.\" $NetBSD: sysctl.7,v 1.86 2014/11/13 16:10:21 christos Exp $
.\"
.\" Copyright (c) 1993
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95
.\"
.Dd November 13, 2014
.Dt SYSCTL 7
.Os
.Sh NAME
.Nm sysctl
.Nd system information variables
.Sh DESCRIPTION
The
.Xr sysctl 3
library function and the
.Xr sysctl 8
utility are used to get and set values of system variables maintained
by the kernel.
The variables are organized in a tree and identified by a sequence of
numbers, conventionally separated by dots with the topmost identifier
at the left side.
The numbers have corresponding text names.
The
.Xr sysctlnametomib 3
function or the
.Fl M
argument to the
.Xr sysctl 8
utility can be used to convert the text representation to the
numeric one.
.Pp
The individual sysctl variables are described below, both the textual
and numeric form where applicable.
The textual names can be used as arguments to the
.Xr sysctl 8
utility and in the file
.Pa /etc/sysctl.conf .
The numeric names are usually defined as preprocessor constants and
are intended for use by programs.
Every such constant expands to one integer, which identifies the
sysctl variable relative to the upper level of the tree.
See the
.Xr sysctl 3
manual page for programming examples.
.Ss Top level names
The top level names are defined with a
.Va CTL_
prefix in
.In sys/sysctl.h ,
and are as follows.
The next and subsequent levels down are found in the include files
listed here, and described in separate sections below.
.Bl -column "security" ".Dv CTL_SECURITY" ".In uvm/uvm_param.h" "High kernel limits"
.It Sy Name Ta Sy Constant Ta Sy Next level names Ta Sy Description
.It kern Ta Dv CTL_KERN Ta In sys/sysctl.h Ta High kernel limits
.It vm Ta Dv CTL_VM Ta In uvm/uvm_param.h Ta Virtual memory
.It vfs Ta Dv CTL_VFS Ta In sys/mount.h Ta Filesystem
.It net Ta Dv CTL_NET Ta In sys/socket.h Ta Networking
.It debug Ta Dv CTL_DEBUG Ta In sys/sysctl.h Ta Debugging
.It hw Ta Dv CTL_HW Ta In sys/sysctl.h Ta Generic CPU, I/O
.It machdep Ta Dv CTL_MACHDEP Ta In sys/sysctl.h Ta Machine dependent
.It user Ta Dv CTL_USER Ta In sys/sysctl.h Ta User-level
.It ddb Ta Dv CTL_DDB Ta In sys/sysctl.h Ta In-kernel debugger
.It proc Ta Dv CTL_PROC Ta In sys/sysctl.h Ta Per-process
.It vendor Ta Dv CTL_VENDOR Ta ? Ta Vendor specific
.It emul Ta Dv CTL_EMUL Ta In sys/sysctl.h Ta Emulation settings
.It security Ta Dv CTL_SECURITY Ta In sys/sysctl.h Ta Security settings
.El
.Ss The debug.* subtree
The debugging variables vary from system to system.
A debugging variable may be added or deleted without need to recompile
.Nm
to know about it.
Each time it runs,
.Nm
gets the list of debugging variables from the kernel and
displays their current values.
The system defines twenty
.Vt ( struct ctldebug )
variables named
.Dv debug0
through
.Dv debug19 .
They are declared as separate variables so that they can be
individually initialized at the location of their associated variable.
The loader prevents multiple use of the same variable by issuing errors
if a variable is initialized in more than one place.
For example, to export the variable
.Va dospecialcheck
as a debugging variable, the following declaration would be used:
.Pp
.Bd -literal -offset indent -compact
int dospecialcheck = 1;
struct ctldebug debug5 = { "dospecialcheck", \*[Am]dospecialcheck };
.Ed
.Pp
Note that the dynamic implementation of
.Nm
currently in use largely makes this particular
.Nm
interface obsolete.
See
.Xr sysctl 8
.\" and
.\" .Xr sysctl 9
for more information.
.Ss The vfs.* subtree
A distinguished second level name,
.Li vfs.generic ( VFS_GENERIC ) ,
is used to get general information about all file systems.
It has the following third level identifiers:
.Bl -tag -width "123456"
.It Li vfs.generic.maxtypenum ( VFS_MAXTYPENUM )
The highest valid file system type number.
.It Li vfs.generic.conf ( VFS_CONF )
Returns configuration information about the file system type given as a fourth
level identifier.
.It Li vfs.generic.usermount ( VFS_USERMOUNT )
Determines if non superuser mounts are allowed, defaults to
.Dv 0 .
.It Li vfs.generic.magiclinks ( VFS_MAGICLINKS )
Controls whether expansion of variables is performed on pathnames.
Defaults to no variable expansion,
.Dv 0 .
Variables are of the form
.Li @name
and the variables supported are described in
.Xr symlink 7
under
.Dq "MAGIC SYMLINKS" .
.El
.Pp
A second level name,
.Li vfs.wapbl ,
is used to control the
.Xr wapbl 4
(Write Ahead Physical Block Logging file system journalling)
capabilities.
It has the following third level identifiers:
.Bl -tag -width "123456"
.It Li vfs.wapbl.flush_disk_cache
Controls whether to attempt to flush the disk cache on each commit.
It defaults to 1 and it should always be on to ensure integrity
of file system metadata in the event of a power loss.
For slow disks, turning it off can improve performance.
.It Li vfs.wapbl.verbose_commit
For each transaction log commit, print the number of bytes written
and the time it took to commit as seconds.nanoseconds.
.El
.Pp
The remaining second level identifiers are the file system names, identified
by the type number returned by a
.Xr statvfs 2
call or from
.Li vfs.generic.conf .
.Pp
The third level identifiers available for each file system
are given in the header file that defines the mount
argument structure for that file system.
.Ss The hw.* subtree
The string and integer information available for the
.Li hw
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "hw.machine_arch" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It hw.alignbytes Ta integer Ta no
.It hw.byteorder Ta integer Ta no
.It hw.cnmagic Ta string Ta yes
.It hw.disknames Ta string Ta no
.It hw.diskstats Ta struct Ta no
.It hw.machine Ta string Ta no
.It hw.machine_arch Ta string Ta no
.It hw.model Ta string Ta no
.It hw.ncpu Ta integer Ta no
.It hw.ncpuonline Ta integer Ta no
.It hw.pagesize Ta integer Ta no
.It hw.physmem Ta integer Ta no
.It hw.physmem64 Ta quad Ta no
.It hw.usermem Ta integer Ta no
.It hw.usermem64 Ta quad Ta no
.El
.Pp
.Bl -tag -width "123456"
.It Li hw.alignbytes ( HW_ALIGNBYTES )
Alignment constraint for all possible data types.
This shows the value
.Dv ALIGNBYTES
in
.In machine/param.h ,
at the kernel compilation time.
.It Li hw.byteorder ( HW_BYTEORDER )
The byteorder (4321, or 1234).
.It Li hw.cnmagic ( HW_CNMAGIC )
The console magic key sequence.
.It Li hw.disknames ( HW_DISKNAMES )
The list of (space separated) disk device names on the system.
.It Li hw.iostatnames ( HW_IOSTATNAMES )
A space separated list of devices that will have I/O statistics
collected on them.
.It Li hw.iostats ( HW_IOSTATS )
Return statistical information on the NFS mounts, disk and tape
devices on the system.
An array of
.Vt struct io_sysctl
structures is returned,
whose size depends on the current number of such objects in the system.
The third level name is the size of the
.Vt struct io_sysctl .
The type of object can be determined by examining the
.Va type
element of
.Vt struct io_sysctl ,
which can be
.Dv IOSTAT_DISK
(disk drive),
.Dv IOSTAT_TAPE
(tape drive), or
.Dv IOSTAT_NFS
(NFS mount).
.It Li hw.machine ( HW_MACHINE )
The machine class.
.It Li hw.machine_arch ( HW_MACHINE_ARCH )
The machine CPU class.
.It Li hw.model ( HW_MODEL )
The machine model.
.It Li hw.ncpu ( HW_NCPU )
The number of CPUs configured.
.It Li hw.ncpuonline ( HW_NCPUONLINE )
The number of CPUs online.
.It Li hw.pagesize ( HW_PAGESIZE )
The software page size.
.It Li hw.physmem ( HW_PHYSMEM )
The bytes of physical memory as a 32-bit integer.
.It Li hw.physmem64 ( HW_PHYSMEM64 )
The bytes of physical memory as a 64-bit integer.
.It Li hw.usermem ( HW_USERMEM )
The bytes of non-kernel memory as a 32-bit integer.
.It Li hw.usermem64 ( HW_USERMEM64 )
The bytes of non-kernel memory as a 64-bit integer.
.El
.Ss The kern.* subtree
This subtree includes data generally related to the kernel.
The string and integer information available for the
.Li kern
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.posix_reader_writer_locks" \
"struct kinfo_drivers" "not applicable"
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It kern.aio_listio_max Ta integer Ta yes
.It kern.aio_max Ta integer Ta yes
.It kern.arandom Ta integer Ta no
.It kern.argmax Ta integer Ta no
.It kern.boothowto Ta integer Ta no
.It kern.boottime Ta struct timeval Ta no
.It kern.buildinfo Ta string Ta no
.\".It kern.bufq node not applicable
.It kern.ccpu Ta integer Ta no
.It kern.clockrate Ta struct clockinfo Ta no
.It kern.consdev Ta integer Ta no
.It kern.coredump Ta node Ta not applicable
.It kern.cp_id Ta struct Ta no
.It kern.cp_time Ta uint64_t[\|] Ta no
.It kern.cryptodevallowsoft Ta integer Ta yes
.It kern.defcorename Ta string Ta yes
.It kern.detachall Ta integer Ta yes
.It kern.domainname Ta string Ta yes
.It kern.drivers Ta struct kinfo_drivers Ta no
.It kern.dump_on_panic Ta integer Ta yes
.It kern.file Ta struct file Ta no
.It kern.forkfsleep Ta integer Ta yes
.It kern.fscale Ta integer Ta no
.It kern.fsync Ta integer Ta no
.It kern.hardclock_ticks Ta integer Ta no
.It kern.hostid Ta integer Ta yes
.It kern.hostname Ta string Ta yes
.It kern.iov_max Ta integer Ta no
.It kern.ipc Ta node Ta not applicable
.It kern.job_control Ta integer Ta no
.It kern.labeloffset Ta integer Ta no
.It kern.labelsector Ta integer Ta no
.It kern.login_name_max Ta integer Ta no
.It kern.logsigexit Ta integer Ta yes
.It kern.mapped_files Ta integer Ta no
.It kern.maxfiles Ta integer Ta yes
.It kern.maxlwp Ta integer Ta yes
.It kern.maxpartitions Ta integer Ta no
.It kern.maxphys Ta integer Ta no
.It kern.maxproc Ta integer Ta yes
.It kern.maxptys Ta integer Ta yes
.It kern.maxvnodes Ta integer Ta yes
.It kern.mbuf Ta node Ta not applicable
.It kern.memlock Ta integer Ta no
.It kern.memlock_range Ta integer Ta no
.It kern.memory_protection Ta integer Ta no
.It kern.module Ta node Ta not applicable
.It kern.monotonic_clock Ta integer Ta no
.It kern.mqueue Ta node Ta not applicable
.It kern.msgbuf Ta integer Ta no
.It kern.msgbufsize Ta integer Ta no
.It kern.ngroups Ta integer Ta no
.\".It kern.no_sa_support integer yes
.It kern.ntptime Ta struct ntptimeval Ta no
.It kern.osrelease Ta string Ta no
.It kern.osrevision Ta integer Ta no
.It kern.ostype Ta string Ta no
.\".It kern.panic_now integer yes
.It kern.pipe Ta node Ta not applicable
.It kern.pool Ta struct pool_sysctl Ta no
.\" .It kern.posix node not applicable
.It kern.posix1version Ta integer Ta no
.It kern.posix_aio Ta integer Ta no
.It kern.posix_barriers Ta integer Ta no
.It kern.posix_reader_writer_locks Ta integer Ta no
.\".It kern.posix_sched integer yes
.It kern.posix_semaphores Ta integer Ta no
.It kern.posix_spin_locks Ta integer Ta no
.It kern.posix_threads Ta integer Ta no
.It kern.posix_timers Ta integer Ta no
.It kern.proc Ta struct kinfo_proc Ta no
.It kern.proc2 Ta struct kinfo_proc2 Ta no
.It kern.proc_args Ta string Ta no
.It kern.profiling Ta node Ta not applicable
.\".It kern.pset node not applicable
.It kern.rawpartition Ta integer Ta no
.It kern.root_device Ta string Ta no
.It kern.root_partition Ta integer Ta no
.It kern.rtc_offset Ta integer Ta yes
.It kern.saved_ids Ta integer Ta no
.It kern.sbmax Ta integer Ta yes
.\".It kern.sched node not applicable
.It kern.securelevel Ta integer Ta raise only
.It kern.somaxkva Ta integer Ta yes
.It kern.synchronized_io Ta integer Ta no
.It kern.timecounter Ta node Ta not applicable
.It kern.timex Ta struct Ta no
.It kern.tkstat Ta node Ta not applicable
.It kern.tty Ta node Ta not applicable
.It kern.urandom Ta integer Ta no
.It kern.usercrypto Ta integer Ta yes
.It kern.userasymcrypto Ta integer Ta yes
.It kern.veriexec Ta node Ta not applicable
.It kern.version Ta string Ta no
.It kern.vnode Ta struct vnode Ta no
.El
.Bl -tag -width "123456"
.It Li kern.aio_listio_max
The maximum number of asynchronous
.Tn I/O
operations in a single list I/O call.
Like with all variables related to
.Xr aio 3 ,
the variable may be created and removed dynamically
upon loading or unloading the corresponding kernel module.
.It Li kern.aio_max
The maximum number of asynchronous I/O operations.
.It Li kern.arandom
This variable picks a random number each time it is queried.
The random number generator
.Pf ( Tn RNG )
used is based on
.Xr arc4random 3 .
.It Li kern.argmax ( KERN_ARGMAX )
The maximum bytes of argument to
.Xr execve 2 .
.It Li kern.boothowto
Flags passed from the boot loader; see
.Xr reboot 2
for the meanings of the flags.
.It Li kern.boottime ( KERN_BOOTTIME )
A
.Vt struct timeval
structure is returned.
This structure contains the time that the system was booted.
.It Li kern.buildinfo
When the kernel is built, the build environment may optionally provide
arbitrary information to be stored in this variable.
.\" .It Li kern.bufq
.\" XXX: Undocumented.
.It Li kern.ccpu ( KERN_CCPU )
The scheduler exponential decay value.
.It Li kern.clockrate ( KERN_CLOCKRATE )
A
.Vt struct clockinfo
structure is returned.
This structure contains the clock, statistics clock and profiling clock
frequencies, the number of microseconds per hz tick, and the clock
skew rate.
Refer to
.Xr hz 9
for additional details.
.It Li kern.consdev ( KERN_CONSDEV )
Console device.
.It Li kern.coredump
Settings related to set-id processes' coredumps.
By default, set-id processes do not dump core in situations where
other processes would.
The settings in this node allow an administrator to change this
behavior.
.Pp
The third level name is
.Dv kern.coredump.setid
and fourth level variables are described below.
.Bl -column "kern.coredump.setid.group" "integer" "Changeable" -offset indent
.It Sy Fourth level name Ta Sy Type Ta Sy Changeable
.It kern.coredump.setid.dump Ta integer Ta yes
.It kern.coredump.setid.group Ta integer Ta yes
.It kern.coredump.setid.mode Ta integer Ta yes
.It kern.coredump.setid.owner Ta integer Ta yes
.It kern.coredump.setid.path Ta string Ta yes
.El
.Bl -tag -width "123456"
.It Li kern.coredump.setid.dump
If non-zero, set-id processes will dump core.
.It Li kern.coredump.setid.group
The group-id for the set-id processes' coredump.
.It Li kern.coredump.setid.mode
The mode for the set-id processes' coredump.
See
.Xr chmod 1 .
.It Li kern.coredump.setid.owner
The user-id that will be used as the owner of the set-id processes'
coredump.
.It Li kern.coredump.setid.path
The path to which set-id processes' coredumps will be saved.
Same syntax as kern.defcorename.
.El
.It Li kern.cp_id ( KERN_CP_ID )
Mapping of CPU number to CPU id.
.It Li kern.cp_time ( KERN_CP_TIME )
Returns an array of
.Dv CPUSTATES
.Vt uint64_t Ns s.
This array contains the
number of clock ticks spent in different CPU states.
On multi-processor systems, the sum across all CPUs is returned unless
appropriate space is given for one data set for each CPU.
Data for a specific CPU can also be obtained by adding the number of the
CPU at the end of the MIB, enlarging it by one.
.It Li kern.cryptodevallowsoft
This variable controls userland access to hardware versus software transforms
in the
.Xr crypto 4
system.
The available values are as follows:
.Bl -tag -width XX0 -offset indent
.It Dv \*[Lt] 0
Always force userlevel requests to use software transforms.
.It Dv = 0
If present, use hardware and grant userlevel requests for
non-accelerated transforms (handling the latter in software).
.It Dv \*[Gt] 0
Allow user requests only for transforms which are hardware-accelerated.
.El
.It Li kern.defcorename ( KERN_DEFCORENAME )
Default template for the name of core dump files (see also
.Li proc.pid.corename
in the per-process variables
.Li proc.* ,
and
.Xr core 5
for format of this template).
The default value is
.Pa %n.core
and can be changed with the kernel configuration option
.Cd options DEFCORENAME
(see
.Xr options 4 ) .
.It Li kern.detachall
Detach all devices at shutdown.
.It Li kern.domainname ( KERN_DOMAINNAME )
Get or set the YP domain name.
.It Li kern.drivers ( KERN_DRIVERS )
Return an array of
.Vt struct kinfo_drivers
that contains the name and major device numbers of all the device drivers
in the current kernel.
The
.Va d_name
field is always a NUL terminated string.
The
.Va d_bmajor
field will be set to \-1 if the driver doesn't have a block device.
.It Li kern.dump_on_panic ( KERN_DUMP_ON_PANIC )
Perform a crash dump on system
.Xr panic 9 .
.It Li kern.file ( KERN_FILE )
Return the entire file table.
The returned data consists of a single
.Vt struct filelist
followed by an array of
.Vt struct file ,
whose size depends on the current number of such objects in the system.
.It Li kern.forkfsleep ( KERN_FORKFSLEEP )
If the
.Xr fork 2
system call fails due to the limit on the number of processes (either
the global maxproc limit or the user's one), wait for this many
milliseconds before returning the
.Er EAGAIN
error to the process.
Useful to keep heavily forking runaway processes at bay.
Default zero (no sleep).
Maximum is 20 seconds.
.It Li kern.fscale ( KERN_FSCALE )
The kernel fixed-point scale factor.
.It Li kern.fsync ( KERN_FSYNC )
Return 1 if the
.St -p1003.1b-93
File Synchronization Option is available
on this system,
otherwise\ 0.
.It Li kern.hardclock_ticks ( KERN_HARDCLOCK_TICKS )
Returns the number of
.Xr hardclock 9
ticks.
.It Li kern.hostid ( KERN_HOSTID )
Get or set the host identifier.
This is intended to replace the legacy
.Xr gethostid 3
and
.Xr sethostid 3
system calls.
.It Li kern.hostname ( KERN_HOSTNAME )
Get or set the
.Xr hostname 1 .
.It Li kern.iov_max ( KERN_IOV_MAX )
Return the maximum number of
.Vt iovec
structures that a process has available for use with
.Xr preadv 2 ,
.Xr pwritev 2 ,
.Xr readv 2 ,
.Xr recvmsg 2 ,
.Xr sendmsg 2
and
.Xr writev 2 .
.It Li kern.ipc ( KERN_SYSVIPC )
Return information about the SysV IPC parameters.
The third level names for the ipc variables are detailed below.
.Bl -column "kern.ipc.shm_use_phys" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.ipc.sysvmsg Ta integer Ta no
.It kern.ipc.sysvsem Ta integer Ta no
.It kern.ipc.sysvshm Ta integer Ta no
.It kern.ipc.sysvipc_info Ta struct Ta no
.It kern.ipc.shmmax Ta integer Ta yes
.It kern.ipc.shmmni Ta integer Ta yes
.It kern.ipc.shmseg Ta integer Ta yes
.It kern.ipc.shmmaxpgs Ta integer Ta yes
.It kern.ipc.shm_use_phys Ta integer Ta yes
.It kern.ipc.msgmni Ta integer Ta yes
.It kern.ipc.msgseg Ta integer Ta yes
.It kern.ipc.semmni Ta integer Ta yes
.It kern.ipc.semmns Ta integer Ta yes
.It kern.ipc.semmnu Ta integer Ta yes
.El
.Bl -tag -width "123456"
.It Li kern.ipc.sysvmsg ( KERN_SYSVIPC_MSG )
Returns 1 if System V style message queue functionality is available
on this system,
otherwise\ 0.
.It Li kern.ipc.sysvsem ( KERN_SYSVIPC_SEM )
Returns 1 if System V style semaphore functionality is available
on this system,
otherwise\ 0.
.It Li kern.ipc.sysvshm ( KERN_SYSVIPC_SHM )
Returns 1 if System V style shared memory functionality is available
on this system,
otherwise\ 0.
.It Li kern.ipc.sysvipc_info ( KERN_SYSVIPC_INFO )
Return System V style IPC configuration and run-time information.
The fourth level name selects the System V style IPC facility.
.Bl -column "KERN_SYSVIPC_MSG_INFO" "struct shm_sysctl_info" -offset indent
.It Sy Fourth level name Ta Sy Type
.It KERN_SYSVIPC_MSG_INFO Ta struct msg_sysctl_info
.It KERN_SYSVIPC_SEM_INFO Ta struct sem_sysctl_info
.It KERN_SYSVIPC_SHM_INFO Ta struct shm_sysctl_info
.El
.Pp
.Bl -tag -width "123456"
.It Li KERN_SYSVIPC_MSG_INFO
Return information on the System V style message facility.
The
.Sy msg_sysctl_info
structure is defined in
.In sys/msg.h .
.It Li KERN_SYSVIPC_SEM_INFO
Return information on the System V style semaphore facility.
The
.Sy sem_sysctl_info
structure is defined in
.In sys/sem.h .
.It Li KERN_SYSVIPC_SHM_INFO
Return information on the System V style shared memory facility.
The
.Sy shm_sysctl_info
structure is defined in
.In sys/shm.h .
.El
.It Li kern.ipc.shmmax ( KERN_SYSVIPC_SHMMAX )
Max shared memory segment size in bytes.
.It Li kern.ipc.shmmni ( KERN_SYSVIPC_SHMMNI )
Max number of shared memory identifiers.
.It Li kern.ipc.shmseg ( KERN_SYSVIPC_SHMSEG )
Max shared memory segments per process.
.It Li kern.ipc.shmmaxpgs ( KERN_SYSVIPC_SHMMAXPGS )
Max amount of shared memory in pages.
.It Li kern.ipc.shm_use_phys ( KERN_SYSVIPC_SHMUSEPHYS )
Locking of shared memory in physical memory.
If 0, memory can be swapped
out, otherwise it will be locked in physical memory.
.It Li kern.ipc.msgmni
Max number of message queue identifiers.
.It Li kern.ipc.msgseg
Max number of message segments.
.It Li kern.ipc.semmni
Max number of semaphore identifiers.
.It Li kern.ipc.semmns
Max number of semaphores in system.
.It Li kern.ipc.semmnu
Max number of undo structures in system.
.El
.It Li kern.job_control ( KERN_JOB_CONTROL )
Return 1 if job control is available on this system, otherwise\ 0.
.It Li kern.labeloffset ( KERN_LABELOFFSET )
The offset within the sector specified by
.Dv KERN_LABELSECTOR
of the
.Xr disklabel 5 .
.It Li kern.labelsector ( KERN_LABELSECTOR )
The sector number containing the
.Xr disklabel 5 .
.It Li kern.login_name_max ( KERN_LOGIN_NAME_MAX )
The size of the storage required for a login name, in bytes,
including the terminating NUL.
.It Li kern.logsigexit ( KERN_LOGSIGEXIT )
If this flag is non-zero, the kernel will
.Xr log 9
all process exits due to signals which create a
.Xr core 5
file, and whether the coredump was created.
.It Li kern.mapped_files ( KERN_MAPPED_FILES )
Returns 1 if the
.St -p1003.1b-93
Memory Mapped Files Option is available on this system,
otherwise\ 0.
.It Li kern.maxfiles ( KERN_MAXFILES )
The maximum number of files that may be open in the system.
.It Li kern.maxpartitions ( KERN_MAXPARTITIONS )
The maximum number of partitions allowed per disk.
.It Li kern.maxlwp
The maximum number of Lightweight Processes (threads) the system allows
per uid.
.It Li kern.maxphys ( KERN_MAXPHYS )
Maximum raw I/O transfer size.
.It Li kern.maxproc ( KERN_MAXPROC )
The maximum number of simultaneous processes the system will allow.
.It Li kern.maxptys ( KERN_MAXPTYS )
The maximum number of pseudo terminals.
This value can be both raised and lowered, though it cannot
be set lower than the number of currently used ptys.
See also
.Xr pty 4 .
.It Li kern.maxvnodes ( KERN_MAXVNODES )
The maximum number of vnodes available on the system.
This can only be raised.
.It Li kern.mbuf ( KERN_MBUF )
Return information about the mbuf control variables.
Mbufs are data structures which store network packets and other data
structures in the networking code, see
.Xr mbuf 9 .
The third level names for the mbuf variables are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.mbuf.nmbclusters" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.\" XXX Changeable? really?
.It kern.mbuf.mblowat Ta integer Ta yes
.It kern.mbuf.mclbytes Ta integer Ta yes
.It kern.mbuf.mcllowat Ta integer Ta yes
.It kern.mbuf.msize Ta integer Ta yes
.It kern.mbuf.nmbclusters Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.mbuf.mblowat ( MBUF_MBLOWAT )
The mbuf low water mark.
.It Li kern.mbuf.mclbytes ( MBUF_MCLBYTES )
The mbuf cluster size.
.It Li kern.mbuf.mcllowat ( MBUF_MCLLOWAT )
The mbuf cluster low water mark.
.It Li kern.mbuf.msize ( MBUF_MSIZE )
The mbuf base size.
.It Li kern.mbuf.nmbclusters ( MBUF_NMBCLUSTERS )
The limit on the number of mbuf clusters.
The variable can only be increased, and only increased on machines with
direct-mapped pool pages.
.El
.It Li kern.memlock ( KERN_MEMLOCK )
Returns 1 if the
.St -p1003.1b-93
Process Memory Locking Option is available on this system,
otherwise\ 0.
.It Li kern.memlock_range ( KERN_MEMLOCK_RANGE )
Returns 1 if the
.St -p1003.1b-93
Range Memory Locking Option is available on this system,
otherwise\ 0.
.It Li kern.memory_protection ( KERN_MEMORY_PROTECTION )
Returns 1 if the
.St -p1003.1b-93
Memory Protection Option is available on this system,
otherwise\ 0.
.It Li kern.module
Settings related to kernel modules.
The third level names for the settings are described below.
.Bl -column "kern.module.autoload" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.module.autoload Ta integer Ta yes
.It kern.module.autotime Ta integer Ta yes
.It kern.module.verbose Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.module.autoload
A boolean that controls whether kernel modules are loaded automatically.
See
.Xr module 7
for additional details.
.It Li kern.module.autotime
An integer that controls the delay before an attempt is made to
automatically unload a module that was auto-loaded.
Setting this value to zero disables the auto-unload function.
.It Li kern.module.verbose
A boolean that enables or disables verbose
debug messages related to kernel modules.
.El
.It Li kern.monotonic_clock ( KERN_MONOTONIC_CLOCK )
Returns the standard version the implementation of the
.St -p1003.1b-93
Monotonic Clock Option conforms to,
otherwise\ 0.
.It Li kern.mqueue
Settings related to
.Tn POSIX
message queues; see
.Xr mqueue 3 .
This node is created dynamically when
the corresponding kernel module is loaded.
The third level names for the settings are described below.
.Bl -column "kern.mqueue.mq_max_msgsize" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.mqueue.mq_open_max Ta integer Ta yes
.It kern.mqueue.mq_prio_max Ta integer Ta yes
.It kern.mqueue.mq_max_msgsize Ta integer Ta yes
.It kern.mqueue.mq_def_maxmsg Ta integer Ta yes
.It kern.mqueue.mq_max_maxmsg Ta integer Ta yes
.El
.Pp
The variables are:
.Bl -tag -width "123456"
.It Li kern.mqueue.mq_open_max
The maximum number of message queue descriptors any single process can open.
.It Li kern.mqueue.mq_prio_max
The maximum priority of a message.
.It Li kern.mqueue.mq_max_msgsize
The maximum size of a message in a message queue.
.It Li kern.mqueue.mq_def_maxmsg
The default maximum message count.
.It Li kern.mqueue.mq_max_maxmsg
The maximum number of messages in a message queue.
.El
.It Li kern.msgbuf ( KERN_MSGBUF )
The kernel message buffer, rotated so that the head of the circular kernel
message buffer is at the start of the returned data.
The returned data may contain NUL bytes.
.It Li kern.msgbufsize ( KERN_MSGBUFSIZE )
The maximum number of characters that the kernel message buffer can hold.
.It Li kern.ngroups ( KERN_NGROUPS )
The maximum number of supplemental groups.
.\" .It Li kern.no_sa_support
.\" XXX: Undocumented.
.It Li kern.ntptime ( KERN_NTPTIME )
A
.Vt struct ntptimeval
structure is returned.
This structure contains data used by the
.Xr ntpd 8
program.
.It Li kern.osrelease ( KERN_OSRELEASE )
The system release string.
.It Li kern.osrevision ( KERN_OSREV )
The system revision string.
.It Li kern.ostype ( KERN_OSTYPE )
The system type string.
.\".It Li kern.panic_now
.\" XXX: Undocumented.
.It Li kern.pipe ( KERN_PIPE )
Pipe settings.
The third level names for the integer pipe settings are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.pipe.maxbigpipes" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.pipe.kvasiz Ta integer Ta yes
.It kern.pipe.maxbigpipes Ta integer Ta yes
.It kern.pipe.maxkvasz Ta integer Ta yes
.It kern.pipe.limitkva Ta integer Ta yes
.It kern.pipe.nbigpipes Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.pipe.kvasiz ( KERN_PIPE_KVASIZ )
Amount of kernel memory consumed by pipe buffers.
.It Li kern.pipe.maxbigpipes ( KERN_PIPE_MAXBIGPIPES )
Maximum number of
.Dq big
pipes.
.It Li kern.pipe.maxkvasz ( KERN_PIPE_MAXKVASZ )
Maximum amount of kernel memory to be used for pipes.
.It Li kern.pipe.limitkva ( KERN_PIPE_LIMITKVA )
Limit for direct transfers via page loan.
.It Li kern.pipe.nbigpipes ( KERN_PIPE_NBIGPIPES )
Number of
.Dq big
pipes.
.El
.It Li kern.pool
Provides statistics about the
.Xr pool 9
and
.Xr pool_cache 9
subsystems.
.\" XXX: Undocumented .It Li kern.posix ( ? )
.\" This is a node in which the only variable is semmax.
.It Li kern.posix1version ( KERN_POSIX1 )
The version of ISO/IEC 9945
.Pq St -p1003.1
with which the system attempts to comply.
.It Li kern.posix_aio
The version of
.St -p1003.1
and its Asynchronous I/O option to which the system attempts to conform.
.It Li kern.posix_barriers ( KERN_POSIX_BARRIERS )
The version of
.St -p1003.1
and its
Barriers
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.posix_reader_writer_locks ( KERN_POSIX_READER_WRITER_LOCKS )
The version of
.St -p1003.1
and its
Read-Write Locks
option to which the system attempts to conform,
otherwise\ 0.
.\".It Li kern.posix_sched
.\" XXX: Undocumented.
.It Li kern.posix_semaphores ( KERN_POSIX_SEMAPHORES )
The version of
.St -p1003.1
and its
Semaphores
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.posix_spin_locks ( KERN_POSIX_SPIN_LOCKS )
The version of
.St -p1003.1
and its
Spin Locks
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.posix_threads ( KERN_POSIX_THREADS )
The version of
.St -p1003.1
and its
Threads
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.posix_timers ( KERN_POSIX_TIMERS )
The version of
.St -p1003.1
and its
Timers
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.proc ( KERN_PROC )
Return the entire process table, or a subset of it.
An array of
.Vt struct kinfo_proc
structures is returned,
whose size depends on the current number of such objects in the system.
The third and fourth level numeric names are as follows:
.Bl -column "KERN_PROC_SESSION" "Fourth level is:" -offset indent
.It Sy Third level name Ta Fourth level is:
.It KERN_PROC_ALL Ta None
.It KERN_PROC_GID Ta A group ID
.It KERN_PROC_PID Ta A process ID
.It KERN_PROC_PGRP Ta A process group
.It KERN_PROC_RGID Ta A real group ID
.It KERN_PROC_RUID Ta A real user ID
.It KERN_PROC_SESSION Ta A session ID
.It KERN_PROC_TTY Ta A tty device
.It KERN_PROC_UID Ta A user ID
.El
.It Li kern.proc2 ( KERN_PROC2 )
As for
.Dv KERN_PROC ,
but an array of
.Vt struct kinfo_proc2
structures is returned.
The fifth level name is the size of the
.Vt struct kinfo_proc2
and the sixth level name is the number of structures to return.
.It Li kern.proc_args ( KERN_PROC_ARGS )
Return the argv or environment strings (or the number thereof)
of a process.
Multiple strings are returned separated by NUL characters.
The third level name is the process ID.
The fourth level name is as follows:
.Bl -column "KERN_PROG_NARGV" "The number of environ strings" -offset indent
.It KERN_PROC_ARGV Ta The argv strings
.It KERN_PROC_ENV Ta The environ strings
.It KERN_PROC_NARGV Ta The number of argv strings
.It KERN_PROC_NENV Ta The number of environ strings
.El
.It Li kern.profiling ( KERN_PROF )
Return profiling information about the kernel.
If the kernel is not compiled for profiling,
attempts to retrieve any of the
.Dv KERN_PROF
values will fail with
.Er EOPNOTSUPP .
The third level names for the string and integer profiling information
are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.profiling.gmonparam" "struct gmonparam" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.profiling.count Ta u_short[\|] Ta yes
.It kern.profiling.froms Ta u_short[\|] Ta yes
.It kern.profiling.gmonparam Ta struct gmonparam Ta no
.It kern.profiling.state Ta integer Ta yes
.It kern.profiling.tos Ta struct tostruct Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.profiling.count ( GPROF_COUNT )
Array of statistical program counter counts.
.It Li kern.profiling.froms ( GPROF_FROMS )
Array indexed by program counter of call-from points.
.It Li kern.profiling.gmonparams ( GPROF_GMONPARAM )
Structure giving the sizes of the above arrays.
.It Li kern.profiling.state ( GPROF_STATE )
Profiling state.
If set to
.Dv GMON_PROF_ON ,
starts profiling.
If set to
.Dv GMON_PROF_OFF ,
stops profiling.
.It Li kern.profiling.tos ( GPROF_TOS )
Array of
.Vt struct tostruct
describing destination of calls and their counts.
.El
.\" .It Li kern.pset
.\" XXX: Undocumented.
.It Li kern.rawpartition ( KERN_RAWPARTITION )
The raw partition of a disk (a == 0).
.It Li kern.root_device ( KERN_ROOT_DEVICE )
The name of the root device (e.g.,
.Dq wd0 ) .
.It Li kern.root_partition ( KERN_ROOT_PARTITION )
The root partition on the root device (a == 0).
.It Li kern.rtc_offset ( KERN_RTC_OFFSET )
Return the offset of real time clock from UTC in minutes.
.It Li kern.saved_ids ( KERN_SAVED_IDS )
Returns 1 if saved set-group and saved set-user ID are available.
.It Li kern.sbmax ( KERN_SBMAX )
Maximum socket buffer size.
.\" XXX units?
.It Li kern.securelevel ( KERN_SECURELVL )
See
.Xr secmodel_securelevel 9 .
.\" .It Li kern.sched
.\" XXX: Undocumented.
.It Li kern.somaxkva ( KERN_SOMAXKVA )
Maximum amount of kernel memory to be used for socket buffers.
.\" XXX units?
.It Li kern.synchronized_io ( KERN_SYNCHRONIZED_IO )
Returns 1 if the
.St -p1003.1b-93
Synchronized I/O Option is available on this system,
otherwise\ 0.
.It Li kern.timecounter ( dynamic )
Display and control the timecounter source of the system.
.Bl -column "kern.timecounter.timestepwarnings" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.timecounter.choice Ta string Ta no
.It kern.timecounter.hardware Ta string Ta yes
.It kern.timecounter.timestepwarnings Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.timecounter.choice ( dynamic )
The list of available timecounters with their quality and frequency.
.It Li kern.timecounter.hardware ( dynamic )
The currently selected timecounter source.
.It Li kern.timecounter.timestepwarnings ( dynamic )
If non-zero, display a message each time the time is stepped.
.El
.It Li kern.timex ( KERN_TIMEX )
Not available.
.It Li kern.tkstat ( KERN_TKSTAT )
Return information about the number of characters sent and received
on ttys.
The third level names for the tty statistic variables are detailed below.
The changeable column shows whether a process
with appropriate privilege may change the value.
.Bl -column "kern.tkstat.cancc" "quad" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.tkstat.cancc Ta quad Ta no
.It kern.tkstat.nin Ta quad Ta no
.It kern.tkstat.nout Ta quad Ta no
.It kern.tkstat.rawcc Ta quad Ta no
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.tkstat.cancc ( KERN_TKSTAT_CANCC )
The number of canonical input characters.
.It Li kern.tkstat.nin ( KERN_TKSTAT_NIN )
The total number of input characters.
.It Li kern.tkstat.nout ( KERN_TKSTAT_NOUT )
The total number of output characters.
.It Li kern.tkstat.rawcc ( KERN_TKSTAT_RAWCC )
The number of raw input characters.
.El
.It Li kern.tty
The third level names for the tty setup variables are detailed below.
The changeable column shows whether a process
with appropriate privilege may change the value.
.Bl -column "kern.tty.qsize" "int" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.tty.qsize Ta int Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.tty.qsize
Control/display the size of the default input and output queues selected
during tty creation.
The value is converted to a power of two and its range is between
.Dv 1024
and
.Dv 65536 .
.El
.It Li kern.uidinfo
Resource usage for the current user.
.Bl -column "kern.uidinfo.proccnt" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.uidinfo.proccnt Ta integer Ta no
.It kern.uidinfo.lwpcnt Ta integer Ta no
.It kern.uidinfo.lockcnt Ta integer Ta no
.It kern.uidinfo.sbsize Ta integer Ta no
.El
.Bl -tag -width "123456"
.It Li kern.uidinfo.proccnt
Returns the number of active processes for the current user.
.It Li kern.uidinfo.lwpcnt
Returns the number of active threads for the current user; the first thread
of each process is not counted.
.It Li kern.uidinfo.lockcnt
Number of locks held by the current user.
.It Li kern.uidinfo.sbsize
Number of bytes in socket buffers allocated to the current user.
.El
.It Li kern.urandom ( KERN_URND )
Random integer value.
.It Li kern.usercrypto
When enabled, allows userland to
.Xr open 2
the
.Pa /dev/crypto
special device, used by the
.Xr crypto 4
system.
.It Li kern.userasymcrypto
Enables or disables the use of software asymmetric crypto support in the
.Xr crypto 4
system.
.It Li kern.veriexec
Runtime information for
.Xr veriexec 8 .
.Bl -column "kern.veriexec.algorithms" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.veriexec.algorithms Ta string Ta no
.It kern.veriexec.count Ta node Ta not applicable
.It kern.veriexec.strict Ta integer Ta yes
.It kern.veriexec.verbose Ta integer Ta yes
.El
.Bl -tag -width "123456"
.It Li kern.veriexec.algorithms
Returns a string with the supported algorithms in Veriexec.
.It Li kern.veriexec.count
Sub-nodes are added to this node as new mounts are monitored by Veriexec.
Each mount will be under its own
.No tableN
node.
Under each node there will be three variables, indicating the mount
point, the file system type, and the number of entries.
.It Li kern.veriexec.strict
Controls the strict level of Veriexec.
See
.Xr security 7
for more information on each level's implications.
.It Li kern.veriexec.verbose
Controls the verbosity level of Veriexec.
If 0, only the minimal
indication required will be given about what's happening - fingerprint
mismatches, removal of entries from the tables, modification of a
fingerprinted file.
If 1, more messages will be printed (i.e., when a file with a valid
fingerprint is accessed).
Verbose level 2 is debug mode.
.El
.It Li kern.version ( KERN_VERSION )
The system version string.
.It Li kern.vnode ( KERN_VNODE )
Return the entire vnode table.
Note, the vnode table is not necessarily a consistent snapshot of
the system.
The returned data consists of an array whose size depends on the
current number of such objects in the system.
Each element of the array contains the kernel address of a vnode
.Vt struct vnode *
followed by the vnode itself
.Vt struct vnode .
.\" XXX: Undocumented: kern.lwp: no children?
.El
.Ss The machdep.* subtree
The set of variables defined is architecture dependent.
Most architectures define at least the following variables.
.Bl -column "machdep.booted_kernel" "Type" "Changeable" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It Li machdep.booted_kernel Ta string Ta no
.El
.\" XXX: Document the above.
.Ss The net.* subtree
The string and integer information available for the
.Li net
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
The second and third levels are typically the protocol family and
protocol number, though this is not always the case.
.Bl -column "Second level name" "IPsec key management values" "Changeable" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It net.route Ta routing messages Ta no
.It net.inet Ta IPv4 values Ta yes
.It net.inet6 Ta IPv6 values Ta yes
.It net.key Ta IPsec key management values Ta yes
.El
.Pp
.Bl -tag -width "123456"
.It Li net.route ( PF_ROUTE )
.\" XXX really?
Return the entire routing table or a subset of it.
The data is returned as a sequence of routing messages (see
.Xr route 4
for the header file, format and meaning).
The length of each message is contained in the message header.
.Pp
The third level name is a protocol number, which is currently always\ 0.
The fourth level name is an address family, which may be set to 0 to
select all address families.
The fifth and sixth level names are as follows:
.Bl -column "Fifth level name" "Sixth level is:" -offset indent
.It Sy Fifth level name Ta Sixth level is:
.It NET_RT_FLAGS Ta rtflags
.It NET_RT_DUMP Ta None
.It NET_RT_IFLIST Ta None
.El
.It Li net.inet ( PF_INET )
Get or set various global information about the IPv4
.Pq Internet Protocol version 4 .
The third level name is the protocol.
The fourth level name is the variable name.
The currently defined protocols and names are:
.Bl -column "Protocol name" "sack.globalmaxholes" "integer" "Changeable" -offset 4n
.It Sy Protocol name Ta Variable name Ta Type Ta Changeable
.It arp Ta down Ta integer Ta yes
.It arp Ta keep Ta integer Ta yes
.It arp Ta log_movements Ta integer Ta yes
.It arp Ta log_permanent_modify Ta integer Ta yes
.It arp Ta log_unknown_network Ta integer Ta yes
.It arp Ta log_wrong_iface Ta integer Ta yes
.It arp Ta prune Ta integer Ta yes
.It arp Ta refresh Ta integer Ta yes
.It carp Ta allow Ta integer Ta yes
.It carp Ta preempt Ta integer Ta yes
.It carp Ta log Ta integer Ta yes
.It carp Ta arpbalance Ta integer Ta yes
.It icmp Ta errppslimit Ta integer Ta yes
.It icmp Ta maskrepl Ta integer Ta yes
.It icmp Ta rediraccept Ta integer Ta yes
.It icmp Ta redirtimeout Ta integer Ta yes
.It icmp Ta bmcastecho Ta integer Ta yes
.It ip Ta allowsrcrt Ta integer Ta yes
.It ip Ta anonportalgo.selected Ta string Ta yes
.It ip Ta anonportalgo.available Ta string Ta yes
.It ip Ta anonportalgo.reserve Ta struct Ta yes
.It ip Ta anonportmax Ta integer Ta yes
.It ip Ta anonportmin Ta integer Ta yes
.It ip Ta checkinterface Ta integer Ta yes
.It ip Ta directed-broadcast Ta integer Ta yes
.It ip Ta do_loopback_cksum Ta integer Ta yes
.It ip Ta forwarding Ta integer Ta yes
.It ip Ta forwsrcrt Ta integer Ta yes
.It ip Ta gifttl Ta integer Ta yes
.It ip Ta grettl Ta integer Ta yes
.It ip Ta hashsize Ta integer Ta yes
.It ip Ta hostzerobroadcast Ta integer Ta yes
.It ip Ta lowportmin Ta integer Ta yes
.It ip Ta lowportmax Ta integer Ta yes
.It ip Ta maxflows Ta integer Ta yes
.It ip Ta maxfragpackets Ta integer Ta yes
.It ip Ta mtudisc Ta integer Ta yes
.It ip Ta mtudisctimeout Ta integer Ta yes
.It ip Ta random_id Ta integer Ta yes
.It ip Ta redirect Ta integer Ta yes
.It ip Ta subnetsarelocal Ta integer Ta yes
.It ip Ta ttl Ta integer Ta yes
.It tcp Ta rfc1323 Ta integer Ta yes
.It tcp Ta sendspace Ta integer Ta yes
.It tcp Ta recvspace Ta integer Ta yes
.It tcp Ta mssdflt Ta integer Ta yes
.It tcp Ta syn_cache_limit Ta integer Ta yes
.It tcp Ta syn_bucket_limit Ta integer Ta yes
.It tcp Ta syn_cache_interval Ta integer Ta yes
.It tcp Ta init_win Ta integer Ta yes
.It tcp Ta init_win_local Ta integer Ta yes
.It tcp Ta mss_ifmtu Ta integer Ta yes
.It tcp Ta win_scale Ta integer Ta yes
.It tcp Ta timestamps Ta integer Ta yes
.It tcp Ta compat_42 Ta integer Ta yes
.It tcp Ta cwm Ta integer Ta yes
.It tcp Ta cwm_burstsize Ta integer Ta yes
.It tcp Ta ack_on_push Ta integer Ta yes
.It tcp Ta keepidle Ta integer Ta yes
.It tcp Ta keepintvl Ta integer Ta yes
.It tcp Ta keepcnt Ta integer Ta yes
.It tcp Ta slowhz Ta integer Ta no
.It tcp Ta keepinit Ta integer Ta yes
.It tcp Ta log_refused Ta integer Ta yes
.It tcp Ta rstppslimit Ta integer Ta yes
.It tcp Ta ident Ta struct Ta no
.It tcp Ta drop Ta struct Ta no
.It tcp Ta sack.enable Ta integer Ta yes
.It tcp Ta sack.globalholes Ta integer Ta no
.It tcp Ta sack.globalmaxholes Ta integer Ta yes
.It tcp Ta sack.maxholes Ta integer Ta yes
.It tcp Ta ecn.enable Ta integer Ta yes
.It tcp Ta ecn.maxretries Ta integer Ta yes
.It tcp Ta congctl.selected Ta string Ta yes
.It tcp Ta congctl.available Ta string Ta yes
.It tcp Ta abc.enable Ta integer Ta yes
.It tcp Ta abc.aggressive Ta integer Ta yes
.It udp Ta checksum Ta integer Ta yes
.It udp Ta do_loopback_cksum Ta integer Ta yes
.It udp Ta recvspace Ta integer Ta yes
.It udp Ta sendspace Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li arp.down
Failed ARP entry lifetime.
.It Li arp.keep
Valid ARP entry lifetime.
.It Li arp.prune
ARP cache pruning interval.
.It Li arp.refresh
ARP entry refresh interval.
.It Li carp.allow
If set to 0, incoming
.Xr carp 4
packets will not be processed.
If set to any other value, processing will occur.
Enabled by default.
.It Li carp.arpbalance
If set to any value other than 0, the ARP balancing functionality of
.Xr carp 4
is enabled.
When ARP requests are received for an IP address which is part of any virtual
host, carp will hash the source IP in the ARP request to select one of the
virtual hosts from the set of all the virtual hosts which have that IP address.
The master of that host will respond with the correct virtual MAC address.
Disabled by default.
.It Li carp.log
If set to any value other than 0,
.Xr carp 4
will log errors.
Disabled by default.
.It Li carp.preempt
If set to 0,
.Xr carp 4
will not attempt to become master if it is receiving advertisements from
another active master.
If set to any other value, carp will become master of the virtual host if it
believes it can send advertisements more frequently than the current master.
Disabled by default.
.It Li ip.allowsrcrt
If set to 1, the host accepts source routed packets.
.It Li ip.anonportalgo.available
The available RFC 6056 port randomization algorithms.
.It Li ip.anonportalgo.reserve
A bitmask of ports that will not be used during anonymous or privileged
port selection.
.It Li ip.anonportalgo.selected
The currently selected RFC 6056 port randomization algorithm.
.It Li ip.anonportmax
The highest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535, and must
be greater than
.Li ip.anonportmin .
.It Li ip.anonportmin
The lowest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535.
.It Li ip.checkinterface
If set to non-zero, the host will reject packets addressed to it
that arrive on an interface not bound to that address.
Currently, this must be disabled if ipnat is used to translate the
destination address to another local interface, or if addresses
are added to the loopback interface instead of the interface where
the packets for those addresses are received.
.It Li ip.directed-broadcast
If set to 1, enables directed broadcast behavior for the host.
.It Li ip.do_loopback_cksum
Perform IP checksum on loopback.
.It Li ip.forwarding
If set to 1, enables IP forwarding for the host,
meaning that the host is acting as a router.
.It Li ip.forwsrcrt
If set to 1, enables forwarding of source-routed packets for the host.
This value may only be changed if the kernel security level is less than 1.
.It Li ip.gifttl
The maximum time-to-live (hop count) value for an IPv4 packet generated by
.Xr gif 4
tunnel interface.
.It Li ip.grettl
The maximum time-to-live (hop count) value for an IPv4 packet generated by
.Xr gre 4
tunnel interface.
.It Li ip.hashsize
The size of IPv4 Fast Forward hash table.
This value must be a power of 2 (64, 256...).
A larger hash table size results in fewer collisions.
Also see
.Li ip.maxflows .
.It Li ip.hostzerobroadcast
All zeroes address is broadcast address.
.It Li ip.lowportmax
The highest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be greater than
.Li ip.lowportmin .
.It Li ip.lowportmin
The lowest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be smaller than
.Li ip.lowportmax .
.It Li ip.maxflows
IPv4 Fast Forwarding is enabled by default.
If set to 0, IPv4 Fast Forwarding is disabled.
.Li ip.maxflows
controls the maximum number of flows which can be created.
The default value is 256.
.It Li ip.maxfragpackets
The maximum number of fragmented packets the node will accept.
0 means that the node will not accept any fragmented packets.
\-1 means that the node will accept as many fragmented packets as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip.mtudisc
If set to 1, enables Path MTU Discovery (RFC 1191).
When Path MTU Discovery is enabled, the transmitted TCP segment
size will be determined by the advertised maximum segment size
(MSS) from the remote end, as constrained by the path MTU.
If MTU Discovery is disabled, the transmitted segment size will
never be greater than
.Li tcp.mssdflt
(the local maximum segment size).
.It Li ip.mtudisctimeout
The number of seconds in which a route added by the Path MTU
Discovery engine will time out.
When the route times out, the Path
MTU Discovery engine will attempt to probe a larger path MTU.
.It Li ip.random_id
Assign random ip_id values.
.It Li ip.redirect
If set to 1, ICMP redirects may be sent by the host.
This option is ignored unless the host is routing IP packets,
and should normally be enabled on all systems.
.It Li ip.subnetsarelocal
If set to 1, subnets are to be considered local addresses.
.It Li ip.ttl
The maximum time-to-live (hop count) value for an IP packet sourced by
the system.
This value applies to normal transport protocols, not to ICMP.
.It Li icmp.errppslimit
The variable specifies the maximum number of outgoing ICMP error messages,
per second.
ICMP error messages that exceed the value are subject to rate limitation
and will not go out from the node.
Negative value disables rate limitation.
.It Li icmp.maskrepl
If set to 1, ICMP network mask requests are to be answered.
.It Li icmp.rediraccept
If set to non-zero, the host will accept ICMP redirect packets.
Note that routers will never accept ICMP redirect packets,
and the variable is meaningful on IP hosts only.
.It Li icmp.redirtimeout
The variable specifies the lifetime of routing entries generated by incoming
ICMP redirect.
This defaults to 600 seconds.
.It Li icmp.returndatabytes
Number of bytes to return in an ICMP error message.
.It Li icmp.bmcastecho
If set to 1, enables responding to ICMP echo or timestamp request to the
broadcast address.
.It Li tcp.ack_on_push
If set to 1, TCP is to immediately transmit an ACK upon reception of
a packet with PUSH set.
This can avoid losing a round trip time in some rare situations,
but has the caveat of potentially defeating TCP's delayed ACK algorithm.
Use of this option is generally not recommended, but
the variable exists in case your configuration really needs it.
.It Li tcp.compat_42
If set to 1, enables work-arounds for bugs in the 4.2BSD TCP implementation.
Use of this option is not recommended, although it may be
required in order to communicate with extremely old TCP implementations.
.It Li tcp.cwm
If set to 1, enables use of the Hughes/Touch/Heidemann Congestion Window
Monitoring algorithm.
This algorithm prevents line-rate bursts of packets that could
otherwise occur when data begins flowing on an idle TCP connection.
These line-rate bursts can contribute to network and router congestion.
This can be particularly useful on World Wide Web servers
which support HTTP/1.1, which has lingering connections.
.It Li tcp.cwm_burstsize
The Congestion Window Monitoring allowed burst size, in terms
of packet count.
.It Li tcp.delack_ticks
Number of ticks to delay sending an ACK.
.It Li tcp.do_loopback_cksum
Perform TCP checksum on loopback.
.It Li tcp.init_win
A value indicating the TCP initial congestion window.
The valid range
is 0 to 10 (maximum specified by draft-ietf-tcpm-initcwnd-08.txt),
with a default of 4 (approximately 4K per RFC3390).
.It Li tcp.init_win_local
Like
.Li tcp.init_win ,
but used when communicating with hosts on a local network.
.It Li tcp.keepcnt
Number of keepalive probes sent before declaring a connection dead.
If set to zero, there is no limit;
keepalives will be sent until some kind of
response is received from the peer.
.It Li tcp.keepidle
Time a connection must be idle before keepalives are sent (if keepalives
are enabled for the connection).
See also tcp.slowhz.
.It Li tcp.keepintvl
Time after a keepalive probe is sent until, in the absence of any response,
another probe is sent.
See also tcp.slowhz.
.It Li tcp.log_refused
If set to 1, refused TCP connections to the host will be logged.
.It Li tcp.keepinit
Timeout in seconds during connection establishment.
.It Li tcp.mss_ifmtu
If set to 1, TCP calculates the outgoing maximum segment size based on
the MTU of the appropriate interface.
If set to 0, it is calculated based on the greater of the MTU of the
interface, and the largest (non-loopback) interface MTU on the system.
.It Li tcp.mssdflt
The default maximum segment size both advertised to the peer
and to use when either the peer does not advertise a maximum segment size to
us during connection setup or Path MTU Discovery
.Li ( ip.mtudisc )
is disabled.
Do not change this value unless you really know what you are doing.
.It Li tcp.recvspace
The default TCP receive buffer size.
.It Li tcp.rfc1323
If set to 1, enables RFC 1323 extensions to TCP.
.It Li tcp.rstppslimit
The variable specifies the maximum number of outgoing TCP RST packets,
per second.
TCP RST packets that exceed the value are subject to rate limitation
and will not go out from the node.
Negative value disables rate limitation.
.It Li tcp.ident
Return the user ID of a connected socket pair.
(RFC1413 Identification Protocol lookups.)
.It Li tcp.drop
Drop a TCP socket pair connection.
.It Li tcp.sack.enable
If set to 1, enables RFC 2018 Selective ACKnowledgement.
.It Li tcp.sack.globalholes
Global number of TCP SACK holes.
.It Li tcp.sack.globalmaxholes
Global maximum number of TCP SACK holes.
.It Li tcp.sack.maxholes
Maximum number of TCP SACK holes allowed per connection.
.It Li tcp.ecn.enable
If set to 1, enables RFC 3168 Explicit Congestion Notification.
.It Li tcp.ecn.maxretries
Number of times to retry sending the ECN-setup packet.
.It Li tcp.sendspace
The default TCP send buffer size.
.It Li tcp.slowhz
The units for tcp.keepidle and tcp.keepintvl; those variables are in ticks
of a clock that ticks tcp.slowhz times per second.
(That is, their values
must be divided by the tcp.slowhz value to get times in seconds.)
.It Li tcp.syn_bucket_limit
The maximum number of entries allowed per hash bucket in the TCP
compressed state engine.
.It Li tcp.syn_cache_limit
The maximum number of entries allowed in the TCP compressed state
engine.
.It Li tcp.timestamps
If rfc1323 is enabled, a value of 1 indicates RFC 1323 time stamp options,
used for measuring TCP round trip times, are enabled.
.It Li tcp.win_scale
If rfc1323 is enabled, a value of 1 indicates RFC 1323 window scale options,
for increasing the TCP window size, are enabled.
.It Li tcp.congctl.available
The available TCP congestion control algorithms.
.It Li tcp.congctl.selected
The currently selected TCP congestion control algorithm.
.It Li tcp.abc.enable
If set to 1, use RFC 3465 Appropriate Byte Counting (ABC).
If set to 0, use traditional Packet Counting.
.It Li tcp.abc.aggressive
Choose the L parameter found in RFC 3465.
L is the maximum cwnd increase for an ack during slow start.
If set to 1, use L=2*SMSS.
If set to 0, use L=1*SMSS.
It has no effect unless tcp.abc.enable is set to 1.
.It Li udp.checksum
If set to 1, UDP checksums are being computed.
Received non-zero UDP checksums are always checked.
Disabling UDP checksums is strongly discouraged.
.It Li udp.recvspace
The default UDP receive buffer size.
.It Li udp.sendspace
The default UDP send buffer size.
.El
.Pp
For variables net.*.ipsec, please refer to
.Xr ipsec 4 .
.It Li net.inet6 ( PF_INET6 )
Get or set various global information about the IPv6
.Pq Internet Protocol version 6 .
The third level name is the protocol.
The fourth level name is the variable name.
The currently defined protocols and names are:
.Bl -column "Protocol name" "do_loopback_cksum" "integer" "Changeable" -offset indent
.It Sy Protocol name Ta Variable name Ta Type Ta Changeable
.It icmp6 Ta errppslimit Ta integer Ta yes
.It icmp6 Ta mtudisc_hiwat Ta integer Ta yes
.It icmp6 Ta mtudisc_lowat Ta integer Ta yes
.It icmp6 Ta nd6_debug Ta integer Ta yes
.It icmp6 Ta nd6_delay Ta integer Ta yes
.It icmp6 Ta nd6_maxnudhint Ta integer Ta yes
.It icmp6 Ta nd6_mmaxtries Ta integer Ta yes
.It icmp6 Ta nd6_prune Ta integer Ta yes
.It icmp6 Ta nd6_umaxtries Ta integer Ta yes
.It icmp6 Ta nd6_useloopback Ta integer Ta yes
.It icmp6 Ta nodeinfo Ta integer Ta yes
.It icmp6 Ta rediraccept Ta integer Ta yes
.It icmp6 Ta redirtimeout Ta integer Ta yes
.It ip6 Ta accept_rtadv Ta integer Ta yes
.It ip6 Ta anonportalgo.selected Ta string Ta yes
.It ip6 Ta anonportalgo.available Ta string Ta yes
.It ip6 Ta anonportalgo.reserve Ta struct Ta yes
.It ip6 Ta anonportmax Ta integer Ta yes
.It ip6 Ta anonportmin Ta integer Ta yes
.It ip6 Ta auto_flowlabel Ta integer Ta yes
.It ip6 Ta dad_count Ta integer Ta yes
.It ip6 Ta defmcasthlim Ta integer Ta yes
.It ip6 Ta forwarding Ta integer Ta yes
.It ip6 Ta gifhlim Ta integer Ta yes
.It ip6 Ta hashsize Ta integer Ta yes
.It ip6 Ta hlim Ta integer Ta yes
.It ip6 Ta hdrnestlimit Ta integer Ta yes
.It ip6 Ta kame_version Ta string Ta no
.It ip6 Ta keepfaith Ta integer Ta yes
.It ip6 Ta log_interval Ta integer Ta yes
.It ip6 Ta lowportmax Ta integer Ta yes
.It ip6 Ta lowportmin Ta integer Ta yes
.It ip6 Ta maxdynroutes Ta integer Ta yes
.It ip6 Ta maxifprefixes Ta integer Ta yes
.It ip6 Ta maxifdefrouters Ta integer Ta yes
.It ip6 Ta maxflows Ta integer Ta yes
.It ip6 Ta maxfragpackets Ta integer Ta yes
.It ip6 Ta maxfrags Ta integer Ta yes
.It ip6 Ta neighborgcthresh Ta integer Ta yes
.It ip6 Ta redirect Ta integer Ta yes
.It ip6 Ta rr_prune Ta integer Ta yes
.It ip6 Ta use_deprecated Ta integer Ta yes
.It ip6 Ta v6only Ta integer Ta yes
.It udp6 Ta do_loopback_cksum Ta integer Ta yes
.It udp6 Ta recvspace Ta integer Ta yes
.It udp6 Ta sendspace Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li ip6.accept_rtadv
If set to non-zero, the node will accept ICMPv6 router advertisement packets
and autoconfigure address prefixes and default routers.
The node must be a host
.Pq not a router
for the option to be meaningful.
.It Li ip6.anonportalgo.available
The available RFC 6056 port randomization algorithms.
.It Li ip6.anonportalgo.reserve
A bitmask of ports that will not be used during anonymous or privileged
port selection.
.It Li ip6.anonportalgo.selected
The currently selected RFC 6056 port randomization algorithm.
.It Li ip6.anonportmax
The highest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535, and must
be greater than
.Li ip6.anonportmin .
.It Li ip6.anonportmin
The lowest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535.
.It Li ip6.auto_flowlabel
On connected transport protocol packets,
fill the IPv6 flowlabel field to help intermediate routers identify packet flows.
.It Li ip6.dad_count
The variable configures the number of IPv6 DAD
.Pq duplicated address detection
probe packets.
The packets will be generated when IPv6 interface addresses are configured.
.It Li ip6.defmcasthlim
The default hop limit value for an IPv6 multicast packet sourced by the node.
This value applies to all the transport protocols on top of IPv6.
There are APIs to override the value, as documented in
.Xr ip6 4 .
.It Li ip6.forwarding
If set to 1, enables IPv6 forwarding for the node,
meaning that the node is acting as a router.
If set to 0, disables IPv6 forwarding for the node,
meaning that the node is acting as a host.
The IPv6 specification defines node behavior for the
.Dq router
case and the
.Dq host
case quite differently, and changing this variable during operation
may cause serious trouble.
It is recommended to configure the variable at bootstrap time,
and bootstrap time only.
.It Li ip6.gifhlim
The maximum hop limit value for an IPv6 packet generated by
.Xr gif 4
tunnel interface.
.It Li ip6.hdrnestlimit
The number of IPv6 extension headers permitted on incoming IPv6 packets.
If set to 0, the node will accept as many extension headers as possible.
.It Li ip6.hashsize
The size of IPv6 Fast Forward hash table.
This value must be a power of 2 (64, 256, ...).
A larger hash table size results in fewer collisions.
Also see
.Li ip6.maxflows .
.It Li ip6.hlim
The default hop limit value for an IPv6 unicast packet sourced by the node.
This value applies to all the transport protocols on top of IPv6.
There are APIs to override the value, as documented in
.Xr ip6 4 .
.It Li ip6.kame_version
The string identifies the version of KAME IPv6 stack implemented in the kernel.
.It Li ip6.keepfaith
If set to non-zero, it enables
.Dq FAITH
TCP relay IPv6-to-IPv4 translator code in the kernel.
Refer to
.Xr faith 4
and
.Xr faithd 8
for detail.
.It Li ip6.log_interval
The variable controls the amount of logs generated by the IPv6 packet
forwarding engine, by setting the interval between log output
.Pq in seconds .
.It Li ip6.lowportmax
The highest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be greater than
.Li ip6.lowportmin .
.It Li ip6.lowportmin
The lowest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be smaller than
.Li ip6.lowportmax .
.It Li ip6.maxdynroutes
Maximum number of routes created by redirect.
Set it to a negative value to disable.
The default value is 4096.
.It Li ip6.maxifprefixes
Maximum number of prefixes created by route advertisements per interface.
Set it to a negative value to disable.
The default value is 16.
.It Li ip6.maxifdefrouters
Maximum number of default routers created by route advertisements per interface.
Set it to a negative value to disable.
The default value is 16.
.It Li ip6.maxflows
IPv6 Fast Forwarding is enabled by default.
If set to 0, IPv6 Fast Forwarding is disabled.
.Li ip6.maxflows
controls the maximum number of flows which can be created.
The default value is 256.
.It Li ip6.maxfragpackets
The maximum number of fragmented packets the node will accept.
0 means that the node will not accept any fragmented packets.
\-1 means that the node will accept as many fragmented packets as it receives.
The flag is provided mainly to avoid possible DoS attacks.
.It Li ip6.maxfrags
The maximum number of fragments the node will accept.
0 means that the node will not accept any fragments.
\-1 means that the node will accept as many fragments as it receives.
The flag is provided mainly to avoid possible DoS attacks.
.It Li ip6.neighborgcthresh
Maximum number of entries in the neighbor cache.
Set it to a negative value to disable.
The default value is 2048.
.It Li ip6.redirect
If set to 1, ICMPv6 redirects may be sent by the node.
This option is ignored unless the node is routing IP packets,
and should normally be enabled on all systems.
.It Li ip6.rr_prune
The variable specifies the interval between IPv6 router renumbering prefix
babysitting, in seconds.
.It Li ip6.use_deprecated
The variable controls the use of deprecated addresses, specified in RFC 2462 5.5.4.
.It Li ip6.v6only
The variable specifies the initial value for the
.Dv IPV6_V6ONLY
socket option for an
.Dv AF_INET6
socket.
Please refer to
.Xr ip6 4
for details.
.It Li icmp6.errppslimit
The variable specifies the maximum number of outgoing ICMPv6 error messages,
per second.
ICMPv6 error messages that exceed the value are subject to rate limitation
and will not go out from the node.
A negative value disables rate limitation.
.It Li icmp6.mtudisc_hiwat
.It Li icmp6.mtudisc_lowat
The variables define the maximum number of routing table entries
created due to path MTU discovery
.Pq prevents denial-of-service attacks with ICMPv6 too big messages .
When IPv6 path MTU discovery happens, we keep path MTU information in
the routing table.
If the number of routing table entries exceeds the value,
the kernel will not attempt to keep the path MTU information.
.Li icmp6.mtudisc_hiwat
is used when we have verified ICMPv6 too big messages.
.Li icmp6.mtudisc_lowat
is used when we have unverified ICMPv6 too big messages.
Verification is performed by using address/port pairs kept in connected pcbs.
A negative value disables the upper limit.
.It Li icmp6.nd6_debug
If set to non-zero, the kernel IPv6 neighbor discovery code will generate
debugging messages.
The debug outputs are useful to diagnose IPv6 interoperability issues.
The flag must be set to 0 for normal operation.
.It Li icmp6.nd6_delay
The variable specifies the
.Dv DELAY_FIRST_PROBE_TIME
timing constant in the IPv6 neighbor discovery specification
.Pq RFC 2461 ,
in seconds.
.It Li icmp6.nd6_maxnudhint
IPv6 neighbor discovery permits upper layer protocols to supply reachability
hints, to avoid unnecessary neighbor discovery exchanges.
The variable defines the number of consecutive hints the neighbor discovery
layer will take.
For example, by setting the variable to 3, the neighbor discovery layer
will take at most 3 consecutive hints.
After receiving 3 hints, the neighbor discovery layer will perform the
normal neighbor discovery process.
.It Li icmp6.nd6_mmaxtries
The variable specifies the
.Dv MAX_MULTICAST_SOLICIT
constant in the IPv6 neighbor discovery specification
.Pq RFC 2461 .
.It Li icmp6.nd6_prune
The variable specifies the interval between IPv6 neighbor cache babysitting,
in seconds.
.It Li icmp6.nd6_umaxtries
The variable specifies the
.Dv MAX_UNICAST_SOLICIT
constant in the IPv6 neighbor discovery specification
.Pq RFC 2461 .
.It Li icmp6.nd6_useloopback
If set to non-zero, the kernel IPv6 stack will use the loopback interface for
local traffic.
.It Li icmp6.nodeinfo
The variable enables responses to ICMPv6 node information queries.
If you set the variable to 0, responses will not be generated for
ICMPv6 node information queries.
Since node information queries can have a security impact, it is
possible to fine tune which responses should be answered.
Two separate bits can be set.
.Bl -tag -width "12345"
.It 1
Respond to ICMPv6 FQDN queries, e.g.
.Li ping6 -w .
.It 2
Respond to ICMPv6 node addresses queries, e.g.
.Li ping6 -a .
.El
.It Li icmp6.rediraccept
If set to non-zero, the host will accept ICMPv6 redirect packets.
Note that IPv6 routers will never accept ICMPv6 redirect packets,
and the variable is meaningful on IPv6 hosts
.Pq non-router
only.
.It Li icmp6.redirtimeout
The variable specifies the lifetime of routing entries generated by incoming
ICMPv6 redirects.
.It Li udp6.do_loopback_cksum
Perform UDP checksum on loopback.
.It Li udp6.recvspace
Default UDP receive buffer size.
.It Li udp6.sendspace
Default UDP send buffer size.
.El
.Pp
We reuse net.*.tcp for
.Tn TCP
over
.Tn IPv6 ,
and therefore we do not have variables net.*.tcp6.
Variables net.inet6.udp6 have identical meaning to net.inet.udp.
Please refer to the
.Li PF_INET
section above.
For variables net.*.ipsec6, please refer to
.Xr ipsec 4 .
.It Li net.key ( PF_KEY )
Get or set various global information about the IPsec key management.
The third level name is the variable name.
The currently defined variables and names are:
.Bl -column "blockacq_lifetime" "integer" "Changeable" -offset indent
.It Sy Variable name Ta Type Ta Changeable
.It debug Ta integer Ta yes
.It enabled Ta integer Ta yes
.It used Ta integer Ta no
.It spi_try Ta integer Ta yes
.It spi_min_value Ta integer Ta yes
.It spi_max_value Ta integer Ta yes
.It larval_lifetime Ta integer Ta yes
.It blockacq_count Ta integer Ta yes
.It blockacq_lifetime Ta integer Ta yes
.It esp_keymin Ta integer Ta yes
.It esp_auth Ta integer Ta yes
.It ah_keymin Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li debug
Turn on debugging messages from within the kernel.
The value is a bitmap, as defined in
.In netkey/key_debug.h .
.It Li enabled
Control processing of IPsec control messages.
.Bl -tag -width indent
.It 0
Never allow IPsec processing.
.It 1
Allow IPsec processing when SPD policies are present.
.It 2
Force IPsec processing even when SPD policies are not present.
.El
.It Li used
Based on whether IPsec is enabled and on SPD rule existence, show whether
IPsec is being used.
Note that currently once IPsec is being used, it cannot be disabled.
.It Li spi_try
The number of times the kernel will try to obtain a unique SPI
when it generates it from the random number generator.
.It Li spi_min_value
Minimum SPI value when generating it within the kernel.
.It Li spi_max_value
Maximum SPI value when generating it within the kernel.
.It Li larval_lifetime
Lifetime for LARVAL SAD entries, in seconds.
.It Li blockacq_count
Number of ACQUIRE PF_KEY messages to be blocked after an ACQUIRE message.
It prevents a flood of ACQUIRE PF_KEY messages from being sent from the kernel to the
key management daemon.
.It Li blockacq_lifetime
Lifetime of ACQUIRE PF_KEY message.
.It Li esp_keymin
Minimum ESP key length, in bits.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.It Li esp_auth
Whether ESP authentication should be used or not.
Non-zero value indicates that ESP authentication should be used.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.It Li ah_keymin
Minimum AH key length, in bits.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.El
.El
.Ss The proc.* subtree
The string and integer information available for the
.Li proc
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
These values are per-process,
and as such may change from one process to another.
When a process is created,
the default values are inherited from its parent.
When a set-user-ID or set-group-ID binary is executed, the
value of PROC_PID_CORENAME is reset to the system default value.
The second level name is either the magic value PROC_CURPROC, which
points to the current process, or the PID of the target process.
.Bl -column "proc.pid.corename" "string" "not applicable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It proc.pid.corename Ta string Ta yes
.It proc.pid.rlimit Ta node Ta not applicable
.It proc.pid.stopfork Ta int Ta yes
.It proc.pid.stopexec Ta int Ta yes
.It proc.pid.stopexit Ta int Ta yes
.El
.Bl -tag -width "123456"
.It Li proc.pid.corename ( PROC_PID_CORENAME )
The template used for the core dump file name (see
.Xr core 5
for details).
The base name must either be
.Pa core
or end with the suffix
.Pa .core
(the super-user may set arbitrary names).
By default it points to
.Dv KERN_DEFCORENAME .
.It Li proc.pid.rlimit ( PROC_PID_LIMIT )
Return resource limits, as defined for the
.Xr getrlimit 2
and
.Xr setrlimit 2
system calls.
The fourth level name is one of:
.Bl -tag -width "123456"
.It Li proc.pid.rlimit.cputime ( PROC_PID_LIMIT_CPU )
The maximum amount of CPU time (in seconds) to be used by each process.
.It Li proc.pid.rlimit.filesize ( PROC_PID_LIMIT_FSIZE )
The largest size (in bytes) file that may be created.
.It Li proc.pid.rlimit.datasize ( PROC_PID_LIMIT_DATA )
The maximum size (in bytes) of the data segment for a process;
this defines how far a program may extend its break with the
.Xr sbrk 2
system call.
.It Li proc.pid.rlimit.stacksize ( PROC_PID_LIMIT_STACK )
The maximum size (in bytes) of the stack segment for a process;
this defines how far a program's stack segment may be extended.
Stack extension is performed automatically by the system.
.It Li proc.pid.rlimit.coredumpsize ( PROC_PID_LIMIT_CORE )
The largest size (in bytes)
.Pa core
file that may be created.
.It Li proc.pid.rlimit.memoryuse ( PROC_PID_LIMIT_RSS )
The maximum size (in bytes) to which a process's resident set size may
grow.
This imposes a limit on the amount of physical memory to be given to
a process; if memory is tight, the system will prefer to take memory
from processes that are exceeding their declared resident set size.
.It Li proc.pid.rlimit.memorylocked ( PROC_PID_LIMIT_MEMLOCK )
The maximum size (in bytes) which a process may lock into memory
using the
.Xr mlock 2
function.
.It Li proc.pid.rlimit.maxproc ( PROC_PID_LIMIT_NPROC )
The maximum number of simultaneous processes for this user id.
.It Li proc.pid.rlimit.descriptors ( PROC_PID_LIMIT_NOFILE )
The maximum number of open files for this process.
.It Li proc.pid.rlimit.sbsize ( PROC_PID_LIMIT_SBSIZE )
The maximum size (in bytes) of the socket buffers
set by the
.Xr setsockopt 2
.Dv SO_RCVBUF
and
.Dv SO_SNDBUF
options.
.El
.Pp
The fifth level name is one of
.Li soft ( PROC_PID_LIMIT_TYPE_SOFT )
or
.Li hard ( PROC_PID_LIMIT_TYPE_HARD ) ,
to select respectively the soft or hard limit.
Both are of type integer.
.It Li proc.pid.stopfork ( PROC_PID_STOPFORK )
If non zero, the process' children will be stopped after
.Xr fork 2
calls.
The child is created in the SSTOP state and is never scheduled
for running before being stopped.
This feature helps attaching to a process with a debugger such as
.Xr gdb 1
before it has had the opportunity to actually do anything.
.Pp
This value is inherited by the process's children, and it also
applies to emulation specific system calls that fork a new process, such as
.Fn sproc
or
.Fn clone .
.It Li proc.pid.stopexec ( PROC_PID_STOPEXEC )
If non zero, the process will be stopped on the next
.Xr exec 3
call.
The process created by
.Xr exec 3
is created in the SSTOP state and is never scheduled for running
before being stopped.
This feature helps attaching to a process with a debugger such as
.Xr gdb 1
before it has had the opportunity to actually do anything.
.Pp
This value is inherited by the process's children.
.It Li proc.pid.stopexit ( PROC_PID_STOPEXIT )
If non zero, the process will be stopped when it has cause to exit,
either by way of calling
.Xr exit 3 ,
.Xr _exit 2 ,
or by the receipt of a specific signal.
The process is stopped before any of its resources or vm space is
released, allowing examination of the termination state of a process
before it disappears.
This feature can be used to examine the final conditions of the
process's vmspace via
.Xr pmap 1
or its resource settings with
.Xr sysctl 8
before it disappears.
.Pp
This value is also inherited by the process's children.
.El
.Ss The user.* subtree ( CTL_USER )
The string and integer information available for the
.Li user
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "user.coll_weights_max" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It user.atexit_max Ta integer Ta no
.It user.bc_base_max Ta integer Ta no
.It user.bc_dim_max Ta integer Ta no
.It user.bc_scale_max Ta integer Ta no
.It user.bc_string_max Ta integer Ta no
.It user.coll_weights_max Ta integer Ta no
.It user.cs_path Ta string Ta no
.It user.expr_nest_max Ta integer Ta no
.It user.line_max Ta integer Ta no
.It user.posix2_c_bind Ta integer Ta no
.It user.posix2_c_dev Ta integer Ta no
.It user.posix2_char_term Ta integer Ta no
.It user.posix2_fort_dev Ta integer Ta no
.It user.posix2_fort_run Ta integer Ta no
.It user.posix2_localedef Ta integer Ta no
.It user.posix2_sw_dev Ta integer Ta no
.It user.posix2_upe Ta integer Ta no
.It user.posix2_version Ta integer Ta no
.It user.re_dup_max Ta integer Ta no
.It user.stream_max Ta integer Ta no
.It user.tzname_max Ta integer Ta no
.El
.Bl -tag -width "123456"
.It Li user.atexit_max ( USER_ATEXIT_MAX )
The maximum number of functions that may be registered with
.Xr atexit 3 .
.It Li user.bc_base_max ( USER_BC_BASE_MAX )
The maximum ibase/obase values in the
.Xr bc 1
utility.
.It Li user.bc_dim_max ( USER_BC_DIM_MAX )
The maximum array size in the
.Xr bc 1
utility.
.It Li user.bc_scale_max ( USER_BC_SCALE_MAX )
The maximum scale value in the
.Xr bc 1
utility.
.It Li user.bc_string_max ( USER_BC_STRING_MAX )
The maximum string length in the
.Xr bc 1
utility.
.It Li user.coll_weights_max ( USER_COLL_WEIGHTS_MAX )
The maximum number of weights that can be assigned to any entry of
the LC_COLLATE order keyword in the locale definition file.
.It Li user.cs_path ( USER_CS_PATH )
Return a value for the
.Ev PATH
environment variable that finds all the standard utilities.
.It Li user.expr_nest_max ( USER_EXPR_NEST_MAX )
The maximum number of expressions that can be nested within
parentheses by the
.Xr expr 1
utility.
.It Li user.line_max ( USER_LINE_MAX )
The maximum length in bytes of a text-processing utility's input
line.
.It Li user.posix2_char_term ( USER_POSIX2_CHAR_TERM )
Return 1 if the system supports at least one terminal type capable of
all operations described in
.St -p1003.2 ,
otherwise\ 0.
.It Li user.posix2_c_bind ( USER_POSIX2_C_BIND )
Return 1 if the system's C-language development facilities support the
C-Language Bindings Option, otherwise\ 0.
.It Li user.posix2_c_dev ( USER_POSIX2_C_DEV )
Return 1 if the system supports the C-Language Development Utilities Option,
otherwise\ 0.
.It Li user.posix2_fort_dev ( USER_POSIX2_FORT_DEV )
Return 1 if the system supports the FORTRAN Development Utilities Option,
otherwise\ 0.
.It Li user.posix2_fort_run ( USER_POSIX2_FORT_RUN )
Return 1 if the system supports the FORTRAN Runtime Utilities Option,
otherwise\ 0.
.It Li user.posix2_localedef ( USER_POSIX2_LOCALEDEF )
Return 1 if the system supports the creation of locales, otherwise\ 0.
.It Li user.posix2_sw_dev ( USER_POSIX2_SW_DEV )
Return 1 if the system supports the Software Development Utilities Option,
otherwise\ 0.
.It Li user.posix2_upe ( USER_POSIX2_UPE )
Return 1 if the system supports the User Portability Utilities Option,
otherwise\ 0.
.It Li user.posix2_version ( USER_POSIX2_VERSION )
The version of
.St -p1003.2
with which the system attempts to comply.
.It Li user.re_dup_max ( USER_RE_DUP_MAX )
The maximum number of repeated occurrences of a regular expression
permitted when using interval notation.
.It Li user.stream_max ( USER_STREAM_MAX )
The minimum maximum number of streams that a process may have open
at any one time.
.It Li user.tzname_max ( USER_TZNAME_MAX )
The minimum maximum number of types supported for the name of a
timezone.
.El
.Ss The vm.* subtree ( CTL_VM )
The string and integer information available for the
.Li vm
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "Second level name" "struct uvmexp_sysctl" "Changeable" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It vm.anonmax Ta int Ta yes
.It vm.anonmin Ta int Ta yes
.It vm.bufcache Ta int Ta yes
.It vm.bufmem Ta int Ta no
.It vm.bufmem_hiwater Ta int Ta yes
.It vm.bufmem_lowater Ta int Ta yes
.It vm.execmax Ta int Ta yes
.It vm.execmin Ta int Ta yes
.It vm.filemax Ta int Ta yes
.It vm.filemin Ta int Ta yes
.It vm.loadavg Ta struct loadavg Ta no
.It vm.maxslp Ta int Ta no
.It vm.nkmempages Ta int Ta no
.It vm.uspace Ta int Ta no
.It vm.uvmexp Ta struct uvmexp Ta no
.It vm.uvmexp2 Ta struct uvmexp_sysctl Ta no
.It vm.vmmeter Ta struct vmtotal Ta no
.El
.Pp
.Bl -tag -width "123456"
.It Li vm.anonmax ( VM_ANONMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store anonymous application data.
.It Li vm.anonmin ( VM_ANONMIN )
The percentage of physical memory which will always be available for
anonymous application data.
.It Li vm.bufcache ( VM_BUFCACHE )
The percentage of physical memory which will be available
for the buffer cache.
.It Li vm.bufmem ( VM_BUFMEM )
The amount of kernel memory that is being used by the buffer cache.
.It Li vm.bufmem_lowater ( VM_BUFMEM_LOWATER )
The minimum amount of kernel memory to reserve for the
buffer cache.
.It Li vm.bufmem_hiwater ( VM_BUFMEM_HIWATER )
The maximum amount of kernel memory to be used for the
buffer cache.
.It Li vm.execmax ( VM_EXECMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store cached executable data.
.It Li vm.execmin ( VM_EXECMIN )
The percentage of physical memory which will always be available for
cached executable data.
.It Li vm.filemax ( VM_FILEMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store cached file data.
.It Li vm.filemin ( VM_FILEMIN )
The percentage of physical memory which will always be available for
cached file data.
.It Li vm.loadavg ( VM_LOADAVG )
Return the load average history.
The returned data consists of a
.Vt struct loadavg .
.It Li vm.maxslp ( VM_MAXSLP )
The value of the maxslp kernel global variable.
.It Li vm.vmmeter ( VM_METER )
Return system wide virtual memory statistics.
The returned data consists of a
.Vt struct vmtotal .
.It Li vm.user_va0_disable
A flag which controls whether user processes can map virtual address\ 0.
.It Li vm.uspace ( VM_USPACE )
The number of bytes allocated for each kernel stack.
.It Li vm.uvmexp ( VM_UVMEXP )
Return system wide virtual memory statistics.
The returned data consists of a
.Vt struct uvmexp .
.It Li vm.uvmexp2 ( VM_UVMEXP2 )
Return system wide virtual memory statistics.
The returned data consists of a
.Vt struct uvmexp_sysctl .
.\" XXX vm.idlezero
.El
.Ss The ddb.* subtree ( CTL_DDB )
The information available for the
.Li ddb
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.\" XXX sort
.Bl -column "Second level name" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It ddb.radix Ta integer Ta yes
.It ddb.maxoff Ta integer Ta yes
.It ddb.maxwidth Ta integer Ta yes
.It ddb.lines Ta integer Ta yes
.It ddb.tabstops Ta integer Ta yes
.It ddb.onpanic Ta integer Ta yes
.It ddb.fromconsole Ta integer Ta yes
.It ddb.tee_msgbuf Ta integer Ta yes
.It ddb.commandonenter Ta string Ta yes
.El
.Pp
.Bl -tag -width "123456"
.It Li ddb.radix ( DDBCTL_RADIX )
The input and output radix.
.It Li ddb.maxoff ( DDBCTL_MAXOFF )
The maximum symbol offset.
.It Li ddb.maxwidth ( DDBCTL_MAXWIDTH )
The maximum output line width.
.It Li ddb.lines ( DDBCTL_LINES )
Number of display lines.
.It Li ddb.tabstops ( DDBCTL_TABSTOPS )
Tab width.
.It Li ddb.onpanic ( DDBCTL_ONPANIC )
If greater than zero, DDB will be entered if the kernel panics.
A value of 1 causes the system to enter DDB on panic, while a value of 2
causes the kernel to attempt to print out a stack trace before entering DDB.
A value of 0 causes the kernel to attempt to print a stack trace, then
reboot, while a value of \-1 means neither a stack trace will be printed
nor DDB entered.
.It Li ddb.fromconsole ( DDBCTL_FROMCONSOLE )
If not zero, DDB may be entered by sending a break on a serial
console or by a special key sequence on a graphics console.
.It Li ddb.tee_msgbuf
If not zero, DDB will also output to the kernel message buffer.
.It Li ddb.commandonenter
If not empty, a command to be executed each time
.Tn DDB
is entered.
.\"
.\" XXX: (a) ddb.commandonenter is missing in ddb(4);
.\" (b) No DDBCTL definitions for tee_msgbuf and commandonenter.
.El
.Pp
Some of these
.Tn MIB
nodes are also available as variables from within the debugger.
See
.Xr ddb 4
for more details.
.Ss The security.* subtree ( CTL_SECURITY )
The
.Li security
level contains various security-related settings for
the system.
The available second level names are:
.Bl -column "Second level name" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It Li security.curtain Ta integer Ta yes
.It Li security.models Ta node Ta not applicable
.It Li security.pax Ta node Ta not applicable
.El
.Pp
Available settings are detailed below.
.Pp
.Bl -tag -width "123456"
.It Li security.curtain
If non-zero, returned objects are filtered according to the user
.Tn ID
requesting information about them, preventing users from
accessing objects they do not own.
.Pp
At the moment, it affects
.Xr ps 1 ,
.Xr netstat 1
(for
.Dv PF_INET ,
.Dv PF_INET6 ,
and
.Dv PF_UNIX
PCBs), and
.Xr w 1 .
.It Li security.models
.Nx
supports pluggable security models.
Every security model used, whether loaded as a module or built with the system,
is required to add an entry to this node with at least one element,
.Dq name ,
indicating the name of the security model.
.Pp
In addition to the name, any settings and other information private to the
security model will be available under this node.
See
.Xr secmodel 9
for more information.
.It Li security.pax
Settings for PaX -- exploit mitigation features.
For more information on any of the PaX features, please see
.Xr paxctl 8
and
.Xr security 7 .
The available third and fourth level names are:
.Bl -column "security.pax.segvguard.suspend_timeout" "integer" "Changeable" \
-offset 2n
.It Sy Third and fourth level names Ta Sy Type Ta Sy Changeable
.It Li security.pax.aslr.enabled Ta integer Ta yes
.\".It Li security.pax.aslr.exec_len Ta integer Ta yes
.It Li security.pax.aslr.global Ta integer Ta yes
.\".It Li security.pax.aslr.mmap_len Ta integer Ta yes
.\".It Li security.pax.aslr.stack_len Ta integer Ta yes
.It Li security.pax.mprotect.enabled Ta integer Ta yes
.It Li security.pax.mprotect.global Ta integer Ta yes
.It Li security.pax.segvguard.enabled Ta integer Ta yes
.It Li security.pax.segvguard.expiry_timeout Ta integer Ta yes
.It Li security.pax.segvguard.global Ta integer Ta yes
.It Li security.pax.segvguard.max_crashes Ta integer Ta yes
.It Li security.pax.segvguard.suspend_timeout Ta integer Ta yes
.El
.Pp
.Bl -tag -width "123456"
.It Li security.pax.aslr.enabled
Enable PaX ASLR (Address Space Layout Randomization).
.Pp
The value of this
knob must be non-zero for PaX ASLR to be enabled, even if a program is set to
explicit enable.
.\".It Li security.pax.aslr.exec_len
.\" XXX: Undocumented.
.It Li security.pax.aslr.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get PaX ASLR, except those exempted with
.Xr paxctl 8 .
Otherwise, all programs will not get PaX ASLR, except those specifically
marked as such with
.Xr paxctl 8 .
.\".It Li security.pax.aslr.mmap_len
.\" XXX: Undocumented.
.\" .It Li security.pax.aslr.stack_len
.\" XXX: Undocumented.
.It Li security.pax.mprotect.enabled
Enable PaX MPROTECT restrictions.
.Pp
These are
.Xr mprotect 2
restrictions to better enforce a W^X policy.
The value of this
knob must be non-zero for PaX MPROTECT to be enabled, even if a
program is set to explicit enable.
.It Li security.pax.mprotect.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get the PaX MPROTECT restrictions,
except those exempted with
.Xr paxctl 8 .
Otherwise, all programs will not get the PaX MPROTECT restrictions,
except those specifically marked as such with
.Xr paxctl 8 .
.It Li security.pax.segvguard.enabled
Enable PaX Segvguard.
.Pp
PaX Segvguard can detect and prevent certain exploitation attempts, where
an attacker may try for example to brute-force function return addresses
of respawning daemons.
.Pp
.Em Note :
The
.Nx
interface and implementation of the Segvguard is still experimental, and may
change in future releases.
.It Li security.pax.segvguard.expiry_timeout
If the max number was not reached within this timeout (in seconds), the entry
will expire.
.It Li security.pax.segvguard.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get the PaX Segvguard,
except those exempted with
.Xr paxctl 8 .
Otherwise, no program will get the PaX Segvguard restrictions,
except those specifically marked as such with
.Xr paxctl 8 .
.It Li security.pax.segvguard.max_crashes
The maximum number of segfaults a program can receive before suspension.
.It Li security.pax.segvguard.suspend_timeout
Number of seconds to suspend a user from running a faulting program when the
limit was exceeded.
.El
.El
.Ss The vendor.* subtree ( CTL_VENDOR )
The
.Li vendor
toplevel name is reserved to be used by vendors who wish to
have their own private MIB tree.
Intended use is to store values under
.Dq vendor.\*[Lt]yourname\*[Gt].* .
.Sh SEE ALSO
.Xr sysctl 3 ,
.Xr ipsec 4 ,
.Xr tcp 4 ,
.Xr security 7 ,
.Xr sysctl 8
.Sh HISTORY
The
.Nm
variables first appeared in
.Bx 4.4 .
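.Sh EXAMPLES
The following shell script is an added example, not part of the NetBSD manual or its source tree: it applies the security.pax enabled/global rules and the net.inet6 limit and nodeinfo semantics described above to a constructed sample of sysctl(8) output.
The flag labels enable, disable and none, the function names, and the sample values are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: interpret security-relevant knobs from sysctl(8)-style
# "name = value" output, using only the semantics stated in this manual.

# Constructed sample input (not captured from a real system).
SAMPLE='security.pax.aslr.enabled = 1
security.pax.aslr.global = 0
security.pax.mprotect.enabled = 0
security.pax.mprotect.global = 1
security.pax.segvguard.enabled = 1
security.pax.segvguard.global = 1
net.inet6.ip6.maxfragpackets = -1
net.inet6.ip6.maxfrags = 200
net.inet6.icmp6.errppslimit = -1
net.inet6.icmp6.nodeinfo = 3'

# knob NAME: print the value of NAME from $SAMPLE, or nothing if absent.
knob() {
    printf '%s\n' "$SAMPLE" |
        awk -F' = ' -v k="$1" '$1 == k { print $2; exit }'
}

# pax_effective FEATURE FLAG
#   FEATURE: aslr | mprotect | segvguard
#   FLAG:    enable | disable | none  (hypothetical labels for the program's
#            explicit paxctl(8) marking; "none" means no explicit flag)
# Prints "on" or "off".
pax_effective() {
    enabled=$(knob "security.pax.$1.enabled")
    global=$(knob "security.pax.$1.global")
    # The manual states that .enabled must be non-zero even for a program
    # set to explicit enable (said for aslr and mprotect; applying the same
    # gate to segvguard is an assumption of this example).
    if [ "${enabled:-0}" -eq 0 ]; then echo off; return; fi
    case "$2" in
        enable)  echo on ;;    # specifically marked with paxctl(8)
        disable) echo off ;;   # exempted with paxctl(8)
        *)  # No explicit flag: the .global default policy decides.
            if [ "${global:-0}" -ne 0 ]; then echo on; else echo off; fi ;;
    esac
}

# nodeinfo_answers: which ICMPv6 node information queries get a response.
# Bit 1 = FQDN queries, bit 2 = node addresses queries, 0 = none.
nodeinfo_answers() {
    v=$(knob net.inet6.icmp6.nodeinfo); v=${v:-0}
    out=""
    [ $((v & 1)) -ne 0 ] && out="fqdn"
    [ $((v & 2)) -ne 0 ] && out="${out:+$out,}addresses"
    echo "${out:-none}"
}

# unbounded_limits: print the knobs whose value removes the limit.
# Fragment knobs: -1 means "accept as many as received".
# errppslimit: any negative value disables rate limitation.
unbounded_limits() {
    for k in net.inet6.ip6.maxfragpackets net.inet6.ip6.maxfrags \
             net.inet6.icmp6.errppslimit; do
        v=$(knob "$k")
        [ -n "$v" ] || continue
        case "$k" in
            *maxfrag*) [ "$v" -eq -1 ] && echo "$k" ;;
            *)         [ "$v" -lt 0 ] && echo "$k" ;;
        esac
    done
    return 0
}

# Report for the constructed sample.
for f in aslr mprotect segvguard; do
    echo "pax.$f, program without explicit flag: $(pax_effective "$f" none)"
done
echo "nodeinfo responses: $(nodeinfo_answers)"
echo "limits removed: $(unbounded_limits | tr '\n' ' ')"
```

To check a live NetBSD host instead of the sample, SAMPLE can be filled from the output of sysctl(8) for the same names.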