options GATEWAY
Enables IPFORWARDING (which see) and (on most ports) increases the size of NMBCLUSTERS (which see). In general, GATEWAY is used to indicate that a system should act as a router, and IPFORWARDING is not invoked directly. (Note that GATEWAY has no impact on protocols other than IP, such as CLNP.) The GATEWAY option also compiles IPv4 and IPv6 fast forwarding code into the kernel.
options ICMPPRINTFS
The ICMPPRINTFS option will enable debugging information to be printed about the icmp(4) protocol.
options IPFORWARDING=value
If value is 1 this enables IP routing behavior. If value is 0 (the default), it disables it. The GATEWAY option sets this to 1 automatically. With this option enabled, the machine will forward IP datagrams destined for other machines between its interfaces. Note that even without this option, the kernel will still forward some packets (such as source routed packets) -- removing GATEWAY and IPFORWARDING is insufficient to stop all routing through a bastion host on a firewall -- source routing is controlled independently. To turn off source routing, use options IPFORWSRCRT=0 (which see). Note that IP forwarding may be turned on and off independently of the setting of the IPFORWARDING option through the use of the net.inet.ip.forwarding sysctl variable. If net.inet.ip.forwarding is 1, IP forwarding is on. See sysctl(8) and sysctl(3) for details.
options IPFORWSRCRT=value
If value is set to zero, source routing of IP datagrams is turned off. If value is set to one (the default) or the option is absent, source routed IP datagrams are forwarded by the machine. Note that source routing of IP packets may be turned on and off independently of the setting of the IPFORWSRCRT option through the use of the net.inet.ip.forwsrcrt sysctl variable. If net.inet.ip.forwsrcrt is 1, forwarding of source routed IP datagrams is on. See sysctl(8) and sysctl(3) for details.
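The interaction of GATEWAY, IPFORWARDING and IPFORWSRCRT described above, as an added example that is not part of the original manual page: a shell function that reads a kernel configuration file and reports the compiled-in forwarding defaults. The function name audit_forwarding and the sample configurations are constructed for illustration; the script assumes a flat config file and treats GATEWAY as forcing forwarding on.

```shell
#!/bin/sh
# Added example (not from the manual page): report the compiled-in defaults
# for IP forwarding and source-route forwarding implied by a kernel config.
# Assumes a flat config file: no "include" and no "no options" lines.

audit_forwarding() {   # usage: audit_forwarding CONFIG_FILE
    awk '
        BEGIN { fwd = 0; srcrt = 1; gw = 0 }   # defaults stated on the page
        { sub(/#.*/, "") }                      # drop comments
        $1 == "options" {
            $1 = ""
            n = split($0, opts, ",")            # "options A,B=1" carries two
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", opts[i])
                split(opts[i], kv, "=")
                if (kv[1] == "GATEWAY")           gw = 1
                else if (kv[1] == "IPFORWARDING") fwd = kv[2] + 0
                else if (kv[1] == "IPFORWSRCRT")  srcrt = kv[2] + 0
            }
        }
        END {
            if (gw) fwd = 1   # GATEWAY sets IPFORWARDING to 1 (assumed final here)
            printf "forwarding=%d forwsrcrt=%d\n", fwd, srcrt
            exit ((fwd || srcrt) ? 1 : 0)       # non-zero: host may still route
        }
    ' "$1"
}

# Constructed sample configs (hypothetical kernel names).
tmp=$(mktemp -d)
# 1) GATEWAY and IPFORWARDING removed, IPFORWSRCRT left at its default.
printf '%s\n' 'options INET' '#options GATEWAY' > "$tmp/BASTION_WEAK"
# 2) Same, with source routing explicitly disabled.
printf '%s\n' 'options INET' 'options IPFORWARDING=0,IPFORWSRCRT=0' > "$tmp/BASTION_OK"
# 3) A router kernel.
printf '%s\n' 'options GATEWAY   # router' > "$tmp/ROUTER"

for f in BASTION_WEAK BASTION_OK ROUTER; do
    if out=$(audit_forwarding "$tmp/$f"); then verdict="no forwarding"
    else verdict="may forward packets"; fi
    echo "$f: $out ($verdict)"
done
rm -rf "$tmp"
```

These are only the compiled-in defaults; the running values of net.inet.ip.forwarding and net.inet.ip.forwsrcrt can differ and should be checked with sysctl(8) as well.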
options IFA_STATS
Tells the kernel to maintain per-address statistics on bytes sent and received over (currently) Internet and AppleTalk addresses. The option is not recommended as it degrades system stability.
options IFQ_MAXLEN=value
Increases the allowed size of the network interface packet queues. The default queue size is 50 packets, and you do not normally need to increase it.
options IPSELSRC
Includes support for source-address selection policies. See in_getifa(9).
options MROUTING
Includes support for IP multicast routers. You certainly want INET with this. Multicast routing is controlled by the mrouted(8) daemon. See also option PIM.
options PIM
Includes support for Protocol Independent Multicast (PIM) routing. You need MROUTING and INET with this. Software using this can be found e.g. in pkgsrc/net/xorp.
options INET
Includes support for the TCP/IP protocol stack. You almost certainly want this. See inet(4) for details.
options INET6
Includes support for the IPv6 protocol stack. See inet6(4) for details. Unlike INET, INET6 enables multicast routing code as well. This option requires INET at this moment, but it should not.
options ND6_DEBUG
The option sets the default value of net.inet6.icmp6.nd6_debug to 1, for debugging IPv6 neighbor discovery protocol handling. See sysctl(3) for details.
options IPSEC
Includes support for the IPsec protocol, using the KAME implementation. See ipsec(4) for details.
options IPSEC_DEBUG
Enables debugging code in IPsec stack. See ipsec(4) for details.
options IPSEC_ESP
Includes support for IPsec ESP protocol, using the KAME implementation. See ipsec(4) for details.
options FAST_IPSEC
Includes support for the IPsec protocol, using the implementation derived from OpenBSD, relying on opencrypto(9) to carry out cryptographic operations. See fast_ipsec(4) for details.
options IPSEC_NAT_T
Includes support for IPsec Network Address Translator traversal (NAT-T), as described in RFCs 3947 and 3948. This feature might be patent-encumbered in some countries.
options ALTQ
Enables ALTQ (Alternate Queueing). For simple rate-limiting, use tbrconfig(8) to set up the interface transmission rate. To use queueing disciplines, their appropriate kernel options should also be defined (documented below). Queueing disciplines are managed by altqd(8). See altq(9) for details.
options ALTQ_HFSC
Include support for ALTQ-implemented HFSC (Hierarchical Fair Service Curve) module. HFSC supports both link-sharing and guaranteed real-time services. HFSC employs a service curve based QoS model, and its unique feature is an ability to decouple delay and bandwidth allocation. Requires ALTQ_RED to use the RED queueing discipline on HFSC classes, or ALTQ_RIO to use the RIO queueing discipline on HFSC classes. This option assumes ALTQ.
options ALTQ_PRIQ
Include support for ALTQ-implemented PRIQ (Priority Queueing). PRIQ implements a simple priority-based queueing discipline. A higher priority class is always served first. Requires ALTQ_RED to use the RED queueing discipline on HFSC classes, or ALTQ_RIO to use the RIO queueing discipline on HFSC classes. This option assumes ALTQ.
options ALTQ_WFQ
Include support for ALTQ-implemented WFQ (Weighted Fair Queueing). WFQ implements a weighted-round robin scheduler for a set of queues. A weight can be assigned to each queue to give a different proportion of the link capacity. A hash function is used to map a flow to one of a set of queues. This option assumes ALTQ.
options ALTQ_FIFOQ
Include support for ALTQ-implemented FIFO queueing. FIFOQ is a simple drop-tail FIFO (First In, First Out) queueing discipline. This option assumes ALTQ.
options ALTQ_RIO
Include support for ALTQ-implemented RIO (RED with In/Out). The original RIO has 2 sets of RED parameters; one for in-profile packets and the other for out-of-profile packets. At the ingress of the network, profile meters tag packets as IN or OUT based on contracted profiles for customers. Inside the network, IN packets receive preferential treatment by the RIO dropper. ALTQ/RIO has 3 drop precedence levels defined for the Assured Forwarding PHB of DiffServ (RFC 2597). This option assumes ALTQ.
options ALTQ_BLUE
Include support for ALTQ-implemented Blue buffer management. Blue is another active buffer management mechanism. This option assumes ALTQ.
options ALTQ_FLOWVALVE
Include support for ALTQ-implemented Flowvalve. Flowvalve is a simple implementation of a RED penalty box that identifies and punishes misbehaving flows. This option requires ALTQ_RED and assumes ALTQ.
options ALTQ_CDNR
Include support for ALTQ-implemented CDNR (diffserv traffic conditioner) packet marking/manipulation. Traffic conditioners are components to meter, mark, or drop incoming packets according to some rules. As opposed to queueing disciplines, traffic conditioners handle incoming packets at an input interface. This option assumes ALTQ.
options ALTQ_NOPCC
Disables use of processor cycle counter to measure time in ALTQ. This option should be defined for a non-Pentium i386 CPU which does not have TSC, SMP (per-CPU counters are not in sync), or power management which affects processor cycle counter. This option assumes ALTQ.
options ALTQ_IPSEC
Include support for IPsec in IPv4 ALTQ. This option assumes ALTQ.
options ALTQ_JOBS
Include support for ALTQ-implemented JoBS (Joint Buffer Management and Scheduling). This option assumes ALTQ.
options ALTQ_AFMAP
Include support for an undocumented ALTQ feature that is used to map an IP flow to an ATM VC (Virtual Circuit). This option assumes ALTQ.
options ALTQ_LOCALQ
Include support for ALTQ-implemented local queues. Its practical use is undefined. Assumes ALTQ.
options SUBNETSARELOCAL
Sets default value for net.inet.ip.subnetsarelocal variable, which controls whether non-directly-connected subnets of connected networks are considered "local" for purposes of choosing the MSS for a TCP connection. This is mostly present for historic reasons and completely irrelevant if you enable Path MTU discovery.
options HOSTZEROBROADCAST
Sets default value for net.inet.ip.hostzerobroadcast variable, which controls whether the zeroth host address of each connected subnet is also considered a broadcast address. Default value is "1", for compatibility with old systems; if this is set to zero on all hosts on a subnet, you should be able to fit an extra host per subnet on the ".0" address.
options MCLSHIFT=value
This option is the base-2 logarithm of the size of mbuf clusters. The BSD networking stack keeps network packets in a linked list, or chain, of kernel buffer objects called mbufs. The system provides larger mbuf clusters as an optimization for large packets, instead of using long chains for large packets. The mbuf cluster size, or MCLBYTES, must be a power of two, and is computed as two raised to the power MCLSHIFT. On systems with Ethernet network adapters, MCLSHIFT is often set to 11, giving 2048-byte mbuf clusters, large enough to hold a 1500-byte Ethernet frame in a single cluster. Systems with network interfaces supporting larger frame sizes like ATM, FDDI, or HIPPI may perform better with MCLSHIFT set to 12 or 13, giving mbuf cluster sizes of 4096 and 8192 bytes, respectively.
options ISO,TPIP
Include support for the ubiquitous OSI protocol stack. See iso(4) for details. This option assumes INET.
options EON
Include support for tunneling OSI protocols over IP. Known to be broken, or at least very fragile, and undocumented.
options NETATALK
Include support for the AppleTalk protocol stack. The kernel provides provision for the Datagram Delivery Protocol (DDP), providing SOCK_DGRAM support and AppleTalk routing. This stack is used by the NETATALK package, which adds support for AppleTalk server services via user libraries and applications.
options BLUETOOTH
Include support for the Bluetooth protocol stack. See bluetooth(4) for details.
options IPNOPRIVPORTS
Normally, only root can bind a socket descriptor to a so-called “privileged” TCP port, that is, a port number in the range 0-1023. This option eliminates those checks from the kernel. This can be useful if there is a desire to allow daemons without privileges to bind those ports, e.g., on firewalls. The security tradeoffs in doing this are subtle. This option should only be used by experts.
options TCP_COMPAT_42
TCP bug compatibility with 4.2BSD. In 4.2BSD, TCP sequence numbers were 32-bit signed values. Modern implementations of TCP use unsigned values. This option clamps the initial sequence number to start in the range 2^31 rather than the full unsigned range of 2^32. Also, under 4.2BSD, keepalive packets must contain at least one byte or else the remote end would not respond.
options TCP_DEBUG
Record the last TCP_NDEBUG TCP packets with SO_DEBUG set, and decode to the console if tcpconsdebug is set.
options TCP_NDEBUG
Number of packets to record for TCP_DEBUG. Defaults to 100.
options TCP_SENDSPACE=value
options TCP_RECVSPACE=value
These options set the max TCP window size to other sizes than the default. The TCP window sizes can be altered via sysctl(8) as well.
options TCP_INIT_WIN=value
This option sets the initial TCP window size for non-local connections, which is used when the transmission starts. The default size is 1, but if the machine should act more aggressively, the initial size can be set to some other value. The initial TCP window size can be set via sysctl(8) as well.
options PFIL_HOOKS
This option turns on the packet filter interface hooks. See pfil(9) for details. This option assumes INET.
options IPFILTER_LOG
This option, in conjunction with pseudo-device ipfilter, enables logging of IP packets using IP-Filter.
options IPFILTER_LOOKUP
This option enables the IP-Filter ippool(8) functionality.
options IPFILTER_COMPAT
This option enables older IP-Filter binaries to work.
options IPFILTER_DEFAULT_BLOCK
This option sets the default policy of IP-Filter. If it is set, IP-Filter will block packets by default.
options BRIDGE_IPF
This option causes bridge devices to use the IP and/or IPv6 filtering hooks, forming a link-layer filter that uses protocol-layer rules. This option assumes the presence of pseudo-device ipfilter.
options MBUFTRACE
This option can help track down mbuf leaks. When enabled, mbufs are tagged with the devices and protocols using them, which slightly decreases network performance. This additional information can be viewed with netstat(1):
netstat -mssv
Not all devices or protocols support this option.