.\" $NetBSD: sysctl.3,v 1.159 2005/12/01 18:08:10 wiz Exp $
.\"
.\" Copyright (c) 1993
.\"    The Regents of the University of California.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95
.\"
.Dd December 1, 2005
.Dt SYSCTL 3
.Os
.Sh NAME
.Nm sysctl ,
.Nm sysctlbyname ,
.Nm sysctlgetmibinfo ,
.Nm sysctlnametomib
.Nd get or set system information
.Sh LIBRARY
.Lb libc
.Sh SYNOPSIS
.In sys/param.h
.In sys/sysctl.h
.Ft int
.Fn sysctl "int *name" "u_int namelen" "void *oldp" "size_t *oldlenp" \
"void *newp" "size_t newlen"
.Ft int
.Fn sysctlbyname "const char *sname" "void *oldp" "size_t *oldlenp" \
"void *newp" "size_t newlen"
.Ft int
.Fn sysctlgetmibinfo "const char *sname" "int *name" "u_int *namelenp" \
"char *cname" "size_t *csz" "struct sysctlnode **rnode" "int v"
.Ft int
.Fn sysctlnametomib "const char *sname" "int *name" "size_t *namelenp"
.Sh DESCRIPTION
The
.Nm
function retrieves system information and allows processes with
appropriate privileges to set system information.
The information available from
.Nm
consists of integers, strings, and tables.
Information may be retrieved and set from the command interface
using the
.Xr sysctl 8
utility.
.Pp
Unless explicitly noted below,
.Nm
returns a consistent snapshot of the data requested.
Consistency is obtained by locking the destination
buffer into memory so that the data may be copied out without blocking.
Calls to
.Nm
are serialized to avoid deadlock.
.Pp
The state is described using a ``Management Information Base'' (MIB)
style name, listed in
.Fa name ,
which is a
.Fa namelen
length array of integers.
.Pp
The
.Fn sysctlbyname
function accepts a string representation of a MIB entry and internally
maps it to the appropriate numeric MIB representation.
Its semantics are otherwise no different from
.Fn sysctl .
.Pp
The information is copied into the buffer specified by
.Fa oldp .
The size of the buffer is given by the location specified by
.Fa oldlenp
before the call,
and that location gives the amount of data copied after a successful call.
If the amount of data available is greater
than the size of the buffer supplied,
the call supplies as much data as fits in the buffer provided
and returns with the error code ENOMEM.
If the old value is not desired,
.Fa oldp
and
.Fa oldlenp
should be set to
.Dv NULL .
.Pp
The size of the available data can be determined by calling
.Nm
with a
.Dv NULL
parameter for
.Fa oldp .
The size of the available data will be returned in the location pointed to by
.Fa oldlenp .
For some operations, the amount of space may change often.
For these operations,
the system attempts to round up so that the returned size is
large enough for a call to return the data shortly thereafter.
.Pp
To set a new value,
.Fa newp
is set to point to a buffer of length
.Fa newlen
from which the requested value is to be taken.
If a new value is not to be set,
.Fa newp
should be set to
.Dv NULL
and
.Fa newlen
set to 0.
.Pp
The
.Fn sysctlnametomib
function can be used to map the string representation of a MIB entry
to the numeric version.
The
.Fa name
argument should point to an array of integers large enough to hold the
MIB, and
.Fa namelenp
should indicate the number of integer slots available.
Following a successful translation, the size_t indicated by
.Fa namelenp
will be changed to show the number of slots consumed.
.Pp
The
.Fn sysctlgetmibinfo
function performs name translation similar to
.Fn sysctlnametomib ,
but also canonicalizes the name (or returns the first erroneous token
from the string being parsed) into the space indicated by
.Fa cname
and
.Fa csz .
.Fa csz
should indicate the size of the buffer pointed to by
.Fa cname
and on return, will indicate the size of the returned string including
the trailing
.Sq nul
character.
.Pp
The
.Fa rnode
and
.Fa v
arguments to
.Fn sysctlgetmibinfo
are used to provide a tree for it to parse into, and to get back
either a pointer to, or a copy of, the terminal node.
If
.Fa rnode
is
.Dv NULL ,
.Fn sysctlgetmibinfo
uses its own internal tree for parsing, and checks it against the
kernel at each call, to make sure that the name-to-number mapping is
kept up to date.
The
.Fa v
argument is ignored in this case.
If
.Fa rnode
is not
.Dv NULL
but the pointer it references is, on a successful return,
.Fa rnode
will be adjusted to point to a copy of the terminal node.
The
.Fa v
argument indicates which version of the
.Nm
node structure the caller wants.
The application must later
.Fn free
this copy.
If neither
.Fa rnode
nor the pointer it references are
.Dv NULL ,
the pointer is used as the address of a tree over which the parsing is
done.
In this last case, the tree is not checked against the kernel, no
refreshing of the mappings is performed, and the value given by
.Fa v
must agree with the version indicated by the tree.
It is recommended that applications always use
.Dv SYSCTL_VERSION
as the value for
.Fa v ,
as defined in the include file
.Pa sys/sysctl.h .
.Pp
The top level names are defined with a CTL_ prefix in
.Aq Pa sys/sysctl.h ,
and are as follows.
The next and subsequent levels down are found in the include files
listed here, and described in separate sections below.
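The size probe and ENOMEM behaviour described above, as an added example that is not part of the original manual page: a value can grow between the probe (oldp set to NULL) and the fetch, so a caller must check the return value and retry instead of using the truncated buffer. The names sysctl_fn, sysctl_fetch, fake_sysctl and fake_reset are hypothetical; fake_sysctl is a constructed stand-in for the kernel so the code runs anywhere, and on a real system a wrapper with the same parameter list that calls sysctl() would be passed instead.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical type: same parameter list as sysctl() in the SYNOPSIS. */
typedef int (*sysctl_fn)(int *, unsigned int, void *, size_t *,
    void *, size_t);

#define FETCH_TRIES 8	/* assumed bound so a fast-growing value cannot loop forever */

/*
 * Hypothetical helper: probe the size with oldp == NULL, allocate, fetch,
 * and start over when the value grew in between (ENOMEM, partial data).
 * Returns a malloc()ed, NUL-terminated buffer and its length in *lenp,
 * or NULL with errno set.
 */
void *
sysctl_fetch(sysctl_fn fn, int *mib, unsigned int miblen, size_t *lenp)
{
	char *buf = NULL, *nbuf;
	size_t len;
	int tries, saved;

	for (tries = 0; tries < FETCH_TRIES; tries++) {
		len = 0;
		if (fn(mib, miblen, NULL, &len, NULL, 0) == -1)
			break;
		if ((nbuf = realloc(buf, len + 1)) == NULL)
			break;
		buf = nbuf;
		if (fn(mib, miblen, buf, &len, NULL, 0) == 0) {
			buf[len] = '\0';	/* len is now the amount copied */
			*lenp = len;
			return buf;
		}
		if (errno != ENOMEM)
			break;
		/* ENOMEM: buffer holds truncated data; discard and re-probe. */
	}
	saved = errno;
	free(buf);
	errno = saved;
	return NULL;
}

/* Constructed stand-in for the kernel so the example runs on any system. */
static const char *fake_value;
static const char *fake_next;	/* replaces fake_value right after a probe */
static int fake_calls;

void
fake_reset(const char *value, const char *next)
{
	fake_value = value;
	fake_next = next;
	fake_calls = 0;
}

int
fake_sysctl(int *name, unsigned int namelen, void *oldp, size_t *oldlenp,
    void *newp, size_t newlen)
{
	size_t avail = strlen(fake_value) + 1;

	(void)name; (void)namelen; (void)newp; (void)newlen;
	fake_calls++;
	if (oldp == NULL) {
		*oldlenp = avail;		/* size probe */
		if (fake_next != NULL) {	/* value grows right after it */
			fake_value = fake_next;
			fake_next = NULL;
		}
		return 0;
	}
	if (*oldlenp < avail) {
		memcpy(oldp, fake_value, *oldlenp);	/* as much as fits */
		errno = ENOMEM;
		return -1;
	}
	memcpy(oldp, fake_value, avail);
	*oldlenp = avail;
	return 0;
}

int
main(void)
{
	int mib[2] = { 0, 0 };	/* placeholder MIB; the stand-in ignores it */
	size_t len;
	char *p;

	/* Constructed sample: a disk name list that grows after the probe. */
	fake_reset("wd0 cd0", "wd0 cd0 sd0 sd1");
	p = sysctl_fetch(fake_sysctl, mib, 2, &len);
	if (p == NULL)
		return 1;
	printf("%zu bytes after %d calls: %s\n", len, fake_calls, p);
	free(p);
	return 0;
}
```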
.Pp
.Bl -column CTLXMACHDEPXXX "Next level namesXXXXXX" -offset indent
.It Sy Name Ta Next level names Ta Description
.It CTL\_KERN Ta sys/sysctl.h Ta High kernel limits
.It CTL\_VM Ta uvm/uvm_param.h Ta Virtual memory
.It CTL\_VFS Ta sys/mount.h Ta Filesystem
.It CTL\_NET Ta sys/socket.h Ta Networking
.It CTL\_DEBUG Ta sys/sysctl.h Ta Debugging
.It CTL\_HW Ta sys/sysctl.h Ta Generic CPU, I/O
.It CTL\_MACHDEP Ta sys/sysctl.h Ta Machine dependent
.It CTL\_USER Ta sys/sysctl.h Ta User-level
.It CTL\_DDB Ta sys/sysctl.h Ta In-kernel debugger
.It CTL\_PROC Ta sys/sysctl.h Ta Per-process
.It CTL\_VENDOR Ta ? Ta Vendor specific
.It CTL\_EMUL Ta sys/sysctl.h Ta Emulation settings
.It CTL\_SECURITY Ta sys/sysctl.h Ta Security settings
.El
.Pp
For example, the following retrieves the maximum number of processes allowed
in the system:
.Bd -literal -offset indent -compact
int mib[2], maxproc;
size_t len;
.sp
mib[0] = CTL_KERN;
mib[1] = KERN_MAXPROC;
len = sizeof(maxproc);
sysctl(mib, 2, \*[Am]maxproc, \*[Am]len, NULL, 0);
.Ed
.sp
To retrieve the standard search path for the system utilities:
.Bd -literal -offset indent -compact
int mib[2];
size_t len;
char *p;
.sp
mib[0] = CTL_USER;
mib[1] = USER_CS_PATH;
sysctl(mib, 2, NULL, \*[Am]len, NULL, 0);
p = malloc(len);
sysctl(mib, 2, p, \*[Am]len, NULL, 0);
.Ed
.Sh CTL_DEBUG
The debugging variables vary from system to system.
A debugging variable may be added or deleted without need to recompile
.Nm
to know about it.
Each time it runs,
.Nm
gets the list of debugging variables from the kernel and
displays their current values.
The system defines twenty
.Va ( struct ctldebug )
variables named
.Dv debug0
through
.Dv debug19 .
They are declared as separate variables so that they can be
individually initialized at the location of their associated variable.
The loader prevents multiple use of the same variable by issuing errors
if a variable is initialized in more than one place.
For example, to export the variable
.Dv dospecialcheck
as a debugging variable, the following declaration would be used:
.Bd -literal -offset indent -compact
int dospecialcheck = 1;
struct ctldebug debug5 = { "dospecialcheck", \*[Am]dospecialcheck };
.Ed
.Pp
Note that the dynamic implementation of
.Nm
currently in use largely makes this particular
.Nm
interface obsolete.
See
.Xr sysctl 8
.\" and
.\" .Xr sysctl 9
for more information.
.Sh CTL_VFS
A distinguished second level name, VFS_GENERIC,
is used to get general information about all filesystems.
One of its third level identifiers is VFS_MAXTYPENUM
that gives the highest valid filesystem type number.
Its other third level identifier is VFS_CONF that
returns configuration information about the filesystem
type given as a fourth level identifier.
The remaining second level identifiers are the
filesystem type number returned by a
.Xr statfs 2
call or from VFS_CONF.
The third level identifiers available for each filesystem
are given in the header file that defines the mount
argument structure for that filesystem.
.Sh CTL_HW
The string and integer information available for the CTL_HW level
is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "Second level nameXXXXXX" "struct disk_sysctlXXX" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It HW\_MACHINE Ta string Ta no
.It HW\_MODEL Ta string Ta no
.It HW\_NCPU Ta integer Ta no
.It HW\_BYTEORDER Ta integer Ta no
.It HW\_PHYSMEM Ta integer Ta no
.It HW\_PHYSMEM64 Ta quad Ta no
.It HW\_USERMEM Ta integer Ta no
.It HW\_USERMEM64 Ta quad Ta no
.It HW\_PAGESIZE Ta integer Ta no
.\".It HW\_DISKNAMES struct no
.\".It HW\_DISKSTATS struct no
.It HW\_MACHINE\_ARCH Ta string Ta no
.It HW\_ALIGNBYTES Ta integer Ta no
.It HW\_DISKNAMES Ta string Ta no
.It HW\_DISKSTATS Ta struct disk_sysctl Ta no
.It HW\_CNMAGIC Ta string Ta yes
.El
.Pp
.Bl -tag -width "123456"
.It Li HW_MACHINE
The machine class.
.It Li HW_MODEL
The machine model.
.It Li HW_NCPU
The number of CPUs.
.ne 1i
.It Li HW_BYTEORDER
The byteorder (4,321, or 1,234).
.It Li HW_PHYSMEM
The bytes of physical memory as a 32-bit integer.
.It Li HW_PHYSMEM64
The bytes of physical memory as a 64-bit integer.
.It Li HW_USERMEM
The bytes of non-kernel memory as a 32-bit integer.
.It Li HW_USERMEM64
The bytes of non-kernel memory as a 64-bit integer.
.It Li HW_PAGESIZE
The software page size.
.It Li HW_MACHINE_ARCH
The machine CPU class.
.It Li HW_ALIGNBYTES
Alignment constraint for all possible data types.
This shows the value
.Dv ALIGNBYTES
in
.Pa /usr/include/machine/param.h ,
at the kernel compilation time.
.It Li HW_DISKNAMES
The list of (space separated) disk device names on the system.
.It Li HW_DISKSTATS
Return statistical information on the disk devices on the system.
An array of
.Va struct disk_sysctl
structures is returned,
whose size depends on the current number of such objects in the system.
The third level name is the size of the
.Va struct disk_sysctl .
.It Li HW_CNMAGIC
The console magic key sequence.
.El
.Sh CTL_KERN
The string and integer information available for the CTL_KERN level
is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
The types of data currently available are process information,
system vnodes, the open file entries, routing table entries,
virtual memory statistics, load average history, and clock rate
information.
.Bl -column "KERNXPOSIXXREADERXWRITERXLOCKS" "struct clockrateXXX" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It KERN\_ARGMAX Ta integer Ta no
.It KERN\_AUTONICETIME Ta integer Ta yes
.It KERN\_AUTONICEVAL Ta integer Ta yes
.It KERN\_BOOTTIME Ta struct timeval Ta no
.It KERN\_CCPU Ta integer Ta no
.It KERN\_CLOCKRATE Ta struct clockinfo Ta no
.It KERN\_CP\_TIME Ta uint64_t[\|] Ta no
.It KERN\_DEFCORENAME Ta string Ta yes
.It KERN\_DOMAINNAME Ta string Ta yes
.It KERN\_DRIVERS Ta struct kinfo_drivers Ta no
.It KERN\_FILE Ta struct file Ta no
.It KERN\_FORKFSLEEP Ta integer Ta yes
.It KERN\_FSCALE Ta integer Ta no
.It KERN\_FSYNC Ta integer Ta no
.It KERN\_HOSTID Ta integer Ta yes
.It KERN\_HOSTNAME Ta string Ta yes
.It KERN\_IOV\_MAX Ta integer Ta no
.It KERN\_JOB\_CONTROL Ta integer Ta no
.It KERN\_LABELOFFSET Ta integer Ta no
.It KERN\_LABELSECTOR Ta integer Ta no
.It KERN\_LOGIN\_NAME\_MAX Ta integer Ta no
.It KERN\_LOGSIGEXIT Ta integer Ta yes
.It KERN\_MAPPED\_FILES Ta integer Ta no
.It KERN\_MAXFILES Ta integer Ta yes
.It KERN\_MAXPARTITIONS Ta integer Ta no
.It KERN\_MAXPROC Ta integer Ta yes
.It KERN\_MAXPTYS Ta integer Ta yes
.It KERN\_MAXVNODES Ta integer Ta yes
.It KERN\_MBUF Ta node Ta not applicable
.It KERN\_MEMLOCK Ta integer Ta no
.It KERN\_MEMLOCK\_RANGE Ta integer Ta no
.It KERN\_MEMORY\_PROTECTION Ta integer Ta no
.It KERN\_MONOTONIC\_CLOCK Ta integer Ta no
.It KERN\_MSGBUF Ta char[\|] Ta no
.It KERN\_MSGBUFSIZE Ta integer Ta no
.It KERN\_NGROUPS Ta integer Ta no
.It KERN\_NTPTIME Ta struct ntptimeval Ta no
.It KERN\_OSRELEASE Ta string Ta no
.It KERN\_OSREV Ta integer Ta no
.It KERN\_OSTYPE Ta string Ta no
.It KERN\_POSIX1 Ta integer Ta no
.It KERN\_POSIX\_BARRIERS Ta integer Ta no
.It KERN\_POSIX\_READER\_WRITER\_LOCKS Ta integer Ta no
.It KERN\_POSIX\_SEMAPHORES Ta integer Ta no
.It KERN\_POSIX\_SPIN\_LOCKS Ta integer Ta no
.It KERN\_POSIX\_THREADS Ta integer Ta no
.It KERN\_POSIX\_TIMERS Ta integer Ta no
.It KERN\_PROC Ta struct kinfo_proc Ta no
.It KERN\_PROC2 Ta struct kinfo_proc2 Ta no
.It KERN\_PROC\_ARGS Ta string Ta no
.It KERN\_PROF Ta node Ta not applicable
.It KERN\_RAWPARTITION Ta integer Ta no
.It KERN\_ROOT\_DEVICE Ta string Ta no
.It KERN\_ROOT\_PARTITION Ta integer Ta no
.It KERN\_RTC\_OFFSET Ta integer Ta yes
.It KERN\_SAVED\_IDS Ta integer Ta no
.It KERN\_SECURELVL Ta integer Ta raise only
.It KERN\_SYNCHRONIZED\_IO Ta integer Ta no
.It KERN\_SYSVIPC\_INFO Ta node Ta not applicable
.It KERN\_SYSVMSG Ta integer Ta no
.It KERN\_SYSVSEM Ta integer Ta no
.It KERN\_SYSVSHM Ta integer Ta no
.It KERN\_TKSTAT Ta node Ta not applicable
.It KERN\_VERIEXEC Ta node Ta not applicable
.It KERN\_VERSION Ta string Ta no
.It KERN\_VNODE Ta struct vnode Ta no
.It KERN\_HARDCLOCK\_TICKS Ta integer Ta no
.El
.ne 1i
.Pp
.Bl -tag -width "123456"
.It Li KERN_ARGMAX
The maximum bytes of argument to
.Xr execve 2 .
.It Li KERN_AUTONICETIME
The number of seconds of CPU-time a non-root process may accumulate before
having its priority lowered from the default to the value of KERN_AUTONICEVAL.
If set to 0, automatic lowering of priority is not performed, and if set to \-1
all non-root processes are immediately lowered.
.It Li KERN_AUTONICEVAL
The priority assigned for automatically niced processes.
.It Li KERN_BOOTTIME
A
.Va struct timeval
structure is returned.
This structure contains the time that the system was booted.
.It Li KERN_CCPU
The scheduler exponential decay value.
.It Li KERN_CLOCKRATE
A
.Va struct clockinfo
structure is returned.
This structure contains the clock, statistics clock and profiling clock
frequencies, the number of micro-seconds per hz tick, and the clock
skew rate.
.It Li KERN_CP_TIME
Returns an array of CPUSTATES uint64_ts.
This array contains the
number of clock ticks spent in different CPU states.
On multi-processor systems, the sum across all CPUs is returned unless
appropriate space is given for one data set for each CPU.
Data for a specific CPU can also be obtained by adding the number of the
CPU at the end of the MIB, enlarging it by one.
.It Li KERN_DEFCORENAME
Default template for the name of core dump files (see also PROC_PID_CORENAME
in the per-process variables CTL_PROC, and
.Xr core 5
for format of this template).
The default value is
.Nm %n.core
and can be changed with the kernel configuration option
.Cd options DEFCORENAME
(see
.Xr options 4
).
.It Li KERN_DOMAINNAME
Get or set the YP domain name.
.It Li KERN_DRIVERS
Return an array of
.Va struct kinfo_drivers
that contains the name and major device numbers of all the device drivers
in the current kernel.
The
.Va d_name
field is always a NUL terminated string.
The
.Va d_bmajor
field will be set to \-1 if the driver doesn't have a block device.
.It Li KERN_FILE
Return the entire file table.
The returned data consists of a single
.Va struct filelist
followed by an array of
.Va struct file ,
whose size depends on the current number of such objects in the system.
.It Li KERN_FSCALE
The kernel fixed-point scale factor.
.It Li KERN_FORKFSLEEP
If the
.Xr fork 2
system call fails due to the limit on the number of processes (either
the global maxproc limit or the user's one), wait for this many
milliseconds before returning the
.Er EAGAIN
error to the process.
Useful to keep heavily forking runaway processes at bay.
Default zero (no sleep).
Maximum is 20 seconds.
.It Li KERN_FSYNC
Return 1 if the POSIX 1003.1b File Synchronization Option is available
on this system,
otherwise 0.
.It Li KERN_HOSTID
Get or set the host id.
.It Li KERN_HOSTNAME
Get or set the hostname.
.It Li KERN_IOV_MAX
Return the maximum number of
.Va iovec
structures that a process has available for use with
.Xr preadv 2 ,
.Xr pwritev 2 ,
.Xr readv 2 ,
.Xr recvmsg 2 ,
.Xr sendmsg 2
and
.Xr writev 2 .
.It Li KERN_JOB_CONTROL
Return 1 if job control is available on this system, otherwise 0.
.It Li KERN_LABELOFFSET
The offset within the sector specified by KERN_LABELSECTOR of the
.Xr disklabel 5 .
.It Li KERN_LABELSECTOR
The sector number containing the
.Xr disklabel 5 .
.It Li KERN_LOGIN_NAME_MAX
The size of the storage required for a login name, in bytes,
including the terminating NUL.
.It Li KERN_LOGSIGEXIT
If this flag is non-zero, the kernel will
.Xr log 9
all process exits due to signals which create a
.Xr core 5
file, and whether the coredump was created.
.It Li KERN_MAPPED_FILES
Returns 1 if the POSIX 1003.1b Memory Mapped Files Option is available
on this system,
otherwise 0.
.It Li KERN_MAXFILES
The maximum number of open files that may be open in the system.
.It Li KERN_MAXPARTITIONS
The maximum number of partitions allowed per disk.
.It Li KERN_MAXPROC
The maximum number of simultaneous processes the system will allow.
.It Li KERN_MAXPTYS
The maximum number of pseudo terminals.
This value can be both raised and lowered, though it cannot
be set lower than the number of currently used ptys.
See also
.Xr pty 4 .
.It Li KERN_MAXVNODES
The maximum number of vnodes available on the system.
This can only be raised.
.It Li KERN_MBUF
Return information about the mbuf control variables.
The third level names for the mbuf variables are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "MBUFXNMBCLUSTERSXXX" "struct integerXXX" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It MBUF\_MSIZE Ta integer Ta yes
.It MBUF\_MCLBYTES Ta integer Ta yes
.It MBUF\_NMBCLUSTERS Ta integer Ta yes
.It MBUF\_MBLOWAT Ta integer Ta yes
.It MBUF\_MCLLOWAT Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li MBUF_MSIZE
The mbuf base size.
.It Li MBUF_MCLBYTES
The mbuf cluster size.
.It Li MBUF_NMBCLUSTERS
The limit on the number of mbuf clusters.
The variable can only be increased, and only increased on machines with
direct-mapped pool pages.
.It Li MBUF_MBLOWAT
The mbuf low water mark.
.It Li MBUF_MCLLOWAT
The mbuf cluster low water mark.
.El
.It Li KERN_MEMLOCK
Returns 1 if the POSIX 1003.1b Process Memory Locking Option is available
on this system,
otherwise 0.
.It Li KERN_MEMLOCK_RANGE
Returns 1 if the POSIX 1003.1b Range Memory Locking Option is available
on this system,
otherwise 0.
.It Li KERN_MEMORY_PROTECTION
Returns 1 if the POSIX 1003.1b Memory Protection Option is available
on this system,
otherwise 0.
.It Li KERN_MONOTONIC_CLOCK
Returns the standard version the implementation of the POSIX 1003.1b
Monotonic Clock Option conforms to,
otherwise 0.
.It Li KERN_MSGBUF
The kernel message buffer, rotated so that the head of the circular kernel
message buffer is returned at the start of the buffer specified by
.Fa oldp .
The returned data may contain NUL bytes.
.It Li KERN_MSGBUFSIZE
The maximum number of characters that the kernel message buffer can hold.
.It Li KERN_NGROUPS
The maximum number of supplemental groups.
.It Li KERN_NO_TRUNC
Return 1 if file names longer than KERN_NAME_MAX are truncated.
.It Li KERN_NTPTIME
A
.Va struct ntptimeval
structure is returned.
This structure contains data used by the
.Xr ntpd 8
program.
.It Li KERN_OSRELEASE
The system release string.
.It Li KERN_OSREV
The system revision string.
.It Li KERN_OSTYPE
The system type string.
.It Li KERN_PATH_MAX
The maximum number of bytes in a pathname.
.It Li KERN_POSIX1
The version of ISO/IEC 9945 (POSIX 1003.1) with which the system
attempts to comply.
.It Li KERN_POSIX_BARRIERS
The version of
.St -p1003.1
and its
Barriers
option to which the system attempts to conform,
otherwise 0.
.It Li KERN_POSIX_READER_WRITER_LOCKS
The version of
.St -p1003.1
and its
Read-Write Locks
option to which the system attempts to conform,
otherwise 0.
.It Li KERN_POSIX_SEMAPHORES
The version of
.St -p1003.1
and its
Semaphores
option to which the system attempts to conform,
otherwise 0.
.It Li KERN_POSIX_SPIN_LOCKS
The version of
.St -p1003.1
and its
Spin Locks
option to which the system attempts to conform,
otherwise 0.
.It Li KERN_POSIX_THREADS
The version of
.St -p1003.1
and its
Threads
option to which the system attempts to conform,
otherwise 0.
.It Li KERN_POSIX_TIMERS
The version of
.St -p1003.1
and its
Timers
option to which the system attempts to conform,
otherwise 0.
.It Li KERN_PROC
Return the entire process table, or a subset of it.
An array of
.Va struct kinfo_proc
structures is returned,
whose size depends on the current number of such objects in the system.
The third and fourth level names are as follows:
.Bl -column "Third level nameXXXXXX" "Fourth level is:XXXXXX" -offset indent
.It Sy Third level name Ta Fourth level is:
.It KERN\_PROC\_ALL Ta None
.It KERN\_PROC\_PID Ta A process ID
.It KERN\_PROC\_PGRP Ta A process group
.It KERN\_PROC\_SESSION Ta A session ID
.It KERN\_PROC\_TTY Ta A tty device
.It KERN\_PROC\_UID Ta A user ID
.It KERN\_PROC\_RUID Ta A real user ID
.It KERN\_PROC\_GID Ta A group ID
.It KERN\_PROC\_RGID Ta A real group ID
.El
.It Li KERN_PROC2
As for KERN_PROC, but an array of
.Va struct kinfo_proc2
structures is returned.
The fifth level name is the size of the
.Va struct kinfo_proc2
and the sixth level name is the number of structures to return.
.It Li KERN_PROC_ARGS
Return the argv or environment strings (or the number thereof)
of a process.
Multiple strings are returned separated by NUL characters.
The third level name is the process ID.
The fourth level name is as follows:
.Bl -column "Third level nameXXXXXX" -offset indent
.It KERN\_PROC\_ARGV Ta The argv strings
.It KERN\_PROC\_NARGV Ta The number of argv strings
.It KERN\_PROC\_ENV Ta The environ strings
.It KERN\_PROC\_NENV Ta The number of environ strings
.El
.It Li KERN_PROF
Return profiling information about the kernel.
If the kernel is not compiled for profiling,
attempts to retrieve any of the KERN_PROF values will
fail with EOPNOTSUPP.
The third level names for the string and integer profiling information
are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "GPROFXGMONPARAMXXX" "struct gmonparamXXX" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It GPROF\_STATE Ta integer Ta yes
.It GPROF\_COUNT Ta u_short[\|] Ta yes
.It GPROF\_FROMS Ta u_short[\|] Ta yes
.It GPROF\_TOS Ta struct tostruct Ta yes
.It GPROF\_GMONPARAM Ta struct gmonparam Ta no
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li GPROF_STATE
Profiling state.
If set to GMON_PROF_ON, starts profiling.
If set to GMON_PROF_OFF, stops profiling.
.It Li GPROF_COUNT
Array of statistical program counter counts.
.It Li GPROF_FROMS
Array indexed by program counter of call-from points.
.It Li GPROF_TOS
Array of
.Va struct tostruct
describing destination of calls and their counts.
.It Li GPROF_GMONPARAM
Structure giving the sizes of the above arrays.
.El
.It Li KERN_RAWPARTITION
The raw partition of a disk (a == 0).
.It Li KERN_ROOT_DEVICE
The name of the root device (e.g.,
.Dq wd0 ) .
.It Li KERN_ROOT_PARTITION
The root partition on the root device (a == 0).
.It Li KERN_RTC_OFFSET
Return the offset of real time clock from UTC in minutes.
.It Li KERN_SAVED_IDS
Returns 1 if saved set-group and saved set-user ID is available.
.It Li KERN_SECURELVL
The system security level.
This level may be raised by processes with appropriate privilege.
It may only be lowered by process 1.
.It Li KERN_SYNCHRONIZED_IO
Returns 1 if the POSIX 1003.1b Synchronized I/O Option is available
on this system,
otherwise 0.
.It Li KERN_SYSVIPC_INFO
Return System V style IPC configuration and run-time information.
The third level name selects the System V style IPC facility.
.Bl -column "KERN_SYSVIPC_MSG_INFOXXX" "struct shm_sysctl_infoXXX" -offset indent
.It Sy Third level name Ta Type
.It KERN\_SYSVIPC\_MSG\_INFO Ta struct msg_sysctl_info
.It KERN\_SYSVIPC\_SEM\_INFO Ta struct sem_sysctl_info
.It KERN\_SYSVIPC\_SHM\_INFO Ta struct shm_sysctl_info
.El
.Pp
.Bl -tag -width "123456"
.It Li KERN_SYSVIPC_MSG_INFO
Return information on the System V style message facility.
The
.Sy msg_sysctl_info
structure is defined in
.Aq Pa sys/msg.h .
.It Li KERN_SYSVIPC_SEM_INFO
Return information on the System V style semaphore facility.
The
.Sy sem_sysctl_info
structure is defined in
.Aq Pa sys/sem.h .
.It Li KERN_SYSVIPC_SHM_INFO
Return information on the System V style shared memory facility.
The
.Sy shm_sysctl_info
structure is defined in
.Aq Pa sys/shm.h .
.El
.It Li KERN_SYSVMSG
Returns 1 if System V style message queue functionality is available
on this system,
otherwise 0.
.It Li KERN_SYSVSEM
Returns 1 if System V style semaphore functionality is available
on this system,
otherwise 0.
.It Li KERN_SYSVSHM
Returns 1 if System V style shared memory functionality is available
on this system,
otherwise 0.
.It Li KERN_TKSTAT
Return information about the number of characters sent and received
on ttys.
The third level names for the tty statistic variables are detailed below.
The changeable column shows whether a process
with appropriate privilege may change the value.
.Bl -column "KERNXTKSTATXRAWCCXXX" "struct integerXXX" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It KERN\_TKSTAT\_NIN Ta quad Ta no
.It KERN\_TKSTAT\_NOUT Ta quad Ta no
.It KERN\_TKSTAT\_CANCC Ta quad Ta no
.It KERN\_TKSTAT\_RAWCC Ta quad Ta no
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li KERN_TKSTAT_NIN
The total number of input characters.
.It Li KERN_TKSTAT_NOUT
The total number of output characters.
.It Li KERN_TKSTAT_CANCC
The number of canonical input characters.
.It Li KERN_TKSTAT_RAWCC
The number of raw input characters.
.El
.It Li KERN_VERIEXEC
Tunings for Verified Exec.
Third level names for the veriexec variables are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value or only raise it.
Only the superuser can modify these variables.
.Bl -column "VERIEXECXALGORITHMSXXX" "struct integerXXX" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It VERIEXEC\_VERBOSE Ta integer Ta yes
.It VERIEXEC\_STRICT Ta integer Ta raise only
.It VERIEXEC\_ALGORITHMS Ta string Ta no
.It VERIEXEC\_COUNT Ta node Ta not applicable
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li VERIEXEC_VERBOSE
Controls the verbosity level of Verified Exec.
If 0, only the minimal
indication required will be given about what's happening - fingerprint
mismatches, removal of entries from the tables, modification of a
fingerprinted file.
If 1, more messages will be printed (i.e., when a file with a valid
fingerprint is accessed).
Verbose level 2 is debug mode.
.It Li VERIEXEC_STRICT
Controls the strict level of Verified Exec.
The strict level defines how
Verified Exec will treat various situations.
In strict level 0, the system is in learning mode and will only warn about
fingerprint mismatches, as well as allow removal of fingerprinted files.
It is the only level where fingerprints can be loaded.
In strict level 1, the system is in IDS mode.
It will deny access to files with mismatched fingerprints.
In strict level 2, the system is in IPS mode.
It has all effects of
strict level 1, plus it will deny write access to monitored files,
prevent their removal, and enforce access type (direct, indirect, file).
Strict level 3 operates as lockdown mode.
It will have all effects of
strict level 2, but it will also prevent access to non-monitored files.
Furthermore, it will prevent addition of new files to the system, and
allow writing only to files opened before the strict level was raised.
.It Li VERIEXEC_ALGORITHMS
Returns a string with the supported algorithms in Verified Exec.
.It Li VERIEXEC_COUNT
Variables are added to this node as new hash tables are created to
contain Verified Exec data for a new device.
Each variable in the node
will have a name in the form of
.No dev_ Ns Aq id
where
.Aq id
is the device id.
For example, the variable for the root device may be dev_0.
The value of this
variable will be the number of fingerprinted files on the device.
.El
.It Li KERN_VERSION
The system version string.
.It Li KERN_VNODE
Return the entire vnode table.
Note, the vnode table is not necessarily a consistent snapshot of
the system.
The returned data consists of an array whose size depends on the
current number of such objects in the system.
Each element of the array contains the kernel address of a vnode
.Va struct vnode *
followed by the vnode itself
.Va struct vnode .
.It Li KERN_HARDCLOCK_TICKS
Returns the number of
.Xr hardclock 9
ticks.
.El
.Sh CTL_MACHDEP
The set of variables defined is architecture dependent.
Most architectures define at least the following variables.
.Bl -column "CONSOLE_DEVICEXXX" "integerXXX" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It Li CPU_CONSDEV Ta dev_t Ta no
.El
.Sh CTL_NET
The string and integer information available for the CTL_NET level
is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
The second and third levels are typically the protocol family and
protocol number, though this is not always the case.
.Bl -column "Second level nameXXXXXX" "routing messagesXXX" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It PF\_ROUTE Ta routing messages Ta no
.It PF\_INET Ta IPv4 values Ta yes
.It PF\_INET6 Ta IPv6 values Ta yes
.It PF\_KEY Ta IPsec key management values Ta yes
.El
.Pp
.Bl -tag -width "123456"
.It Li PF_ROUTE
Return the entire routing table or a subset of it.
The data is returned as a sequence of routing messages (see
.Xr route 4
for the header file, format and meaning).
The length of each message is contained in the message header.
.Pp
The third level name is a protocol number, which is currently always 0.
The fourth level name is an address family, which may be set to 0 to
select all address families.
The fifth and sixth level names are as follows:
.Bl -column "Fifth level nameXXXXXX" "Sixth level is:XXX" -offset indent
.It Sy Fifth level name Ta Sixth level is:
.It NET\_RT\_FLAGS Ta rtflags
.It NET\_RT\_DUMP Ta None
.It NET\_RT\_IFLIST Ta None
.El
.It Li PF_INET
Get or set various global information about the IPv4
.Pq Internet Protocol version 4 .
The third level name is the protocol.
The fourth level name is the variable name.
The currently defined protocols and names are:
.Bl -column "Protocol name" "Variable nameXX" "integer" "yes" -offset indent
.It Sy Protocol name Ta Variable name Ta Type Ta Changeable
.It ip Ta forwarding Ta integer Ta yes
.It ip Ta redirect Ta integer Ta yes
.It ip Ta ttl Ta integer Ta yes
.It ip Ta forwsrcrt Ta integer Ta yes
.It ip Ta directed-broadcast Ta integer Ta yes
.It ip Ta allowsrcrt Ta integer Ta yes
.It ip Ta subnetsarelocal Ta integer Ta yes
.It ip Ta mtudisc Ta integer Ta yes
.It ip Ta anonportmin Ta integer Ta yes
.It ip Ta anonportmax Ta integer Ta yes
.It ip Ta mtudisctimeout Ta integer Ta yes
.It ip Ta gifttl Ta integer Ta yes
.It ip Ta grettl Ta integer Ta yes
.It ip Ta lowportmin Ta integer Ta yes
.It ip Ta lowportmax Ta integer Ta yes
.It ip Ta maxfragpacket Ta integer Ta yes
.It ip Ta checkinterface Ta integer Ta yes
.It icmp Ta maskrepl Ta integer Ta yes
.It icmp Ta errppslimit Ta integer Ta yes
.It icmp Ta rediraccept Ta integer Ta yes
.It icmp Ta redirtimeout Ta integer Ta yes
.It tcp Ta rfc1323 Ta integer Ta yes
.It tcp Ta sendspace Ta integer Ta yes
.It tcp Ta recvspace Ta integer Ta yes
.It tcp Ta mssdflt Ta integer Ta yes
.It tcp Ta syn_cache_limit Ta integer Ta yes
.It tcp Ta syn_bucket_limit Ta integer Ta yes
.It tcp Ta syn_cache_interval Ta integer Ta yes
.It tcp Ta init_win Ta integer Ta yes
.It tcp Ta init_win_local Ta integer Ta yes
.It tcp Ta mss_ifmtu Ta integer Ta yes
.It tcp Ta sack Ta integer Ta yes
.It tcp Ta win_scale Ta integer Ta yes
.It tcp Ta timestamps Ta integer Ta yes
.It tcp Ta compat_42 Ta integer Ta yes
.It tcp Ta cwm Ta integer Ta yes
.It tcp Ta cwm_burstsize Ta integer Ta yes
.It tcp Ta ack_on_push Ta integer Ta yes
.It tcp Ta keepidle Ta integer Ta yes
.It tcp Ta keepintvl Ta integer Ta yes
.It tcp Ta keepcnt Ta integer Ta yes
.It tcp Ta slowhz Ta integer Ta no
.It tcp Ta newreno Ta integer Ta yes
.It tcp Ta log_refused Ta integer Ta yes
.It tcp Ta rstppslimit Ta integer Ta yes
.It tcp Ta ident Ta struct Ta no
.It udp Ta checksum Ta integer Ta yes
.It udp Ta sendspace Ta integer Ta yes
.It udp Ta recvspace Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li ip.forwarding
If set to 1, enables IP
forwarding for the host,
meaning that the host is acting as a router.
.It Li ip.redirect
If set to 1, ICMP redirects may be sent by the host.
This option is ignored unless the host is routing IP packets,
and should normally be enabled on all systems.
.It Li ip.ttl
The maximum time-to-live (hop count) value for an IP packet sourced by
the system.
This value applies to normal transport protocols, not to ICMP.
.It Li ip.forwsrcrt
If set to 1, enables forwarding of source-routed packets for the host.
This value may only be changed if the kernel security level is less than 1.
.It Li ip.directed-broadcast
If set to 1, enables directed broadcast behavior for the host.
.It Li ip.allowsrcrt
If set to 1, the host accepts source routed packets.
.It Li ip.subnetsarelocal
If set to 1, subnets are to be considered local addresses.
.It Li ip.mtudisc
If set to 1, enables Path MTU Discovery (RFC 1191).
When Path MTU Discovery is enabled, the transmitted TCP segment
size will be determined by the advertised maximum segment size
(MSS) from the remote end, as constrained by the path MTU.
If MTU Discovery is disabled, the transmitted segment size will
never be greater than
.Li tcp.mssdflt
(the local maximum segment size).
.It Li ip.anonportmin
The lowest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535.
.It Li ip.anonportmax
The highest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535, and must
be greater than
.Li ip.anonportmin .
.It Li ip.mtudisctimeout
The number of seconds in which a route added by the Path MTU
Discovery engine will time out.
When the route times out, the Path
MTU Discovery engine will attempt to probe a larger path MTU.
.It Li ip.gifttl
The maximum time-to-live (hop count) value for an IPv4 packet generated by
.Xr gif 4
tunnel interface.
.It Li ip.grettl
The maximum time-to-live (hop count) value for an IPv4 packet generated by
.Xr gre 4
tunnel interface.
.It Li ip.lowportmin
The lowest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be smaller than
.Li ip.lowportmax .
.It Li ip.lowportmax
The highest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be greater than
.Li ip.lowportmin .
.It Li ip.maxfragpackets
The maximum number of fragmented packets the node will accept.
0 means that the node will not accept any fragmented packets.
\-1 means that the node will accept as many fragmented packets as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip.checkinterface
If set to non-zero, the host will reject packets addressed to it
that arrive on an interface not bound to that address.
Currently, this must be disabled if ipnat is used to translate the
destination address to another local interface, or if addresses
are added to the loopback interface instead of the interface where
the packets for those addresses are received.
.It Li icmp.maskrepl
If set to 1, ICMP network mask requests are to be answered.
.It Li icmp.errppslimit
The variable specifies the maximum number of outgoing ICMP error messages,
per second.
ICMP error messages that exceed the value are subject to rate limitation
and will not go out from the node.
Negative value disables rate limitation.
.It Li icmp.rediraccept
If set to non-zero, the host will accept ICMP redirect packets.
Note that routers will never accept ICMP redirect packets,
and the variable is meaningful on IP hosts only.
.It Li icmp.redirtimeout
The variable specifies lifetime of routing entries generated by incoming
ICMP redirect.
This defaults to 600 seconds.
.It Li tcp.rfc1323
If set to 1, enables RFC 1323 extensions to TCP.
.It Li tcp.sendspace
The default TCP send buffer size.
.It Li tcp.recvspace
The default TCP receive buffer size.
.It Li tcp.mssdflt
The default maximum segment size both advertised to the peer
and to use when either the peer does not advertise a maximum segment size to
us during connection setup or Path MTU Discovery
.Li ( ip.mtudisc )
is disabled.
Do not change this value unless you really know what you are doing.
.It Li tcp.syn_cache_limit
The maximum number of entries allowed in the TCP compressed state
engine.
.It Li tcp.syn_bucket_limit
The maximum number of entries allowed per hash bucket in the TCP
compressed state engine.
.It Li tcp.syn_cache_interval
The TCP compressed state engine's timer interval.
.It Li tcp.init_win
A value indicating the TCP initial congestion window.
If this value is 0, an auto-tuning algorithm designed to use an initial
window of approximately 4K bytes is in use.
Otherwise, this value indicates a fixed number of packets.
.It Li tcp.init_win_local
Like
.Li tcp.init_win ,
but used when communicating with hosts on a local network.
.It Li tcp.mss_ifmtu
If set to 1, TCP calculates the outgoing maximum segment size based on
the MTU of the appropriate interface.
If set to 0, it is calculated based on the greater of the MTU of the
interface, and the largest (non-loopback) interface MTU on the system.
.It Li tcp.sack
If set to 1, enables RFC 2018 Selective ACKnowledgement.
.It Li tcp.win_scale
If rfc1323 is enabled, a value of 1 indicates RFC 1323 window scale options,
for increasing the TCP window size, are enabled.
.It Li tcp.timestamps
If rfc1323 is enabled, a value of 1 indicates RFC 1323 time stamp options,
used for measuring TCP round trip times, are enabled.
.It Li tcp.compat_42
If set to 1, enables work-arounds for bugs in the 4.2BSD TCP implementation.
Use of this option is not recommended, although it may be
required in order to communicate with extremely old TCP implementations.
.It Li tcp.cwm
If set to 1, enables use of the Hughes/Touch/Heidemann Congestion Window
Monitoring algorithm.
This algorithm prevents line-rate bursts of packets that could
otherwise occur when data begins flowing on an idle TCP connection.
These line-rate bursts can contribute to network and router congestion.
This can be particularly useful on World Wide Web servers
which support HTTP/1.1, which has lingering connections.
.It Li tcp.cwm_burstsize
The Congestion Window Monitoring allowed burst size, in terms
of packet count.
.It Li tcp.ack_on_push
If set to 1, TCP is to immediately transmit an ACK upon reception of
a packet with PUSH set.
This can avoid losing a round trip time in some rare situations,
but has the caveat of potentially defeating TCP's delayed ACK algorithm.
Use of this option is generally not recommended, but
the variable exists in case your configuration really needs it.
.It Li tcp.keepidle
Time a connection must be idle before keepalives are sent (if keepalives
are enabled for the connection).
See also tcp.slowhz.
.It Li tcp.keepintvl
Time after a keepalive probe is sent until, in the absence of any response,
another probe is sent.
See also tcp.slowhz.
.It Li tcp.keepcnt
Number of keepalive probes sent before declaring a connection dead.
If set to zero, there is no limit;
keepalives will be sent until some kind of
response is received from the peer.
.It Li tcp.slowhz
The units for tcp.keepidle and tcp.keepintvl; those variables are in ticks
of a clock that ticks tcp.slowhz times per second.
(That is, their values
must be divided by the tcp.slowhz value to get times in seconds.)
.It Li tcp.newreno
If set to 1, enables the use of J.
Hoe's NewReno congestion control algorithm.
This algorithm improves the start-up behavior of TCP connections.
.It Li tcp.log_refused
If set to 1, refused TCP connections to the host will be logged.
.It Li tcp.rstppslimit
The variable specifies the maximum number of outgoing TCP RST packets,
per second.
TCP RST packets that exceed the value are subject to rate limitation
and will not go out from the node.
Negative value disables rate limitation.
.It Li udp.checksum
If set to 1, UDP checksums are being computed.
Received non-zero UDP checksums are always checked.
Disabling UDP checksums is strongly discouraged.
.It Li udp.sendspace
The default UDP send buffer size.
.It Li udp.recvspace
The default UDP receive buffer size.
.El
.Pp
For variables net.*.ipsec, please refer to
.Xr ipsec 4 .
.It Li PF_INET6
Get or set various global information about the IPv6
.Pq Internet Protocol version 6 .
The third level name is the protocol.
The fourth level name is the variable name.
The currently defined protocols and names are:
.Bl -column "Protocol name" "Variable nameXX" "integer" "yes" -offset indent
.It Sy Protocol name Ta Variable name Ta Type Ta Changeable
.It ip6 Ta forwarding Ta integer Ta yes
.It ip6 Ta redirect Ta integer Ta yes
.It ip6 Ta hlim Ta integer Ta yes
.It ip6 Ta maxfragpackets Ta integer Ta yes
.It ip6 Ta accept_rtadv Ta integer Ta yes
.It ip6 Ta keepfaith Ta integer Ta yes
.It ip6 Ta log_interval Ta integer Ta yes
.It ip6 Ta hdrnestlimit Ta integer Ta yes
.It ip6 Ta dad_count Ta integer Ta yes
.It ip6 Ta auto_flowlabel Ta integer Ta yes
.It ip6 Ta defmcasthlim Ta integer Ta yes
.It ip6 Ta gif_hlim Ta integer Ta yes
.It ip6 Ta kame_version Ta string Ta no
.It ip6 Ta use_deprecated Ta integer Ta yes
.It ip6 Ta rr_prune Ta integer Ta yes
.It ip6 Ta v6only Ta integer Ta yes
.It ip6 Ta anonportmin Ta integer Ta yes
.It ip6 Ta anonportmax Ta integer Ta yes
.It ip6 Ta lowportmin Ta integer Ta yes
.It ip6 Ta lowportmax Ta integer Ta yes
.It ip6 Ta maxfrags Ta integer Ta yes
.It icmp6 Ta rediraccept Ta integer Ta yes
.It icmp6 Ta redirtimeout Ta integer Ta yes
.It icmp6 Ta nd6_prune Ta integer Ta yes
.It icmp6 Ta nd6_delay Ta integer Ta yes
.It icmp6 Ta nd6_umaxtries Ta integer Ta yes
.It icmp6 Ta nd6_mmaxtries Ta integer Ta yes
.It icmp6 Ta nd6_useloopback Ta integer Ta yes
.It icmp6 Ta nodeinfo Ta integer Ta yes
.It icmp6 Ta errppslimit Ta integer Ta yes
.It icmp6 Ta nd6_maxnudhint Ta integer Ta yes
.It icmp6 Ta mtudisc_hiwat Ta integer Ta yes
.It icmp6 Ta mtudisc_lowat Ta integer Ta yes
.It icmp6 Ta nd6_debug Ta integer Ta yes
.It udp6 Ta sendspace Ta integer Ta yes
.It udp6 Ta recvspace Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li ip6.forwarding
If set to 1, enables IPv6 forwarding for the node,
meaning that the node is acting as a router.
If set to 0, disables IPv6 forwarding for the node,
meaning that the node is acting as a host.
IPv6 specification defines node behavior for
.Dq router
case and
.Dq host
case quite differently, and changing this variable during operation
may cause serious trouble.
It is recommended to configure the variable at bootstrap time,
and bootstrap time only.
.It Li ip6.redirect
If set to 1, ICMPv6 redirects may be sent by the node.
This option is ignored unless the node is routing IP packets,
and should normally be enabled on all systems.
.It Li ip6.hlim
The default hop limit value for an IPv6 unicast packet sourced by the node.
This value applies to all the transport protocols on top of IPv6.
There are APIs to override the value, as documented in
.Xr ip6 4 .
.It Li ip6.maxfragpackets
The maximum number of fragmented packets the node will accept.
0 means that the node will not accept any fragmented packets.
\-1 means that the node will accept as many fragmented packets as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip6.accept_rtadv
If set to non-zero, the node will accept ICMPv6 router advertisement packets
and autoconfigure address prefixes and default routers.
The node must be a host
.Pq not a router
for the option to be meaningful.
.It Li ip6.keepfaith
If set to non-zero, it enables
.Dq FAITH
TCP relay IPv6-to-IPv4 translator code in the kernel.
Refer to
.Xr faith 4
and
.Xr faithd 8
for detail.
.It Li ip6.log_interval
The variable controls the amount of logs generated by the IPv6 packet
forwarding engine, by setting the interval between log output
.Pq in seconds .
.It Li ip6.hdrnestlimit
The number of IPv6 extension headers permitted on incoming IPv6 packets.
If set to 0, the node will accept as many extension headers as possible.
.It Li ip6.dad_count
The variable configures the number of IPv6 DAD
.Pq duplicated address detection
probe packets.
The packets will be generated when IPv6 interface addresses are configured.
.It Li ip6.auto_flowlabel
On connected transport protocol packets,
fill IPv6 flowlabel field to help intermediate routers to identify packet flows.
.It Li ip6.defmcasthlim
The default hop limit value for an IPv6 multicast packet sourced by the node.
This value applies to all the transport protocols on top of IPv6.
There are APIs to override the value, as documented in
.Xr ip6 4 .
.It Li ip6.gif_hlim
The maximum hop limit value for an IPv6 packet generated by
.Xr gif 4
tunnel interface.
.It Li ip6.kame_version
The string identifies the version of KAME IPv6 stack implemented in the kernel.
.It Li ip6.use_deprecated
The variable controls use of deprecated address, specified in RFC 2462 5.5.4.
.It Li ip6.rr_prune
The variable specifies interval between IPv6 router renumbering prefix
babysitting, in seconds.
.It Li ip6.v6only
The variable specifies initial value for
.Dv IPV6_V6ONLY
socket option for
.Dv AF_INET6
socket.
Please refer to
.Xr ip6 4
for detail.
.It Li ip6.anonportmin
The lowest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535.
.It Li ip6.anonportmax
The highest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535, and must
be greater than
.Li ip6.anonportmin .
.It Li ip6.lowportmin
The lowest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be smaller than
.Li ip6.lowportmax .
.It Li ip6.lowportmax
The highest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be greater than
.Li ip6.lowportmin .
.It Li ip6.maxfrags
The maximum number of fragments the node will accept.
0 means that the node will not accept any fragments.
\-1 means that the node will accept as many fragments as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li icmp6.rediraccept
If set to non-zero, the host will accept ICMPv6 redirect packets.
Note that IPv6 routers will never accept ICMPv6 redirect packets,
and the variable is meaningful on IPv6 hosts
.Pq non-router
only.
.It Li icmp6.redirtimeout
The variable specifies lifetime of routing entries generated by incoming
ICMPv6 redirect.
.It Li icmp6.nd6_prune
The variable specifies interval between IPv6 neighbor cache babysitting,
in seconds.
.It Li icmp6.nd6_delay
The variable specifies
.Dv DELAY_FIRST_PROBE_TIME
timing constant in IPv6 neighbor discovery specification
.Pq RFC 2461 ,
in seconds.
.It Li icmp6.nd6_umaxtries
The variable specifies
.Dv MAX_UNICAST_SOLICIT
constant in IPv6 neighbor discovery specification
.Pq RFC 2461 .
.It Li icmp6.nd6_mmaxtries
The variable specifies
.Dv MAX_MULTICAST_SOLICIT
constant in IPv6 neighbor discovery specification
.Pq RFC 2461 .
.It Li icmp6.nd6_useloopback
If set to non-zero, kernel IPv6 stack will use loopback interface for
local traffic.
.It Li icmp6.nodeinfo
The variable enables responses to ICMPv6 node information queries.
If you set the variable to 0, responses will not be generated for
ICMPv6 node information queries.
Since node information queries can have a security impact, it is
possible to fine tune which responses should be answered.
Two separate bits can be set.
.Bl -tag -width "12345"
.It 1
Respond to ICMPv6 FQDN queries, e.g.
.Li ping6 -w .
.It 2
Respond to ICMPv6 node addresses queries, e.g.
.Li ping6 -a .
.El
.It Li icmp6.errppslimit
The variable specifies the maximum number of outgoing ICMPv6 error messages,
per second.
ICMPv6 error messages that exceeded the value are subject to rate limitation
and will not go out from the node.
Negative value disables rate limitation.
.It Li icmp6.nd6_maxnudhint
IPv6 neighbor discovery permits upper layer protocols to supply reachability
hints, to avoid unnecessary neighbor discovery exchanges.
The variable defines the number of consecutive hints the neighbor discovery
layer will take.
For example, by setting the variable to 3, neighbor discovery layer
will take 3 consecutive hints in maximum.
After receiving 3 hints, neighbor discovery layer will perform
normal neighbor discovery process.
.It Li icmp6.mtudisc_hiwat
.It Li icmp6.mtudisc_lowat
The variables define the maximum number of routing table entries,
created due to path MTU discovery
.Pq prevents denial-of-service attacks with ICMPv6 too big messages .
When IPv6 path MTU discovery happens, we keep path MTU information into
the routing table.
If the number of routing table entries exceed the value,
the kernel will not attempt to keep the path MTU information.
.Li icmp6.mtudisc_hiwat
is used when we have verified ICMPv6 too big messages.
.Li icmp6.mtudisc_lowat
is used when we have unverified ICMPv6 too big messages.
Verification is performed by using address/port pairs kept in connected pcbs.
Negative value disables the upper limit.
.It Li icmp6.nd6_debug
If set to non-zero, kernel IPv6 neighbor discovery code will generate
debugging messages.
The debug outputs are useful to diagnose IPv6 interoperability issues.
The flag must be set to 0 for normal operation.
.El
.Pp
We reuse net.*.tcp for
.Tn TCP
over
.Tn IPv6 ,
and therefore we do not have variables net.*.tcp6.
Variables net.inet6.udp6 have identical meaning to net.inet.udp.
Please refer to
.Li PF_INET
section above.
For variables net.*.ipsec6, please refer to
.Xr ipsec 4 .
.It Li PF_KEY
Get or set various global information about the IPsec key management.
The third level name is the variable name.
The currently defined variable and names are:
.Bl -column "blockacq_lifetime" "integer" "yes" -offset indent
.It Sy Variable name Ta Type Ta Changeable
.It debug Ta integer Ta yes
.It spi_try Ta integer Ta yes
.It spi_min_value Ta integer Ta yes
.It spi_max_value Ta integer Ta yes
.It larval_lifetime Ta integer Ta yes
.It blockacq_count Ta integer Ta yes
.It blockacq_lifetime Ta integer Ta yes
.It esp_keymin Ta integer Ta yes
.It esp_auth Ta integer Ta yes
.It ah_keymin Ta integer Ta yes
.El
The variables are as follows:
.Bl -tag -width "123456"
.It Li debug
Turn on debugging messages from within the kernel.
The value is a bitmap, as defined in
.Pa /usr/include/netkey/key_debug.h .
.It Li spi_try
The number of times the kernel will try to obtain a unique SPI
when it generates it from the random number generator.
.It Li spi_min_value
Minimum SPI value when generating it within the kernel.
.It Li spi_max_value
Maximum SPI value when generating it within the kernel.
.It Li larval_lifetime
Lifetime for LARVAL SAD entries, in seconds.
.It Li blockacq_count
Number of ACQUIRE PF_KEY messages to be blocked after an ACQUIRE message.
It prevents a flood of ACQUIRE PF_KEY messages from being sent from the kernel to the
key management daemon.
.It Li blockacq_lifetime
Lifetime of ACQUIRE PF_KEY message.
.It Li esp_keymin
Minimum ESP key length, in bits.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.It Li esp_auth
Whether ESP authentication should be used or not.
Non-zero value indicates that ESP authentication should be used.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.It Li ah_keymin
Minimum AH key length, in bits.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.El
.El
.Sh CTL_PROC
The string and integer information available for the CTL_PROC
is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
These values are per-process,
and as such may change from one process to another.
When a process is created,
the default values are inherited from its parent.
When a set-user-ID or set-group-ID binary is executed, the
value of PROC_PID_CORENAME is reset to the system default value.
The second level name is either the magic value PROC_CURPROC, which
points to the current process, or the PID of the target process.
.Bl -column "USER_COLL_WEIGHTS_MAXXXX" "integerXXX" "yes" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It PROC\_PID\_CORENAME Ta string Ta yes
.It PROC\_PID\_LIMIT Ta node Ta not applicable
.It PROC\_PID\_STOPFORK Ta int Ta yes
.It PROC\_PID\_STOPEXEC Ta int Ta yes
.It PROC\_PID\_STOPEXIT Ta int Ta yes
.El
.Bl -tag -width "123456"
.Pp
.It Li PROC_PID_CORENAME
The template used for the core dump file name (see
.Xr core 5
for details).
The base name must either be
.Nm core
or end with the suffix ``.core'' (the super-user may set arbitrary names).
By default it points to KERN_DEFCORENAME.
.It Li PROC_PID_LIMIT
Return resource limits, as defined for the
.Xr getrlimit 2
and
.Xr setrlimit 2
system calls.
The fourth level name is one of:
.Bl -tag -width PROC_PID_LIMIT_MEMLOCKAA
.It Li PROC_PID_LIMIT_CPU
The maximum amount of CPU time (in seconds) to be used by each process.
.It Li PROC_PID_LIMIT_FSIZE
The largest size (in bytes) file that may be created.
.It Li PROC_PID_LIMIT_DATA
The maximum size (in bytes) of the data segment for a process;
this defines how far a program may extend its break with the
.Xr sbrk 2
system call.
.It Li PROC_PID_LIMIT_STACK
The maximum size (in bytes) of the stack segment for a process;
this defines how far a program's stack segment may be extended.
Stack extension is performed automatically by the system.
.It Li PROC_PID_LIMIT_CORE
The largest size (in bytes)
.Pa core
file that may be created.
.It Li PROC_PID_LIMIT_RSS
The maximum size (in bytes) to which a process's resident set size may
grow.
This imposes a limit on the amount of physical memory to be given to
a process; if memory is tight, the system will prefer to take memory
from processes that are exceeding their declared resident set size.
.It Li PROC_PID_LIMIT_MEMLOCK
The maximum size (in bytes) which a process may lock into memory
using the
.Xr mlock 2
function.
.It Li PROC_PID_LIMIT_NPROC
The maximum number of simultaneous processes for this user id.
.It Li PROC_PID_LIMIT_NOFILE
The maximum number of open files for this process.
.El
.Pp
The fifth level name is one of PROC_PID_LIMIT_TYPE_SOFT or
PROC_PID_LIMIT_TYPE_HARD, to select respectively the soft or hard limit.
Both are of type integer.
.It Li PROC_PID_STOPFORK
If non-zero, the process' children will be stopped after
.Xr fork 2
calls.
The child is created in the SSTOP state and is never scheduled
for running before being stopped.
This feature helps attaching a process with a debugger such as
.Xr gdb 1
before it had the opportunity to actually do anything.
.Pp
This value is inherited by the process's children, and it also
applies to emulation specific system calls that fork a new process, such as
.Fn sproc
or
.Fn clone .
.It Li PROC_PID_STOPEXEC
If non-zero, the process will be stopped on next
.Xr exec 3
call.
The process created by
.Xr exec 3
is created in the SSTOP state and is never scheduled for running
before being stopped.
This feature helps attaching a process with a debugger such as
.Xr gdb 1
before it had the opportunity to actually do anything.
.Pp
This value is inherited by the process's children.
.It Li PROC_PID_STOPEXIT
If non-zero, the process will be stopped when it has cause to exit,
either by way of calling
.Xr exit 3 ,
.Xr _exit 2 ,
or by the receipt of a specific signal.
The process is stopped before any of its resources or vm space is
released allowing examination of the termination state of a process
before it disappears.
This feature can be used to examine the final conditions of the
process's vmspace via
.Xr pmap 1
or its resource settings with
.Xr sysctl 8
before it disappears.
.Pp
This value is also inherited by the process's children.
.El
.Sh CTL_USER
The string and integer information available for the CTL_USER level
is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "USER_COLL_WEIGHTS_MAXXXX" "integerXXX" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It USER\_BC\_BASE\_MAX Ta integer Ta no
.It USER\_BC\_DIM\_MAX Ta integer Ta no
.It USER\_BC\_SCALE\_MAX Ta integer Ta no
.It USER\_BC\_STRING\_MAX Ta integer Ta no
.It USER\_COLL\_WEIGHTS\_MAX Ta integer Ta no
.It USER\_CS\_PATH Ta string Ta no
.It USER\_EXPR\_NEST\_MAX Ta integer Ta no
.It USER\_LINE\_MAX Ta integer Ta no
.It USER\_POSIX2\_CHAR\_TERM Ta integer Ta no
.It USER\_POSIX2\_C\_BIND Ta integer Ta no
.It USER\_POSIX2\_C\_DEV Ta integer Ta no
.It USER\_POSIX2\_FORT\_DEV Ta integer Ta no
.It USER\_POSIX2\_FORT\_RUN Ta integer Ta no
.It USER\_POSIX2\_LOCALEDEF Ta integer Ta no
.It USER\_POSIX2\_SW\_DEV Ta integer Ta no
.It USER\_POSIX2\_UPE Ta integer Ta no
.It USER\_POSIX2\_VERSION Ta integer Ta no
.It USER\_RE\_DUP\_MAX Ta integer Ta no
.It USER\_STREAM\_MAX Ta integer Ta no
.It USER\_TZNAME\_MAX Ta integer Ta no
.It USER\_ATEXIT\_MAX Ta integer Ta no
.El
.Bl -tag -width "123456"
.Pp
.It Li USER_BC_BASE_MAX
The maximum ibase/obase values in the
.Xr bc 1
utility.
.It Li USER_BC_DIM_MAX
The maximum array size in the
.Xr bc 1
utility.
.It Li USER_BC_SCALE_MAX
The maximum scale value in the
.Xr bc 1
utility.
.It Li USER_BC_STRING_MAX
The maximum string length in the
.Xr bc 1
utility.
.It Li USER_COLL_WEIGHTS_MAX
The maximum number of weights that can be assigned to any entry of
the LC_COLLATE order keyword in the locale definition file.
.It Li USER_CS_PATH
Return a value for the
.Ev PATH
environment variable that finds all the standard utilities.
.It Li USER_EXPR_NEST_MAX
The maximum number of expressions that can be nested within
parenthesis by the
.Xr expr 1
utility.
.It Li USER_LINE_MAX
The maximum length in bytes of a text-processing utility's input
line.
.It Li USER_POSIX2_CHAR_TERM
Return 1 if the system supports at least one terminal type capable of
all operations described in POSIX 1003.2, otherwise 0.
.It Li USER_POSIX2_C_BIND
Return 1 if the system's C-language development facilities support the
C-Language Bindings Option, otherwise 0.
.It Li USER_POSIX2_C_DEV
Return 1 if the system supports the C-Language Development Utilities Option,
otherwise 0.
.It Li USER_POSIX2_FORT_DEV
Return 1 if the system supports the FORTRAN Development Utilities Option,
otherwise 0.
.It Li USER_POSIX2_FORT_RUN
Return 1 if the system supports the FORTRAN Runtime Utilities Option,
otherwise 0.
.It Li USER_POSIX2_LOCALEDEF
Return 1 if the system supports the creation of locales, otherwise 0.
.It Li USER_POSIX2_SW_DEV
Return 1 if the system supports the Software Development Utilities Option,
otherwise 0.
.It Li USER_POSIX2_UPE
Return 1 if the system supports the User Portability Utilities Option,
otherwise 0.
.It Li USER_POSIX2_VERSION
The version of POSIX 1003.2 with which the system attempts to comply.
.It Li USER_RE_DUP_MAX
The maximum number of repeated occurrences of a regular expression
permitted when using interval notation.
.ne 1i
.It Li USER_STREAM_MAX
The minimum maximum number of streams that a process may have open
at any one time.
.It Li USER_TZNAME_MAX
The minimum maximum number of types supported for the name of a
timezone.
.It Li USER_ATEXIT_MAX
The maximum number of functions that may be registered with
.Xr atexit 3 .
.El
.Sh CTL_VM
The string and integer information available for the CTL_VM level
is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "Second level nameXXXXXX" "struct loadavgXXX" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It VM\_ANONMAX Ta int Ta yes
.It VM\_ANONMIN Ta int Ta yes
.It VM\_BUFCACHE Ta int Ta yes
.It VM\_BUFMEM Ta int Ta no
.It VM\_BUFMEM_LOWATER Ta int Ta yes
.It VM\_BUFMEM_HIWATER Ta int Ta yes
.It VM\_EXECMAX Ta int Ta yes
.It VM\_EXECMIN Ta int Ta yes
.It VM\_FILEMAX Ta int Ta yes
.It VM\_FILEMIN Ta int Ta yes
.It VM\_LOADAVG Ta struct loadavg Ta no
.It VM\_MAXSLP Ta int Ta no
.It VM\_METER Ta struct vmtotal Ta no
.It VM\_NKMEMPAGES Ta int Ta no
.It VM\_USPACE Ta int Ta no
.It VM\_UVMEXP Ta struct uvmexp Ta no
.It VM\_UVMEXP2 Ta struct uvmexp_sysctl Ta no
.El
.Pp
.Bl -tag -width "123456"
.It Li VM_ANONMAX
The percentage of physical memory which will be reclaimed
from other types of memory usage to store anonymous application data.
.It Li VM_ANONMIN
The percentage of physical memory which will always be available for
anonymous application data.
.It Li VM_BUFCACHE
The percentage of kernel memory which will be available
for the buffer cache.
.It Li VM_BUFMEM
The amount of kernel memory that is being used by the buffer cache.
.It Li VM_BUFMEM_LOWATER
The minimum amount of kernel memory to reserve for the
buffer cache.
.It Li VM_BUFMEM_HIWATER
The maximum amount of kernel memory to be used for the
buffer cache.
.It Li VM_EXECMAX
The percentage of physical memory which will be reclaimed
from other types of memory usage to store cached executable data.
.It Li VM_EXECMIN
The percentage of physical memory which will always be available for
cached executable data.
.It Li VM_FILEMAX
The percentage of physical memory which will be reclaimed
from other types of memory usage to store cached file data.
.It Li VM_FILEMIN
The percentage of physical memory which will always be available for
cached file data.
.It Li VM_LOADAVG
Return the load average history.
The returned data consists of a
.Va struct loadavg .
.It Li VM_MAXSLP
The value of the maxslp kernel global variable.
.It Li VM_METER
Return system wide virtual memory statistics.
The returned data consists of a
.Va struct vmtotal .
.It Li VM_USPACE
The number of bytes allocated for each kernel stack.
.It Li VM_UVMEXP
Return system wide virtual memory statistics.
The returned data consists of a
.Va struct uvmexp .
.It Li VM_UVMEXP2
Return system wide virtual memory statistics.
The returned data consists of a
.Va struct uvmexp_sysctl .
.El
.Sh CTL_DDB
The integer information available for the CTL_DDB level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "DBCTL_TABSTOPSXXX" "integerXXX" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It DBCTL\_RADIX Ta integer Ta yes
.It DBCTL\_MAXOFF Ta integer Ta yes
.It DBCTL\_LINES Ta integer Ta yes
.It DBCTL\_TABSTOPS Ta integer Ta yes
.It DBCTL\_ONPANIC Ta integer Ta yes
.It DBCTL\_FROMCONSOLE Ta integer Ta yes
.El
.Pp
.Bl -tag -width "123456"
.It Li DBCTL_RADIX
The input and output radix.
.It Li DBCTL_MAXOFF
The maximum symbol offset.
.It Li DBCTL_LINES
Number of display lines.
.It Li DBCTL_TABSTOPS
Tab width.
.It Li DBCTL_ONPANIC
If non-zero, DDB will be entered when the kernel panics.
.It Li DBCTL_FROMCONSOLE
If not zero, DDB may be entered by sending a break on a serial
console or by a special key sequence on a graphics console.
.El
.Pp
These MIB nodes are also available as variables from within the DDB.
See
.Xr ddb 4
for more details.
.Sh CTL_SECURITY
The security level contains various security-related settings for
the system.
Available settings are detailed below.
.Bl -column "SECURITY_CURTAIN" "integerXXX" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It SECURITY_CURTAIN Ta integer Ta yes
.El
.Pp
.Bl -tag -width "123456"
.It Li SECURITY_CURTAIN
If non-zero, returned objects are filtered according to the user-id
requesting information about them, preventing users from accessing
objects they don't own.
.Pp
At the moment, it affects
.Xr ps 1 ,
.Xr netstat 1
(for
.Dv PF_INET ,
.Dv PF_INET6 ,
and
.Dv PF_UNIX
PCBs), and
.Xr w 1 .
.El
.Sh CTL_VENDOR
The "vendor" toplevel name is reserved to be used by vendors who wish to
have their own private MIB tree.
Intended use is to store values under
.Dq vendor.\*[Lt]yourname\*[Gt].* .
.Sh DYNAMIC OPERATIONS
Several meta-identifiers are provided to perform operations on the
.Nm
tree itself, or support alternate means of accessing the data
instrumented by the
.Nm
tree.
.Bl -column CTLXCREATESYMXXX
.It Sy Name Ta Description
.It CTL\_QUERY Ta Retrieve a mapping of names to numbers below a given node
.It CTL\_CREATE Ta Create a new node
.It CTL\_CREATESYM Ta Create a new node by its kernel symbol
.It CTL\_DESTROY Ta Destroy a node
.It CTL\_DESCRIBE Ta Retrieve node descriptions
.El
.Pp
The core interface to all of these meta-functions is the structure
that the kernel uses to describe the tree internally, as defined in
.Aq Pa sys/sysctl.h
as:
.Pp
.Bd -literal
struct sysctlnode {
    uint32_t sysctl_flags;              /* flags and type */
    int32_t sysctl_num;                 /* mib number */
    char sysctl_name[SYSCTL_NAMELEN];   /* node name */
    uint32_t sysctl_ver;                /* node's version vs. rest of tree */
    uint32_t __rsvd;
    union {
        struct {
            uint32_t suc_csize;         /* size of child node array */
            uint32_t suc_clen;          /* number of valid children */
            struct sysctlnode* suc_child; /* array of child nodes */
        } scu_child;
        struct {
            void *sud_data;             /* pointer to external data */
            size_t sud_offset;          /* offset to data */
        } scu_data;
        int32_t scu_alias;              /* node this node refers to */
        int32_t scu_idata;              /* immediate "int" data */
        u_quad_t scu_qdata;             /* immediate "u_quad_t" data */
    } sysctl_un;
    size_t _sysctl_size;                /* size of instrumented data */
    sysctlfn _sysctl_func;              /* access helper function */
    struct sysctlnode *sysctl_parent;   /* parent of this node */
    const char *sysctl_desc;            /* description of node */
};

#define sysctl_csize    sysctl_un.scu_child.suc_csize
#define sysctl_clen     sysctl_un.scu_child.suc_clen
#define sysctl_child    sysctl_un.scu_child.suc_child
#define sysctl_data     sysctl_un.scu_data.sud_data
#define sysctl_offset   sysctl_un.scu_data.sud_offset
#define sysctl_alias    sysctl_un.scu_alias
#define sysctl_idata    sysctl_un.scu_idata
#define sysctl_qdata    sysctl_un.scu_qdata
.Ed
.Pp
Querying the tree to discover the name to number mapping permits
dynamic discovery of all the data that the tree currently has
instrumented.
For example, to discover all the nodes below the
CTL_VFS node:
.Pp
.Bd -literal -offset indent -compact
struct sysctlnode query, vfs[128];
int mib[2];
size_t len;
.sp
mib[0] = CTL_VFS;
mib[1] = CTL_QUERY;
memset(\*[Am]query, 0, sizeof(query));
query.sysctl_flags = SYSCTL_VERSION;
len = sizeof(vfs);
sysctl(mib, 2, \*[Am]vfs[0], \*[Am]len, \*[Am]query, sizeof(query));
.Ed
.Pp
Note that a reference to an empty node with
.Fa sysctl_flags
set to
.Dv SYSCTL_VERSION
is passed to sysctl in order to indicate the version that the program
is using.
All dynamic operations passing nodes into sysctl require that the
version be explicitly specified.
.Pp
Creation and destruction of nodes works by constructing part of a new
node description (or a description of the existing node) and invoking
CTL_CREATE (or CTL_CREATESYM) or CTL_DESTROY at the parent of the new
node, with a pointer to the new node passed via the
.Fa newp
and
.Fa newlen
arguments.
If valid values for
.Fa oldp
and
.Fa oldlenp
are passed, a copy of the new node once in the tree will be returned.
If the create operation fails because a node with the same name or MIB
number exists, a copy of the conflicting node will be returned.
.Pp
The minimum requirements for creating a node are setting the
.Fa sysctl_flags
to indicate the new node's type,
.Fa sysctl_num
to either the new node's number (or CTL_CREATE or CTL_CREATESYM if a
dynamically allocated MIB number is acceptable),
.Fa sysctl_size
to the size of the data to be instrumented (which must agree with the
given type), and
.Fa sysctl_name
to the new node's name.
Nodes that are not of type
.Dq node
must also have some description of the data to be instrumented, which
will vary depending on what is to be instrumented.
.Pp
If existing kernel data is to be covered by this new node, its address
should be given in
.Fa sysctl_data
or, if CTL_CREATESYM is used,
.Fa sysctl_data
should be set to a string containing its name from the kernel's symbol
table.
If new data is to be instrumented and an initial value is available,
the new integer or quad type data should be placed into either
.Fa sysctl_idata
or
.Fa sysctl_qdata ,
respectively, along with the SYSCTL_IMMEDIATE flag being set, or
.Fa sysctl_data
should be set to point to a copy of the new data, and the
SYSCTL_OWNDATA flag must be set.
This latter method is the only way that new string and struct type
nodes can be initialized.
Invalid kernel addresses are accepted, but any attempt to access those
nodes will return an error.
.Pp
The
.Fa sysctl_csize ,
.Fa sysctl_clen ,
.Fa sysctl_child ,
.Fa sysctl_parent ,
and
.Fa sysctl_alias
members are used by the kernel to link the tree together and must be
.Dv NULL
or 0.
Nodes created in this manner cannot have helper functions, so
.Fa sysctl_func
must also be
.Dv NULL .
If the
.Fa sysctl_ver
member is non-zero, it must match either the version of the parent or
the version at the root of the MIB or an error is returned.
This can be used to ensure that nodes are only added or removed from a
known state of the tree.
Note: It may not be possible to determine the version at the root
of the tree.
.Pp
This example creates a new subtree and adds a node to it that controls the
.Fa audiodebug
kernel variable, thereby making it tunable at any time, without
needing to use
.Xr ddb 4
or
.Xr kvm 3
to alter the kernel's memory directly.
.Pp
.Bd -literal -offset indent -compact
struct sysctlnode node;
int mib[2];
size_t len;
.sp
mib[0] = CTL_CREATE;            /* create at top-level */
len = sizeof(node);
memset(\*[Am]node, 0, len);
node.sysctl_flags = SYSCTL_VERSION|CTLFLAG_READWRITE|CTLTYPE_NODE;
snprintf(node.sysctl_name, sizeof(node.sysctl_name), "local");
node.sysctl_num = CTL_CREATE;   /* request dynamic MIB number */
sysctl(\*[Am]mib[0], 1, \*[Am]node, \*[Am]len, \*[Am]node, len);
.sp
mib[0] = node.sysctl_num;       /* use new MIB number */
mib[1] = CTL_CREATESYM;         /* create at second level */
len = sizeof(node);
memset(\*[Am]node, 0, len);
node.sysctl_flags = SYSCTL_VERSION|CTLFLAG_READWRITE|CTLTYPE_INT;
snprintf(node.sysctl_name, sizeof(node.sysctl_name), "audiodebug");
node.sysctl_num = CTL_CREATE;
node.sysctl_data = "audiodebug"; /* kernel symbol to be used */
sysctl(\*[Am]mib[0], 2, NULL, NULL, \*[Am]node, len);
.Ed
.Pp
The process for deleting nodes is similar, but less data needs to
be supplied.
Only the
.Fa sysctl_num
field
needs to be filled in; almost all other fields must be left blank.
The
.Fa sysctl_name
and/or
.Fa sysctl_ver
fields can be filled in with the name and version of the existing node
as additional checks on what will be deleted.
If all the given data fail to match any node, nothing will be deleted.
If valid values for
.Fa oldp
and
.Fa oldlenp
are supplied and a node is deleted, a copy of what was in the MIB tree
will be returned.
.Pp
This sample code shows the deletion of the two nodes created in the
above example:
.Pp
.Bd -literal -offset indent -compact
struct sysctlnode node;
int mib[2];
size_t len;
.sp
len = sizeof(node);
memset(\*[Am]node, 0, len);
node.sysctl_flags = SYSCTL_VERSION;
.sp
mib[0] = 3214;                  /* assumed number for "local" */
mib[1] = CTL_DESTROY;
node.sysctl_num = 3215;         /* assumed number for "audiodebug" */
sysctl(\*[Am]mib[0], 2, NULL, NULL, \*[Am]node, len);
.sp
mib[0] = CTL_DESTROY;
node.sysctl_num = 3214;         /* now deleting "local" */
sysctl(\*[Am]mib[0], 1, NULL, NULL, \*[Am]node, len);
.Ed
.Pp
Descriptions of each of the nodes can also be retrieved, if they are
available.
Descriptions can be retrieved in bulk at each level or on a per-node
basis.
The layout of the buffer into which the descriptions are returned is a
series of variable length structures, each of which describes its own
size.
The length indicated includes the terminating
.Sq nul
character.
Nodes that have no description or where the description is not
available are indicated by an empty string.
The
.Fa descr_ver
will match the
.Fa sysctl_ver
value for a given node, so that descriptions for nodes whose numbers
have been recycled can be detected and ignored or discarded.
.Pp
.Bd -literal
struct sysctldesc {
    int32_t descr_num;      /* mib number of node */
    uint32_t descr_ver;     /* version of node */
    uint32_t descr_len;     /* length of description string */
    char descr_str[1];      /* not really 1...see above */
};
.Ed
.Pp
The
.Fn NEXT_DESCR
macro can be used to skip to the next description in the retrieved
list.
.Pp
.Bd -literal -offset indent -compact
struct sysctlnode desc;
struct sysctldesc *d;
char buf[1024];
int mib[2];
size_t len;
.sp
/* retrieve kern-level descriptions */
mib[0] = CTL_KERN;
mib[1] = CTL_DESCRIBE;
d = (struct sysctldesc *)\*[Am]buf[0];
len = sizeof(buf);
sysctl(mib, 2, d, \*[Am]len, NULL, 0);
while ((caddr_t)d \*[Lt] (caddr_t)\*[Am]buf[len]) {
    /* the precision argument of %.*s must be an int */
    printf("node %d: %.*s\\n", d-\*[Gt]descr_num, (int)d-\*[Gt]descr_len,
        d-\*[Gt]descr_str);
    d = NEXT_DESCR(d);
}
.sp
/* retrieve description for kern.securelevel */
memset(\*[Am]desc, 0, sizeof(desc));
desc.sysctl_flags = SYSCTL_VERSION;
desc.sysctl_num = KERN_SECURELEVEL;
d = (struct sysctldesc *)\*[Am]buf[0];
len = sizeof(buf);
sysctl(mib, 2, d, \*[Am]len, \*[Am]desc, sizeof(desc));
printf("kern.securelevel: %.*s\\n", (int)d-\*[Gt]descr_len, d-\*[Gt]descr_str);
.Ed
.Pp
Descriptions can also be set as follows, subject to the following rules:
.Pp
.Bl -bullet -compact
.It
The kernel securelevel is at zero or lower
.It
The caller has super-user privileges
.It
The node does not currently have a description
.It
The node is not marked as
.Dq permanent
.El
.Pp
.Bd -literal -offset indent -compact
struct sysctlnode desc;
int mib[2];
.sp
/* presuming the given top-level node was just added... */
mib[0] = 3214; /* mib numbers taken from previous examples */
mib[1] = CTL_DESCRIBE;
memset(\*[Am]desc, 0, sizeof(desc));
desc.sysctl_flags = SYSCTL_VERSION;
desc.sysctl_num = 3215;
desc.sysctl_desc = "audio debug control knob";
sysctl(mib, 2, NULL, NULL, \*[Am]desc, sizeof(desc));
.Ed
.Pp
Upon successfully setting a description, the new description will be
returned in the space indicated by the
.Fa oldp
and
.Fa oldlenp
arguments.
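.Pp
The bulk retrieval loop shown earlier does not check any
descr_len before using it.
The following is an added example, not part of the original manual page,
that walks the same buffer layout with explicit bounds checks.
The local struct copy, the 4-byte padding rule and the helper names
walk_descs, put_desc and count_described are assumptions of the example;
on NetBSD the system header and NEXT_DESCR define the real layout and stride.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local copy of the layout documented above, so this builds on any host. */
struct sysctldesc {
	int32_t descr_num;	/* mib number of node */
	uint32_t descr_ver;	/* version of node */
	uint32_t descr_len;	/* length of description string, nul included */
	char descr_str[1];	/* variable length */
};
#define DESC_HDR offsetof(struct sysctldesc, descr_str)
/* Assumption: records are padded to a multiple of sizeof(int32_t). */
#define DESC_PAD(l) (((size_t)(l) + 3) & ~(size_t)3)

typedef void (*desc_cb)(int32_t num, uint32_t ver, const char *str, void *arg);

/* Visit every record in buf[0..len); return the count, or -1 if malformed. */
static int walk_descs(const unsigned char *buf, size_t len, desc_cb cb, void *arg)
{
	size_t off = 0, room, step;
	struct sysctldesc d;
	int n = 0;

	while (off < len) {
		room = len - off;
		if (room < DESC_HDR)
			return -1;	/* truncated header */
		memcpy(&d, buf + off, DESC_HDR);	/* avoids unaligned reads */
		if (d.descr_len == 0 || d.descr_len > room - DESC_HDR)
			return -1;	/* length is zero or runs past the buffer */
		if (buf[off + DESC_HDR + d.descr_len - 1] != '\0')
			return -1;	/* string is not nul-terminated */
		if (cb != NULL)
			cb(d.descr_num, d.descr_ver,
			    (const char *)buf + off + DESC_HDR, arg);
		n++;
		step = DESC_HDR + DESC_PAD(d.descr_len);
		off += step < room ? step : room;	/* final pad may be absent */
	}
	return n;
}

/* Constructed sample data: write one record at off, return the new offset. */
static size_t put_desc(unsigned char *buf, size_t off, int32_t num, uint32_t ver,
    const char *s)
{
	struct sysctldesc d = { num, ver, (uint32_t)strlen(s) + 1, { 0 } };

	memset(buf + off, 0, DESC_HDR + DESC_PAD(d.descr_len));
	memcpy(buf + off, &d, DESC_HDR);
	memcpy(buf + off + DESC_HDR, s, d.descr_len);
	return off + DESC_HDR + DESC_PAD(d.descr_len);
}

/* Callback: count nodes that actually carry a description. */
static void count_described(int32_t num, uint32_t ver, const char *str, void *arg)
{
	(void)num;
	(void)ver;
	if (str[0] != '\0')
		++*(int *)arg;
}

int main(void)
{
	unsigned char buf[128];
	int described = 0;
	size_t len = put_desc(buf, 0, 1, 7, "first node");	/* constructed */

	len = put_desc(buf, len, 2, 7, "");	/* node without a description */
	int n = walk_descs(buf, len, count_described, &described);
	printf("%d records, %d described\n", n, described);
	return 0;
}
```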
.Pp
The
.Fa sysctl_flags
field in the struct sysctlnode contains the sysctl version, node type
information, and a number of flags.
The macros
.Fn SYSCTL_VERS ,
.Fn SYSCTL_TYPE ,
and
.Fn SYSCTL_FLAGS
can be used to access the different fields.
Valid flags are:
.Bl -column CTLFLAGXPERMANENTXXX
.It Sy Name Ta Description
.It CTLFLAG\_READONLY Ta Node is read-only
.It CTLFLAG\_READONLY1 Ta Node becomes read-only at securelevel 1
.It CTLFLAG\_READONLY2 Ta Node becomes read-only at securelevel 2
.It CTLFLAG\_READWRITE Ta Node is writable by the superuser
.It CTLFLAG\_ANYWRITE Ta Node is writable by anyone
.It CTLFLAG\_PRIVATE Ta Node is readable only by the superuser
.It CTLFLAG\_PERMANENT Ta Node cannot be removed (cannot be set by
processes)
.It CTLFLAG\_OWNDATA Ta Node owns data and does not instrument
existing data
.It CTLFLAG\_IMMEDIATE Ta Node contains instrumented data and does not
instrument existing data
.It CTLFLAG\_HEX Ta Node's contents should be displayed in a hexadecimal
form
.It CTLFLAG\_ROOT Ta Node is the root of a tree (cannot be set at
any time)
.It CTLFLAG\_ANYNUMBER Ta Node matches any MIB number (cannot be set by
processes)
.It CTLFLAG\_HIDDEN Ta Node not displayed by default
.It CTLFLAG\_ALIAS Ta Node refers to a sibling node (cannot be set
by processes)
.It CTLFLAG\_OWNDESC Ta Node owns its own description string space
.El
.Sh RETURN VALUES
If the call to
.Nm
is successful, the number of bytes copied out is returned.
Otherwise \-1 is returned and
.Va errno
is set appropriately.
.Sh FILES
.Bl -tag -width \*[Lt]netinet6/udp6Xvar.h\*[Gt] -compact
.It Aq Pa sys/sysctl.h
definitions for top level identifiers, second level kernel and hardware
identifiers, and user level identifiers
.It Aq Pa sys/socket.h
definitions for second level network identifiers
.It Aq Pa sys/gmon.h
definitions for third level profiling identifiers
.It Aq Pa uvm/uvm_param.h
definitions for second level virtual memory identifiers
.It Aq Pa netinet/in.h
definitions for third level IPv4/v6 identifiers and
fourth level IPv4/v6 identifiers
.It Aq Pa netinet/icmp_var.h
definitions for fourth level ICMP identifiers
.It Aq Pa netinet/icmp6.h
definitions for fourth level ICMPv6 identifiers
.It Aq Pa netinet/tcp_var.h
definitions for fourth level TCP identifiers
.It Aq Pa netinet/udp_var.h
definitions for fourth level UDP identifiers
.It Aq Pa netinet6/udp6_var.h
definitions for fourth level IPv6 UDP identifiers
.It Aq Pa netinet6/ipsec.h
definitions for fourth level IPsec identifiers
.It Aq Pa netkey/key_var.h
definitions for third level PF_KEY identifiers
.It Aq Pa machine/cpu.h
definitions for second level machdep identifiers
.El
.Sh ERRORS
The following errors may be reported:
.Bl -tag -width Er
.It Bq Er EFAULT
The buffer
.Fa name ,
.Fa oldp ,
.Fa newp ,
or length pointer
.Fa oldlenp
contains an invalid address, or the requested value is temporarily
unavailable.
.It Bq Er EINVAL
The
.Fa name
array is zero or greater than CTL_MAXNAME.
.It Bq Er EINVAL
A non-null
.Fa newp
is given and its specified length in
.Fa newlen
is too large or too small, or the given value is not acceptable for
the given node.
.It Bq Er ENOMEM
The length pointed to by
.Fa oldlenp
is too short to hold the requested value.
.It Bq Er EISDIR
The
.Fa name
array specifies an intermediate rather than terminal name.
.It Bq Er ENOTDIR
The
.Fa name
array specifies a node below a node that addresses data.
.It Bq Er ENOENT
The
.Fa name
array specifies a node that does not exist in the tree.
.It Bq Er ENOENT
An attempt was made to destroy a node that does not exist, or to
create or destroy a node below a node that does not exist.
.It Bq Er ENOTEMPTY
An attempt was made to destroy a node that still has children.
.It Bq Er EOPNOTSUPP
The
.Fa name
array specifies a value that is unknown or a meta-operation was
attempted that the requested node does not support.
.It Bq Er EPERM
An attempt is made to set a read-only value.
.It Bq Er EPERM
A process without appropriate privilege attempts to set a value or to
create or destroy a node.
.It Bq Er EPERM
An attempt to change a value protected by the current kernel security
level is made.
.El
.Sh SEE ALSO
.Xr ipsec 4 ,
.Xr tcp 4 ,
.Xr sysctl 8
.\" .Xr sysctl 9
.Sh HISTORY
The
.Nm
function first appeared in
.Bx 4.4 .