.\" $NetBSD: sysctl.7,v 1.167 2024/03/07 23:03:55 gutteridge Exp $
.\"
.\" Copyright (c) 1993
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95
.\"
.Dd March 7, 2024
.Dt SYSCTL 7
.Os
.Sh NAME
.Nm sysctl
.Nd system information variables
.Sh DESCRIPTION
The
.Xr sysctl 3
library function and the
.Xr sysctl 8
utility are used to get and set values of system variables, maintained
by the kernel.
The variables are organized in a tree and identified by a sequence of
numbers, conventionally separated by dots with the topmost identifier
at the left side.
The numbers have corresponding text names.
The
.Xr sysctlnametomib 3
function or the
.Fl M
argument to the
.Xr sysctl 8
utility can be used to convert the text representation to the
numeric one.
.Pp
The individual sysctl variables are described below, both the textual
and numeric form where applicable.
The textual names can be used as argument to the
.Xr sysctl 8
utility and in the file
.Pa /etc/sysctl.conf .
The numeric names are usually defined as preprocessor constants and
are intended for use by programs.
Every such constant expands to one integer, which identifies the
sysctl variable relative to the upper level of the tree.
See the
.Xr sysctl 3
manual page for programming examples.
.Ss Top level names
The top level names are defined with a
.Va CTL_
prefix in
.In sys/sysctl.h ,
and are as follows.
The next and subsequent levels down are found in the include files
listed here, and described in separate sections below.
.Bl -column "security" ".Dv CTL_SECURITY" ".In uvm/uvm_param.h" "High kernel limits"
.It Sy Name Ta Sy Constant Ta Sy Next level names Ta Sy Description
.It kern Ta Dv CTL_KERN Ta In sys/sysctl.h Ta High kernel limits
.It vm Ta Dv CTL_VM Ta In uvm/uvm_param.h Ta Virtual memory
.It vfs Ta Dv CTL_VFS Ta In sys/mount.h Ta Filesystem
.It net Ta Dv CTL_NET Ta In sys/socket.h Ta Networking
.It debug Ta Dv CTL_DEBUG Ta In sys/sysctl.h Ta Debugging
.It hw Ta Dv CTL_HW Ta In sys/sysctl.h Ta Generic CPU, I/O
.It machdep Ta Dv CTL_MACHDEP Ta In sys/sysctl.h Ta Machine dependent
.It user Ta Dv CTL_USER Ta In sys/sysctl.h Ta User-level
.It ddb Ta Dv CTL_DDB Ta In sys/sysctl.h Ta In-kernel debugger
.It proc Ta Dv CTL_PROC Ta In sys/sysctl.h Ta Per-process
.It vendor Ta Dv CTL_VENDOR Ta ? Ta Vendor specific
.It emul Ta Dv CTL_EMUL Ta In sys/sysctl.h Ta Emulation settings
.It security Ta Dv CTL_SECURITY Ta In sys/sysctl.h Ta Security settings
.El
.Ss The debug.* subtree
The debugging variables vary from system to system.
A debugging variable may be added or deleted without need to recompile
.Nm
to know about it.
Each time it runs,
.Nm
gets the list of debugging variables from the kernel and
displays their current values.
The system defines twenty
.Vt ( struct ctldebug )
variables named
.Dv debug0
through
.Dv debug19 .
They are declared as separate variables so that they can be
individually initialized at the location of their associated variable.
The loader prevents multiple use of the same variable by issuing errors
if a variable is initialized in more than one place.
For example, to export the variable
.Va dospecialcheck
as a debugging variable, the following declaration would be used:
.Pp
.Bd -literal -offset indent -compact
int dospecialcheck = 1;
struct ctldebug debug5 = { "dospecialcheck", &dospecialcheck };
.Ed
.Pp
Note that the dynamic implementation of
.Nm
currently in use largely makes this particular
.Nm
interface obsolete.
See
.Xr sysctl 8
.\" and
.\" .Xr sysctl 9
for more information.
.Ss The vfs.* subtree
A distinguished second level name,
.Li vfs.generic ( Dv VFS_GENERIC ) ,
is used to get general information about all file systems.
It has the following third level identifiers:
.Bl -tag -width "123456"
.It Li vfs.generic.maxtypenum ( Dv VFS_MAXTYPENUM )
The highest valid file system type number.
.It Li vfs.generic.conf ( Dv VFS_CONF )
Returns configuration information about the file system type given as a fourth
level identifier.
.It Li vfs.generic.usermount ( Dv VFS_USERMOUNT )
Controls whether users other than the super-user can mount file
systems.
Defaults to
.Li 0 ,
so only the super-user can mount file systems.
.Pp
File systems mounted by unprivileged users must be mounted with the
.Li nodev
and
.Li nosuid
.Xr mount 8
options.
.It Li vfs.generic.magiclinks ( Dv VFS_MAGICLINKS )
Controls whether expansion of variables is going to be performed on
pathnames or not.
Defaults to
.Li 0 ,
no variable expansion.
Variables are of the form
.Li @name
and the variables supported are described in
.Xr symlink 7
under
.Dq "MAGIC SYMLINKS" .
.El
.Pp
A second level name for controlling the
.Xr wapbl 4
(Write Ahead Physical Block Logging file system journaling)
capabilities with the following third level identifiers:
.Bl -tag -width "123456"
.It Li vfs.wapbl.flush_disk_cache
Controls whether to attempt to flush the disk cache on each commit.
It defaults to 1 and it should always be on to ensure integrity
of file system metadata in the event of a power loss.
For slow disks, turning it off can improve performance.
.It Li vfs.wapbl.verbose_commit
For each transaction log commit, print the number of bytes written
and the time it took to commit as seconds.nanoseconds.
.El
.Pp
The remaining second level identifiers are the file system names, identified
by the type number returned by a
.Xr statvfs 2
call or from
.Li vfs.generic.conf .
.Pp
The third level identifiers available for each file system
are given in the header file that defines the mount
argument structure for that file system.
.Ss The hw.* subtree
The string and integer information available for the
.Li hw
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "hw.machine_arch" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It hw.alignbytes Ta integer Ta no
.It hw.byteorder Ta integer Ta no
.It hw.cnmagic Ta string Ta yes
.It hw.disknames Ta string Ta no
.It hw.diskstats Ta struct Ta no
.It hw.machine Ta string Ta no
.It hw.machine_arch Ta string Ta no
.It hw.model Ta string Ta no
.It hw.ncpu Ta integer Ta no
.It hw.ncpuonline Ta integer Ta no
.It hw.pagesize Ta integer Ta no
.It hw.physmem Ta integer Ta no
.It hw.physmem64 Ta quad Ta no
.It hw.usermem Ta integer Ta no
.It hw.usermem64 Ta quad Ta no
.El
.Bl -tag -width "123456"
.It Li hw.alignbytes ( Dv HW_ALIGNBYTES )
Alignment constraint for all possible data types.
This shows the value
.Dv ALIGNBYTES
in
.In machine/param.h ,
at kernel compilation time.
.It Li hw.byteorder ( Dv HW_BYTEORDER )
The byteorder (4321, or 1234).
.It Li hw.cnmagic ( Dv HW_CNMAGIC )
The console magic key sequence.
.It Li hw.disknames ( Dv HW_DISKNAMES )
The list of (space separated) disk device names on the system.
.It Li hw.iostatnames ( Dv HW_IOSTATNAMES )
A space separated list of devices that will have I/O statistics
collected on them.
.It Li hw.iostats ( Dv HW_IOSTATS )
Return statistical information on the NFS mounts, disk and tape
devices on the system.
An array of
.Vt struct io_sysctl
structures is returned,
whose size depends on the current number of such objects in the system.
The third level name is the size of the
.Vt struct io_sysctl .
The type of object can be determined by examining the
.Va type
element of
.Vt struct io_sysctl ,
which can be
.Dv IOSTAT_DISK
(disk drive),
.Dv IOSTAT_TAPE
(tape drive), or
.Dv IOSTAT_NFS
(NFS mount).
.It Li hw.machine ( Dv HW_MACHINE )
The machine class.
.It Li hw.machine_arch ( Dv HW_MACHINE_ARCH )
The machine CPU class.
.It Li hw.model ( Dv HW_MODEL )
The machine model.
.It Li hw.ncpu ( Dv HW_NCPU )
The number of CPUs configured.
.It Li hw.ncpuonline ( Dv HW_NCPUONLINE )
The number of CPUs online.
.It Li hw.pagesize ( Dv HW_PAGESIZE )
The software page size.
.It Li hw.physmem ( Dv HW_PHYSMEM )
The bytes of physical memory as a 32-bit integer.
.It Li hw.physmem64 ( Dv HW_PHYSMEM64 )
The bytes of physical memory as a 64-bit integer.
.It Li hw.usermem ( Dv HW_USERMEM )
The bytes of non-kernel memory as a 32-bit integer.
.It Li hw.usermem64 ( Dv HW_USERMEM64 )
The bytes of non-kernel memory as a 64-bit integer.
.El
.Ss The kern.* subtree
This subtree includes data generally related to the kernel.
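.Pp
The following shell function is an added example, not part of the NetBSD manual page: it checks sysctl output against the defaults and warnings this page gives for vfs.generic.usermount, vfs.generic.magiclinks, vfs.wapbl.flush_disk_cache, kern.coredump.setid.dump and kern.expose_address.
It assumes input lines of the form "name = value"; the function names, the WARN/FAIL levels and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not NetBSD project code): audit "name = value" sysctl lines
# against the defaults and warnings documented in sysctl(7).

# audit_sysctl: read sysctl output on stdin and print one finding per line as
# "LEVEL name=value reason". Variables missing from the input are skipped,
# because some nodes only exist when a module or file system is present.
audit_sysctl() {
    awk '
    {
        # Split on the first " = " so string values containing "=" survive.
        i = index($0, " = ")
        if (i == 0) next
        val[substr($0, 1, i - 1)] = substr($0, i + 3)
    }
    # Report a variable whose value differs from the documented safe value.
    function check(name, good, level, reason) {
        if (!(name in val)) return
        if (val[name] != good)
            printf "%s %s=%s %s\n", level, name, val[name], reason
    }
    END {
        check("vfs.generic.usermount", "0", "WARN",
              "users other than the super-user can mount file systems")
        check("vfs.generic.magiclinks", "0", "WARN",
              "@name variables are expanded in pathnames")
        check("vfs.wapbl.flush_disk_cache", "1", "WARN",
              "metadata integrity not ensured on power loss")
        check("kern.coredump.setid.dump", "0", "WARN",
              "set-id processes will dump core")
        # kern.expose_address has three documented states: 0, 1 and 2.
        if ("kern.expose_address" in val) {
            v = val["kern.expose_address"]
            if (v == "2")
                printf "FAIL kern.expose_address=2 %s\n",
                       "every process can read kernel addresses; KASLR ineffective"
            else if (v == "1")
                printf "WARN kern.expose_address=1 %s\n",
                       "processes that opened /dev/kmem can read kernel addresses"
            else if (v != "0")
                printf "WARN kern.expose_address=%s undocumented value\n", v
        }
    }'
}

# Constructed sample input, in the assumed "name = value" form.
sample_sysctl_output() {
    cat <<'EOF'
kern.ostype = NetBSD
vfs.generic.usermount = 1
vfs.generic.magiclinks = 0
vfs.wapbl.flush_disk_cache = 1
kern.coredump.setid.dump = 0
kern.expose_address = 2
EOF
}

# Run the audit on the sample; prints the usermount and expose_address findings.
sample_sysctl_output | audit_sysctl
```

On a live system the function can be fed from sysctl -a instead of the sample.
.Pp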
The string and integer information available for the
.Li kern
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.posix_reader_writer_locks" \
"struct kinfo_drivers" "not applicable"
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It kern.aio_listio_max Ta integer Ta yes
.It kern.aio_max Ta integer Ta yes
.It kern.arandom Ta integer Ta no
.It kern.argmax Ta integer Ta no
.It kern.boothowto Ta integer Ta no
.It kern.boottime Ta struct timespec Ta no
.It kern.buildinfo Ta string Ta no
.\".It kern.bufq node not applicable
.It kern.ccpu Ta integer Ta no
.It kern.clockrate Ta struct clockinfo Ta no
.It kern.consdev Ta integer Ta no
.It kern.coredump Ta node Ta not applicable
.It kern.cp_id Ta struct Ta no
.It kern.cp_time Ta uint64_t[\|] Ta no
.It kern.cryptodevallowsoft Ta integer Ta yes
.It kern.defcorename Ta string Ta yes
.It kern.detachall Ta integer Ta yes
.It kern.domainname Ta string Ta yes
.It kern.drivers Ta struct kinfo_drivers Ta no
.It kern.dump_on_panic Ta integer Ta yes
.It kern.expose_address Ta integer Ta yes
.It kern.file Ta struct file Ta no
.It kern.forkfsleep Ta integer Ta yes
.It kern.fscale Ta integer Ta no
.It kern.fsync Ta integer Ta no
.It kern.hardclock_ticks Ta integer Ta no
.It kern.heartbeat.max_period Ta integer Ta yes
.It kern.hostid Ta integer Ta yes
.It kern.hostname Ta string Ta yes
.It kern.iov_max Ta integer Ta no
.It kern.ipc Ta node Ta not applicable
.It kern.job_control Ta integer Ta no
.It kern.labeloffset Ta integer Ta no
.It kern.labelsector Ta integer Ta no
.It kern.login_name_max Ta integer Ta no
.It kern.logsigexit Ta integer Ta yes
.It kern.lwp Ta struct kinfo_lwp Ta yes
.It kern.mapped_files Ta integer Ta no
.It kern.maxfiles Ta integer Ta yes
.It kern.maxlwp Ta integer Ta yes
.It kern.maxpartitions Ta integer Ta no
.It kern.maxphys Ta integer Ta no
.It kern.maxproc Ta integer Ta yes
.It kern.maxptys Ta integer Ta yes
.It kern.maxvnodes Ta integer Ta yes
.It kern.messages Ta integer Ta yes
.It kern.mbuf Ta node Ta not applicable
.It kern.memlock Ta integer Ta no
.It kern.memlock_range Ta integer Ta no
.It kern.memory_protection Ta integer Ta no
.It kern.module Ta node Ta not applicable
.It kern.monotonic_clock Ta integer Ta no
.It kern.mqueue Ta node Ta not applicable
.It kern.msgbuf Ta integer Ta no
.It kern.msgbufsize Ta integer Ta no
.It kern.ngroups Ta integer Ta no
.\".It kern.no_sa_support integer yes
.It kern.ntptime Ta struct ntptimeval Ta no
.It kern.osrelease Ta string Ta no
.It kern.osrevision Ta integer Ta no
.It kern.ostype Ta string Ta no
.\".It kern.panic_now integer yes
.It kern.pipe Ta node Ta not applicable
.It kern.pool Ta struct pool_sysctl Ta no
.\" .It kern.posix node not applicable
.It kern.posix1version Ta integer Ta no
.It kern.posix_aio Ta integer Ta no
.It kern.posix_barriers Ta integer Ta no
.It kern.posix_reader_writer_locks Ta integer Ta no
.\".It kern.posix_sched integer yes
.It kern.posix_semaphores Ta integer Ta no
.It kern.posix_spin_locks Ta integer Ta no
.It kern.posix_threads Ta integer Ta no
.It kern.posix_timers Ta integer Ta no
.It kern.proc Ta struct kinfo_proc Ta no
.It kern.proc2 Ta struct kinfo_proc2 Ta no
.It kern.proc_args Ta string Ta no
.It kern.profiling Ta node Ta not applicable
.\".It kern.pset node not applicable
.It kern.rawpartition Ta integer Ta no
.It kern.root_device Ta string Ta no
.It kern.root_partition Ta integer Ta no
.It kern.rtc_offset Ta integer Ta yes
.It kern.saved_ids Ta integer Ta no
.It kern.sbmax Ta integer Ta yes
.It kern.sched Ta node Ta not applicable
.It kern.securelevel Ta integer Ta raise only
.It kern.sofixedbuf Ta boolean Ta yes
.It kern.somaxkva Ta integer Ta yes
.It kern.sooptions Ta integer Ta yes
.It kern.synchronized_io Ta integer Ta no
.It kern.timecounter Ta node Ta not applicable
.It kern.timex Ta struct Ta no
.It kern.tkstat Ta node Ta not applicable
.It kern.tty Ta node Ta not applicable
.It kern.urandom Ta integer Ta no
.It kern.usercrypto Ta integer Ta yes
.It kern.userasymcrypto Ta integer Ta yes
.It kern.veriexec Ta node Ta not applicable
.It kern.version Ta string Ta no
.It kern.vnode Ta struct vnode Ta no
.El
.Bl -tag -width "123456"
.It Li kern.aio_listio_max
The maximum number of asynchronous I/O operations in a single list
I/O call.
Like with all variables related to
.Xr aio 3 ,
the variable may be created and removed dynamically
upon loading or unloading the corresponding kernel module.
.It Li kern.aio_max
The maximum number of asynchronous I/O operations.
.It Li kern.arandom ( Dv KERN_ARND )
Returns independent uniformly distributed bytes at random each time, as
many as requested up to 256, derived from the system entropy pool; see
.Xr rnd 4 .
.Pp
Reading
.Li kern.arandom
is equivalent to reading up to 256 bytes at a time from
.Pa /dev/urandom :
reading
.Li kern.arandom
never blocks, and once the system entropy pool has full entropy, output
subsequently read from
.Li kern.arandom
is fit for use as cryptographic key material.
For example, the
.Xr arc4random 3
library routine uses
.Li kern.arandom
internally to seed a cryptographic pseudorandom number generator.
.It Li kern.argmax ( Dv KERN_ARGMAX )
The maximum bytes of argument to
.Xr execve 2 .
.It Li kern.boothowto
Flags passed from the boot loader; see
.Xr reboot 2
for the meanings of the flags.
.It Li kern.boottime ( Dv KERN_BOOTTIME )
A
.Vt struct timespec
structure is returned.
This structure contains the time that the system was booted.
That time is defined (for this purpose) to be the time at
which the kernel first started accumulating clock ticks.
.It Li kern.bufq
This variable contains information on the
.Xr bufq 9
subsystem.
Currently, the only third level name implemented is
.Dv kern.bufq.strategies
which provides a list of buffer queue strategies currently available.
.It Li kern.buildinfo
When the kernel is built, the build environment may optionally provide
arbitrary information to be stored in this variable.
.It Li kern.ccpu ( Dv KERN_CCPU )
The scheduler exponential decay value.
.It Li kern.clockrate ( Dv KERN_CLOCKRATE )
A
.Vt struct clockinfo
structure is returned.
This structure contains the clock, statistics clock and profiling clock
frequencies, the number of micro-seconds per hz tick, and the clock
skew rate.
Refer to
.Xr hz 9
for additional details.
.It Li kern.consdev ( Dv KERN_CONSDEV )
Console device.
.It Li kern.coredump
Settings related to coredumps of set-id processes.
By default, set-id processes do not dump core in situations where
other processes would.
The settings in this node allow an administrator to change this
behavior.
.Pp
The third level name is
.Dv kern.coredump.setid
and fourth level variables are described below.
.Bl -column "kern.coredump.setid.group" "integer" "Changeable" -offset indent
.It Sy Fourth level name Ta Sy Type Ta Sy Changeable
.It kern.coredump.setid.dump Ta integer Ta yes
.It kern.coredump.setid.group Ta integer Ta yes
.It kern.coredump.setid.mode Ta integer Ta yes
.It kern.coredump.setid.owner Ta integer Ta yes
.It kern.coredump.setid.path Ta string Ta yes
.El
.Bl -tag -width "123456"
.It Li kern.coredump.setid.dump
If non-zero, set-id processes will dump core.
.It Li kern.coredump.setid.group
The group-id for the set-id processes' coredump.
.It Li kern.coredump.setid.mode
The mode for the set-id processes' coredump.
See
.Xr chmod 1 .
.It Li kern.coredump.setid.owner
The user-id that will be used as the owner of the set-id processes'
coredump.
.It Li kern.coredump.setid.path
The path to which set-id processes' coredumps will be saved.
Same syntax as kern.defcorename.
.El
.It Li kern.cp_id ( Dv KERN_CP_ID )
Mapping of CPU number to CPU id.
.It Li kern.cp_time ( Dv KERN_CP_TIME )
Returns an array of
.Dv CPUSTATES
.Vt uint64_t Ns s .
This array contains the
number of clock ticks spent in different CPU states.
On multi-processor systems, the sum across all CPUs is returned unless
appropriate space is given for one data set for each CPU.
Data for a specific CPU can also be obtained by adding the number of the
CPU at the end of the MIB, enlarging it by one.
.It Li kern.cryptodevallowsoft
This variable controls userland access to hardware versus software transforms
in the
.Xr crypto 4
system.
The available values are as follows:
.Bl -tag -width XX0 -offset indent
.It Dv < 0
Always force userlevel requests to use software transforms.
.It Dv = 0
If present, use hardware and grant userlevel requests for
non-accelerated transforms (handling the latter in software).
.It Dv > 0
Allow user requests only for transforms which are hardware-accelerated.
.El
.It Li kern.defcorename ( Dv KERN_DEFCORENAME )
Default template for the name of core dump files (see also
.Li proc.pid.corename
in the per-process variables
.Li proc.* ,
and
.Xr core 5
for format of this template).
The default value is
.Pa %n.core
and can be changed with the kernel configuration option
.Cd options DEFCORENAME
(see
.Xr options 4
).
.It Li kern.detachall
Detach all devices at shutdown.
.It Li kern.domainname ( Dv KERN_DOMAINNAME )
Get or set the YP domain name.
.It Li kern.drivers ( Dv KERN_DRIVERS )
Return an array of
.Vt struct kinfo_drivers
that contains the name and major device numbers of all the device drivers
in the current kernel.
The
.Va d_name
field is always a NUL terminated string.
The
.Va d_bmajor
field will be set to \-1 if the driver doesn't have a block device.
.It Li kern.expose_address
Expose kernel addresses in
.Xr sysctl 3
calls used by
.Xr fstat 1
and
.Xr sockstat 1 .
If it is set to
.Dv 0
access is not allowed.
If it is set to
.Dv 1
then only processes that have opened
.Pa /dev/kmem
can have access.
If it is set to
.Dv 2
every process is allowed.
Defaults to
.Dv 0
for
.Dv KASLR
kernels
and
.Dv 1
otherwise.
Allowing general access renders KASLR ineffective; allowing only kmem
accessing programs weakens KASLR if those programs can be subverted
to leak the addresses.
.It Li kern.dump_on_panic ( Dv KERN_DUMP_ON_PANIC )
Perform a crash dump on system
.Xr panic 9 .
.It Li kern.file ( Dv KERN_FILE )
Return the entire file table.
The returned data consists of a single
.Vt struct filelist
followed by an array of
.Vt struct file ,
whose size depends on the current number of such objects in the system.
.It Li kern.forkfsleep ( Dv KERN_FORKFSLEEP )
If the
.Xr fork 2
system call fails due to the limit on the number of processes (either
the global maxproc limit or the user's one), wait for this many
milliseconds before returning an
.Er EAGAIN
error to the process.
Useful to keep heavily forking runaway processes at bay.
Default zero (no sleep).
Maximum is 20 seconds.
.It Li kern.fscale ( Dv KERN_FSCALE )
The kernel fixed-point scale factor.
.It Li kern.fsync ( Dv KERN_FSYNC )
Return 1 if the
.St -p1003.1b-93
File Synchronization Option is available
on this system,
otherwise\ 0.
.It Li kern.hardclock_ticks ( Dv KERN_HARDCLOCK_TICKS )
Returns the number of
.Xr hardclock 9
ticks.
.It Li kern.heartbeat.max_period
Time in seconds since the last
.Cd options HEARTBEAT
progress check has passed before it will trigger a panic.
See
.Xr options 4 .
.It Li kern.hist
This variable contains kernel history data if the kernel was
configured for any of the options
.Dv UVMHIST ,
.Dv USB_DEBUG ,
.Dv BIOHIST ,
or
.Dv SCDEBUG .
(See
.Xr options 4
for more details.)
The third-level names correspond to each available history table.
The values of the history tables are in an internal format, and can be
decoded by the
.Xr vmstat 1
utility's
.Fl U
and
.Fl u
options;
the
.Fl l
option can be used to see which tables are available.
.It Li kern.hostid ( Dv KERN_HOSTID )
Get or set the host identifier.
This is aimed to replace the legacy
.Xr gethostid 3
and
.Xr sethostid 3
system calls.
.It Li kern.hostname ( Dv KERN_HOSTNAME )
Get or set the
.Xr hostname 1 .
.It Li kern.iov_max ( Dv KERN_IOV_MAX )
Return the maximum number of
.Vt iovec
structures that a process has available for use with
.Xr preadv 2 ,
.Xr pwritev 2 ,
.Xr readv 2 ,
.Xr recvmsg 2 ,
.Xr sendmsg 2
and
.Xr writev 2 .
.It Li kern.ipc ( Dv KERN_SYSVIPC )
Return information about the SysV IPC parameters.
The third level names for the ipc variables are detailed below.
.Bl -column "kern.ipc.shm_use_phys" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.ipc.sysvmsg Ta integer Ta no
.It kern.ipc.sysvsem Ta integer Ta no
.It kern.ipc.sysvshm Ta integer Ta no
.It kern.ipc.sysvipc_info Ta struct Ta no
.It kern.ipc.shmmax Ta integer Ta yes
.It kern.ipc.shmmni Ta integer Ta yes
.It kern.ipc.shmseg Ta integer Ta yes
.It kern.ipc.shmmaxpgs Ta integer Ta yes
.It kern.ipc.shm_use_phys Ta integer Ta yes
.It kern.ipc.msgmni Ta integer Ta yes
.It kern.ipc.msgseg Ta integer Ta yes
.It kern.ipc.semmni Ta integer Ta yes
.It kern.ipc.semmns Ta integer Ta yes
.It kern.ipc.semmnu Ta integer Ta yes
.El
.Bl -tag -width "123456"
.It Li kern.ipc.sysvmsg ( Dv KERN_SYSVIPC_MSG )
Returns 1 if System V style message queue functionality is available
on this system,
otherwise\ 0.
.It Li kern.ipc.sysvsem ( Dv KERN_SYSVIPC_SEM )
Returns 1 if System V style semaphore functionality is available
on this system,
otherwise\ 0.
.It Li kern.ipc.sysvshm ( Dv KERN_SYSVIPC_SHM )
Returns 1 if System V style shared memory functionality is available
on this system,
otherwise\ 0.
.It Li kern.ipc.sysvipc_info ( Dv KERN_SYSVIPC_INFO )
Return System V style IPC configuration and run-time information.
The fourth level name selects the System V style IPC facility.
.Bl -column "KERN_SYSVIPC_MSG_INFO" "struct shm_sysctl_info" -offset indent
.It Sy Fourth level name Ta Sy Type
.It KERN_SYSVIPC_MSG_INFO Ta struct msg_sysctl_info
.It KERN_SYSVIPC_SEM_INFO Ta struct sem_sysctl_info
.It KERN_SYSVIPC_SHM_INFO Ta struct shm_sysctl_info
.El
.Bl -tag -width "123456"
.It Li KERN_SYSVIPC_MSG_INFO
Return information on the System V style message facility.
The
.Sy msg_sysctl_info
structure is defined in
.In sys/msg.h .
.It Li KERN_SYSVIPC_SEM_INFO
Return information on the System V style semaphore facility.
The
.Sy sem_sysctl_info
structure is defined in
.In sys/sem.h .
.It Li KERN_SYSVIPC_SHM_INFO
Return information on the System V style shared memory facility.
The
.Sy shm_sysctl_info
structure is defined in
.In sys/shm.h .
.El
.It Li kern.ipc.shmmax ( Dv KERN_SYSVIPC_SHMMAX )
Max shared memory segment size in bytes.
.It Li kern.ipc.shmmni ( Dv KERN_SYSVIPC_SHMMNI )
Max number of shared memory identifiers.
.It Li kern.ipc.shmseg ( Dv KERN_SYSVIPC_SHMSEG )
Max shared memory segments per process.
.It Li kern.ipc.shmmaxpgs ( Dv KERN_SYSVIPC_SHMMAXPGS )
Max amount of shared memory in pages.
.It Li kern.ipc.shm_use_phys ( Dv KERN_SYSVIPC_SHMUSEPHYS )
Locking of shared memory in physical memory.
If 0, memory can be swapped
out, otherwise it will be locked in physical memory.
.It Li kern.ipc.msgmni
Max number of message queue identifiers.
.It Li kern.ipc.msgseg
Max number of message segments.
.It Li kern.ipc.semmni
Max number of semaphore identifiers.
.It Li kern.ipc.semmns
Max number of semaphores in system.
.It Li kern.ipc.semmnu
Max number of undo structures in system.
.El
.It Li kern.job_control ( Dv KERN_JOB_CONTROL )
Return 1 if job control is available on this system, otherwise\ 0.
.It Li kern.labeloffset ( Dv KERN_LABELOFFSET )
The offset within the sector specified by
.Dv KERN_LABELSECTOR
of the
.Xr disklabel 5 .
.It Li kern.labelsector ( Dv KERN_LABELSECTOR )
The sector number containing the
.Xr disklabel 5 .
.It Li kern.login_name_max ( Dv KERN_LOGIN_NAME_MAX )
The size of the storage required for a login name, in bytes,
including the terminating NUL.
.It Li kern.logsigexit ( Dv KERN_LOGSIGEXIT )
If this flag is non-zero, the kernel will
.Xr log 9
all process exits due to signals which create a
.Xr core 5
file, and whether the coredump was created.
.It Li kern.lwp ( Dv KERN_LWP )
Returns information about the current light-weight process.
The
.Sy kinfo_lwp
structure is defined in
.In sys/sysctl.h .
.It Li kern.mapped_files ( Dv KERN_MAPPED_FILES )
Returns 1 if the
.St -p1003.1b-93
Memory Mapped Files Option is available on this system,
otherwise\ 0.
.It Li kern.maxfiles ( Dv KERN_MAXFILES )
The maximum number of open files that may be open in the system.
This also controls the maximum file locks per unprivileged user
enforced by
.Xr fcntl 2
and
.Xr flock 2 .
.It Li kern.maxpartitions ( Dv KERN_MAXPARTITIONS )
The maximum number of partitions allowed per disk.
.It Li kern.maxlwp
The maximum number of Lightweight Processes (threads) the system allows
per uid.
.It Li kern.maxphys ( Dv KERN_MAXPHYS )
Maximum raw I/O transfer size.
.It Li kern.maxproc ( Dv KERN_MAXPROC )
The maximum number of simultaneous processes the system will allow.
.It Li kern.maxptys ( Dv KERN_MAXPTYS )
The maximum number of pseudo terminals.
This value can be both raised and lowered, though it cannot
be set lower than the number of currently used ptys.
See also
.Xr pty 4 .
.It Li kern.maxvnodes ( Dv KERN_MAXVNODES )
The maximum number of vnodes available on the system.
This cannot be lowered below the number of currently active vnodes.
.It Li kern.mbuf ( Dv KERN_MBUF )
Return information about the mbuf control variables.
Mbufs are data structures which store network packets and other data
structures in the networking code, see
.Xr mbuf 9 .
The third level names for the mbuf variables are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.mbuf.nmbclusters_limit" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.\" XXX Changeable? really?
.It kern.mbuf.mblowat Ta integer Ta yes
.It kern.mbuf.mclbytes Ta integer Ta yes
.It kern.mbuf.mcllowat Ta integer Ta yes
.It kern.mbuf.msize Ta integer Ta yes
.It kern.mbuf.nmbclusters Ta integer Ta yes
.It kern.mbuf.nmbclusters_limit Ta integer Ta no
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.mbuf.mblowat ( Dv MBUF_MBLOWAT )
The mbuf low water mark.
.It Li kern.mbuf.mclbytes ( Dv MBUF_MCLBYTES )
The mbuf cluster size.
.It Li kern.mbuf.mcllowat ( Dv MBUF_MCLLOWAT )
The mbuf cluster low water mark.
.It Li kern.mbuf.msize ( Dv MBUF_MSIZE )
The mbuf base size.
.It Li kern.mbuf.nmbclusters ( Dv MBUF_NMBCLUSTERS )
The limit on the number of mbuf clusters.
The variable can only be increased, and only increased on machines with
direct-mapped pool pages.
.It Li kern.mbuf.nmbclusters_limit ( Dv MBUF_NMBCLUSTERS_LIMIT )
The limit of nmbclusters.
.El
.It Li kern.memlock ( Dv KERN_MEMLOCK )
Returns 1 if the
.St -p1003.1b-93
Process Memory Locking Option is available on this system,
otherwise\ 0.
.It Li kern.memlock_range ( Dv KERN_MEMLOCK_RANGE )
Returns 1 if the
.St -p1003.1b-93
Range Memory Locking Option is available on this system,
otherwise\ 0.
.It Li kern.memory_protection ( Dv KERN_MEMORY_PROTECTION )
Returns 1 if the
.St -p1003.1b-93
Memory Protection Option is available on this system,
otherwise\ 0.
.It Li kern.messages
Kernel console message verbosity.
See
.Aq Pa sys/reboot.h
.Bl -column "verbosity" "setting" -offset indent
.It Sy Value Ta Sy Verbosity Ta Sy sys/reboot.h equivalent
.It 0 Ta Silent Ta Sy AB_SILENT
.It 1 Ta Quiet Ta Sy AB_QUIET
.It 2 Ta Normal Ta Sy AB_NORMAL
.It 3 Ta Verbose Ta Sy AB_VERBOSE
.It 4 Ta Debug Ta Sy AB_DEBUG
.El
.It Li kern.module
Settings related to kernel modules.
The third level names for the settings are described below.
.Bl -column "kern.module.autounload_unsafe" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.module.autoload Ta integer Ta yes
.It kern.module.autounload_unsafe Ta integer Ta yes
.It kern.module.autotime Ta integer Ta yes
.It kern.module.verbose Ta boolean Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width 6n
.It Li kern.module.autoload
A boolean that controls whether kernel modules are loaded automatically.
See
.Xr module 7
for details.
.It Li kern.module.autounload_unsafe
A boolean that controls whether the kernel will autounload modules that
were automatically loaded and have not been audited for autounload.
.Pp
By default, only modules that have been audited will be autounloaded,
and only if they were autoloaded to begin with.
.It Li kern.module.autotime
An integer that controls the delay before an attempt is made to
automatically unload a module that was auto-loaded.
Setting this value to zero disables the auto-unload function.
.It Li kern.module.verbose
A boolean that enables or disables verbose
debug messages related to kernel modules.
.El
.It Li kern.monotonic_clock ( Dv KERN_MONOTONIC_CLOCK )
Returns the standard version the implementation of the
.St -p1003.1b-93
Monotonic Clock Option conforms to,
otherwise\ 0.
.It Li kern.mqueue
Settings related to POSIX message queues; see
.Xr mqueue 3 .
This node is created dynamically when
the corresponding kernel module is loaded.
The third level names for the settings are described below.
.Bl -column "kern.mqueue.mq_max_msgsize" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.mqueue.mq_open_max Ta integer Ta yes
.It kern.mqueue.mq_prio_max Ta integer Ta yes
.It kern.mqueue.mq_max_msgsize Ta integer Ta yes
.It kern.mqueue.mq_def_maxmsg Ta integer Ta yes
.It kern.mqueue.mq_max_maxmsg Ta integer Ta yes
.El
.Pp
The variables are:
.Bl -tag -width "123456"
.It Li kern.mqueue.mq_open_max
The maximum number of message queue descriptors any single process can open.
.It Li kern.mqueue.mq_prio_max
The maximum priority of a message.
.It Li kern.mqueue.mq_max_msgsize
The maximum size of a message in a message queue.
.It Li kern.mqueue.mq_def_maxmsg
The default maximum message count.
.It Li kern.mqueue.mq_max_maxmsg
The maximum number of messages in a message queue.
.El
.It Li kern.msgbuf ( Dv KERN_MSGBUF )
The kernel message buffer, rotated so that the head of the circular kernel
message buffer is at the start of the returned data.
The returned data may contain NUL bytes.
.It Li kern.msgbufsize ( Dv KERN_MSGBUFSIZE )
The maximum number of characters that the kernel message buffer can hold.
.It Li kern.ngroups ( Dv KERN_NGROUPS )
The maximum number of supplemental groups.
.\" .It Li kern.no_sa_support
.\" XXX: Undocumented.
.It Li kern.ntptime ( Dv KERN_NTPTIME )
A
.Vt struct ntptimeval
structure is returned.
This structure contains data used by the
.Xr ntpd 8
program.
.It Li kern.osrelease ( Dv KERN_OSRELEASE )
The system release string.
.It Li kern.osrevision ( Dv KERN_OSREV )
The system revision, expressed as an integer.
.It Li kern.ostype ( Dv KERN_OSTYPE )
The system type string.
.\".It Li kern.panic_now
.\" XXX: Undocumented.
.It Li kern.pipe ( Dv KERN_PIPE )
Pipe settings.
The third level names for the integer pipe settings are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.pipe.maxbigpipes" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.pipe.kvasiz Ta integer Ta yes
.It kern.pipe.maxbigpipes Ta integer Ta yes
.It kern.pipe.maxkvasz Ta integer Ta yes
.It kern.pipe.limitkva Ta integer Ta yes
.It kern.pipe.nbigpipes Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.pipe.kvasiz ( Dv KERN_PIPE_KVASIZ )
Amount of kernel memory consumed by pipe buffers.
.It Li kern.pipe.maxbigpipes ( Dv KERN_PIPE_MAXBIGPIPES )
Maximum number of
.Dq big
pipes.
.It Li kern.pipe.maxkvasz ( Dv KERN_PIPE_MAXKVASZ )
Maximum amount of kernel memory to be used for pipes.
.It Li kern.pipe.limitkva ( Dv KERN_PIPE_LIMITKVA )
Limit for direct transfers via page loan.
.It Li kern.pipe.nbigpipes ( Dv KERN_PIPE_NBIGPIPES )
Number of
.Dq big
pipes.
.El
.It Li kern.pool
Provides statistics about the
.Xr pool 9
and
.Xr pool_cache 9
subsystems.
.\" XXX: Undocumented .It Li kern.posix ( ? )
.\" This is a node in which the only variable is semmax.
.It Li kern.posix1version ( Dv KERN_POSIX1 )
The version of ISO/IEC 9945
.Pq St -p1003.1
with which the system attempts to comply.
.It Li kern.posix_aio
The version of
.St -p1003.1
and its Asynchronous I/O option to which the system attempts to conform.
.It Li kern.posix_barriers ( Dv KERN_POSIX_BARRIERS )
The version of
.St -p1003.1
and its
Barriers
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.posix_reader_writer_locks ( Dv KERN_POSIX_READER_WRITER_LOCKS )
The version of
.St -p1003.1
and its
Read-Write Locks
option to which the system attempts to conform,
otherwise\ 0.
.\".It Li kern.posix_sched
.\" XXX: Undocumented.
.It Li kern.posix_semaphores ( Dv KERN_POSIX_SEMAPHORES )
The version of
.St -p1003.1
and its
Semaphores
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.posix_spin_locks ( Dv KERN_POSIX_SPIN_LOCKS )
The version of
.St -p1003.1
and its
Spin Locks
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.posix_threads ( Dv KERN_POSIX_THREADS )
The version of
.St -p1003.1
and its
Threads
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.posix_timers ( Dv KERN_POSIX_TIMERS )
The version of
.St -p1003.1
and its
Timers
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.proc ( Dv KERN_PROC )
Return the entire process table, or a subset of it.
An array of
.Vt struct kinfo_proc
structures is returned,
whose size depends on the current number of such objects in the system.
The third and fourth level numeric names are as follows:
.Bl -column "KERN_PROC_SESSION" "Fourth level is:" -offset indent
.It Sy Third level name Ta Sy Fourth level is :
.It KERN_PROC_ALL Ta None
.It KERN_PROC_GID Ta A group ID
.It KERN_PROC_PID Ta A process ID
.It KERN_PROC_PGRP Ta A process group
.It KERN_PROC_RGID Ta A real group ID
.It KERN_PROC_RUID Ta A real user ID
.It KERN_PROC_SESSION Ta A session ID
.It KERN_PROC_TTY Ta A tty device
.It KERN_PROC_UID Ta A user ID
.El
.It Li kern.proc2 ( Dv KERN_PROC2 )
As for
.Dv KERN_PROC ,
but an array of
.Vt struct kinfo_proc2
structures is returned.
The fifth level name is the size of the
.Vt struct kinfo_proc2
and the sixth level name is the number of structures to return.
.It Li kern.proc_args ( Dv KERN_PROC_ARGS )
Return the argv or environment strings (or the number thereof)
of a process.
Multiple strings are returned separated by NUL characters.
The third level name is the process ID.
The fourth level name is as follows:
.Bl -column "KERN_PROG_PATHNAME" "The full pathname of the executable" -offset indent
.It Dv KERN_PROC_ARGV Ta The argv strings
.It Dv KERN_PROC_ENV Ta The environ strings
.It Dv KERN_PROC_NARGV Ta The number of argv strings
.It Dv KERN_PROC_NENV Ta The number of environ strings
.It Dv KERN_PROC_PATHNAME Ta The full pathname of the executable
.It Dv KERN_PROC_CWD Ta The current working directory
.El
.It Li kern.profiling ( Dv KERN_PROF )
Return profiling information about the kernel.
If the kernel is not compiled for profiling,
attempts to retrieve any of the
.Dv KERN_PROF
values will fail with
.Er EOPNOTSUPP .
The third level names for the string and integer profiling information
are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.profiling.gmonparam" "struct gmonparam" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.profiling.count Ta u_short[\|] Ta yes
.It kern.profiling.froms Ta u_short[\|] Ta yes
.It kern.profiling.gmonparam Ta struct gmonparam Ta no
.It kern.profiling.state Ta integer Ta yes
.It kern.profiling.tos Ta struct tostruct Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.profiling.count ( Dv GPROF_COUNT )
Array of statistical program counter counts.
.It Li kern.profiling.froms ( Dv GPROF_FROMS )
Array indexed by program counter of call-from points.
.It Li kern.profiling.gmonparams ( Dv GPROF_GMONPARAM )
Structure giving the sizes of the above arrays.
.It Li kern.profiling.state ( Dv GPROF_STATE )
Profiling state.
If set to
.Dv GMON_PROF_ON ,
starts profiling.
If set to
.Dv GMON_PROF_OFF ,
stops profiling.
.It Li kern.profiling.tos ( Dv GPROF_TOS )
Array of
.Vt struct tostruct
describing destination of calls and their counts.
.El
.\" .It Li kern.pset
.\" XXX: Undocumented.
.It Li kern.rawpartition ( Dv KERN_RAWPARTITION )
The raw partition of a disk (a == 0).
.It Li kern.root_device ( Dv KERN_ROOT_DEVICE )
The name of the root device (e.g.,
.Dq wd0 ) .
.It Li kern.root_partition ( Dv KERN_ROOT_PARTITION )
The root partition on the root device (a == 0).
.It Li kern.rtc_offset ( Dv KERN_RTC_OFFSET )
Return the offset of real time clock from UTC in minutes.
.It Li kern.saved_ids ( Dv KERN_SAVED_IDS )
Returns 1 if saved set-group and saved set-user IDs are available.
.It Li kern.sbmax ( Dv KERN_SBMAX )
Maximum socket buffer size in bytes.
.It Li kern.securelevel ( Dv KERN_SECURELVL )
See
.Xr secmodel_securelevel 9 .
.It Li kern.sched ( dynamic )
Influence the scheduling of LWPs, their prioritization and how they are
distributed on and moved between CPUs.
.Bl -column "kern.sched.balance_period" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.sched.cacheht_time Ta integer Ta yes
.It kern.sched.balance_period Ta integer Ta yes
.It kern.sched.average_weight Ta integer Ta yes
.It kern.sched.min_catch Ta integer Ta yes
.It kern.sched.timesoftints Ta integer Ta yes
.It kern.sched.kpreempt_pri Ta integer Ta yes
.It kern.sched.upreempt_pri Ta integer Ta yes
.It kern.sched.maxts Ta integer Ta yes
.It kern.sched.mints Ta integer Ta yes
.It kern.sched.name Ta string Ta no
.It kern.sched.rtts Ta integer Ta no
.It kern.sched.pri_min Ta integer Ta no
.It kern.sched.pri_max Ta integer Ta no
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.sched.cacheht_time ( dynamic )
Cache hotness time in which a LWP is kept on one particular CPU
and not moved to another CPU.
This reduces the overhead of flushing and reloading caches.
Defaults to 3ms.
Needs to be given in
.Dq hz
units, see
.Xr mstohz 9 .
.It Li kern.sched.balance_period ( dynamic )
Interval at which the CPU queues are checked for re-balancing.
Defaults to 300ms.
Needs to be given in
.Dq hz
units, see
.Xr mstohz 9 .
.It Li kern.sched.average_weight ( dynamic )
Can be used to influence how likely LWPs are to be migrated from
one CPU's queue of LWPs that are ready to run to a different, idle CPU.
The value gives the percentage for weighting the average count of
migratable threads from the past against the current number of
migratable threads.
A small value gives more weight to the past, a larger value gives more
weight to the current situation.
Defaults to 50 and must be between 0 and 100.
.It Li kern.sched.min_catch ( dynamic )
Minimum count of migratable (runnable) threads for catching (stealing)
from another CPU.
Defaults to 1 but can be increased to decrease the chance of thread
migration between CPUs.
.It Li kern.sched.timesoftints ( dynamic )
Enable tracking of CPU time for soft interrupts
as part of a LWP's real execution time.
Set to a non-zero value to enable,
and see
.Xr ps 1
for printing CPU times.
.It Li kern.sched.kpreempt_pri ( dynamic )
Minimum priority to trigger kernel preemption.
.It Li kern.sched.upreempt_pri ( dynamic )
Minimum priority to trigger user preemption.
.It Li kern.sched.maxts ( dynamic )
Scheduler specific maximal time quantum (in milliseconds).
Must be set to a value larger than
.Dq mints
and between 10 and
.Dq hz
as given by the
.Dv kern.clockrate
sysctl.
Provided by the M2 scheduler.
.It Li kern.sched.mints ( dynamic )
Scheduler specific minimal time quantum (in milliseconds).
Must be set to a value smaller than
.Dq maxts
and between 1 and
.Dq hz
as given by the
.Dq kern.clockrate
sysctl.
Provided by the M2 scheduler.
.It Li kern.sched.name ( dynamic )
Scheduler name.
Provided both by the M2 and the 4BSD scheduler.
.It Li kern.sched.rtts ( dynamic )
Fixed scheduler specific round-robin time quantum in milliseconds.
Provided both by the M2 and the 4BSD scheduler.
.It Li kern.sched.pri_min ( dynamic )
Minimal POSIX real-time priority.
See
.Xr sched 3 .
.It Li kern.sched.pri_max ( dynamic )
Maximal POSIX real-time priority.
See
.Xr sched 3 .
.El
.It Li kern.sofixedbuf ( Dv KERN_SOFIXEDBUF )
Prevent socket buffer autoscaling when a size is set with
.Dv SO_SNDBUF
or
.Dv SO_RCVBUF .
.It Li kern.somaxkva ( Dv KERN_SOMAXKVA )
Maximum amount of kernel memory to be used for socket buffers in bytes.
.It Li kern.sooptions
Set the default socket option flags for
.Xr socket 2
creation.
See
.Xr setsockopt 2
for a list of supported flags.
.It Li kern.synchronized_io ( Dv KERN_SYNCHRONIZED_IO )
Returns 1 if the
.St -p1003.1b-93
Synchronized I/O Option is available on this system,
otherwise\ 0.
.It Li kern.timecounter ( dynamic )
Display and control the timecounter source of the system.
.Bl -column "kern.timecounter.timestepwarnings" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.timecounter.choice Ta string Ta no
.It kern.timecounter.hardware Ta string Ta yes
.It kern.timecounter.timestepwarnings Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.timecounter.choice ( dynamic )
The list of available timecounters with their quality and frequency.
.It Li kern.timecounter.hardware ( dynamic )
The currently selected timecounter source.
.It Li kern.timecounter.timestepwarnings ( dynamic )
If non-zero, display a message each time the time is stepped.
.El
.It Li kern.timex ( Dv KERN_TIMEX )
Not available.
.It Li kern.tkstat ( Dv KERN_TKSTAT )
Return information about the number of characters sent and received
on ttys.
The third level names for the tty statistic variables are detailed below.
The changeable column shows whether a process
with appropriate privilege may change the value.
.Bl -column "kern.tkstat.cancc" "quad" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.tkstat.cancc Ta quad Ta no
.It kern.tkstat.nin Ta quad Ta no
.It kern.tkstat.nout Ta quad Ta no
.It kern.tkstat.rawcc Ta quad Ta no
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.tkstat.cancc ( Dv KERN_TKSTAT_CANCC )
The number of canonical input characters.
.It Li kern.tkstat.nin ( Dv KERN_TKSTAT_NIN )
The total number of input characters.
.It Li kern.tkstat.nout ( Dv KERN_TKSTAT_NOUT )
The total number of output characters.
.It Li kern.tkstat.rawcc ( Dv KERN_TKSTAT_RAWCC )
The number of raw input characters.
.El
.It Li kern.tty
The third level names for the tty setup variables are detailed below.
The changeable column shows whether a process
with appropriate privilege may change the value.
.Bl -column "kern.tty.qsize" "int" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.tty.qsize Ta int Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.tty.qsize
Control/display the size of the default input and output queues selected
during tty creation.
The value is converted to a power of two, and its range is between
.Dv 1024
and
.Dv 65536 .
.El
.It Li kern.uidinfo
Resource usage for the current user.
.Bl -column "kern.uidinfo.proccnt" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.uidinfo.proccnt Ta integer Ta no
.It kern.uidinfo.lwpcnt Ta integer Ta no
.It kern.uidinfo.lockcnt Ta integer Ta no
.It kern.uidinfo.semcnt Ta integer Ta no
.It kern.uidinfo.sbsize Ta integer Ta no
.El
.Bl -tag -width "123456"
.It Li kern.uidinfo.proccnt
Returns the number of active processes for the current user.
.It Li kern.uidinfo.lwpcnt
Returns the number of active threads for the current user; the first thread
of each process is not counted.
.It Li kern.uidinfo.lockcnt
Number of locks held by the current user.
.It Li kern.uidinfo.semcnt
Number of semaphores held by the current user.
.It Li kern.uidinfo.sbsize
Number of bytes in socket buffers allocated to the current user.
.El
.It Li kern.urandom ( Dv KERN_URND )
Random integer value.
.It Li kern.usercrypto
When enabled, allows userland to
.Xr open 2
the
.Pa /dev/crypto
special device, used by the
.Xr crypto 4
system.
.It Li kern.userasymcrypto
Enables or disables the use of software asymmetric crypto support in the
.Xr crypto 4
system.
.It Li kern.veriexec
Runtime information for
.Xr veriexec 8 .
.Bl -column "kern.veriexec.algorithms" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.veriexec.algorithms Ta string Ta no
.It kern.veriexec.count Ta node Ta not applicable
.It kern.veriexec.strict Ta integer Ta yes
.It kern.veriexec.verbose Ta integer Ta yes
.El
.Bl -tag -width "123456"
.It Li kern.veriexec.algorithms
Returns a string with the supported algorithms in Veriexec.
.It Li kern.veriexec.count
Sub-nodes are added to this node as new mounts are monitored by Veriexec.
Each mount will be under its own
.No tableN
node.
Under each node there will be three variables, indicating the mount
point, the file system type, and the number of entries.
.It Li kern.veriexec.strict
Controls the strict level of Veriexec.
See
.Xr security 7
for more information on each level's implications.
.It Li kern.veriexec.verbose
Controls the verbosity level of Veriexec.
If 0, only the minimal
indication required will be given about what's happening: fingerprint
mismatches, removal of entries from the tables, modification of a
fingerprinted file.
If 1, more messages will be printed (i.e., when a file with a valid
fingerprint is accessed).
Verbose level 2 is debug mode.
.El
.It Li kern.version ( Dv KERN_VERSION )
The system version string.
.It Li kern.vnode ( Dv KERN_VNODE )
Return the entire vnode table.
Note, the vnode table is not necessarily a consistent snapshot of
the system.
The returned data consists of an array whose size depends on the
current number of such objects in the system.
Each element of the array contains the kernel address of a vnode
.Vt struct vnode *
followed by the vnode itself
.Vt struct vnode .
.El
.Ss The machdep.* subtree
The set of variables defined is architecture dependent.
Most architectures define at least the following variables.
.Bl -column "machdep.booted_kernel" "Type" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It Li machdep.booted_kernel Ta string Ta no
.El
.\" XXX: Document the above.
.Ss The net.* subtree
The string and integer information available for the
.Li net
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
The second and third levels are typically the protocol family and
protocol number, though this is not always the case.
.Bl -column "Second level name" "IPsec key management values" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It net.route Ta routing messages Ta no
.It net.inet Ta IPv4 values Ta yes
.It net.inet6 Ta IPv6 values Ta yes
.It net.key Ta IPsec key management values Ta yes
.El
.Bl -tag -width "123456"
.It Li net.route ( Dv PF_ROUTE )
.\" XXX really?
Return the entire routing table or a subset of it.
The data is returned as a sequence of routing messages (see
.Xr route 4
for the header file, format and meaning).
The length of each message is contained in the message header.
.Pp
The third level name is a protocol number, which is currently always\ 0.
The fourth level name is an address family, which may be set to 0 to
select all address families.
The fifth and sixth level names are as follows:
.Bl -column "Fifth level name" "Sixth level is:" -offset indent
.It Sy Fifth level name Ta Sy Sixth level is :
.It NET_RT_FLAGS Ta rtflags
.It NET_RT_DUMP Ta None
.It NET_RT_IFLIST Ta None
.El
.It Li net.inet ( Dv PF_INET )
Get or set various global information about the IPv4
.Pq Internet Protocol version 4 .
The third level name is the protocol.
The fourth level name is the variable name.
The currently defined protocols and names are:
.Bl -column "Protocol" "anonportalgo.available" "integer" "Changeable" -offset indent
.It Sy Protocol Ta Sy Variable Ta Sy Type Ta Sy Changeable
.It arp Ta nd_delay Ta integer Ta yes
.It arp Ta nd_bmaxtries Ta integer Ta yes
.It arp Ta nd_umaxtries Ta integer Ta yes
.It arp Ta nd_basereachable Ta integer Ta yes
.It arp Ta nd_retrans Ta integer Ta yes
.It arp Ta nd_nud Ta integer Ta yes
.It arp Ta nd_maxnudhint Ta integer Ta yes
.It arp Ta log_movements Ta integer Ta yes
.It arp Ta log_permanent_modify Ta integer Ta yes
.It arp Ta log_unknown_network Ta integer Ta yes
.It arp Ta log_wrong_iface Ta integer Ta yes
.It carp Ta allow Ta integer Ta yes
.It carp Ta preempt Ta integer Ta yes
.It carp Ta log Ta integer Ta yes
.It carp Ta arpbalance Ta integer Ta yes
.It icmp Ta errppslimit Ta integer Ta yes
.It icmp Ta maskrepl Ta integer Ta yes
.It icmp Ta rediraccept Ta integer Ta yes
.It icmp Ta redirtimeout Ta integer Ta yes
.It icmp Ta bmcastecho Ta integer Ta yes
.It icmp Ta dynamic_rt_msg Ta boolean Ta yes
.It ip Ta allowsrcrt Ta integer Ta yes
.It ip Ta anonportalgo.selected Ta string Ta yes
.It ip Ta anonportalgo.available Ta string Ta yes
.It ip Ta anonportalgo.reserve Ta struct Ta yes
.It ip Ta anonportmax Ta integer Ta yes
.It ip Ta anonportmin Ta integer Ta yes
.It ip Ta checkinterface Ta integer Ta yes
.It ip Ta dad_count Ta integer Ta yes
.It ip Ta directed-broadcast Ta integer Ta yes
.It ip Ta do_loopback_cksum Ta integer Ta yes
.It ip Ta forwarding Ta integer Ta yes
.It ip Ta forwsrcrt Ta integer Ta yes
.It ip Ta gifttl Ta integer Ta yes
.It ip Ta grettl Ta integer Ta yes
.It ip Ta hashsize Ta integer Ta yes
.It ip Ta hostzerobroadcast Ta integer Ta yes
.It ip Ta lowportmin Ta integer Ta yes
.It ip Ta lowportmax Ta integer Ta yes
.It ip Ta maxflows Ta integer Ta yes
.It ip Ta maxfragpackets Ta integer Ta yes
.It ip Ta mtudisc Ta integer Ta yes
.It ip Ta mtudisctimeout Ta integer Ta yes
.It ip Ta random_id Ta integer Ta yes
.It ip Ta redirect Ta integer Ta yes
.It ip Ta subnetsarelocal Ta integer Ta yes
.It ip Ta ttl Ta integer Ta yes
.It tcp Ta rfc1323 Ta integer Ta yes
.It tcp Ta sendspace Ta integer Ta yes
.It tcp Ta recvspace Ta integer Ta yes
.It tcp Ta mssdflt Ta integer Ta yes
.It tcp Ta syn_cache_limit Ta integer Ta yes
.It tcp Ta syn_bucket_limit Ta integer Ta yes
.It tcp Ta syn_cache_interval Ta integer Ta yes
.It tcp Ta init_win Ta integer Ta yes
.It tcp Ta init_win_local Ta integer Ta yes
.It tcp Ta mss_ifmtu Ta integer Ta yes
.It tcp Ta win_scale Ta integer Ta yes
.It tcp Ta timestamps Ta integer Ta yes
.It tcp Ta cwm Ta integer Ta yes
.It tcp Ta cwm_burstsize Ta integer Ta yes
.It tcp Ta ack_on_push Ta integer Ta yes
.It tcp Ta keepidle Ta integer Ta yes
.It tcp Ta keepintvl Ta integer Ta yes
.It tcp Ta keepcnt Ta integer Ta yes
.It tcp Ta slowhz Ta integer Ta no
.It tcp Ta keepinit Ta integer Ta yes
.It tcp Ta log_refused Ta integer Ta yes
.It tcp Ta rstppslimit Ta integer Ta yes
.It tcp Ta ident Ta struct Ta no
.It tcp Ta drop Ta struct Ta no
.It tcp Ta sack.enable Ta integer Ta yes
.It tcp Ta sack.globalholes Ta integer Ta no
.It tcp Ta sack.globalmaxholes Ta integer Ta yes
.It tcp Ta sack.maxholes Ta integer Ta yes
.It tcp Ta ecn.enable Ta integer Ta yes
.It tcp Ta ecn.maxretries Ta integer Ta yes
.It tcp Ta congctl.selected Ta string Ta yes
.It tcp Ta congctl.available Ta string Ta yes
.It tcp Ta abc.enable Ta integer Ta yes
.It tcp Ta abc.aggressive Ta integer Ta yes
.It udp Ta checksum Ta integer Ta yes
.It udp Ta do_loopback_cksum Ta integer Ta yes
.It udp Ta recvspace Ta integer Ta yes
.It udp Ta sendspace Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li arp.nd_delay
The delay in seconds before sending the first probe,
after it has been decided that the entry is stale.
.It Li arp.nd_bmaxtries
The maximum number of broadcasts sent to discover the hardware address
claiming an IP address.
.It Li arp.nd_umaxtries
The maximum number of unicasts sent to the hardware address to ensure
it still claims an IP address.
.It Li arp.nd_basereachable
The number of milliseconds the ARP entry is considered reachable before
probing reachability.
.It Li arp.nd_retrans
The number of milliseconds between ARP probes.
.It Li arp.nd_nud
If set to non-zero, perform Neighbor Unreachability Detection.
.It Li arp.nd_maxnudhint
Neighbor discovery permits upper layer protocols to supply reachability
hints, to avoid unnecessary neighbor discovery exchanges.
The variable defines the number of consecutive hints the neighbor discovery
layer will take.
For example, by setting the variable to 3, the neighbor discovery layer
will take at most 3 consecutive hints.
After receiving 3 hints, the neighbor discovery layer will perform
the normal neighbor discovery process.
.It Li carp.allow
If set to 0, incoming
.Xr carp 4
packets will not be processed.
If set to any other value, processing will occur.
Enabled by default.
.It Li carp.arpbalance
If set to any value other than 0, the ARP balancing functionality of
.Xr carp 4
is enabled.
When ARP requests are received for an IP address which is part of any virtual
host, carp will hash the source IP in the ARP request to select one of the
virtual hosts from the set of all the virtual hosts which have that IP address.
The master of that host will respond with the correct virtual MAC address.
Disabled by default.
.It Li carp.log
If set to any value other than 0,
.Xr carp 4
will log errors.
Disabled by default.
.It Li carp.preempt
If set to 0,
.Xr carp 4
will not attempt to become master if it is receiving advertisements from
another active master.
If set to any other value, carp will become master of the virtual host if it
believes it can send advertisements more frequently than the current master.
Disabled by default.
.It Li ip.allowsrcrt
If set to 1, the host accepts source routed packets.
.It Li ip.anonportalgo.available
The available RFC 6056 port randomization algorithms.
.It Li ip.anonportalgo.reserve
A bitmask of ports that will not be used during anonymous or privileged
port selection.
.It Li ip.anonportalgo.selected
The currently selected RFC 6056 port randomization algorithm; see
.Xr rfc6056 7
for details.
.It Li ip.anonportmax
The highest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535, and must
be greater than
.Li ip.anonportmin .
.It Li ip.anonportmin
The lowest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535.
.It Li ip.checkinterface
If set to non-zero, the host will reject packets addressed to it
that arrive on an interface not bound to that address.
Currently, this must be disabled if NAT is used to translate the
destination address to another local interface, or if addresses
are added to the loopback interface instead of the interface where
the packets for those addresses are received.
.It Li ip.dad_count
The number of
.Xr arp 4
probes sent for Address Conflict Detection.
Set to 0 to disable this.
.It Li ip.directed-broadcast
If set to 1, enables directed broadcast behavior for the host.
.It Li ip.do_loopback_cksum
Perform IP checksum on loopback.
.It Li ip.forwarding
If set to 1, enables IP forwarding for the host,
meaning that the host is acting as a router.
.It Li ip.forwsrcrt
If set to 1, enables forwarding of source-routed packets for the host.
This value may only be changed if the kernel security level is less than 1.
.It Li ip.gifttl
The maximum time-to-live (hop count) value for an IPv4 packet generated by a
.Xr gif 4
tunnel interface.
.It Li ip.grettl
The maximum time-to-live (hop count) value for an IPv4 packet generated by a
.Xr gre 4
tunnel interface.
.It Li ip.hashsize
The size of the IPv4 Fast Forward hash table.
This value must be a power of 2 (64, 256...).
A larger hash table size results in fewer collisions.
Also see
.Li ip.maxflows .
.It Li ip.hostzerobroadcast
The all-zeroes address is a broadcast address.
.It Li ip.lowportmax
The highest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be greater than
.Li ip.lowportmin .
.It Li ip.lowportmin
The lowest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be smaller than
.Li ip.lowportmax .
.It Li ip.maxflows
IPv4 Fast Forwarding is enabled by default.
If set to 0, IPv4 Fast Forwarding is disabled.
.Li ip.maxflows
controls the maximum number of flows which can be created.
The default value is 256.
.It Li ip.maxfragpackets
The maximum number of fragmented packets the node will accept.
0 means that the node will not accept any fragmented packets.
\-1 means that the node will accept as many fragmented packets as it receives.
The variable is provided mainly to avoid possible DoS attacks.
.It Li ip.mtudisc
If set to 1, enables Path MTU Discovery (RFC 1191).
When Path MTU Discovery is enabled, the transmitted TCP segment
size will be determined by the advertised maximum segment size
(MSS) from the remote end, as constrained by the path MTU.
If MTU Discovery is disabled, the transmitted segment size will
never be greater than
.Li tcp.mssdflt
(the local maximum segment size).
.It Li ip.mtudisctimeout
The number of seconds in which a route added by the Path MTU
Discovery engine will time out.
When the route times out, the Path
MTU Discovery engine will attempt to probe a larger path MTU.
.It Li ip.random_id
Assign random ip_id values.
.It Li ip.redirect
If set to 1, ICMP redirects may be sent by the host.
This option is ignored unless the host is routing IP packets,
and should normally be enabled on all systems.
.It Li ip.subnetsarelocal
If set to 1, subnets are to be considered local addresses.
.It Li ip.ttl
The maximum time-to-live (hop count) value for an IP packet sourced by
the system.
This value applies to normal transport protocols, not to ICMP.
.It Li icmp.errppslimit
The variable specifies the maximum number of outgoing ICMP error messages,
per second.
ICMP error messages that exceed the value are subject to rate limitation
and will not go out from the node.
A negative value disables rate limitation.
.It Li icmp.maskrepl
If set to 1, ICMP network mask requests are to be answered.
.It Li icmp.rediraccept
If set to non-zero, the host will accept ICMP redirect packets.
Note that routers will never accept ICMP redirect packets,
and the variable is meaningful on IP hosts only.
.It Li icmp.redirtimeout
The variable specifies the lifetime of routing entries generated by incoming
ICMP redirects.
This defaults to 600 seconds.
.It Li icmp.returndatabytes
Number of bytes to return in an ICMP error message.
.It Li icmp.bmcastecho
If set to 1, enables responding to ICMP echo or timestamp request to the
broadcast address.
.It Li icmp.dynamic_rt_msg
A boolean that controls whether the kernel sends a routing message for RTM_DYNAMIC.
If set to true, such routing messages are sent.
.It Li tcp.ack_on_push
If set to 1, TCP is to immediately transmit an ACK upon reception of
a packet with PUSH set.
This can avoid losing a round trip time in some rare situations,
but has the caveat of potentially defeating TCP's delayed ACK algorithm.
Use of this option is generally not recommended, but
the variable exists in case your configuration really needs it.
.It Li tcp.cwm
If set to 1, enables use of the Hughes/Touch/Heidemann Congestion Window
Monitoring algorithm.
This algorithm prevents line-rate bursts of packets that could
otherwise occur when data begins flowing on an idle TCP connection.
These line-rate bursts can contribute to network and router congestion.
This can be particularly useful on World Wide Web servers
which support HTTP/1.1, which has lingering connections.
.It Li tcp.cwm_burstsize
The Congestion Window Monitoring allowed burst size, in terms
of packet count.
.It Li tcp.delack_ticks
Number of ticks to delay sending an ACK.
.It Li tcp.do_loopback_cksum
Perform TCP checksum on loopback.
.It Li tcp.init_win
A value indicating the TCP initial congestion window.
The valid range
is 0 to 10 (maximum specified by RFC6928),
with a default of 4 (approximately 4K per RFC3390).
.It Li tcp.init_win_local
Like
.Li tcp.init_win ,
but used when communicating with hosts on a local network.
.It Li tcp.keepcnt
Number of keepalive probes sent before declaring a connection dead.
If set to zero, there is no limit;
keepalives will be sent until some kind of
response is received from the peer.
.It Li tcp.keepidle
Time a connection must be idle before keepalives are sent (if keepalives
are enabled for the connection).
See also tcp.slowhz.
.It Li tcp.keepintvl
Time after a keepalive probe is sent until, in the absence of any response,
another probe is sent.
See also tcp.slowhz.
.It Li tcp.log_refused
If set to 1, refused TCP connections to the host will be logged.
.It Li tcp.keepinit
Timeout in seconds during connection establishment.
.It Li tcp.mss_ifmtu
If set to 1, TCP calculates the outgoing maximum segment size based on
the MTU of the appropriate interface.
If set to 0, it is calculated based on the greater of the MTU of the
interface, and the largest (non-loopback) interface MTU on the system.
.It Li tcp.mssdflt
The default maximum segment size both advertised to the peer
and to use when either the peer does not advertise a maximum segment size to
us during connection setup or Path MTU Discovery
.Li ( ip.mtudisc )
is disabled.
Do not change this value unless you really know what you are doing.
.It Li tcp.recvspace
The default TCP receive buffer size.
.It Li tcp.rfc1323
If set to 1, enables RFC 1323 extensions to TCP.
.It Li tcp.rstppslimit
The variable specifies the maximum number of outgoing TCP RST packets,
per second.
TCP RST packets that exceed the value are subject to rate limitation
and will not go out from the node.
A negative value disables rate limitation.
.It Li tcp.ident
Return the user ID of a connected socket pair.
(RFC1413 Identification Protocol lookups.)
.It Li tcp.drop
Drop a TCP socket pair connection.
.It Li tcp.sack.enable
If set to 1, enables RFC 2018 Selective ACKnowledgement.
.It Li tcp.sack.globalholes
Global number of TCP SACK holes.
.It Li tcp.sack.globalmaxholes
Global maximum number of TCP SACK holes.
.It Li tcp.sack.maxholes
Maximum number of TCP SACK holes allowed per connection.
.It Li tcp.ecn.enable
If set to 1, enables RFC 3168 Explicit Congestion Notification.
.It Li tcp.ecn.maxretries
Number of times to retry sending the ECN-setup packet.
.It Li tcp.sendspace
The default TCP send buffer size.
.It Li tcp.slowhz
The units for tcp.keepidle and tcp.keepintvl; those variables are in ticks
of a clock that ticks tcp.slowhz times per second.
(That is, their values
must be divided by the tcp.slowhz value to get times in seconds.)
.It Li tcp.syn_bucket_limit
The maximum number of entries allowed per hash bucket in the TCP
compressed state engine.
.It Li tcp.syn_cache_limit
The maximum number of entries allowed in the TCP compressed state
engine.
.It Li tcp.timestamps
If rfc1323 is enabled, a value of 1 indicates RFC 1323 time stamp options,
used for measuring TCP round trip times, are enabled.
.It Li tcp.win_scale
If rfc1323 is enabled, a value of 1 indicates RFC 1323 window scale options,
for increasing the TCP window size, are enabled.
.It Li tcp.congctl.available
The available TCP congestion control algorithms.
.It Li tcp.congctl.selected
The currently selected TCP congestion control algorithm.
.It Li tcp.abc.enable
If set to 1, use RFC 3465 Appropriate Byte Counting (ABC).
If set to 0, use traditional Packet Counting.
.It Li tcp.abc.aggressive
Choose the L parameter found in RFC 3465.
L is the maximum cwnd increase for an ack during slow start.
If set to 1, use L=2*SMSS.
If set to 0, use L=1*SMSS.
It has no effect unless tcp.abc.enable is set to 1.
.It Li udp.checksum
If set to 1, UDP checksums are being computed.
Received non-zero UDP checksums are always checked.
Disabling UDP checksums is strongly discouraged.
.It Li udp.recvspace
The default UDP receive buffer size.
.It Li udp.sendspace
The default UDP send buffer size.
.El
.Pp
For variables net.*.ipsec, please refer to
.Xr ipsec 4 .
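.Pp
The limits stated for the net.inet variables above can be checked before a configuration is loaded.
The following is an added example, not part of the NetBSD manual or tools: a /bin/sh function (the name audit_sysctl_conf and the sample values are assumptions made here) that lints sysctl.conf-style name=value lines against those limits and converts tcp.keepidle from ticks to seconds.

```shell
#!/bin/sh
# Added example (not NetBSD code): lint sysctl.conf-style settings against the
# limits stated in the net.inet variable descriptions of sysctl(7).

# Constructed sample input; the values are chosen to trigger the checks.
SAMPLE_CONF='# constructed sample, not taken from a real host
net.inet.ip.hashsize=96
net.inet.ip.lowportmin=600
net.inet.ip.lowportmax=512
net.inet.ip.maxfragpackets=-1
net.inet.icmp.errppslimit=-1
net.inet.tcp.rstppslimit = 100
net.inet.tcp.init_win=16
net.inet.tcp.slowhz=2
net.inet.tcp.keepidle=14400
net.inet.tcp.keepcnt=0
net.inet.udp.checksum=0'

# audit_sysctl_conf (hypothetical name): read "name=value" lines on stdin,
# print one finding per line; status 2 on any ERROR, 1 on WARN only, else 0.
audit_sysctl_conf() {
    awk '
    function note(level, name, msg) {
        printf "%s %s: %s\n", level, name, msg
        cnt[level]++
    }
    function has(name) { return (name in val) }
    function num(name) { return val[name] + 0 }   # force numeric comparison
    function ispow2(x) {
        if (x < 1) return 0
        while (x % 2 == 0) x = x / 2
        return (x == 1)
    }
    function range(name, lo, hi) {
        if (has(name) && (num(name) < lo || num(name) > hi))
            note("ERROR", name, "value " val[name] " is outside " lo ".." hi)
    }
    function ratelimit(name) {
        if (has(name) && num(name) < 0)
            note("WARN", name, "negative value disables rate limitation")
    }
    /^[ \t]*#/ { next }                        # comment line
    /^[ \t]*$/ { next }                        # blank line
    {
        eq = index($0, "=")
        if (eq == 0) next
        name = substr($0, 1, eq - 1)
        value = substr($0, eq + 1)
        gsub(/[ \t]/, "", name)
        gsub(/[ \t]/, "", value)
        if (value !~ /^-?[0-9]+$/) next        # only integer settings are checked
        val[name] = value
    }
    END {
        p = "net.inet."
        # ip.hashsize must be a power of 2
        if (has(p "ip.hashsize") && !ispow2(num(p "ip.hashsize")))
            note("ERROR", p "ip.hashsize",
                 "value " val[p "ip.hashsize"] " is not a power of 2")
        # reserved ports: each bound within 0..1024, lowportmax above lowportmin
        range(p "ip.lowportmin", 0, 1024)
        range(p "ip.lowportmax", 0, 1024)
        if (has(p "ip.lowportmin") && has(p "ip.lowportmax") &&
            num(p "ip.lowportmax") <= num(p "ip.lowportmin"))
            note("ERROR", p "ip.lowportmax",
                 "must be greater than " p "ip.lowportmin")
        # tcp.init_win: the valid range is 0 to 10
        range(p "tcp.init_win", 0, 10)
        # -1 removes the fragment limit that exists to avoid DoS
        if (has(p "ip.maxfragpackets") && num(p "ip.maxfragpackets") == -1)
            note("WARN", p "ip.maxfragpackets",
                 "-1 accepts as many fragmented packets as are received")
        ratelimit(p "icmp.errppslimit")
        ratelimit(p "tcp.rstppslimit")
        if (has(p "udp.checksum") && num(p "udp.checksum") == 0)
            note("WARN", p "udp.checksum",
                 "disabling UDP checksums is strongly discouraged")
        if (has(p "tcp.keepcnt") && num(p "tcp.keepcnt") == 0)
            note("INFO", p "tcp.keepcnt", "0 means keepalives are sent without limit")
        # keepidle is counted in ticks of a clock running tcp.slowhz times a second
        if (has(p "tcp.keepidle")) {
            if (has(p "tcp.slowhz") && num(p "tcp.slowhz") > 0)
                note("INFO", p "tcp.keepidle", val[p "tcp.keepidle"] " ticks = " \
                     int(num(p "tcp.keepidle") / num(p "tcp.slowhz")) \
                     " s at tcp.slowhz " val[p "tcp.slowhz"])
            else
                note("INFO", p "tcp.keepidle",
                     "value is in ticks; divide by tcp.slowhz to get seconds")
        }
        if (cnt["ERROR"] > 0) exit 2
        if (cnt["WARN"] > 0) exit 1
    }
    '
}

# Demonstration run on the constructed sample.
printf '%s\n' "$SAMPLE_CONF" | audit_sysctl_conf || echo "audit exit status: $?"
```

The same function accepts the "name = value" form, so output captured from a running host can be checked against the same limits.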
.It Li net.inet6 ( Dv PF_INET6 )
Get or set various global information about the IPv6
.Pq Internet Protocol version 6 .
The third level name is the protocol.
The fourth level name is the variable name.
The currently defined protocols and names are:
.Bl -column "Protocol" "anonportalgo.available" "integer" "Changeable" -offset indent
.It Sy Protocol Ta Sy Variable Ta Sy Type Ta Sy Changeable
.It icmp6 Ta errppslimit Ta integer Ta yes
.It icmp6 Ta mtudisc_hiwat Ta integer Ta yes
.It icmp6 Ta mtudisc_lowat Ta integer Ta yes
.It icmp6 Ta nd6_debug Ta integer Ta yes
.It icmp6 Ta nd6_delay Ta integer Ta yes
.It icmp6 Ta nd6_maxnudhint Ta integer Ta yes
.It icmp6 Ta nd6_mmaxtries Ta integer Ta yes
.It icmp6 Ta nd6_prune Ta integer Ta yes
.It icmp6 Ta nd6_umaxtries Ta integer Ta yes
.It icmp6 Ta nd6_useloopback Ta integer Ta yes
.It icmp6 Ta nodeinfo Ta integer Ta yes
.It icmp6 Ta rediraccept Ta integer Ta yes
.It icmp6 Ta redirtimeout Ta integer Ta yes
.It icmp6 Ta reflect_pmtu Ta boolean Ta yes
.It icmp6 Ta dynamic_rt_msg Ta boolean Ta yes
.It ip6 Ta accept_rtadv Ta integer Ta yes
.It ip6 Ta addctlpolicy Ta struct in6_addrpolicy Ta no
.It ip6 Ta anonportalgo.selected Ta string Ta yes
.It ip6 Ta anonportalgo.available Ta string Ta yes
.It ip6 Ta anonportalgo.reserve Ta struct Ta yes
.It ip6 Ta anonportmax Ta integer Ta yes
.It ip6 Ta anonportmin Ta integer Ta yes
.It ip6 Ta auto_flowlabel Ta integer Ta yes
.It ip6 Ta dad_count Ta integer Ta yes
.It ip6 Ta defmcasthlim Ta integer Ta yes
.It ip6 Ta forwarding Ta integer Ta yes
.It ip6 Ta gifhlim Ta integer Ta yes
.It ip6 Ta hashsize Ta integer Ta yes
.It ip6 Ta hlim Ta integer Ta yes
.It ip6 Ta hdrnestlimit Ta integer Ta yes
.It ip6 Ta kame_version Ta string Ta no
.It ip6 Ta keepfaith Ta integer Ta yes
.It ip6 Ta log_interval Ta integer Ta yes
.It ip6 Ta lowportmax Ta integer Ta yes
.It ip6 Ta lowportmin Ta integer Ta yes
.It ip6 Ta maxdynroutes Ta integer Ta yes
.It ip6 Ta maxifprefixes Ta integer Ta yes
.It ip6 Ta maxifdefrouters Ta integer Ta yes
.It ip6 Ta maxflows Ta integer Ta yes
.It ip6 Ta maxfragpackets Ta integer Ta yes
.It ip6 Ta maxfrags Ta integer Ta yes
.It ip6 Ta neighborgcthresh Ta integer Ta yes
.It ip6 Ta param_rt_msg Ta integer Ta yes
.It ip6 Ta redirect Ta integer Ta yes
.It ip6 Ta rr_prune Ta integer Ta yes
.It ip6 Ta use_deprecated Ta integer Ta yes
.It ip6 Ta v6only Ta integer Ta yes
.It udp6 Ta do_loopback_cksum Ta integer Ta yes
.It udp6 Ta recvspace Ta integer Ta yes
.It udp6 Ta sendspace Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li ip6.accept_rtadv
If set to non-zero, the node will accept ICMPv6 router advertisement packets
and autoconfigures address prefixes and default routers.
The node must be a host
.Pq not a router
for the option to be meaningful.
.It Li ip6.anonportalgo.available
The available RFC 6056 port randomization algorithms.
.It Li ip6.anonportalgo.reserve
A bitmask of ports that will not be used during anonymous or privileged
port selection.
.It Li ip6.anonportalgo.selected
The currently selected RFC 6056 port randomization algorithm; see
.Xr rfc6056 7
for details.
.It Li ip6.anonportmax
The highest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535, and must
be greater than
.Li ip6.anonportmin .
.It Li ip6.anonportmin
The lowest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535.
.It Li ip6.auto_flowlabel
On connected transport protocol packets,
fill IPv6 flowlabel field to help intermediate routers to identify packet flows.
.It Li ip6.dad_count
The variable configures number of IPv6 DAD
.Pq duplicated address detection
probe packets.
The packets will be generated when IPv6 interface addresses are configured.
.It Li ip6.defmcasthlim
The default hop limit value for an IPv6 multicast packet sourced by the node.
This value applies to all the transport protocols on top of IPv6.
There are APIs to override the value, as documented in
.Xr ip6 4 .
.It Li ip6.forwarding
If set to 1, enables IPv6 forwarding for the node,
meaning that the node is acting as a router.
If set to 0, disables IPv6 forwarding for the node,
meaning that the node is acting as a host.
IPv6 specification defines node behavior for
.Dq router
case and
.Dq host
case quite differently, and changing this variable during operation
may cause serious trouble.
It is recommended to configure the variable at bootstrap time,
and bootstrap time only.
.It Li ip6.gifhlim
The maximum hop limit value for an IPv6 packet generated by
.Xr gif 4
tunnel interface.
.It Li ip6.hdrnestlimit
The number of IPv6 extension headers permitted on incoming IPv6 packets.
If set to 0, the node will accept as many extension headers as possible.
.It Li ip6.hashsize
The size of IPv6 Fast Forward hash table.
This value must be a power of 2 (64, 256, ...).
A larger hash table size results in fewer collisions.
Also see
.Li ip6.maxflows .
.It Li ip6.hlim
The default hop limit value for an IPv6 unicast packet sourced by the node.
This value applies to all the transport protocols on top of IPv6.
There are APIs to override the value, as documented in
.Xr ip6 4 .
.It Li ip6.kame_version
The string identifies the version of KAME IPv6 stack implemented in the kernel.
.It Li ip6.keepfaith
If set to non-zero, it enables
.Dq FAITH
TCP relay IPv6-to-IPv4 translator code in the kernel.
Refer to
.Xr faith 4
and
.Xr faithd 8
for details.
.It Li ip6.log_interval
The variable controls the amount of logs generated by the IPv6 packet
forwarding engine, by setting the interval between log output
.Pq in seconds .
.It Li ip6.lowportmax
The highest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be greater than
.Li ip6.lowportmin .
.It Li ip6.lowportmin
The lowest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be smaller than
.Li ip6.lowportmax .
.It Li ip6.maxdynroutes
Maximum number of routes created by redirect.
Set it to negative to disable.
The default value is 4096.
.It Li ip6.maxifprefixes
Maximum number of prefixes created by route advertisements per interface.
Set it to negative to disable.
The default value is 16.
.It Li ip6.maxifdefrouters
Maximum number of default routers created by route advertisements per interface.
Set it to negative to disable.
The default value is 16.
.It Li ip6.maxflows
IPv6 Fast Forwarding is enabled by default.
If set to 0, IPv6 Fast Forwarding is disabled.
.Li ip6.maxflows
controls the maximum amount of flows which can be created.
The default value is 256.
.It Li ip6.maxfragpackets
The maximum number of fragmented packets the node will accept.
0 means that the node will not accept any fragmented packets.
\-1 means that the node will accept as many fragmented packets as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip6.maxfrags
The maximum number of fragments the node will accept.
0 means that the node will not accept any fragments.
\-1 means that the node will accept as many fragments as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip6.neighborgcthresh
Maximum number of entries in neighbor cache per interface.
Set to negative to disable.
The default value is 2048.
.It Li ip6.param_rt_msg
If set to 0, parameter changing routing message is suppressed.
If set to 1, parameter changing routing message is sent by RTM_NEWADDR.
Other values are not yet defined.
.It Li ip6.redirect
If set to 1, ICMPv6 redirects may be sent by the node.
This option is ignored unless the node is routing IP packets,
and should normally be enabled on all systems.
.It Li ip6.rr_prune
The variable specifies the interval between IPv6 router renumbering prefix
babysitting, in seconds.
.It Li ip6.use_deprecated
The variable controls use of deprecated address, specified in RFC 2462 5.5.4.
.It Li ip6.v6only
The variable specifies the initial value for
.Dv IPV6_V6ONLY
socket option for
.Dv AF_INET6
socket.
Please refer to
.Xr ip6 4
for details.
.It Li icmp6.errppslimit
The variable specifies the maximum number of outgoing ICMPv6 error messages,
per second.
ICMPv6 error messages that exceed the value are subject to rate limitation
and will not go out from the node.
A negative value disables rate limitation.
.It Li icmp6.mtudisc_hiwat
.It Li icmp6.mtudisc_lowat
The variables define the maximum number of routing table entries,
created due to path MTU discovery
.Pq prevents denial-of-service attacks with ICMPv6 too big messages .
When IPv6 path MTU discovery happens, we keep path MTU information in
the routing table.
If the number of routing table entries exceeds the value,
the kernel will not attempt to keep the path MTU information.
.Li icmp6.mtudisc_hiwat
is used when we have verified ICMPv6 too big messages.
.Li icmp6.mtudisc_lowat
is used when we have unverified ICMPv6 too big messages.
Verification is performed by using address/port pairs kept in connected pcbs.
A negative value disables the upper limit.
.It Li icmp6.nd6_debug
If set to non-zero, kernel IPv6 neighbor discovery code will generate
debugging messages.
The debug outputs are useful to diagnose IPv6 interoperability issues.
The flag must be set to 0 for normal operation.
.It Li icmp6.nd6_delay
The variable specifies
.Dv DELAY_FIRST_PROBE_TIME
timing constant in IPv6 neighbor discovery specification
.Pq RFC 2461 ,
in seconds.
.It Li icmp6.nd6_maxnudhint
Neighbor discovery permits upper layer protocols to supply reachability
hints, to avoid unnecessary neighbor discovery exchanges.
The variable defines the number of consecutive hints the neighbor discovery
layer will take.
For example, by setting the variable to 3, neighbor discovery layer
will take 3 consecutive hints in maximum.
After receiving 3 hints, neighbor discovery layer will perform
normal neighbor discovery process.
.It Li icmp6.nd6_mmaxtries
The variable specifies
.Dv MAX_MULTICAST_SOLICIT
constant in IPv6 neighbor discovery specification
.Pq RFC 2461 .
.It Li icmp6.nd6_prune
The variable specifies interval between IPv6 neighbor cache babysitting,
in seconds.
.It Li icmp6.nd6_umaxtries
The variable specifies
.Dv MAX_UNICAST_SOLICIT
constant in IPv6 neighbor discovery specification
.Pq RFC 2461 .
.It Li icmp6.nd6_useloopback
If set to non-zero, kernel IPv6 stack will use loopback interface for
local traffic.
.It Li icmp6.nodeinfo
The variable enables responses to ICMPv6 node information queries.
If you set the variable to 0, responses will not be generated for
ICMPv6 node information queries.
Since node information queries can have a security impact, it is
possible to fine tune which responses should be answered.
Two separate bits can be set.
.Bl -tag -width "12345"
.It 1
Respond to ICMPv6 FQDN queries, e.g.
.Li ping6 -w .
.It 2
Respond to ICMPv6 node addresses queries, e.g.
.Li ping6 -a .
.El
.It Li icmp6.rediraccept
If set to non-zero, the host will accept ICMPv6 redirect packets.
Note that IPv6 routers will never accept ICMPv6 redirect packets,
and the variable is meaningful on IPv6 hosts
.Pq non-router
only.
.It Li icmp6.redirtimeout
The variable specifies the lifetime of routing entries generated by incoming
ICMPv6 redirects.
.It Li icmp6.reflect_pmtu
A boolean that controls whether ICMPv6 reflecting uses path MTU discovery.
When it does not, ICMPv6 reflecting uses IPV6_MINMTU.
.It Li icmp6.dynamic_rt_msg
A boolean that controls whether the kernel sends a routing message for RTM_DYNAMIC.
If set to true, such routing messages are sent.
.It Li udp6.do_loopback_cksum
Perform UDP checksum on loopback.
.It Li udp6.recvspace
Default UDP receive buffer size.
.It Li udp6.sendspace
Default UDP send buffer size.
.El
.Pp
Variables net.inet6.tcp6.* and net.inet6.udp6.* have identical meanings to
net.inet.tcp.* and net.inet.udp.*, respectively.
Please refer to
.Li PF_INET
section above.
For variables net.*.ipsec6, please refer to
.Xr ipsec 4 .
.It Li net.key ( Dv PF_KEY )
Get or set various global information about the IPsec key management.
The third level name is the variable name.
The currently defined variable and names are:
.Bl -column "blockacq_lifetime" "integer" "Changeable" -offset indent
.It Sy Variable Ta Sy Type Ta Sy Changeable
.It debug Ta integer Ta yes
.It enabled Ta integer Ta yes
.It used Ta integer Ta no
.It spi_try Ta integer Ta yes
.It spi_min_value Ta integer Ta yes
.It spi_max_value Ta integer Ta yes
.It larval_lifetime Ta integer Ta yes
.It blockacq_count Ta integer Ta yes
.It blockacq_lifetime Ta integer Ta yes
.It esp_keymin Ta integer Ta yes
.It esp_auth Ta integer Ta yes
.It ah_keymin Ta integer Ta yes
.It allow_different_idtype Ta boolean Ta yes
.El
The variables are as follows:
.Bl -tag -width "123456"
.It Li debug
Turn on debugging message from within the kernel.
The value is a bitmap, as defined in
.In netipsec/key_debug.h .
.It Li enabled
Control processing of IPsec control messages.
.Bl -tag -width indent
.It 0
Never allow IPsec processing.
.It 1
Allow IPsec processing when SPD policies are present.
.It 2
Force IPsec processing even when SPD policies are not present.
.El
.It Li used
Based on if IPsec is enabled, and SPD rule existence, show if
IPsec is being used.
Note that currently once IPsec is being used, it cannot be disabled.
.It Li spi_try
The number of times the kernel will try to obtain a unique SPI
when it generates it from the random number generator.
.It Li spi_min_value
Minimum SPI value when generating it within the kernel.
.It Li spi_max_value
Maximum SPI value when generating it within the kernel.
.It Li larval_lifetime
Lifetime for LARVAL SAD entries, in seconds.
.It Li blockacq_count
Number of ACQUIRE PF_KEY messages to be blocked after an ACQUIRE message.
It avoids a flood of ACQUIRE PF_KEY messages being sent from the kernel to the
key management daemon.
.It Li blockacq_lifetime
Lifetime of ACQUIRE PF_KEY message.
.It Li esp_keymin
Minimum ESP key length, in bits.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.It Li esp_auth
Whether ESP authentication should be used or not.
Non-zero value indicates that ESP authentication should be used.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.It Li ah_keymin
Minimum AH key length, in bits.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.It Li allow_different_idtype
A boolean that allows or disallows different identifier types
on IDii and IDir.
Allowing that can improve interconnectivity to some VPN appliances.
.El
.It Li net.local ( Dv PF_LOCAL )
Get or set various global information about
.Dv AF_LOCAL
type sockets.
For some variables, the third level name is the variable name:
.Bl -column "Variable" "integer" "Changeable" -offset indent
.It Sy Variable Ta Sy Type Ta Sy Changeable
.It inflight Ta integer Ta no
.It deferred Ta integer Ta no
.El
The variables are as follows:
.Bl -tag -width "123456"
.It Li inflight
The number of file descriptors currently passed between processes,
.Qq in flight .
.It Li deferred
The number of file descriptors passed between processes that have been
deferred for cleanup by a kernel task.
.El
.Pp
Other variables are specific to a socket type:
.Bl -column "seqpacket" "sendspace" "integer" "Changeable" -offset indent
.It Sy "Socket Type" Ta Sy Variable Ta Sy Type Ta Sy Changeable
.It dgram Ta pcblist Ta struct Ta no
.It dgram Ta recvspace Ta integer Ta yes
.It dgram Ta sendspace Ta integer Ta yes
.It seqpacket Ta pcblist Ta struct Ta no
.It stream Ta pcblist Ta struct Ta no
.It stream Ta recvspace Ta integer Ta yes
.It stream Ta sendspace Ta integer Ta yes
.El
The variables are as follows:
.Bl -tag -width "123456"
.It Li dgram.pcblist
The Protocol Control Block list structure for datagram sockets.
Parsed by
.Xr netstat 1
or
.Xr sockstat 1 .
.It Li dgram.recvspace
The default datagram receive buffer size.
.It Li dgram.sendspace
The default datagram send buffer size.
.It Li seqpacket.pcblist
The Protocol Control Block list structure for Sequential Packet sockets.
Parsed by
.Xr netstat 1
or
.Xr sockstat 1 .
.It Li stream.pcblist
The Protocol Control Block list structure for stream sockets.
Parsed by
.Xr netstat 1
or
.Xr sockstat 1 .
.It Li stream.recvspace
The default stream receive buffer size.
.It Li stream.sendspace
The default stream send buffer size.
.El
.El
.Ss The proc.* subtree
The string and integer information available for the
.Li proc
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
These values are per-process,
and as such may change from one process to another.
When a process is created,
the default values are inherited from its parent.
When a set-user-ID or set-group-ID binary is executed, the
value of PROC_PID_CORENAME is reset to the system default value.
The second level name is either the magic value PROC_CURPROC, which
points to the current process, or the PID of the target process.
.Bl -column "proc.pid.corename" "string" "not applicable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It proc.pid.corename Ta string Ta yes
.It proc.pid.rlimit Ta node Ta not applicable
.It proc.pid.stopfork Ta int Ta yes
.It proc.pid.stopexec Ta int Ta yes
.It proc.pid.stopexit Ta int Ta yes
.It proc.pid.paxflags Ta int Ta no
.El
.Bl -tag -width "123456"
.It Li proc.pid.corename ( Dv PROC_PID_CORENAME )
The template used for the core dump file name (see
.Xr core 5
for details).
The base name must either be
.Pa core
or end with the suffix
.Pa .core
(the super-user may set arbitrary names).
By default it points to
.Dv KERN_DEFCORENAME .
.It Li proc.pid.rlimit ( Dv PROC_PID_LIMIT )
Return resource limits, as defined for the
.Xr getrlimit 2
and
.Xr setrlimit 2
system calls.
The fourth level name is one of:
.Bl -tag -width "123456"
.It Li proc.pid.rlimit.cputime ( Dv PROC_PID_LIMIT_CPU )
The maximum amount of CPU time (in seconds) to be used by each process.
.It Li proc.pid.rlimit.filesize ( Dv PROC_PID_LIMIT_FSIZE )
The largest size (in bytes) file that may be created.
.It Li proc.pid.rlimit.datasize ( Dv PROC_PID_LIMIT_DATA )
The maximum size (in bytes) of the data segment for a process;
this defines how far a program may extend its break with the
.Xr sbrk 2
system call.
.It Li proc.pid.rlimit.stacksize ( Dv PROC_PID_LIMIT_STACK )
The maximum size (in bytes) of the stack segment for a process;
this defines how far a program's stack segment may be extended.
Stack extension is performed automatically by the system.
.It Li proc.pid.rlimit.coredumpsize ( Dv PROC_PID_LIMIT_CORE )
The largest size (in bytes)
.Pa core
file that may be created.
.It Li proc.pid.rlimit.memoryuse ( Dv PROC_PID_LIMIT_RSS )
The maximum size (in bytes) to which a process's resident set size may
grow.
This imposes a limit on the amount of physical memory to be given to
a process; if memory is tight, the system will prefer to take memory
from processes that are exceeding their declared resident set size.
.It Li proc.pid.rlimit.memorylocked ( Dv PROC_PID_LIMIT_MEMLOCK )
The maximum size (in bytes) which a process may lock into memory
using the
.Xr mlock 2
function.
.It Li proc.pid.rlimit.maxproc ( Dv PROC_PID_LIMIT_NPROC )
The maximum number of simultaneous processes for this user id.
.It Li proc.pid.rlimit.descriptors ( Dv PROC_PID_LIMIT_NOFILE )
The maximum number of open files for this process.
.It Li proc.pid.rlimit.sbsize ( Dv PROC_PID_LIMIT_SBSIZE )
The maximum size (in bytes) of the socket buffers
set by the
.Xr setsockopt 2
.Dv SO_RCVBUF
and
.Dv SO_SNDBUF
options.
.It Li proc.pid.rlimit.vmemoryuse ( Dv PROC_PID_LIMIT_AS )
The maximum size (in bytes) which a process can obtain.
.It Li proc.pid.rlimit.maxlwp ( Dv PROC_PID_LIMIT_NTHR )
The maximum number of threads that can be created and running at one time in
the process.
The first thread of each process is not counted against this.
.El
.Pp
The fifth level name is one of
.Li soft ( Dv PROC_PID_LIMIT_TYPE_SOFT )
or
.Li hard ( Dv PROC_PID_LIMIT_TYPE_HARD ) ,
to select respectively the soft or hard limit.
Both are of type integer.
.It Li proc.pid.stopfork ( Dv PROC_PID_STOPFORK )
If non-zero, the process' children will be stopped after
.Xr fork 2
calls.
The children are created in the SSTOP state and are never scheduled
for running before being stopped.
This feature enables attaching to a process with a debugger such as
.Xr gdb 1
before the process has the opportunity to actually do anything.
.Pp
This value is inherited by the process's children, and it also
applies to emulation specific system calls that fork a new process, such as
.Fn sproc
or
.Fn clone .
.It Li proc.pid.stopexec ( Dv PROC_PID_STOPEXEC )
If non-zero, the process will be stopped on the next
.Xr exec 3
call.
The process created by
.Xr exec 3
is created in the SSTOP state and is never scheduled for running
before being stopped.
This feature enables attaching to a process with a debugger such as
.Xr gdb 1
before the process has the opportunity to actually do anything.
.Pp
This value is inherited by the process's children.
.It Li proc.pid.stopexit ( Dv PROC_PID_STOPEXIT )
If non-zero, the process will be stopped when it has cause to exit,
either by way of calling
.Xr exit 3 ,
.Xr _exit 2 ,
or by the receipt of a specific signal.
The process is stopped before any of its resources or vm space is
released allowing examination of the termination state of the process
before it disappears.
This feature can be used to examine the final conditions of the
process's vmspace via
.Xr pmap 1
or its resource settings with
.Xr sysctl 8
before it disappears.
.Pp
This value is also inherited by the process's children.
.It Li proc.pid.paxflags ( Dv PROC_PID_PAXFLAGS )
This read-only variable returns the current value of the process's pax
flags (see
.Xr paxctl 8 ) .
.El
.Ss The user.* subtree ( Dv CTL_USER )
The string and integer information available for the
.Li user
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "user.coll_weights_max" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It user.atexit_max Ta integer Ta no
.It user.bc_base_max Ta integer Ta no
.It user.bc_dim_max Ta integer Ta no
.It user.bc_scale_max Ta integer Ta no
.It user.bc_string_max Ta integer Ta no
.It user.coll_weights_max Ta integer Ta no
.It user.cs_path Ta string Ta no
.It user.expr_nest_max Ta integer Ta no
.It user.line_max Ta integer Ta no
.It user.posix2_c_bind Ta integer Ta no
.It user.posix2_c_dev Ta integer Ta no
.It user.posix2_char_term Ta integer Ta no
.It user.posix2_fort_dev Ta integer Ta no
.It user.posix2_fort_run Ta integer Ta no
.It user.posix2_localedef Ta integer Ta no
.It user.posix2_sw_dev Ta integer Ta no
.It user.posix2_upe Ta integer Ta no
.It user.posix2_version Ta integer Ta no
.It user.re_dup_max Ta integer Ta no
.It user.stream_max Ta integer Ta no
.It user.tzname_max Ta integer Ta no
.El
.Bl -tag -width "123456"
.It Li user.atexit_max ( Dv USER_ATEXIT_MAX )
The maximum number of functions that may be registered with
.Xr atexit 3 .
.It Li user.bc_base_max ( Dv USER_BC_BASE_MAX )
The maximum ibase/obase values in the
.Xr bc 1
utility.
.It Li user.bc_dim_max ( Dv USER_BC_DIM_MAX )
The maximum array size in the
.Xr bc 1
utility.
.It Li user.bc_scale_max ( Dv USER_BC_SCALE_MAX )
The maximum scale value in the
.Xr bc 1
utility.
.It Li user.bc_string_max ( Dv USER_BC_STRING_MAX )
The maximum string length in the
.Xr bc 1
utility.
.It Li user.coll_weights_max ( Dv USER_COLL_WEIGHTS_MAX )
The maximum number of weights that can be assigned to any entry of
the LC_COLLATE order keyword in the locale definition file.
.It Li user.cs_path ( Dv USER_CS_PATH )
Return a value for the
.Ev PATH
environment variable that finds all the standard utilities.
.It Li user.expr_nest_max ( Dv USER_EXPR_NEST_MAX )
The maximum number of expressions that can be nested within
parentheses by the
.Xr expr 1
utility.
.It Li user.line_max ( Dv USER_LINE_MAX )
The maximum length in bytes of a text-processing utility's input
line.
.It Li user.posix2_char_term ( Dv USER_POSIX2_CHAR_TERM )
Return 1 if the system supports at least one terminal type capable of
all operations described in
.St -p1003.2 ,
otherwise\ 0.
.It Li user.posix2_c_bind ( Dv USER_POSIX2_C_BIND )
Return 1 if the system's C-language development facilities support the
C-Language Bindings Option, otherwise\ 0.
.It Li user.posix2_c_dev ( Dv USER_POSIX2_C_DEV )
Return 1 if the system supports the C-Language Development Utilities Option,
otherwise\ 0.
.It Li user.posix2_fort_dev ( Dv USER_POSIX2_FORT_DEV )
Return 1 if the system supports the FORTRAN Development Utilities Option,
otherwise\ 0.
.It Li user.posix2_fort_run ( Dv USER_POSIX2_FORT_RUN )
Return 1 if the system supports the FORTRAN Runtime Utilities Option,
otherwise\ 0.
.It Li user.posix2_localedef ( Dv USER_POSIX2_LOCALEDEF )
Return 1 if the system supports the creation of locales, otherwise\ 0.
.It Li user.posix2_sw_dev ( Dv USER_POSIX2_SW_DEV )
Return 1 if the system supports the Software Development Utilities Option,
otherwise\ 0.
.It Li user.posix2_upe ( Dv USER_POSIX2_UPE )
Return 1 if the system supports the User Portability Utilities Option,
otherwise\ 0.
.It Li user.posix2_version ( Dv USER_POSIX2_VERSION )
The version of
.St -p1003.2
with which the system attempts to comply.
.It Li user.re_dup_max ( Dv USER_RE_DUP_MAX )
The maximum number of repeated occurrences of a regular expression
permitted when using interval notation.
.It Li user.stream_max ( Dv USER_STREAM_MAX )
The minimum maximum number of streams that a process may have open
at any one time.
.It Li user.tzname_max ( Dv USER_TZNAME_MAX )
The minimum maximum number of types supported for the name of a
timezone.
.El
.Ss The vm.* subtree ( Dv CTL_VM )
The string and integer information available for the
.Li vm
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "Second level name" "struct uvmexp_sysctl" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It vm.anonmax Ta int Ta yes
.It vm.anonmin Ta int Ta yes
.It vm.bufcache Ta int Ta yes
.It vm.bufmem Ta int Ta no
.It vm.bufmem_hiwater Ta int Ta yes
.It vm.bufmem_lowater Ta int Ta yes
.It vm.execmax Ta int Ta yes
.It vm.execmin Ta int Ta yes
.It vm.filemax Ta int Ta yes
.It vm.filemin Ta int Ta yes
.It vm.loadavg Ta struct loadavg Ta no
.It vm.maxslp Ta int Ta no
.It vm.nkmempages Ta int Ta no
.It vm.uspace Ta int Ta no
.It vm.uvmexp Ta struct uvmexp Ta no
.It vm.uvmexp2 Ta struct uvmexp_sysctl Ta no
.It vm.vmmeter Ta struct vmtotal Ta no
.It vm.proc.map Ta struct kinfo_vmentry Ta no
.It vm.guard_size Ta unsigned int Ta no
.It vm.thread_guard_size Ta unsigned int Ta yes
.It vm.swap_encrypt Ta bool Ta yes
.El
.Bl -tag -width "123456"
.It Li vm.anonmax ( Dv VM_ANONMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store anonymous application data.
.It Li vm.anonmin ( Dv VM_ANONMIN )
The percentage of physical memory which will always be available for
anonymous application data.
.It Li vm.bufcache ( Dv VM_BUFCACHE )
The percentage of physical memory which will be available
for the buffer cache.
.It Li vm.bufmem ( Dv VM_BUFMEM )
The amount of kernel memory that is being used by the buffer cache.
.It Li vm.bufmem_lowater ( Dv VM_BUFMEM_LOWATER )
The minimum amount of kernel memory to reserve for the
buffer cache.
.It Li vm.bufmem_hiwater ( Dv VM_BUFMEM_HIWATER )
The maximum amount of kernel memory to be used for the
buffer cache.
.It Li vm.execmax ( Dv VM_EXECMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store cached executable data.
.It Li vm.execmin ( Dv VM_EXECMIN )
The percentage of physical memory which will always be available for
cached executable data.
.It Li vm.filemax ( Dv VM_FILEMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store cached file data.
.It Li vm.filemin ( Dv VM_FILEMIN )
The percentage of physical memory which will always be available for
cached file data.
.It Li vm.loadavg ( Dv VM_LOADAVG )
Return the load average history.
The returned data consists of a
.Vt struct loadavg .
.It Li vm.maxslp ( Dv VM_MAXSLP )
The value of the maxslp kernel global variable.
.It Li vm.vmmeter ( Dv VM_METER )
Return system wide virtual memory statistics.
The returned data consists of a
.Vt struct vmtotal .
.It Li vm.user_va0_disable
A flag which controls whether user processes can map virtual address\ 0.
.It Li vm.proc.map ( Dv VM_PROC )
The third level is
.Dv VM_PROC_MAP ,
the fourth is the pid of the process to display the vm object entries for, and
the fifth is the size of
.Vt struct kinfo_vmentry .
Returns an array of
.Vt struct kinfo_vmentry
objects.
.It Li vm.ubc_direct Bq Sy "EXPERIMENTAL" Ns No , default off
Use direct map for UBC I/O, avoiding need to map and unmap buffer memory.
Speeds up operation for fast I/O devices like NVMe, especially
on multi-CPU systems.
Only available on some architectures.
.It Li vm.uspace ( Dv VM_USPACE )
The number of bytes allocated for each kernel stack.
.It Li vm.uvmexp ( Dv VM_UVMEXP )
Return system wide virtual memory statistics.
The returned data consists of a
.Vt struct uvmexp .
.It Li vm.uvmexp2 ( Dv VM_UVMEXP2 )
Return system wide virtual memory statistics.
The returned data consists of a
.Vt struct uvmexp_sysctl .
.It Li vm.guard_size
Return system wide guard size for the main thread of a program.
.It Li vm.thread_guard_size
Return system wide default size for the guard area of all other threads
of a program.
.It Li vm.swap_encrypt
If true, encrypt data while swapped out to disk.
.Pp
Each swap device maintains an independent AES-256 key, generated when
the first page is swapped to that device.
Each page is swapped independently using AES-CBC, with an
initialization vector chosen by the encryption under the AES-256 key of
the little-endian swap slot number padded to 128 bits with zeros.
(This is essentially the
.Xr cgd 4
.Sq encblkno1
method.)
.Pp
Changes to
.Li vm.swap_encrypt
only affect pages of swap newly written out.
To force encrypting or decrypting all existing swap, or to rekey
previously encrypted swap, you can remove the swap devices and re-add
them with
.Xr swapctl 8 ,
with the caveat that whatever pages were already written to disk
unencrypted or encrypted with a compromised key may still be written to
disk afterward.
.El
.Ss The ddb.* subtree ( Dv CTL_DDB )
The information available for the
.Li ddb
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "Second level name" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It ddb.commandonenter Ta string Ta yes
.It ddb.dumpstack Ta integer Ta yes
.It ddb.fromconsole Ta integer Ta yes
.It ddb.lines Ta integer Ta yes
.It ddb.maxoff Ta integer Ta yes
.It ddb.maxwidth Ta integer Ta yes
.It ddb.onpanic Ta integer Ta yes
.It ddb.panicstackframes Ta integer Ta yes
.It ddb.radix Ta integer Ta yes
.It ddb.tabstops Ta integer Ta yes
.It ddb.tee_msgbuf Ta integer Ta yes
.El
.Bl -tag -width "123456"
.It Li ddb.commandonenter
If not empty, the string is used as the DDB command to be executed each time
DDB is entered.
.It Li ddb.dumpstack
A value of 1 causes a stack trace to be printed on entering DDB from a panic.
A value of 0 disables this behaviour.
The default value is 1.
.It Li ddb.fromconsole ( Dv DDBCTL_FROMCONSOLE )
If not zero, DDB may be entered by sending a break on a serial
console or by a special key sequence on a graphics console.
.It Li ddb.lines ( Dv DDBCTL_LINES )
Number of display lines.
.It Li ddb.maxoff ( Dv DDBCTL_MAXOFF )
The maximum symbol offset.
.It Li ddb.maxwidth ( Dv DDBCTL_MAXWIDTH )
The maximum output line width.
.It Li ddb.onpanic ( Dv DDBCTL_ONPANIC )
If greater than zero, DDB will be entered if the kernel panics.
A value of 1 causes the system to enter DDB on panic.
A value of 0 causes the kernel to attempt to print a stack trace, then
reboot, while a value of \-1 means neither a stack trace will be printed
nor DDB entered.
.It Li ddb.panicstackframes
Number of stack frames to display on panic.
Useful to avoid scrolling away the interesting frames on a glass tty.
The default value is
.Dv 65535
(all frames); a useful value is around
.Dv 10 .
.It Li ddb.radix ( Dv DDBCTL_RADIX )
The input and output radix.
.It Li ddb.tabstops ( Dv DDBCTL_TABSTOPS )
Tab width.
.It Li ddb.tee_msgbuf
If not zero, DDB will also output to the kernel message buffer.
.El
.Pp
Some of these MIB
nodes are also available as variables from within the debugger.
See
.Xr ddb 4
for more details.
.Ss The security.* subtree ( Dv CTL_SECURITY )
The
.Li security
level contains various security-related settings for
the system.
The available second level names are:
.Bl -column "Second level name" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It Li security.curtain Ta integer Ta yes
.It Li security.models Ta node Ta not applicable
.It Li security.pax Ta node Ta not applicable
.El
.Pp
Available settings are detailed below.
.Bl -tag -width "123456"
.It Li security.curtain
If non-zero, returned objects are filtered according to the user ID
requesting information about them, preventing users from
accessing any objects they do not own.
.Pp
At the moment, it affects
.Xr ps 1 ,
.Xr netstat 1
(for
.Dv PF_INET ,
.Dv PF_INET6 ,
and
.Dv PF_UNIX
PCBs), and
.Xr w 1 .
.It Li security.models
.Nx
supports pluggable security models.
Every security model used, whether loaded as a module or built with the system,
is required to add an entry to this node with at least one element,
.Dq name ,
indicating the name of the security model.
.Pp
In addition to the name, any settings and other information private to the
security model will be available under this node.
See
.Xr secmodel 9
for more information.
.It Li security.pax
Settings for PaX \(em exploit mitigation features.
For more information on any of the PaX features, please see
.Xr paxctl 8
and
.Xr security 7 .
The available third and fourth level names are:
.Bl -column "security.pax.segvguard.suspend_timeout" "integer" "Changeable" \
-offset 2n
.It Sy Third and fourth level names Ta Sy Type Ta Sy Changeable
.It Li security.pax.aslr.enabled Ta integer Ta yes
.\".It Li security.pax.aslr.exec_len integer yes
.It Li security.pax.aslr.global Ta integer Ta yes
.\".It Li security.pax.aslr.mmap_len integer yes
.\".It Li security.pax.aslr.stack_len integer yes
.It Li security.pax.mprotect.enabled Ta integer Ta yes
.It Li security.pax.mprotect.global Ta integer Ta yes
.It Li security.pax.mprotect.ptrace Ta integer Ta yes
.It Li security.pax.segvguard.enabled Ta integer Ta yes
.It Li security.pax.segvguard.expiry_timeout Ta integer Ta yes
.It Li security.pax.segvguard.global Ta integer Ta yes
.It Li security.pax.segvguard.max_crashes Ta integer Ta yes
.It Li security.pax.segvguard.suspend_timeout Ta integer Ta yes
.El
.Bl -tag -width "123456"
.It Li security.pax.aslr.enabled
Enable PaX ASLR (Address Space Layout Randomization).
.Pp
The value of this
knob must be non-zero for PaX ASLR to be enabled, even if a program is set to
explicit enable.
.\".It Li security.pax.aslr.exec_len
.\" XXX: Undocumented.
.It Li security.pax.aslr.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get PaX ASLR, except those exempted with
.Xr paxctl 8 .
Otherwise, no program will get PaX ASLR, except those specifically
marked as such with
.Xr paxctl 8 .
.\".It Li security.pax.aslr.mmap_len
.\" XXX: Undocumented.
.\" .It Li security.pax.aslr.stack_len
.\" XXX: Undocumented.
.It Li security.pax.mprotect.enabled
Enable PaX MPROTECT restrictions.
.Pp
These are
.Xr mprotect 2
restrictions to better enforce a W^X policy.
The value of this
knob must be non-zero for PaX MPROTECT to be enabled, even if a
program is set to explicit enable.
.It Li security.pax.mprotect.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get the PaX MPROTECT restrictions,
except those exempted with
.Xr paxctl 8 .
Otherwise, no program will get the PaX MPROTECT restrictions,
except those specifically marked as such with
.Xr paxctl 8 .
.It Li security.pax.mprotect.ptrace
This variable allows
.Xr ptrace 2
to override PaX MPROTECT permissions.
It can have the following values:
.Bl -tag -width XX -compact
.It 0
Does not allow any permissions to be overridden.
.It 1
Disables PaX MPROTECT for processes that start executing while traced (default).
.It 2
Bypasses PaX MPROTECT for all processes being traced.
.El
.It Li security.pax.segvguard.enabled
Enable PaX Segvguard.
.Pp
PaX Segvguard can detect and prevent certain exploitation attempts, where
an attacker may try for example to brute-force function return addresses
of respawning daemons.
.Pp
.Em Note :
The
.Nx
interface and implementation of the Segvguard is still experimental, and may
change in future releases.
.It Li security.pax.segvguard.expiry_timeout
If the max number was not reached within this timeout (in seconds), the entry
will expire.
.It Li security.pax.segvguard.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get the PaX Segvguard,
except those exempted with
.Xr paxctl 8 .
Otherwise, no program will get the PaX Segvguard restrictions,
except those specifically marked as such with
.Xr paxctl 8 .
.It Li security.pax.segvguard.max_crashes
The maximum number of segfaults a program can receive before suspension.
.It Li security.pax.segvguard.suspend_timeout
Number of seconds to suspend a user from running a faulting program when the
limit was exceeded.
.El
.El
.Ss The vendor.* subtree ( Dv CTL_VENDOR )
The
.Li vendor
top level name is reserved to be used by vendors who wish to
have their own private MIB tree.
The intended use is to store values under
.Dq vendor.<yourname>.* .
.Sh SEE ALSO
.Xr sysctl 3 ,
.Xr ipsec 4 ,
.Xr tcp 4 ,
.Xr security 7 ,
.Xr sysctl 8
.Sh HISTORY
The
.Nm
variables first appeared in
.Bx 4.4 .
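The security.pax.<feature>.enabled and .global knobs described above combine into three effective policies per PaX feature. The following shell functions are an added example, not part of the NetBSD manual page: they classify each feature from sysctl(8) output and list the security-related knobs whose value leaves a protection off or overridable. The function names and the sample values are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the manual page). The sample below is constructed,
# in the "name = value" form printed by sysctl(8).
sample_sysctl() {
cat <<'EOF'
security.curtain = 0
security.pax.aslr.enabled = 1
security.pax.aslr.global = 1
security.pax.mprotect.enabled = 1
security.pax.mprotect.global = 0
security.pax.mprotect.ptrace = 1
security.pax.segvguard.enabled = 0
security.pax.segvguard.global = 1
security.pax.segvguard.max_crashes = 5
vm.swap_encrypt = 0
EOF
}

# pax_policy: read sysctl output on stdin and print "<feature> <policy>":
#   disabled  <feature>.enabled is 0 or absent; a paxctl(8) enable flag has no effect
#   opt-out   enabled and global non-zero; on unless exempted with paxctl(8)
#   opt-in    enabled and global 0; off unless marked with paxctl(8)
pax_policy() {
    awk -F' = ' '
        $1 ~ /^security\.pax\.[a-z]+\.(enabled|global)$/ {
            split($1, p, ".")
            feat[p[3]] = 1
            val[p[3] "." p[4]] = $2 + 0
        }
        END {
            for (f in feat) {
                if (val[f ".enabled"] == 0) s = "disabled"
                else if (val[f ".global"] != 0) s = "opt-out"
                else s = "opt-in"
                print f, s
            }
        }' | sort
}

# relaxed_knobs: print knobs whose value leaves a protection described on this
# page switched off (curtain, swap encryption) or overridable (mprotect.ptrace).
relaxed_knobs() {
    awk -F' = ' '
        ($1 == "security.curtain" || $1 == "vm.swap_encrypt") && $2 + 0 == 0 { print $1 }
        $1 == "security.pax.mprotect.ptrace" && $2 + 0 != 0 { print $1 }
    ' | sort
}

sample_sysctl | pax_policy
sample_sysctl | relaxed_knobs
```

On a live system the same functions can read real values, for example `sysctl security vm.swap_encrypt | pax_policy`.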