.\" $NetBSD: sysctl.7,v 1.13 2007/06/25 23:36:18 christos Exp $
.\"
.\" Copyright (c) 1993
.\"     The Regents of the University of California.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95
.\"
.Dd June 19, 2007
.Dt SYSCTL 7
.Os
.Sh NAME
.Nm sysctl
.Nd system information variables
.Sh DESCRIPTION
The
.Xr sysctl 3
library function and the
.Xr sysctl 8
utility are used to get and set values of system variables, maintained
by the kernel.
The variables are organized in a tree and identified by a sequence of
numbers, conventionally separated by dots with the topmost identifier
at the left side.
The numbers have corresponding text names.
The
.Xr sysctlnametomib 3
function or the
.Fl M
argument to the
.Xr sysctl 8
utility can be used to convert the text representation to the
numeric one.
.Pp
The individual sysctl variables are described below, both the textual
and numeric form where applicable.
The textual names can be used as arguments to the
.Xr sysctl 8
utility and in the file
.Pa /etc/sysctl.conf .
The numeric names are usually defined as preprocessor constants and
are intended for use by programs.
Every such constant expands to one integer, which identifies the
sysctl variable relative to the upper level of the tree.
See the
.Xr sysctl 3
manual page for programming examples.
.Sh Top level names
The top level names are defined with a CTL_ prefix in
.Aq Pa sys/sysctl.h ,
and are as follows.
The next and subsequent levels down are found in the include files
listed here, and described in separate sections below.
.Bl -column securityXX CTLXSECURITYXX "Next level namesXX"
.It Sy Name Ta Constant Ta Next level names Ta Description
.It kern Ta CTL\_KERN Ta sys/sysctl.h Ta High kernel limits
.It vm Ta CTL\_VM Ta uvm/uvm_param.h Ta Virtual memory
.It vfs Ta CTL\_VFS Ta sys/mount.h Ta Filesystem
.It net Ta CTL\_NET Ta sys/socket.h Ta Networking
.It debug Ta CTL\_DEBUG Ta sys/sysctl.h Ta Debugging
.It hw Ta CTL\_HW Ta sys/sysctl.h Ta Generic CPU, I/O
.It machdep Ta CTL\_MACHDEP Ta sys/sysctl.h Ta Machine dependent
.It user Ta CTL\_USER Ta sys/sysctl.h Ta User-level
.It ddb Ta CTL\_DDB Ta sys/sysctl.h Ta In-kernel debugger
.It proc Ta CTL\_PROC Ta sys/sysctl.h Ta Per-process
.It vendor Ta CTL\_VENDOR Ta ? Ta Vendor specific
.It emul Ta CTL\_EMUL Ta sys/sysctl.h Ta Emulation settings
.It security Ta CTL\_SECURITY Ta sys/sysctl.h Ta Security settings
.El
.Sh The debug.* subtree
The debugging variables vary from system to system.
A debugging variable may be added or deleted without need to recompile
.Nm
to know about it.
Each time it runs,
.Nm
gets the list of debugging variables from the kernel and
displays their current values.
The system defines twenty
.Va ( struct ctldebug )
variables named
.Dv debug0
through
.Dv debug19 .
They are declared as separate variables so that they can be
individually initialized at the location of their associated variable.
The loader prevents multiple use of the same variable by issuing errors
if a variable is initialized in more than one place.
For example, to export the variable
.Dv dospecialcheck
as a debugging variable, the following declaration would be used:
.Bd -literal -offset indent -compact
int dospecialcheck = 1;
struct ctldebug debug5 = { "dospecialcheck", \*[Am]dospecialcheck };
.Ed
.Pp
Note that the dynamic implementation of
.Nm
currently in use largely makes this particular
.Nm
interface obsolete.
See
.Xr sysctl 8
.\" and
.\" .Xr sysctl 9
for more information.
.Sh The vfs.* subtree
A distinguished second level name,
.Li vfs.generic ( VFS_GENERIC ) ,
is used to get general information about all filesystems.
One of its third level identifiers is
.Li vfs.generic.maxtypenum ( VFS_MAXTYPENUM )
that gives the highest valid filesystem type number.
Its other third level identifier is
.Li vfs.generic.conf ( VFS_CONF )
that returns configuration information about the filesystem
type given as a fourth level identifier.
The remaining second level identifiers are the
filesystem type number returned by a
.Xr statvfs 2
call or from
.Li vfs.generic.conf .
The third level identifiers available for each filesystem
are given in the header file that defines the mount
argument structure for that filesystem.
.Sh The hw.* subtree
The string and integer information available for the
.Li hw
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "Second level nameXXXXXX" "struct disk_sysctlXXX" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It hw.alignbytes Ta integer Ta no
.It hw.byteorder Ta integer Ta no
.It hw.cnmagic Ta string Ta yes
.It hw.disknames Ta string Ta no
.It hw.diskstats Ta struct Ta no
.It hw.machine Ta string Ta no
.It hw.machine_arch Ta string Ta no
.It hw.model Ta string Ta no
.It hw.ncpu Ta integer Ta no
.It hw.pagesize Ta integer Ta no
.It hw.physmem Ta integer Ta no
.It hw.physmem64 Ta quad Ta no
.It hw.usermem Ta integer Ta no
.It hw.usermem64 Ta quad Ta no
.El
.Pp
.Bl -tag -width "123456"
.It Li hw.alignbytes ( HW_ALIGNBYTES )
Alignment constraint for all possible data types.
This shows the value
.Dv ALIGNBYTES
in
.Pa /usr/include/machine/param.h ,
at the kernel compilation time.
.It Li hw.byteorder ( HW_BYTEORDER )
The byteorder (4,321, or 1,234).
.It Li hw.cnmagic ( HW_CNMAGIC )
The console magic key sequence.
.It Li hw.disknames ( HW_DISKNAMES )
The list of (space separated) disk device names on the system.
.It Li hw.iostatnames ( HW_IOSTATNAMES )
A space separated list of devices that will have I/O statistics
collected on them.
.It Li hw.iostats ( HW_IOSTATS )
Return statistical information on the NFS mounts, disk and tape
devices on the system.
An array of
.Va struct io_sysctl
structures is returned,
whose size depends on the current number of such objects in the system.
The third level name is the size of the
.Va struct io_sysctl .
The type of object can be determined by examining the
.Va type
element of
.Va struct io_sysctl .
Which can be
.Dv IOSTAT_DISK
(disk drive),
.Dv IOSTAT_TAPE
(tape drive), or
.Dv IOSTAT_NFS
(NFS mount).
.It Li hw.machine ( HW_MACHINE )
The machine class.
.It Li hw.machine_arch ( HW_MACHINE_ARCH )
The machine CPU class.
.It Li hw.model ( HW_MODEL )
The machine model.
.It Li hw.ncpu ( HW_NCPU )
The number of CPUs.
.ne 1i
.It Li hw.pagesize ( HW_PAGESIZE )
The software page size.
.It Li hw.physmem ( HW_PHYSMEM )
The bytes of physical memory as a 32-bit integer.
.It Li hw.physmem64 ( HW_PHYSMEM64 )
The bytes of physical memory as a 64-bit integer.
.It Li hw.usermem ( HW_USERMEM )
The bytes of non-kernel memory as a 32-bit integer.
.It Li hw.usermem64 ( HW_USERMEM64 )
The bytes of non-kernel memory as a 64-bit integer.
.El
.Sh The kern.* subtree
The string and integer information available for the
.Li kern
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
The types of data currently available are process information,
system vnodes, the open file entries, routing table entries,
virtual memory statistics, load average history, and clock rate
information.
.Bl -column "kern.posix_reader_writer_locks" "struct clockrateXXX" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It kern.argmax Ta integer Ta no
.It kern.autonicetime Ta integer Ta yes
.It kern.autoniceval Ta integer Ta yes
.It kern.boottime Ta struct timeval Ta no
.It kern.bufq Ta node Ta not applicable
.It kern.ccpu Ta integer Ta no
.It kern.clockrate Ta struct clockinfo Ta no
.It kern.consdev Ta integer Ta no
.It kern.cp\_id Ta struct Ta no
.It kern.cp\_time Ta uint64_t[\|] Ta no
.It kern.defcorename Ta string Ta yes
.It kern.domainname Ta string Ta yes
.It kern.drivers Ta struct kinfo_drivers Ta no
.It kern.file Ta struct file Ta no
.It kern.forkfsleep Ta integer Ta yes
.It kern.fscale Ta integer Ta no
.It kern.fsync Ta integer Ta no
.It kern.hardclock\_ticks Ta integer Ta no
.It kern.hostid Ta integer Ta yes
.It kern.hostname Ta string Ta yes
.It kern.iov\_max Ta integer Ta no
.It kern.job\_control Ta integer Ta no
.It kern.labeloffset Ta integer Ta no
.It kern.labelsector Ta integer Ta no
.It kern.login\_name\_max Ta integer Ta no
.It kern.logsigexit Ta integer Ta yes
.It kern.mapped\_files Ta integer Ta no
.It kern.maxfiles Ta integer Ta yes
.It kern.maxpartitions Ta integer Ta no
.It kern.maxphys Ta integer Ta no
.It kern.maxproc Ta integer Ta yes
.It kern.maxptys Ta integer Ta yes
.It kern.maxvnodes Ta integer Ta yes
.It kern.mbuf Ta node Ta not applicable
.It kern.memlock Ta integer Ta no
.It kern.memlock\_range Ta integer Ta no
.It kern.memory\_protection Ta integer Ta no
.It kern.monotonic\_clock Ta integer Ta no
.It kern.msgbuf Ta integer Ta no
.It kern.msgbufsize Ta integer Ta no
.It kern.ngroups Ta integer Ta no
.It kern.ntptime Ta struct ntptimeval Ta no
.It kern.osrelease Ta string Ta no
.It kern.osrev Ta integer Ta no
.It kern.ostype Ta string Ta no
.It kern.pipe Ta node Ta not applicable
.It kern.posix1 Ta integer Ta no
.It kern.posix\_barriers Ta integer Ta no
.It kern.posix\_reader\_writer\_locks Ta integer Ta no
.It kern.posix\_semaphores Ta integer Ta no
.It kern.posix\_spin\_locks Ta integer Ta no
.It kern.posix\_threads Ta integer Ta no
.It kern.posix\_timers Ta integer Ta no
.It kern.proc Ta struct kinfo_proc Ta no
.It kern.proc2 Ta struct kinfo_proc2 Ta no
.It kern.proc\_args Ta string Ta no
.It kern.prof Ta node Ta not applicable
.It kern.rawpartition Ta integer Ta no
.It kern.root\_device Ta string Ta no
.It kern.root\_partition Ta integer Ta no
.It kern.rtc\_offset Ta integer Ta yes
.It kern.saved\_ids Ta integer Ta no
.It kern.securelevel Ta integer Ta raise only
.It kern.synchronized\_io Ta integer Ta no
.It kern.ipc Ta node Ta not applicable
.It kern.timex Ta struct Ta no
.It kern.tkstat Ta node Ta not applicable
.It kern.urandom Ta integer Ta no
.It kern.version Ta string Ta no
.It kern.vnode Ta struct vnode Ta no
.El
.ne 1i
.Pp
.Bl -tag -width "123456"
.It Li kern.argmax ( KERN_ARGMAX )
The maximum bytes of argument to
.Xr execve 2 .
.It Li kern.autonicetime ( KERN_AUTONICETIME )
The number of seconds of CPU-time a non-root process may accumulate before
having its priority lowered from the default to the value of KERN_AUTONICEVAL.
If set to 0, automatic lowering of priority is not performed, and if set to \-1
all non-root processes are immediately lowered.
.It Li kern.autoniceval ( KERN_AUTONICEVAL )
The priority assigned for automatically niced processes.
.It Li kern.boottime ( KERN_BOOTTIME )
A
.Va struct timeval
structure is returned.
This structure contains the time that the system was booted.
.It Li kern.ccpu ( KERN_CCPU )
The scheduler exponential decay value.
.It Li kern.clockrate ( KERN_CLOCKRATE )
A
.Va struct clockinfo
structure is returned.
This structure contains the clock, statistics clock and profiling clock
frequencies, the number of micro-seconds per hz tick, and the clock
skew rate.
.It Li kern.consdev ( KERN_CONSDEV )
Console device.
.It Li kern.cp_id ( KERN_CP_ID )
Mapping of CPU number to CPU id.
.It Li kern.cp_time ( KERN_CP_TIME )
Returns an array of CPUSTATES uint64_ts.
This array contains the
number of clock ticks spent in different CPU states.
On multi-processor systems, the sum across all CPUs is returned unless
appropriate space is given for one data set for each CPU.
Data for a specific CPU can also be obtained by adding the number of the
CPU at the end of the MIB, enlarging it by one.
.It Li kern.defcorename ( KERN_DEFCORENAME )
Default template for the name of core dump files (see also
.Li proc.pid.corename
in the per-process variables
.Li proc.* ,
and
.Xr core 5
for format of this template).
The default value is
.Nm %n.core
and can be changed with the kernel configuration option
.Cd options DEFCORENAME
(see
.Xr options 4
).
.It Li kern.domainname ( KERN_DOMAINNAME )
Get or set the YP domain name.
.It Li kern.dump_on_panic ( KERN_DUMP_ON_PANIC )
Perform a crash dump on system panic.
.It Li kern.drivers ( KERN_DRIVERS )
Return an array of
.Va struct kinfo_drivers
that contains the name and major device numbers of all the device drivers
in the current kernel.
The
.Va d_name
field is always a NUL terminated string.
The
.Va d_bmajor
field will be set to \-1 if the driver doesn't have a block device.
.It Li kern.file ( KERN_FILE )
Return the entire file table.
The returned data consists of a single
.Va struct filelist
followed by an array of
.Va struct file ,
whose size depends on the current number of such objects in the system.
.It Li kern.forkfsleep ( KERN_FORKFSLEEP )
If the
.Xr fork 2
system call fails due to the limit on the number of processes (either
the global maxproc limit or the user's one), wait for this many
milliseconds before returning an
.Er EAGAIN
error to the process.
Useful to keep heavily forking runaway processes at bay.
Default zero (no sleep).
Maximum is 20 seconds.
.It Li kern.fscale ( KERN_FSCALE )
The kernel fixed-point scale factor.
.It Li kern.fsync ( KERN_FSYNC )
Return 1 if the POSIX 1003.1b File Synchronization Option is available
on this system,
otherwise 0.
.It Li kern.hardclock_ticks ( KERN_HARDCLOCK_TICKS )
Returns the number of
.Xr hardclock 9
ticks.
.It Li kern.hostid ( KERN_HOSTID )
Get or set the host id.
.It Li kern.hostname ( KERN_HOSTNAME )
Get or set the hostname.
.It Li kern.iov_max ( KERN_IOV_MAX )
Return the maximum number of
.Va iovec
structures that a process has available for use with
.Xr preadv 2 ,
.Xr pwritev 2 ,
.Xr readv 2 ,
.Xr recvmsg 2 ,
.Xr sendmsg 2
and
.Xr writev 2 .
.It Li kern.job_control ( KERN_JOB_CONTROL )
Return 1 if job control is available on this system, otherwise 0.
.It Li kern.labeloffset ( KERN_LABELOFFSET )
The offset within the sector specified by KERN_LABELSECTOR of the
.Xr disklabel 5 .
.It Li kern.labelsector ( KERN_LABELSECTOR )
The sector number containing the
.Xr disklabel 5 .
.It Li kern.login_name_max ( KERN_LOGIN_NAME_MAX )
The size of the storage required for a login name, in bytes,
including the terminating NUL.
.It Li kern.logsigexit ( KERN_LOGSIGEXIT )
If this flag is non-zero, the kernel will
.Xr log 9
all process exits due to signals which create a
.Xr core 5
file, and whether the coredump was created.
.It Li kern.mapped_files ( KERN_MAPPED_FILES )
Returns 1 if the POSIX 1003.1b Memory Mapped Files Option is available
on this system,
otherwise 0.
.It Li kern.maxfiles ( KERN_MAXFILES )
The maximum number of open files that may be open in the system.
.It Li kern.maxpartitions ( KERN_MAXPARTITIONS )
The maximum number of partitions allowed per disk.
.It Li kern.maxphys ( KERN_MAXPHYS )
Maximum raw I/O transfer size.
.It Li kern.maxproc ( KERN_MAXPROC )
The maximum number of simultaneous processes the system will allow.
.It Li kern.maxptys ( KERN_MAXPTYS )
The maximum number of pseudo terminals.
This value can be both raised and lowered, though it cannot
be set lower than the number of currently used ptys.
See also
.Xr pty 4 .
.It Li kern.maxvnodes ( KERN_MAXVNODES )
The maximum number of vnodes available on the system.
This can only be raised.
.It Li kern.mbuf ( KERN_MBUF )
Return information about the mbuf control variables.
Mbufs are data structures which store network packets and other data
structures in the networking code, see
.Xr mbuf 9 .
The third level names for the mbuf variables are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.mbuf.nmbclusters" "struct integerXXX" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.\" XXX Changeable? really?
.It kern.mbuf.mblowat Ta integer Ta yes
.It kern.mbuf.mclbytes Ta integer Ta yes
.It kern.mbuf.mcllowat Ta integer Ta yes
.It kern.mbuf.msize Ta integer Ta yes
.It kern.mbuf.nmbclusters Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.mbuf.mblowat ( MBUF_MBLOWAT )
The mbuf low water mark.
.It Li kern.mbuf.mclbytes ( MBUF_MCLBYTES )
The mbuf cluster size.
.It Li kern.mbuf.mcllowat ( MBUF_MCLLOWAT )
The mbuf cluster low water mark.
.It Li kern.mbuf.msize ( MBUF_MSIZE )
The mbuf base size.
.It Li kern.mbuf.nmbclusters ( MBUF_NMBCLUSTERS )
The limit on the number of mbuf clusters.
The variable can only be increased, and only increased on machines with
direct-mapped pool pages.
.El
.It Li kern.memlock ( KERN_MEMLOCK )
Returns 1 if the POSIX 1003.1b Process Memory Locking Option is available
on this system,
otherwise 0.
.It Li kern.memlock_range ( KERN_MEMLOCK_RANGE )
Returns 1 if the POSIX 1003.1b Range Memory Locking Option is available
on this system,
otherwise 0.
.It Li kern.memory_protection ( KERN_MEMORY_PROTECTION )
Returns 1 if the POSIX 1003.1b Memory Protection Option is available
on this system,
otherwise 0.
.It Li kern.monotonic_clock ( KERN_MONOTONIC_CLOCK )
Returns the standard version the implementation of the POSIX 1003.1b
Monotonic Clock Option conforms to,
otherwise 0.
.It Li kern.msgbuf ( KERN_MSGBUF )
The kernel message buffer, rotated so that the head of the circular kernel
message buffer is at the start of the returned data.
The returned data may contain NUL bytes.
.It Li kern.msgbufsize ( KERN_MSGBUFSIZE )
The maximum number of characters that the kernel message buffer can hold.
.It Li kern.ngroups ( KERN_NGROUPS )
The maximum number of supplemental groups.
.It Li kern.ntptime ( KERN_NTPTIME )
A
.Va struct ntptimeval
structure is returned.
This structure contains data used by the
.Xr ntpd 8
program.
.It Li kern.osrelease ( KERN_OSRELEASE )
The system release string.
.It Li kern.osrevision ( KERN_OSREV )
The system revision string.
.It Li kern.ostype ( KERN_OSTYPE )
The system type string.
.It Li kern.pipe ( KERN_PIPE )
Pipe settings.
The third level names for the integer pipe settings are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.pipe.maxbigpipesXXX" "integerXXX" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.pipe.kvasiz Ta integer Ta yes
.It kern.pipe.maxbigpipes Ta integer Ta yes
.It kern.pipe.maxkvasz Ta integer Ta yes
.It kern.pipe.limitkva Ta integer Ta yes
.It kern.pipe.nbigpipes Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.pipe.kvasiz ( KERN_PIPE_KVASIZ )
Amount of kernel memory consumed by pipe buffers.
.It Li kern.pipe.maxbigpipes ( KERN_PIPE_MAXBIGPIPES )
Maximum number of "big" pipes.
.It Li kern.pipe.maxkvasz ( KERN_PIPE_MAXKVASZ )
Maximum amount of kernel memory to be used for pipes.
.It Li kern.pipe.limitkva ( KERN_PIPE_LIMITKVA )
Limit for direct transfers via page loan.
.It Li kern.pipe.nbigpipes ( KERN_PIPE_NBIGPIPES )
Number of "big" pipes.
.El
.It Li kern.posix1version ( KERN_POSIX1 )
The version of ISO/IEC 9945 (POSIX 1003.1) with which the system
attempts to comply.
.It Li kern.posix_barriers ( KERN_POSIX_BARRIERS )
The version of
.St -p1003.1
and its
Barriers
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_reader_writer_locks ( KERN_POSIX_READER_WRITER_LOCKS )
The version of
.St -p1003.1
and its
Read-Write Locks
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_semaphores ( KERN_POSIX_SEMAPHORES )
The version of
.St -p1003.1
and its
Semaphores
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_spin_locks ( KERN_POSIX_SPIN_LOCKS )
The version of
.St -p1003.1
and its
Spin Locks
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_threads ( KERN_POSIX_THREADS )
The version of
.St -p1003.1
and its
Threads
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_timers ( KERN_POSIX_TIMERS )
The version of
.St -p1003.1
and its
Timers
option to which the system attempts to conform,
otherwise 0.
.It Li kern.proc ( KERN_PROC )
Return the entire process table, or a subset of it.
An array of
.Va struct kinfo_proc
structures is returned,
whose size depends on the current number of such objects in the system.
The third and fourth level numeric names are as follows:
.Bl -column "Third level nameXXXXXX" "Fourth level is:XXXXXX" -offset indent
.It Sy Third level name Ta Fourth level is:
.It KERN\_PROC\_ALL Ta None
.It KERN\_PROC\_GID Ta A group ID
.It KERN\_PROC\_PID Ta A process ID
.It KERN\_PROC\_PGRP Ta A process group
.It KERN\_PROC\_RGID Ta A real group ID
.It KERN\_PROC\_RUID Ta A real user ID
.It KERN\_PROC\_SESSION Ta A session ID
.It KERN\_PROC\_TTY Ta A tty device
.It KERN\_PROC\_UID Ta A user ID
.El
.It Li kern.proc2 ( KERN_PROC2 )
As for KERN_PROC, but an array of
.Va struct kinfo_proc2
structures is returned.
The fifth level name is the size of the
.Va struct kinfo_proc2
and the sixth level name is the number of structures to return.
.It Li kern.proc_args ( KERN_PROC_ARGS )
Return the argv or environment strings (or the number thereof)
of a process.
Multiple strings are returned separated by NUL characters.
The third level name is the process ID.
The fourth level name is as follows:
.Bl -column "Third level nameXXXXXX" -offset indent
.It KERN\_PROC\_ARGV Ta The argv strings
.It KERN\_PROC\_ENV Ta The environ strings
.It KERN\_PROC\_NARGV Ta The number of argv strings
.It KERN\_PROC\_NENV Ta The number of environ strings
.El
.It Li kern.profiling ( KERN_PROF )
Return profiling information about the kernel.
If the kernel is not compiled for profiling,
attempts to retrieve any of the KERN_PROF values will
fail with
.Er EOPNOTSUPP .
The third level names for the string and integer profiling information
are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.profiling.gmonparam" "struct gmonparam" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.profiling.count Ta u_short[\|] Ta yes
.It kern.profiling.froms Ta u_short[\|] Ta yes
.It kern.profiling.gmonparam Ta struct gmonparam Ta no
.It kern.profiling.state Ta integer Ta yes
.It kern.profiling.tos Ta struct tostruct Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.profiling.count ( GPROF_COUNT )
Array of statistical program counter counts.
.It Li kern.profiling.froms ( GPROF_FROMS )
Array indexed by program counter of call-from points.
.It Li kern.profiling.gmonparams ( GPROF_GMONPARAM )
Structure giving the sizes of the above arrays.
.It Li kern.profiling.state ( GPROF_STATE )
Profiling state.
If set to GMON_PROF_ON, starts profiling.
If set to GMON_PROF_OFF, stops profiling.
.It Li kern.profiling.tos ( GPROF_TOS )
Array of
.Va struct tostruct
describing destination of calls and their counts.
.El
.It Li kern.rawpartition ( KERN_RAWPARTITION )
The raw partition of a disk (a == 0).
.It Li kern.root_device ( KERN_ROOT_DEVICE )
The name of the root device (e.g.,
.Dq wd0 ) .
.It Li kern.root_partition ( KERN_ROOT_PARTITION )
The root partition on the root device (a == 0).
.It Li kern.rtc_offset ( KERN_RTC_OFFSET )
Return the offset of real time clock from UTC in minutes.
.It Li kern.saved_ids ( KERN_SAVED_IDS )
Returns 1 if saved set-group and saved set-user ID is available.
.It Li kern.sbmax ( KERN_SBMAX )
Maximum socket buffer size.
.\" XXX units?
.It Li kern.securelevel ( KERN_SECURELVL )
The system security level.
This level may be raised by processes with appropriate privilege.
It may only be lowered by process 1.
.It Li kern.somaxkva ( KERN_SOMAXKVA )
Maximum amount of kernel memory to be used for socket buffers.
.\" XXX units?
.It Li kern.synchronized_io ( KERN_SYNCHRONIZED_IO )
Returns 1 if the POSIX 1003.1b Synchronized I/O Option is available
on this system,
otherwise 0.
.It Li kern.ipc ( KERN_SYSVIPC )
Return information about the SysV IPC parameters.
The third level names for the ipc variables are detailed below.
.Bl -column "KERN_SYSVIPC_MSGXXX" "integerXXX" "noXXX" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.ipc.sysvmsg Ta integer Ta no
.It kern.ipc.sysvsem Ta integer Ta no
.It kern.ipc.sysvshm Ta integer Ta no
.It kern.ipc.sysvipc_info Ta struct Ta no
.It kern.ipc.shmmax Ta integer Ta no
.It kern.ipc.shmmni Ta integer Ta yes
.It kern.ipc.shmseg Ta integer Ta yes
.It kern.ipc.shmmaxpgs Ta integer Ta yes
.It kern.ipc.shm_use_phys Ta integer Ta yes
.El
.Bl -tag -width "123456"
.It Li kern.ipc.sysvmsg ( KERN_SYSVIPC_MSG )
Returns 1 if System V style message queue functionality is available
on this system,
otherwise 0.
.It Li kern.ipc.sysvsem ( KERN_SYSVIPC_SEM )
Returns 1 if System V style semaphore functionality is available
on this system,
otherwise 0.
.It Li kern.ipc.sysvshm ( KERN_SYSVIPC_SHM )
Returns 1 if System V style shared memory functionality is available
on this system,
otherwise 0.
.It Li kern.ipc.sysvipc_info ( KERN_SYSVIPC_INFO )
Return System V style IPC configuration and run-time information.
The fourth level name selects the System V style IPC facility.
.Bl -column "KERN_SYSVIPC_MSG_INFOXXX" "struct shm_sysctl_infoXXX" -offset indent
.It Sy Fourth level name Ta Type
.It KERN\_SYSVIPC\_MSG\_INFO Ta struct msg_sysctl_info
.It KERN\_SYSVIPC\_SEM\_INFO Ta struct sem_sysctl_info
.It KERN\_SYSVIPC\_SHM\_INFO Ta struct shm_sysctl_info
.El
.Pp
.Bl -tag -width "123456"
.It Li KERN_SYSVIPC_MSG_INFO
Return information on the System V style message facility.
The
.Sy msg_sysctl_info
structure is defined in
.Aq Pa sys/msg.h .
.It Li KERN_SYSVIPC_SEM_INFO
Return information on the System V style semaphore facility.
The
.Sy sem_sysctl_info
structure is defined in
.Aq Pa sys/sem.h .
.It Li KERN_SYSVIPC_SHM_INFO
Return information on the System V style shared memory facility.
The
.Sy shm_sysctl_info
structure is defined in
.Aq Pa sys/shm.h .
.El
.It Li kern.ipc.shmmax ( KERN_SYSVIPC_SHMMAX )
Max shared memory segment size in bytes.
.It Li kern.ipc.shmmni ( KERN_SYSVIPC_SHMMNI )
Max number of shared memory identifiers.
.It Li kern.ipc.shmseg ( KERN_SYSVIPC_SHMSEG )
Max shared memory segments per process.
.It Li kern.ipc.shmmaxpgs ( KERN_SYSVIPC_SHMMAXPGS )
Max amount of shared memory in pages.
.It Li kern.ipc.shm_use_phys ( KERN_SYSVIPC_SHMUSEPHYS )
Locking of shared memory in physical memory.
If 0, memory can be swapped
out, otherwise it will be locked in physical memory.
.El
.It Li kern.timex ( KERN_TIMEX )
Not available.
.It Li kern.tkstat ( KERN_TKSTAT )
Return information about the number of characters sent and received
on ttys.
The third level names for the tty statistic variables are detailed below.
The changeable column shows whether a process
with appropriate privilege may change the value.
.Bl -column "KERNXTKSTATXRAWCCXXX" "struct integerXXX" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.tkstat.cancc Ta quad Ta no
.It kern.tkstat.nin Ta quad Ta no
.It kern.tkstat.nout Ta quad Ta no
.It kern.tkstat.rawcc Ta quad Ta no
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.tkstat.cancc ( KERN_TKSTAT_CANCC )
The number of canonical input characters.
.It Li kern.tkstat.nin ( KERN_TKSTAT_NIN )
The total number of input characters.
.It Li kern.tkstat.nout ( KERN_TKSTAT_NOUT )
The total number of output characters.
.It Li kern.tkstat.rawcc ( KERN_TKSTAT_RAWCC )
The number of raw input characters.
.El
.It Li kern.urandom ( KERN_URND )
Random integer value.
.It Li kern.veriexec
Tunings for Veriexec.
.Bl -tag -width "123456"
.It Li kern.veriexec.algorithms
Returns a string with the supported algorithms in Veriexec.
.It Li kern.veriexec.count
Sub-nodes are added to this node as new mounts are monitored by Veriexec.
Each mount will be under its own
.No tableN
node.
Under each node there will be three variables, indicating the mount
point, the file-system type, and the number of entries.
.It Li kern.veriexec.strict
Controls the strict level of Veriexec.
See
.Xr security 8
for more information on each level's implications.
.It Li kern.veriexec.verbose
Controls the verbosity level of Veriexec.
If 0, only the minimal
indication required will be given about what's happening - fingerprint
mismatches, removal of entries from the tables, modification of a
fingerprinted file.
If 1, more messages will be printed (i.e., when a file with a valid
fingerprint is accessed).
Verbose level 2 is debug mode.
.El
.It Li kern.version ( KERN_VERSION )
The system version string.
.It Li kern.vnode ( KERN_VNODE )
Return the entire vnode table.
Note, the vnode table is not necessarily a consistent snapshot of
the system.
The returned data consists of an array whose size depends on the
current number of such objects in the system.
Each element of the array contains the kernel address of a vnode
.Va struct vnode *
followed by the vnode itself
.Va struct vnode .
.It Li kern.coredump.setid
Settings related to set-id processes coredumps.
By default, set-id processes do not dump core in situations where
other processes would.
The settings in this node allow an administrator to change this
behavior.
.Pp
.Bl -tag -width "123456"
.It Li kern.coredump.setid.dump
If non-zero, set-id processes will dump core.
853.It Li kern.coredump.setid.group 854The group-id for the set-id processes' coredump. 855.It Li kern.coredump.setid.mode 856The mode for the set-id processes' coredump. 857See 858.Xr chmod 1 . 859.It Li kern.coredump.setid.owner 860The user-id that will be used as the owner of the set-id processes' 861coredump. 862.It Li kern.coredump.setid.path 863The path to which set-id processes' coredumps will be saved. 864Same syntax as kern.defcorename. 865.El 866.\" XXX kern.lwp 867.El 868.Sh The machdep.* subtree 869The set of variables defined is architecture dependent. 870Most architectures define at least the following variables. 871.Bl -column "CONSOLE_DEVICEXXX" "integerXXX" -offset indent 872.It Sy Second level name Type Changeable 873.It Li CPU_CONSDEV dev_t no 874.El 875.Sh The net.* subtree 876The string and integer information available for the 877.Li net 878level is detailed below. 879The changeable column shows whether a process with appropriate 880privilege may change the value. 881The second and third levels are typically the protocol family and 882protocol number, though this is not always the case. 883.Bl -column "Second level nameX" "IPsec key management valuesX" -offset indent 884.It Sy Second level name Type Changeable 885.It net.route routing messages no 886.It net.inet IPv4 values yes 887.It net.inet6 IPv6 values yes 888.It net.key IPsec key management values yes 889.El 890.Pp 891.Bl -tag -width "123456" 892.It Li net.route ( PF_ROUTE ) 893.\" XXX really? 894Return the entire routing table or a subset of it. 895The data is returned as a sequence of routing messages (see 896.Xr route 4 897for the header file, format and meaning). 898The length of each message is contained in the message header. 899.Pp 900The third level name is a protocol number, which is currently always 0. 901The fourth level name is an address family, which may be set to 0 to 902select all address families. 
903The fifth and sixth level names are as follows: 904.Bl -column "Fifth level nameXXXXXX" "Sixth level is:XXX" -offset indent 905.It Sy Fifth level name Sixth level is: 906.It NET\_RT\_FLAGS rtflags 907.It NET\_RT\_DUMP None 908.It NET\_RT\_IFLIST None 909.El 910.It Li net.inet ( PF_INET ) 911Get or set various global information about the IPv4 912.Pq Internet Protocol version 4 . 913The third level name is the protocol. 914The fourth level name is the variable name. 915The currently defined protocols and names are: 916.Bl -column "Protocol name" "sack.globalmaxholes" "integer" -offset 4n 917.It Sy Protocol name Variable name Type Changeable 918.It arp down integer yes 919.It arp keep integer yes 920.It arp prune integer yes 921.It arp refresh integer yes 922.It carp allow integer yes 923.It carp preempt integer yes 924.It carp log integer yes 925.It carp arpbalance integer yes 926.It icmp errppslimit integer yes 927.It icmp maskrepl integer yes 928.It icmp rediraccept integer yes 929.It icmp redirtimeout integer yes 930.It ip allowsrcrt integer yes 931.It ip anonportmax integer yes 932.It ip anonportmin integer yes 933.It ip checkinterface integer yes 934.It ip directed-broadcast integer yes 935.It ip do_loopback_cksum integer yes 936.It ip forwarding integer yes 937.It ip forwsrcrt integer yes 938.It ip gifttl integer yes 939.It ip grettl integer yes 940.It ip hashsize integer yes 941.It ip hostzerobroadcast integer yes 942.It ip lowportmin integer yes 943.It ip lowportmax integer yes 944.It ip maxflows integer yes 945.It ip maxfragpackets integer yes 946.It ip mtudisc integer yes 947.It ip mtudisctimeout integer yes 948.It ip random_id integer yes 949.It ip redirect integer yes 950.It ip subnetsarelocal integer yes 951.It ip ttl integer yes 952.It tcp rfc1323 integer yes 953.It tcp sendspace integer yes 954.It tcp recvspace integer yes 955.It tcp mssdflt integer yes 956.It tcp syn_cache_limit integer yes 957.It tcp syn_bucket_limit integer yes 958.It tcp 
syn_cache_interval integer yes 959.It tcp init_win integer yes 960.It tcp init_win_local integer yes 961.It tcp mss_ifmtu integer yes 962.It tcp win_scale integer yes 963.It tcp timestamps integer yes 964.It tcp compat_42 integer yes 965.It tcp cwm integer yes 966.It tcp cwm_burstsize integer yes 967.It tcp ack_on_push integer yes 968.It tcp keepidle integer yes 969.It tcp keepintvl integer yes 970.It tcp keepcnt integer yes 971.It tcp slowhz integer no 972.It tcp keepinit integer yes 973.It tcp log_refused integer yes 974.It tcp rstppslimit integer yes 975.It tcp ident struct no 976.It tcp drop struct no 977.It tcp sack.enable integer yes 978.It tcp sack.globalholes integer no 979.It tcp sack.globalmaxholes integer yes 980.It tcp sack.maxholes integer yes 981.It tcp ecn.enable integer yes 982.It tcp ecn.maxretries integer yes 983.It tcp congctl.selected string yes 984.It tcp congctl.available string yes 985.It tcp abc.enable integer yes 986.It tcp abc.aggressive integer yes 987.It udp checksum integer yes 988.It udp do_loopback_cksum integer yes 989.It udp recvspace integer yes 990.It udp sendspace integer yes 991.El 992.Pp 993The variables are as follows: 994.Bl -tag -width "123456" 995.It Li arp.down 996Failed ARP entry lifetime. 997.It Li arp.keep 998Valid ARP entry lifetime. 999.It Li arp.prune 1000ARP cache pruning interval. 1001.It Li arp.refresh 1002ARP entry refresh interval. 1003.It Li carp.allow 1004If set to 0, incoming 1005.Xr carp 4 1006packets will not be processed. 1007If set to any other value, processing will occur. 1008Enabled by default. 1009.It Li carp.arpbalance 1010If set to any value other than 0, the ARP balancing functionality of 1011.Xr carp 4 1012is enabled. 1013When ARP requests are received for an IP address which is part of any virtual 1014host, carp will hash the source IP in the ARP request to select one of the 1015virtual hosts from the set of all the virtual hosts which have that IP address. 
1016The master of that host will respond with the correct virtual MAC address. 1017Disabled by default. 1018.It Li carp.log 1019If set to any value other than 0, 1020.Xr carp 4 1021will log errors. 1022Disabled by default. 1023.It Li carp.preempt 1024If set to 0, 1025.Xr carp 4 1026will not attempt to become master if it is receiving advertisements from 1027another active master. 1028If set to any other value, carp will become master of the virtual host if it 1029believes it can send advertisements more frequently than the current master. 1030Disabled by default. 1031.It Li ip.allowsrcrt 1032If set to 1, the host accepts source routed packets. 1033.It Li ip.anonportmax 1034The highest port number to use for TCP and UDP ephemeral port allocation. 1035This cannot be set to less than 1024 or greater than 65535, and must 1036be greater than 1037.Li ip.anonportmin . 1038.It Li ip.anonportmin 1039The lowest port number to use for TCP and UDP ephemeral port allocation. 1040This cannot be set to less than 1024 or greater than 65535. 1041.It Li ip.checkinterface 1042If set to non-zero, the host will reject packets addressed to it 1043that arrive on an interface not bound to that address. 1044Currently, this must be disabled if ipnat is used to translate the 1045destination address to another local interface, or if addresses 1046are added to the loopback interface instead of the interface where 1047the packets for those addresses are received. 1048.It Li ip.directed-broadcast 1049If set to 1, enables directed broadcast behavior for the host. 1050.It Li ip.do_loopback_cksum 1051Perform IP checksum on loopback. 1052.It Li ip.forwarding 1053If set to 1, enables IP forwarding for the host, 1054meaning that the host is acting as a router. 1055.It Li ip.forwsrcrt 1056If set to 1, enables forwarding of source-routed packets for the host. 1057This value may only be changed if the kernel security level is less than 1. 
1058.It Li ip.gifttl 1059The maximum time-to-live (hop count) value for an IPv4 packet generated by 1060.Xr gif 4 1061tunnel interface. 1062.It Li ip.grettl 1063The maximum time-to-live (hop count) value for an IPv4 packet generated by 1064.Xr gre 4 1065tunnel interface. 1066.It Li ip.hashsize 1067The size of IPv4 Fast Forward hash table. 1068This value must be a power of 2 (64, 256...). 1069A larger hash table size results in fewer collisions. 1070Also see 1071.Li ip.maxflows . 1072.It Li ip.hostzerobroadcast 1073All zeroes address is broadcast address. 1074.It Li ip.lowportmax 1075The highest port number to use for TCP and UDP reserved port allocation. 1076This cannot be set to less than 0 or greater than 1024, and must 1077be greater than 1078.Li ip.lowportmin . 1079.It Li ip.lowportmin 1080The lowest port number to use for TCP and UDP reserved port allocation. 1081This cannot be set to less than 0 or greater than 1024, and must 1082be smaller than 1083.Li ip.lowportmax . 1084.It Li ip.maxflows 1085IPv4 Fast Forwarding is enabled by default. 1086If set to 0, IPv4 Fast Forwarding is disabled. 1087.Li ip.maxflows 1088controls the maximum amount of flows which can be created. 1089The default value is 256. 1090.It Li ip.maxfragpackets 1091The maximum number of fragmented packets the node will accept. 10920 means that the node will not accept any fragmented packets. 1093\-1 means that the node will accept as many fragmented packets as it receives. 1094The flag is provided basically for avoiding possible DoS attacks. 1095.It Li ip.mtudisc 1096If set to 1, enables Path MTU Discovery (RFC 1191). 1097When Path MTU Discovery is enabled, the transmitted TCP segment 1098size will be determined by the advertised maximum segment size 1099(MSS) from the remote end, as constrained by the path MTU. 1100If MTU Discovery is disabled, the transmitted segment size will 1101never be greater than 1102.Li tcp.mssdflt 1103(the local maximum segment size). 
1104.It Li ip.mtudisctimeout 1105The number of seconds in which a route added by the Path MTU 1106Discovery engine will time out. 1107When the route times out, the Path 1108MTU Discovery engine will attempt to probe a larger path MTU. 1109.It Li ip.random_id 1110Assign random ip_id values. 1111.It Li ip.redirect 1112If set to 1, ICMP redirects may be sent by the host. 1113This option is ignored unless the host is routing IP packets, 1114and should normally be enabled on all systems. 1115.It Li ip.subnetsarelocal 1116If set to 1, subnets are to be considered local addresses. 1117.It Li ip.ttl 1118The maximum time-to-live (hop count) value for an IP packet sourced by 1119the system. 1120This value applies to normal transport protocols, not to ICMP. 1121.It Li icmp.errppslimit 1122The variable specifies the maximum number of outgoing ICMP error messages, 1123per second. 1124ICMP error messages that exceeded the value are subject to rate limitation 1125and will not go out from the node. 1126Negative value disables rate limitation. 1127.It Li icmp.maskrepl 1128If set to 1, ICMP network mask requests are to be answered. 1129.It Li icmp.rediraccept 1130If set to non-zero, the host will accept ICMP redirect packets. 1131Note that routers will never accept ICMP redirect packets, 1132and the variable is meaningful on IP hosts only. 1133.It Li icmp.redirtimeout 1134The variable specifies lifetime of routing entries generated by incoming 1135ICMP redirect. 1136This defaults to 600 seconds. 1137.It Li icmp.returndatabytes 1138Number of bytes to return in an ICMP error message. 1139.It Li tcp.ack_on_push 1140If set to 1, TCP is to immediately transmit an ACK upon reception of 1141a packet with PUSH set. 1142This can avoid losing a round trip time in some rare situations, 1143but has the caveat of potentially defeating TCP's delayed ACK algorithm. 1144Use of this option is generally not recommended, but 1145the variable exists in case your configuration really needs it. 
1146.It Li tcp.compat_42 1147If set to 1, enables work-arounds for bugs in the 4.2BSD TCP implementation. 1148Use of this option is not recommended, although it may be 1149required in order to communicate with extremely old TCP implementations. 1150.It Li tcp.cwm 1151If set to 1, enables use of the Hughes/Touch/Heidemann Congestion Window 1152Monitoring algorithm. 1153This algorithm prevents line-rate bursts of packets that could 1154otherwise occur when data begins flowing on an idle TCP connection. 1155These line-rate bursts can contribute to network and router congestion. 1156This can be particularly useful on World Wide Web servers 1157which support HTTP/1.1, which has lingering connections. 1158.It Li tcp.cwm_burstsize 1159The Congestion Window Monitoring allowed burst size, in terms 1160of packet count. 1161.It Li tcp.delack_ticks 1162Number of ticks to delay sending an ACK. 1163.It Li tcp.do_loopback_cksum 1164Perform TCP checksum on loopback. 1165.It Li tcp.init_win 1166A value indicating the TCP initial congestion window. 1167If this value is 0, an auto-tuning algorithm designed to use an initial 1168window of approximately 4K bytes is in use. 1169Otherwise, this value indicates a fixed number of packets. 1170.It Li tcp.init_win_local 1171Like 1172.Li tcp.init_win , 1173but used when communicating with hosts on a local network. 1174.It Li tcp.keepcnt 1175Number of keepalive probes sent before declaring a connection dead. 1176If set to zero, there is no limit; 1177keepalives will be sent until some kind of 1178response is received from the peer. 1179.It Li tcp.keepidle 1180Time a connection must be idle before keepalives are sent (if keepalives 1181are enabled for the connection). 1182See also tcp.slowhz. 1183.It Li tcp.keepintvl 1184Time after a keepalive probe is sent until, in the absence of any response, 1185another probe is sent. 1186See also tcp.slowhz. 1187.It Li tcp.log_refused 1188If set to 1, refused TCP connections to the host will be logged. 
1189.It Li tcp.keepinit 1190Timeout in seconds during connection establishment. 1191.It Li tcp.mss_ifmtu 1192If set to 1, TCP calculates the outgoing maximum segment size based on 1193the MTU of the appropriate interface. 1194If set to 0, it is calculated based on the greater of the MTU of the 1195interface, and the largest (non-loopback) interface MTU on the system. 1196.It Li tcp.mssdflt 1197The default maximum segment size both advertised to the peer 1198and to use when either the peer does not advertise a maximum segment size to 1199us during connection setup or Path MTU Discovery 1200.Li ( ip.mtudisc ) 1201is disabled. 1202Do not change this value unless you really know what you are doing. 1203.It Li tcp.recvspace 1204The default TCP receive buffer size. 1205.It Li tcp.rfc1323 1206If set to 1, enables RFC 1323 extensions to TCP. 1207.It Li tcp.rstppslimit 1208The variable specifies the maximum number of outgoing TCP RST packets, 1209per second. 1210TCP RST packets that exceed the value are subject to rate limitation 1211and will not go out from the node. 1212Negative value disables rate limitation. 1213.It Li tcp.ident 1214Return the user ID of a connected socket pair. 1215(RFC1413 Identification Protocol lookups.) 1216.It Li tcp.drop 1217Drop a TCP socket pair connection. 1218.It Li tcp.sack.enable 1219If set to 1, enables RFC 2018 Selective ACKnowledgement. 1220.It Li tcp.sack.globalholes 1221Global number of TCP SACK holes. 1222.It Li tcp.sack.globalmaxholes 1223Global maximum number of TCP SACK holes. 1224.It Li tcp.sack.maxholes 1225Maximum number of TCP SACK holes allowed per connection. 1226.It Li tcp.ecn.enable 1227If set to 1, enables RFC 3168 Explicit Congestion Notification. 1228.It Li tcp.ecn.maxretries 1229Number of times to retry sending the ECN-setup packet. 1230.It Li tcp.sendspace 1231The default TCP send buffer size. 
1232.It Li tcp.slowhz 1233The units for tcp.keepidle and tcp.keepintvl; those variables are in ticks 1234of a clock that ticks tcp.slowhz times per second. 1235(That is, their values 1236must be divided by the tcp.slowhz value to get times in seconds.) 1237.It Li tcp.syn_bucket_limit 1238The maximum number of entries allowed per hash bucket in the TCP 1239compressed state engine. 1240.It Li tcp.syn_cache_limit 1241The maximum number of entries allowed in the TCP compressed state 1242engine. 1243.It Li tcp.timestamps 1244If rfc1323 is enabled, a value of 1 indicates RFC 1323 time stamp options, 1245used for measuring TCP round trip times, are enabled. 1246.It Li tcp.win_scale 1247If rfc1323 is enabled, a value of 1 indicates RFC 1323 window scale options, 1248for increasing the TCP window size, are enabled. 1249.It Li tcp.congctl.available 1250The available TCP congestion control algorithms. 1251.It Li tcp.congctl.selected 1252The currently selected TCP congestion control algorithm. 1253.It Li tcp.abc.enable 1254If set to 1, use RFC 3465 Appropriate Byte Counting (ABC). 1255If set to 0, use traditional Packet Counting. 1256.It Li tcp.abc.aggressive 1257Choose the L parameter found in RFC 3465. 1258L is the maximum cwnd increase for an ack during slow start. 1259If set to 1, use L=2*SMSS. 1260If set to 0, use L=1*SMSS. 1261It has no effect unless tcp.abc.enable is set to 1. 1262.It Li udp.checksum 1263If set to 1, UDP checksums are being computed. 1264Received non-zero UDP checksums are always checked. 1265Disabling UDP checksums is strongly discouraged. 1266.It Li udp.sendspace 1267The default UDP send buffer size. 1268.It Li udp.recvspace 1269The default UDP receive buffer size. 1270.El 1271.Pp 1272For variables net.*.ipsec, please refer to 1273.Xr ipsec 4 . 1274.It Li net.inet6 ( PF_INET6 ) 1275Get or set various global information about the IPv6 1276.Pq Internet Protocol version 6 . 1277The third level name is the protocol. 
1278The fourth level name is the variable name. 1279The currently defined protocols and names are: 1280.Bl -column "Protocol name" "Variable nameXX" "integer" "yes" -offset indent 1281.It Sy Protocol name Variable name Type Changeable 1282.It icmp6 errppslimit integer yes 1283.It icmp6 mtudisc_hiwat integer yes 1284.It icmp6 mtudisc_lowat integer yes 1285.It icmp6 nd6_debug integer yes 1286.It icmp6 nd6_delay integer yes 1287.It icmp6 nd6_maxnudhint integer yes 1288.It icmp6 nd6_mmaxtries integer yes 1289.It icmp6 nd6_prune integer yes 1290.It icmp6 nd6_umaxtries integer yes 1291.It icmp6 nd6_useloopback integer yes 1292.It icmp6 nodeinfo integer yes 1293.It icmp6 rediraccept integer yes 1294.It icmp6 redirtimeout integer yes 1295.It ip6 accept_rtadv integer yes 1296.It ip6 anonportmax integer yes 1297.It ip6 anonportmin integer yes 1298.It ip6 auto_flowlabel integer yes 1299.It ip6 dad_count integer yes 1300.It ip6 defmcasthlim integer yes 1301.It ip6 forwarding integer yes 1302.It ip6 gifhlim integer yes 1303.It ip6 hashsize integer yes 1304.It ip6 hlim integer yes 1305.It ip6 hdrnestlimit integer yes 1306.It ip6 kame_version string no 1307.It ip6 keepfaith integer yes 1308.It ip6 log_interval integer yes 1309.It ip6 lowportmax integer yes 1310.It ip6 lowportmin integer yes 1311.It ip6 maxflows integer yes 1312.It ip6 maxfragpackets integer yes 1313.It ip6 maxfrags integer yes 1314.It ip6 redirect integer yes 1315.It ip6 rr_prune integer yes 1316.It ip6 use_deprecated integer yes 1317.It ip6 v6only integer yes 1318.It udp6 do_loopback_cksum integer yes 1319.It udp6 recvspace integer yes 1320.It udp6 sendspace integer yes 1321.El 1322.Pp 1323The variables are as follows: 1324.Bl -tag -width "123456" 1325.It Li ip6.accept_rtadv 1326If set to non-zero, the node will accept ICMPv6 router advertisement packets 1327and autoconfigures address prefixes and default routers. 1328The node must be a host 1329.Pq not a router 1330for the option to be meaningful. 
1331.It Li ip6.anonportmax 1332The highest port number to use for TCP and UDP ephemeral port allocation. 1333This cannot be set to less than 1024 or greater than 65535, and must 1334be greater than 1335.Li ip6.anonportmin . 1336.It Li ip6.anonportmin 1337The lowest port number to use for TCP and UDP ephemeral port allocation. 1338This cannot be set to less than 1024 or greater than 65535. 1339.It Li ip6.auto_flowlabel 1340On connected transport protocol packets, 1341fill IPv6 flowlabel field to help intermediate routers to identify packet flows. 1342.It Li ip6.dad_count 1343The variable configures number of IPv6 DAD 1344.Pq duplicated address detection 1345probe packets. 1346The packets will be generated when IPv6 interface addresses are configured. 1347.It Li ip6.defmcasthlim 1348The default hop limit value for an IPv6 multicast packet sourced by the node. 1349This value applies to all the transport protocols on top of IPv6. 1350There are APIs to override the value, as documented in 1351.Xr ip6 4 . 1352.It Li ip6.forwarding 1353If set to 1, enables IPv6 forwarding for the node, 1354meaning that the node is acting as a router. 1355If set to 0, disables IPv6 forwarding for the node, 1356meaning that the node is acting as a host. 1357IPv6 specification defines node behavior for 1358.Dq router 1359case and 1360.Dq host 1361case quite differently, and changing this variable during operation 1362may cause serious trouble. 1363It is recommended to configure the variable at bootstrap time, 1364and bootstrap time only. 1365.It Li ip6.gifhlim 1366The maximum hop limit value for an IPv6 packet generated by 1367.Xr gif 4 1368tunnel interface. 1369.It Li ip6.hdrnestlimit 1370The number of IPv6 extension headers permitted on incoming IPv6 packets. 1371If set to 0, the node will accept as many extension headers as possible. 1372.It Li ip6.hashsize 1373The size of IPv6 Fast Forward hash table. 1374This value must be a power of 2 (64, 256...). 
1375A larger hash table size results in fewer collisions. 1376Also see 1377.Li ip6.maxflows . 1378.It Li ip6.hlim 1379The default hop limit value for an IPv6 unicast packet sourced by the node. 1380This value applies to all the transport protocols on top of IPv6. 1381There are APIs to override the value, as documented in 1382.Xr ip6 4 . 1383.It Li ip6.kame_version 1384The string identifies the version of KAME IPv6 stack implemented in the kernel. 1385.It Li ip6.keepfaith 1386If set to non-zero, it enables 1387.Dq FAITH 1388TCP relay IPv6-to-IPv4 translator code in the kernel. 1389Refer to 1390.Xr faith 4 1391and 1392.Xr faithd 8 1393for details. 1394.It Li ip6.log_interval 1395The variable controls amount of logs generated by IPv6 packet 1396forwarding engine, by setting interval between log output 1397.Pq in seconds . 1398.It Li ip6.lowportmax 1399The highest port number to use for TCP and UDP reserved port allocation. 1400This cannot be set to less than 0 or greater than 1024, and must 1401be greater than 1402.Li ip6.lowportmin . 1403.It Li ip6.lowportmin 1404The lowest port number to use for TCP and UDP reserved port allocation. 1405This cannot be set to less than 0 or greater than 1024, and must 1406be smaller than 1407.Li ip6.lowportmax . 1408.It Li ip6.maxflows 1409IPv6 Fast Forwarding is enabled by default. 1410If set to 0, IPv6 Fast Forwarding is disabled. 1411.Li ip6.maxflows 1412controls the maximum amount of flows which can be created. 1413The default value is 256. 1414.It Li ip6.maxfragpackets 1415The maximum number of fragmented packets the node will accept. 14160 means that the node will not accept any fragmented packets. 1417\-1 means that the node will accept as many fragmented packets as it receives. 1418The flag is provided basically for avoiding possible DoS attacks. 1419.It Li ip6.maxfrags 1420The maximum number of fragments the node will accept. 14210 means that the node will not accept any fragments. 
1422\-1 means that the node will accept as many fragments as it receives. 1423The flag is provided basically for avoiding possible DoS attacks. 1424.It Li ip6.redirect 1425If set to 1, ICMPv6 redirects may be sent by the node. 1426This option is ignored unless the node is routing IP packets, 1427and should normally be enabled on all systems. 1428.It Li ip6.rr_prune 1429The variable specifies interval between IPv6 router renumbering prefix 1430babysitting, in seconds. 1431.It Li ip6.use_deprecated 1432The variable controls use of deprecated address, specified in RFC 2462 5.5.4. 1433.It Li ip6.v6only 1434The variable specifies initial value for 1435.Dv IPV6_V6ONLY 1436socket option for 1437.Dv AF_INET6 1438socket. 1439Please refer to 1440.Xr ip6 4 1441for detail. 1442.It Li icmp6.errppslimit 1443The variable specifies the maximum number of outgoing ICMPv6 error messages, 1444per second. 1445ICMPv6 error messages that exceeded the value are subject to rate limitation 1446and will not go out from the node. 1447Negative value disables rate limitation. 1448.It Li icmp6.mtudisc_hiwat 1449.It Li icmp6.mtudisc_lowat 1450The variables define the maximum number of routing table entries, 1451created due to path MTU discovery 1452.Pq prevents denial-of-service attacks with ICMPv6 too big messages . 1453When IPv6 path MTU discovery happens, we keep path MTU information into 1454the routing table. 1455If the number of routing table entries exceed the value, 1456the kernel will not attempt to keep the path MTU information. 1457.Li icmp6.mtudisc_hiwat 1458is used when we have verified ICMPv6 too big messages. 1459.Li icmp6.mtudisc_lowat 1460is used when we have unverified ICMPv6 too big messages. 1461Verification is performed by using address/port pairs kept in connected pcbs. 1462Negative value disables the upper limit. 1463.It Li icmp6.nd6_debug 1464If set to non-zero, kernel IPv6 neighbor discovery code will generate 1465debugging messages. 
1466The debug outputs are useful to diagnose IPv6 interoperability issues. 1467The flag must be set to 0 for normal operation. 1468.It Li icmp6.nd6_delay 1469The variable specifies 1470.Dv DELAY_FIRST_PROBE_TIME 1471timing constant in IPv6 neighbor discovery specification 1472.Pq RFC 2461 , 1473in seconds. 1474.It Li icmp6.nd6_maxnudhint 1475IPv6 neighbor discovery permits upper layer protocols to supply reachability 1476hints, to avoid unnecessary neighbor discovery exchanges. 1477The variable defines the number of consecutive hints the neighbor discovery 1478layer will take. 1479For example, by setting the variable to 3, neighbor discovery layer 1480will take 3 consecutive hints in maximum. 1481After receiving 3 hints, neighbor discovery layer will perform 1482normal neighbor discovery process. 1483.It Li icmp6.nd6_mmaxtries 1484The variable specifies 1485.Dv MAX_MULTICAST_SOLICIT 1486constant in IPv6 neighbor discovery specification 1487.Pq RFC 2461 . 1488.It Li icmp6.nd6_prune 1489The variable specifies interval between IPv6 neighbor cache babysitting, 1490in seconds. 1491.It Li icmp6.nd6_umaxtries 1492The variable specifies 1493.Dv MAX_UNICAST_SOLICIT 1494constant in IPv6 neighbor discovery specification 1495.Pq RFC 2461 . 1496.It Li icmp6.nd6_useloopback 1497If set to non-zero, kernel IPv6 stack will use loopback interface for 1498local traffic. 1499.It Li icmp6.nodeinfo 1500The variable enables responses to ICMPv6 node information queries. 1501If you set the variable to 0, responses will not be generated for 1502ICMPv6 node information queries. 1503Since node information queries can have a security impact, it is 1504possible to fine tune which responses should be answered. 1505Two separate bits can be set. 1506.Bl -tag -width "12345" 1507.It 1 1508Respond to ICMPv6 FQDN queries, e.g. 1509.Li ping6 -w . 1510.It 2 1511Respond to ICMPv6 node addresses queries, e.g. 1512.Li ping6 -a . 
1513.El 1514.It Li icmp6.rediraccept 1515If set to non-zero, the host will accept ICMPv6 redirect packets. 1516Note that IPv6 routers will never accept ICMPv6 redirect packets, 1517and the variable is meaningful on IPv6 hosts 1518.Pq non-router 1519only. 1520.It Li icmp6.redirtimeout 1521The variable specifies lifetime of routing entries generated by incoming 1522ICMPv6 redirect. 1523.It Li udp6.do_loopback_cksum 1524Perform UDP checksum on loopback. 1525.It Li udp6.recvspace 1526Default UDP receive buffer size. 1527.It Li udp6.sendspace 1528Default UDP send buffer size. 1529.El 1530.Pp 1531We reuse net.*.tcp for 1532.Tn TCP 1533over 1534.Tn IPv6 , 1535and therefore we do not have variables net.*.tcp6. 1536Variables net.inet6.udp6 have identical meaning to net.inet.udp. 1537Please refer to 1538.Li PF_INET 1539section above. 1540For variables net.*.ipsec6, please refer to 1541.Xr ipsec 4 . 1542.It Li net.key ( PF_KEY ) 1543Get or set various global information about the IPsec key management. 1544The third level name is the variable name. 1545The currently defined variable and names are: 1546.Bl -column "blockacq_lifetime" "integer" "yes" -offset indent 1547.It Sy Variable name Type Changeable 1548.It debug integer yes 1549.It spi_try integer yes 1550.It spi_min_value integer yes 1551.It spi_max_value integer yes 1552.It larval_lifetime integer yes 1553.It blockacq_count integer yes 1554.It blockacq_lifetime integer yes 1555.It esp_keymin integer yes 1556.It esp_auth integer yes 1557.It ah_keymin integer yes 1558.El 1559The variables are as follows: 1560.Bl -tag -width "123456" 1561.It Li debug 1562Turn on debugging messages from within the kernel. 1563The value is a bitmap, as defined in 1564.Pa /usr/include/netkey/key_debug.h . 1565.It Li spi_try 1566The number of times the kernel will try to obtain a unique SPI 1567when it generates it from the random number generator. 1568.It Li spi_min_value 1569Minimum SPI value when generating it within the kernel. 
1570.It Li spi_max_value 1571Maximum SPI value when generating it within the kernel. 1572.It Li larval_lifetime 1573Lifetime for LARVAL SAD entries, in seconds. 1574.It Li blockacq_count 1575Number of ACQUIRE PF_KEY messages to be blocked after an ACQUIRE message. 1576It prevents a flood of ACQUIRE PF_KEY messages from being sent from the kernel to the 1577key management daemon. 1578.It Li blockacq_lifetime 1579Lifetime of ACQUIRE PF_KEY message. 1580.It Li esp_keymin 1581Minimum ESP key length, in bits. 1582The value is used when the kernel creates proposal payload 1583on ACQUIRE PF_KEY message. 1584.It Li esp_auth 1585Whether ESP authentication should be used or not. 1586Non-zero value indicates that ESP authentication should be used. 1587The value is used when the kernel creates proposal payload 1588on ACQUIRE PF_KEY message. 1589.It Li ah_keymin 1590Minimum AH key length, in bits. 1591The value is used when the kernel creates proposal payload 1592on ACQUIRE PF_KEY message. 1593.El 1594.El 1595.Sh The proc.* subtree 1596The string and integer information available for the 1597.Li proc 1598level is detailed below. 1599The changeable column shows whether a process with appropriate 1600privilege may change the value. 1601These values are per-process, 1602and as such may change from one process to another. 1603When a process is created, 1604the default values are inherited from its parent. 1605When a set-user-ID or set-group-ID binary is executed, the 1606value of PROC_PID_CORENAME is reset to the system default value. 1607The second level name is either the magic value PROC_CURPROC, which 1608points to the current process, or the PID of the target process. 
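The range, power-of-two, rate-limit and fragment-limit rules stated in the net.inet and net.inet6 descriptions earlier on this page can be checked mechanically before an /etc/sysctl.conf is deployed. The linter below is an added example, not part of the NetBSD manual or source; its function names and the sample file are constructed, and it assumes integer name=value lines and checks only variables the file itself sets (it does not know the running kernel's defaults).

```python
"""Lint sysctl.conf-style text against rules stated in sysctl(7). Added example."""

# Allowed (lowest, highest) values from the anonport*/lowport* descriptions.
PORT_RANGES = {"anonport": (1024, 65535), "lowport": (0, 1024)}
HASH_SIZES = ("net.inet.ip.hashsize", "net.inet6.ip6.hashsize")
# A negative value disables rate limitation for these variables.
RATE_LIMITS = ("net.inet.icmp.errppslimit", "net.inet.tcp.rstppslimit",
               "net.inet6.icmp6.errppslimit")
# -1 means "accept as many as received" for these variables.
FRAG_LIMITS = ("net.inet.ip.maxfragpackets", "net.inet6.ip6.maxfragpackets",
               "net.inet6.ip6.maxfrags")
# The two bits documented for icmp6.nodeinfo.
NODEINFO_BITS = {1: "FQDN queries", 2: "node addresses queries"}

# Constructed sample file, not taken from any real host.
SAMPLE_CONF = """\
# constructed sample /etc/sysctl.conf
net.inet.ip.anonportmin=49152
net.inet.ip.anonportmax=1023      # below the allowed range and below the minimum
net.inet.ip.hashsize=100
net.inet.ip.maxfragpackets=-1
net.inet.icmp.errppslimit=100
net.inet.tcp.rstppslimit=-1
net.inet.udp.checksum=0
net.inet6.ip6.forwarding=1
net.inet6.ip6.accept_rtadv=1
net.inet6.icmp6.nodeinfo=3
net.inet.tcp.congctl.selected=newreno   # string value, skipped by the integer checks
"""


def parse_conf(text):
    """Return {name: int} for name=value lines; '#' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        try:
            settings[name] = int(value)  # a later assignment overrides an earlier one
        except ValueError:
            continue  # string-typed variables are outside this linter's scope
    return settings


def decode_nodeinfo(value):
    """List the query types a given icmp6.nodeinfo value answers."""
    return [what for bit, what in NODEINFO_BITS.items() if value & bit]


def lint(text):
    """Return a list of (variable, message) findings for one sysctl.conf text."""
    vals = parse_conf(text)
    findings = []
    for base in ("net.inet.ip.", "net.inet6.ip6."):
        for kind, (lo, hi) in PORT_RANGES.items():
            names = (base + kind + "min", base + kind + "max")
            pmin, pmax = (vals.get(n) for n in names)
            for name, value in zip(names, (pmin, pmax)):
                if value is not None and not lo <= value <= hi:
                    findings.append((name, f"{value} is outside {lo}..{hi}"))
            # Only comparable when the file sets both ends of the range.
            if pmin is not None and pmax is not None and pmax <= pmin:
                findings.append(
                    (names[1], f"{pmax} must be greater than {names[0]}={pmin}"))
    for name in HASH_SIZES:
        value = vals.get(name)
        if value is not None and (value <= 0 or value & (value - 1)):
            findings.append((name, f"{value} is not a power of 2"))
    for name in RATE_LIMITS:
        if vals.get(name, 0) < 0:
            findings.append((name, "negative value disables rate limitation"))
    for name in FRAG_LIMITS:
        if vals.get(name) == -1:
            findings.append((name, "-1 removes the limit provided against DoS"))
    if vals.get("net.inet.udp.checksum") == 0:
        findings.append(("net.inet.udp.checksum",
                         "disabling UDP checksums is strongly discouraged"))
    if vals.get("net.inet6.ip6.forwarding") and vals.get("net.inet6.ip6.accept_rtadv"):
        findings.append(("net.inet6.ip6.accept_rtadv",
                         "only meaningful on a host, but ip6.forwarding makes this a router"))
    answers = decode_nodeinfo(vals.get("net.inet6.icmp6.nodeinfo", 0))
    if answers:
        findings.append(("net.inet6.icmp6.nodeinfo",
                         "responds to ICMPv6 " + " and ".join(answers)))
    return findings


if __name__ == "__main__":
    for name, message in lint(SAMPLE_CONF):
        print(f"{name}: {message}")
```
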
1609.Bl -column "USER_COLL_WEIGHTS_MAXXXX" "integerXXX" "yes" -offset indent 1610.It Sy Third level name Type Changeable 1611.It proc.pid.corename string yes 1612.It proc.pid.rlimit node not applicable 1613.It proc.pid.stopfork int yes 1614.It proc.pid.stopexec int yes 1615.It proc.pid.stopexit int yes 1616.El 1617.Bl -tag -width "123456" 1618.Pp 1619.It Li proc.pid.corename ( PROC_PID_CORENAME ) 1620The template used for the core dump file name (see 1621.Xr core 5 1622for details). 1623The base name must either be 1624.Nm core 1625or end with the suffix ``.core'' (the super-user may set arbitrary names). 1626By default it points to KERN_DEFCORENAME. 1627.It Li proc.pid.rlimit ( PROC_PID_LIMIT ) 1628Return resources limits, as defined for the 1629.Xr getrlimit 2 1630and 1631.Xr setrlimit 2 1632system calls. 1633The fourth level name is one of: 1634.Bl -tag -width PROC_PID_LIMIT_MEMLOCKAA 1635.It Li proc.pid.rlimit.cputime ( PROC_PID_LIMIT_CPU ) 1636The maximum amount of CPU time (in seconds) to be used by each process. 1637.It Li proc.pid.rlimit.filesize ( PROC_PID_LIMIT_FSIZE ) 1638The largest size (in bytes) file that may be created. 1639.It Li proc.pid.rlimit.datasize ( PROC_PID_LIMIT_DATA ) 1640The maximum size (in bytes) of the data segment for a process; 1641this defines how far a program may extend its break with the 1642.Xr sbrk 2 1643system call. 1644.It Li proc.pid.rlimit.stacksize ( PROC_PID_LIMIT_STACK ) 1645The maximum size (in bytes) of the stack segment for a process; 1646this defines how far a program's stack segment may be extended. 1647Stack extension is performed automatically by the system. 1648.It Li proc.pid.rlimit.coredumpsize ( PROC_PID_LIMIT_CORE ) 1649The largest size (in bytes) 1650.Pa core 1651file that may be created. 1652.It Li proc.pid.rlimit.memoryuse ( PROC_PID_LIMIT_RSS ) 1653The maximum size (in bytes) to which a process's resident set size may 1654grow. 
This imposes a limit on the amount of physical memory to be given to
a process; if memory is tight, the system will prefer to take memory
from processes that are exceeding their declared resident set size.
.It Li proc.pid.rlimit.memorylocked ( PROC_PID_LIMIT_MEMLOCK )
The maximum size (in bytes) which a process may lock into memory
using the
.Xr mlock 2
function.
.It Li proc.pid.rlimit.maxproc ( PROC_PID_LIMIT_NPROC )
The maximum number of simultaneous processes for this user id.
.It Li proc.pid.rlimit.descriptors ( PROC_PID_LIMIT_NOFILE )
The maximum number of open files for this process.
.\" XXX proc.pid.rlimit.sbsize
.El
.Pp
The fifth level name is one of
.Li soft ( PROC_PID_LIMIT_TYPE_SOFT ) or
.Li hard ( PROC_PID_LIMIT_TYPE_HARD ) ,
to select respectively the soft or hard limit.
Both are of type integer.
.It Li proc.pid.stopfork ( PROC_PID_STOPFORK )
If non-zero, the process's children will be stopped after
.Xr fork 2
calls.
Each child is created in the SSTOP state and is never scheduled
for running before being stopped.
This feature helps attaching a debugger such as
.Xr gdb 1
to a process before it has had the opportunity to actually do anything.
.Pp
This value is inherited by the process's children, and it also
applies to emulation-specific system calls that fork a new process, such as
.Fn sproc
or
.Fn clone .
.It Li proc.pid.stopexec ( PROC_PID_STOPEXEC )
If non-zero, the process will be stopped on the next
.Xr exec 3
call.
The process created by
.Xr exec 3
is created in the SSTOP state and is never scheduled for running
before being stopped.
This feature helps attaching a debugger such as
.Xr gdb 1
to a process before it has had the opportunity to actually do anything.
.Pp
This value is inherited by the process's children.
.It Li proc.pid.stopexit ( PROC_PID_STOPEXIT )
If non-zero, the process will be stopped when it has cause to exit,
either by way of calling
.Xr exit 3 ,
.Xr _exit 2 ,
or by the receipt of a specific signal.
The process is stopped before any of its resources or vm space is
released, allowing examination of the termination state of a process
before it disappears.
This feature can be used to examine the final conditions of the
process's vmspace via
.Xr pmap 1
or its resource settings with
.Xr sysctl 8
before it disappears.
.Pp
This value is also inherited by the process's children.
.El
.Sh The user.* subtree ( CTL_USER )
The string and integer information available for the
.Li user
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "USER_COLL_WEIGHTS_MAXXXX" "integerXXX" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It user.atexit_max Ta integer Ta no
.It user.bc_base_max Ta integer Ta no
.It user.bc_dim_max Ta integer Ta no
.It user.bc_scale_max Ta integer Ta no
.It user.bc_string_max Ta integer Ta no
.It user.coll_weights_max Ta integer Ta no
.It user.cs_path Ta string Ta no
.It user.expr_nest_max Ta integer Ta no
.It user.line_max Ta integer Ta no
.It user.posix2_c_bind Ta integer Ta no
.It user.posix2_c_dev Ta integer Ta no
.It user.posix2_char_term Ta integer Ta no
.It user.posix2_fort_dev Ta integer Ta no
.It user.posix2_fort_run Ta integer Ta no
.It user.posix2_localedef Ta integer Ta no
.It user.posix2_sw_dev Ta integer Ta no
.It user.posix2_upe Ta integer Ta no
.It user.posix2_version Ta integer Ta no
.It user.re_dup_max Ta integer Ta no
.It user.stream_max Ta integer Ta no
.It user.tzname_max Ta integer Ta no
.El
.Bl -tag -width "123456"
.Pp
.It Li user.atexit_max ( USER_ATEXIT_MAX )
The maximum number of functions that may be registered with
.Xr atexit 3 .
.It Li user.bc_base_max ( USER_BC_BASE_MAX )
The maximum ibase/obase values in the
.Xr bc 1
utility.
.It Li user.bc_dim_max ( USER_BC_DIM_MAX )
The maximum array size in the
.Xr bc 1
utility.
.It Li user.bc_scale_max ( USER_BC_SCALE_MAX )
The maximum scale value in the
.Xr bc 1
utility.
.It Li user.bc_string_max ( USER_BC_STRING_MAX )
The maximum string length in the
.Xr bc 1
utility.
.It Li user.coll_weights_max ( USER_COLL_WEIGHTS_MAX )
The maximum number of weights that can be assigned to any entry of
the LC_COLLATE order keyword in the locale definition file.
.It Li user.cs_path ( USER_CS_PATH )
Return a value for the
.Ev PATH
environment variable that finds all the standard utilities.
.It Li user.expr_nest_max ( USER_EXPR_NEST_MAX )
The maximum number of expressions that can be nested within
parentheses by the
.Xr expr 1
utility.
.It Li user.line_max ( USER_LINE_MAX )
The maximum length in bytes of a text-processing utility's input
line.
.It Li user.posix2_char_term ( USER_POSIX2_CHAR_TERM )
Return 1 if the system supports at least one terminal type capable of
all operations described in POSIX 1003.2, otherwise 0.
.It Li user.posix2_c_bind ( USER_POSIX2_C_BIND )
Return 1 if the system's C-language development facilities support the
C-Language Bindings Option, otherwise 0.
.It Li user.posix2_c_dev ( USER_POSIX2_C_DEV )
Return 1 if the system supports the C-Language Development Utilities Option,
otherwise 0.
.It Li user.posix2_fort_dev ( USER_POSIX2_FORT_DEV )
Return 1 if the system supports the FORTRAN Development Utilities Option,
otherwise 0.
.It Li user.posix2_fort_run ( USER_POSIX2_FORT_RUN )
Return 1 if the system supports the FORTRAN Runtime Utilities Option,
otherwise 0.
.It Li user.posix2_localedef ( USER_POSIX2_LOCALEDEF )
Return 1 if the system supports the creation of locales, otherwise 0.
.It Li user.posix2_sw_dev ( USER_POSIX2_SW_DEV )
Return 1 if the system supports the Software Development Utilities Option,
otherwise 0.
.It Li user.posix2_upe ( USER_POSIX2_UPE )
Return 1 if the system supports the User Portability Utilities Option,
otherwise 0.
.It Li user.posix2_version ( USER_POSIX2_VERSION )
The version of POSIX 1003.2 with which the system attempts to comply.
.It Li user.re_dup_max ( USER_RE_DUP_MAX )
The maximum number of repeated occurrences of a regular expression
permitted when using interval notation.
.ne 1i
.It Li user.stream_max ( USER_STREAM_MAX )
The minimum maximum number of streams that a process may have open
at any one time.
.It Li user.tzname_max ( USER_TZNAME_MAX )
The minimum maximum number of types supported for the name of a
timezone.
.El
.Sh The vm.* subtree ( CTL_VM )
The string and integer information available for the
.Li vm
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "Second level nameXXXXXX" "struct uvmexp_sysctlXXX" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It vm.anonmax Ta int Ta yes
.It vm.anonmin Ta int Ta yes
.It vm.bufcache Ta int Ta yes
.It vm.bufmem Ta int Ta no
.It vm.bufmem_hiwater Ta int Ta yes
.It vm.bufmem_lowater Ta int Ta yes
.It vm.execmax Ta int Ta yes
.It vm.execmin Ta int Ta yes
.It vm.filemax Ta int Ta yes
.It vm.filemin Ta int Ta yes
.It vm.loadavg Ta struct loadavg Ta no
.It vm.maxslp Ta int Ta no
.It vm.nkmempages Ta int Ta no
.It vm.uspace Ta int Ta no
.It vm.uvmexp Ta struct uvmexp Ta no
.It vm.uvmexp2 Ta struct uvmexp_sysctl Ta no
.It vm.vmmeter Ta struct vmtotal Ta no
.El
.Pp
.Bl -tag -width "123456"
.It Li vm.anonmax ( VM_ANONMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store anonymous application data.
.It Li vm.anonmin ( VM_ANONMIN )
The percentage of physical memory which will always be available for
anonymous application data.
.It Li vm.bufcache ( VM_BUFCACHE )
The percentage of physical memory which will be available
for the buffer cache.
.It Li vm.bufmem ( VM_BUFMEM )
The amount of kernel memory that is being used by the buffer cache.
.It Li vm.bufmem_lowater ( VM_BUFMEM_LOWATER )
The minimum amount of kernel memory to reserve for the
buffer cache.
.It Li vm.bufmem_hiwater ( VM_BUFMEM_HIWATER )
The maximum amount of kernel memory to be used for the
buffer cache.
.It Li vm.execmax ( VM_EXECMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store cached executable data.
.It Li vm.execmin ( VM_EXECMIN )
The percentage of physical memory which will always be available for
cached executable data.
.It Li vm.filemax ( VM_FILEMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store cached file data.
.It Li vm.filemin ( VM_FILEMIN )
The percentage of physical memory which will always be available for
cached file data.
.It Li vm.loadavg ( VM_LOADAVG )
Return the load average history.
The returned data consists of a
.Va struct loadavg .
.It Li vm.maxslp ( VM_MAXSLP )
The value of the maxslp kernel global variable.
.It Li vm.vmmeter ( VM_METER )
Return system wide virtual memory statistics.
The returned data consists of a
.Va struct vmtotal .
.It Li vm.uspace ( VM_USPACE )
The number of bytes allocated for each kernel stack.
.It Li vm.uvmexp ( VM_UVMEXP )
Return system wide virtual memory statistics.
The returned data consists of a
.Va struct uvmexp .
.It Li vm.uvmexp2 ( VM_UVMEXP2 )
Return system wide virtual memory statistics.
The returned data consists of a
.Va struct uvmexp_sysctl .
.\" XXX vm.idlezero
.El
.Sh The ddb.* subtree ( CTL_DDB )
The integer information available for the
.Li ddb
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.\" XXX sort
.Bl -column "ddb.fromconsoleXXX" "integerXXX" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It ddb.radix Ta integer Ta yes
.It ddb.maxoff Ta integer Ta yes
.It ddb.lines Ta integer Ta yes
.It ddb.tabstops Ta integer Ta yes
.It ddb.onpanic Ta integer Ta yes
.It ddb.fromconsole Ta integer Ta yes
.El
.Pp
.Bl -tag -width "123456"
.It Li ddb.radix ( DBCTL_RADIX )
The input and output radix.
.It Li ddb.maxoff ( DBCTL_MAXOFF )
The maximum symbol offset.
.It Li ddb.lines ( DBCTL_LINES )
Number of display lines.
.It Li ddb.tabstops ( DBCTL_TABSTOPS )
Tab width.
.It Li ddb.onpanic ( DBCTL_ONPANIC )
If non-zero, DDB will be entered when the kernel panics.
.It Li ddb.fromconsole ( DBCTL_FROMCONSOLE )
If non-zero, DDB may be entered by sending a break on a serial
console or by a special key sequence on a graphics console.
.\" XXX tee_msgbuf maxwidth commandonenter
.El
.Pp
These MIB nodes are also available as variables from within the DDB.
See
.Xr ddb 4
for more details.
.Sh The security.* subtree ( CTL_SECURITY )
The
.Li security
level contains various security-related settings for
the system.
Available settings are detailed below.
.Pp
.Bl -tag -width "123456"
.It Li security.curtain
If non-zero, returned objects are filtered according to the user-id
requesting information about them, preventing users from any
access to objects they don't own.
.Pp
At the moment, it affects
.Xr ps 1 ,
.Xr netstat 1
(for
.Dv PF_INET ,
.Dv PF_INET6 ,
and
.Dv PF_UNIX
PCBs), and
.Xr w 1 .
.It Li security.models
.Nx
supports pluggable security models.
Every security model used, whether loaded as an LKM or built with the system,
is required to add an entry to this node with at least one element,
.Dq name ,
indicating the name of the security model.
.Pp
In addition to the name, any settings and other information private to the
security model will be available under this node.
See
.Xr secmodel 9
for more information.
.It Li security.pax
Settings for PaX -- exploit mitigation features.
For more information on any of the PaX features, please see
.Xr paxctl 8
and
.Xr security 8 .
.Pp
.Bl -tag -width "123456"
.It Li security.pax.mprotect.enable
Enable PaX MPROTECT restrictions.
.Pp
These are
.Xr mprotect 2
restrictions to better enforce a W^X policy.
The value of this
knob must be non-zero for PaX MPROTECT to be enabled, even if a
program has the explicit enable flag set.
.It Li security.pax.mprotect.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get the PaX MPROTECT restrictions,
except those exempted with
.Xr paxctl 8 .
Otherwise, no program will get the PaX MPROTECT restrictions,
except those specifically marked as such with
.Xr paxctl 8 .
.It Li security.pax.segvguard.enable
Enable PaX Segvguard.
.Pp
PaX Segvguard can detect and prevent certain exploitation attempts, where
an attacker may try for example to brute-force function return addresses
of respawning daemons.
.Pp
.Em Note :
The
.Nx
interface and implementation of the Segvguard is still experimental, and may
change in future releases.
.It Li security.pax.segvguard.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get the PaX Segvguard,
except those exempted with
.Xr paxctl 8 .
Otherwise, no program will get the PaX Segvguard restrictions,
except those specifically marked as such with
.Xr paxctl 8 .
.It Li security.pax.segvguard.expiry_timeout
If the max number was not reached within this timeout (in seconds), the entry
will expire.
.It Li security.pax.segvguard.suspend_timeout
Number of seconds to suspend a user from running a faulting program when the
limit was exceeded.
.It Li security.pax.segvguard.max_crashes
Max number of segfaults a program can receive before suspension.
.El
.El
.Sh The vendor.* subtree ( CTL_VENDOR )
The
.Li vendor
toplevel name is reserved to be used by vendors who wish to
have their own private MIB tree.
Intended use is to store values under
.Dq vendor.\*[Lt]yourname\*[Gt].* .
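.Sh EXAMPLES
The script below is an added example, not part of the original manual page or of the system it documents.
It reads a file in the
.Pa /etc/sysctl.conf
format and reports the effective PaX MPROTECT and Segvguard policy that results from combining the
.Li enable
and
.Li global
knobs described above, together with the state of
.Li security.curtain ,
.Li ddb.onpanic
and
.Li ddb.fromconsole .
The function names, the sample file and the baseline it checks against (PaX on for all programs, curtain on, both DDB entry knobs pinned to 0) are assumptions of this example.

```shell
# conf_value NAME FILE: print the last integer value assigned to NAME, if any.
conf_value() {
    awk -v want="$1" '{
        sub(/#.*/, "")                       # strip comments
        if ($0 !~ /=/) next
        name = $0; sub(/=.*/, "", name); gsub(/[ \t]/, "", name)
        val = $0; sub(/^[^=]*=/, "", val); gsub(/[ \t]/, "", val)
        sub(/\?$/, "", name)                 # accept the name?=value form
        if (name == want) last = val
    }
    END { if (last != "") print last }' "$2"
}

# is_on VALUE: true when VALUE is a non-zero integer.
is_on() {
    case "$1" in ''|*[!0-9-]*) return 1 ;; esac
    [ "$1" -ne 0 ] 2>/dev/null
}

# pax_policy FEATURE FILE: effective policy for "mprotect" or "segvguard".
pax_policy() {
    enable=$(conf_value "security.pax.$1.enable" "$2")
    global=$(conf_value "security.pax.$1.global" "$2")
    if [ -z "$enable" ] || [ -z "$global" ]; then
        echo "unpinned"              # the file leaves a knob at its default
    elif ! is_on "$enable"; then
        # .enable is the master switch; at 0 the .global default is moot
        if is_on "$global"; then echo "off-despite-global"; else echo "off"; fi
    elif is_on "$global"; then
        echo "default-on"            # all programs except paxctl exemptions
    else
        echo "opt-in"                # only programs marked with paxctl
    fi
}

# audit FILE: print one finding per line against the assumed baseline.
audit() {
    for f in mprotect segvguard; do
        p=$(pax_policy "$f" "$1")
        [ "$p" = "default-on" ] || echo "security.pax.$f: $p"
    done
    is_on "$(conf_value security.curtain "$1")" || echo "security.curtain: off"
    for k in ddb.onpanic ddb.fromconsole; do
        [ "$(conf_value "$k" "$1")" = "0" ] || echo "$k: not pinned to 0"
    done
}

# Constructed sample input, not taken from a real host.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
printf '%s\n' '# constructed sample' 'security.curtain=1' \
    'security.pax.mprotect.enable=1' 'security.pax.mprotect.global=0' \
    'security.pax.segvguard.enable=0' 'security.pax.segvguard.global=1' \
    'ddb.onpanic?=0' 'ddb.fromconsole=1' > "$SAMPLE"
audit "$SAMPLE"
```

A knob that is absent from the file is reported as unpinned, because the kernel default then applies and the script cannot see it.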
.Sh SEE ALSO
.Xr sysctl 3 ,
.Xr ipsec 4 ,
.Xr tcp 4 ,
.Xr security 8 ,
.Xr sysctl 8
.Sh HISTORY
The
.Nm
variables first appeared in
.Bx 4.4 .