.\" $NetBSD: sysctl.3,v 1.189 2006/11/23 17:24:36 elad Exp $
.\"
.\" Copyright (c) 1993
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95
.\"
.Dd November 23, 2006
.Dt SYSCTL 3
.Os
.Sh NAME
.Nm sysctl ,
.Nm sysctlbyname ,
.Nm sysctlgetmibinfo ,
.Nm sysctlnametomib
.Nd get or set system information
.Sh LIBRARY
.Lb libc
.Sh SYNOPSIS
.In sys/param.h
.In sys/sysctl.h
.Ft int
.Fn sysctl "const int *name" "u_int namelen" "void *oldp" "size_t *oldlenp" \
"const void *newp" "size_t newlen"
.Ft int
.Fn sysctlbyname "const char *sname" "void *oldp" "size_t *oldlenp" \
"void *newp" "size_t newlen"
.Ft int
.Fn sysctlgetmibinfo "const char *sname" "int *name" "u_int *namelenp" \
"char *cname" "size_t *csz" "struct sysctlnode **rnode" "int v"
.Ft int
.Fn sysctlnametomib "const char *sname" "int *name" "size_t *namelenp"
.Sh DESCRIPTION
The
.Nm
function retrieves system information and allows processes with
appropriate privileges to set system information.
The information available from
.Nm
consists of integers, strings, and tables.
Information may be retrieved and set from the command interface
using the
.Xr sysctl 8
utility.
.Pp
Unless explicitly noted below,
.Nm
returns a consistent snapshot of the data requested.
Consistency is obtained by locking the destination
buffer into memory so that the data may be copied out without blocking.
Calls to
.Nm
are serialized to avoid deadlock.
.Pp
The state is described using a ``Management Information Base'' (MIB)
style name, listed in
.Fa name ,
which is a
.Fa namelen
length array of integers.
.Pp
The
.Fn sysctlbyname
function accepts a string representation of a MIB entry and internally
maps it to the appropriate numeric MIB representation.
Its semantics are otherwise no different from
.Fn sysctl .
.Pp
The information is copied into the buffer specified by
.Fa oldp .
The size of the buffer is given by the location specified by
.Fa oldlenp
before the call,
and that location gives the amount of data copied after a successful call.
If the amount of data available is greater
than the size of the buffer supplied,
the call supplies as much data as fits in the buffer provided
and returns with the error code ENOMEM.
If the old value is not desired,
.Fa oldp
and
.Fa oldlenp
should be set to
.Dv NULL .
.Pp
The size of the available data can be determined by calling
.Nm
with a
.Dv NULL
parameter for
.Fa oldp .
The size of the available data will be returned in the location pointed to by
.Fa oldlenp .
For some operations, the amount of space may change often.
For these operations,
the system attempts to round up so that the returned size is
large enough for a call to return the data shortly thereafter.
.Pp
To set a new value,
.Fa newp
is set to point to a buffer of length
.Fa newlen
from which the requested value is to be taken.
If a new value is not to be set,
.Fa newp
should be set to
.Dv NULL
and
.Fa newlen
set to 0.
.Pp
The
.Fn sysctlnametomib
function can be used to map the string representation of a MIB entry
to the numeric version.
The
.Fa name
argument should point to an array of integers large enough to hold the
MIB, and
.Fa namelenp
should indicate the number of integer slots available.
Following a successful translation, the size_t indicated by
.Fa namelenp
will be changed to show the number of slots consumed.
.Pp
The
.Fn sysctlgetmibinfo
function performs name translation similar to
.Fn sysctlnametomib ,
but also canonicalizes the name (or returns the first erroneous token
from the string being parsed) into the space indicated by
.Fa cname
and
.Fa csz .
.Fa csz
should indicate the size of the buffer pointed to by
.Fa cname
and on return, will indicate the size of the returned string including
the trailing
.Sq nul
character.
.Pp
The
.Fa rnode
and
.Fa v
arguments to
.Fn sysctlgetmibinfo
are used to provide a tree for it to parse into, and to get back
either a pointer to, or a copy of, the terminal node.
If
.Fa rnode
is
.Dv NULL ,
.Fn sysctlgetmibinfo
uses its own internal tree for parsing, and checks it against the
kernel at each call, to make sure that the name-to-number mapping is
kept up to date.
The
.Fa v
argument is ignored in this case.
If
.Fa rnode
is not
.Dv NULL
but the pointer it references is, on a successful return,
.Fa rnode
will be adjusted to point to a copy of the terminal node.
The
.Fa v
argument indicates which version of the
.Nm
node structure the caller wants.
The application must later
.Fn free
this copy.
If neither
.Fa rnode
nor the pointer it references are
.Dv NULL ,
the pointer is used as the address of a tree over which the parsing is
done.
In this last case, the tree is not checked against the kernel, no
refreshing of the mappings is performed, and the value given by
.Fa v
must agree with the version indicated by the tree.
It is recommended that applications always use
.Dv SYSCTL_VERSION
as the value for
.Fa v ,
as defined in the include file
.Pa sys/sysctl.h .
.Pp
The top level names are defined with a CTL_ prefix in
.Aq Pa sys/sysctl.h ,
and are as follows.
The next and subsequent levels down are found in the include files
listed here, and described in separate sections below.
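The size-probing convention described earlier in DESCRIPTION (a call with a NULL oldp, then a second call with a buffer) fails with ENOMEM when the value grows between the two calls. The following added example, which is not part of the NetBSD manual page, retries on ENOMEM and always NUL-terminates the result; sysctl_fetch, FETCH_TRIES, the slack factor, and the constructed stand-in fake_sysctl with its sample values are assumptions of this example. On NetBSD, pass sysctl itself and a real MIB such as CTL_USER, USER_CS_PATH.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same argument list as sysctl(3), so the real function can be passed in. */
typedef int (*sysctl_fn)(const int *, unsigned int, void *, size_t *,
    const void *, size_t);

#define FETCH_TRIES 8	/* assumption of this example: bounded retries */

/*
 * Probe the size with oldp == NULL, allocate, fetch, and retry when the
 * value grew in between (ENOMEM).  One spare byte is kept so the result
 * is always NUL-terminated, even if the kernel data is not.
 * Returns a malloc'd buffer and its length in *lenp, or NULL with errno set.
 */
void *
sysctl_fetch(sysctl_fn fn, const int *mib, unsigned int miblen, size_t *lenp)
{
	char *buf = NULL, *nbuf;
	size_t len, cap;
	int i;

	for (i = 0; i < FETCH_TRIES; i++) {
		len = 0;
		if (fn(mib, miblen, NULL, &len, NULL, 0) == -1)
			break;
		cap = len + len / 8 + 1;	/* slack plus terminator byte */
		if ((nbuf = realloc(buf, cap)) == NULL)
			break;
		buf = nbuf;
		len = cap - 1;
		if (fn(mib, miblen, buf, &len, NULL, 0) == 0) {
			buf[len] = '\0';
			*lenp = len;
			return buf;
		}
		if (errno != ENOMEM)	/* only a short buffer is retried */
			break;
	}
	free(buf);
	return NULL;
}

/* Constructed sample values: the "kernel" value grows after each probe. */
static const char *const fake_vals[] = {
	"/bin",
	"/usr/bin:/bin:/usr/sbin:/sbin",
	"/usr/bin:/bin:/usr/sbin:/sbin:/usr/pkg/bin:/usr/pkg/sbin:/usr/local/bin",
};
#define FAKE_NVALS (sizeof(fake_vals) / sizeof(fake_vals[0]))
static unsigned int fake_gen;	/* index of the current value */
static unsigned int fake_calls;	/* number of calls made so far */

/* Stand-in that follows the oldp/oldlenp rules described in this page. */
static int
fake_sysctl(const int *name, unsigned int namelen, void *oldp,
    size_t *oldlenp, const void *newp, size_t newlen)
{
	const char *val = fake_vals[fake_gen];
	size_t avail = strlen(val) + 1;

	(void)name; (void)namelen; (void)newp; (void)newlen;
	fake_calls++;
	if (oldp == NULL) {		/* size probe */
		*oldlenp = avail;
		if (fake_gen + 1 < FAKE_NVALS)
			fake_gen++;	/* value changes right after the probe */
		return 0;
	}
	if (*oldlenp < avail) {		/* copy what fits, report ENOMEM */
		memcpy(oldp, val, *oldlenp);
		errno = ENOMEM;
		return -1;
	}
	memcpy(oldp, val, avail);
	*oldlenp = avail;
	return 0;
}

int
main(void)
{
	const int mib[2] = { 0, 0 };	/* placeholder MIB for the stand-in */
	size_t len;
	char *p = sysctl_fetch(fake_sysctl, mib, 2, &len);

	if (p == NULL) {
		perror("sysctl_fetch");
		return 1;
	}
	printf("%zu bytes after %u calls: %s\n", len, fake_calls, p);
	free(p);
	return 0;
}
```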
.Pp
.Bl -column CTLXMACHDEPXXX "Next level namesXXXXXX" -offset indent
.It Sy Name Ta Next level names Ta Description
.It CTL\_KERN Ta sys/sysctl.h Ta High kernel limits
.It CTL\_VM Ta uvm/uvm_param.h Ta Virtual memory
.It CTL\_VFS Ta sys/mount.h Ta Filesystem
.It CTL\_NET Ta sys/socket.h Ta Networking
.It CTL\_DEBUG Ta sys/sysctl.h Ta Debugging
.It CTL\_HW Ta sys/sysctl.h Ta Generic CPU, I/O
.It CTL\_MACHDEP Ta sys/sysctl.h Ta Machine dependent
.It CTL\_USER Ta sys/sysctl.h Ta User-level
.It CTL\_DDB Ta sys/sysctl.h Ta In-kernel debugger
.It CTL\_PROC Ta sys/sysctl.h Ta Per-process
.It CTL\_VENDOR Ta ? Ta Vendor specific
.It CTL\_EMUL Ta sys/sysctl.h Ta Emulation settings
.It CTL\_SECURITY Ta sys/sysctl.h Ta Security settings
.El
.Pp
For example, the following retrieves the maximum number of processes allowed
in the system:
.Bd -literal -offset indent -compact
int mib[2], maxproc;
size_t len;
.sp
mib[0] = CTL_KERN;
mib[1] = KERN_MAXPROC;
len = sizeof(maxproc);
sysctl(mib, 2, \*[Am]maxproc, \*[Am]len, NULL, 0);
.Ed
.sp
To retrieve the standard search path for the system utilities:
.Bd -literal -offset indent -compact
int mib[2];
size_t len;
char *p;
.sp
mib[0] = CTL_USER;
mib[1] = USER_CS_PATH;
sysctl(mib, 2, NULL, \*[Am]len, NULL, 0);
p = malloc(len);
sysctl(mib, 2, p, \*[Am]len, NULL, 0);
.Ed
.Sh CTL_DEBUG
The debugging variables vary from system to system.
A debugging variable may be added or deleted without need to recompile
.Nm
to know about it.
Each time it runs,
.Nm
gets the list of debugging variables from the kernel and
displays their current values.
The system defines twenty
.Va ( struct ctldebug )
variables named
.Dv debug0
through
.Dv debug19 .
They are declared as separate variables so that they can be
individually initialized at the location of their associated variable.
The loader prevents multiple use of the same variable by issuing errors
if a variable is initialized in more than one place.
For example, to export the variable
.Dv dospecialcheck
as a debugging variable, the following declaration would be used:
.Bd -literal -offset indent -compact
int dospecialcheck = 1;
struct ctldebug debug5 = { "dospecialcheck", \*[Am]dospecialcheck };
.Ed
.Pp
Note that the dynamic implementation of
.Nm
currently in use largely makes this particular
.Nm
interface obsolete.
See
.Xr sysctl 8
.\" and
.\" .Xr sysctl 9
for more information.
.Sh CTL_VFS
A distinguished second level name, VFS_GENERIC,
is used to get general information about all filesystems.
One of its third level identifiers is VFS_MAXTYPENUM
that gives the highest valid filesystem type number.
Its other third level identifier is VFS_CONF that
returns configuration information about the filesystem
type given as a fourth level identifier.
The remaining second level identifiers are the
filesystem type number returned by a
.Xr statvfs 2
call or from VFS_CONF.
The third level identifiers available for each filesystem
are given in the header file that defines the mount
argument structure for that filesystem.
.Sh CTL_HW
The string and integer information available for the CTL_HW level
is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "Second level nameXXXXXX" "struct disk_sysctlXXX" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It HW\_ALIGNBYTES Ta integer Ta no
.It HW\_BYTEORDER Ta integer Ta no
.It HW\_CNMAGIC Ta string Ta yes
.It HW\_DISKNAMES Ta string Ta no
.It HW\_DISKSTATS Ta struct Ta no
.It HW\_MACHINE Ta string Ta no
.It HW\_MACHINE\_ARCH Ta string Ta no
.It HW\_MODEL Ta string Ta no
.It HW\_NCPU Ta integer Ta no
.It HW\_PAGESIZE Ta integer Ta no
.It HW\_PHYSMEM Ta integer Ta no
.It HW\_PHYSMEM64 Ta quad Ta no
.It HW\_USERMEM Ta integer Ta no
.It HW\_USERMEM64 Ta quad Ta no
.El
.Pp
.Bl -tag -width "123456"
.It Li HW_ALIGNBYTES
Alignment constraint for all possible data types.
This shows the value
.Dv ALIGNBYTES
in
.Pa /usr/include/machine/param.h ,
at the kernel compilation time.
.It Li HW_BYTEORDER
The byteorder (4,321, or 1,234).
.It Li HW_CNMAGIC
The console magic key sequence.
.It Li HW_DISKNAMES
The list of (space separated) disk device and NFS mount names on the system.
.It Li HW_IOSTATNAMES
A space separated list of devices that will have I/O statistics
collected on them.
.It Li HW_IOSTATS
Return statistical information on the NFS mounts, disk and tape
devices on the system.
An array of
.Va struct io_sysctl
structures is returned,
whose size depends on the current number of such objects in the system.
The third level name is the size of the
.Va struct io_sysctl .
The type of object can be determined by examining the
.Va type
element of
.Va struct io_sysctl ,
which can be
.Dv IOSTAT_DISK
(disk drive),
.Dv IOSTAT_TAPE
(tape drive), or
.Dv IOSTAT_NFS
(NFS mount).
.It Li HW_MACHINE
The machine class.
.It Li HW_MACHINE_ARCH
The machine CPU class.
.It Li HW_MODEL
The machine model.
.It Li HW_NCPU
The number of CPUs.
.ne 1i
.It Li HW_PAGESIZE
The software page size.
.It Li HW_PHYSMEM
The bytes of physical memory as a 32-bit integer.
.It Li HW_PHYSMEM64
The bytes of physical memory as a 64-bit integer.
.It Li HW_USERMEM
The bytes of non-kernel memory as a 32-bit integer.
.It Li HW_USERMEM64
The bytes of non-kernel memory as a 64-bit integer.
.El
.Sh CTL_KERN
The string and integer information available for the CTL_KERN level
is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
The types of data currently available are process information,
system vnodes, the open file entries, routing table entries,
virtual memory statistics, load average history, and clock rate
information.
.Bl -column "KERNXPOSIXXREADERXWRITERXLOCKS" "struct clockrateXXX" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It KERN\_ARGMAX Ta integer Ta no
.It KERN\_AUTONICETIME Ta integer Ta yes
.It KERN\_AUTONICEVAL Ta integer Ta yes
.It KERN\_BOOTTIME Ta struct timeval Ta no
.It KERN\_BUFQ Ta node Ta not applicable
.It KERN\_CCPU Ta integer Ta no
.It KERN\_CLOCKRATE Ta struct clockinfo Ta no
.It KERN\_CONSDEV Ta integer Ta no
.It KERN\_CP\_ID Ta struct Ta no
.It KERN\_CP\_TIME Ta uint64_t[\|] Ta no
.It KERN\_DEFCORENAME Ta string Ta yes
.It KERN\_DOMAINNAME Ta string Ta yes
.It KERN\_DRIVERS Ta struct kinfo_drivers Ta no
.It KERN\_FILE Ta struct file Ta no
.It KERN\_FORKFSLEEP Ta integer Ta yes
.It KERN\_FSCALE Ta integer Ta no
.It KERN\_FSYNC Ta integer Ta no
.It KERN\_HARDCLOCK\_TICKS Ta integer Ta no
.It KERN\_HOSTID Ta integer Ta yes
.It KERN\_HOSTNAME Ta string Ta yes
.It KERN\_IOV\_MAX Ta integer Ta no
.It KERN\_JOB\_CONTROL Ta integer Ta no
.It KERN\_LABELOFFSET Ta integer Ta no
.It KERN\_LABELSECTOR Ta integer Ta no
.It KERN\_LOGIN\_NAME\_MAX Ta integer Ta no
.It KERN\_LOGSIGEXIT Ta integer Ta yes
.It KERN\_MAPPED\_FILES Ta integer Ta no
.It KERN\_MAXFILES Ta integer Ta yes
.It KERN\_MAXPARTITIONS Ta integer Ta no
.It KERN\_MAXPHYS Ta integer Ta no
.It KERN\_MAXPROC Ta integer Ta yes
.It KERN\_MAXPTYS Ta integer Ta yes
.It KERN\_MAXVNODES Ta integer Ta yes
.It KERN\_MBUF Ta node Ta not applicable
.It KERN\_MEMLOCK Ta integer Ta no
.It KERN\_MEMLOCK\_RANGE Ta integer Ta no
.It KERN\_MEMORY\_PROTECTION Ta integer Ta no
.It KERN\_MONOTONIC\_CLOCK Ta integer Ta no
.It KERN\_MSGBUF Ta integer Ta no
.It KERN\_MSGBUFSIZE Ta integer Ta no
.It KERN\_NGROUPS Ta integer Ta no
.It KERN\_NTPTIME Ta struct ntptimeval Ta no
.It KERN\_OSRELEASE Ta string Ta no
.It KERN\_OSREV Ta integer Ta no
.It KERN\_OSTYPE Ta string Ta no
.It KERN\_PIPE Ta node Ta not applicable
.It KERN\_POSIX1 Ta integer Ta no
.It KERN\_POSIX\_BARRIERS Ta integer Ta no
.It KERN\_POSIX\_READER\_WRITER\_LOCKS Ta integer Ta no
.It KERN\_POSIX\_SEMAPHORES Ta integer Ta no
.It KERN\_POSIX\_SPIN\_LOCKS Ta integer Ta no
.It KERN\_POSIX\_THREADS Ta integer Ta no
.It KERN\_POSIX\_TIMERS Ta integer Ta no
.It KERN\_PROC Ta struct kinfo_proc Ta no
.It KERN\_PROC2 Ta struct kinfo_proc2 Ta no
.It KERN\_PROC\_ARGS Ta string Ta no
.It KERN\_PROF Ta node Ta not applicable
.It KERN\_RAWPARTITION Ta integer Ta no
.It KERN\_ROOT\_DEVICE Ta string Ta no
.It KERN\_ROOT\_PARTITION Ta integer Ta no
.It KERN\_RTC\_OFFSET Ta integer Ta yes
.It KERN\_SAVED\_IDS Ta integer Ta no
.It KERN\_SECURELVL Ta integer Ta raise only
.It KERN\_SYNCHRONIZED\_IO Ta integer Ta no
.It KERN\_SYSVIPC\_INFO Ta node Ta not applicable
.It KERN\_SYSVMSG Ta integer Ta no
.It KERN\_SYSVSEM Ta integer Ta no
.It KERN\_SYSVSHM Ta integer Ta no
.It KERN\_TIMEX Ta struct Ta no
.It KERN\_TKSTAT Ta node Ta not applicable
.It KERN\_URANDOM Ta integer Ta no
.It KERN\_VERIEXEC Ta node Ta not applicable
.It KERN\_VERSION Ta string Ta no
.It KERN\_VNODE Ta struct vnode Ta no
.El
.ne 1i
.Pp
.Bl -tag -width "123456"
.It Li KERN_ARGMAX
The maximum bytes of argument to
.Xr execve 2 .
.It Li KERN_AUTONICETIME
The number of seconds of CPU-time a non-root process may accumulate before
having its priority lowered from the default to the value of KERN_AUTONICEVAL.
If set to 0, automatic lowering of priority is not performed, and if set to \-1
all non-root processes are immediately lowered.
.It Li KERN_AUTONICEVAL
The priority assigned for automatically niced processes.
.It Li KERN_BOOTTIME
A
.Va struct timeval
structure is returned.
This structure contains the time that the system was booted.
.It Li KERN_CCPU
The scheduler exponential decay value.
.It Li KERN_CLOCKRATE
A
.Va struct clockinfo
structure is returned.
This structure contains the clock, statistics clock and profiling clock
frequencies, the number of micro-seconds per hz tick, and the clock
skew rate.
.It Li KERN_CONSDEV
Console device.
.It Li KERN_CP_ID
Mapping of CPU number to CPU id.
.It Li KERN_CP_TIME
Returns an array of CPUSTATES uint64_ts.
This array contains the
number of clock ticks spent in different CPU states.
On multi-processor systems, the sum across all CPUs is returned unless
appropriate space is given for one data set for each CPU.
Data for a specific CPU can also be obtained by adding the number of the
CPU at the end of the MIB, enlarging it by one.
.It Li KERN_DEFCORENAME
Default template for the name of core dump files (see also PROC_PID_CORENAME
in the per-process variables CTL_PROC, and
.Xr core 5
for format of this template).
The default value is
.Nm %n.core
and can be changed with the kernel configuration option
.Cd options DEFCORENAME
(see
.Xr options 4
).
.It Li KERN_DOMAINNAME
Get or set the YP domain name.
.It Li KERN_DUMP_ON_PANIC
Perform a crash dump on system panic.
.It Li KERN_DRIVERS
Return an array of
.Va struct kinfo_drivers
that contains the name and major device numbers of all the device drivers
in the current kernel.
The
.Va d_name
field is always a NUL terminated string.
The
.Va d_bmajor
field will be set to \-1 if the driver doesn't have a block device.
.It Li KERN_FILE
Return the entire file table.
The returned data consists of a single
.Va struct filelist
followed by an array of
.Va struct file ,
whose size depends on the current number of such objects in the system.
.It Li KERN_FORKFSLEEP
If the
.Xr fork 2
system call fails due to the limit on the number of processes (either
the global maxproc limit or the user's own), wait for this many
milliseconds before returning an
.Er EAGAIN
error to the process.
Useful to keep heavily forking runaway processes at bay.
Default zero (no sleep).
Maximum is 20 seconds.
.It Li KERN_FSCALE
The kernel fixed-point scale factor.
.It Li KERN_FSYNC
Return 1 if the POSIX 1003.1b File Synchronization Option is available
on this system,
otherwise 0.
.It Li KERN_HARDCLOCK_TICKS
Returns the number of
.Xr hardclock 9
ticks.
.It Li KERN_HOSTID
Get or set the host id.
.It Li KERN_HOSTNAME
Get or set the hostname.
.It Li KERN_IOV_MAX
Return the maximum number of
.Va iovec
structures that a process has available for use with
.Xr preadv 2 ,
.Xr pwritev 2 ,
.Xr readv 2 ,
.Xr recvmsg 2 ,
.Xr sendmsg 2
and
.Xr writev 2 .
.It Li KERN_JOB_CONTROL
Return 1 if job control is available on this system, otherwise 0.
.It Li KERN_LABELOFFSET
The offset within the sector specified by KERN_LABELSECTOR of the
.Xr disklabel 5 .
.It Li KERN_LABELSECTOR
The sector number containing the
.Xr disklabel 5 .
.It Li KERN_LOGIN_NAME_MAX
The size of the storage required for a login name, in bytes,
including the terminating NUL.
.It Li KERN_LOGSIGEXIT
If this flag is non-zero, the kernel will
.Xr log 9
all process exits due to signals which create a
.Xr core 5
file, and whether the coredump was created.
.It Li KERN_MAPPED_FILES
Returns 1 if the POSIX 1003.1b Memory Mapped Files Option is available
on this system,
otherwise 0.
.It Li KERN_MAXFILES
The maximum number of files that may be open in the system.
.It Li KERN_MAXPARTITIONS
The maximum number of partitions allowed per disk.
.It Li KERN_MAXPHYS
Maximum raw I/O transfer size.
.It Li KERN_MAXPROC
The maximum number of simultaneous processes the system will allow.
.It Li KERN_MAXPTYS
The maximum number of pseudo terminals.
This value can be both raised and lowered, though it cannot
be set lower than the number of currently used ptys.
See also
.Xr pty 4 .
.It Li KERN_MAXVNODES
The maximum number of vnodes available on the system.
This can only be raised.
.It Li KERN_MBUF
Return information about the mbuf control variables.
The third level names for the mbuf variables are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "MBUFXNMBCLUSTERSXXX" "struct integerXXX" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It MBUF\_MBLOWAT Ta integer Ta yes
.It MBUF\_MCLBYTES Ta integer Ta yes
.It MBUF\_MCLLOWAT Ta integer Ta yes
.It MBUF\_MSIZE Ta integer Ta yes
.It MBUF\_NMBCLUSTERS Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li MBUF_MBLOWAT
The mbuf low water mark.
.It Li MBUF_MCLBYTES
The mbuf cluster size.
.It Li MBUF_MCLLOWAT
The mbuf cluster low water mark.
.It Li MBUF_MSIZE
The mbuf base size.
.It Li MBUF_NMBCLUSTERS
The limit on the number of mbuf clusters.
The variable can only be increased, and only increased on machines with
direct-mapped pool pages.
.El
.It Li KERN_MEMLOCK
Returns 1 if the POSIX 1003.1b Process Memory Locking Option is available
on this system,
otherwise 0.
.It Li KERN_MEMLOCK_RANGE
Returns 1 if the POSIX 1003.1b Range Memory Locking Option is available
on this system,
otherwise 0.
.It Li KERN_MEMORY_PROTECTION
Returns 1 if the POSIX 1003.1b Memory Protection Option is available
on this system,
otherwise 0.
.It Li KERN_MONOTONIC_CLOCK
Returns the standard version the implementation of the POSIX 1003.1b
Monotonic Clock Option conforms to,
otherwise 0.
.It Li KERN_MSGBUF
The kernel message buffer, rotated so that the head of the circular kernel
message buffer is returned at the start of the buffer specified by
.Fa oldp .
The returned data may contain NUL bytes.
.It Li KERN_MSGBUFSIZE
The maximum number of characters that the kernel message buffer can hold.
.It Li KERN_NGROUPS
The maximum number of supplemental groups.
.It Li KERN_NTPTIME
A
.Va struct ntptimeval
structure is returned.
This structure contains data used by the
.Xr ntpd 8
program.
.It Li KERN_OSRELEASE
The system release string.
.It Li KERN_OSREV
The system revision string.
.It Li KERN_OSTYPE
The system type string.
.It Li KERN_PIPE
Pipe settings.
The third level names for the integer pipe settings are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "KERNXPIPEXFOOXXX" "integerXXX" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It KERN\_PIPE\_KVASIZ Ta integer Ta yes
.It KERN\_PIPE\_MAXBIGPIPES Ta integer Ta yes
.It KERN\_PIPE\_MAXKVASZ Ta integer Ta yes
.It KERN\_PIPE\_LIMITKVA Ta integer Ta yes
.It KERN\_PIPE\_NBIGPIPES Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li KERN_PIPE_KVASIZ
Amount of kernel memory consumed by pipe buffers.
.It Li KERN_PIPE_MAXBIGPIPES
Maximum number of "big" pipes.
.It Li KERN_PIPE_MAXKVASZ
Maximum amount of kernel memory to be used for pipes.
.It Li KERN_PIPE_LIMITKVA
Limit for direct transfers via page loan.
.It Li KERN_PIPE_NBIGPIPES
Number of "big" pipes.
.El
.It Li KERN_POSIX1
The version of ISO/IEC 9945 (POSIX 1003.1) with which the system
attempts to comply.
.It Li KERN_POSIX_BARRIERS
The version of
.St -p1003.1
and its
Barriers
option to which the system attempts to conform,
otherwise 0.
.It Li KERN_POSIX_READER_WRITER_LOCKS
The version of
.St -p1003.1
and its
Read-Write Locks
option to which the system attempts to conform,
otherwise 0.
.It Li KERN_POSIX_SEMAPHORES
The version of
.St -p1003.1
and its
Semaphores
option to which the system attempts to conform,
otherwise 0.
.It Li KERN_POSIX_SPIN_LOCKS
The version of
.St -p1003.1
and its
Spin Locks
option to which the system attempts to conform,
otherwise 0.
.It Li KERN_POSIX_THREADS
The version of
.St -p1003.1
and its
Threads
option to which the system attempts to conform,
otherwise 0.
.It Li KERN_POSIX_TIMERS
The version of
.St -p1003.1
and its
Timers
option to which the system attempts to conform,
otherwise 0.
.It Li KERN_PROC
Return the entire process table, or a subset of it.
An array of
.Va struct kinfo_proc
structures is returned,
whose size depends on the current number of such objects in the system.
The third and fourth level names are as follows:
.Bl -column "Third level nameXXXXXX" "Fourth level is:XXXXXX" -offset indent
.It Sy Third level name Ta Fourth level is:
.It KERN\_PROC\_ALL Ta None
.It KERN\_PROC\_GID Ta A group ID
.It KERN\_PROC\_PID Ta A process ID
.It KERN\_PROC\_PGRP Ta A process group
.It KERN\_PROC\_RGID Ta A real group ID
.It KERN\_PROC\_RUID Ta A real user ID
.It KERN\_PROC\_SESSION Ta A session ID
.It KERN\_PROC\_TTY Ta A tty device
.It KERN\_PROC\_UID Ta A user ID
.El
.It Li KERN_PROC2
As for KERN_PROC, but an array of
.Va struct kinfo_proc2
structures is returned.
The fifth level name is the size of the
.Va struct kinfo_proc2
and the sixth level name is the number of structures to return.
.It Li KERN_PROC_ARGS
Return the argv or environment strings (or the number thereof)
of a process.
Multiple strings are returned separated by NUL characters.
The third level name is the process ID.
The fourth level name is as follows:
.Bl -column "Third level nameXXXXXX" -offset indent
.It KERN\_PROC\_ARGV Ta The argv strings
.It KERN\_PROC\_ENV Ta The environ strings
.It KERN\_PROC\_NARGV Ta The number of argv strings
.It KERN\_PROC\_NENV Ta The number of environ strings
.El
.It Li KERN_PROF
Return profiling information about the kernel.
If the kernel is not compiled for profiling,
attempts to retrieve any of the KERN_PROF values will
fail with EOPNOTSUPP.
The third level names for the string and integer profiling information
are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "GPROFXGMONPARAMXXX" "struct gmonparamXXX" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It GPROF\_COUNT Ta u_short[\|] Ta yes
.It GPROF\_FROMS Ta u_short[\|] Ta yes
.It GPROF\_GMONPARAM Ta struct gmonparam Ta no
.It GPROF\_STATE Ta integer Ta yes
.It GPROF\_TOS Ta struct tostruct Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li GPROF_COUNT
Array of statistical program counter counts.
.It Li GPROF_FROMS
Array indexed by program counter of call-from points.
.It Li GPROF_GMONPARAM
Structure giving the sizes of the above arrays.
.It Li GPROF_STATE
Profiling state.
If set to GMON_PROF_ON, starts profiling.
If set to GMON_PROF_OFF, stops profiling.
.It Li GPROF_TOS
Array of
.Va struct tostruct
describing destination of calls and their counts.
.El
.It Li KERN_RAWPARTITION
The raw partition of a disk (a == 0).
.It Li KERN_ROOT_DEVICE
The name of the root device (e.g.,
.Dq wd0 ) .
.It Li KERN_ROOT_PARTITION
The root partition on the root device (a == 0).
.It Li KERN_RTC_OFFSET
Return the offset of real time clock from UTC in minutes.
.It Li KERN_SAVED_IDS
Returns 1 if saved set-group and saved set-user IDs are available.
.It Li KERN_SBMAX
Maximum socket buffer size.
.It Li KERN_SECURELVL
The system security level.
This level may be raised by processes with appropriate privilege.
It may only be lowered by process 1.
.It Li KERN_SOMAXKVA
Maximum amount of kernel memory to be used for socket buffers.
.It Li KERN_SYNCHRONIZED_IO
Returns 1 if the POSIX 1003.1b Synchronized I/O Option is available
on this system,
otherwise 0.
.It Li KERN_SYSVIPC_INFO
Return System V style IPC configuration and run-time information.
The third level name selects the System V style IPC facility.
.Bl -column "KERN_SYSVIPC_MSG_INFOXXX" "struct shm_sysctl_infoXXX" -offset indent
.It Sy Third level name Ta Type
.It KERN\_SYSVIPC\_MSG\_INFO Ta struct msg_sysctl_info
.It KERN\_SYSVIPC\_SEM\_INFO Ta struct sem_sysctl_info
.It KERN\_SYSVIPC\_SHM\_INFO Ta struct shm_sysctl_info
.El
.Pp
.Bl -tag -width "123456"
.It Li KERN_SYSVIPC_MSG_INFO
Return information on the System V style message facility.
The
.Sy msg_sysctl_info
structure is defined in
.Aq Pa sys/msg.h .
.It Li KERN_SYSVIPC_SEM_INFO
Return information on the System V style semaphore facility.
The
.Sy sem_sysctl_info
structure is defined in
.Aq Pa sys/sem.h .
.It Li KERN_SYSVIPC_SHM_INFO
Return information on the System V style shared memory facility.
The
.Sy shm_sysctl_info
structure is defined in
.Aq Pa sys/shm.h .
.El
.It Li KERN_SYSVMSG
Returns 1 if System V style message queue functionality is available
on this system,
otherwise 0.
.It Li KERN_SYSVSEM
Returns 1 if System V style semaphore functionality is available
on this system,
otherwise 0.
.It Li KERN_SYSVSHM
Returns 1 if System V style shared memory functionality is available
on this system,
otherwise 0.
.It Li KERN_TIMEX
Not available.
.It Li KERN_TKSTAT
Return information about the number of characters sent and received
on ttys.
The third level names for the tty statistic variables are detailed below.
The changeable column shows whether a process
with appropriate privilege may change the value.
.Bl -column "KERNXTKSTATXRAWCCXXX" "struct integerXXX" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It KERN\_TKSTAT\_CANCC Ta quad Ta no
.It KERN\_TKSTAT\_NIN Ta quad Ta no
.It KERN\_TKSTAT\_NOUT Ta quad Ta no
.It KERN\_TKSTAT\_RAWCC Ta quad Ta no
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li KERN_TKSTAT_CANCC
The number of canonical input characters.
.It Li KERN_TKSTAT_NIN
The total number of input characters.
.It Li KERN_TKSTAT_NOUT
The total number of output characters.
.It Li KERN_TKSTAT_RAWCC
The number of raw input characters.
.El
.It Li KERN_URND
Random integer value.
.It Li KERN_VERIEXEC
Tunings for Veriexec.
Third level names for the Veriexec variables are detailed below.
The changeable column shows whether a process with appropriate privilege may
change the value or only raise it.
Only the superuser can modify these variables.
.Bl -column "VERIEXECXALGORITHMSXXX" "struct integerXXX" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It VERIEXEC\_ALGORITHMS Ta string Ta no
.It VERIEXEC\_COUNT Ta node Ta not applicable
.It VERIEXEC\_STRICT Ta integer Ta raise only
.It VERIEXEC\_VERBOSE Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li VERIEXEC_ALGORITHMS
Returns a string with the supported algorithms in Veriexec.
.It Li VERIEXEC_COUNT
Sub-nodes are added to this node as new mounts are monitored by Veriexec.
Each mount will be under its own
.No tableN
node.
Under each node there will be three variables, indicating the mount
point, the file-system type, and the number of entries.
.It Li VERIEXEC_STRICT
Controls the strict level of Veriexec.
The strict level defines how Veriexec will treat various situations.
.Pp
In strict level 0, the system is in learning mode and will only warn about
fingerprint mismatches, as well as allow removal of fingerprinted files.
It is the only level where fingerprints can be loaded.
.Pp
In strict level 1, the system is in IDS mode.
It will deny access to files with mismatched fingerprints.
Write access to monitored files will be permitted, but once modified, further
access to them will be denied.
Monitored files cannot be removed.
If a disk will be opened for raw writing, Veriexec will invalidate all
fingerprints on that disk, if it is monitored.
.Pp
In strict level 2, the system is in IPS mode.
It has all effects of
strict level 1, plus it will deny write access to monitored files and enforce
access type (direct, indirect, file).
Execution of non-monitored files is denied.
Opening of raw disks for writing will be denied if the disk is monitored.
Attempts to write to kernel memory, either via
.Pa /dev/mem
or
.Pa /dev/kmem ,
will be denied to protect Veriexec's internal data-structures.
.Pp
Strict level 3 operates as lockdown mode.
It will have all effects of
strict level 2, but it will also prevent access to non-monitored files.
Furthermore, it will prevent addition of new files to the system, and
allow writing only to files opened before the strict level was raised.
All attempts to open a disk for raw writing will be denied.
.It Li VERIEXEC_VERBOSE
Controls the verbosity level of Veriexec.
If 0, only the minimal
indication required will be given about what's happening - fingerprint
mismatches, removal of entries from the tables, modification of a
fingerprinted file.
If 1, more messages will be printed (i.e., when a file with a valid
fingerprint is accessed).
Verbose level 2 is debug mode.
.El
.It Li KERN_VERSION
The system version string.
.It Li KERN_VNODE
Return the entire vnode table.
Note, the vnode table is not necessarily a consistent snapshot of
the system.
The returned data consists of an array whose size depends on the
current number of such objects in the system.
Each element of the array contains the kernel address of a vnode
.Va struct vnode *
followed by the vnode itself
.Va struct vnode .
.It Li kern.coredump.setid
Settings related to set-id processes coredumps.
By default, set-id processes do not dump core in situations where
other processes would.
The settings in this node allow an administrator to change this
behavior.
.Pp
.Bl -tag -width "123456"
.It Li kern.coredump.setid.dump
If non-zero, set-id processes will dump core.
.It Li kern.coredump.setid.group
The group-id for the set-id processes' coredump.
.It Li kern.coredump.setid.mode
The mode for the set-id processes' coredump.
See
.Xr chmod 1 .
.It Li kern.coredump.setid.owner
The user-id that will be used as the owner of the set-id processes'
coredump.
.It Li kern.coredump.setid.path
The path to which set-id processes' coredumps will be saved.
Same syntax as kern.defcorename.
.El
.El
.Sh CTL_MACHDEP
The set of variables defined is architecture dependent.
Most architectures define at least the following variables.
.Bl -column "CONSOLE_DEVICEXXX" "integerXXX" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It Li CPU_CONSDEV Ta dev_t Ta no
.El
.Sh CTL_NET
The string and integer information available for the CTL_NET level
is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
The second and third levels are typically the protocol family and
protocol number, though this is not always the case.
.Bl -column "Second level nameXXXXXX" "routing messagesXXX" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It PF\_ROUTE Ta routing messages Ta no
.It PF\_INET Ta IPv4 values Ta yes
.It PF\_INET6 Ta IPv6 values Ta yes
.It PF\_KEY Ta IPsec key management values Ta yes
.El
.Pp
.Bl -tag -width "123456"
.It Li PF_ROUTE
Return the entire routing table or a subset of it.
The data is returned as a sequence of routing messages (see
.Xr route 4
for the header file, format and meaning).
The length of each message is contained in the message header.
.Pp
The third level name is a protocol number, which is currently always 0.
The fourth level name is an address family, which may be set to 0 to
select all address families.
The fifth and sixth level names are as follows:
.Bl -column "Fifth level nameXXXXXX" "Sixth level is:XXX" -offset indent
.It Sy Fifth level name Ta Sixth level is:
.It NET\_RT\_FLAGS Ta rtflags
.It NET\_RT\_DUMP Ta None
.It NET\_RT\_IFLIST Ta None
.El
.It Li PF_INET
Get or set various global information about the IPv4
.Pq Internet Protocol version 4 .
The third level name is the protocol.
The fourth level name is the variable name.
The currently defined protocols and names are:
.Bl -column "Protocol name" "Variable nameXX" "integer" "yes" -offset indent
.It Sy Protocol name Ta Variable name Ta Type Ta Changeable
.It arp Ta down Ta integer Ta yes
.It arp Ta keep Ta integer Ta yes
.It arp Ta prune Ta integer Ta yes
.It arp Ta refresh Ta integer Ta yes
.It carp Ta allow Ta integer Ta yes
.It carp Ta preempt Ta integer Ta yes
.It carp Ta log Ta integer Ta yes
.It carp Ta arpbalance Ta integer Ta yes
.It icmp Ta errppslimit Ta integer Ta yes
.It icmp Ta maskrepl Ta integer Ta yes
.It icmp Ta rediraccept Ta integer Ta yes
.It icmp Ta redirtimeout Ta integer Ta yes
.It ip Ta allowsrcrt Ta integer Ta yes
.It ip Ta anonportmax Ta integer Ta yes
.It ip Ta anonportmin Ta integer Ta yes
.It ip Ta checkinterface Ta integer Ta yes
.It ip Ta directed-broadcast Ta integer Ta yes
.It ip Ta do_loopback_cksum Ta integer Ta yes
.It ip Ta forwarding Ta integer Ta yes
.It ip Ta forwsrcrt Ta integer Ta yes
.It ip Ta gifttl Ta integer Ta yes
.It ip Ta grettl Ta integer Ta yes
.It ip Ta hostzerobroadcast Ta integer Ta yes
.It ip Ta lowportmin Ta integer Ta yes
.It ip Ta lowportmax Ta integer Ta yes
.It ip Ta maxflows Ta integer Ta yes
.It ip Ta maxfragpackets Ta integer Ta yes
.It ip Ta mtudisc Ta integer Ta yes
.It ip Ta mtudisctimeout Ta integer Ta yes
.It ip Ta random_id Ta integer Ta yes
.It ip Ta redirect Ta integer Ta yes
.It ip Ta subnetsarelocal Ta integer Ta yes
.It ip Ta ttl Ta integer Ta yes
.It tcp Ta rfc1323 Ta integer Ta yes
.It tcp Ta sendspace Ta integer Ta yes
.It tcp Ta recvspace Ta integer Ta yes
.It tcp Ta mssdflt Ta integer Ta yes
.It tcp Ta syn_cache_limit Ta integer Ta yes
.It tcp Ta syn_bucket_limit Ta integer Ta yes
.It tcp Ta syn_cache_interval Ta integer Ta yes
.It tcp Ta init_win Ta integer Ta yes
.It tcp Ta init_win_local Ta integer Ta yes
.It tcp Ta mss_ifmtu Ta integer Ta yes
.It tcp Ta win_scale Ta integer Ta yes
.It tcp Ta timestamps Ta integer Ta yes
.It tcp Ta compat_42 Ta integer Ta yes
.It tcp Ta cwm Ta integer Ta yes
.It tcp Ta cwm_burstsize Ta integer Ta yes
.It tcp Ta ack_on_push Ta integer Ta yes
.It tcp Ta keepidle Ta integer Ta yes
.It tcp Ta keepintvl Ta integer Ta yes
.It tcp Ta keepcnt Ta integer Ta yes
.It tcp Ta slowhz
.Ta integer Ta no
.It tcp Ta log_refused Ta integer Ta yes
.It tcp Ta rstppslimit Ta integer Ta yes
.It tcp Ta ident Ta struct Ta no
.It tcp Ta sack.enable Ta integer Ta yes
.It tcp Ta sack.globalholes Ta integer Ta no
.It tcp Ta sack.globalmaxholes Ta integer Ta yes
.It tcp Ta sack.maxholes Ta integer Ta yes
.It tcp Ta ecn.enable Ta integer Ta yes
.It tcp Ta ecn.maxretries Ta integer Ta yes
.It tcp Ta congctl.selected Ta string Ta yes
.It tcp Ta congctl.available Ta string Ta yes
.It tcp Ta abc.enable Ta integer Ta yes
.It tcp Ta abc.aggressive Ta integer Ta yes
.It udp Ta checksum Ta integer Ta yes
.It udp Ta do_loopback_cksum Ta integer Ta yes
.It udp Ta recvspace Ta integer Ta yes
.It udp Ta sendspace Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li arp.down
Failed ARP entry lifetime.
.It Li arp.keep
Valid ARP entry lifetime.
.It Li arp.prune
ARP cache pruning interval.
.It Li arp.refresh
ARP entry refresh interval.
.It Li carp.allow
If set to 0, incoming
.Xr carp 4
packets will not be processed.
If set to any other value, processing will occur.
Enabled by default.
.It Li carp.arpbalance
If set to any value other than 0, the ARP balancing functionality of
.Xr carp 4
is enabled.
When ARP requests are received for an IP address which is part of any virtual
host, carp will hash the source IP in the ARP request to select one of the
virtual hosts from the set of all the virtual hosts which have that IP address.
The master of that host will respond with the correct virtual MAC address.
Disabled by default.
.It Li carp.log
If set to any value other than 0,
.Xr carp 4
will log errors.
Disabled by default.
.It Li carp.preempt
If set to 0,
.Xr carp 4
will not attempt to become master if it is receiving advertisements from
another active master.
If set to any other value, carp will become master of the virtual host if it
believes it can send advertisements more frequently than the current master.
Disabled by default.
.It Li ip.allowsrcrt
If set to 1, the host accepts source routed packets.
.It Li ip.anonportmax
The highest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535, and must
be greater than
.Li ip.anonportmin .
.It Li ip.anonportmin
The lowest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535.
.It Li ip.checkinterface
If set to non-zero, the host will reject packets addressed to it
that arrive on an interface not bound to that address.
Currently, this must be disabled if ipnat is used to translate the
destination address to another local interface, or if addresses
are added to the loopback interface instead of the interface where
the packets for those addresses are received.
.It Li ip.directed-broadcast
If set to 1, enables directed broadcast behavior for the host.
.It Li ip.do_loopback_cksum
Perform IP checksum on loopback.
.It Li ip.forwarding
If set to 1, enables IP forwarding for the host,
meaning that the host is acting as a router.
.It Li ip.forwsrcrt
If set to 1, enables forwarding of source-routed packets for the host.
This value may only be changed if the kernel security level is less than 1.
.It Li ip.gifttl
The maximum time-to-live (hop count) value for an IPv4 packet generated by
.Xr gif 4
tunnel interface.
.It Li ip.grettl
The maximum time-to-live (hop count) value for an IPv4 packet generated by
.Xr gre 4
tunnel interface.
.It Li ip.hostzerobroadcast
All zeroes address is broadcast address.
.It Li ip.lowportmax
The highest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be greater than
.Li ip.lowportmin .
.It Li ip.lowportmin
The lowest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be smaller than
.Li ip.lowportmax .
.It Li ip.maxflows
IP Fast Forwarding is enabled by default.
If set to 0, IP Fast Forwarding is disabled.
.Li ip.maxflows
controls the maximum number of flows which can be created.
The default value is 256.
.It Li ip.maxfragpackets
The maximum number of fragmented packets the node will accept.
0 means that the node will not accept any fragmented packets.
\-1 means that the node will accept as many fragmented packets as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip.mtudisc
If set to 1, enables Path MTU Discovery (RFC 1191).
When Path MTU Discovery is enabled, the transmitted TCP segment
size will be determined by the advertised maximum segment size
(MSS) from the remote end, as constrained by the path MTU.
If MTU Discovery is disabled, the transmitted segment size will
never be greater than
.Li tcp.mssdflt
(the local maximum segment size).
.It Li ip.mtudisctimeout
The number of seconds in which a route added by the Path MTU
Discovery engine will time out.
When the route times out, the Path
MTU Discovery engine will attempt to probe a larger path MTU.
.It Li ip.random_id
Assign random ip_id values.
.It Li ip.redirect
If set to 1, ICMP redirects may be sent by the host.
This option is ignored unless the host is routing IP packets,
and should normally be enabled on all systems.
.It Li ip.subnetsarelocal
If set to 1, subnets are to be considered local addresses.
.It Li ip.ttl
The maximum time-to-live (hop count) value for an IP packet sourced by
the system.
This value applies to normal transport protocols, not to ICMP.
.It Li icmp.errppslimit
The variable specifies the maximum number of outgoing ICMP error messages,
per second.
ICMP error messages that exceed the value are subject to rate limitation
and will not go out from the node.
Negative value disables rate limitation.
.It Li icmp.maskrepl
If set to 1, ICMP network mask requests are to be answered.
.It Li icmp.rediraccept
If set to non-zero, the host will accept ICMP redirect packets.
Note that routers will never accept ICMP redirect packets,
and the variable is meaningful on IP hosts only.
.It Li icmp.redirtimeout
The variable specifies lifetime of routing entries generated by incoming
ICMP redirect.
This defaults to 600 seconds.
.It Li icmp.returndatabytes
Number of bytes to return in an ICMP error message.
.It Li tcp.ack_on_push
If set to 1, TCP is to immediately transmit an ACK upon reception of
a packet with PUSH set.
This can avoid losing a round trip time in some rare situations,
but has the caveat of potentially defeating TCP's delayed ACK algorithm.
Use of this option is generally not recommended, but
the variable exists in case your configuration really needs it.
.It Li tcp.compat_42
If set to 1, enables work-arounds for bugs in the 4.2BSD TCP implementation.
Use of this option is not recommended, although it may be
required in order to communicate with extremely old TCP implementations.
.It Li tcp.cwm
If set to 1, enables use of the Hughes/Touch/Heidemann Congestion Window
Monitoring algorithm.
This algorithm prevents line-rate bursts of packets that could
otherwise occur when data begins flowing on an idle TCP connection.
These line-rate bursts can contribute to network and router congestion.
This can be particularly useful on World Wide Web servers
which support HTTP/1.1, which has lingering connections.
.It Li tcp.cwm_burstsize
The Congestion Window Monitoring allowed burst size, in terms
of packet count.
.It Li tcp.delack_ticks
Number of ticks to delay sending an ACK.
.It Li tcp.do_loopback_cksum
Perform TCP checksum on loopback.
.It Li tcp.init_win
A value indicating the TCP initial congestion window.
If this value is 0, an auto-tuning algorithm designed to use an initial
window of approximately 4K bytes is in use.
Otherwise, this value indicates a fixed number of packets.
.It Li tcp.init_win_local
Like
.Li tcp.init_win ,
but used when communicating with hosts on a local network.
.It Li tcp.keepcnt
Number of keepalive probes sent before declaring a connection dead.
If set to zero, there is no limit;
keepalives will be sent until some kind of
response is received from the peer.
.It Li tcp.keepidle
Time a connection must be idle before keepalives are sent (if keepalives
are enabled for the connection).
See also tcp.slowhz.
.It Li tcp.keepintvl
Time after a keepalive probe is sent until, in the absence of any response,
another probe is sent.
See also tcp.slowhz.
.It Li tcp.log_refused
If set to 1, refused TCP connections to the host will be logged.
.It Li tcp.mss_ifmtu
If set to 1, TCP calculates the outgoing maximum segment size based on
the MTU of the appropriate interface.
If set to 0, it is calculated based on the greater of the MTU of the
interface, and the largest (non-loopback) interface MTU on the system.
.It Li tcp.mssdflt
The default maximum segment size both advertised to the peer
and to use when either the peer does not advertise a maximum segment size to
us during connection setup or Path MTU Discovery
.Li ( ip.mtudisc )
is disabled.
Do not change this value unless you really know what you are doing.
.It Li tcp.newreno
If set to 1, enables the use of J.
Hoe's NewReno congestion control algorithm.
This algorithm improves the start-up behavior of TCP connections.
.It Li tcp.recvspace
The default TCP receive buffer size.
.It Li tcp.rfc1323
If set to 1, enables RFC 1323 extensions to TCP.
.It Li tcp.rstppslimit
The variable specifies the maximum number of outgoing TCP RST packets,
per second.
TCP RST packets that exceed the value are subject to rate limitation
and will not go out from the node.
Negative value disables rate limitation.
.It Li tcp.sack.enable
If set to 1, enables RFC 2018 Selective ACKnowledgement.
.It Li tcp.sack.globalholes
Global number of TCP SACK holes.
.It Li tcp.sack.globalmaxholes
Global maximum number of TCP SACK holes.
.It Li tcp.sack.maxholes
Maximum number of TCP SACK holes allowed per connection.
.It Li tcp.ecn.enable
If set to 1, enables RFC 3168 Explicit Congestion Notification.
.It Li tcp.ecn.maxretries
Number of times to retry sending the ECN-setup packet.
.It Li tcp.sendspace
The default TCP send buffer size.
.It Li tcp.slowhz
The units for tcp.keepidle and tcp.keepintvl; those variables are in ticks
of a clock that ticks tcp.slowhz times per second.
(That is, their values
must be divided by the tcp.slowhz value to get times in seconds.)
.It Li tcp.syn_bucket_limit
The maximum number of entries allowed per hash bucket in the TCP
compressed state engine.
.It Li tcp.syn_cache_limit
The maximum number of entries allowed in the TCP compressed state
engine.
.It Li tcp.timestamps
If rfc1323 is enabled, a value of 1 indicates RFC 1323 time stamp options,
used for measuring TCP round trip times, are enabled.
.It Li tcp.win_scale
If rfc1323 is enabled, a value of 1 indicates RFC 1323 window scale options,
for increasing the TCP window size, are enabled.
.It Li tcp.congctl.available
The available TCP congestion control algorithms.
.It Li tcp.congctl.selected
The currently selected TCP congestion control algorithm.
.It Li tcp.abc.enable
If set to 1, use RFC 3465 Appropriate Byte Counting (ABC).
If set to 0, use traditional Packet Counting.
.It Li tcp.abc.aggressive
Choose the L parameter found in RFC 3465.
L is the maximum cwnd increase for an ack during slow start.
If set to 1, use L=2*SMSS.
If set to 0, use L=1*SMSS.
It has no effect unless tcp.abc.enable is set to 1.
.It Li udp.checksum
If set to 1, UDP checksums are being computed.
Received non-zero UDP checksums are always checked.
Disabling UDP checksums is strongly discouraged.
.It Li udp.sendspace
The default UDP send buffer size.
.It Li udp.recvspace
The default UDP receive buffer size.
.El
.Pp
For variables net.*.ipsec, please refer to
.Xr ipsec 4 .
.It Li PF_INET6
Get or set various global information about the IPv6
.Pq Internet Protocol version 6 .
The third level name is the protocol.
The fourth level name is the variable name.
The currently defined protocols and names are:
.Bl -column "Protocol name" "Variable nameXX" "integer" "yes" -offset indent
.It Sy Protocol name Ta Variable name Ta Type Ta Changeable
.It icmp6 Ta errppslimit Ta integer Ta yes
.It icmp6 Ta mtudisc_hiwat Ta integer Ta yes
.It icmp6 Ta mtudisc_lowat Ta integer Ta yes
.It icmp6 Ta nd6_debug Ta integer Ta yes
.It icmp6 Ta nd6_delay Ta integer Ta yes
.It icmp6 Ta nd6_maxnudhint Ta integer Ta yes
.It icmp6 Ta nd6_mmaxtries Ta integer Ta yes
.It icmp6 Ta nd6_prune Ta integer Ta yes
.It icmp6 Ta nd6_umaxtries Ta integer Ta yes
.It icmp6 Ta nd6_useloopback Ta integer Ta yes
.It icmp6 Ta nodeinfo Ta integer Ta yes
.It icmp6 Ta rediraccept Ta integer Ta yes
.It icmp6 Ta redirtimeout Ta integer Ta yes
.It ip6 Ta accept_rtadv Ta integer Ta yes
.It ip6 Ta anonportmax Ta integer Ta yes
.It ip6 Ta anonportmin Ta integer Ta yes
.It ip6 Ta auto_flowlabel Ta integer Ta yes
.It ip6 Ta dad_count Ta integer Ta yes
.It ip6 Ta defmcasthlim Ta integer Ta yes
.It ip6 Ta forwarding Ta integer Ta yes
.It ip6 Ta gifhlim Ta integer Ta yes
.It ip6 Ta hlim Ta integer Ta yes
.It ip6 Ta hdrnestlimit Ta integer Ta yes
.It ip6 Ta kame_version Ta string Ta no
.It ip6 Ta keepfaith Ta integer Ta yes
.It ip6 Ta log_interval Ta integer Ta yes
.It ip6 Ta lowportmax Ta integer Ta yes
.It ip6 Ta lowportmin Ta integer Ta yes
.It ip6 Ta maxfragpackets Ta integer Ta yes
.It ip6 Ta maxfrags Ta integer Ta yes
.It ip6 Ta redirect Ta integer Ta yes
.It ip6 Ta rr_prune Ta integer Ta yes
.It ip6 Ta use_deprecated Ta integer Ta yes
.It ip6 Ta v6only Ta integer Ta yes
.It udp6 Ta do_loopback_cksum Ta integer Ta yes
.It udp6 Ta recvspace Ta integer Ta yes
.It udp6 Ta sendspace Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li ip6.accept_rtadv
If set to non-zero, the node will accept ICMPv6 router advertisement packets
and autoconfigures address prefixes and default routers.
The node must be a host
.Pq not a router
for the option to be meaningful.
.It Li ip6.anonportmax
The highest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535, and must
be greater than
.Li ip6.anonportmin .
.It Li ip6.anonportmin
The lowest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535.
.It Li ip6.auto_flowlabel
On connected transport protocol packets,
fill IPv6 flowlabel field to help intermediate routers to identify packet flows.
.It Li ip6.dad_count
The variable configures the number of IPv6 DAD
.Pq duplicated address detection
probe packets.
The packets will be generated when IPv6 interface addresses are configured.
.It Li ip6.defmcasthlim
The default hop limit value for an IPv6 multicast packet sourced by the node.
This value applies to all the transport protocols on top of IPv6.
There are APIs to override the value, as documented in
.Xr ip6 4 .
.It Li ip6.forwarding
If set to 1, enables IPv6 forwarding for the node,
meaning that the node is acting as a router.
If set to 0, disables IPv6 forwarding for the node,
meaning that the node is acting as a host.
The IPv6 specification defines node behavior for
.Dq router
case and
.Dq host
case quite differently, and changing this variable during operation
may cause serious trouble.
It is recommended to configure the variable at bootstrap time,
and bootstrap time only.
.It Li ip6.gifhlim
The maximum hop limit value for an IPv6 packet generated by
.Xr gif 4
tunnel interface.
.It Li ip6.hdrnestlimit
The number of IPv6 extension headers permitted on incoming IPv6 packets.
If set to 0, the node will accept as many extension headers as possible.
.It Li ip6.hlim
The default hop limit value for an IPv6 unicast packet sourced by the node.
This value applies to all the transport protocols on top of IPv6.
There are APIs to override the value, as documented in
.Xr ip6 4 .
.It Li ip6.kame_version
The string identifies the version of KAME IPv6 stack implemented in the kernel.
.It Li ip6.keepfaith
If set to non-zero, it enables
.Dq FAITH
TCP relay IPv6-to-IPv4 translator code in the kernel.
Refer to
.Xr faith 4
and
.Xr faithd 8
for details.
.It Li ip6.log_interval
The variable controls amount of logs generated by IPv6 packet
forwarding engine, by setting interval between log output
.Pq in seconds .
.It Li ip6.lowportmax
The highest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be greater than
.Li ip6.lowportmin .
.It Li ip6.lowportmin
The lowest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be smaller than
.Li ip6.lowportmax .
.It Li ip6.maxfragpackets
The maximum number of fragmented packets the node will accept.
0 means that the node will not accept any fragmented packets.
\-1 means that the node will accept as many fragmented packets as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip6.maxfrags
The maximum number of fragments the node will accept.
0 means that the node will not accept any fragments.
\-1 means that the node will accept as many fragments as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip6.redirect
If set to 1, ICMPv6 redirects may be sent by the node.
This option is ignored unless the node is routing IP packets,
and should normally be enabled on all systems.
.It Li ip6.rr_prune
The variable specifies interval between IPv6 router renumbering prefix
babysitting, in seconds.
.It Li ip6.use_deprecated
The variable controls use of deprecated address, specified in RFC 2462 5.5.4.
.It Li ip6.v6only
The variable specifies initial value for
.Dv IPV6_V6ONLY
socket option for
.Dv AF_INET6
socket.
Please refer to
.Xr ip6 4
for detail.
.It Li icmp6.errppslimit
The variable specifies the maximum number of outgoing ICMPv6 error messages,
per second.
ICMPv6 error messages that exceed the value are subject to rate limitation
and will not go out from the node.
Negative value disables rate limitation.
.It Li icmp6.mtudisc_hiwat
.It Li icmp6.mtudisc_lowat
The variables define the maximum number of routing table entries,
created due to path MTU discovery
.Pq prevents denial-of-service attacks with ICMPv6 too big messages .
When IPv6 path MTU discovery happens, we keep path MTU information into
the routing table.
If the number of routing table entries exceeds the value,
the kernel will not attempt to keep the path MTU information.
.Li icmp6.mtudisc_hiwat
is used when we have verified ICMPv6 too big messages.
.Li icmp6.mtudisc_lowat
is used when we have unverified ICMPv6 too big messages.
Verification is performed by using address/port pairs kept in connected pcbs.
Negative value disables the upper limit.
.It Li icmp6.nd6_debug
If set to non-zero, kernel IPv6 neighbor discovery code will generate
debugging messages.
The debug outputs are useful to diagnose IPv6 interoperability issues.
The flag must be set to 0 for normal operation.
.It Li icmp6.nd6_delay
The variable specifies
.Dv DELAY_FIRST_PROBE_TIME
timing constant in IPv6 neighbor discovery specification
.Pq RFC 2461 ,
in seconds.
.It Li icmp6.nd6_maxnudhint
IPv6 neighbor discovery permits upper layer protocols to supply reachability
hints, to avoid unnecessary neighbor discovery exchanges.
The variable defines the number of consecutive hints the neighbor discovery
layer will take.
For example, by setting the variable to 3, neighbor discovery layer
will take at most 3 consecutive hints.
After receiving 3 hints, neighbor discovery layer will perform
normal neighbor discovery process.
.It Li icmp6.nd6_mmaxtries
The variable specifies
.Dv MAX_MULTICAST_SOLICIT
constant in IPv6 neighbor discovery specification
.Pq RFC 2461 .
.It Li icmp6.nd6_prune
The variable specifies interval between IPv6 neighbor cache babysitting,
in seconds.
.It Li icmp6.nd6_umaxtries
The variable specifies
.Dv MAX_UNICAST_SOLICIT
constant in IPv6 neighbor discovery specification
.Pq RFC 2461 .
.It Li icmp6.nd6_useloopback
If set to non-zero, kernel IPv6 stack will use loopback interface for
local traffic.
.It Li icmp6.nodeinfo
The variable enables responses to ICMPv6 node information queries.
If you set the variable to 0, responses will not be generated for
ICMPv6 node information queries.
Since node information queries can have a security impact, it is
possible to fine tune which responses should be answered.
Two separate bits can be set.
.Bl -tag -width "12345"
.It 1
Respond to ICMPv6 FQDN queries, e.g.
.Li ping6 -w .
.It 2
Respond to ICMPv6 node addresses queries, e.g.
.Li ping6 -a .
.El
.It Li icmp6.rediraccept
If set to non-zero, the host will accept ICMPv6 redirect packets.
Note that IPv6 routers will never accept ICMPv6 redirect packets,
and the variable is meaningful on IPv6 hosts
.Pq non-router
only.
.It Li icmp6.redirtimeout
The variable specifies lifetime of routing entries generated by incoming
ICMPv6 redirect.
.It Li udp6.do_loopback_cksum
Perform UDP checksum on loopback.
.It Li udp6.recvspace
Default UDP receive buffer size.
.It Li udp6.sendspace
Default UDP send buffer size.
.El
.Pp
We reuse net.*.tcp for
.Tn TCP
over
.Tn IPv6 ,
and therefore we do not have variables net.*.tcp6.
Variables net.inet6.udp6 have identical meaning to net.inet.udp.
Please refer to
.Li PF_INET
section above.
For variables net.*.ipsec6, please refer to
.Xr ipsec 4 .
.It Li PF_KEY
Get or set various global information about the IPsec key management.
The third level name is the variable name.
The currently defined variables and names are:
.Bl -column "blockacq_lifetime" "integer" "yes" -offset indent
.It Sy Variable name Ta Type Ta Changeable
.It debug Ta integer Ta yes
.It spi_try Ta integer Ta yes
.It spi_min_value Ta integer Ta yes
.It spi_max_value Ta integer Ta yes
.It larval_lifetime Ta integer Ta yes
.It blockacq_count Ta integer Ta yes
.It blockacq_lifetime Ta integer Ta yes
.It esp_keymin Ta integer Ta yes
.It esp_auth Ta integer Ta yes
.It ah_keymin Ta integer Ta yes
.El
The variables are as follows:
.Bl -tag -width "123456"
.It Li debug
Turn on debugging messages from within the kernel.
The value is a bitmap, as defined in
.Pa /usr/include/netkey/key_debug.h .
.It Li spi_try
The number of times the kernel will try to obtain a unique SPI
when it generates it from random number generator.
.It Li spi_min_value
Minimum SPI value when generating it within the kernel.
.It Li spi_max_value
Maximum SPI value when generating it within the kernel.
.It Li larval_lifetime
Lifetime for LARVAL SAD entries, in seconds.
.It Li blockacq_count
Number of ACQUIRE PF_KEY messages to be blocked after an ACQUIRE message.
It avoids flood of ACQUIRE PF_KEY from being sent from the kernel to the
key management daemon.
.It Li blockacq_lifetime
Lifetime of ACQUIRE PF_KEY message.
.It Li esp_keymin
Minimum ESP key length, in bits.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.It Li esp_auth
Whether ESP authentication should be used or not.
Non-zero value indicates that ESP authentication should be used.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.It Li ah_keymin
Minimum AH key length, in bits.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.El
.El
.Sh CTL_PROC
The string and integer information available for the CTL_PROC level
is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
These values are per-process,
and as such may change from one process to another.
When a process is created,
the default values are inherited from its parent.
When a set-user-ID or set-group-ID binary is executed, the
value of PROC_PID_CORENAME is reset to the system default value.
The second level name is either the magic value PROC_CURPROC, which
points to the current process, or the PID of the target process.
.Bl -column "USER_COLL_WEIGHTS_MAXXXX" "integerXXX" "yes" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It PROC\_PID\_CORENAME Ta string Ta yes
.It PROC\_PID\_LIMIT Ta node Ta not applicable
.It PROC\_PID\_STOPFORK Ta int Ta yes
.It PROC\_PID\_STOPEXEC Ta int Ta yes
.It PROC\_PID\_STOPEXIT Ta int Ta yes
.El
.Bl -tag -width "123456"
.Pp
.It Li PROC_PID_CORENAME
The template used for the core dump file name (see
.Xr core 5
for details).
The base name must either be
.Nm core
or end with the suffix ``.core'' (the super-user may set arbitrary names).
By default it points to KERN_DEFCORENAME.
.It Li PROC_PID_LIMIT
Return resource limits, as defined for the
.Xr getrlimit 2
and
.Xr setrlimit 2
system calls.
The fourth level name is one of:
.Bl -tag -width PROC_PID_LIMIT_MEMLOCKAA
.It Li PROC_PID_LIMIT_CPU
The maximum amount of CPU time (in seconds) to be used by each process.
.It Li PROC_PID_LIMIT_FSIZE
The largest size (in bytes) file that may be created.
.It Li PROC_PID_LIMIT_DATA
The maximum size (in bytes) of the data segment for a process;
this defines how far a program may extend its break with the
.Xr sbrk 2
system call.
.It Li PROC_PID_LIMIT_STACK
The maximum size (in bytes) of the stack segment for a process;
this defines how far a program's stack segment may be extended.
Stack extension is performed automatically by the system.
.It Li PROC_PID_LIMIT_CORE
The largest size (in bytes)
.Pa core
file that may be created.
.It Li PROC_PID_LIMIT_RSS
The maximum size (in bytes) to which a process's resident set size may
grow.
This imposes a limit on the amount of physical memory to be given to
a process; if memory is tight, the system will prefer to take memory
from processes that are exceeding their declared resident set size.
.It Li PROC_PID_LIMIT_MEMLOCK
The maximum size (in bytes) which a process may lock into memory
using the
.Xr mlock 2
function.
.It Li PROC_PID_LIMIT_NPROC
The maximum number of simultaneous processes for this user id.
.It Li PROC_PID_LIMIT_NOFILE
The maximum number of open files for this process.
.El
.Pp
The fifth level name is one of PROC_PID_LIMIT_TYPE_SOFT or
PROC_PID_LIMIT_TYPE_HARD, to select respectively the soft or hard limit.
Both are of type integer.
.It Li PROC_PID_STOPFORK
If non zero, the process' children will be stopped after
.Xr fork 2
calls.
The child is created in the SSTOP state and is never scheduled
for running before being stopped.
This feature helps attaching a process with a debugger such as
.Xr gdb 1
before it has had the opportunity to actually do anything.
.Pp
This value is inherited by the process's children, and it also
applies to emulation specific system calls that fork a new process, such as
.Fn sproc
or
.Fn clone .
.It Li PROC_PID_STOPEXEC
If non zero, the process will be stopped on next
.Xr exec 3
call.
The process created by
.Xr exec 3
is created in the SSTOP state and is never scheduled for running
before being stopped.
This feature helps attaching a process with a debugger such as
.Xr gdb 1
before it has had the opportunity to actually do anything.
.Pp
This value is inherited by the process's children.
.It Li PROC_PID_STOPEXIT
If non zero, the process will be stopped when it has cause to exit,
either by way of calling
.Xr exit 3 ,
.Xr _exit 2 ,
or by the receipt of a specific signal.
The process is stopped before any of its resources or vm space is
released allowing examination of the termination state of a process
before it disappears.
This feature can be used to examine the final conditions of the
process's vmspace via
.Xr pmap 1
or its resource settings with
.Xr sysctl 8
before it disappears.
.Pp
This value is also inherited by the process's children.
.El
.Sh CTL_USER
The string and integer information available for the CTL_USER level
is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "USER_COLL_WEIGHTS_MAXXXX" "integerXXX" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It USER\_BC\_BASE\_MAX Ta integer Ta no
.It USER\_BC\_DIM\_MAX Ta integer Ta no
.It USER\_BC\_SCALE\_MAX Ta integer Ta no
.It USER\_BC\_STRING\_MAX Ta integer Ta no
.It USER\_COLL\_WEIGHTS\_MAX Ta integer Ta no
.It USER\_CS\_PATH Ta string Ta no
.It USER\_EXPR\_NEST\_MAX Ta integer Ta no
.It USER\_LINE\_MAX Ta integer Ta no
.It USER\_POSIX2\_CHAR\_TERM Ta integer Ta no
.It USER\_POSIX2\_C\_BIND Ta integer Ta no
.It USER\_POSIX2\_C\_DEV Ta integer Ta no
.It USER\_POSIX2\_FORT\_DEV Ta integer Ta no
.It USER\_POSIX2\_FORT\_RUN Ta integer Ta no
.It USER\_POSIX2\_LOCALEDEF Ta integer Ta no
.It USER\_POSIX2\_SW\_DEV Ta integer Ta no
.It USER\_POSIX2\_UPE Ta integer Ta no
.It USER\_POSIX2\_VERSION Ta integer Ta no
.It USER\_RE\_DUP\_MAX Ta integer Ta no
.It USER\_STREAM\_MAX Ta integer Ta no
.It USER\_TZNAME\_MAX Ta integer Ta no
.It USER\_ATEXIT\_MAX Ta integer Ta no
.El
.Bl -tag -width "123456"
.Pp
.It Li USER_BC_BASE_MAX
The maximum ibase/obase values in the
.Xr bc 1
utility.
.It Li USER_BC_DIM_MAX
The maximum array size in the
.Xr bc 1
utility.
.It Li USER_BC_SCALE_MAX
The maximum scale value in the
.Xr bc 1
utility.
.It Li USER_BC_STRING_MAX
The maximum string length in the
.Xr bc 1
utility.
.It Li USER_COLL_WEIGHTS_MAX
The maximum number of weights that can be assigned to any entry of
the LC_COLLATE order keyword in the locale definition file.
.It Li USER_CS_PATH
Return a value for the
.Ev PATH
environment variable that finds all the standard utilities.
.It Li USER_EXPR_NEST_MAX
The maximum number of expressions that can be nested within
parentheses by the
.Xr expr 1
utility.
.It Li USER_LINE_MAX
The maximum length in bytes of a text-processing utility's input
line.
.It Li USER_POSIX2_CHAR_TERM
Return 1 if the system supports at least one terminal type capable of
all operations described in POSIX 1003.2, otherwise 0.
.It Li USER_POSIX2_C_BIND
Return 1 if the system's C-language development facilities support the
C-Language Bindings Option, otherwise 0.
.It Li USER_POSIX2_C_DEV
Return 1 if the system supports the C-Language Development Utilities Option,
otherwise 0.
.It Li USER_POSIX2_FORT_DEV
Return 1 if the system supports the FORTRAN Development Utilities Option,
otherwise 0.
.It Li USER_POSIX2_FORT_RUN
Return 1 if the system supports the FORTRAN Runtime Utilities Option,
otherwise 0.
.It Li USER_POSIX2_LOCALEDEF
Return 1 if the system supports the creation of locales, otherwise 0.
.It Li USER_POSIX2_SW_DEV
Return 1 if the system supports the Software Development Utilities Option,
otherwise 0.
.It Li USER_POSIX2_UPE
Return 1 if the system supports the User Portability Utilities Option,
otherwise 0.
.It Li USER_POSIX2_VERSION
The version of POSIX 1003.2 with which the system attempts to comply.
.It Li USER_RE_DUP_MAX
The maximum number of repeated occurrences of a regular expression
permitted when using interval notation.
.ne 1i
.It Li USER_STREAM_MAX
The minimum maximum number of streams that a process may have open
at any one time.
.It Li USER_TZNAME_MAX
The minimum maximum number of types supported for the name of a
timezone.
.It Li USER_ATEXIT_MAX
The maximum number of functions that may be registered with
.Xr atexit 3 .
.El
.Sh CTL_VM
The string and integer information available for the CTL_VM level
is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "Second level nameXXXXXX" "struct loadavgXXX" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It VM\_ANONMAX Ta int Ta yes
.It VM\_ANONMIN Ta int Ta yes
.It VM\_BUFCACHE Ta int Ta yes
.It VM\_BUFMEM Ta int Ta no
.It VM\_BUFMEM_HIWATER Ta int Ta yes
.It VM\_BUFMEM_LOWATER Ta int Ta yes
.It VM\_EXECMAX Ta int Ta yes
.It VM\_EXECMIN Ta int Ta yes
.It VM\_FILEMAX Ta int Ta yes
.It VM\_FILEMIN Ta int Ta yes
.It VM\_LOADAVG Ta struct loadavg Ta no
.It VM\_MAXSLP Ta int Ta no
.It VM\_METER Ta struct vmtotal Ta no
.It VM\_NKMEMPAGES Ta int Ta no
.It VM\_USPACE Ta int Ta no
.It VM\_UVMEXP Ta struct uvmexp Ta no
.It VM\_UVMEXP2 Ta struct uvmexp_sysctl Ta no
.El
.Pp
.Bl -tag -width "123456"
.It Li VM_ANONMAX
The percentage of physical memory which will be reclaimed
from other types of memory usage to store anonymous application data.
.It Li VM_ANONMIN
The percentage of physical memory which will always be available for
anonymous application data.
.It Li VM_BUFCACHE
The percentage of physical memory which will be available
for the buffer cache.
.It Li VM_BUFMEM
The amount of kernel memory that is being used by the buffer cache.
.It Li VM_BUFMEM_LOWATER
The minimum amount of kernel memory to reserve for the
buffer cache.
.It Li VM_BUFMEM_HIWATER
The maximum amount of kernel memory to be used for the
buffer cache.
.It Li VM_EXECMAX
The percentage of physical memory which will be reclaimed
from other types of memory usage to store cached executable data.
.It Li VM_EXECMIN
The percentage of physical memory which will always be available for
cached executable data.
.It Li VM_FILEMAX
The percentage of physical memory which will be reclaimed
from other types of memory usage to store cached file data.
.It Li VM_FILEMIN
The percentage of physical memory which will always be available for
cached file data.
.It Li VM_LOADAVG
Return the load average history.
The returned data consists of a
.Va struct loadavg .
.It Li VM_MAXSLP
The value of the maxslp kernel global variable.
.It Li VM_METER
Return system wide virtual memory statistics.
The returned data consists of a
.Va struct vmtotal .
.It Li VM_USPACE
The number of bytes allocated for each kernel stack.
.It Li VM_UVMEXP
Return system wide virtual memory statistics.
The returned data consists of a
.Va struct uvmexp .
.It Li VM_UVMEXP2
Return system wide virtual memory statistics.
The returned data consists of a
.Va struct uvmexp_sysctl .
.El
.Sh CTL_DDB
The integer information available for the CTL_DDB level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "DBCTL_TABSTOPSXXX" "integerXXX" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It DBCTL\_RADIX Ta integer Ta yes
.It DBCTL\_MAXOFF Ta integer Ta yes
.It DBCTL\_LINES Ta integer Ta yes
.It DBCTL\_TABSTOPS Ta integer Ta yes
.It DBCTL\_ONPANIC Ta integer Ta yes
.It DBCTL\_FROMCONSOLE Ta integer Ta yes
.El
.Pp
.Bl -tag -width "123456"
.It Li DBCTL_RADIX
The input and output radix.
.It Li DBCTL_MAXOFF
The maximum symbol offset.
.It Li DBCTL_LINES
Number of display lines.
.It Li DBCTL_TABSTOPS
Tab width.
.It Li DBCTL_ONPANIC
If non-zero, DDB will be entered when the kernel panics.
.It Li DBCTL_FROMCONSOLE
If not zero, DDB may be entered by sending a break on a serial
console or by a special key sequence on a graphics console.
.El
.Pp
These MIB nodes are also available as variables from within the DDB.
See
.Xr ddb 4
for more details.
.Sh CTL_SECURITY
The security level contains various security-related settings for
the system.
Available settings are detailed below.
.Pp
.Bl -tag -width "123456"
.It Li security.curtain
If non-zero, will filter returned objects according to the user-id
requesting information about them, preventing users from accessing
objects they don't own.
.Pp
At the moment, it affects
.Xr ps 1 ,
.Xr netstat 1
(for
.Dv PF_INET ,
.Dv PF_INET6 ,
and
.Dv PF_UNIX
PCBs), and
.Xr w 1 .
.It Li security.pax
Settings for PaX -- exploit mitigation features.
.Pp
.Bl -tag -width "123456"
.It Li security.pax.mprotect.enable
Enable PaX MPROTECT restrictions.
.Pp
These are
.Xr mprotect 2
restrictions to better enforce a W^X policy.
The value of this
knob must be non-zero for PaX MPROTECT to be enabled, even if a
program is set to explicit enable.
.It Li security.pax.mprotect.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get the PaX MPROTECT restrictions,
except those exempted with
.Xr paxctl 1 .
Otherwise, all programs will not get the PaX MPROTECT restrictions,
except those specifically marked as such with
.Xr paxctl 1 .
.It Li security.pax.segvguard.enable
Enable PaX Segvguard.
.Pp
Please see
.Xr security 8
for more information.
.Pp
PaX Segvguard can detect and prevent certain exploitation attempts, where
an attacker may try for example to brute-force function return addresses
of respawning daemons.
.Pp
.Em Note :
The
.Nx
interface and implementation of the Segvguard is still experimental, and may
change in future releases.
.It Li security.pax.segvguard.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get the PaX Segvguard,
except those exempted with
.Xr paxctl 1 .
Otherwise, all programs will not get the PaX Segvguard restrictions,
except those specifically marked as such with
.Xr paxctl 1 .
.It Li security.pax.segvguard.expiry_timeout
If the max number was not reached within this timeout (in seconds), the entry
will expire.
.It Li security.pax.segvguard.suspend_timeout
Number of seconds to suspend a user from running a faulting program when the
limit was exceeded.
.It Li security.pax.segvguard.max_crashes
Max number of segfaults a program can receive before suspension.
.El
.El
.Sh CTL_VENDOR
The "vendor" toplevel name is reserved to be used by vendors who wish to
have their own private MIB tree.
Intended use is to store values under
.Dq vendor.\*[Lt]yourname\*[Gt].* .
.Sh DYNAMIC OPERATIONS
Several meta-identifiers are provided to perform operations on the
.Nm
tree itself, or support alternate means of accessing the data
instrumented by the
.Nm
tree.
.Bl -column CTLXCREATESYMXXX
.It Sy Name Ta Sy Description
.It CTL\_QUERY Ta Retrieve a mapping of names to numbers below a given node
.It CTL\_CREATE Ta Create a new node
.It CTL\_CREATESYM Ta Create a new node by its kernel symbol
.It CTL\_DESTROY Ta Destroy a node
.It CTL\_DESCRIBE Ta Retrieve node descriptions
.El
.Pp
The core interface to all of these meta-functions is the structure
that the kernel uses to describe the tree internally, as defined in
.Aq Pa sys/sysctl.h
as:
.Pp
.Bd -literal
struct sysctlnode {
	uint32_t sysctl_flags;			/* flags and type */
	int32_t sysctl_num;			/* mib number */
	char sysctl_name[SYSCTL_NAMELEN];	/* node name */
	uint32_t sysctl_ver;		/* node's version vs. rest of tree */
	uint32_t __rsvd;
	union {
		struct {
			uint32_t suc_csize;	/* size of child node array */
			uint32_t suc_clen;	/* number of valid children */
			struct sysctlnode* suc_child;	/* array of child nodes */
		} scu_child;
		struct {
			void *sud_data;		/* pointer to external data */
			size_t sud_offset;	/* offset to data */
		} scu_data;
		int32_t scu_alias;		/* node this node refers to */
		int32_t scu_idata;		/* immediate "int" data */
		u_quad_t scu_qdata;		/* immediate "u_quad_t" data */
	} sysctl_un;
	size_t _sysctl_size;			/* size of instrumented data */
	sysctlfn _sysctl_func;			/* access helper function */
	struct sysctlnode *sysctl_parent;	/* parent of this node */
	const char *sysctl_desc;		/* description of node */
};

#define sysctl_csize    sysctl_un.scu_child.suc_csize
#define sysctl_clen     sysctl_un.scu_child.suc_clen
#define sysctl_child    sysctl_un.scu_child.suc_child
#define sysctl_data     sysctl_un.scu_data.sud_data
#define sysctl_offset   sysctl_un.scu_data.sud_offset
#define sysctl_alias    sysctl_un.scu_alias
#define sysctl_idata    sysctl_un.scu_idata
#define sysctl_qdata    sysctl_un.scu_qdata
.Ed
.Pp
Querying the tree to discover the name to number mapping permits
dynamic discovery of all the data that the tree currently has
instrumented.
For example, to discover all the nodes below the
CTL_VFS node:
.Pp
.Bd -literal -offset indent -compact
struct sysctlnode query, vfs[128];
int mib[2];
size_t len;
.sp
mib[0] = CTL_VFS;
mib[1] = CTL_QUERY;
memset(\*[Am]query, 0, sizeof(query));
query.sysctl_flags = SYSCTL_VERSION;
len = sizeof(vfs);
sysctl(mib, 2, \*[Am]vfs[0], \*[Am]len, \*[Am]query, sizeof(query));
.Ed
.Pp
Note that a reference to an empty node with
.Fa sysctl_flags
set to
.Dv SYSCTL_VERSION
is passed to sysctl in order to indicate the version that the program
is using.
All dynamic operations passing nodes into sysctl require that the
version be explicitly specified.
.Pp
Creation and destruction of nodes works by constructing part of a new
node description (or a description of the existing node) and invoking
CTL_CREATE (or CTL_CREATESYM) or CTL_DESTROY at the parent of the new
node, with a pointer to the new node passed via the
.Fa newp
and
.Fa newlen
arguments.
If valid values for
.Fa oldp
and
.Fa oldlenp
are passed, a copy of the new node once in the tree will be returned.
If the create operation fails because a node with the same name or MIB
number exists, a copy of the conflicting node will be returned.
.Pp
The minimum requirements for creating a node are setting the
.Fa sysctl_flags
to indicate the new node's type,
.Fa sysctl_num
to either the new node's number (or CTL_CREATE or CTL_CREATESYM if a
dynamically allocated MIB number is acceptable),
.Fa sysctl_size
to the size of the data to be instrumented (which must agree with the
given type), and
.Fa sysctl_name
to the new node's name.
Nodes that are not of type
.Dq node
must also have some description of the data to be instrumented, which
will vary depending on what is to be instrumented.
.Pp
If existing kernel data is to be covered by this new node, its address
should be given in
.Fa sysctl_data
or, if CTL_CREATESYM is used,
.Fa sysctl_data
should be set to a string containing its name from the kernel's symbol
table.
If new data is to be instrumented and an initial value is available,
the new integer or quad type data should be placed into either
.Fa sysctl_idata
or
.Fa sysctl_qdata ,
respectively, along with the CTLFLAG_IMMEDIATE flag being set, or
.Fa sysctl_data
should be set to point to a copy of the new data, and the
CTLFLAG_OWNDATA flag must be set.
This latter method is the only way that new string and struct type
nodes can be initialized.
Invalid kernel addresses are accepted, but any attempt to access those
nodes will return an error.
.Pp
The
.Fa sysctl_csize ,
.Fa sysctl_clen ,
.Fa sysctl_child ,
.Fa sysctl_parent ,
and
.Fa sysctl_alias
members are used by the kernel to link the tree together and must be
.Dv NULL
or 0.
Nodes created in this manner cannot have helper functions, so
.Fa sysctl_func
must also be
.Dv NULL .
If the
.Fa sysctl_ver
member is non-zero, it must match either the version of the parent or
the version at the root of the MIB or an error is returned.
This can be used to ensure that nodes are only added or removed from a
known state of the tree.
Note: It may not be possible to determine the version at the root
of the tree.
.Pp
This example creates a new subtree and adds a node to it that controls the
.Fa audiodebug
kernel variable, thereby making it tunable at any time, without
needing to use
.Xr ddb 4
or
.Xr kvm 3
to alter the kernel's memory directly.
.Pp
.Bd -literal -offset indent -compact
struct sysctlnode node;
int mib[2];
size_t len;
.sp
mib[0] = CTL_CREATE;		/* create at top-level */
len = sizeof(node);
memset(\*[Am]node, 0, len);
node.sysctl_flags = SYSCTL_VERSION|CTLFLAG_READWRITE|CTLTYPE_NODE;
snprintf(node.sysctl_name, sizeof(node.sysctl_name), "local");
node.sysctl_num = CTL_CREATE;	/* request dynamic MIB number */
sysctl(\*[Am]mib[0], 1, \*[Am]node, \*[Am]len, \*[Am]node, len);
.sp
mib[0] = node.sysctl_num;	/* use new MIB number */
mib[1] = CTL_CREATESYM;		/* create at second level */
len = sizeof(node);
memset(\*[Am]node, 0, len);
node.sysctl_flags = SYSCTL_VERSION|CTLFLAG_READWRITE|CTLTYPE_INT;
snprintf(node.sysctl_name, sizeof(node.sysctl_name), "audiodebug");
node.sysctl_num = CTL_CREATE;
node.sysctl_data = "audiodebug"; /* kernel symbol to be used */
sysctl(\*[Am]mib[0], 2, NULL, NULL, \*[Am]node, len);
.Ed
.Pp
The process for deleting nodes is similar, but less data needs to
be supplied.
Only the
.Fa sysctl_num
field
needs to be filled in; almost all other fields must be left blank.
The
.Fa sysctl_name
and/or
.Fa sysctl_ver
fields can be filled in with the name and version of the existing node
as additional checks on what will be deleted.
If all the given data fail to match any node, nothing will be deleted.
If valid values for
.Fa oldp
and
.Fa oldlenp
are supplied and a node is deleted, a copy of what was in the MIB tree
will be returned.
.Pp
This sample code shows the deletion of the two nodes created in the
above example:
.Pp
.Bd -literal -offset indent -compact
struct sysctlnode node;
int mib[2];
size_t len;
.sp
len = sizeof(node);
memset(\*[Am]node, 0, len);
node.sysctl_flags = SYSCTL_VERSION;
.sp
mib[0] = 3214;			/* assumed number for "local" */
mib[1] = CTL_DESTROY;
node.sysctl_num = 3215;		/* assumed number for "audiodebug" */
sysctl(\*[Am]mib[0], 2, NULL, NULL, \*[Am]node, len);
.sp
mib[0] = CTL_DESTROY;
node.sysctl_num = 3214;		/* now deleting "local" */
sysctl(\*[Am]mib[0], 1, NULL, NULL, \*[Am]node, len);
.Ed
.Pp
Descriptions of each of the nodes can also be retrieved, if they are
available.
Descriptions can be retrieved in bulk at each level or on a per-node
basis.
The layout of the buffer into which the descriptions are returned is a
series of variable length structures, each of which describes its own
size.
The length indicated includes the terminating
.Sq nul
character.
Nodes that have no description or where the description is not
available are indicated by an empty string.
The
.Fa descr_ver
will match the
.Fa sysctl_ver
value for a given node, so that descriptions for nodes whose numbers
have been recycled can be detected and ignored or discarded.
.Pp
.Bd -literal
struct sysctldesc {
	int32_t         descr_num;      /* mib number of node */
	uint32_t        descr_ver;      /* version of node */
	uint32_t        descr_len;      /* length of description string */
	char            descr_str[1];   /* not really 1...see above */
};
.Ed
.Pp
The
.Fn NEXT_DESCR
macro can be used to skip to the next description in the retrieved
list.
.Pp
.Bd -literal -offset indent -compact
struct sysctlnode desc;
struct sysctldesc *d;
char buf[1024];
int mib[2];
size_t len;
.sp
/* retrieve kern-level descriptions */
mib[0] = CTL_KERN;
mib[1] = CTL_DESCRIBE;
d = (struct sysctldesc *)\*[Am]buf[0];
len = sizeof(buf);
if (sysctl(mib, 2, d, \*[Am]len, NULL, 0) == -1)
	len = 0;		/* call failed: nothing valid to walk */
while ((caddr_t)d \*[Lt] (caddr_t)\*[Am]buf[len]) {
	printf("node %d: %.*s\\n", d-\*[Gt]descr_num, (int)d-\*[Gt]descr_len,
	    d-\*[Gt]descr_str);
	d = NEXT_DESCR(d);
}
.sp
/* retrieve description for kern.securelevel */
memset(\*[Am]desc, 0, sizeof(desc));
desc.sysctl_flags = SYSCTL_VERSION;
desc.sysctl_num = KERN_SECURELEVEL;
d = (struct sysctldesc *)\*[Am]buf[0];
len = sizeof(buf);
if (sysctl(mib, 2, d, \*[Am]len, \*[Am]desc, sizeof(desc)) != -1)
	printf("kern.securelevel: %.*s\\n", (int)d-\*[Gt]descr_len,
	    d-\*[Gt]descr_str);
.Ed
.Pp
Descriptions can also be set as follows, subject to the following rules:
.Pp
.Bl -bullet -compact
.It
The kernel securelevel is at zero or lower
.It
The caller has super-user privileges
.It
The node does not currently have a description
.It
The node is not marked as
.Dq permanent
.El
.Pp
.Bd -literal -offset indent -compact
struct sysctlnode desc;
int mib[2];
.sp
/* presuming the given top-level node was just added... */
mib[0] = 3214; /* mib numbers taken from previous examples */
mib[1] = CTL_DESCRIBE;
memset(\*[Am]desc, 0, sizeof(desc));
desc.sysctl_flags = SYSCTL_VERSION;
desc.sysctl_num = 3215;
desc.sysctl_desc = "audio debug control knob";
sysctl(mib, 2, NULL, NULL, \*[Am]desc, sizeof(desc));
.Ed
.Pp
Upon successfully setting a description, the new description will be
returned in the space indicated by the
.Fa oldp
and
.Fa oldlenp
arguments.
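.Pp
The CTL_DESCRIBE buffer layout described above, walked with explicit bounds checks and a version check for recycled MIB numbers, as an added example that is not part of the original manual page.
The local struct desc_rec copy, the helper names, the constructed sample records and the 4-byte record padding are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same field layout as struct sysctldesc on the page (local copy, so this
 * builds without the NetBSD headers). */
struct desc_rec {
	int32_t  descr_num;	/* mib number of node */
	uint32_t descr_ver;	/* version of node */
	uint32_t descr_len;	/* length of description, NUL included */
	char     descr_str[1];
};
#define DESC_HDR	offsetof(struct desc_rec, descr_str)
/* Assumption: each record is padded to a 4-byte boundary. */
#define DESC_PAD(l)	(((size_t)(l) + 3u) & ~(size_t)3u)

struct desc_view {
	int32_t     num;
	uint32_t    ver;
	const char *str;	/* points into the caller's buffer */
};

/* Validate and index buf[0..len).  Returns the record count, or -1 if the
 * buffer is malformed or holds more than max records. */
int
parse_descs(const unsigned char *buf, size_t len, struct desc_view *out, int max)
{
	struct desc_rec h;
	size_t off = 0, adv;
	int n = 0;

	while (off < len) {
		if (len - off < DESC_HDR || n == max)
			return -1;	/* truncated header or too many records */
		memcpy(&h, buf + off, DESC_HDR);	/* avoids unaligned reads */
		/* the length must cover the NUL and stay inside the buffer */
		if (h.descr_len == 0 || h.descr_len > len - off - DESC_HDR)
			return -1;
		if (buf[off + DESC_HDR + h.descr_len - 1] != '\0')
			return -1;	/* string is not terminated */
		out[n].num = h.descr_num;
		out[n].ver = h.descr_ver;
		out[n].str = (const char *)(buf + off + DESC_HDR);
		n++;
		adv = DESC_HDR + DESC_PAD(h.descr_len);
		off += (adv > len - off) ? len - off : adv;
	}
	return n;
}

/* Return the description for num only if its version matches the node's
 * sysctl_ver; a mismatch means the MIB number was recycled. */
const char *
find_desc(const struct desc_view *v, int n, int32_t num, uint32_t node_ver)
{
	for (int i = 0; i < n; i++)
		if (v[i].num == num)
			return v[i].ver == node_ver ? v[i].str : NULL;
	return NULL;
}

/* Append one record at off; the caller guarantees buf is large enough. */
size_t
put_desc(unsigned char *buf, size_t off, int32_t num, uint32_t ver, const char *s)
{
	struct desc_rec h = { num, ver, (uint32_t)strlen(s) + 1, { 0 } };

	memset(buf + off, 0, DESC_HDR + DESC_PAD(h.descr_len));
	memcpy(buf + off, &h, DESC_HDR);
	memcpy(buf + off + DESC_HDR, s, h.descr_len);
	return off + DESC_HDR + DESC_PAD(h.descr_len);
}

/* Constructed sample: three records, the second with no description. */
size_t
build_sample(unsigned char *buf)
{
	size_t off = 0;

	off = put_desc(buf, off, 1, 5, "first constructed node");
	off = put_desc(buf, off, 2, 5, "");
	off = put_desc(buf, off, 9, 7, "third constructed node");
	return off;
}

int
main(void)
{
	unsigned char buf[256];
	struct desc_view v[8];
	size_t len = build_sample(buf);
	int n = parse_descs(buf, len, v, 8);

	for (int i = 0; i < n; i++)
		printf("node %d (ver %u): %s\n", (int)v[i].num,
		    (unsigned)v[i].ver, v[i].str);
	return n < 0;
}
```

On a real system the buffer and length would come from the sysctl call shown earlier, and the version passed to find_desc from the node's sysctl_ver.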
.Pp
The
.Fa sysctl_flags
field in the struct sysctlnode contains the sysctl version, node type
information, and a number of flags.
The macros
.Fn SYSCTL_VERS ,
.Fn SYSCTL_TYPE ,
and
.Fn SYSCTL_FLAGS
can be used to access the different fields.
Valid flags are:
.Bl -column CTLFLAGXPERMANENTXXX
.It Sy Name Ta Sy Description
.It CTLFLAG\_READONLY Ta Node is read-only
.It CTLFLAG\_READONLY1 Ta Node becomes read-only at securelevel 1
.It CTLFLAG\_READONLY2 Ta Node becomes read-only at securelevel 2
.It CTLFLAG\_READWRITE Ta Node is writable by the superuser
.It CTLFLAG\_ANYWRITE Ta Node is writable by anyone
.It CTLFLAG\_PRIVATE Ta Node is readable only by the superuser
.It CTLFLAG\_PERMANENT Ta Node cannot be removed (cannot be set by
processes)
.It CTLFLAG\_OWNDATA Ta Node owns data and does not instrument
existing data
.It CTLFLAG\_IMMEDIATE Ta Node contains instrumented data and does not
instrument existing data
.It CTLFLAG\_HEX Ta Node's contents should be displayed in a hexadecimal
form
.It CTLFLAG\_ROOT Ta Node is the root of a tree (cannot be set at
any time)
.It CTLFLAG\_ANYNUMBER Ta Node matches any MIB number (cannot be set by
processes)
.It CTLFLAG\_HIDDEN Ta Node not displayed by default
.It CTLFLAG\_ALIAS Ta Node refers to a sibling node (cannot be set
by processes)
.It CTLFLAG\_OWNDESC Ta Node owns its own description string space
.El
.Sh RETURN VALUES
If the call to
.Nm
is successful, the number of bytes copied out is returned.
Otherwise \-1 is returned and
.Va errno
is set appropriately.
.Sh FILES
.Bl -tag -width \*[Lt]netinet6/udp6Xvar.h\*[Gt] -compact
.It Aq Pa sys/sysctl.h
definitions for top level identifiers, second level kernel and hardware
identifiers, and user level identifiers
.It Aq Pa sys/socket.h
definitions for second level network identifiers
.It Aq Pa sys/gmon.h
definitions for third level profiling identifiers
.It Aq Pa uvm/uvm_param.h
definitions for second level virtual memory identifiers
.It Aq Pa netinet/in.h
definitions for third level IPv4/v6 identifiers and
fourth level IPv4/v6 identifiers
.It Aq Pa netinet/icmp_var.h
definitions for fourth level ICMP identifiers
.It Aq Pa netinet/icmp6.h
definitions for fourth level ICMPv6 identifiers
.It Aq Pa netinet/tcp_var.h
definitions for fourth level TCP identifiers
.It Aq Pa netinet/udp_var.h
definitions for fourth level UDP identifiers
.It Aq Pa netinet6/udp6_var.h
definitions for fourth level IPv6 UDP identifiers
.It Aq Pa netinet6/ipsec.h
definitions for fourth level IPsec identifiers
.It Aq Pa netkey/key_var.h
definitions for third level PF_KEY identifiers
.It Aq Pa machine/cpu.h
definitions for second level machdep identifiers
.El
.Sh ERRORS
The following errors may be reported:
.Bl -tag -width Er
.It Bq Er EFAULT
The buffer
.Fa name ,
.Fa oldp ,
.Fa newp ,
or length pointer
.Fa oldlenp
contains an invalid address, or the requested value is temporarily
unavailable.
.It Bq Er EINVAL
The
.Fa name
array is zero or greater than CTL_MAXNAME.
.It Bq Er EINVAL
A non-null
.Fa newp
is given and its specified length in
.Fa newlen
is too large or too small, or the given value is not acceptable for
the given node.
.It Bq Er ENOMEM
The length pointed to by
.Fa oldlenp
is too short to hold the requested value.
.It Bq Er EISDIR
The
.Fa name
array specifies an intermediate rather than terminal name.
.It Bq Er ENOTDIR
The
.Fa name
array specifies a node below a node that addresses data.
.It Bq Er ENOENT
The
.Fa name
array specifies a node that does not exist in the tree.
.It Bq Er ENOENT
An attempt was made to destroy a node that does not exist, or to
create or destroy a node below a node that does not exist.
.It Bq Er ENOTEMPTY
An attempt was made to destroy a node that still has children.
.It Bq Er EOPNOTSUPP
The
.Fa name
array specifies a value that is unknown or a meta-operation was
attempted that the requested node does not support.
.It Bq Er EPERM
An attempt is made to set a read-only value.
.It Bq Er EPERM
A process without appropriate privilege attempts to set a value or to
create or destroy a node.
.It Bq Er EPERM
An attempt to change a value protected by the current kernel security
level is made.
.El
.Sh SEE ALSO
.Xr ipsec 4 ,
.Xr tcp 4 ,
.Xr sysctl 8
.\" .Xr sysctl 9
.Sh HISTORY
The
.Nm
function first appeared in
.Bx 4.4 .