xref: /netbsd-src/share/man/man7/sysctl.7 (revision d8c86e1768d8cd72bad35a1e286c24e1525f2159)

.\"	$NetBSD: sysctl.7,v 1.167 2024/03/07 23:03:55 gutteridge Exp $
.\"
.\" Copyright (c) 1993
.\"	The Regents of the University of California.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"	@(#)sysctl.3	8.4 (Berkeley) 5/9/95
.\"
.Dd March 7, 2024
.Dt SYSCTL 7
.Os
.Sh NAME
.Nm sysctl
.Nd system information variables
.Sh DESCRIPTION
The
.Xr sysctl 3
library function and the
.Xr sysctl 8
utility are used to get and set values of system variables, maintained
by the kernel.
The variables are organized in a tree and identified by a sequence of
numbers, conventionally separated by dots with the topmost identifier
at the left side.
The numbers have corresponding text names.
The
.Xr sysctlnametomib 3
function or the
.Fl M
argument to the
.Xr sysctl 8
utility can be used to convert the text representation to the
numeric one.
.Pp
The individual sysctl variables are described below, both the textual
and numeric form where applicable.
The textual names can be used as argument to the
.Xr sysctl 8
utility and in the file
.Pa /etc/sysctl.conf .
The numeric names are usually defined as preprocessor constants and
are intended for use by programs.
Every such constant expands to one integer, which identifies the
sysctl variable relative to the upper level of the tree.
See the
.Xr sysctl 3
manual page for programming examples.
.Ss Top level names
The top level names are defined with a
.Va CTL_
prefix in
.In sys/sysctl.h ,
and are as follows.
The next and subsequent levels down are found in the include files
listed here, and described in separate sections below.
.Bl -column "security" ".Dv CTL_SECURITY" ".In uvm/uvm_param.h" "High kernel limits"
.It Sy Name  Ta Sy Constant     Ta Sy Next level names Ta Sy Description
.It kern     Ta Dv CTL_KERN     Ta In sys/sysctl.h     Ta High kernel limits
.It vm       Ta Dv CTL_VM       Ta In uvm/uvm_param.h  Ta Virtual memory
.It vfs      Ta Dv CTL_VFS      Ta In sys/mount.h      Ta Filesystem
.It net      Ta Dv CTL_NET      Ta In sys/socket.h     Ta Networking
.It debug    Ta Dv CTL_DEBUG    Ta In sys/sysctl.h     Ta Debugging
.It hw       Ta Dv CTL_HW       Ta In sys/sysctl.h     Ta Generic CPU, I/O
.It machdep  Ta Dv CTL_MACHDEP  Ta In sys/sysctl.h     Ta Machine dependent
.It user     Ta Dv CTL_USER     Ta In sys/sysctl.h     Ta User-level
.It ddb      Ta Dv CTL_DDB      Ta In sys/sysctl.h     Ta In-kernel debugger
.It proc     Ta Dv CTL_PROC     Ta In sys/sysctl.h     Ta Per-process
.It vendor   Ta Dv CTL_VENDOR   Ta ?                   Ta Vendor specific
.It emul     Ta Dv CTL_EMUL     Ta In sys/sysctl.h     Ta Emulation settings
.It security Ta Dv CTL_SECURITY Ta In sys/sysctl.h     Ta Security settings
.El
.Ss The debug.* subtree
The debugging variables vary from system to system.
A debugging variable may be added or deleted without need to recompile
.Nm
to know about it.
Each time it runs,
.Nm
gets the list of debugging variables from the kernel and
displays their current values.
The system defines twenty
.Vt ( struct ctldebug )
variables named
.Dv debug0
through
.Dv debug19 .
They are declared as separate variables so that they can be
individually initialized at the location of their associated variable.
The loader prevents multiple use of the same variable by issuing errors
if a variable is initialized in more than one place.
For example, to export the variable
.Va dospecialcheck
as a debugging variable, the following declaration would be used:
.Pp
.Bd -literal -offset indent -compact
int dospecialcheck = 1;
struct ctldebug debug5 = { "dospecialcheck", &dospecialcheck };
.Ed
.Pp
Note that the dynamic implementation of
.Nm
currently in use largely makes this particular
.Nm
interface obsolete.
See
.Xr sysctl 8
.\" and
.\" .Xr sysctl 9
for more information.
.Ss The vfs.* subtree
A distinguished second level name,
.Li vfs.generic ( Dv VFS_GENERIC ) ,
is used to get general information about all file systems.
It has the following third level identifiers:
.Bl -tag -width "123456"
.It Li vfs.generic.maxtypenum ( Dv VFS_MAXTYPENUM )
The highest valid file system type number.
.It Li vfs.generic.conf ( Dv VFS_CONF )
Returns configuration information about the file system type given as a fourth
level identifier.
.It Li vfs.generic.usermount ( Dv VFS_USERMOUNT )
Controls whether users other than the super-user can mount file
systems.
Defaults to
.Li 0 ,
so only the super-user can mount file systems.
.Pp
File systems mounted by unprivileged users must be mounted with the
.Li nodev
and
.Li nosuid
.Xr mount 8
options.
.It Li vfs.generic.magiclinks ( Dv VFS_MAGICLINKS )
Controls whether expansion of variables is going to be performed on
pathnames or not.
Defaults to
.Li 0 ,
no variable expansion.
Variables are of the form
.Li @name
and the variables supported are described in
.Xr symlink 7
under
.Dq "MAGIC SYMLINKS" .
.El
.Pp
A second level name for controlling the
.Xr wapbl 4
(Write Ahead Physical Block Logging file system journaling)
capabilities with the following third level identifiers:
.Bl -tag -width "123456"
.It Li vfs.wapbl.flush_disk_cache
Controls whether to attempt to flush the disk cache on each commit.
It defaults to 1 and it should always be on to ensure integrity
of file system metadata in the event of a power loss.
For slow disks, turning it off can improve performance.
.It Li vfs.wapbl.verbose_commit
For each transaction log commit, print the number of bytes written
and the time it took to commit as seconds.nanoseconds.
.El
.Pp
The remaining second level identifiers are the file system names, identified
by the type number returned by a
.Xr statvfs 2
call or from
.Li vfs.generic.conf .
.Pp
The third level identifiers available for each file system
are given in the header file that defines the mount
argument structure for that file system.
.Ss The hw.* subtree
The string and integer information available for the
.Li hw
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "hw.machine_arch" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It hw.alignbytes	integer	no
.It hw.byteorder	integer	no
.It hw.cnmagic	string	yes
.It hw.disknames	string	no
.It hw.diskstats	struct	no
.It hw.machine	string	no
.It hw.machine_arch	string	no
.It hw.model	string	no
.It hw.ncpu	integer	no
.It hw.ncpuonline	integer	no
.It hw.pagesize	integer	no
.It hw.physmem	integer	no
.It hw.physmem64	quad	no
.It hw.usermem	integer	no
.It hw.usermem64	quad	no
.El
.Bl -tag -width "123456"
.It Li hw.alignbytes ( Dv HW_ALIGNBYTES )
Alignment constraint for all possible data types.
This shows the value
.Dv ALIGNBYTES
in
.In machine/param.h ,
at the kernel compilation time.
.It Li hw.byteorder ( Dv HW_BYTEORDER )
The byteorder (4321, or 1234).
.It Li hw.cnmagic ( Dv HW_CNMAGIC )
The console magic key sequence.
.It Li hw.disknames ( Dv HW_DISKNAMES )
The list of (space separated) disk device names on the system.
.It Li hw.iostatnames ( Dv HW_IOSTATNAMES )
A space separated list of devices that will have I/O statistics
collected on them.
.It Li hw.iostats ( Dv HW_IOSTATS )
Return statistical information on the NFS mounts, disk and tape
devices on the system.
An array of
.Vt struct io_sysctl
structures is returned,
whose size depends on the current number of such objects in the system.
The third level name is the size of the
.Vt struct io_sysctl .
The type of object can be determined by examining the
.Va type
element of
.Vt struct io_sysctl .
Which can be
.Dv IOSTAT_DISK
(disk drive),
.Dv IOSTAT_TAPE
(tape drive), or
.Dv IOSTAT_NFS
(NFS mount).
.It Li hw.machine ( Dv HW_MACHINE )
The machine class.
.It Li hw.machine_arch ( Dv HW_MACHINE_ARCH )
The machine CPU class.
.It Li hw.model ( Dv HW_MODEL )
The machine model.
.It Li hw.ncpu ( Dv HW_NCPU )
The number of CPUs configured.
.It Li hw.ncpuonline ( Dv HW_NCPUONLINE )
The number of CPUs online.
.It Li hw.pagesize ( Dv HW_PAGESIZE )
The software page size.
.It Li hw.physmem ( Dv HW_PHYSMEM )
The bytes of physical memory as a 32-bit integer.
.It Li hw.physmem64 ( Dv HW_PHYSMEM64 )
The bytes of physical memory as a 64-bit integer.
.It Li hw.usermem ( Dv HW_USERMEM )
The bytes of non-kernel memory as a 32-bit integer.
.It Li hw.usermem64 ( Dv HW_USERMEM64 )
The bytes of non-kernel memory as a 64-bit integer.
.El
.Ss The kern.* subtree
This subtree includes data generally related to the kernel.
The string and integer information available for the
.Li kern
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.posix_reader_writer_locks" \
"struct kinfo_drivers" "not applicable"
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It kern.aio_listio_max	integer	yes
.It kern.aio_max	integer	yes
.It kern.arandom	integer	no
.It kern.argmax	integer	no
.It kern.boothowto	integer	no
.It kern.boottime	struct timespec	no
.It kern.buildinfo	string	no
.\".It kern.bufq	node	not applicable
.It kern.ccpu	integer	no
.It kern.clockrate	struct clockinfo	no
.It kern.consdev	integer	no
.It kern.coredump	node	not applicable
.It kern.cp_id	struct	no
.It kern.cp_time	uint64_t[\|]	no
.It kern.cryptodevallowsoft	integer	yes
.It kern.defcorename	string	yes
.It kern.detachall	integer	yes
.It kern.domainname	string	yes
.It kern.drivers	struct kinfo_drivers	no
.It kern.dump_on_panic	integer	yes
.It kern.expose_address	integer	yes
.It kern.file	struct file	no
.It kern.forkfsleep	integer	yes
.It kern.fscale	integer	no
.It kern.fsync	integer	no
.It kern.hardclock_ticks	integer	no
.It kern.heartbeat.max_period	integer	yes
.It kern.hostid	integer	yes
.It kern.hostname	string	yes
.It kern.iov_max	integer	no
.It kern.ipc	node	not applicable
.It kern.job_control	integer	no
.It kern.labeloffset	integer	no
.It kern.labelsector	integer	no
.It kern.login_name_max	integer	no
.It kern.logsigexit	integer	yes
.It kern.lwp	struct kinfo_lwp	yes
.It kern.mapped_files	integer	no
.It kern.maxfiles	integer	yes
.It kern.maxlwp	integer	yes
.It kern.maxpartitions	integer	no
.It kern.maxphys	integer	no
.It kern.maxproc	integer	yes
.It kern.maxptys	integer	yes
.It kern.maxvnodes	integer	yes
.It kern.messages	integer	yes
.It kern.mbuf	node	not applicable
.It kern.memlock	integer	no
.It kern.memlock_range	integer	no
.It kern.memory_protection	integer	no
.It kern.module	node	not applicable
.It kern.monotonic_clock	integer	no
.It kern.mqueue	node	not applicable
.It kern.msgbuf	integer	no
.It kern.msgbufsize	integer	no
.It kern.ngroups	integer	no
.\".It kern.no_sa_support	integer	yes
.It kern.ntptime	struct ntptimeval	no
.It kern.osrelease	string	no
.It kern.osrevision	integer	no
.It kern.ostype	string	no
.\".It kern.panic_now	integer	yes
.It kern.pipe	node	not applicable
.It kern.pool	struct pool_sysctl	no
.\" .It kern.posix	node	not applicable
.It kern.posix1version	integer	no
.It kern.posix_aio	integer	no
.It kern.posix_barriers	integer	no
.It kern.posix_reader_writer_locks	integer	no
.\".It kern.posix_sched	integer	yes
.It kern.posix_semaphores	integer	no
.It kern.posix_spin_locks	integer	no
.It kern.posix_threads	integer	no
.It kern.posix_timers	integer	no
.It kern.proc	struct kinfo_proc	no
.It kern.proc2	struct kinfo_proc2	no
.It kern.proc_args	string	no
.It kern.profiling	node	not applicable
.\".It kern.pset	node	not applicable
.It kern.rawpartition	integer	no
.It kern.root_device	string	no
.It kern.root_partition	integer	no
.It kern.rtc_offset	integer	yes
.It kern.saved_ids	integer	no
.It kern.sbmax	integer	yes
.It kern.sched	node	not applicable
.It kern.securelevel	integer	raise only
.It kern.sofixedbuf	boolean	yes
.It kern.somaxkva	integer	yes
.It kern.sooptions	integer	yes
.It kern.synchronized_io	integer	no
.It kern.timecounter	node	not applicable
.It kern.timex	struct	no
.It kern.tkstat	node	not applicable
.It kern.tty	node	not applicable
.It kern.urandom	integer	no
.It kern.usercrypto	integer	yes
.It kern.userasymcrypto	integer	yes
.It kern.veriexec	node	not applicable
.It kern.version	string	no
.It kern.vnode	struct vnode	no
.El
.Bl -tag -width "123456"
.It Li kern.aio_listio_max
The maximum number of asynchronous I/O operations in a single list
I/O call.
Like with all variables related to
.Xr aio 3 ,
the variable may be created and removed dynamically
upon loading or unloading the corresponding kernel module.
.It Li kern.aio_max
The maximum number of asynchronous I/O operations.
.It Li kern.arandom ( Dv KERN_ARND )
Returns independent uniformly distributed bytes at random each time, as
many as requested up to 256, derived from the system entropy pool; see
.Xr rnd 4 .
.Pp
Reading
.Li kern.arandom
is equivalent to reading up to 256 bytes at a time from
.Pa /dev/urandom :
reading
.Li kern.arandom
never blocks, and once the system entropy pool has full entropy, output
subsequently read from
.Li kern.arandom
is fit for use as cryptographic key material.
For example, the
.Xr arc4random 3
library routine uses
.Li kern.arandom
internally to seed a cryptographic pseudorandom number generator.
.It Li kern.argmax ( Dv KERN_ARGMAX )
The maximum bytes of argument to
.Xr execve 2 .
.It Li kern.boothowto
Flags passed from the boot loader; see
.Xr reboot 2
for the meanings of the flags.
.It Li kern.boottime ( Dv KERN_BOOTTIME )
A
.Vt struct timespec
structure is returned.
This structure contains the time that the system was booted.
That time is defined (for this purpose) to be the time at
which the kernel first started accumulating clock ticks.
.It Li kern.bufq
This variable contains information on the
.Xr bufq 9
subsystem.
Currently, the only third level name implemented is
.Dv kern.bufq.strategies
which provides a list of buffer queue strategies currently available.
.It Li kern.buildinfo
When the kernel is built, the build environment may optionally provide
arbitrary information to be stored in this variable.
.It Li kern.ccpu ( Dv KERN_CCPU )
The scheduler exponential decay value.
.It Li kern.clockrate ( Dv KERN_CLOCKRATE )
A
.Vt struct clockinfo
structure is returned.
This structure contains the clock, statistics clock and profiling clock
frequencies, the number of micro-seconds per hz tick, and the clock
skew rate.
Refer to
.Xr hz 9
for additional details.
.It Li kern.consdev ( Dv KERN_CONSDEV )
Console device.
.It Li kern.coredump
Settings related to set-id processes coredumps.
By default, set-id processes do not dump core in situations where
other processes would.
The settings in this node allows an administrator to change this
behavior.
.Pp
The third level name is
.Dv kern.coredump.setid
and fourth level variables are described below.
.Bl -column "kern.coredump.setid.group" "integer" "Changeable" -offset indent
.It Sy Fourth level name Ta Sy Type Ta Sy Changeable
.It kern.coredump.setid.dump	integer	yes
.It kern.coredump.setid.group	integer	yes
.It kern.coredump.setid.mode	integer	yes
.It kern.coredump.setid.owner	integer	yes
.It kern.coredump.setid.path	string	yes
.El
.Bl -tag -width "123456"
.It Li kern.coredump.setid.dump
If non-zero, set-id processes will dump core.
.It Li kern.coredump.setid.group
The group-id for the set-id processes' coredump.
.It Li kern.coredump.setid.mode
The mode for the set-id processes' coredump.
See
.Xr chmod 1 .
.It Li kern.coredump.setid.owner
The user-id that will be used as the owner of the set-id processes'
coredump.
.It Li kern.coredump.setid.path
The path to which set-id processes' coredumps will be saved to.
Same syntax as kern.defcorename.
.El
.It Li kern.cp_id ( Dv KERN_CP_ID )
Mapping of CPU number to CPU id.
.It Li kern.cp_time ( Dv KERN_CP_TIME )
Returns an array of
.Dv CPUSTATES
.Vt uint64_t Ns s .
This array contains the
number of clock ticks spent in different CPU states.
On multi-processor systems, the sum across all CPUs is returned unless
appropriate space is given for one data set for each CPU.
Data for a specific CPU can also be obtained by adding the number of the
CPU at the end of the MIB, enlarging it by one.
.It Li kern.cryptodevallowsoft
This variable controls userland access to hardware versus software transforms
in the
.Xr crypto 4
system.
The available values are as follows:
.Bl -tag -width XX0 -offset indent
.It Dv < 0
Always force userlevel requests to use software transforms.
.It Dv = 0
If present, use hardware and grant userlevel requests for
non-accelerated transforms (handling the latter in software).
.It Dv > 0
Allow user requests only for transforms which are hardware-accelerated.
.El
.It Li kern.defcorename ( Dv KERN_DEFCORENAME )
Default template for the name of core dump files (see also
.Li proc.pid.corename
in the per-process variables
.Li proc.* ,
and
.Xr core 5
for format of this template).
The default value is
.Pa %n.core
and can be changed with the kernel configuration option
.Cd options DEFCORENAME
(see
.Xr options 4
).
.It Li kern.detachall
Detach all devices at shutdown.
.It Li kern.domainname ( Dv KERN_DOMAINNAME )
Get or set the YP domain name.
.It Li kern.drivers ( Dv KERN_DRIVERS )
Return an array of
.Vt struct kinfo_drivers
that contains the name and major device numbers of all the device drivers
in the current kernel.
The
.Va d_name
field is always a NUL terminated string.
The
.Va d_bmajor
field will be set to \-1 if the driver doesn't have a block device.
.It Li kern.expose_address
Expose kernel addresses in
.Xr sysctl 3
calls used by
.Xr fstat 1
and
.Xr sockstat 1 .
If it is set to
.Dv 0
access is not allowed.
If it is set to
.Dv 1
then only processes that have opened
.Pa /dev/kmem
can have access.
If it is set to
.Dv 2
every process is allowed.
Defaults to
.Dv 0
for
.Dv KASLR
kernels
and
.Dv 1
otherwise.
Allowing general access renders KASLR ineffective; allowing only kmem
accessing programs weakens KASLR if those programs can be subverted
to leak the addresses.
.It Li kern.dump_on_panic ( Dv KERN_DUMP_ON_PANIC )
Perform a crash dump on system
.Xr panic 9 .
.It Li kern.file ( Dv KERN_FILE )
Return the entire file table.
The returned data consists of a single
.Vt struct filelist
followed by an array of
.Vt struct file ,
whose size depends on the current number of such objects in the system.
.It Li kern.forkfsleep ( Dv KERN_FORKFSLEEP )
If
.Xr fork 2
system call fails due to limit on number of processes (either
the global maxproc limit or user's one), wait for this many
milliseconds before returning
.Er EAGAIN
error to process.
Useful to keep heavily forking runaway processes in bay.
Default zero (no sleep).
Maximum is 20 seconds.
.It Li kern.fscale ( Dv KERN_FSCALE )
The kernel fixed-point scale factor.
.It Li kern.fsync ( Dv KERN_FSYNC )
Return 1 if the
.St -p1003.1b-93
File Synchronization Option is available
on this system,
otherwise\ 0.
.It Li kern.hardclock_ticks ( Dv KERN_HARDCLOCK_TICKS )
Returns the number of
.Xr hardclock 9
ticks.
.It Li kern.heartbeat.max_period
Time in seconds since the last
.Cd options HEARTBEAT
progress check has passed before it will trigger a panic.
See
.Xr options 4 .
.It Li kern.hist
This variable contains kernel history data if the kernel was
configured for any of the options
.Dv UVHMIST ,
.Dv USB_DEBUG ,
.Dv BIOHIST ,
or
.Dv SCDEBUG .
(See
.Xr options 4
for more details.)
The third-level names correspond to each available history table.
The values of the history tables are in an internal format, and can be
decoded by the
.Xr vmstat 1
utility's
.Fl U
and
.Fl u
options;
the
.Fl l
option can be used to see which tables are available.
.It Li kern.hostid ( Dv KERN_HOSTID )
Get or set the host identifier.
This is aimed to replace the legacy
.Xr gethostid 3
and
.Xr sethostid 3
system calls.
.It Li kern.hostname ( Dv KERN_HOSTNAME )
Get or set the
.Xr hostname 1 .
.It Li kern.iov_max ( Dv KERN_IOV_MAX )
Return the maximum number of
.Vt iovec
structures that a process has available for use with
.Xr preadv 2 ,
.Xr pwritev 2 ,
.Xr readv 2 ,
.Xr recvmsg 2 ,
.Xr sendmsg 2
and
.Xr writev 2 .
.It Li kern.ipc ( Dv KERN_SYSVIPC )
Return information about the SysV IPC parameters.
The third level names for the ipc variables are detailed below.
.Bl -column "kern.ipc.shm_use_phys" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.ipc.sysvmsg	integer	no
.It kern.ipc.sysvsem	integer	no
.It kern.ipc.sysvshm	integer	no
.It kern.ipc.sysvipc_info	struct	no
.It kern.ipc.shmmax	integer	yes
.It kern.ipc.shmmni	integer	yes
.It kern.ipc.shmseg	integer	yes
.It kern.ipc.shmmaxpgs	integer	yes
.It kern.ipc.shm_use_phys	integer	yes
.It kern.ipc.msgmni	integer	yes
.It kern.ipc.msgseg	integer	yes
.It kern.ipc.semmni	integer	yes
.It kern.ipc.semmns	integer	yes
.It kern.ipc.semmnu	integer	yes
.El
.Bl -tag -width "123456"
.It Li kern.ipc.sysvmsg ( Dv KERN_SYSVIPC_MSG )
Returns 1 if System V style message queue functionality is available
on this system,
otherwise\ 0.
.It Li kern.ipc.sysvsem ( Dv KERN_SYSVIPC_SEM )
Returns 1 if System V style semaphore functionality is available
on this system,
otherwise\ 0.
.It Li kern.ipc.sysvshm ( Dv KERN_SYSVIPC_SHM )
Returns 1 if System V style share memory functionality is available
on this system,
otherwise\ 0.
.It Li kern.ipc.sysvipc_info ( Dv KERN_SYSVIPC_INFO )
Return System V style IPC configuration and run-time information.
The fourth level name selects the System V style IPC facility.
.Bl -column "KERN_SYSVIPC_MSG_INFO" "struct shm_sysctl_info" -offset indent
.It Sy Fourth level name Ta Sy Type
.It KERN_SYSVIPC_MSG_INFO	struct msg_sysctl_info
.It KERN_SYSVIPC_SEM_INFO	struct sem_sysctl_info
.It KERN_SYSVIPC_SHM_INFO	struct shm_sysctl_info
.El
.Bl -tag -width "123456"
.It Li KERN_SYSVIPC_MSG_INFO
Return information on the System V style message facility.
The
.Sy msg_sysctl_info
structure is defined in
.In sys/msg.h .
.It Li KERN_SYSVIPC_SEM_INFO
Return information on the System V style semaphore facility.
The
.Sy sem_sysctl_info
structure is defined in
.In sys/sem.h .
.It Li KERN_SYSVIPC_SHM_INFO
Return information on the System V style shared memory facility.
The
.Sy shm_sysctl_info
structure is defined in
.In sys/shm.h .
.El
.It Li kern.ipc.shmmax ( Dv KERN_SYSVIPC_SHMMAX )
Max shared memory segment size in bytes.
.It Li kern.ipc.shmmni ( Dv KERN_SYSVIPC_SHMMNI )
Max number of shared memory identifiers.
.It Li kern.ipc.shmseg ( Dv KERN_SYSVIPC_SHMSEG )
Max shared memory segments per process.
.It Li kern.ipc.shmmaxpgs ( Dv KERN_SYSVIPC_SHMMAXPGS )
Max amount of shared memory in pages.
.It Li kern.ipc.shm_use_phys ( Dv KERN_SYSVIPC_SHMUSEPHYS )
Locking of shared memory in physical memory.
If 0, memory can be swapped
out, otherwise it will be locked in physical memory.
.It Li kern.ipc.msgmni
Max number of message queue identifiers.
.It Li kern.ipc.msgseg
Max number of number of message segments.
.It Li kern.ipc.semmni
Max number of number of semaphore identifiers.
.It Li kern.ipc.semmns
Max number of number of semaphores in system.
.It Li kern.ipc.semmnu
Max number of undo structures in system.
.El
.It Li kern.job_control ( Dv KERN_JOB_CONTROL )
Return 1 if job control is available on this system, otherwise\ 0.
.It Li kern.labeloffset ( Dv KERN_LABELOFFSET )
The offset within the sector specified by
.Dv KERN_LABELSECTOR
of the
.Xr disklabel 5 .
.It Li kern.labelsector ( Dv KERN_LABELSECTOR )
The sector number containing the
.Xr disklabel 5 .
.It Li kern.login_name_max ( Dv KERN_LOGIN_NAME_MAX )
The size of the storage required for a login name, in bytes,
including the terminating NUL.
.It Li kern.logsigexit ( Dv KERN_LOGSIGEXIT )
If this flag is non-zero, the kernel will
.Xr log 9
all process exits due to signals which create a
.Xr core 5
file, and whether the coredump was created.
.It Li kern.lwp ( Dv KERN_LWP )
Returns information about the current light-weight process.
The
.Sy kinfo_lwp
structure is defined in
.In sys/sysctl.h .
.It Li kern.mapped_files ( Dv KERN_MAPPED_FILES )
Returns 1 if the
.St -p1003.1b-93
Memory Mapped Files Option is available on this system,
otherwise\ 0.
.It Li kern.maxfiles ( Dv KERN_MAXFILES )
The maximum number of open files that may be open in the system.
This also controls the maximum file locks per unprivileged user
enforced by
.Xr fcntl 2
and
.Xr flock 2 .
.It Li kern.maxpartitions ( Dv KERN_MAXPARTITIONS )
The maximum number of partitions allowed per disk.
.It Li kern.maxlwp
The maximum number of Lightweight Processes (threads) the system allows
per uid.
.It Li kern.maxphys ( Dv KERN_MAXPHYS )
Maximum raw I/O transfer size.
.It Li kern.maxproc ( Dv KERN_MAXPROC )
The maximum number of simultaneous processes the system will allow.
.It Li kern.maxptys ( Dv KERN_MAXPTYS )
The maximum number of pseudo terminals.
This value can be both raised and lowered, though it cannot
be set lower than number of currently used ptys.
See also
.Xr pty 4 .
.It Li kern.maxvnodes ( Dv KERN_MAXVNODES )
The maximum number of vnodes available on the system.
This cannot be lowered below the number of currently active vnodes.
.It Li kern.mbuf ( Dv KERN_MBUF )
Return information about the mbuf control variables.
Mbufs are data structures which store network packets and other data
structures in the networking code, see
.Xr mbuf 9 .
The third level names for the mbuf variables are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.mbuf.nmbclusters_limit" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.\" XXX Changeable? really?
.It kern.mbuf.mblowat	integer	yes
.It kern.mbuf.mclbytes	integer	yes
.It kern.mbuf.mcllowat	integer	yes
.It kern.mbuf.msize	integer	yes
.It kern.mbuf.nmbclusters	integer	yes
.It kern.mbuf.nmbclusters_limit	integer	no
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.mbuf.mblowat ( Dv MBUF_MBLOWAT )
The mbuf low water mark.
.It Li kern.mbuf.mclbytes ( Dv MBUF_MCLBYTES )
The mbuf cluster size.
.It Li kern.mbuf.mcllowat ( Dv MBUF_MCLLOWAT )
The mbuf cluster low water mark.
.It Li kern.mbuf.msize ( Dv MBUF_MSIZE )
The mbuf base size.
.It Li kern.mbuf.nmbclusters ( Dv MBUF_NMBCLUSTERS )
The limit on the number of mbuf clusters.
The variable can only be increased, and only increased on machines with
direct-mapped pool pages.
.It Li kern.mbuf.nmbclusters_limit ( Dv MBUF_NMBCLUSTERS_LIMIT )
The limit of nmbclusters.
.El
.It Li kern.memlock ( Dv KERN_MEMLOCK )
Returns 1 if the
.St -p1003.1b-93
Process Memory Locking Option is available on this system,
otherwise\ 0.
.It Li kern.memlock_range ( Dv KERN_MEMLOCK_RANGE )
Returns 1 if the
.St -p1003.1b-93
Range Memory Locking Option is available on this system,
otherwise\ 0.
.It Li kern.memory_protection ( Dv KERN_MEMORY_PROTECTION )
Returns 1 if the
.St -p1003.1b-93
Memory Protection Option is available on this system,
otherwise\ 0.
.It Li kern.messages
Kernel console message verbosity.
See
.Aq Pa sys/reboot.h
.Bl -column "verbosity" "setting" -offset indent
.It Sy Value Ta Sy Verbosity Ta Sy sys/reboot.h equivalent
.It 0 Ta Silent Ta Sy AB_SILENT
.It 1 Ta Quiet Ta Sy AB_QUIET
.It 2 Ta Normal Ta Sy AB_NORMAL
.It 3 Ta Verbose Ta Sy AB_VERBOSE
.It 4 Ta Debug Ta Sy AB_DEBUG
.El
.It Li kern.module
Settings related to kernel modules.
The third level names for the settings are described below.
.Bl -column "kern.module.autounload_unsafe" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.module.autoload	integer	yes
.It kern.module.autounload_unsafe	integer	yes
.It kern.module.autotime	integer	yes
.It kern.module.verbose	boolean	yes
.El
.Pp
The variables are as follows:
.Bl -tag -width 6n
.It Li kern.module.autoload
A boolean that controls whether kernel modules are loaded automatically.
See
.Xr module 7
for details.
.It Li kern.module.autounload_unsafe
A boolean that controls whether the kernel will autounload modules that
were automatically loaded and have not been audited for autounload.
.Pp
By default, only modules that have been audited will be autounloaded,
and only if they were autoloaded to begin with.
.It Li kern.module.autotime
An integer that controls the delay before an attempt is made to
automatically unload a module that was auto-loaded.
Setting this value to zero disables the auto-unload function.
.It Li kern.module.verbose
A boolean that enables or disables verbose
debug messages related to kernel modules.
.El
.It Li kern.monotonic_clock ( Dv KERN_MONOTONIC_CLOCK )
Returns the standard version the implementation of the
.St -p1003.1b-93
Monotonic Clock Option conforms to,
otherwise\ 0.
.It Li kern.mqueue
Settings related to POSIX message queues; see
.Xr mqueue 3 .
This node is created dynamically when
the corresponding kernel module is loaded.
The third level names for the settings are described below.
.Bl -column "kern.mqueue.mq_max_msgsize" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.mqueue.mq_open_max	integer	yes
.It kern.mqueue.mq_prio_max	integer	yes
.It kern.mqueue.mq_max_msgsize	integer	yes
.It kern.mqueue.mq_def_maxmsg	integer	yes
.It kern.mqueue.mq_max_maxmsg	integer	yes
.El
.Pp
The variables are:
.Bl -tag -width "123456"
.It Li kern.mqueue.mq_open_max
The maximum number of message queue descriptors any single process can open.
.It Li kern.mqueue.mq_prio_max
The maximum priority of a message.
.It Li kern.mqueue.mq_max_msgsize
The maximum size of a message in a message queue.
.It Li kern.mqueue.mq_def_maxmsg
The default maximum message count.
.It Li kern.mqueue.mq_max_maxmsg
The maximum number of messages in a message queue.
.El
.It Li kern.msgbuf ( Dv KERN_MSGBUF )
The kernel message buffer, rotated so that the head of the circular kernel
message buffer is at the start of the returned data.
The returned data may contain NUL bytes.
.It Li kern.msgbufsize ( Dv KERN_MSGBUFSIZE )
The maximum number of characters that the kernel message buffer can hold.
.It Li kern.ngroups ( Dv KERN_NGROUPS )
The maximum number of supplemental groups.
.\" .It Li kern.no_sa_support
.\" XXX: Undocumented.
.It Li kern.ntptime ( Dv KERN_NTPTIME )
A
.Vt struct ntptimeval
structure is returned.
This structure contains data used by the
.Xr ntpd 8
program.
.It Li kern.osrelease ( Dv KERN_OSRELEASE )
The system release string.
.It Li kern.osrevision ( Dv KERN_OSREV )
The system revision, expressed as an integer.
.It Li kern.ostype ( Dv KERN_OSTYPE )
The system type string.
.\".It Li kern.panic_now
.\" XXX: Undocumented.
.It Li kern.pipe ( Dv KERN_PIPE )
Pipe settings.
The third level names for the  integer pipe settings is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.pipe.maxbigpipes" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.pipe.kvasiz	integer	yes
.It kern.pipe.maxbigpipes	integer	yes
.It kern.pipe.maxkvasz	integer	yes
.It kern.pipe.limitkva	integer	yes
.It kern.pipe.nbigpipes	integer	yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.pipe.kvasiz ( Dv KERN_PIPE_KVASIZ )
Amount of kernel memory consumed by pipe buffers.
.It Li kern.pipe.maxbigpipes ( Dv KERN_PIPE_MAXBIGPIPES )
Maximum number of
.Dq big
pipes.
.It Li kern.pipe.maxkvasz ( Dv KERN_PIPE_MAXKVASZ )
Maximum amount of kernel memory to be used for pipes.
.It Li kern.pipe.limitkva ( Dv KERN_PIPE_LIMITKVA )
Limit for direct transfers via page loan.
.It Li kern.pipe.nbigpipes ( Dv KERN_PIPE_NBIGPIPES )
Number of
.Dq big
pipes.
.El
.It Li kern.pool
Provides statistics about the
.Xr pool 9
and
.Xr pool_cache 9
subsystems.
.\" XXX: Undocumented .It Li kern.posix ( ? )
.\"	 This is a node in which the only variable is semmax.
.It Li kern.posix1version ( Dv KERN_POSIX1 )
The version of ISO/IEC 9945
.Pq St -p1003.1
with which the system attempts to comply.
.It Li kern.posix_aio
The version of
.St -p1003.1
and its Asynchronous I/O option to which the system attempts to conform.
.It Li kern.posix_barriers ( Dv KERN_POSIX_BARRIERS )
The version of
.St -p1003.1
and its
Barriers
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.posix_reader_writer_locks ( Dv KERN_POSIX_READER_WRITER_LOCKS )
The version of
.St -p1003.1
and its
Read-Write Locks
option to which the system attempts to conform,
otherwise\ 0.
.\".It Li kern.posix_sched
.\" XXX: Undocumented.
.It Li kern.posix_semaphores ( Dv KERN_POSIX_SEMAPHORES )
The version of
.St -p1003.1
and its
Semaphores
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.posix_spin_locks ( Dv KERN_POSIX_SPIN_LOCKS )
The version of
.St -p1003.1
and its
Spin Locks
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.posix_threads ( Dv KERN_POSIX_THREADS )
The version of
.St -p1003.1
and its
Threads
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.posix_timers ( Dv KERN_POSIX_TIMERS )
The version of
.St -p1003.1
and its
Timers
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.proc ( Dv KERN_PROC )
Return the entire process table, or a subset of it.
An array of
.Vt struct kinfo_proc
structures is returned,
whose size depends on the current number of such objects in the system.
The third and fourth level numeric names are as follows:
.Bl -column "KERN_PROC_SESSION" "Fourth level is:" -offset indent
.It Sy Third level name Ta Sy Fourth level is :
.It KERN_PROC_ALL	None
.It KERN_PROC_GID	A group ID
.It KERN_PROC_PID	A process ID
.It KERN_PROC_PGRP	A process group
.It KERN_PROC_RGID	A real group ID
.It KERN_PROC_RUID	A real user ID
.It KERN_PROC_SESSION	A session ID
.It KERN_PROC_TTY	A tty device
.It KERN_PROC_UID	A user ID
.El
.It Li kern.proc2 ( Dv KERN_PROC2 )
As for
.Dv KERN_PROC ,
but an array of
.Vt struct kinfo_proc2
structures are returned.
The fifth level name is the size of the
.Vt struct kinfo_proc2
and the sixth level name is the number of structures to return.
.It Li kern.proc_args ( Dv KERN_PROC_ARGS )
Return the argv or environment strings (or the number thereof)
of a process.
Multiple strings are returned separated by NUL characters.
The third level name is the process ID.
The fourth level name is as follows:
.Bl -column "KERN_PROG_PATHNAME" "The full pathname of the executable" -offset indent
.It Dv KERN_PROC_ARGV	The argv strings
.It Dv KERN_PROC_ENV	The environ strings
.It Dv KERN_PROC_NARGV	The number of argv strings
.It Dv KERN_PROC_NENV	The number of environ strings
.It Dv KERN_PROC_PATHNAME	The full pathname of the executable
.It Dv KERN_PROC_CWD	The current working directory
.El
.It Li kern.profiling ( Dv KERN_PROF )
Return profiling information about the kernel.
If the kernel is not compiled for profiling,
attempts to retrieve any of the
.Dv KERN_PROF
values will fail with
.Er EOPNOTSUPP .
The third level names for the string and integer profiling information
is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.profiling.gmonparam" "struct gmonparam" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.profiling.count	u_short[\|]	yes
.It kern.profiling.froms	u_short[\|]	yes
.It kern.profiling.gmonparam	struct gmonparam	no
.It kern.profiling.state	integer	yes
.It kern.profiling.tos	struct tostruct	yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.profiling.count ( Dv GPROF_COUNT )
Array of statistical program counter counts.
.It Li kern.profiling.froms ( Dv GPROF_FROMS )
Array indexed by program counter of call-from points.
.It Li kern.profiling.gmonparams ( Dv GPROF_GMONPARAM )
Structure giving the sizes of the above arrays.
.It Li kern.profiling.state ( Dv GPROF_STATE )
Profiling state.
If set to
.Dv GMON_PROF_ON ,
starts profiling.
If set to
.Dv GMON_PROF_OFF ,
stops profiling.
.It Li kern.profiling.tos ( Dv GPROF_TOS )
Array of
.Vt struct tostruct
describing destination of calls and their counts.
.El
.\" .It Li kern.pset
.\" XXX: Undocumented.
.It Li kern.rawpartition ( Dv KERN_RAWPARTITION )
The raw partition of a disk (a == 0).
.It Li kern.root_device ( Dv KERN_ROOT_DEVICE )
The name of the root device (e.g.,
.Dq wd0 ) .
.It Li kern.root_partition ( Dv KERN_ROOT_PARTITION )
The root partition on the root device (a == 0).
.It Li kern.rtc_offset ( Dv KERN_RTC_OFFSET )
Return the offset of real time clock from UTC in minutes.
.It Li kern.saved_ids ( Dv KERN_SAVED_IDS )
Returns 1 if saved set-group and saved set-user ID is available.
.It Li kern.sbmax ( Dv KERN_SBMAX )
Maximum socket buffer size in bytes.
.It Li kern.securelevel ( Dv KERN_SECURELVL )
See
.Xr secmodel_securelevel 9 .
.It Li kern.sched ( dynamic )
Influence the scheduling of LWPs, their priorisation and how they are
distributed on and moved between CPUs.
.Bl -column "kern.sched.balance_period" "integer" "Changeable" -offset indent
.It Sy Third level name	   Sy Type	 Sy Changeable
.It kern.sched.cacheht_time	   integer	 yes
.It kern.sched.balance_period	   integer	 yes
.It kern.sched.average_weight	   integer	 yes
.It kern.sched.min_catch	   integer	 yes
.It kern.sched.timesoftints	   integer	 yes
.It kern.sched.kpreempt_pri	   integer	 yes
.It kern.sched.upreempt_pri	   integer	 yes
.It kern.sched.maxts	   integer	 yes
.It kern.sched.mints	   integer	 yes
.It kern.sched.name	   string	 no
.It kern.sched.rtts	   integer	 no
.It kern.sched.pri_min	   integer	 no
.It kern.sched.pri_max	   integer	 no
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.sched.cacheht_time ( dynamic )
Cache hotness time in which a LWP is kept on one particular CPU
and not moved to another CPU.
This reduces the overhead of flushing and reloading caches.
Defaults to 3ms.
Needs to be given in
.Dq hz
units, see
.Xr mstohz 9 .
.It Li kern.sched.balance_period ( dynamic )
Interval at which the CPU queues are checked for re-balancing.
Defaults to 300ms.
Needs to be given in
.Dq hz
units, see
.Xr mstohz 9 .
.It Li kern.sched.average_weight ( dynamic )
Can be used to influence how likely LWPs are to be migrated from
one CPU's queue of LWPs that are ready to run to a different, idle CPU.
The value gives the percentage for weighting the average count of
migratable threads from the past against the current number of
migratable threads.
A small value gives more weight to the past, a larger values more weight
on the current situation.
Defaults to 50 and must be between 0 and 100.
.It Li kern.sched.min_catch ( dynamic )
Minimum count of migratable (runnable) threads for catching (stealing)
from another CPU.
Defaults to 1 but can be increased to decrease chance of thread
migration between CPUs.
.It Li kern.sched.timesoftints ( dynamic )
Enable tracking of CPU time for soft interrupts
as part of a LWP's real execution time.
Set to a non-zero value to enable,
and see
.Xr ps 1
for printing CPU times.
.It Li kern.sched.kpreempt_pri ( dynamic )
Minimum priority to trigger kernel preemption.
.It Li kern.sched.upreempt_pri ( dynamic )
Minimum priority to trigger user preemption.
.It Li kern.sched.maxts ( dynamic )
Scheduler specific maximal time quantum (in milliseconds).
Must be set to a value larger than
.Dq mints
and between 10 and
.Dq hz
as given by the
.Dv kern.clockrate
sysctl.
Provided by the M2 scheduler.
.It Li kern.sched.mints ( dynamic )
Scheduler specific minimal time quantum (in milliseconds).
Must be set to a value smaller than
.Dq maxts
and between 1 and
.Dq hz
as given by the
.Dq kern.clockrate
sysctl.
Provided by the M2 scheduler.
.It Li kern.sched.name ( dynamic )
Scheduler name.
Provided both by the M2 and the 4BSD scheduler.
.It Li kern.sched.rtts ( dynamic )
Fixed scheduler specific round-robin time quantum in milliseconds.
Provided both by the M2 and the 4BSD scheduler.
.It Li kern.sched.pri_min ( dynamic )
Minimal POSIX real-time priority.
See
.Xr sched 3 .
.It Li kern.sched.pri_max ( dynamic )
Maximal POSIX real-time priority.
See
.Xr sched 3 .
.El
.It Li kern.sofixedbuf ( Dv KERN_SOFIXEDBUF )
Prevent socket buffer autoscaling when a size is set with
.Dv SO_SNDBUF
or
.Dv SO_RCVBUF .
.It Li kern.somaxkva ( Dv KERN_SOMAXKVA )
Maximum amount of kernel memory to be used for socket buffers in bytes.
.It Li kern.sooptions
Set the default socket option flags for
.Xr socket 2
creation.
See
.Xr setsockopt 2
for a list of supported flags.
.It Li kern.synchronized_io ( Dv KERN_SYNCHRONIZED_IO )
Returns 1 if the
.St -p1003.1b-93
Synchronized I/O Option is available on this system,
otherwise\ 0.
.It Li kern.timecounter ( dynamic )
Display and control the timecounter source of the system.
.Bl -column "kern.timecounter.timestepwarnings" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.timecounter.choice	string	no
.It kern.timecounter.hardware	string	yes
.It kern.timecounter.timestepwarnings	integer	yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.timecounter.choice ( dynamic )
The list of available timecounters with their quality and frequency.
.It Li kern.timecounter.hardware ( dynamic )
The currently selected timecounter source.
.It Li kern.timecounter.timestepwarnings ( dynamic )
If non-zero display a message each time the time is stepped.
.El
.It Li kern.timex ( Dv KERN_TIMEX )
Not available.
.It Li kern.tkstat ( Dv KERN_TKSTAT )
Return information about the number of characters sent and received
on ttys.
The third level names for the tty statistic variables are detailed below.
The changeable column shows whether a process
with appropriate privilege may change the value.
.Bl -column "kern.tkstat.cancc" "quad" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.tkstat.cancc	quad	no
.It kern.tkstat.nin	quad	no
.It kern.tkstat.nout	quad	no
.It kern.tkstat.rawcc	quad	no
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.tkstat.cancc ( Dv KERN_TKSTAT_CANCC )
The number of canonical input characters.
.It Li kern.tkstat.nin ( Dv KERN_TKSTAT_NIN )
The total number of input characters.
.It Li kern.tkstat.nout ( Dv KERN_TKSTAT_NOUT )
The total number of output characters.
.It Li kern.tkstat.rawcc ( Dv KERN_TKSTAT_RAWCC )
The number of raw input characters.
.El
.It Li kern.tty
The third level names for the tty setup variables are detailed below.
The changeable column shows whether a process
with appropriate privilege may change the value.
.Bl -column "kern.tty.qsize" "int" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.tty.qsize	int	yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.tty.qsize
Control/display the size of the default input and output queues selected
during tty creation.
Is converted to a power of two and its range is between
.Dv 1024
and
.Dv 65536 .
.El
.It Li kern.uidinfo
Resource usage for the current user.
.Bl -column "kern.uidinfo.proccnt" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.uidinfo.proccnt	integer	no
.It kern.uidinfo.lwpcnt	integer	no
.It kern.uidinfo.lockcnt	integer	no
.It kern.uidinfo.semcnt	integer	no
.It kern.uidinfo.sbsize	integer	no
.El
.Bl -tag -width "123456"
.It Li kern.uidinfo.proccnt
Returns the number of active processes for the current user.
.It Li kern.uidinfo.lwpcnt
Returns the number of active threads for the current user; the first thread
of each process is not counted.
.It Li kern.uidinfo.lockcnt
Number of locks held by the current user.
.It Li kern.uidinfo.semcnt
Number of semaphores held by the current user.
.It Li kern.uidinfo.sbsize
Number of bytes in socket buffers allocated to the current user.
.El
.It Li kern.urandom ( Dv KERN_URND )
Random integer value.
.It Li kern.usercrypto
When enabled, allows userland to
.Xr open 2
the
.Pa /dev/crypto
special device, used by the
.Xr crypto 4
system.
.It Li kern.userasymcrypto
Enables or disables the use of software asymmetric crypto support in the
.Xr crypto 4
system.
.It Li kern.veriexec
Runtime information for
.Xr veriexec 8 .
.Bl -column "kern.veriexec.algorithms" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.veriexec.algorithms	string	no
.It kern.veriexec.count	node	not applicable
.It kern.veriexec.strict	integer	yes
.It kern.veriexec.verbose	integer	yes
.El
.Bl -tag -width "123456"
.It Li kern.veriexec.algorithms
Returns a string with the supported algorithms in Veriexec.
.It Li kern.veriexec.count
Sub-nodes are added to this node as new mounts are monitored by Veriexec.
Each mount will be under its own
.No tableN
node.
Under each node there will be three variables, indicating the mount
point, the file system type, and the number of entries.
.It Li kern.veriexec.strict
Controls the strict level of Veriexec.
See
.Xr security 7
for more information on each level's implications.
.It Li kern.veriexec.verbose
Controls the verbosity level of Veriexec.
If 0, only the minimal
indication required will be given about what's happening - fingerprint
mismatches, removal of entries from the tables, modification of a
fingerprinted file.
If 1, more messages will be printed (ie., when a file with a valid
fingerprint is accessed).
Verbose level 2 is debug mode.
.El
.It Li kern.version ( Dv KERN_VERSION )
The system version string.
.It Li kern.vnode ( Dv KERN_VNODE )
Return the entire vnode table.
Note, the vnode table is not necessarily a consistent snapshot of
the system.
The returned data consists of an array whose size depends on the
current number of such objects in the system.
Each element of the array contains the kernel address of a vnode
.Vt struct vnode *
followed by the vnode itself
.Vt struct vnode .
.El
.Ss The machdep.* subtree
The set of variables defined is architecture dependent.
Most architectures define at least the following variables.
.Bl -column "machdep.booted_kernel" "Type" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It Li machdep.booted_kernel	string	no
.El
.\" XXX: Document the above.
.Ss The net.* subtree
The string and integer information available for the
.Li net
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
The second and third levels are typically the protocol family and
protocol number, though this is not always the case.
.Bl -column "Second level name" "IPsec key management values" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It net.route	routing messages	no
.It net.inet	IPv4 values	yes
.It net.inet6	IPv6 values	yes
.It net.key	IPsec key management values	yes
.El
.Bl -tag -width "123456"
.It Li net.route ( Dv PF_ROUTE )
.\" XXX really?
Return the entire routing table or a subset of it.
The data is returned as a sequence of routing messages (see
.Xr route 4
for the header file, format and meaning).
The length of each message is contained in the message header.
.Pp
The third level name is a protocol number, which is currently always\ 0.
The fourth level name is an address family, which may be set to 0 to
select all address families.
The fifth and sixth level names are as follows:
.Bl -column "Fifth level name" "Sixth level is:" -offset indent
.It Sy Fifth level name Ta Sy Sixth level is :
.It NET_RT_FLAGS	rtflags
.It NET_RT_DUMP	None
.It NET_RT_IFLIST	None
.El
.It Li net.inet ( Dv PF_INET )
Get or set various global information about the IPv4
.Pq Internet Protocol version 4 .
The third level name is the protocol.
The fourth level name is the variable name.
The currently defined protocols and names are:
.Bl -column "Protocol" "anonportalgo.available" "integer" "Changeable" -offset indent
.It Sy Protocol	Variable Ta Sy Type Ta Sy Changeable
.It arp	nd_delay	integer	yes
.It arp	nd_bmaxtries	integer	yes
.It arp	nd_umaxtries	integer	yes
.It arp	nd_basereachable	integer	yes
.It arp	nd_retrans	integer	yes
.It arp	nd_nud		integer	yes
.It arp	nd_maxnudhint	integer	yes
.It arp	log_movements	integer	yes
.It arp	log_permanent_modify	integer	yes
.It arp	log_unknown_network	integer	yes
.It arp	log_wrong_iface	integer	yes
.It carp	allow	integer	yes
.It carp	preempt	integer	yes
.It carp	log	integer	yes
.It carp	arpbalance	integer	yes
.It icmp	errppslimit	integer	yes
.It icmp	maskrepl	integer	yes
.It icmp	rediraccept	integer	yes
.It icmp	redirtimeout	integer	yes
.It icmp	bmcastecho	integer	yes
.It icmp	dynamic_rt_msg	boolean	yes
.It ip	allowsrcrt	integer	yes
.It ip 	anonportalgo.selected	string	yes
.It ip 	anonportalgo.available	string	yes
.It ip 	anonportalgo.reserve	struct	yes
.It ip	anonportmax	integer	yes
.It ip	anonportmin	integer	yes
.It ip	checkinterface	integer	yes
.It ip	dad_count	integer	yes
.It ip	directed-broadcast	integer	yes
.It ip	do_loopback_cksum	integer	yes
.It ip	forwarding	integer	yes
.It ip	forwsrcrt	integer	yes
.It ip	gifttl	integer	yes
.It ip	grettl	integer	yes
.It ip	hashsize	integer	yes
.It ip	hostzerobroadcast	integer	yes
.It ip	lowportmin	integer	yes
.It ip	lowportmax	integer	yes
.It ip	maxflows	integer	yes
.It ip	maxfragpackets	integer	yes
.It ip	mtudisc	integer	yes
.It ip	mtudisctimeout	integer	yes
.It ip	random_id	integer	yes
.It ip	redirect	integer	yes
.It ip	subnetsarelocal	integer	yes
.It ip	ttl	integer	yes
.It tcp	rfc1323	integer	yes
.It tcp	sendspace	integer	yes
.It tcp	recvspace	integer	yes
.It tcp	mssdflt	integer	yes
.It tcp	syn_cache_limit	integer	yes
.It tcp	syn_bucket_limit	integer	yes
.It tcp	syn_cache_interval	integer	yes
.It tcp	init_win	integer	yes
.It tcp	init_win_local	integer	yes
.It tcp	mss_ifmtu	integer	yes
.It tcp	win_scale	integer	yes
.It tcp	timestamps	integer	yes
.It tcp	cwm	integer	yes
.It tcp	cwm_burstsize	integer	yes
.It tcp	ack_on_push	integer	yes
.It tcp	keepidle	integer	yes
.It tcp	keepintvl	integer	yes
.It tcp	keepcnt	integer	yes
.It tcp	slowhz	integer	no
.It tcp	keepinit	integer	yes
.It tcp	log_refused	integer	yes
.It tcp	rstppslimit	integer	yes
.It tcp	ident	struct	no
.It tcp	drop	struct	no
.It tcp	sack.enable	integer	yes
.It tcp	sack.globalholes	integer	no
.It tcp	sack.globalmaxholes	integer	yes
.It tcp	sack.maxholes	integer	yes
.It tcp	ecn.enable	integer	yes
.It tcp	ecn.maxretries	integer	yes
.It tcp	congctl.selected	string	yes
.It tcp	congctl.available	string	yes
.It tcp	abc.enable	integer	yes
.It tcp	abc.aggressive	integer	yes
.It udp	checksum	integer	yes
.It udp	do_loopback_cksum	integer	yes
.It udp	recvspace	integer	yes
.It udp	sendspace	integer	yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li arp.nd_delay
The delay in seconds before sending the first probe,
after it has been decided that the entry is stale.
.It Li arp.nd_bmaxtries
The maximum number of broadcasts send to discover the hardware address
claiming an IP address.
.It Li arp.nd_umaxtries
The maximum number of unicasts send to the hardware address to ensure
it still claims an IP address.
.It Li arp.nd_basereachable
The number of milliseconds the ARP entry is considered reachable before
probing reachability.
.It Li arp.nd_retrans
The number of milliseconds between ARP probes.
.It Li arp.nd_nud
If set to non-zero, perform Neighor Unreachability Detection.
.It Li arp.nd_maxnudhint
Neighbor discovery permits upper layer protocols to supply reachability
hints, to avoid unnecessary neighbor discovery exchanges.
The variable defines the number of consecutive hints the neighbor discovery
layer will take.
For example, by setting the variable to 3, neighbor discovery layer
will take 3 consecutive hints in maximum.
After receiving 3 hints, neighbor discovery layer will perform
normal neighbor discovery process.
.It Li carp.allow
If set to 0, incoming
.Xr carp 4
packets will not be processed.
If set to any other value, processing will occur.
Enabled by default.
.It Li carp.arpbalance
If set to any value other than 0, the ARP balancing functionality of
.Xr carp 4
is enabled.
When ARP requests are received for an IP address which is part of any virtual
host, carp will hash the source IP in the ARP request to select one of the
virtual hosts from the set of all the virtual hosts which have that IP address.
The master of that host will respond with the correct virtual MAC address.
Disabled by default.
.It Li carp.log
If set to any value other than 0,
.Xr carp 4
will log errors.
Disabled by default.
.It Li carp.preempt
If set to 0,
.Xr carp 4
will not attempt to become master if it is receiving advertisements from
another active master.
If set to any other value, carp will become master of the virtual host if it
believes it can send advertisements more frequently than the current master.
Disabled by default.
.It Li ip.allowsrcrt
If set to 1, the host accepts source routed packets.
.It Li ip.anonportalgo.available
The available RFC 6056 port randomization algorithms.
.It Li ip.anonportalgo.reserve
A bitmask of ports that will not be used during anonymous or privileged
port selection.
.It Li ip.anonportalgo.selected
The currently selected RFC 6056 port randomization algorithm; see
.Xr rfc6056 7
for details.
.It Li ip.anonportmax
The highest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535, and must
be greater than
.Li ip.anonportmin .
.It Li ip.anonportmin
The lowest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535.
.It Li ip.checkinterface
If set to non-zero, the host will reject packets addressed to it
that arrive on an interface not bound to that address.
Currently, this must be disabled if NAT is used to translate the
destination address to another local interface, or if addresses
are added to the loopback interface instead of the interface where
the packets for those packets are received.
.It Li ip.dad_count
The number of
.Xr arp 4
probes sent for Address Conflict Detection.
Set to 0 to disable this.
.It Li ip.directed-broadcast
If set to 1, enables directed broadcast behavior for the host.
.It Li ip.do_loopback_cksum
Perform IP checksum on loopback.
.It Li ip.forwarding
If set to 1, enables IP forwarding for the host,
meaning that the host is acting as a router.
.It Li ip.forwsrcrt
If set to 1, enables forwarding of source-routed packets for the host.
This value may only be changed if the kernel security level is less than 1.
.It Li ip.gifttl
The maximum time-to-live (hop count) value for an IPv4 packet generated by
.Xr gif 4
tunnel interface.
.It Li ip.grettl
The maximum time-to-live (hop count) value for an IPv4 packet generated by
.Xr gre 4
tunnel interface.
.It Li ip.hashsize
The size of IPv4 Fast Forward hash table.
This value must be a power of 2 (64, 256...).
A larger hash table size results in fewer collisions.
Also see
.Li ip.maxflows .
.It Li ip.hostzerobroadcast
All zeroes address is broadcast address.
.It Li ip.lowportmax
The highest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be greater than
.Li ip.lowportmin .
.It Li ip.lowportmin
The lowest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be smaller than
.Li ip.lowportmax .
.It Li ip.maxflows
IPv4 Fast Forwarding is enabled by default.
If set to 0, IPv4 Fast Forwarding is disabled.
.Li ip.maxflows
controls the maximum amount of flows which can be created.
The default value is 256.
.It Li ip.maxfragpackets
The maximum number of fragmented packets the node will accept.
0 means that the node will not accept any fragmented packets.
\-1 means that the node will accept as many fragmented packets as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip.mtudisc
If set to 1, enables Path MTU Discovery (RFC 1191).
When Path MTU Discovery is enabled, the transmitted TCP segment
size will be determined by the advertised maximum segment size
(MSS) from the remote end, as constrained by the path MTU.
If MTU Discovery is disabled, the transmitted segment size will
never be greater than
.Li tcp.mssdflt
(the local maximum segment size).
.It Li ip.mtudisctimeout
The number of seconds in which a route added by the Path MTU
Discovery engine will time out.
When the route times out, the Path
MTU Discovery engine will attempt to probe a larger path MTU.
.It Li ip.random_id
Assign random ip_id values.
.It Li ip.redirect
If set to 1, ICMP redirects may be sent by the host.
This option is ignored unless the host is routing IP packets,
and should normally be enabled on all systems.
.It Li ip.subnetsarelocal
If set to 1, subnets are to be considered local addresses.
.It Li ip.ttl
The maximum time-to-live (hop count) value for an IP packet sourced by
the system.
This value applies to normal transport protocols, not to ICMP.
.It Li icmp.errppslimit
The variable specifies the maximum number of outgoing ICMP error messages,
per second.
ICMP error messages that exceeded the value are subject to rate limitation
and will not go out from the node.
Negative value disables rate limitation.
.It Li icmp.maskrepl
If set to 1, ICMP network mask requests are to be answered.
.It Li icmp.rediraccept
If set to non-zero, the host will accept ICMP redirect packets.
Note that routers will never accept ICMP redirect packets,
and the variable is meaningful on IP hosts only.
.It Li icmp.redirtimeout
The variable specifies lifetime of routing entries generated by incoming
ICMP redirect.
This defaults to 600 seconds.
.It Li icmp.returndatabytes
Number of bytes to return in an ICMP error message.
.It Li icmp.bmcastecho
If set to 1, enables responding to ICMP echo or timestamp request to the
broadcast address.
.It Li icmp.dynamic_rt_msg
A boolean that the kernel sends routing message for RTM_DYNAMIC or not.
If set to true, sends such routing message.
.It Li tcp.ack_on_push
If set to 1, TCP is to immediately transmit an ACK upon reception of
a packet with PUSH set.
This can avoid losing a round trip time in some rare situations,
but has the caveat of potentially defeating TCP's delayed ACK algorithm.
Use of this option is generally not recommended, but
the variable exists in case your configuration really needs it.
.It Li tcp.cwm
If set to 1, enables use of the Hughes/Touch/Heidemann Congestion Window
Monitoring algorithm.
This algorithm prevents line-rate bursts of packets that could
otherwise occur when data begins flowing on an idle TCP connection.
These line-rate bursts can contribute to network and router congestion.
This can be particularly useful on World Wide Web servers
which support HTTP/1.1, which has lingering connections.
.It Li tcp.cwm_burstsize
The Congestion Window Monitoring allowed burst size, in terms
of packet count.
.It Li tcp.delack_ticks
Number of ticks to delay sending an ACK.
.It Li tcp.do_loopback_cksum
Perform TCP checksum on loopback.
.It Li tcp.init_win
A value indicating the TCP initial congestion window.
The valid range
is 0 to 10 (maximum specified by RFC6928),
with a default of 4 (approximately 4K per RFC3390).
.It Li tcp.init_win_local
Like
.Li tcp.init_win ,
but used when communicating with hosts on a local network.
.It Li tcp.keepcnt
Number of keepalive probes sent before declaring a connection dead.
If set to zero, there is no limit;
keepalives will be sent until some kind of
response is received from the peer.
.It Li tcp.keepidle
Time a connection must be idle before keepalives are sent (if keepalives
are enabled for the connection).
See also tcp.slowhz.
.It Li tcp.keepintvl
Time after a keepalive probe is sent until, in the absence of any response,
another probe is sent.
See also tcp.slowhz.
.It Li tcp.log_refused
If set to 1, refused TCP connections to the host will be logged.
.It Li tcp.keepinit
Timeout in seconds during connection establishment.
.It Li tcp.mss_ifmtu
If set to 1, TCP calculates the outgoing maximum segment size based on
the MTU of the appropriate interface.
If set to 0, it is calculated based on the greater of the MTU of the
interface, and the largest (non-loopback) interface MTU on the system.
.It Li tcp.mssdflt
The default maximum segment size both advertised to the peer
and to use when either the peer does not advertise a maximum segment size to
us during connection setup or Path MTU Discovery
.Li ( ip.mtudisc )
is disabled.
Do not change this value unless you really know what you are doing.
.It Li tcp.recvspace
The default TCP receive buffer size.
.It Li tcp.rfc1323
If set to 1, enables RFC 1323 extensions to TCP.
.It Li tcp.rstppslimit
The variable specifies the maximum number of outgoing TCP RST packets,
per second.
TCP RST packet that exceeded the value are subject to rate limitation
and will not go out from the node.
Negative value disables rate limitation.
.It Li tcp.ident
Return the user ID of a connected socket pair.
(RFC1413 Identification Protocol lookups.)
.It Li tcp.drop
Drop a TCP socket pair connection.
.It Li tcp.sack.enable
If set to 1, enables RFC 2018 Selective ACKnowledgement.
.It Li tcp.sack.globalholes
Global number of TCP SACK holes.
.It Li tcp.sack.globalmaxholes
Global maximum number of TCP SACK holes.
.It Li tcp.sack.maxholes
Maximum number of TCP SACK holes allowed per connection.
.It Li tcp.ecn.enable
If set to 1, enables RFC 3168 Explicit Congestion Notification.
.It Li tcp.ecn.maxretries
Number of times to retry sending the ECN-setup packet.
.It Li tcp.sendspace
The default TCP send buffer size.
.It Li tcp.slowhz
The units for tcp.keepidle and tcp.keepintvl; those variables are in ticks
of a clock that ticks tcp.slowhz times per second.
(That is, their values
must be divided by the tcp.slowhz value to get times in seconds.)
.It Li tcp.syn_bucket_limit
The maximum number of entries allowed per hash bucket in the TCP
compressed state engine.
.It Li tcp.syn_cache_limit
The maximum number of entries allowed in the TCP compressed state
engine.
.It Li tcp.timestamps
If rfc1323 is enabled, a value of 1 indicates RFC 1323 time stamp options,
used for measuring TCP round trip times, are enabled.
.It Li tcp.win_scale
If rfc1323 is enabled, a value of 1 indicates RFC 1323 window scale options,
for increasing the TCP window size, are enabled.
.It Li tcp.congctl.available
The available TCP congestion control algorithms.
.It Li tcp.congctl.selected
The currently selected TCP congestion control algorithm.
.It Li tcp.abc.enable
If set to 1, use RFC 3465 Appropriate Byte Counting (ABC).
If set to 0, use traditional Packet Counting.
.It Li tcp.abc.aggressive
Choose the L parameter found in RFC 3465.
L is the maximum cwnd increase for an ack during slow start.
If set to 1, use L=2*SMSS.
If set to 0, use L=1*SMSS.
It has no effect unless tcp.abc.enable is set to 1.
.It Li udp.checksum
If set to 1, UDP checksums are being computed.
Received non-zero UDP checksums are always checked.
Disabling UDP checksums is strongly discouraged.
.It Li udp.recvspace
The default UDP receive buffer size.
.It Li udp.sendspace
The default UDP send buffer size.
.El
.Pp
For variables net.*.ipsec, please refer to
.Xr ipsec 4 .
.It Li net.inet6 ( Dv PF_INET6 )
Get or set various global information about the IPv6
.Pq Internet Protocol version 6 .
The third level name is the protocol.
The fourth level name is the variable name.
The currently defined protocols and names are:
.Bl -column "Protocol" "anonportalgo.available" "integer" "Changeable" -offset indent
.It Sy Protocol	Variable Ta Sy Type Ta Sy Changeable
.It icmp6	errppslimit	integer	yes
.It icmp6	mtudisc_hiwat	integer	yes
.It icmp6	mtudisc_lowat	integer	yes
.It icmp6	nd6_debug	integer	yes
.It icmp6	nd6_delay	integer	yes
.It icmp6	nd6_maxnudhint	integer	yes
.It icmp6	nd6_mmaxtries	integer	yes
.It icmp6	nd6_prune	integer	yes
.It icmp6	nd6_umaxtries	integer	yes
.It icmp6	nd6_useloopback	integer	yes
.It icmp6	nodeinfo	integer	yes
.It icmp6	rediraccept	integer	yes
.It icmp6	redirtimeout	integer	yes
.It icmp6	reflect_pmtu	boolean	yes
.It icmp6	dynamic_rt_msg	boolean	yes
.It ip6	accept_rtadv	integer	yes
.It ip6	addctlpolicy	struct in6_addrpolicy	no
.It ip6	anonportalgo.selected	string	yes
.It ip6	anonportalgo.available	string	yes
.It ip6	anonportalgo.reserve	struct	yes
.It ip6	anonportmax	integer	yes
.It ip6	anonportmin	integer	yes
.It ip6	auto_flowlabel	integer	yes
.It ip6	dad_count	integer	yes
.It ip6	defmcasthlim	integer	yes
.It ip6	forwarding	integer	yes
.It ip6	gifhlim	integer	yes
.It ip6	hashsize	integer	yes
.It ip6	hlim	integer	yes
.It ip6	hdrnestlimit	integer	yes
.It ip6	kame_version	string	no
.It ip6	keepfaith	integer	yes
.It ip6	log_interval	integer	yes
.It ip6	lowportmax	integer	yes
.It ip6	lowportmin	integer	yes
.It ip6	maxdynroutes	integer	yes
.It ip6	maxifprefixes	integer	yes
.It ip6	maxifdefrouters	integer	yes
.It ip6	maxflows	integer	yes
.It ip6	maxfragpackets	integer	yes
.It ip6	maxfrags	integer	yes
.It ip6	neighborgcthresh	integer	yes
.It ip6	param_rt_msg	integer	yes
.It ip6	redirect	integer	yes
.It ip6	rr_prune	integer	yes
.It ip6	use_deprecated	integer	yes
.It ip6	v6only	integer	yes
.It udp6	do_loopback_cksum	integer	yes
.It udp6	recvspace	integer	yes
.It udp6	sendspace	integer	yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li ip6.accept_rtadv
If set to non-zero, the node will accept ICMPv6 router advertisement packets
and autoconfigures address prefixes and default routers.
The node must be a host
.Pq not a router
for the option to be meaningful.
.It Li ip6.anonportalgo.available
The available RFC 6056 port randomization algorithms.
.It Li ip6.anonportalgo.reserve
A bitmask of ports that will not be used during anonymous or privileged
port selection.
.It Li ip6.anonportalgo.selected
The currently selected RFC 6056 port randomization algorithm; see
.Xr rfc6056 7
for details.
.It Li ip6.anonportmax
The highest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535, and must
be greater than
.Li ip6.anonportmin .
.It Li ip6.anonportmin
The lowest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535.
.It Li ip6.auto_flowlabel
On connected transport protocol packets,
fill IPv6 flowlabel field to help intermediate routers to identify packet flows.
.It Li ip6.dad_count
The variable configures number of IPv6 DAD
.Pq duplicated address detection
probe packets.
The packets will be generated when IPv6 interface addresses are configured.
.It Li ip6.defmcasthlim
The default hop limit value for an IPv6 multicast packet sourced by the node.
This value applies to all the transport protocols on top of IPv6.
There are APIs to override the value, as documented in
.Xr ip6 4 .
.It Li ip6.forwarding
If set to 1, enables IPv6 forwarding for the node,
meaning that the node is acting as a router.
If set to 0, disables IPv6 forwarding for the node,
meaning that the node is acting as a host.
IPv6 specification defines node behavior for
.Dq router
case and
.Dq host
case quite differently, and changing this variable during operation
may cause serious trouble.
It is recommended to configure the variable at bootstrap time,
and bootstrap time only.
.It Li ip6.gifhlim
The maximum hop limit value for an IPv6 packet generated by
.Xr gif 4
tunnel interface.
.It Li ip6.hdrnestlimit
The number of IPv6 extension headers permitted on incoming IPv6 packets.
If set to 0, the node will accept as many extension headers as possible.
.It Li ip6.hashsize
The size of IPv6 Fast Forward hash table.
This value must be a power of 2 (64, 256, ...).
A larger hash table size results in fewer collisions.
Also see
.Li ip6.maxflows .
.It Li ip6.hlim
The default hop limit value for an IPv6 unicast packet sourced by the node.
This value applies to all the transport protocols on top of IPv6.
There are APIs to override the value, as documented in
.Xr ip6 4 .
.It Li ip6.kame_version
The string identifies the version of KAME IPv6 stack implemented in the kernel.
.It Li ip6.keepfaith
If set to non-zero, it enables
.Dq FAITH
TCP relay IPv6-to-IPv4 translator code in the kernel.
Refer
.Xr faith 4
and
.Xr faithd 8
for detail.
.It Li ip6.log_interval
The variable controls amount of logs generated by IPv6 packet
forwarding engine, by setting interval between log output
.Pq in seconds .
.It Li ip6.lowportmax
The highest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be greater than
.Li ip6.lowportmin .
.It Li ip6.lowportmin
The lowest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be smaller than
.Li ip6.lowportmax .
.It Li ip6.maxdynroutes
Maximum number of routes created by redirect.
Set it to negative to disable.
The default value is 4096.
.It Li ip6.maxifprefixes
Maximum number of prefixes created by route advertisements per interface.
Set it to negative to disable.
The default value is 16.
.It Li ip6.maxifdefrouters 16
Maximum number of default routers created by route advertisements per interface.
Set it to negative to disable.
The default value is 16.
.It Li ip6.maxflows
IPv6 Fast Forwarding is enabled by default.
If set to 0, IPv6 Fast Forwarding is disabled.
.Li ip6.maxflows
controls the maximum amount of flows which can be created.
The default value is 256.
.It Li ip6.maxfragpackets
The maximum number of fragmented packets the node will accept.
0 means that the node will not accept any fragmented packets.
\-1 means that the node will accept as many fragmented packets as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip6.maxfrags
The maximum number of fragments the node will accept.
0 means that the node will not accept any fragments.
\-1 means that the node will accept as many fragments as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip6.neighborgcthresh
Maximum number of entries in neighbor cache per interface.
Set to negative to disable.
The default value is 2048.
.It Li ip6.param_rt_msg
If set to 0, parameter changing routing message is suppressed.
If set to 1, parameter changing routing message is sent by RTM_NEWADDR.
Other values are undefined yet.
.It Li ip6.redirect
If set to 1, ICMPv6 redirects may be sent by the node.
This option is ignored unless the node is routing IP packets,
and should normally be enabled on all systems.
.It Li ip6.rr_prune
The variable specifies interval between IPv6 router renumbering prefix
babysitting, in seconds.
.It Li ip6.use_deprecated
The variable controls use of deprecated address, specified in RFC 2462 5.5.4.
.It Li ip6.v6only
The variable specifies initial value for
.Dv IPV6_V6ONLY
socket option for
.Dv AF_INET6
socket.
Please refer to
.Xr ip6 4
for detail.
.It Li icmp6.errppslimit
The variable specifies the maximum number of outgoing ICMPv6 error messages,
per second.
ICMPv6 error messages that exceeded the value are subject to rate limitation
and will not go out from the node.
Negative value disables rate limitation.
.It Li icmp6.mtudisc_hiwat
.It Li icmp6.mtudisc_lowat
The variables define the maximum number of routing table entries,
created due to path MTU discovery
.Pq prevents denial-of-service attacks with ICMPv6 too big messages .
When IPv6 path MTU discovery happens, we keep path MTU information into
the routing table.
If the number of routing table entries exceed the value,
the kernel will not attempt to keep the path MTU information.
.Li icmp6.mtudisc_hiwat
is used when we have verified ICMPv6 too big messages.
.Li icmp6.mtudisc_lowat
is used when we have unverified ICMPv6 too big messages.
Verification is performed by using address/port pairs kept in connected pcbs.
Negative value disables the upper limit.
.It Li icmp6.nd6_debug
If set to non-zero, kernel IPv6 neighbor discovery code will generate
debugging messages.
The debug outputs are useful to diagnose IPv6 interoperability issues.
The flag must be set to 0 for normal operation.
.It Li icmp6.nd6_delay
The variable specifies
.Dv DELAY_FIRST_PROBE_TIME
timing constant in IPv6 neighbor discovery specification
.Pq RFC 2461 ,
in seconds.
.It Li icmp6.nd6_maxnudhint
Neighbor discovery permits upper layer protocols to supply reachability
hints, to avoid unnecessary neighbor discovery exchanges.
The variable defines the number of consecutive hints the neighbor discovery
layer will take.
For example, by setting the variable to 3, neighbor discovery layer
will take 3 consecutive hints in maximum.
After receiving 3 hints, neighbor discovery layer will perform
normal neighbor discovery process.
.It Li icmp6.nd6_mmaxtries
The variable specifies
.Dv MAX_MULTICAST_SOLICIT
constant in IPv6 neighbor discovery specification
.Pq RFC 2461 .
.It Li icmp6.nd6_prune
The variable specifies interval between IPv6 neighbor cache babysitting,
in seconds.
.It Li icmp6.nd6_umaxtries
The variable specifies
.Dv MAX_UNICAST_SOLICIT
constant in IPv6 neighbor discovery specification
.Pq RFC 2461 .
.It Li icmp6.nd6_useloopback
If set to non-zero, kernel IPv6 stack will use loopback interface for
local traffic.
.It Li icmp6.nodeinfo
The variable enables responses to ICMPv6 node information queries.
If you set the variable to 0, responses will not be generated for
ICMPv6 node information queries.
Since node information queries can have a security impact, it is
possible to fine tune which responses should be answered.
Two separate bits can be set.
.Bl -tag -width "12345"
.It 1
Respond to ICMPv6 FQDN queries, e.g.
.Li ping6 -w .
.It 2
Respond to ICMPv6 node addresses queries, e.g.
.Li ping6 -a .
.El
.It Li icmp6.rediraccept
If set to non-zero, the host will accept ICMPv6 redirect packets.
Note that IPv6 routers will never accept ICMPv6 redirect packets,
and the variable is meaningful on IPv6 hosts
.Pq non-router
only.
.It Li icmp6.redirtimeout
The variable specifies lifetime of routing entries generated by incoming
ICMPv6 redirect.
.It Li icmp6.reflect_pmtu
A boolean that icmpv6 reflecting uses path MTU discovery or not.
When not, icmpv6 reflecting uses IPV6_MINMTU.
.It Li icmp6.dynamic_rt_msg
A boolean that the kernel sends routing message for RTM_DYNAMIC or not.
If set to true, sends such routing message.
.It Li udp6.do_loopback_cksum
Perform UDP checksum on loopback.
.It Li udp6.recvspace
Default UDP receive buffer size.
.It Li udp6.sendspace
Default UDP send buffer size.
.El
.Pp
Variables net.inet6.tcp6.* and net.inet6.udp6.* have identical meanings to
net.inet.tcp.* and net.inet.udp.*, respectively.
Please refer to
.Li PF_INET
section above.
For variables net.*.ipsec6, please refer to
.Xr ipsec 4 .
.It Li net.key ( Dv PF_KEY )
Get or set various global information about the IPsec key management.
The third level name is the variable name.
The currently defined variable and names are:
.Bl -column "blockacq_lifetime" "integer" "Changeable" -offset indent
.It Sy Variable	Type Ta Sy Changeable
.It debug	integer	yes
.It enabled	integer	yes
.It used	integer	no
.It spi_try	integer	yes
.It spi_min_value	integer	yes
.It spi_max_value	integer	yes
.It larval_lifetime	integer	yes
.It blockacq_count	integer	yes
.It blockacq_lifetime	integer	yes
.It esp_keymin	integer	yes
.It esp_auth	integer	yes
.It ah_keymin	integer	yes
.It allow_different_idtype	boolean	yes
.El
The variables are as follows:
.Bl -tag -width "123456"
.It Li debug
Turn on debugging message from within the kernel.
The value is a bitmap, as defined in
.In netipsec/key_debug.h .
.It Li enabled
Control processing of IPsec control messages.
.Bl -tag -width indent
.It 0
Never allow IPsec processing
.It 1
Allow IPsec processing when SPD policies are present.
.It 2
Force IPsec processing even when SPD policies are not present.
.El
.It Li used
Based on if IPsec is enabled, and SPD rule existence, show if
IPsec is being used.
Note that currently once IPsec is being used, it cannot be disabled.
.It Li spi_try
The number of times the kernel will try to obtain an unique SPI
when it generates it from random number generator.
.It Li spi_min_value
Minimum SPI value when generating it within the kernel.
.It Li spi_max_value
Maximum SPI value when generating it within the kernel.
.It Li larval_lifetime
Lifetime for LARVAL SAD entries, in seconds.
.It Li blockacq_count
Number of ACQUIRE PF_KEY messages to be blocked after an ACQUIRE message.
It avoids flood of ACQUIRE PF_KEY from being sent from the kernel to the
key management daemon.
.It Li blockacq_lifetime
Lifetime of ACQUIRE PF_KEY message.
.It Li esp_keymin
Minimum ESP key length, in bits.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.It Li esp_auth
Whether ESP authentication should be used or not.
Non-zero value indicates that ESP authentication should be used.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.It Li ah_keymin
Minimum AH key length, in bits,
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.It Li allow_different_idtype
A boolean that allow or disallow different identifier types
on IDii and IDir.
Allowing that can improve interconnectivity to some VPN appliances.
.El
.It Li net.local ( Dv PF_LOCAL )
Get or set various global information about
.Dv AF_LOCAL
type sockets.
For some variables, the third level name is the variable name:
.Bl -column "Variable" "integer" "Changeable" -offset indent
.It Sy Variable	Type Ta Sy Changeable
.It inflight	integer	no
.It deferred	integer	no
.El
The variables are as follows:
.Bl -tag -width "123456"
.It Li inflight
The number of file descriptors currently passed between processes,
.Qq in flight .
.It Li deferred
The number of file descriptors passed between processes that have been
deferred for cleanup by a kernel task.
.El
.Pp
Other variables are specific to a socket type:
.Bl -column "seqpacket" "sendspace" "integer" "Changeable" -offset indent
.It Sy "Socket Type"  	Sy Variable	Type Ta Sy Changeable
.It dgram	pcblist	struct	no
.It dgram	recvspace	integer	yes
.It dgram	sendspace	integer	yes
.It seqpacket	pcblist	struct	no
.It stream	pcblist	struct	no
.It stream	recvspace	integer	yes
.It stream	sendspace	integer	yes
.El
The variables are as follows:
.Bl -tag -width "123456"
.It Li dgram.pcblist
The Protocol Control Block list structure for datagram sockets.
Parsed by
.Xr netstat 1
or
.Xr sockstat 1 .
.It Li dgram.recvspace
The default datagram receive buffer size.
.It Li dgram.sendspace
The default datagram send buffer size.
.It Li seqpacket.pcblist
The Protocol Control Block list structure for Sequential Packet sockets.
Parsed by
.Xr netstat 1
or
.Xr sockstat 1 .
.It Li stream.pcblist
The Protocol Control Block list structure for stream sockets.
Parsed by
.Xr netstat 1
or
.Xr sockstat 1 .
.It Li stream.recvspace
The default stream receive buffer size.
.It Li stream.sendspace
The default stream send buffer size.
.El
.El
.Ss The proc.* subtree
The string and integer information available for the
.Li proc
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
These values are per-process,
and as such may change from one process to another.
When a process is created,
the default values are inherited from its parent.
When a set-user-ID or set-group-ID binary is executed, the
value of PROC_PID_CORENAME is reset to the system default value.
The second level name is either the magic value PROC_CURPROC, which
points to the current process, or the PID of the target process.
.Bl -column "proc.pid.corename" "string" "not applicable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It proc.pid.corename	string	yes
.It proc.pid.rlimit	node	not applicable
.It proc.pid.stopfork	int	yes
.It proc.pid.stopexec	int	yes
.It proc.pid.stopexit	int	yes
.It proc.pid.paxflags	int	no
.El
.Bl -tag -width "123456"
.It Li proc.pid.corename ( Dv PROC_PID_CORENAME )
The template used for the core dump file name (see
.Xr core 5
for details).
The base name must either be
.Pa core
or end with the suffix
.Pa .core
(the super-user may set arbitrary names).
By default it points to
.Dv KERN_DEFCORENAME .
.It Li proc.pid.rlimit ( Dv PROC_PID_LIMIT )
Return resources limits, as defined for the
.Xr getrlimit 2
and
.Xr setrlimit 2
system calls.
The fourth level name is one of:
.Bl -tag -width "123456"
.It Li proc.pid.rlimit.cputime ( Dv PROC_PID_LIMIT_CPU )
The maximum amount of CPU time (in seconds) to be used by each process.
.It Li proc.pid.rlimit.filesize ( Dv PROC_PID_LIMIT_FSIZE )
The largest size (in bytes) file that may be created.
.It Li proc.pid.rlimit.datasize ( Dv PROC_PID_LIMIT_DATA )
The maximum size (in bytes) of the data segment for a process;
this defines how far a program may extend its break with the
.Xr sbrk 2
system call.
.It Li proc.pid.rlimit.stacksize ( Dv PROC_PID_LIMIT_STACK )
The maximum size (in bytes) of the stack segment for a process;
this defines how far a program's stack segment may be extended.
Stack extension is performed automatically by the system.
.It Li proc.pid.rlimit.coredumpsize ( Dv PROC_PID_LIMIT_CORE )
The largest size (in bytes)
.Pa core
file that may be created.
.It Li proc.pid.rlimit.memoryuse ( Dv PROC_PID_LIMIT_RSS )
The maximum size (in bytes) to which a process's resident set size may
grow.
This imposes a limit on the amount of physical memory to be given to
a process; if memory is tight, the system will prefer to take memory
from processes that are exceeding their declared resident set size.
.It Li proc.pid.rlimit.memorylocked ( Dv PROC_PID_LIMIT_MEMLOCK )
The maximum size (in bytes) which a process may lock into memory
using the
.Xr mlock 2
function.
.It Li proc.pid.rlimit.maxproc ( Dv PROC_PID_LIMIT_NPROC )
The maximum number of simultaneous processes for this user id.
.It Li proc.pid.rlimit.descriptors ( Dv PROC_PID_LIMIT_NOFILE )
The maximum number of open files for this process.
.It Li proc.pid.rlimit.sbsize ( Dv PROC_PID_LIMIT_SBSIZE )
The maximum size (in bytes) of the socket buffers
set by the
.Xr setsockopt 2
.Dv SO_RCVBUF
and
.Dv SO_SNDBUF
options.
.It Li proc.pid.rlimit.vmemoryuse ( Dv PROC_PID_LIMIT_AS )
The maximum size (in bytes) which a process can obtain.
.It Li proc.pid.rlimit.maxlwp ( Dv PROC_PID_LIMIT_NTHR )
The maximum number of threads that cen be created and running at one time in
the process.
The first thread of each process is not counted against this.
.El
.Pp
The fifth level name is one of
.Li soft ( Dv PROC_PID_LIMIT_TYPE_SOFT )
or
.Li hard ( Dv PROC_PID_LIMIT_TYPE_HARD ) ,
to select respectively the soft or hard limit.
Both are of type integer.
.It Li proc.pid.stopfork ( Dv PROC_PID_STOPFORK )
If non zero, the process' children will be stopped after
.Xr fork 2
calls.
The children are created in the SSTOP state and are never scheduled
for running before being stopped.
This feature enables attaching to a process with a debugger such as
.Xr gdb 1
before the process has the opportunity to actually do anything.
.Pp
This value is inherited by the process's children, and it also
applies to emulation specific system calls that fork a new process, such as
.Fn sproc
or
.Fn clone .
.It Li proc.pid.stopexec ( Dv PROC_PID_STOPEXEC )
If non zero, the process will be stopped on the next
.Xr exec 3
call.
The process created by
.Xr exec 3
is created in the SSTOP state and is never scheduled for running
before being stopped.
This feature enables attaching to a process with a debugger such as
.Xr gdb 1
before the process has the opportunity to actually do anything.
.Pp
This value is inherited by the process's children.
.It Li proc.pid.stopexit ( Dv PROC_PID_STOPEXIT )
If non zero, the process will be stopped when it has cause to exit,
either by way of calling
.Xr exit 3 ,
.Xr _exit 2 ,
or by the receipt of a specific signal.
The process is stopped before any of its resources or vm space is
released allowing examination of the termination state of the process
before it disappears.
This feature can be used to examine the final conditions of the
process's vmspace via
.Xr pmap 1
or its resource settings with
.Xr sysctl 8
before it disappears.
.Pp
This value is also inherited by the process's children.
.It Li proc.pid.paxflags ( Dv PROC_PID_PAXFLAGS )
This read-only variable returns the current value of the process's pax
flags (see
.Xr paxctl 8 ) .
.El
.Ss The user.* subtree ( Dv CTL_USER )
The string and integer information available for the
.Li user
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "user.coll_weights_max" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It user.atexit_max	integer	no
.It user.bc_base_max	integer	no
.It user.bc_dim_max	integer	no
.It user.bc_scale_max	integer	no
.It user.bc_string_max	integer	no
.It user.coll_weights_max	integer	no
.It user.cs_path	string	no
.It user.expr_nest_max	integer	no
.It user.line_max	integer	no
.It user.posix2_c_bind	integer	no
.It user.posix2_c_dev	integer	no
.It user.posix2_char_term	integer	no
.It user.posix2_fort_dev	integer	no
.It user.posix2_fort_run	integer	no
.It user.posix2_localedef	integer	no
.It user.posix2_sw_dev	integer	no
.It user.posix2_upe	integer	no
.It user.posix2_version	integer	no
.It user.re_dup_max	integer	no
.It user.stream_max	integer	no
.It user.stream_max	integer	no
.It user.tzname_max	integer	no
.El
.Bl -tag -width "123456"
.It Li user.atexit_max ( Dv USER_ATEXIT_MAX )
The maximum number of functions that may be registered with
.Xr atexit 3 .
.It Li user.bc_base_max ( Dv USER_BC_BASE_MAX )
The maximum ibase/obase values in the
.Xr bc 1
utility.
.It Li user.bc_dim_max ( Dv USER_BC_DIM_MAX )
The maximum array size in the
.Xr bc 1
utility.
.It Li user.bc_scale_max ( Dv USER_BC_SCALE_MAX )
The maximum scale value in the
.Xr bc 1
utility.
.It Li user.bc_string_max ( Dv USER_BC_STRING_MAX )
The maximum string length in the
.Xr bc 1
utility.
.It Li user.coll_weights_max ( Dv USER_COLL_WEIGHTS_MAX )
The maximum number of weights that can be assigned to any entry of
the LC_COLLATE order keyword in the locale definition file.
.It Li user.cs_path ( USER_CS_PATH )
Return a value for the
.Ev PATH
environment variable that finds all the standard utilities.
.It Li user.expr_nest_max ( Dv USER_EXPR_NEST_MAX )
The maximum number of expressions that can be nested within
parenthesis by the
.Xr expr 1
utility.
.It Li user.line_max ( Dv USER_LINE_MAX )
The maximum length in bytes of a text-processing utility's input
line.
.It Li user.posix2_char_term ( Dv USER_POSIX2_CHAR_TERM )
Return 1 if the system supports at least one terminal type capable of
all operations described in
.St -p1003.2 ,
otherwise\ 0.
.It Li user.posix2_c_bind ( Dv USER_POSIX2_C_BIND )
Return 1 if the system's C-language development facilities support the
C-Language Bindings Option, otherwise\ 0.
.It Li user.posix2_c_dev ( Dv USER_POSIX2_C_DEV )
Return 1 if the system supports the C-Language Development Utilities Option,
otherwise\ 0.
.It Li user.posix2_fort_dev ( Dv USER_POSIX2_FORT_DEV )
Return 1 if the system supports the FORTRAN Development Utilities Option,
otherwise\ 0.
.It Li user.posix2_fort_run ( Dv USER_POSIX2_FORT_RUN )
Return 1 if the system supports the FORTRAN Runtime Utilities Option,
otherwise\ 0.
.It Li user.posix2_localedef ( Dv USER_POSIX2_LOCALEDEF )
Return 1 if the system supports the creation of locales, otherwise\ 0.
.It Li user.posix2_sw_dev ( Dv USER_POSIX2_SW_DEV )
Return 1 if the system supports the Software Development Utilities Option,
otherwise\ 0.
.It Li user.posix2_upe ( Dv USER_POSIX2_UPE )
Return 1 if the system supports the User Portability Utilities Option,
otherwise\ 0.
.It Li user.posix2_version ( Dv USER_POSIX2_VERSION )
The version of
.St -p1003.2
with which the system attempts to comply.
.It Li user.re_dup_max ( Dv USER_RE_DUP_MAX )
The maximum number of repeated occurrences of a regular expression
permitted when using interval notation.
.It Li user.stream_max ( Dv USER_STREAM_MAX )
The minimum maximum number of streams that a process may have open
at any one time.
.It Li user.tzname_max ( Dv USER_TZNAME_MAX )
The minimum maximum number of types supported for the name of a
timezone.
.El
.Ss The vm.* subtree ( Dv CTL_VM )
The string and integer information available for the
.Li vm
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "Second level name" "struct uvmexp_sysctl" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It vm.anonmax	int	yes
.It vm.anonmin	int	yes
.It vm.bufcache	int	yes
.It vm.bufmem	int	no
.It vm.bufmem_hiwater	int	yes
.It vm.bufmem_lowater	int	yes
.It vm.execmax	int	yes
.It vm.execmin	int	yes
.It vm.filemax	int	yes
.It vm.filemin	int	yes
.It vm.loadavg	struct loadavg	no
.It vm.maxslp	int	no
.It vm.nkmempages	int	no
.It vm.uspace	int	no
.It vm.uvmexp	struct uvmexp	no
.It vm.uvmexp2	struct uvmexp_sysctl	no
.It vm.vmmeter	struct vmtotal	no
.It vm.proc.map	struct kinfo_vmentry	no
.It vm.guard_size	unsigned int	no
.It vm.thread_guard_size	unsigned int	yes
.It vm.swap_encrypt	bool	yes
.El
.Bl -tag -width "123456"
.It Li vm.anonmax ( Dv VM_ANONMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store anonymous application data.
.It Li vm.anonmin ( Dv VM_ANONMIN )
The percentage of physical memory which will be always be available for
anonymous application data.
.It Li vm.bufcache ( Dv VM_BUFCACHE )
The percentage of physical memory which will be available
for the buffer cache.
.It Li vm.bufmem ( Dv VM_BUFMEM )
The amount of kernel memory that is being used by the buffer cache.
.It Li vm.bufmem_lowater ( Dv VM_BUFMEM_LOWATER )
The minimum amount of kernel memory to reserve for the
buffer cache.
.It Li vm.bufmem_hiwater ( Dv VM_BUFMEM_HIWATER )
The maximum amount of kernel memory to be used for the
buffer cache.
.It Li vm.execmax ( Dv VM_EXECMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store cached executable data.
.It Li vm.execmin ( Dv VM_EXECMIN )
The percentage of physical memory which will be always be available for
cached executable data.
.It Li vm.filemax ( Dv VM_FILEMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store cached file data.
.It Li vm.filemin ( Dv VM_FILEMIN )
The percentage of physical memory which will be always be available for
cached file data.
.It Li vm.loadavg ( Dv VM_LOADAVG )
Return the load average history.
The returned data consists of a
.Vt struct loadavg .
.It Li vm.maxslp ( Dv VM_MAXSLP )
The value of the maxslp kernel global variable.
.It Li vm.vmmeter ( Dv VM_METER )
Return system wide virtual memory statistics.
The returned data consists of a
.Vt struct vmtotal .
.It vm.user_va0_disable
A flag which controls whether user processes can map virtual address\ 0.
.It Li vm.proc.map ( Dv VM_PROC )
The third level is
.Dv VM_PROC_MAP ,
the fourth is the pid of the process to display the vm object entries for, and
the fifth is the size of
.Vt struct kinfo_vmentry .
Returns an array of
.Vt struct kinfo_vmentry
objects.
.It Li vm.ubc_direct Bq Sy "EXPERIMENTAL" Ns No , default off
Use direct map for UBC I/O, avoiding need to map and unmap buffer memory.
Speeds up operation for fast I/O devices like NVMe, especially
on multi-CPU systems.
Only available on some architectures.
.It Li vm.uspace ( Dv VM_USPACE )
The number of bytes allocated for each kernel stack.
.It Li vm.uvmexp ( Dv VM_UVMEXP )
Return system wide virtual memory statistics.
The returned data consists of a
.Vt struct uvmexp .
.It Li vm.uvmexp2 ( Dv VM_UVMEXP2 )
Return system wide virtual memory statistics.
The returned data consists of a
.Vt struct uvmexp_sysctl .
.It Li vm.guard_size
Return system wide guard size for the main thread of a program.
.It Li vm.thread_guard_size
Return system wide default size for the guard area of all other threads
of a program.
.It Li vm.swap_encrypt
If true, encrypt data while swapped out to disk.
.Pp
Each swap device maintains an independent AES-256 key, generated when
the first page is swapped to that device.
Each page is swapped independently using AES-CBC, with an
initialization vector chosen by the encryption under the AES-256 key of
the little-endian swap slot number padded to 128 bits with zeros.
(This is essentially the
.Xr cgd 4
.Sq encblkno1
method.)
.Pp
Changes to
.Li vm.swap_encrypt
only affect pages of swap newly written out.
To force encrypting or decrypting all existing swap, or to rekey
previously encrypted swap, you can remove the swap devices and re-add
them with
.Xr swapctl 8 ,
with the caveat that whatever pages were already written to disk
unencrypted or encrypted with a compromised key may still be written to
disk afterward.
.El
.Ss The ddb.* subtree ( Dv CTL_DDB )
The information available for the
.Li ddb
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "Second level name" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It ddb.commandonenter	string	yes
.It ddb.dumpstack 	integer	yes
.It ddb.fromconsole	integer	yes
.It ddb.lines	integer	yes
.It ddb.maxoff	integer	yes
.It ddb.maxwidth	integer	yes
.It ddb.onpanic	integer	yes
.It ddb.panicstackframes	integer	yes
.It ddb.radix	integer	yes
.It ddb.tabstops	integer	yes
.It ddb.tee_msgbuf	integer	yes
.El
.Bl -tag -width "123456"
.It Li ddb.commandonenter
If not empty, the string is used as the DDB command to be executed each time
DDB is entered.
.It Li ddb.dumpstack
A value of 1 causes a stack trace to be printed on entering ddb from a panic.
A value of 0 disables this behaviour.
The default value is 1.
.It Li ddb.fromconsole ( Dv DDBCTL_FROMCONSOLE )
If not zero, DDB may be entered by sending a break on a serial
console or by a special key sequence on a graphics console.
.It Li ddb.lines ( Dv DDBCTL_LINES )
Number of display lines.
.It Li ddb.maxoff ( Dv DDBCTL_MAXOFF )
The maximum symbol offset.
.It Li ddb.maxwidth ( Dv DDBCTL_MAXWIDTH )
The maximum output line width.
.It Li ddb.onpanic ( Dv DDBCTL_ONPANIC )
If greater than zero, DDB will be entered if the kernel panics.
A value of 1 causes the system to enter DDB on panic.
A value of 0 causes the kernel to attempt to print a stack trace, then
reboot, while a value of \-1 means neither a stack trace will be printed
nor DDB entered.
.It Li ddb.panicstackframes
Number of stack frames to display on panic.
Useful to avoid scrolling away the interesting frames on a glass tty.
Default value is
.Dv 65535
(all frames), useful value around
.Dv 10 .
.It Li ddb.radix ( Dv DDBCTL_RADIX )
The input and output radix.
.It Li ddb.tabstops ( Dv DDBCTL_TABSTOPS )
Tab width.
.It Li ddb.tee_msgbuf
If not zero, DDB will output also to the kernel message buffer.
.El
.Pp
Some of these MIB
nodes are also available as variables from within the debugger.
See
.Xr ddb 4
for more details.
.Ss The security.* subtree ( Dv CTL_SECURITY )
The
.Li security
level contains various security-related settings for
the system.
The available second level names are:
.Bl -column "Second level name" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It Li security.curtain	integer	yes
.It Li security.models	node	not applicable
.It Li security.pax	node	not applicable
.El
.Pp
Available settings are detailed below.
.Bl -tag -width "123456"
.It Li security.curtain
If non-zero, will filter return objects according to the user ID
requesting information about them, preventing users from
accessing any objects they do not own.
.Pp
At the moment, it affects
.Xr ps 1 ,
.Xr netstat 1
(for
.Dv PF_INET ,
.Dv PF_INET6 ,
and
.Dv PF_UNIX
PCBs), and
.Xr w 1 .
.It Li security.models
.Nx
supports pluggable security models.
Every security model used, whether if loaded as a module or built with the system,
is required to add an entry to this node with at least one element,
.Dq name ,
indicating the name of the security model.
.Pp
In addition to the name, any settings and other information private to the
security model will be available under this node.
See
.Xr secmodel 9
for more information.
.It Li security.pax
Settings for PaX \(em exploit mitigation features.
For more information on any of the PaX features, please see
.Xr paxctl 8
and
.Xr security 7 .
The available third and fourth level names are:
.Bl -column "security.pax.segvguard.suspend_timeout" "integer" "Changeable" \
-offset 2n
.It Sy Third and fourth level names Ta Sy Type Ta Sy Changeable
.It Li security.pax.aslr.enabled	integer	yes
.\".It Li security.pax.aslr.exec_len	integer	yes
.It Li security.pax.aslr.global	integer	yes
.\".It Li security.pax.aslr.mmap_len	integer	yes
.\".It Li security.pax.aslr.stack_len	integer	yes
.It Li security.pax.mprotect.enabled	integer	yes
.It Li security.pax.mprotect.global	integer	yes
.It Li security.pax.mprotect.ptrace	integer	yes
.It Li security.pax.segvguard.enabled	integer	yes
.It Li security.pax.segvguard.expiry_timeout	integer	yes
.It Li security.pax.segvguard.global	integer	yes
.It Li security.pax.segvguard.max_crashes	integer	yes
.It Li security.pax.segvguard.suspend_timeout	integer	yes
.El
.Bl -tag -width "123456"
.It Li security.pax.aslr.enabled
Enable PaX ASLR (Address Space Layout Randomization).
.Pp
The value of this
knob must be non-zero for PaX ASLR to be enabled, even if a program is set to
explicit enable.
.\".It Li security.pax.aslr.exec_len
.\" XXX: Undocumented.
.It Li security.pax.aslr.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get PaX ASLR, except those exempted with
.Xr paxctl 8 .
Otherwise, all programs will not get PaX ASLR, except those specifically
marked as such with
.Xr paxctl 8 .
.\".It Li security.pax.aslr.mmap_len
.\" XXX: Undocumented.
.\" .It Li security.pax.aslr.stack_len
.\" XXX: Undocumented.
.It Li security.pax.mprotect.enabled
Enable PaX MPROTECT restrictions.
.Pp
These are
.Xr mprotect 2
restrictions to better enforce a W^X policy.
The value of this
knob must be non-zero for PaX MPROTECT to be enabled, even if a
program is set to explicit enable.
.It Li security.pax.mprotect.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get the PaX MPROTECT restrictions,
except those exempted with
.Xr paxctl 8 .
Otherwise, all programs will not get the PaX MPROTECT restrictions,
except those specifically marked as such with
.Xr paxctl 8 .
.It Li security.pax.mprotect.ptrace
This variable allows
.Xr ptrace 2
to override PaX MPROTECT permissions.
It can have the following values:
.Bl -tag -width XX -compact
.It 0
Does not let override any permissions.
.It 1
Disables PaX MPROTECT from processes that start executing while traced (default).
.It 2
Bypasses PaX MPROTECT for all processes being traced.
.El
.It Li security.pax.segvguard.enabled
Enable PaX Segvguard.
.Pp
PaX Segvguard can detect and prevent certain exploitation attempts, where
an attacker may try for example to brute-force function return addresses
of respawning daemons.
.Pp
.Em Note :
The
.Nx
interface and implementation of the Segvguard is still experimental, and may
change in future releases.
.It Li security.pax.segvguard.expiry_timeout
If the max number was not reached within this timeout (in seconds), the entry
will expire.
.It Li security.pax.segvguard.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get the PaX Segvguard,
except those exempted with
.Xr paxctl 8 .
Otherwise, no program will get the PaX Segvguard restrictions,
except those specifically marked as such with
.Xr paxctl 8 .
.It Li security.pax.segvguard.max_crashes
The maximum number of segfaults a program can receive before suspension.
.It Li security.pax.segvguard.suspend_timeout
Number of seconds to suspend a user from running a faulting program when the
limit was exceeded.
.El
.El
.Ss The vendor.* subtree ( Dv CTL_VENDOR )
The
.Li vendor
toplevel name is reserved to be used by vendors who wish to
have their own private MIB tree.
Intended use is to store values under
.Dq vendor.<yourname>.* .
.Sh SEE ALSO
.Xr sysctl 3 ,
.Xr ipsec 4 ,
.Xr tcp 4 ,
.Xr security 7 ,
.Xr sysctl 8
.Sh HISTORY
The
.Nm
variables first appeared in
.Bx 4.4 .