag -width Ds +.It Ic switch Ar name Brq ... +This name can be any string, and is typically a network name. +.El +.Pp +The block enclosed in curly braces can contain the following parameters: +.Bl -tag -width Ds +.It Ic enable +Automatically configure the switch. +This is the default if neither +.Ic enable +nor +.Ic disable +is specified. +.It Ic locked lladdr +If this option is specified, +.Xr vmd 8 +drops packets with altered source addresses that do not match the +link layer addresses (MAC addresses) of the VM interfaces in this switch. +.It Ic disable +Do not automatically configure this switch. +.It Ic group Ar group-name +Assign each interface to a specific interface +.Dq group . +For example, this can be used to write +.Xr pf.conf 5 +rules for several VM interfaces in the same group. +The +.Ar group-name +must not be longer than 15 characters or end with a digit, +as described in +.Xr ifconfig 8 . +.It Ic interface Ar name +Set the +.Xr bridge 4 +or +.Xr veb 4 +network interface of this switch. +.It Ic rdomain Ar rdomainid +Set the routing domain of the switch and all of its VM interfaces to +.Ar rdomainid . +.It Ic up +Start the switch forwarding packets. +This is the default. +.It Ic down +Stop the switch from forwarding packets. +.El +.Sh FILES +.Bl -tag -width /etc/firmware/vmm-bios -compact +.It Pa /etc/vm.conf +default +.Xr vmd 8 +and +.Xr vmctl 8 +configuration file +.It Pa /etc/examples/vm.conf +example configuration file +.It Pa /var/run/vmd.sock +Unix domain +.Xr socket 2 +where +.Xr vmd 8 +listens +.It Pa /etc/firmware/vmm-bios +default BIOS image for booting +.It Pa /var/agentx/master +default Unix domain +.Xr socket 2 +where +.Xr snmpd 8 +listens +.El +.Sh EXAMPLES +Create a new VM with 1GB memory, 1 network interface connected to +.Dq uplink , +with one disk image +.Pa /home/joe/vm2-disk.img , +owned by user +.Sq joe : +.Bd -literal -offset indent +vm "vm2.example.com" { + memory 1G + disk "/home/joe/vm2-disk.img" + interface { switch "uplink" } + owner joe +} +.Ed +.Pp +Create a new VM as an instance from +.Sq vm2.example.com : +.Bd -literal -offset indent +vm "vm2.example.com" instance "vm3.example.com" { + disk "/home/joe/vm3-disk.img" +} +.Ed +.Pp +Create the switch "uplink" with an additional physical network interface: +.Bd -literal -offset indent +switch "uplink" { + interface bridge0 +} +.Ed +.Sh SEE ALSO +.Xr vmm 4 , +.Xr MAKEDEV 8 , +.Xr vmctl 8 , +.Xr vmd 8 +.Sh HISTORY +The +.Nm +file format first appeared in +.Ox 5.9 . +.Sh AUTHORS +.An -nosplit +.An Mike Larkin Aq Mt mlarkin@openbsd.org +and +.An Reyk Floeter Aq Mt reyk@openbsd.org . +.Sh CAVEATS +Each guest requires one +.Xr tap 4 +device per assigned interface and one +.Xr pty 4 +device. +Administrators may need to create additional devices using +.Xr MAKEDEV 8 . diff --git a/static/openbsd/man5/x509v3.cnf.5 b/static/openbsd/man5/x509v3.cnf.5 new file mode 100644 index 00000000..89f52d6a --- /dev/null +++ b/static/openbsd/man5/x509v3.cnf.5 @@ -0,0 +1,738 @@ +.\" $OpenBSD: x509v3.cnf.5,v 1.8 2022/03/31 17:27:17 naddy Exp $ +.\" full merge up to: +.\" OpenSSL man5/x509v3_config a41815f0 Mar 17 18:43:53 2017 -0700 +.\" selective merge up to: OpenSSL 36cf10cf Oct 4 02:11:08 2017 -0400 +.\" +.\" This file was written by Dr. Stephen Henson <steve@openssl.org>. +.\" Copyright (c) 2004, 2006, 2013, 2014, 2015, 2016 The OpenSSL Project. +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in +.\" the documentation and/or other materials provided with the +.\" distribution. +.\" +.\" 3. All advertising materials mentioning features or use of this +.\" software must display the following acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" +.\" +.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to +.\" endorse or promote products derived from this software without +.\" prior written permission. For written permission, please contact +.\" openssl-core@openssl.org. +.\" +.\" 5. Products derived from this software may not be called "OpenSSL" +.\" nor may "OpenSSL" appear in their names without prior written +.\" permission of the OpenSSL Project. +.\" +.\" 6. Redistributions of any form whatsoever must retain the following +.\" acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY +.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR +.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +.\" OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd $Mdocdate: March 31 2022 $ +.Dt X509V3.CNF 5 +.Os +.Sh NAME +.Nm x509v3.cnf +.Nd X.509 V3 certificate extension configuration format +.Sh DESCRIPTION +Several of the OpenSSL utilities can add extensions to a certificate or +certificate request based on the contents of a configuration file. +The file format is based on the +.Xr openssl.cnf 5 +format. +.Pp +Typically the application will contain an option to point to an +extension section. +Each line of the extension section takes the form: +.Pp +.D1 Ar extension_name Ns = Ns Oo Cm critical , Oc Ar extension_options +.Pp +If +.Cm critical +is present, then the extension will be critical. +.Pp +The format of +.Ar extension_options +depends on the value of +.Ar extension_name . +.Pp +There are four main types of extension: string extensions, multi-valued +extensions, raw extensions, and arbitrary extensions. +.Pp +String extensions simply have a string which contains either the value +itself or how it is obtained. +For example: +.Pp +.Dl nsComment="This is a Comment" +.Pp +Multi-valued extensions have a short form and a long form. +The short form is a list of names and values: +.Pp +.Dl basicConstraints=critical,CA:true,pathlen:1 +.Pp +The long form allows the values to be placed in a separate section: +.Bd -literal -offset indent +basicConstraints=critical,@bs_section + +[bs_section] +CA=true +pathlen=1 +.Ed +.Pp +Both forms are equivalent. +.Pp +The syntax of raw extensions is governed by the extension code: +it can for example contain data in multiple sections. +The correct syntax to use is defined by the extension code itself: +check out the certificate policies extension for an example. +.Pp +If an extension type is unsupported, then the arbitrary extension +syntax must be used; see the +.Sx ARBITRARY EXTENSIONS +section for more details. +.Sh STANDARD EXTENSIONS +The following sections describe each supported extension in detail. +.Ss Basic constraints +This is a multi-valued extension which indicates whether a certificate +is a CA certificate. +The first (mandatory) name is +.Ic CA +followed by +.Cm TRUE +or +.Cm FALSE . +If +.Ic CA +is +.Cm TRUE , +then an optional +.Ic pathlen +name followed by a non-negative value can be included. +For example: +.Bd -literal -offset indent +basicConstraints=CA:TRUE +basicConstraints=CA:FALSE +basicConstraints=critical,CA:TRUE, pathlen:0 +.Ed +.Pp +A CA certificate must include the +.Ic basicConstraints +value with the +.Ic CA +field set to +.Cm TRUE . +An end user certificate must either set +.Ic CA +to +.Cm FALSE +or exclude the extension entirely. +Some software may require the inclusion of +.Ic basicConstraints +with +.Ic CA +set to +.Cm FALSE +for end entity certificates. +.Pp +The +.Ic pathlen +parameter indicates the maximum number of CAs that can appear below +this one in a chain. +So if you have a CA with a +.Ic pathlen +of zero, it can only be used to sign end user certificates and not +further CAs. +.Ss Key usage +Key usage is a multi-valued extension consisting of a list of names of +the permitted key usages. +.Pp +The supported names are: +.Ic digitalSignature , +.Ic nonRepudiation , +.Ic keyEncipherment , +.Ic dataEncipherment , +.Ic keyAgreement , +.Ic keyCertSign , +.Ic cRLSign , +.Ic encipherOnly , +and +.Ic decipherOnly . +Examples: +.Bd -literal -offset indent +keyUsage=digitalSignature, nonRepudiation +keyUsage=critical, keyCertSign +.Ed +.Ss Extended key usage +This extension consists of a list of purposes for +which the certificate public key can be used. +.Pp +These can either be object short names or the dotted numerical form of OIDs. +While any OID can be used, only certain values make sense. +In particular the following PKIX, NS and MS values are meaningful: +.Bl -column emailProtection +.It Em value Ta Em meaning +.It Ic serverAuth Ta TLS server authentication +.It Ic clientAuth Ta TLS client authentication +.It Ic codeSigning Ta code signing +.It Ic emailProtection Ta E-mail protection (S/MIME) +.It Ic timeStamping Ta trusted timestamping +.It Ic OCSPSigning Ta OCSP signing +.It Ic ipsecIKE Ta IPsec internet key exchange +.It Ic msCodeInd Ta Microsoft individual code signing (authenticode) +.It Ic msCodeCom Ta Microsoft commercial code signing (authenticode) +.It Ic msCTLSign Ta Microsoft trust list signing +.It Ic msEFS Ta Microsoft encrypted file system +.El +.Pp +Examples: +.Bd -literal -offset indent +extendedKeyUsage=critical,codeSigning,1.2.3.4 +extendedKeyUsage=serverAuth,clientAuth +.Ed +.Ss Subject key identifier +This is really a string extension and can take two possible values. +Either the word +.Cm hash +which will automatically follow the guidelines in RFC 3280 +or a hex string giving the extension value to include. +The use of the hex string is strongly discouraged. +Example: +.Pp +.Dl subjectKeyIdentifier=hash +.Ss Authority key identifier +The authority key identifier extension permits two options, +.Cm keyid +and +.Cm issuer : +both can take the optional value +.Cm always . +.Pp +If the +.Cm keyid +option is present, an attempt is made to copy the subject +key identifier from the parent certificate. +If the value +.Cm always +is present, then an error is returned if the option fails. +.Pp +The +.Cm issuer +option copies the issuer and serial number from the issuer certificate. +This will only be done if the +.Cm keyid +option fails or is not included unless the +.Cm always +flag will always include the value. +Example: +.Pp +.Dl authorityKeyIdentifier=keyid,issuer +.Ss Subject alternative name +The subject alternative name extension allows various literal values to +be included in the configuration file. +These include +.Ic email +(an email address), +.Ic URI +(a uniform resource indicator), +.Ic DNS +(a DNS domain name), +.Ic RID +(a registered ID: OBJECT IDENTIFIER), +.Ic IP +(an IP address), +.Ic dirName +(a distinguished name), and +.Ic otherName . +.Pp +The +.Ic email +option can include a special +.Cm copy +value. +This will automatically include any email addresses contained in the +certificate subject name in the extension. +.Pp +The IP address used in the +.Ic IP +options can be in either IPv4 or IPv6 format. +.Pp +The value of +.Ic dirName +should point to a section containing the distinguished name to use as a +set of name value pairs. +Multi values AVAs can be formed by prefacing the name with a +.Ql + +character. +.Pp +.Ic otherName +can include arbitrary data associated with an OID: the value should +be the OID followed by a semicolon and the content in standard +.Xr ASN1_generate_nconf 3 +format. +Examples: +.Bd -literal -offset 2n +subjectAltName=email:copy,email:my@other.address,URI:http://my.url.here/ +subjectAltName=IP:192.168.7.1 +subjectAltName=IP:13::17 +subjectAltName=email:my@other.address,RID:1.2.3.4 +subjectAltName=otherName:1.2.3.4;UTF8:some other identifier + +subjectAltName=dirName:dir_sect + +[dir_sect] +C=UK +O=My Organization +OU=My Unit +CN=My Name +.Ed +.Ss Issuer alternative name +The issuer alternative name option supports all the literal options of +subject alternative name. +It does not support the +.Ic email : Ns Cm copy +option because that would not make sense. +It does support an additional +.Ic issuer : Ns Cm copy +option that will copy all the subject alternative name values from +the issuer certificate (if possible). +Example: +.Pp +.Dl issuerAltName = issuer:copy +.Ss Authority info access +The authority information access extension gives details about how to +access certain information relating to the CA. +Its syntax is +.Ar accessOID ; location +where +.Ar location +has the same syntax as subject alternative name (except that +.Ic email : Ns Cm copy +is not supported). +.Ar accessOID +can be any valid OID but only certain values are meaningful, +for example +.Cm OCSP +and +.Cm caIssuers . +Example: +.Bd -literal -offset indent +authorityInfoAccess = OCSP;URI:http://ocsp.my.host/ +authorityInfoAccess = caIssuers;URI:http://my.ca/ca.html +.Ed +.Ss CRL distribution points +This is a multi-valued extension whose options can be either in +.Ar name : Ns Ar value +pair form using the same form as subject alternative name or a +single value representing a section name containing all the +distribution point fields. +.Pp +For a +.Ar name : Ns Ar value +pair a new DistributionPoint with the fullName field set to the +given value, both the cRLissuer and reasons fields are omitted in +this case. +.Pp +In the single option case, the section indicated contains values +for each field. +In this section: +.Pp +If the name is +.Ic fullname , +the value field should contain the full name of the distribution +point in the same format as subject alternative name. +.Pp +If the name is +.Ic relativename , +then the value field should contain a section name whose contents +represent a DN fragment to be placed in this field. +.Pp +The name +.Ic CRLIssuer , +if present, should contain a value for this field in subject +alternative name format. +.Pp +If the name is +.Ic reasons , +the value field should consist of a comma separated field containing +the reasons. +Valid reasons are: +.Cm keyCompromise , +.Cm CACompromise , +.Cm affiliationChanged , +.Cm superseded , +.Cm cessationOfOperation , +.Cm certificateHold , +.Cm privilegeWithdrawn , +and +.Cm AACompromise . +.Pp +Simple examples: +.Bd -literal -offset indent +crlDistributionPoints=URI:http://myhost.com/myca.crl +crlDistributionPoints=URI:http://my.com/my.crl,URI:http://oth.com/my.crl +.Ed +.Pp +Full distribution point example: +.Bd -literal -offset indent +crlDistributionPoints=crldp1_section + +[crldp1_section] +fullname=URI:http://myhost.com/myca.crl +CRLissuer=dirName:issuer_sect +reasons=keyCompromise, CACompromise + +[issuer_sect] +C=UK +O=Organisation +CN=Some Name +.Ed +.Ss Issuing distribution point +This extension should only appear in CRLs. +It is a multi-valued extension whose syntax is similar to the "section" +pointed to by the CRL distribution points extension with a few +differences. +.Pp +The names +.Ic reasons +and +.Ic CRLissuer +are not recognized. +.Pp +The name +.Ic onlysomereasons +is accepted, which sets this field. +The value is in the same format as the CRL distribution point +.Ic reasons +field. +.Pp +The names +.Ic onlyuser , +.Ic onlyCA , +.Ic onlyAA , +and +.Ic indirectCRL +are also accepted. +The values should be a boolean values +.Cm ( TRUE +or +.Cm FALSE ) +to indicate the value of the corresponding field. +Example: +.Bd -literal -offset indent +issuingDistributionPoint=critical, @idp_section + +[idp_section] +fullname=URI:http://myhost.com/myca.crl +indirectCRL=TRUE +onlysomereasons=keyCompromise, CACompromise + +[issuer_sect] +C=UK +O=Organisation +CN=Some Name +.Ed +.Ss Certificate policies +This is a raw extension. +All the fields of this extension can be set by using the appropriate +syntax. +.Pp +If you follow the PKIX recommendations and just use one OID, then you +just include the value of that OID. +Multiple OIDs can be set separated by commas, for example: +.Pp +.Dl certificatePolicies= 1.2.4.5, 1.1.3.4 +.Pp +If you wish to include qualifiers, then the policy OID and qualifiers +need to be specified in a separate section: this is done by using the +.Pf @ Ar section +syntax instead of a literal OID value. +.Pp +The section referred to must include the policy OID using the name +.Ic policyIdentifier . +.Ic CPSuri +qualifiers can be included using the syntax: +.Pp +.D1 Ic CPS . Ns Ar nnn Ns = Ns Ar value +.Pp +.Ic userNotice +qualifiers can be set using the syntax: +.Pp +.D1 Ic userNotice . Ns Ar nnn Ns =@ Ns Ar notice +.Pp +The value of the +.Ic userNotice +qualifier is specified in the relevant section. +This section can include +.Ic explicitText , +.Ic organization , +and +.Ic noticeNumbers +options. +.Ic explicitText +and +.Ic organization +are text strings, +and +.Ic noticeNumbers +is a comma separated list of numbers. +The +.Ic organization +and +.Ic noticeNumbers +options (if included) must +.Em both +be present. +If you use the +.Ic userNotice +option with IE5 then you need the +.Ic ia5org +option at the top level to modify the encoding: otherwise it will +not be interpreted properly. +Example: +.Bd -literal -offset indent +certificatePolicies=ia5org,1.2.3.4,1.5.6.7.8,@polsect + +[polsect] +policyIdentifier = 1.3.5.8 +CPS.1="http://my.host.name/" +CPS.2="http://my.your.name/" +userNotice.1=@notice + +[notice] +explicitText="Explicit Text Here" +organization="Organisation Name" +noticeNumbers=1,2,3,4 +.Ed +.Pp +The +.Ic ia5org +option changes the type of the +.Ic organization +field. +In RFC 2459, it can only be of type +.Vt DisplayText . +In RFC 3280, +.Vt IA5String +is also permissible. +Some software (for example some versions of MSIE) may require +.Ic ia5org . +.Ss Policy constraints +This is a multi-valued extension which consists of the names +.Ic requireExplicitPolicy +or +.Ic inhibitPolicyMapping +and a non-negative integer value. +At least one component must be present. +Example: +.Pp +.Dl policyConstraints = requireExplicitPolicy:3 +.Ss Inhibit any policy +This is a string extension whose value must be a non-negative integer. +Example: +.Pp +.Dl inhibitAnyPolicy = 2 +.Ss Name constraints +The name constraints extension is a multi-valued extension. +The name should begin with the word +.Cm permitted +or +.Cm excluded , +followed by a semicolon. +The rest of the name and the value follows the syntax of subjectAltName +except +.Ic email : Ns Cm copy +is not supported and the +.Ic IP +form should consist of an IP addresses and subnet mask separated +by a slash. +Examples: +.Bd -literal -offset indent +nameConstraints=permitted;IP:192.168.0.0/255.255.0.0 +nameConstraints=permitted;email:.somedomain.com +nameConstraints=excluded;email:.com +.Ed +.Ss OCSP no check +The OCSP no check extension is a string extension, +but its value is ignored. +Example: +.Pp +.Dl noCheck = ignored +.Ss TLS Feature (aka must staple) +This is a multi-valued extension consisting of a list of TLS extension +identifiers. +Each identifier may be a number in the range from 0 to 65535 or a +supported name. +When a TLS client sends a listed extension, the TLS server is expected +to include that extension in its reply. +.Pp +The supported names are: +.Cm status_request +and +.Cm status_request_v2 . +Example: +.Pp +.Dl tlsfeature = status_request +.Sh DEPRECATED EXTENSIONS +The following extensions are non-standard, Netscape specific and largely +obsolete. +Their use in new applications is discouraged. +.Ss Netscape string extensions +Netscape comment +.Ic ( nsComment ) +is a string extension containing a comment which will be displayed when +the certificate is viewed in some browsers. +Example: +.Pp +.Dl nsComment = "Some Random Comment" +.Pp +Other supported extensions in this category are: +.Ic nsBaseUrl , +.Ic nsRevocationUrl , +.Ic nsCaRevocationUrl , +.Ic nsRenewalUrl , +.Ic nsCaPolicyUrl , +and +.Ic nsSslServerName . +.Ss Netscape certificate type +This is a multi-valued extensions which consists of a list of flags to +be included. +It was used to indicate the purposes for which a certificate could be +used. +The +.Ic basicConstraints , +.Ic keyUsage , +and extended key usage extensions are now used instead. +.Pp +Acceptable values for +.Ic nsCertType +are: +.Cm client , +.Cm server , +.Cm email , +.Cm objsign , +.Cm reserved , +.Cm sslCA , +.Cm emailCA , +.Cm objCA . +.Sh ARBITRARY EXTENSIONS +If an extension is not supported by the OpenSSL code, then it must +be encoded using the arbitrary extension format. +It is also possible to use the arbitrary format for supported +extensions. +Extreme care should be taken to ensure that the data is formatted +correctly for the given extension type. +.Pp +There are two ways to encode arbitrary extensions. +.Pp +The first way is to use the word +.Cm ASN1 +followed by the extension content using the same syntax as +.Xr ASN1_generate_nconf 3 . +For example: +.Bd -literal -offset indent +1.2.3.4=critical,ASN1:UTF8String:Some random data +1.2.3.4=ASN1:SEQUENCE:seq_sect + +[seq_sect] +field1 = UTF8:field1 +field2 = UTF8:field2 +.Ed +.Pp +It is also possible to use the word +.Cm DER +to include the raw encoded data in any extension. +.Bd -literal -offset indent +1.2.3.4=critical,DER:01:02:03:04 +1.2.3.4=DER:01020304 +.Ed +.Pp +The value following +.Cm DER +is a hex dump of the DER encoding of the extension. +Any extension can be placed in this form to override the default behaviour. +For example: +.Pp +.Dl basicConstraints=critical,DER:00:01:02:03 +.Sh FILES +.Bl -tag -width /etc/ssl/x509v3.cnf -compact +.It Pa /etc/ssl/x509v3.cnf +standard configuration file +.El +.Sh SEE ALSO +.Xr openssl 1 , +.Xr ASN1_generate_nconf 3 , +.Xr OPENSSL_config 3 , +.Xr openssl.cnf 5 +.Sh HISTORY +X509v3 extension code was first added to OpenSSL 0.9.2. +.Sh CAVEATS +There is no guarantee that a specific implementation will process a +given extension. +It may therefore sometimes be possible to use certificates for purposes +prohibited by their extensions because a specific application does not +recognize or honour the values of the relevant extensions. +.Pp +The +.Cm DER +and +.Cm ASN1 +options should be used with caution. +It is possible to create totally invalid extensions if they are not used +carefully. +.Pp +If an extension is multi-value and a field value must contain a comma, +the long form must be used. +Otherwise the comma would be misinterpreted as a field separator. +For example, +.Pp +.Dl subjectAltName=URI:ldap://somehost.com/CN=foo,OU=bar +.Pp +will produce an error, but the following form is valid: +.Bd -literal -offset indent +subjectAltName=@subject_alt_section + +[subject_alt_section] +subjectAltName=URI:ldap://somehost.com/CN=foo,OU=bar +.Ed +.Pp +Due to the behaviour of the OpenSSL CONF library, the same field +name can only occur once in a section. +That means that +.Bd -literal -offset indent +subjectAltName=@alt_section + +[alt_section] +email=steve@here +email=steve@there +.Ed +.Pp +will only use the last value. +This can be worked around by using the form: +.Bd -literal -offset indent +[alt_section] +email.1=steve@here +email.2=steve@there +.Ed diff --git a/static/openbsd/man5/ypldap.conf.5 b/static/openbsd/man5/ypldap.conf.5 new file mode 100644 index 00000000..8c51898f --- /dev/null +++ b/static/openbsd/man5/ypldap.conf.5 @@ -0,0 +1,224 @@ +.\" $OpenBSD: ypldap.conf.5,v 1.30 2025/07/08 14:26:45 schwarze Exp $ +.\" +.\" Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org> +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: July 8 2025 $ +.Dt YPLDAP.CONF 5 +.Os +.Sh NAME +.Nm ypldap.conf +.Nd LDAP YP map daemon configuration file +.Sh DESCRIPTION +The +.Xr ypldap 8 +daemon provides YP maps using LDAP as a backend. +.Pp +The +.Nm +config file is divided into the following main sections: +.Bl -tag -width xxxx +.It Sx Macros +Definitions of variables that can be used later, simplifying the +configuration file. +.It Sx Global configuration +Global settings for +.Xr ypldap 8 . +.It Sx Directories +LDAP Directory specific parameters. +.El +.Ss Macros +A macro is defined with a command of the form +.Ar name Ns = Ns Ar value . +The macro +.Ar name +can contain letters, digits, and underscores and cannot be a reserved word +(for example, +.Ic domain ) . +Within unquoted arguments, the string +.Pf $ Ar name +is later expanded to +.Ar value . +.Pp +For example: +.Bd -literal -offset indent +fixed_gecos="Pulled from LDAP" + +fixed attribute gecos $fixed_gecos +.Ed +.Ss Global configuration +Global settings concern the main behaviour of the daemon. +.Pp +.Bl -tag -width Ds -compact +.It Ic domain Ar string +Specify the name of the NIS domain +.Xr ypldap 8 +will provide. +.It Ic interval Ar seconds +Specify the interval in seconds at which the whole directory will be pulled +from LDAP. +.It Ic provide map Ar string +Specify a map that should be provided by +.Xr ypldap 8 +The currently implemented maps are: passwd.byname, passwd.byuid, +group.byname, group.bygid. +.It Ic cafile Ar filename +Load CA certificates from the specified file to validate the server certificate. +If not specified, CA certificates will be loaded from +.Pa /etc/ssl/cert.pem . +.It Ic bind Ar mode +Specify how the domain is made available for binding. +Valid options are: +.Bl -tag -width portmap +.It Ic portmap +Register with +.Xr portmap 8 +and allow +.Xr ypbind 8 +discovery. +This is the default mode. +.It Ic local +Create a YP binding file in +.Pa /var/yp/binding +to enable YP support in the +.Xr passwd 5 +and +.Xr group 5 +databases. +In this mode it is not necessary to run +.Xr portmap 8 , +and +.Xr ypbind 8 +must not be running. +YP services are only available to the host running +.Xr ypldap 8 . +.El +.El +.Ss Directories +Directories are used to describe the LDAP schema and help +.Xr ypldap 8 +convert LDAP entries to +.Xr passwd 5 , +.Xr master.passwd 5 , +and +.Xr group 5 +lines. +Each directory section consists of a declaration of the directory +server name and a set of directives describing how entries from the +directory are used to construct YP map entries. +.Bl -tag -width Ds +.It Ic directory Ar hostname Oo Ic port Ar port Oc Oo tls Oc Brq ... +Defines a directory by hostname and optionally port number. +If the +.Ar tls +argument is not specified, no transport-level security will be used. +Valid options are: +.Bl -tag -width Ds +.It Ic tls +Use STARTTLS to negotiate TLS, by default on port 389. +.It Ic ldaps +Connect with TLS enabled, by default on port 636. +.El +.El +.Pp +Valid directives for directories are: +.Bl -tag -width Ds +.It Xo +.Ic attribute Ar name Ic maps to Ar string +.Xc +Map the +.Xr passwd 5 , +.Xr master.passwd 5 , +or +.Xr group 5 +attribute to the LDAP attribute name supplied. +.It Ic basedn Ar string +Use the supplied search base as starting point for the directory search. +.It Ic certfile Ar string +Use the specified client certificate when connecting to the directory. +The file must contain a PEM encoded certificate. +.It Ic groupdn Ar string +Use the supplied search base as starting point for the directory search for +groups. +If not supplied, the basedn value will be used. +.It Ic bindcred Ar string +Use the supplied credentials for simple authentication against the directory. +.It Ic binddn Ar string +Use the supplied Distinguished Name to bind to the directory. +.It Ic bindext Oo Ar string Oc +Bind to the directory using SASL EXTERNAL, optionally using a supplied identity +string. +When using a TLS client certificate, this allows the client to bind as the +subject of the certificate. +If an identity string is supplied, usually in the form of a distinguished name +prefixed with "dn:", the directory will only allow the bind to succeed if it +matches the subject of the certificate. +.It Ic fixed attribute Ar attribute string +Do not retrieve the specified attribute from LDAP but +instead set it unconditionally to the supplied value for +every entry. +.It Ic group filter Ar string +Use the supplied LDAP filter to retrieve group entries. +.It Ic keyfile Ar string +Use the specified private key when connecting to the directory. +The file must contain a PEM encoded key. +.It Xo +.Ic list Ar name Ic maps to Ar string +.Xc +Map the +.Xr passwd 5 , +.Xr master.passwd 5 , +or +.Xr group 5 +attribute to the LDAP attribute name supplied. +A list creates a comma separated list of all the LDAP attributes found. +.Pp +Valid attributes are: +.Pp +.Bl -tag -width groupmembers -offset indent -compact +.It Ic name +.It Ic passwd +.It Ic uid +.It Ic gid +.It Ic gecos +.It Ic home +.It Ic shell +.It Ic change +.It Ic expire +.It Ic class +.It Ic groupname +.It Ic grouppasswd +.It Ic groupgid +.It Ic groupmembers +.El +.It Ic passwd filter Ar string +Use the supplied LDAP filter to retrieve password entries. +.El +.Sh FILES +.Bl -tag -width /etc/examples/ypldap.conf -compact +.It Pa /etc/ypldap.conf +.Xr ypldap 8 +configuration file. +.It Pa /etc/examples/ypldap.conf +Example configuration file. +.El +.Sh SEE ALSO +.Xr ypbind 8 , +.Xr ypldap 8 , +.Xr ypserv 8 +.Sh HISTORY +The +.Nm +file format first appeared in +.Ox 4.4 . diff --git a/static/openbsd/man5/ypserv.acl.5 b/static/openbsd/man5/ypserv.acl.5 new file mode 100644 index 00000000..914c17da --- /dev/null +++ b/static/openbsd/man5/ypserv.acl.5 @@ -0,0 +1,163 @@ +.\" $OpenBSD: ypserv.acl.5,v 1.27 2022/03/31 17:27:32 naddy Exp $ +.\" +.\" Copyright (c) 1994 Mats O Jansson <moj@stacken.kth.se> +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS +.\" OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY +.\" DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.Dd $Mdocdate: March 31 2022 $ +.Dt YPSERV.ACL 5 +.Os +.Sh NAME +.Nm ypserv.acl +.Nd ypserv(8) access control configuration +.Sh DESCRIPTION +The +.Nm +file controls which hosts can connect to the +.Xr yp 8 +server. +.Pp +The format is more complex than the format for +.Xr securenet 5 . +The first two words on each line controls if the line will +.Ic allow +or +.Ic deny +access for a +.Cm host , +network +.Pq Cm net , +or +.Cm all +hosts. +.Pp +The YP +server reads the configuration file and builds a list in memory. +This list is processed from the beginning for every incoming request. +As soon as a +match is found in the list, the search terminates and it returns success +or failure depending on which of +.Ic allow +or +.Ic deny +was specified. +If no match was found in the list, success is returned. +.Pp +If access is denied, every call will cause a +.Dq no such domain +error for the caller. +.Pp +Normally both the local hostname and localhost must be +allowed access. +Otherwise +.Xr ypserv 8 +might not work correctly. +.Pp +There is no default name for this file. +Start +.Xr ypserv 8 +with +.Fl a Ar filename +to read a file with this format. +.Pp +The following syntax may be used: +.Pp +.D1 Ic allow Ns | Ns Ic deny Cm host Ar hostname Ns | Ns Ar ip-address +.Pp +If +.Ic hostname +has more than one IP address, they will all be added to the list. +.Pp +.D1 Ic allow Ns | Ns Ic deny Cm net Ar netnumber Op Cm netmask Ar netnumber +.Pp +If the +.Cm netmask +part of the command isn't given then the netmask will be assumed to be a +class A, B or C net depending on the net number. +.Pp +.D1 Ic allow Ns | Ns Ic deny Cm all +.Pp +A line containing one of these commands will always match any host. +.Sh FILES +.Bl -tag -width /var/yp/ypserv.acl -compact +.It Pa /var/yp/ypserv.acl +a +.Xr ypserv 8 +configuration file +.El +.Sh EXAMPLES +A configuration file might look like the following: +.Bd -literal +# This is an example of an access control file to be used by ypserv. +# +# This file is parsed line by line. First match will terminate the check +# of the caller. +# + +########################################################################### +# This is the commands that will match a single host +# +# allow host <hostname|ip-address> +# deny host <hostname|ip-address> +# +# To process hostname gethostbyname is called. If the hostname has +# multiple ip-addresses all will be added (I hope). ip-address +# processed by inet_aton. +allow host localhost +allow host myypserver +deny host jodie + +########################################################################### +# This is the commands that will match a network +# +# allow net <netnumber> [netmask <netnumber>] +# deny net <netnumber> [netmask <netnumber>] +# +# inet_aton is used for netnumber. +# inet_aton both access numbers as 255.255.255.0 and 0xffffff00. +# +# If netmask isn't given the parser will assume netmask from the first bits +# of the network number. So if the network is subneted the you have to add +# the netmask. In my case I've got the network 139.58.253.0 at home so to +# allow any of my computers to talk with the server I need the following +# line +# +allow net 139.58.253.0 netmask 255.255.255.0 + +########################################################################### +# At last we have a command that will match any caller: +# +# allow all +# deny all +# + +# reject all connections +deny all + +.Ed +.Sh SEE ALSO +.Xr securenet 5 , +.Xr yp 8 , +.Xr ypserv 8 +.Sh AUTHORS +.An Mats O Jansson Aq Mt moj@stacken.kth.se |