Whitespace-only fixes. Translators, please ignore.
This commit is contained in:
parent
47786e5cf1
commit
8c7eaba7a3
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=42267
1 changed files with 146 additions and 144 deletions
|
|
@ -2482,17 +2482,17 @@ device crypto</screen>
|
|||
<screen>&prompt.root; <userinput>ifconfig gif0 tunnel <replaceable>external1 external2</replaceable></userinput></screen>
|
||||
|
||||
<para>In this example, the corporate <acronym>LAN</acronym>'s
|
||||
external <acronym>IP</acronym> address is <hostid
|
||||
role="ipaddr">172.16.5.4</hostid> and its internal
|
||||
<acronym>IP</acronym> address is <hostid
|
||||
role="ipaddr">10.246.38.1</hostid>. The home
|
||||
external <acronym>IP</acronym> address is
|
||||
<hostid role="ipaddr">172.16.5.4</hostid> and its internal
|
||||
<acronym>IP</acronym> address is
|
||||
<hostid role="ipaddr">10.246.38.1</hostid>. The home
|
||||
<acronym>LAN</acronym>'s external <acronym>IP</acronym>
|
||||
address is <hostid role="ipaddr">192.168.1.12</hostid> and its
|
||||
internal private <acronym>IP</acronym> address is <hostid
|
||||
role="ipaddr">10.0.0.5</hostid>.</para>
|
||||
address is <hostid role="ipaddr">192.168.1.12</hostid> and
|
||||
its internal private <acronym>IP</acronym> address is
|
||||
<hostid role="ipaddr">10.0.0.5</hostid>.</para>
|
||||
|
||||
<para>If this is confusing, review the following example output
|
||||
from &man.ifconfig.8;:</para>
|
||||
<para>If this is confusing, review the following example
|
||||
output from &man.ifconfig.8;:</para>
|
||||
|
||||
<programlisting>Gateway 1:
|
||||
|
||||
|
|
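Review bot: worth confirming that only line wrapping changed in this hunk: the four addresses (172.16.5.4, 10.246.38.1, 192.168.1.12 and 10.0.0.5) and their `<hostid role="ipaddr">` markup are identical on both sides, and the rewrapped text now keeps each `<hostid role="ipaddr">` start tag on a single line instead of breaking it after `<hostid`, which makes the element easier to find when grepping the source. That is consistent with the "whitespace-only" commit message.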
@ -2698,8 +2698,8 @@ Foreground mode.
|
|||
seem to be part of the same network. Most likely both
|
||||
networks are protected by a firewall. To allow traffic to
|
||||
flow between them, rules need to be added to pass packets.
|
||||
For the &man.ipfw.8; firewall, add the following lines to the
|
||||
firewall configuration file:</para>
|
||||
For the &man.ipfw.8; firewall, add the following lines to
|
||||
the firewall configuration file:</para>
|
||||
|
||||
<programlisting>ipfw add 00201 allow log esp from any to any
|
||||
ipfw add 00202 allow log ah from any to any
|
||||
|
|
@ -3767,35 +3767,37 @@ VII. References <co id="co-ref"/></programlisting>
|
|||
<programlisting>options RACCT
|
||||
options RCTL</programlisting>
|
||||
|
||||
<para>The entire system will need rebuilt. See <xref
|
||||
linkend="kernelconfig"/>, which will provide instructions for
|
||||
the process. Once this is complete, the <command>rctl</command>
|
||||
may be used to set rules for the system.</para>
|
||||
<para>The entire system will need rebuilt. See
|
||||
<xref linkend="kernelconfig"/>, which will provide instructions
|
||||
for the process. Once this is complete, the
|
||||
<command>rctl</command> may be used to set rules for the
|
||||
system.</para>
|
||||
|
||||
<para>Rule syntax is simple, controlled through the use of
|
||||
a <emphasis>subject</emphasis>, a <emphasis>subject-id</emphasis>,
|
||||
<emphasis>resource</emphasis>, and <emphasis>action</emphasis>.
|
||||
Take the following example rule:</para>
|
||||
a <emphasis>subject</emphasis>, a
|
||||
<emphasis>subject-id</emphasis>, <emphasis>resource</emphasis>,
|
||||
and <emphasis>action</emphasis>. Take the following example
|
||||
rule:</para>
|
||||
|
||||
<programlisting>user:trhodes:<literal>maxproc</literal>:<literal>deny</literal>=10/user</programlisting>
|
||||
|
||||
<para>This rule shows a basic premise of a rule, here the
|
||||
subject is <literal>user</literal> and the subject-id
|
||||
is <literal>trhodes</literal>. The maxproc is, of course,
|
||||
max number of processes, which is considered the resource.
|
||||
The action here is set to <literal>deny</literal>, which blocks
|
||||
any new processes from being created. In the previous example,
|
||||
the user, <literal>trhodes</literal> will be constrained
|
||||
to <literal>10</literal> (ten) processes and no greater.
|
||||
Other actions are available and could be log to the console,
|
||||
pass a notification to &man.devd.8;, or
|
||||
send a sigterm to the process.</para>
|
||||
<para>This rule shows a basic premise of a rule, here the subject
|
||||
is <literal>user</literal> and the subject-id is
|
||||
<literal>trhodes</literal>. The maxproc is, of course, max
|
||||
number of processes, which is considered the resource. The
|
||||
action here is set to <literal>deny</literal>, which blocks any
|
||||
new processes from being created. In the previous example, the
|
||||
user, <literal>trhodes</literal> will be constrained to
|
||||
<literal>10</literal> (ten) processes and no greater. Other
|
||||
actions are available and could be log to the console, pass a
|
||||
notification to &man.devd.8;, or send a sigterm to the
|
||||
process.</para>
|
||||
|
||||
<para>Some care must be taken while adding rules. The one above
|
||||
will unfortunately block my user from doing the most simple tasks
|
||||
after I have logged in and executed a <command>screen</command>
|
||||
session. When a resource limit has been hit, an error will
|
||||
be printed, as in this example:</para>
|
||||
will unfortunately block my user from doing the most simple
|
||||
tasks after I have logged in and executed a
|
||||
<command>screen</command> session. When a resource limit has
|
||||
been hit, an error will be printed, as in this example:</para>
|
||||
|
||||
<screen>&prompt.user; <userinput>man test</userinput>
|
||||
/usr/bin/man: Cannot fork: Resource temporarily unavailable
|
||||
|
|
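Review bot: two pre-existing wording issues sit in the lines being reflowed here and are easy to lose track of once the lines have been touched: "The entire system will need rebuilt" is missing "to be", and "send a sigterm to the process" should name the signal as SIGTERM. Both are content changes and therefore out of scope for a commit labelled whitespace-only, so they belong in a separate follow-up commit rather than in this one.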
@ -3808,9 +3810,9 @@ eval: Cannot fork: Resource temporarily unavailable</screen>
|
|||
<screen>&prompt.root; <userinput>rctl -a jail:httpd:memoryuse:deny=2G/jail</userinput></screen>
|
||||
|
||||
<para>Rules may also persist across reboots if they have been
|
||||
added to <filename>/etc/rctl.conf</filename>. The
|
||||
format is a rule, without the preceding command. For example,
|
||||
the previous rule could be added like the following:</para>
|
||||
added to <filename>/etc/rctl.conf</filename>. The format is a
|
||||
rule, without the preceding command. For example, the previous
|
||||
rule could be added like the following:</para>
|
||||
|
||||
<programlisting># Block jail from using more than 2G memory:
|
||||
jail:httpd:memoryuse:deny=2G/jail</programlisting>
|
||||
|
|
@ -3826,7 +3828,7 @@ jail:httpd:memoryuse:deny=2G/jail</programlisting>
|
|||
|
||||
<screen>&prompt.root; <userinput>rctl -r user:trhodes</userinput></screen>
|
||||
|
||||
<para>Many other resources exist which can be used to excert
|
||||
<para>Many other resources exist which can be used to exert
|
||||
additional control over various <literal>subjects</literal>.
|
||||
See &man.rctl.8; to learn about them.</para>
|
||||
</sect1>
|
||||
|
|
|
|||
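Review bot: this hunk changes "excert" to "exert", which is a spelling fix rather than a whitespace change and contradicts the commit message "Whitespace-only fixes. Translators, please ignore." A translator who skips the commit on the strength of that message will miss it. Suggest either mentioning the spelling fix in the commit message or moving it into its own commit so the translation teams can track it.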