.\" $NetBSD: sysctl.7,v 1.29 2009/12/07 23:48:01 wiz Exp $
.\"
.\" Copyright (c) 1993
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95
.\"
.Dd December 7, 2009
.Dt SYSCTL 7
.Os
.Sh NAME
.Nm sysctl
.Nd system information variables
.Sh DESCRIPTION
The
.Xr sysctl 3
library function and the
.Xr sysctl 8
utility are used to get and set values of system variables, maintained
by the kernel.
The variables are organized in a tree and identified by a sequence of
numbers, conventionally separated by dots with the topmost identifier
at the left side.
The numbers have corresponding text names.
The
.Xr sysctlnametomib 3
function or the
.Fl M
argument to the
.Xr sysctl 8
utility can be used to convert the text representation to the
numeric one.
.Pp
The individual sysctl variables are described below, both the textual
and numeric form where applicable.
The textual names can be used as argument to the
.Xr sysctl 8
utility and in the file
.Pa /etc/sysctl.conf .
The numeric names are usually defined as preprocessor constants and
are intended for use by programs.
Every such constant expands to one integer, which identifies the
sysctl variable relative to the upper level of the tree.
See the
.Xr sysctl 3
manual page for programming examples.
.Sh Top level names
The top level names are defined with a CTL_ prefix in
.Aq Pa sys/sysctl.h ,
and are as follows.
The next and subsequent levels down are found in the include files
listed here, and described in separate sections below.
.Bl -column security CTL_SECURITY "Next level names" "High kernel limits"
.It Sy Name Ta Constant Ta Next level names Ta Description
.It kern Ta CTL_KERN Ta sys/sysctl.h Ta High kernel limits
.It vm Ta CTL_VM Ta uvm/uvm_param.h Ta Virtual memory
.It vfs Ta CTL_VFS Ta sys/mount.h Ta Filesystem
.It net Ta CTL_NET Ta sys/socket.h Ta Networking
.It debug Ta CTL_DEBUG Ta sys/sysctl.h Ta Debugging
.It hw Ta CTL_HW Ta sys/sysctl.h Ta Generic CPU, I/O
.It machdep Ta CTL_MACHDEP Ta sys/sysctl.h Ta Machine dependent
.It user Ta CTL_USER Ta sys/sysctl.h Ta User-level
.It ddb Ta CTL_DDB Ta sys/sysctl.h Ta In-kernel debugger
.It proc Ta CTL_PROC Ta sys/sysctl.h Ta Per-process
.It vendor Ta CTL_VENDOR Ta ? Ta Vendor specific
.It emul Ta CTL_EMUL Ta sys/sysctl.h Ta Emulation settings
.It security Ta CTL_SECURITY Ta sys/sysctl.h Ta Security settings
.El
.Sh The debug.* subtree
The debugging variables vary from system to system.
A debugging variable may be added or deleted without need to recompile
.Nm
to know about it.
Each time it runs,
.Nm
gets the list of debugging variables from the kernel and
displays their current values.
The system defines twenty
.Va ( struct ctldebug )
variables named
.Dv debug0
through
.Dv debug19 .
They are declared as separate variables so that they can be
individually initialized at the location of their associated variable.
The loader prevents multiple use of the same variable by issuing errors
if a variable is initialized in more than one place.
For example, to export the variable
.Dv dospecialcheck
as a debugging variable, the following declaration would be used:
.Bd -literal -offset indent -compact
int dospecialcheck = 1;
struct ctldebug debug5 = { "dospecialcheck", \*[Am]dospecialcheck };
.Ed
.Pp
Note that the dynamic implementation of
.Nm
currently in use largely makes this particular
.Nm
interface obsolete.
See
.Xr sysctl 8
.\" and
.\" .Xr sysctl 9
for more information.
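The textual names described in DESCRIPTION are what goes into /etc/sysctl.conf, and the Changeable columns in this page's tables say which of them can be set at all. As an added example (not part of the NetBSD manual), this Python script checks a constructed sysctl.conf against an excerpt of those columns and against a hardening baseline; the baseline values, the name=value syntax with # comments, and the last-assignment-wins ordering are assumptions of the example.

```python
import re

# Excerpt of the "Changeable" columns from the hw.* and kern.* tables of this page.
CHANGEABLE = {
    "hw.pagesize": "no",
    "hw.ncpu": "no",
    "kern.osrelease": "no",
    "kern.hostname": "yes",
    "kern.maxfiles": "yes",
    "kern.securelevel": "raise only",
}

# Hypothetical hardening baseline: these values are assumptions of the example,
# not recommendations taken from the manual page.
BASELINE = {
    "kern.coredump.setid.dump": "0",
    "net.inet.ip.allowsrcrt": "0",
    "net.inet.ip.forwsrcrt": "0",
    "net.inet.ip.directed-broadcast": "0",
    "net.inet.icmp.rediraccept": "0",
}

# A dotted name with at least two components, then "=", then the value.
ASSIGN_RE = re.compile(r"^([A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)+)\s*=\s*(.*)$")

# Constructed sample input, not taken from a real system.
SAMPLE_CONF = """\
# constructed sample /etc/sysctl.conf
kern.hostname=gw1.example.org
hw.pagesize=8192            # read-only per the hw.* table
kern.securelevel=1
net.inet.ip.forwsrcrt=0
net.inet.ip.allowsrcrt=0
net.inet.ip.allowsrcrt=1    # later line overrides the earlier one
kern.coredump.setid.dump=1
this is not an assignment
"""


def parse_conf(text):
    """Return (assignments, errors); assignments are (lineno, name, value)."""
    assignments, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # assumed: "#" starts a comment
        if not line:
            continue
        match = ASSIGN_RE.match(line)
        if match is None:
            errors.append((lineno, raw.strip()))
            continue
        assignments.append((lineno, match.group(1), match.group(2).strip()))
    return assignments, errors


def audit(text):
    """Return findings as (code, lineno, name, detail) tuples."""
    assignments, errors = parse_conf(text)
    findings = [("syntax", lineno, "", raw) for lineno, raw in errors]
    effective = {}   # name -> (lineno, value); assumed: the last assignment wins
    for lineno, name, value in assignments:
        mode = CHANGEABLE.get(name)
        if mode == "no":
            findings.append(("read-only", lineno, name,
                             "listed as not changeable"))
        elif mode == "raise only":
            findings.append(("raise-only", lineno, name,
                             "can be raised but not lowered again"))
        if name in effective:
            findings.append(("duplicate", lineno, name,
                             "overrides line %d" % effective[name][0]))
        effective[name] = (lineno, value)
    for name, want in sorted(BASELINE.items()):
        if name not in effective:
            findings.append(("unset", 0, name, "kernel default applies"))
        elif effective[name][1] != want:
            findings.append(("baseline", effective[name][0], name,
                             "is %s, baseline wants %s"
                             % (effective[name][1], want)))
    return findings


if __name__ == "__main__":
    for code, lineno, name, detail in audit(SAMPLE_CONF):
        print("%-10s line %-2d %-32s %s" % (code, lineno, name, detail))
```

The duplicate check matters because a later line can silently undo a hardened value set earlier in the same file.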
.Sh The vfs.* subtree
A distinguished second level name,
.Li vfs.generic ( VFS_GENERIC ) ,
is used to get general information about all filesystems.
It has the following third level identifiers:
.Bl -tag -width compact
.It vfs.generic.maxtypenum ( VFS_MAXTYPENUM )
The highest valid filesystem type number.
.It vfs.generic.conf ( VFS_CONF )
Returns configuration information about the file-system type given as a fourth
level identifier.
.El
.Pp
The remaining second level identifiers are the file-system names, identified
by the type number returned by a
.Xr statvfs 2
call or from
.Li vfs.generic.conf .
The third level identifiers available for each filesystem
are given in the header file that defines the mount
argument structure for that filesystem.
.Sh The hw.* subtree
The string and integer information available for the
.Li hw
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "hw.acpi.supported_states" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It hw.acpi.supported_states Ta string Ta no
.It hw.alignbytes Ta integer Ta no
.It hw.byteorder Ta integer Ta no
.It hw.cnmagic Ta string Ta yes
.It hw.disknames Ta string Ta no
.It hw.diskstats Ta struct Ta no
.It hw.machine Ta string Ta no
.It hw.machine_arch Ta string Ta no
.It hw.model Ta string Ta no
.It hw.ncpu Ta integer Ta no
.It hw.pagesize Ta integer Ta no
.It hw.physmem Ta integer Ta no
.It hw.physmem64 Ta quad Ta no
.It hw.usermem Ta integer Ta no
.It hw.usermem64 Ta quad Ta no
.El
.Pp
.Bl -tag -width "123456"
.It Li hw.acpi.supported_states
List of possible
.Tn ACPI
sleep states.
The list can contain the following values:
.Bl -tag -width XS1X
.It S0
fully running
.It S1
power on suspend (CPU and hard disks are off)
.It S2
similar to S3, usually not implemented
.It S3
suspend-to-RAM
.It S4
suspend-to-disk (needs BIOS support)
.It S5
power off
.El
.It Li hw.alignbytes ( HW_ALIGNBYTES )
Alignment constraint for all possible data types.
This shows the value
.Dv ALIGNBYTES
in
.Pa /usr/include/machine/param.h ,
at the kernel compilation time.
.It Li hw.byteorder ( HW_BYTEORDER )
The byteorder (4,321, or 1,234).
.It Li hw.cnmagic ( HW_CNMAGIC )
The console magic key sequence.
.It Li hw.disknames ( HW_DISKNAMES )
The list of (space separated) disk device names on the system.
.It Li hw.iostatnames ( HW_IOSTATNAMES )
A space separated list of devices that will have I/O statistics
collected on them.
.It Li hw.iostats ( HW_IOSTATS )
Return statistical information on the NFS mounts, disk and tape
devices on the system.
An array of
.Va struct io_sysctl
structures is returned,
whose size depends on the current number of such objects in the system.
The third level name is the size of the
.Va struct io_sysctl .
The type of object can be determined by examining the
.Va type
element of
.Va struct io_sysctl .
Which can be
.Dv IOSTAT_DISK
(disk drive),
.Dv IOSTAT_TAPE
(tape drive), or
.Dv IOSTAT_NFS
(NFS mount).
.It Li hw.machine ( HW_MACHINE )
The machine class.
.It Li hw.machine_arch ( HW_MACHINE_ARCH )
The machine CPU class.
.It Li hw.model ( HW_MODEL )
The machine model.
.It Li hw.ncpu ( HW_NCPU )
The number of CPUs.
.It Li hw.pagesize ( HW_PAGESIZE )
The software page size.
.It Li hw.physmem ( HW_PHYSMEM )
The bytes of physical memory as a 32-bit integer.
.It Li hw.physmem64 ( HW_PHYSMEM64 )
The bytes of physical memory as a 64-bit integer.
.It Li hw.usermem ( HW_USERMEM )
The bytes of non-kernel memory as a 32-bit integer.
.It Li hw.usermem64 ( HW_USERMEM64 )
The bytes of non-kernel memory as a 64-bit integer.
.El
.Sh The kern.* subtree
The string and integer information available for the
.Li kern
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
The types of data currently available are process information,
system vnodes, the open file entries, routing table entries,
virtual memory statistics, load average history, and clock rate
information.
.Bl -column "kern.posix_reader_writer_locks" "struct kinfo_drivers" "not applicable"
.It Sy Second level name Ta Type Ta Changeable
.It kern.argmax Ta integer Ta no
.It kern.autonicetime Ta integer Ta yes
.It kern.autoniceval Ta integer Ta yes
.It kern.boottime Ta struct timeval Ta no
.It kern.bufq Ta node Ta not applicable
.It kern.ccpu Ta integer Ta no
.It kern.clockrate Ta struct clockinfo Ta no
.It kern.consdev Ta integer Ta no
.It kern.cp_id Ta struct Ta no
.It kern.cp_time Ta uint64_t[\|] Ta no
.It kern.defcorename Ta string Ta yes
.It kern.domainname Ta string Ta yes
.It kern.drivers Ta struct kinfo_drivers Ta no
.It kern.file Ta struct file Ta no
.It kern.forkfsleep Ta integer Ta yes
.It kern.fscale Ta integer Ta no
.It kern.fsync Ta integer Ta no
.It kern.hardclock_ticks Ta integer Ta no
.It kern.hostid Ta integer Ta yes
.It kern.hostname Ta string Ta yes
.It kern.iov_max Ta integer Ta no
.It kern.job_control Ta integer Ta no
.It kern.labeloffset Ta integer Ta no
.It kern.labelsector Ta integer Ta no
.It kern.login_name_max Ta integer Ta no
.It kern.logsigexit Ta integer Ta yes
.It kern.mapped_files Ta integer Ta no
.It kern.maxfiles Ta integer Ta yes
.It kern.maxpartitions Ta integer Ta no
.It kern.maxphys Ta integer Ta no
.It kern.maxproc Ta integer Ta yes
.It kern.maxptys Ta integer Ta yes
.It kern.maxvnodes Ta integer Ta yes
.It kern.mbuf Ta node Ta not applicable
.It kern.memlock Ta integer Ta no
.It kern.memlock_range Ta integer Ta no
.It kern.memory_protection Ta integer Ta no
.It kern.monotonic_clock Ta integer Ta no
.It kern.msgbuf Ta integer Ta no
.It kern.msgbufsize Ta integer Ta no
.It kern.ngroups Ta integer Ta no
.It kern.ntptime Ta struct ntptimeval Ta no
.It kern.osrelease Ta string Ta no
.It kern.osrev Ta integer Ta no
.It kern.ostype Ta string Ta no
.It kern.pipe Ta node Ta not applicable
.It kern.posix1 Ta integer Ta no
.It kern.posix_barriers Ta integer Ta no
.It kern.posix_reader_writer_locks Ta integer Ta no
.It kern.posix_semaphores Ta integer Ta no
.It kern.posix_spin_locks Ta integer Ta no
.It kern.posix_threads Ta integer Ta no
.It kern.posix_timers Ta integer Ta no
.It kern.proc Ta struct kinfo_proc Ta no
.It kern.proc2 Ta struct kinfo_proc2 Ta no
.It kern.proc_args Ta string Ta no
.It kern.prof Ta node Ta not applicable
.It kern.rawpartition Ta integer Ta no
.It kern.root_device Ta string Ta no
.It kern.root_partition Ta integer Ta no
.It kern.rtc_offset Ta integer Ta yes
.It kern.saved_ids Ta integer Ta no
.It kern.securelevel Ta integer Ta raise only
.It kern.synchronized_io Ta integer Ta no
.It kern.ipc Ta node Ta not applicable
.It kern.timecounter Ta node Ta not applicable
.It kern.timex Ta struct Ta no
.It kern.tkstat Ta node Ta not applicable
.It kern.urandom Ta integer Ta no
.It kern.version Ta string Ta no
.It kern.vnode Ta struct vnode Ta no
.El
.Bl -tag -width "123456"
.It Li kern.argmax ( KERN_ARGMAX )
The maximum bytes of argument to
.Xr execve 2 .
.It Li kern.autonicetime ( KERN_AUTONICETIME )
The number of seconds of CPU-time a non-root process may accumulate before
having its priority lowered from the default to the value of KERN_AUTONICEVAL.
If set to 0, automatic lowering of priority is not performed, and if set to \-1
all non-root processes are immediately lowered.
.It Li kern.autoniceval ( KERN_AUTONICEVAL )
The priority assigned for automatically niced processes.
.It Li kern.boothowto
Flags passed from the boot loader; see
.Xr reboot 2
for the meanings of the flags.
.It Li kern.boottime ( KERN_BOOTTIME )
A
.Va struct timeval
structure is returned.
This structure contains the time that the system was booted.
.It Li kern.ccpu ( KERN_CCPU )
The scheduler exponential decay value.
.It Li kern.clockrate ( KERN_CLOCKRATE )
A
.Va struct clockinfo
structure is returned.
This structure contains the clock, statistics clock and profiling clock
frequencies, the number of micro-seconds per hz tick, and the clock
skew rate.
.It Li kern.consdev ( KERN_CONSDEV )
Console device.
.It Li kern.cp_id ( KERN_CP_ID )
Mapping of CPU number to CPU id.
.It Li kern.cp_time ( KERN_CP_TIME )
Returns an array of CPUSTATES uint64_ts.
This array contains the
number of clock ticks spent in different CPU states.
On multi-processor systems, the sum across all CPUs is returned unless
appropriate space is given for one data set for each CPU.
Data for a specific CPU can also be obtained by adding the number of the
CPU at the end of the MIB, enlarging it by one.
.It Li kern.defcorename ( KERN_DEFCORENAME )
Default template for the name of core dump files (see also
.Li proc.pid.corename
in the per-process variables
.Li proc.* ,
and
.Xr core 5
for format of this template).
The default value is
.Nm %n.core
and can be changed with the kernel configuration option
.Cd options DEFCORENAME
(see
.Xr options 4
).
.It Li kern.domainname ( KERN_DOMAINNAME )
Get or set the YP domain name.
.It Li kern.dump_on_panic ( KERN_DUMP_ON_PANIC )
Perform a crash dump on system panic.
.It Li kern.drivers ( KERN_DRIVERS )
Return an array of
.Va struct kinfo_drivers
that contains the name and major device numbers of all the device drivers
in the current kernel.
The
.Va d_name
field is always a NUL terminated string.
The
.Va d_bmajor
field will be set to \-1 if the driver doesn't have a block device.
.It Li kern.file ( KERN_FILE )
Return the entire file table.
The returned data consists of a single
.Va struct filelist
followed by an array of
.Va struct file ,
whose size depends on the current number of such objects in the system.
.It Li kern.forkfsleep ( KERN_FORKFSLEEP )
If
.Xr fork 2
system call fails due to limit on number of processes (either
the global maxproc limit or user's one), wait for this many
milliseconds before returning
.Er EAGAIN
error to process.
Useful to keep heavily forking runaway processes at bay.
Default zero (no sleep).
Maximum is 20 seconds.
.It Li kern.fscale ( KERN_FSCALE )
The kernel fixed-point scale factor.
.It Li kern.fsync ( KERN_FSYNC )
Return 1 if the POSIX 1003.1b File Synchronization Option is available
on this system,
otherwise 0.
.It Li kern.hardclock_ticks ( KERN_HARDCLOCK_TICKS )
Returns the number of
.Xr hardclock 9
ticks.
.It Li kern.hostid ( KERN_HOSTID )
Get or set the host id.
.It Li kern.hostname ( KERN_HOSTNAME )
Get or set the hostname.
.It Li kern.iov_max ( KERN_IOV_MAX )
Return the maximum number of
.Va iovec
structures that a process has available for use with
.Xr preadv 2 ,
.Xr pwritev 2 ,
.Xr readv 2 ,
.Xr recvmsg 2 ,
.Xr sendmsg 2
and
.Xr writev 2 .
.It Li kern.job_control ( KERN_JOB_CONTROL )
Return 1 if job control is available on this system, otherwise 0.
.It Li kern.labeloffset ( KERN_LABELOFFSET )
The offset within the sector specified by KERN_LABELSECTOR of the
.Xr disklabel 5 .
.It Li kern.labelsector ( KERN_LABELSECTOR )
The sector number containing the
.Xr disklabel 5 .
.It Li kern.login_name_max ( KERN_LOGIN_NAME_MAX )
The size of the storage required for a login name, in bytes,
including the terminating NUL.
.It Li kern.logsigexit ( KERN_LOGSIGEXIT )
If this flag is non-zero, the kernel will
.Xr log 9
all process exits due to signals which create a
.Xr core 5
file, and whether the coredump was created.
.It Li kern.mapped_files ( KERN_MAPPED_FILES )
Returns 1 if the POSIX 1003.1b Memory Mapped Files Option is available
on this system,
otherwise 0.
.It Li kern.maxfiles ( KERN_MAXFILES )
The maximum number of open files that may be open in the system.
.It Li kern.maxpartitions ( KERN_MAXPARTITIONS )
The maximum number of partitions allowed per disk.
.It Li kern.maxphys ( KERN_MAXPHYS )
Maximum raw I/O transfer size.
.It Li kern.maxproc ( KERN_MAXPROC )
The maximum number of simultaneous processes the system will allow.
.It Li kern.maxptys ( KERN_MAXPTYS )
The maximum number of pseudo terminals.
This value can be both raised and lowered, though it cannot
be set lower than number of currently used ptys.
See also
.Xr pty 4 .
.It Li kern.maxvnodes ( KERN_MAXVNODES )
The maximum number of vnodes available on the system.
This can only be raised.
.It Li kern.mbuf ( KERN_MBUF )
Return information about the mbuf control variables.
Mbufs are data structures which store network packets and other data
structures in the networking code, see
.Xr mbuf 9 .
The third level names for the mbuf variables are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.mbuf.nmbclusters" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.\" XXX Changeable? really?
.It kern.mbuf.mblowat Ta integer Ta yes
.It kern.mbuf.mclbytes Ta integer Ta yes
.It kern.mbuf.mcllowat Ta integer Ta yes
.It kern.mbuf.msize Ta integer Ta yes
.It kern.mbuf.nmbclusters Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.mbuf.mblowat ( MBUF_MBLOWAT )
The mbuf low water mark.
.It Li kern.mbuf.mclbytes ( MBUF_MCLBYTES )
The mbuf cluster size.
.It Li kern.mbuf.mcllowat ( MBUF_MCLLOWAT )
The mbuf cluster low water mark.
.It Li kern.mbuf.msize ( MBUF_MSIZE )
The mbuf base size.
.It Li kern.mbuf.nmbclusters ( MBUF_NMBCLUSTERS )
The limit on the number of mbuf clusters.
The variable can only be increased, and only increased on machines with
direct-mapped pool pages.
.El
.It Li kern.memlock ( KERN_MEMLOCK )
Returns 1 if the POSIX 1003.1b Process Memory Locking Option is available
on this system,
otherwise 0.
.It Li kern.memlock_range ( KERN_MEMLOCK_RANGE )
Returns 1 if the POSIX 1003.1b Range Memory Locking Option is available
on this system,
otherwise 0.
.It Li kern.memory_protection ( KERN_MEMORY_PROTECTION )
Returns 1 if the POSIX 1003.1b Memory Protection Option is available
on this system,
otherwise 0.
.It Li kern.monotonic_clock ( KERN_MONOTONIC_CLOCK )
Returns the standard version the implementation of the POSIX 1003.1b
Monotonic Clock Option conforms to,
otherwise 0.
.It Li kern.msgbuf ( KERN_MSGBUF )
The kernel message buffer, rotated so that the head of the circular kernel
message buffer is at the start of the returned data.
The returned data may contain NUL bytes.
.It Li kern.msgbufsize ( KERN_MSGBUFSIZE )
The maximum number of characters that the kernel message buffer can hold.
.It Li kern.ngroups ( KERN_NGROUPS )
The maximum number of supplemental groups.
.It Li kern.ntptime ( KERN_NTPTIME )
A
.Va struct ntptimeval
structure is returned.
This structure contains data used by the
.Xr ntpd 8
program.
.It Li kern.osrelease ( KERN_OSRELEASE )
The system release string.
.It Li kern.osrevision ( KERN_OSREV )
The system revision string.
.It Li kern.ostype ( KERN_OSTYPE )
The system type string.
.It Li kern.pipe ( KERN_PIPE )
Pipe settings.
The third level names for the integer pipe settings are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.pipe.maxbigpipes" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.pipe.kvasiz Ta integer Ta yes
.It kern.pipe.maxbigpipes Ta integer Ta yes
.It kern.pipe.maxkvasz Ta integer Ta yes
.It kern.pipe.limitkva Ta integer Ta yes
.It kern.pipe.nbigpipes Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.pipe.kvasiz ( KERN_PIPE_KVASIZ )
Amount of kernel memory consumed by pipe buffers.
.It Li kern.pipe.maxbigpipes ( KERN_PIPE_MAXBIGPIPES )
Maximum number of "big" pipes.
.It Li kern.pipe.maxkvasz ( KERN_PIPE_MAXKVASZ )
Maximum amount of kernel memory to be used for pipes.
.It Li kern.pipe.limitkva ( KERN_PIPE_LIMITKVA )
Limit for direct transfers via page loan.
.It Li kern.pipe.nbigpipes ( KERN_PIPE_NBIGPIPES )
Number of "big" pipes.
.El
.It Li kern.posix1version ( KERN_POSIX1 )
The version of ISO/IEC 9945 (POSIX 1003.1) with which the system
attempts to comply.
.It Li kern.posix_barriers ( KERN_POSIX_BARRIERS )
The version of
.St -p1003.1
and its
Barriers
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_reader_writer_locks ( KERN_POSIX_READER_WRITER_LOCKS )
The version of
.St -p1003.1
and its
Read-Write Locks
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_semaphores ( KERN_POSIX_SEMAPHORES )
The version of
.St -p1003.1
and its
Semaphores
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_spin_locks ( KERN_POSIX_SPIN_LOCKS )
The version of
.St -p1003.1
and its
Spin Locks
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_threads ( KERN_POSIX_THREADS )
The version of
.St -p1003.1
and its
Threads
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_timers ( KERN_POSIX_TIMERS )
The version of
.St -p1003.1
and its
Timers
option to which the system attempts to conform,
otherwise 0.
.It Li kern.proc ( KERN_PROC )
Return the entire process table, or a subset of it.
An array of
.Va struct kinfo_proc
structures is returned,
whose size depends on the current number of such objects in the system.
The third and fourth level numeric names are as follows:
.Bl -column "KERN_PROC_SESSION" "Fourth level is:" -offset indent
.It Sy Third level name Ta Fourth level is:
.It KERN_PROC_ALL Ta None
.It KERN_PROC_GID Ta A group ID
.It KERN_PROC_PID Ta A process ID
.It KERN_PROC_PGRP Ta A process group
.It KERN_PROC_RGID Ta A real group ID
.It KERN_PROC_RUID Ta A real user ID
.It KERN_PROC_SESSION Ta A session ID
.It KERN_PROC_TTY Ta A tty device
.It KERN_PROC_UID Ta A user ID
.El
.It Li kern.proc2 ( KERN_PROC2 )
As for KERN_PROC, but an array of
.Va struct kinfo_proc2
structures are returned.
The fifth level name is the size of the
.Va struct kinfo_proc2
and the sixth level name is the number of structures to return.
.It Li kern.proc_args ( KERN_PROC_ARGS )
Return the argv or environment strings (or the number thereof)
of a process.
Multiple strings are returned separated by NUL characters.
The third level name is the process ID.
The fourth level name is as follows:
.Bl -column "KERN_PROG_NARGV" "The number of environ strings" -offset indent
.It KERN_PROC_ARGV Ta The argv strings
.It KERN_PROC_ENV Ta The environ strings
.It KERN_PROC_NARGV Ta The number of argv strings
.It KERN_PROC_NENV Ta The number of environ strings
.El
.It Li kern.profiling ( KERN_PROF )
Return profiling information about the kernel.
If the kernel is not compiled for profiling,
attempts to retrieve any of the KERN_PROF values will
fail with
.Er EOPNOTSUPP .
The third level names for the string and integer profiling information
are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.profiling.gmonparam" "struct gmonparam" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.profiling.count Ta u_short[\|] Ta yes
.It kern.profiling.froms Ta u_short[\|] Ta yes
.It kern.profiling.gmonparam Ta struct gmonparam Ta no
.It kern.profiling.state Ta integer Ta yes
.It kern.profiling.tos Ta struct tostruct Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.profiling.count ( GPROF_COUNT )
Array of statistical program counter counts.
.It Li kern.profiling.froms ( GPROF_FROMS )
Array indexed by program counter of call-from points.
.It Li kern.profiling.gmonparams ( GPROF_GMONPARAM )
Structure giving the sizes of the above arrays.
.It Li kern.profiling.state ( GPROF_STATE )
Profiling state.
If set to GMON_PROF_ON, starts profiling.
If set to GMON_PROF_OFF, stops profiling.
.It Li kern.profiling.tos ( GPROF_TOS )
Array of
.Va struct tostruct
describing destination of calls and their counts.
.El
.It Li kern.rawpartition ( KERN_RAWPARTITION )
The raw partition of a disk (a == 0).
.It Li kern.root_device ( KERN_ROOT_DEVICE )
The name of the root device (e.g.,
.Dq wd0 ) .
.It Li kern.root_partition ( KERN_ROOT_PARTITION )
The root partition on the root device (a == 0).
.It Li kern.rtc_offset ( KERN_RTC_OFFSET )
Return the offset of real time clock from UTC in minutes.
.It Li kern.saved_ids ( KERN_SAVED_IDS )
Returns 1 if saved set-group and saved set-user ID is available.
.It Li kern.sbmax ( KERN_SBMAX )
Maximum socket buffer size.
.\" XXX units?
.It Li kern.securelevel ( KERN_SECURELVL )
See
.Xr secmodel_securelevel 9 .
.It Li kern.somaxkva ( KERN_SOMAXKVA )
Maximum amount of kernel memory to be used for socket buffers.
.\" XXX units?
.It Li kern.synchronized_io ( KERN_SYNCHRONIZED_IO )
Returns 1 if the POSIX 1003.1b Synchronized I/O Option is available
on this system,
otherwise 0.
.It Li kern.ipc ( KERN_SYSVIPC )
Return information about the SysV IPC parameters.
The third level names for the ipc variables are detailed below.
.Bl -column "kern.ipc.shm_use_phys" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.ipc.sysvmsg Ta integer Ta no
.It kern.ipc.sysvsem Ta integer Ta no
.It kern.ipc.sysvshm Ta integer Ta no
.It kern.ipc.sysvipc_info Ta struct Ta no
.It kern.ipc.shmmax Ta integer Ta yes
.It kern.ipc.shmmni Ta integer Ta yes
.It kern.ipc.shmseg Ta integer Ta yes
.It kern.ipc.shmmaxpgs Ta integer Ta yes
.It kern.ipc.shm_use_phys Ta integer Ta yes
.It kern.ipc.msgmni Ta integer Ta yes
.It kern.ipc.msgseg Ta integer Ta yes
.It kern.ipc.semmni Ta integer Ta yes
.It kern.ipc.semmns Ta integer Ta yes
.It kern.ipc.semmnu Ta integer Ta yes
.El
.Bl -tag -width "123456"
.It Li kern.ipc.sysvmsg ( KERN_SYSVIPC_MSG )
Returns 1 if System V style message queue functionality is available
on this system,
otherwise 0.
.It Li kern.ipc.sysvsem ( KERN_SYSVIPC_SEM )
Returns 1 if System V style semaphore functionality is available
on this system,
otherwise 0.
.It Li kern.ipc.sysvshm ( KERN_SYSVIPC_SHM )
Returns 1 if System V style shared memory functionality is available
on this system,
otherwise 0.
.It Li kern.ipc.sysvipc_info ( KERN_SYSVIPC_INFO )
Return System V style IPC configuration and run-time information.
The fourth level name selects the System V style IPC facility.
.Bl -column "KERN_SYSVIPC_MSG_INFO" "struct shm_sysctl_info" -offset indent
.It Sy Fourth level name Ta Type
.It KERN_SYSVIPC_MSG_INFO Ta struct msg_sysctl_info
.It KERN_SYSVIPC_SEM_INFO Ta struct sem_sysctl_info
.It KERN_SYSVIPC_SHM_INFO Ta struct shm_sysctl_info
.El
.Pp
.Bl -tag -width "123456"
.It Li KERN_SYSVIPC_MSG_INFO
Return information on the System V style message facility.
The
.Sy msg_sysctl_info
structure is defined in
.Aq Pa sys/msg.h .
.It Li KERN_SYSVIPC_SEM_INFO
Return information on the System V style semaphore facility.
The
.Sy sem_sysctl_info
structure is defined in
.Aq Pa sys/sem.h .
.It Li KERN_SYSVIPC_SHM_INFO
Return information on the System V style shared memory facility.
The
.Sy shm_sysctl_info
structure is defined in
.Aq Pa sys/shm.h .
.El
.It Li kern.ipc.shmmax ( KERN_SYSVIPC_SHMMAX )
Max shared memory segment size in bytes.
.It Li kern.ipc.shmmni ( KERN_SYSVIPC_SHMMNI )
Max number of shared memory identifiers.
.It Li kern.ipc.shmseg ( KERN_SYSVIPC_SHMSEG )
Max shared memory segments per process.
.It Li kern.ipc.shmmaxpgs ( KERN_SYSVIPC_SHMMAXPGS )
Max amount of shared memory in pages.
.It Li kern.ipc.shm_use_phys ( KERN_SYSVIPC_SHMUSEPHYS )
Locking of shared memory in physical memory.
If 0, memory can be swapped
out, otherwise it will be locked in physical memory.
.It Li kern.ipc.msgmni
Max number of message queue identifiers.
.It Li kern.ipc.msgseg
Max number of message segments.
.It Li kern.ipc.semmni
Max number of semaphore identifiers.
.It Li kern.ipc.semmns
Max number of semaphores in system.
.It Li kern.ipc.semmnu
Max number of undo structures in system.
.El
.It Li kern.timecounter ( dynamic )
Display and control the timecounter source of the system.
.Bl -column "kern.timecounter.timestepwarnings" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.timecounter.choice Ta string Ta no
.It kern.timecounter.hardware Ta string Ta yes
.It kern.timecounter.timestepwarnings Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.timecounter.choice ( dynamic )
The list of available timecounters with their quality and frequency.
.It Li kern.timecounter.hardware ( dynamic )
The currently selected timecounter source.
.It Li kern.timecounter.timestepwarnings ( dynamic )
If non-zero display a message each time the time is stepped.
.El
.It Li kern.timex ( KERN_TIMEX )
Not available.
.It Li kern.tkstat ( KERN_TKSTAT )
Return information about the number of characters sent and received
on ttys.
The third level names for the tty statistic variables are detailed below.
The changeable column shows whether a process
with appropriate privilege may change the value.
.Bl -column "kern.tkstat.cancc" "quad" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.tkstat.cancc Ta quad Ta no
.It kern.tkstat.nin Ta quad Ta no
.It kern.tkstat.nout Ta quad Ta no
.It kern.tkstat.rawcc Ta quad Ta no
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.tkstat.cancc ( KERN_TKSTAT_CANCC )
The number of canonical input characters.
.It Li kern.tkstat.nin ( KERN_TKSTAT_NIN )
The total number of input characters.
.It Li kern.tkstat.nout ( KERN_TKSTAT_NOUT )
The total number of output characters.
.It Li kern.tkstat.rawcc ( KERN_TKSTAT_RAWCC )
The number of raw input characters.
.El
.It Li kern.urandom ( KERN_URND )
Random integer value.
.It Li kern.veriexec
Tunings for Veriexec.
.Bl -tag -width "123456"
.It Li kern.veriexec.algorithms
Returns a string with the supported algorithms in Veriexec.
.It Li kern.veriexec.count
Sub-nodes are added to this node as new mounts are monitored by Veriexec.
Each mount will be under its own
.No tableN
node.
Under each node there will be three variables, indicating the mount
point, the file-system type, and the number of entries.
.It Li kern.veriexec.strict
Controls the strict level of Veriexec.
See
.Xr security 8
for more information on each level's implications.
.It Li kern.veriexec.verbose
Controls the verbosity level of Veriexec.
If 0, only the minimal
indication required will be given about what's happening - fingerprint
mismatches, removal of entries from the tables, modification of a
fingerprinted file.
If 1, more messages will be printed (i.e., when a file with a valid
fingerprint is accessed).
Verbose level 2 is debug mode.
.El
.It Li kern.version ( KERN_VERSION )
The system version string.
.It Li kern.vnode ( KERN_VNODE )
Return the entire vnode table.
Note, the vnode table is not necessarily a consistent snapshot of
the system.
The returned data consists of an array whose size depends on the
current number of such objects in the system.
Each element of the array contains the kernel address of a vnode
.Va struct vnode *
followed by the vnode itself
.Va struct vnode .
.It Li kern.coredump.setid
Settings related to set-id processes coredumps.
By default, set-id processes do not dump core in situations where
other processes would.
The settings in this node allow an administrator to change this
behavior.
.Pp
.Bl -tag -width "123456"
.It Li kern.coredump.setid.dump
If non-zero, set-id processes will dump core.
.It Li kern.coredump.setid.group
The group-id for the set-id processes' coredump.
.It Li kern.coredump.setid.mode
The mode for the set-id processes' coredump.
See
.Xr chmod 1 .
.It Li kern.coredump.setid.owner
The user-id that will be used as the owner of the set-id processes'
coredump.
.It Li kern.coredump.setid.path
The path to which set-id processes' coredumps will be saved.
Same syntax as kern.defcorename.
.El
.\" XXX kern.lwp
.El
.Sh The machdep.* subtree
The set of variables defined is architecture dependent.
Most architectures define at least the following variables.
.Bl -column "Second level name" "Type" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It Li CPU_CONSDEV Ta dev_t Ta no
.El
.Sh The net.* subtree
The string and integer information available for the
.Li net
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
The second and third levels are typically the protocol family and
protocol number, though this is not always the case.
.Bl -column "Second level name" "IPsec key management values" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It net.route Ta routing messages Ta no
.It net.inet Ta IPv4 values Ta yes
.It net.inet6 Ta IPv6 values Ta yes
.It net.key Ta IPsec key management values Ta yes
.El
.Pp
.Bl -tag -width "123456"
.It Li net.route ( PF_ROUTE )
.\" XXX really?
Return the entire routing table or a subset of it.
The data is returned as a sequence of routing messages (see
.Xr route 4
for the header file, format and meaning).
The length of each message is contained in the message header.
.Pp
The third level name is a protocol number, which is currently always 0.
The fourth level name is an address family, which may be set to 0 to
select all address families.
The fifth and sixth level names are as follows:
.Bl -column "Fifth level name" "Sixth level is:" -offset indent
.It Sy Fifth level name Ta Sy Sixth level is:
.It NET_RT_FLAGS Ta rtflags
.It NET_RT_DUMP Ta None
.It NET_RT_IFLIST Ta None
.El
.It Li net.inet ( PF_INET )
Get or set various global information about the IPv4
.Pq Internet Protocol version 4 .
The third level name is the protocol.
The fourth level name is the variable name.
The currently defined protocols and names are:
.Bl -column "Protocol name" "sack.globalmaxholes" "integer" "Changeable" -offset 4n
.It Sy Protocol name Ta Sy Variable name Ta Sy Type Ta Sy Changeable
.It arp Ta down Ta integer Ta yes
.It arp Ta keep Ta integer Ta yes
.It arp Ta prune Ta integer Ta yes
.It arp Ta refresh Ta integer Ta yes
.It carp Ta allow Ta integer Ta yes
.It carp Ta preempt Ta integer Ta yes
.It carp Ta log Ta integer Ta yes
.It carp Ta arpbalance Ta integer Ta yes
.It icmp Ta errppslimit Ta integer Ta yes
.It icmp Ta maskrepl Ta integer Ta yes
.It icmp Ta rediraccept Ta integer Ta yes
.It icmp Ta redirtimeout Ta integer Ta yes
.It icmp Ta bmcastecho Ta integer Ta yes
.It ip Ta allowsrcrt Ta integer Ta yes
.It ip Ta anonportmax Ta integer Ta yes
.It ip Ta anonportmin Ta integer Ta yes
.It ip Ta checkinterface Ta integer Ta yes
.It ip Ta directed-broadcast Ta integer Ta yes
.It ip Ta do_loopback_cksum Ta integer Ta yes
.It ip Ta forwarding Ta integer Ta yes
.It ip Ta forwsrcrt Ta integer Ta yes
.It ip Ta gifttl Ta integer Ta yes
.It ip Ta grettl Ta integer Ta yes
.It ip Ta hashsize Ta integer Ta yes
.It ip Ta hostzerobroadcast Ta integer Ta yes
.It ip Ta lowportmin Ta integer Ta yes
.It ip Ta lowportmax Ta integer Ta yes
.It ip Ta maxflows Ta integer Ta yes
.It ip Ta maxfragpackets Ta integer Ta yes
.It ip Ta mtudisc Ta integer Ta yes
.It ip Ta mtudisctimeout Ta integer Ta yes
.It ip Ta random_id Ta integer Ta yes
.It ip Ta redirect Ta integer Ta yes
.It ip Ta subnetsarelocal Ta integer Ta yes
.It ip Ta ttl Ta integer Ta yes
.It tcp Ta rfc1323 Ta integer Ta yes
.It tcp Ta sendspace Ta integer Ta yes
.It tcp Ta recvspace Ta integer Ta yes
.It tcp Ta mssdflt Ta integer Ta yes
.It tcp Ta syn_cache_limit Ta integer Ta yes
.It tcp Ta syn_bucket_limit Ta integer Ta yes
.It tcp Ta syn_cache_interval Ta integer Ta yes
.It tcp Ta init_win Ta integer Ta yes
.It tcp Ta init_win_local Ta integer Ta yes
.It tcp Ta mss_ifmtu Ta integer Ta yes
.It tcp Ta win_scale Ta integer Ta yes
.It tcp Ta timestamps Ta integer Ta yes
.It tcp Ta compat_42 Ta integer Ta yes
.It tcp Ta cwm Ta integer Ta yes
.It tcp Ta cwm_burstsize Ta integer Ta yes
.It tcp Ta ack_on_push Ta integer Ta yes
.It tcp Ta keepidle Ta integer Ta yes
.It tcp Ta keepintvl Ta integer Ta yes
.It tcp Ta keepcnt Ta integer Ta yes
.It tcp Ta slowhz Ta integer Ta no
.It tcp Ta keepinit Ta integer Ta yes
.It tcp Ta log_refused Ta integer Ta yes
.It tcp Ta rstppslimit Ta integer Ta yes
.It tcp Ta ident Ta struct Ta no
.It tcp Ta drop Ta struct Ta no
.It tcp Ta sack.enable Ta integer Ta yes
.It tcp Ta sack.globalholes Ta integer Ta no
.It tcp Ta sack.globalmaxholes Ta integer Ta yes
.It tcp Ta sack.maxholes Ta integer Ta yes
.It tcp Ta ecn.enable Ta integer Ta yes
.It tcp Ta ecn.maxretries Ta integer Ta yes
.It tcp Ta congctl.selected Ta string Ta yes
.It tcp Ta congctl.available Ta string Ta yes
.It tcp Ta abc.enable Ta integer Ta yes
.It tcp Ta abc.aggressive Ta integer Ta yes
.It udp Ta checksum Ta integer Ta yes
.It udp Ta do_loopback_cksum Ta integer Ta yes
.It udp Ta recvspace Ta integer Ta yes
.It udp Ta sendspace Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li arp.down
Failed ARP entry lifetime.
.It Li arp.keep
Valid ARP entry lifetime.
.It Li arp.prune
ARP cache pruning interval.
.It Li arp.refresh
ARP entry refresh interval.
.It Li carp.allow
If set to 0, incoming
.Xr carp 4
packets will not be processed.
If set to any other value, processing will occur.
Enabled by default.
.It Li carp.arpbalance
If set to any value other than 0, the ARP balancing functionality of
.Xr carp 4
is enabled.
When ARP requests are received for an IP address which is part of any virtual
host, carp will hash the source IP in the ARP request to select one of the
virtual hosts from the set of all the virtual hosts which have that IP address.
The master of that host will respond with the correct virtual MAC address.
Disabled by default.
.It Li carp.log
If set to any value other than 0,
.Xr carp 4
will log errors.
Disabled by default.
.It Li carp.preempt
If set to 0,
.Xr carp 4
will not attempt to become master if it is receiving advertisements from
another active master.
If set to any other value, carp will become master of the virtual host if it
believes it can send advertisements more frequently than the current master.
Disabled by default.
.It Li ip.allowsrcrt
If set to 1, the host accepts source routed packets.
.It Li ip.anonportmax
The highest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535, and must
be greater than
.Li ip.anonportmin .
.It Li ip.anonportmin
The lowest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535.
.It Li ip.checkinterface
If set to non-zero, the host will reject packets addressed to it
that arrive on an interface not bound to that address.
Currently, this must be disabled if ipnat is used to translate the
destination address to another local interface, or if addresses
are added to the loopback interface instead of the interface where
the packets for those addresses are received.
.It Li ip.directed-broadcast
If set to 1, enables directed broadcast behavior for the host.
.It Li ip.do_loopback_cksum
Perform IP checksum on loopback.
.It Li ip.forwarding
If set to 1, enables IP forwarding for the host,
meaning that the host is acting as a router.
.It Li ip.forwsrcrt
If set to 1, enables forwarding of source-routed packets for the host.
This value may only be changed if the kernel security level is less than 1.
.It Li ip.gifttl
The maximum time-to-live (hop count) value for an IPv4 packet generated by
.Xr gif 4
tunnel interface.
.It Li ip.grettl
The maximum time-to-live (hop count) value for an IPv4 packet generated by
.Xr gre 4
tunnel interface.
.It Li ip.hashsize
The size of IPv4 Fast Forward hash table.
This value must be a power of 2 (64, 256...).
A larger hash table size results in fewer collisions.
Also see
.Li ip.maxflows .
.It Li ip.hostzerobroadcast
All zeroes address is broadcast address.
.It Li ip.lowportmax
The highest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be greater than
.Li ip.lowportmin .
.It Li ip.lowportmin
The lowest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be smaller than
.Li ip.lowportmax .
.It Li ip.maxflows
IPv4 Fast Forwarding is enabled by default.
If set to 0, IPv4 Fast Forwarding is disabled.
.Li ip.maxflows
controls the maximum amount of flows which can be created.
The default value is 256.
.It Li ip.maxfragpackets
The maximum number of fragmented packets the node will accept.
0 means that the node will not accept any fragmented packets.
\-1 means that the node will accept as many fragmented packets as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip.mtudisc
If set to 1, enables Path MTU Discovery (RFC 1191).
When Path MTU Discovery is enabled, the transmitted TCP segment
size will be determined by the advertised maximum segment size
(MSS) from the remote end, as constrained by the path MTU.
If MTU Discovery is disabled, the transmitted segment size will
never be greater than
.Li tcp.mssdflt
(the local maximum segment size).
.It Li ip.mtudisctimeout
The number of seconds in which a route added by the Path MTU
Discovery engine will time out.
When the route times out, the Path
MTU Discovery engine will attempt to probe a larger path MTU.
.It Li ip.random_id
Assign random ip_id values.
.It Li ip.redirect
If set to 1, ICMP redirects may be sent by the host.
This option is ignored unless the host is routing IP packets,
and should normally be enabled on all systems.
.It Li ip.subnetsarelocal
If set to 1, subnets are to be considered local addresses.
.It Li ip.ttl
The maximum time-to-live (hop count) value for an IP packet sourced by
the system.
This value applies to normal transport protocols, not to ICMP.
.It Li icmp.errppslimit
The variable specifies the maximum number of outgoing ICMP error messages,
per second.
ICMP error messages that exceed the value are subject to rate limitation
and will not go out from the node.
A negative value disables rate limitation.
.It Li icmp.maskrepl
If set to 1, ICMP network mask requests are to be answered.
.It Li icmp.rediraccept
If set to non-zero, the host will accept ICMP redirect packets.
Note that routers will never accept ICMP redirect packets,
and the variable is meaningful on IP hosts only.
.It Li icmp.redirtimeout
The variable specifies lifetime of routing entries generated by incoming
ICMP redirect.
This defaults to 600 seconds.
.It Li icmp.returndatabytes
Number of bytes to return in an ICMP error message.
.It Li icmp.bmcastecho
If set to 1, enables responding to ICMP echo or timestamp request to the
broadcast address.
.It Li tcp.ack_on_push
If set to 1, TCP is to immediately transmit an ACK upon reception of
a packet with PUSH set.
This can avoid losing a round trip time in some rare situations,
but has the caveat of potentially defeating TCP's delayed ACK algorithm.
Use of this option is generally not recommended, but
the variable exists in case your configuration really needs it.
.It Li tcp.compat_42
If set to 1, enables work-arounds for bugs in the 4.2BSD TCP implementation.
Use of this option is not recommended, although it may be
required in order to communicate with extremely old TCP implementations.
.It Li tcp.cwm
If set to 1, enables use of the Hughes/Touch/Heidemann Congestion Window
Monitoring algorithm.
This algorithm prevents line-rate bursts of packets that could
otherwise occur when data begins flowing on an idle TCP connection.
These line-rate bursts can contribute to network and router congestion.
This can be particularly useful on World Wide Web servers
which support HTTP/1.1, which has lingering connections.
.It Li tcp.cwm_burstsize
The Congestion Window Monitoring allowed burst size, in terms
of packet count.
.It Li tcp.delack_ticks
Number of ticks to delay sending an ACK.
.It Li tcp.do_loopback_cksum
Perform TCP checksum on loopback.
.It Li tcp.init_win
A value indicating the TCP initial congestion window.
If this value is 0, an auto-tuning algorithm designed to use an initial
window of approximately 4K bytes is in use.
Otherwise, this value indicates a fixed number of packets.
.It Li tcp.init_win_local
Like
.Li tcp.init_win ,
but used when communicating with hosts on a local network.
.It Li tcp.keepcnt
Number of keepalive probes sent before declaring a connection dead.
If set to zero, there is no limit;
keepalives will be sent until some kind of
response is received from the peer.
.It Li tcp.keepidle
Time a connection must be idle before keepalives are sent (if keepalives
are enabled for the connection).
See also tcp.slowhz.
.It Li tcp.keepintvl
Time after a keepalive probe is sent until, in the absence of any response,
another probe is sent.
See also tcp.slowhz.
.It Li tcp.log_refused
If set to 1, refused TCP connections to the host will be logged.
.It Li tcp.keepinit
Timeout in seconds during connection establishment.
.It Li tcp.mss_ifmtu
If set to 1, TCP calculates the outgoing maximum segment size based on
the MTU of the appropriate interface.
If set to 0, it is calculated based on the greater of the MTU of the
interface, and the largest (non-loopback) interface MTU on the system.
.It Li tcp.mssdflt
The default maximum segment size both advertised to the peer
and to use when either the peer does not advertise a maximum segment size to
us during connection setup or Path MTU Discovery
.Li ( ip.mtudisc )
is disabled.
Do not change this value unless you really know what you are doing.
.It Li tcp.recvspace
The default TCP receive buffer size.
.It Li tcp.rfc1323
If set to 1, enables RFC 1323 extensions to TCP.
.It Li tcp.rstppslimit
The variable specifies the maximum number of outgoing TCP RST packets,
per second.
TCP RST packets that exceed the value are subject to rate limitation
and will not go out from the node.
A negative value disables rate limitation.
.It Li tcp.ident
Return the user ID of a connected socket pair.
(RFC1413 Identification Protocol lookups.)
.It Li tcp.drop
Drop a TCP socket pair connection.
.It Li tcp.sack.enable
If set to 1, enables RFC 2018 Selective ACKnowledgement.
.It Li tcp.sack.globalholes
Global number of TCP SACK holes.
.It Li tcp.sack.globalmaxholes
Global maximum number of TCP SACK holes.
.It Li tcp.sack.maxholes
Maximum number of TCP SACK holes allowed per connection.
.It Li tcp.ecn.enable
If set to 1, enables RFC 3168 Explicit Congestion Notification.
.It Li tcp.ecn.maxretries
Number of times to retry sending the ECN-setup packet.
.It Li tcp.sendspace
The default TCP send buffer size.
.It Li tcp.slowhz
The units for tcp.keepidle and tcp.keepintvl; those variables are in ticks
of a clock that ticks tcp.slowhz times per second.
(That is, their values
must be divided by the tcp.slowhz value to get times in seconds.)
.It Li tcp.syn_bucket_limit
The maximum number of entries allowed per hash bucket in the TCP
compressed state engine.
.It Li tcp.syn_cache_limit
The maximum number of entries allowed in the TCP compressed state
engine.
.It Li tcp.timestamps
If rfc1323 is enabled, a value of 1 indicates RFC 1323 time stamp options,
used for measuring TCP round trip times, are enabled.
.It Li tcp.win_scale
If rfc1323 is enabled, a value of 1 indicates RFC 1323 window scale options,
for increasing the TCP window size, are enabled.
.It Li tcp.congctl.available
The available TCP congestion control algorithms.
.It Li tcp.congctl.selected
The currently selected TCP congestion control algorithm.
.It Li tcp.abc.enable
If set to 1, use RFC 3465 Appropriate Byte Counting (ABC).
If set to 0, use traditional Packet Counting.
.It Li tcp.abc.aggressive
Choose the L parameter found in RFC 3465.
L is the maximum cwnd increase for an ack during slow start.
If set to 1, use L=2*SMSS.
If set to 0, use L=1*SMSS.
It has no effect unless tcp.abc.enable is set to 1.
.It Li udp.checksum
If set to 1, UDP checksums are being computed.
Received non-zero UDP checksums are always checked.
Disabling UDP checksums is strongly discouraged.
.It Li udp.sendspace
The default UDP send buffer size.
.It Li udp.recvspace
The default UDP receive buffer size.
.El
.Pp
For variables net.*.ipsec, please refer to
.Xr ipsec 4 .
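The range limits and usage warnings given above for the net.inet variables can be checked mechanically before a configuration is deployed. The following is an added example, not part of the NetBSD manual or source tree: the function name lint_inet_sysctl and the sample settings are constructed for illustration, and only constraints stated in the descriptions above are checked.

```shell
#!/bin/sh
# Added example (not part of the NetBSD manual): lint "name=value" settings
# for net.inet.* against the limits and warnings stated in the text above.
# Accepts sysctl.conf syntax ("a.b=1") and sysctl(8) output ("a.b = 1").

# lint_inet_sysctl (hypothetical name): reads settings on stdin, prints one
# finding per line, exits 0 when nothing was flagged and 1 otherwise.
lint_inet_sysctl() {
    awk -F= '
    function flag(k, msg) { printf "net.inet.%s: %s\n", k, msg; bad++ }
    function rng(k, lo, hi) {
        if ((k in v) && (v[k] < lo || v[k] > hi))
            flag(k, "must be within " lo ".." hi " (got " v[k] ")")
    }
    function order(kmin, kmax) {
        if ((kmin in v) && (kmax in v) && v[kmax] <= v[kmin])
            flag(kmax, "must be greater than " kmin " (" v[kmax] " <= " v[kmin] ")")
    }
    function pow2(n) {
        if (n < 1) return 0
        while (n % 2 == 0) n /= 2
        return n == 1
    }
    function is_set_to(k, want, msg) { if ((k in v) && v[k] == want) flag(k, msg) }
    function negative(k, msg) { if ((k in v) && v[k] < 0) flag(k, msg) }

    /^[ \t]*#/ { next }                  # comment line
    NF < 2     { next }                  # no "=" on the line
    {
        name = $1; val = $2
        gsub(/[ \t]/, "", name); gsub(/[ \t]/, "", val)
        if (name !~ /^net\.inet\./) next # net.inet6 and others are ignored
        sub(/^net\.inet\./, "", name)
        # Keep integers only and force numeric comparison; string-valued
        # variables such as tcp.congctl.selected are skipped.
        if (val ~ /^-?[0-9]+$/) v[name] = val + 0
    }
    END {
        # Ephemeral ports: 1024..65535, and max must exceed min.
        rng("ip.anonportmin", 1024, 65535)
        rng("ip.anonportmax", 1024, 65535)
        order("ip.anonportmin", "ip.anonportmax")
        # Reserved ports: 0..1024, and max must exceed min.
        rng("ip.lowportmin", 0, 1024)
        rng("ip.lowportmax", 0, 1024)
        order("ip.lowportmin", "ip.lowportmax")
        # The Fast Forward hash table size must be a power of 2.
        if (("ip.hashsize" in v) && !pow2(v["ip.hashsize"]))
            flag("ip.hashsize", "must be a power of 2 (got " v["ip.hashsize"] ")")
        # Settings the text warns about.
        is_set_to("ip.maxfragpackets", -1, "no cap on fragmented packets; the cap exists to avoid DoS")
        negative("icmp.errppslimit", "negative value disables ICMP error rate limitation")
        negative("tcp.rstppslimit", "negative value disables TCP RST rate limitation")
        is_set_to("udp.checksum", 0, "disabling UDP checksums is strongly discouraged")
        is_set_to("tcp.compat_42", 1, "4.2BSD work-arounds are not recommended")
        is_set_to("tcp.ack_on_push", 1, "generally not recommended; may defeat delayed ACK")
        exit (bad > 0)
    }
    '
}

# Constructed sample settings, not taken from a real host.
SAMPLE='# constructed sample
net.inet.ip.anonportmin=49152
net.inet.ip.anonportmax=1000
net.inet.ip.lowportmin=600
net.inet.ip.lowportmax=1023
net.inet.ip.hashsize=96
net.inet.ip.maxfragpackets=-1
net.inet.icmp.errppslimit=100
net.inet.tcp.rstppslimit = -1
net.inet.tcp.compat_42=0
net.inet.udp.checksum=0
net.inet.tcp.congctl.selected=newreno'

if ! printf '%s\n' "$SAMPLE" | lint_inet_sysctl; then
    echo "review the findings listed above" >&2
fi
```

The same function can be fed a candidate configuration file or the output of sysctl net.inet on stdin.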
.It Li net.inet6 ( PF_INET6 )
Get or set various global information about the IPv6
.Pq Internet Protocol version 6 .
The third level name is the protocol.
The fourth level name is the variable name.
The currently defined protocols and names are:
.Bl -column "Protocol name" "do_loopback_cksum" "integer" "Changeable" -offset indent
.It Sy Protocol name Ta Sy Variable name Ta Sy Type Ta Sy Changeable
.It icmp6 Ta errppslimit Ta integer Ta yes
.It icmp6 Ta mtudisc_hiwat Ta integer Ta yes
.It icmp6 Ta mtudisc_lowat Ta integer Ta yes
.It icmp6 Ta nd6_debug Ta integer Ta yes
.It icmp6 Ta nd6_delay Ta integer Ta yes
.It icmp6 Ta nd6_maxnudhint Ta integer Ta yes
.It icmp6 Ta nd6_mmaxtries Ta integer Ta yes
.It icmp6 Ta nd6_prune Ta integer Ta yes
.It icmp6 Ta nd6_umaxtries Ta integer Ta yes
.It icmp6 Ta nd6_useloopback Ta integer Ta yes
.It icmp6 Ta nodeinfo Ta integer Ta yes
.It icmp6 Ta rediraccept Ta integer Ta yes
.It icmp6 Ta redirtimeout Ta integer Ta yes
.It ip6 Ta accept_rtadv Ta integer Ta yes
.It ip6 Ta anonportmax Ta integer Ta yes
.It ip6 Ta anonportmin Ta integer Ta yes
.It ip6 Ta auto_flowlabel Ta integer Ta yes
.It ip6 Ta dad_count Ta integer Ta yes
.It ip6 Ta defmcasthlim Ta integer Ta yes
.It ip6 Ta forwarding Ta integer Ta yes
.It ip6 Ta gifhlim Ta integer Ta yes
.It ip6 Ta hashsize Ta integer Ta yes
.It ip6 Ta hlim Ta integer Ta yes
.It ip6 Ta hdrnestlimit Ta integer Ta yes
.It ip6 Ta kame_version Ta string Ta no
.It ip6 Ta keepfaith Ta integer Ta yes
.It ip6 Ta log_interval Ta integer Ta yes
.It ip6 Ta lowportmax Ta integer Ta yes
.It ip6 Ta lowportmin Ta integer Ta yes
.It ip6 Ta maxflows Ta integer Ta yes
.It ip6 Ta maxfragpackets Ta integer Ta yes
.It ip6 Ta maxfrags Ta integer Ta yes
.It ip6 Ta redirect Ta integer Ta yes
.It ip6 Ta rr_prune Ta integer Ta yes
.It ip6 Ta use_deprecated Ta integer Ta yes
.It ip6 Ta v6only Ta integer Ta yes
.It udp6 Ta do_loopback_cksum Ta integer Ta yes
.It udp6 Ta recvspace Ta integer Ta yes
.It udp6 Ta sendspace Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li ip6.accept_rtadv
If set to non-zero, the node will accept ICMPv6 router
advertisement packets
and autoconfigure address prefixes and default routers.
The node must be a host
.Pq not a router
for the option to be meaningful.
.It Li ip6.anonportmax
The highest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535, and must
be greater than
.Li ip6.anonportmin .
.It Li ip6.anonportmin
The lowest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535.
.It Li ip6.auto_flowlabel
On connected transport protocol packets,
fill IPv6 flowlabel field to help intermediate routers to identify packet flows.
.It Li ip6.dad_count
The variable configures number of IPv6 DAD
.Pq duplicated address detection
probe packets.
The packets will be generated when IPv6 interface addresses are configured.
.It Li ip6.defmcasthlim
The default hop limit value for an IPv6 multicast packet sourced by the node.
This value applies to all the transport protocols on top of IPv6.
There are APIs to override the value, as documented in
.Xr ip6 4 .
.It Li ip6.forwarding
If set to 1, enables IPv6 forwarding for the node,
meaning that the node is acting as a router.
If set to 0, disables IPv6 forwarding for the node,
meaning that the node is acting as a host.
IPv6 specification defines node behavior for
.Dq router
case and
.Dq host
case quite differently, and changing this variable during operation
may cause serious trouble.
It is recommended to configure the variable at bootstrap time,
and bootstrap time only.
.It Li ip6.gifhlim
The maximum hop limit value for an IPv6 packet generated by
.Xr gif 4
tunnel interface.
.It Li ip6.hdrnestlimit
The number of IPv6 extension headers permitted on incoming IPv6 packets.
If set to 0, the node will accept as many extension headers as possible.
.It Li ip6.hashsize
The size of IPv6 Fast Forward hash table.
This value must be a power of 2 (64, 256...).
A larger hash table size results in fewer collisions.
Also see
.Li ip6.maxflows .
.It Li ip6.hlim
The default hop limit value for an IPv6 unicast packet sourced by the node.
This value applies to all the transport protocols on top of IPv6.
There are APIs to override the value, as documented in
.Xr ip6 4 .
.It Li ip6.kame_version
The string identifies the version of KAME IPv6 stack implemented in the kernel.
.It Li ip6.keepfaith
If set to non-zero, it enables
.Dq FAITH
TCP relay IPv6-to-IPv4 translator code in the kernel.
Refer to
.Xr faith 4
and
.Xr faithd 8
for details.
.It Li ip6.log_interval
The variable controls amount of logs generated by IPv6 packet
forwarding engine, by setting interval between log output
.Pq in seconds .
.It Li ip6.lowportmax
The highest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be greater than
.Li ip6.lowportmin .
.It Li ip6.lowportmin
The lowest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be smaller than
.Li ip6.lowportmax .
.It Li ip6.maxflows
IPv6 Fast Forwarding is enabled by default.
If set to 0, IPv6 Fast Forwarding is disabled.
.Li ip6.maxflows
controls the maximum amount of flows which can be created.
The default value is 256.
.It Li ip6.maxfragpackets
The maximum number of fragmented packets the node will accept.
0 means that the node will not accept any fragmented packets.
\-1 means that the node will accept as many fragmented packets as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip6.maxfrags
The maximum number of fragments the node will accept.
0 means that the node will not accept any fragments.
\-1 means that the node will accept as many fragments as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip6.redirect
If set to 1, ICMPv6 redirects may be sent by the node.
This option is ignored unless the node is routing IP packets,
and should normally be enabled on all systems.
.It Li ip6.rr_prune
The variable specifies interval between IPv6 router renumbering prefix
babysitting, in seconds.
.It Li ip6.use_deprecated
The variable controls use of deprecated address, specified in RFC 2462 5.5.4.
.It Li ip6.v6only
The variable specifies initial value for
.Dv IPV6_V6ONLY
socket option for
.Dv AF_INET6
socket.
Please refer to
.Xr ip6 4
for detail.
.It Li icmp6.errppslimit
The variable specifies the maximum number of outgoing ICMPv6 error messages,
per second.
ICMPv6 error messages that exceed the value are subject to rate limitation
and will not go out from the node.
A negative value disables rate limitation.
.It Li icmp6.mtudisc_hiwat
.It Li icmp6.mtudisc_lowat
The variables define the maximum number of routing table entries,
created due to path MTU discovery
.Pq prevents denial-of-service attacks with ICMPv6 too big messages .
When IPv6 path MTU discovery happens, we keep path MTU information in
the routing table.
If the number of routing table entries exceeds the value,
the kernel will not attempt to keep the path MTU information.
.Li icmp6.mtudisc_hiwat
is used when we have verified ICMPv6 too big messages.
.Li icmp6.mtudisc_lowat
is used when we have unverified ICMPv6 too big messages.
Verification is performed by using address/port pairs kept in connected pcbs.
A negative value disables the upper limit.
.It Li icmp6.nd6_debug
If set to non-zero, kernel IPv6 neighbor discovery code will generate
debugging messages.
The debug outputs are useful to diagnose IPv6 interoperability issues.
The flag must be set to 0 for normal operation.
.It Li icmp6.nd6_delay
The variable specifies
.Dv DELAY_FIRST_PROBE_TIME
timing constant in IPv6 neighbor discovery specification
.Pq RFC 2461 ,
in seconds.
.It Li icmp6.nd6_maxnudhint
IPv6 neighbor discovery permits upper layer protocols to supply reachability
hints, to avoid unnecessary neighbor discovery exchanges.
The variable defines the number of consecutive hints the neighbor discovery
layer will take.
For example, by setting the variable to 3, neighbor discovery layer
will take at most 3 consecutive hints.
After receiving 3 hints, neighbor discovery layer will perform
normal neighbor discovery process.
.It Li icmp6.nd6_mmaxtries
The variable specifies
.Dv MAX_MULTICAST_SOLICIT
constant in IPv6 neighbor discovery specification
.Pq RFC 2461 .
.It Li icmp6.nd6_prune
The variable specifies interval between IPv6 neighbor cache babysitting,
in seconds.
.It Li icmp6.nd6_umaxtries
The variable specifies
.Dv MAX_UNICAST_SOLICIT
constant in IPv6 neighbor discovery specification
.Pq RFC 2461 .
.It Li icmp6.nd6_useloopback
If set to non-zero, kernel IPv6 stack will use loopback interface for
local traffic.
.It Li icmp6.nodeinfo
The variable enables responses to ICMPv6 node information queries.
If you set the variable to 0, responses will not be generated for
ICMPv6 node information queries.
Since node information queries can have a security impact, it is
possible to fine tune which responses should be answered.
Two separate bits can be set.
.Bl -tag -width "12345"
.It 1
Respond to ICMPv6 FQDN queries, e.g.
.Li ping6 -w .
.It 2
Respond to ICMPv6 node addresses queries, e.g.
.Li ping6 -a .
.El
.It Li icmp6.rediraccept
If set to non-zero, the host will accept ICMPv6 redirect packets.
Note that IPv6 routers will never accept ICMPv6 redirect packets,
and the variable is meaningful on IPv6 hosts
.Pq non-router
only.
.It Li icmp6.redirtimeout
The variable specifies lifetime of routing entries generated by incoming
ICMPv6 redirect.
.It Li udp6.do_loopback_cksum
Perform UDP checksum on loopback.
.It Li udp6.recvspace
Default UDP receive buffer size.
.It Li udp6.sendspace
Default UDP send buffer size.
.El
.Pp
We reuse net.*.tcp for
.Tn TCP
over
.Tn IPv6 ,
and therefore we do not have variables net.*.tcp6.
Variables net.inet6.udp6 have identical meaning to net.inet.udp.
Please refer to
.Li PF_INET
section above.
For variables net.*.ipsec6, please refer to
.Xr ipsec 4 .
.It Li net.key ( PF_KEY )
Get or set various global information about the IPsec key management.
The third level name is the variable name.
The currently defined variable and names are:
.Bl -column "blockacq_lifetime" "integer" "Changeable" -offset indent
.It Sy Variable name Ta Sy Type Ta Sy Changeable
.It debug Ta integer Ta yes
.It spi_try Ta integer Ta yes
.It spi_min_value Ta integer Ta yes
.It spi_max_value Ta integer Ta yes
.It larval_lifetime Ta integer Ta yes
.It blockacq_count Ta integer Ta yes
.It blockacq_lifetime Ta integer Ta yes
.It esp_keymin Ta integer Ta yes
.It esp_auth Ta integer Ta yes
.It ah_keymin Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li debug
Turn on debugging message from within the kernel.
The value is a bitmap, as defined in
.Pa /usr/include/netkey/key_debug.h .
.It Li spi_try
The number of times the kernel will try to obtain a unique SPI
when it generates it from random number generator.
.It Li spi_min_value
Minimum SPI value when generating it within the kernel.
.It Li spi_max_value
Maximum SPI value when generating it within the kernel.
.It Li larval_lifetime
Lifetime for LARVAL SAD entries, in seconds.
.It Li blockacq_count
Number of ACQUIRE PF_KEY messages to be blocked after an ACQUIRE message.
It avoids flood of ACQUIRE PF_KEY from being sent from the kernel to the
key management daemon.
.It Li blockacq_lifetime
Lifetime of ACQUIRE PF_KEY message.
.It Li esp_keymin
Minimum ESP key length, in bits.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.It Li esp_auth
Whether ESP authentication should be used or not.
Non-zero value indicates that ESP authentication should be used.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.It Li ah_keymin
Minimum AH key length, in bits.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.El
.El
.Sh The proc.* subtree
The string and integer information available for the
.Li proc
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
These values are per-process,
and as such may change from one process to another.
When a process is created,
the default values are inherited from its parent.
When a set-user-ID or set-group-ID binary is executed, the
value of PROC_PID_CORENAME is reset to the system default value.
The second level name is either the magic value PROC_CURPROC, which
points to the current process, or the PID of the target process.
.Bl -column "proc.pid.corename" "string" "not applicable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It proc.pid.corename Ta string Ta yes
.It proc.pid.rlimit Ta node Ta not applicable
.It proc.pid.stopfork Ta int Ta yes
.It proc.pid.stopexec Ta int Ta yes
.It proc.pid.stopexit Ta int Ta yes
.El
.Bl -tag -width "123456"
.It Li proc.pid.corename ( PROC_PID_CORENAME )
The template used for the core dump file name (see
.Xr core 5
for details).
The base name must either be
.Nm core
or end with the suffix ``.core'' (the super-user may set arbitrary names).
By default it points to KERN_DEFCORENAME.
.It Li proc.pid.rlimit ( PROC_PID_LIMIT )
Return resource limits, as defined for the
.Xr getrlimit 2
and
.Xr setrlimit 2
system calls.
The fourth level name is one of:
.Bl -tag -width PROC_PID_LIMIT_MEMLOCKAA
.It Li proc.pid.rlimit.cputime ( PROC_PID_LIMIT_CPU )
The maximum amount of CPU time (in seconds) to be used by each process.
.It Li proc.pid.rlimit.filesize ( PROC_PID_LIMIT_FSIZE )
The largest size (in bytes) file that may be created.
.It Li proc.pid.rlimit.datasize ( PROC_PID_LIMIT_DATA )
The maximum size (in bytes) of the data segment for a process;
this defines how far a program may extend its break with the
.Xr sbrk 2
system call.
.It Li proc.pid.rlimit.stacksize ( PROC_PID_LIMIT_STACK )
The maximum size (in bytes) of the stack segment for a process;
this defines how far a program's stack segment may be extended.
Stack extension is performed automatically by the system.
.It Li proc.pid.rlimit.coredumpsize ( PROC_PID_LIMIT_CORE )
The largest size (in bytes)
.Pa core
file that may be created.
.It Li proc.pid.rlimit.memoryuse ( PROC_PID_LIMIT_RSS )
The maximum size (in bytes) to which a process's resident set size may
grow.
This imposes a limit on the amount of physical memory to be given to
a process; if memory is tight, the system will prefer to take memory
from processes that are exceeding their declared resident set size.
.It Li proc.pid.rlimit.memorylocked ( PROC_PID_LIMIT_MEMLOCK )
The maximum size (in bytes) which a process may lock into memory
using the
.Xr mlock 2
function.
.It Li proc.pid.rlimit.maxproc ( PROC_PID_LIMIT_NPROC )
The maximum number of simultaneous processes for this user id.
.It Li proc.pid.rlimit.descriptors ( PROC_PID_LIMIT_NOFILE )
The maximum number of open files for this process.
.It Li proc.pid.rlimit.sbsize ( PROC_PID_LIMIT_SBSIZE )
The maximum size (in bytes) of the socket buffers
set by the
.Xr setsockopt 2
.Dv SO_RCVBUF
and
.Dv SO_SNDBUF
options.
.El
.Pp
The fifth level name is one of
.Li soft ( PROC_PID_LIMIT_TYPE_SOFT ) or
.Li hard ( PROC_PID_LIMIT_TYPE_HARD ) ,
to select respectively the soft or hard limit.
Both are of type integer.
.It Li proc.pid.stopfork ( PROC_PID_STOPFORK )
If non-zero, the process's children will be stopped after
.Xr fork 2
calls.
Each child is created in the SSTOP state and is never scheduled
for running before being stopped.
This feature helps attaching a debugger such as
.Xr gdb 1
to a process before it has had the opportunity to actually do anything.
.Pp
This value is inherited by the process's children, and it also
applies to emulation-specific system calls that fork a new process, such as
.Fn sproc
or
.Fn clone .
.It Li proc.pid.stopexec ( PROC_PID_STOPEXEC )
If non-zero, the process will be stopped on the next
.Xr exec 3
call.
The process created by
.Xr exec 3
is created in the SSTOP state and is never scheduled for running
before being stopped.
This feature helps attaching a debugger such as
.Xr gdb 1
to a process before it has had the opportunity to actually do anything.
.Pp
This value is inherited by the process's children.
.It Li proc.pid.stopexit ( PROC_PID_STOPEXIT )
If non-zero, the process will be stopped when it has cause to exit,
either by way of calling
.Xr exit 3 ,
.Xr _exit 2 ,
or by the receipt of a specific signal.
The process is stopped before any of its resources or vm space is
released, allowing examination of the termination state of a process
before it disappears.
This feature can be used to examine the final conditions of the
process's vmspace via
.Xr pmap 1
or its resource settings with
.Xr sysctl 8
before it disappears.
.Pp
This value is also inherited by the process's children.
.El
.Sh The user.* subtree ( CTL_USER )
The string and integer information available for the
.Li user
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "user.coll_weights_max" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It user.atexit_max Ta integer Ta no
.It user.bc_base_max Ta integer Ta no
.It user.bc_dim_max Ta integer Ta no
.It user.bc_scale_max Ta integer Ta no
.It user.bc_string_max Ta integer Ta no
.It user.coll_weights_max Ta integer Ta no
.It user.cs_path Ta string Ta no
.It user.expr_nest_max Ta integer Ta no
.It user.line_max Ta integer Ta no
.It user.posix2_c_bind Ta integer Ta no
.It user.posix2_c_dev Ta integer Ta no
.It user.posix2_char_term Ta integer Ta no
.It user.posix2_fort_dev Ta integer Ta no
.It user.posix2_fort_run Ta integer Ta no
.It user.posix2_localedef Ta integer Ta no
.It user.posix2_sw_dev Ta integer Ta no
.It user.posix2_upe Ta integer Ta no
.It user.posix2_version Ta integer Ta no
.It user.re_dup_max Ta integer Ta no
.It user.stream_max Ta integer Ta no
.It user.tzname_max Ta integer Ta no
.El
.Bl -tag -width "123456"
.It Li user.atexit_max ( USER_ATEXIT_MAX )
The maximum number of functions that may be registered with
.Xr atexit 3 .
.It Li user.bc_base_max ( USER_BC_BASE_MAX )
The maximum ibase/obase values in the
.Xr bc 1
utility.
.It Li user.bc_dim_max ( USER_BC_DIM_MAX )
The maximum array size in the
.Xr bc 1
utility.
.It Li user.bc_scale_max ( USER_BC_SCALE_MAX )
The maximum scale value in the
.Xr bc 1
utility.
.It Li user.bc_string_max ( USER_BC_STRING_MAX )
The maximum string length in the
.Xr bc 1
utility.
.It Li user.coll_weights_max ( USER_COLL_WEIGHTS_MAX )
The maximum number of weights that can be assigned to any entry of
the LC_COLLATE order keyword in the locale definition file.
.It Li user.cs_path ( USER_CS_PATH )
Return a value for the
.Ev PATH
environment variable that finds all the standard utilities.
.It Li user.expr_nest_max ( USER_EXPR_NEST_MAX )
The maximum number of expressions that can be nested within
parentheses by the
.Xr expr 1
utility.
.It Li user.line_max ( USER_LINE_MAX )
The maximum length in bytes of a text-processing utility's input
line.
.It Li user.posix2_char_term ( USER_POSIX2_CHAR_TERM )
Return 1 if the system supports at least one terminal type capable of
all operations described in POSIX 1003.2, otherwise 0.
.It Li user.posix2_c_bind ( USER_POSIX2_C_BIND )
Return 1 if the system's C-language development facilities support the
C-Language Bindings Option, otherwise 0.
.It Li user.posix2_c_dev ( USER_POSIX2_C_DEV )
Return 1 if the system supports the C-Language Development Utilities Option,
otherwise 0.
.It Li user.posix2_fort_dev ( USER_POSIX2_FORT_DEV )
Return 1 if the system supports the FORTRAN Development Utilities Option,
otherwise 0.
.It Li user.posix2_fort_run ( USER_POSIX2_FORT_RUN )
Return 1 if the system supports the FORTRAN Runtime Utilities Option,
otherwise 0.
.It Li user.posix2_localedef ( USER_POSIX2_LOCALEDEF )
Return 1 if the system supports the creation of locales, otherwise 0.
.It Li user.posix2_sw_dev ( USER_POSIX2_SW_DEV )
Return 1 if the system supports the Software Development Utilities Option,
otherwise 0.
.It Li user.posix2_upe ( USER_POSIX2_UPE )
Return 1 if the system supports the User Portability Utilities Option,
otherwise 0.
.It Li user.posix2_version ( USER_POSIX2_VERSION )
The version of POSIX 1003.2 with which the system attempts to comply.
.It Li user.re_dup_max ( USER_RE_DUP_MAX )
The maximum number of repeated occurrences of a regular expression
permitted when using interval notation.
.It Li user.stream_max ( USER_STREAM_MAX )
The minimum maximum number of streams that a process may have open
at any one time.
.It Li user.tzname_max ( USER_TZNAME_MAX )
The minimum maximum number of types supported for the name of a
timezone.
.El
.Sh The vm.* subtree ( CTL_VM )
The string and integer information available for the
.Li vm
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "Second level name" "struct uvmexp_sysctl" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It vm.anonmax Ta int Ta yes
.It vm.anonmin Ta int Ta yes
.It vm.bufcache Ta int Ta yes
.It vm.bufmem Ta int Ta no
.It vm.bufmem_hiwater Ta int Ta yes
.It vm.bufmem_lowater Ta int Ta yes
.It vm.execmax Ta int Ta yes
.It vm.execmin Ta int Ta yes
.It vm.filemax Ta int Ta yes
.It vm.filemin Ta int Ta yes
.It vm.loadavg Ta struct loadavg Ta no
.It vm.maxslp Ta int Ta no
.It vm.nkmempages Ta int Ta no
.It vm.uspace Ta int Ta no
.It vm.uvmexp Ta struct uvmexp Ta no
.It vm.uvmexp2 Ta struct uvmexp_sysctl Ta no
.It vm.vmmeter Ta struct vmtotal Ta no
.El
.Pp
.Bl -tag -width "123456"
.It Li vm.anonmax ( VM_ANONMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store anonymous application data.
.It Li vm.anonmin ( VM_ANONMIN )
The percentage of physical memory which will always be available for
anonymous application data.
.It Li vm.bufcache ( VM_BUFCACHE )
The percentage of physical memory which will be available
for the buffer cache.
.It Li vm.bufmem ( VM_BUFMEM )
The amount of kernel memory that is being used by the buffer cache.
.It Li vm.bufmem_lowater ( VM_BUFMEM_LOWATER )
The minimum amount of kernel memory to reserve for the
buffer cache.
.It Li vm.bufmem_hiwater ( VM_BUFMEM_HIWATER )
The maximum amount of kernel memory to be used for the
buffer cache.
.It Li vm.execmax ( VM_EXECMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store cached executable data.
.It Li vm.execmin ( VM_EXECMIN )
The percentage of physical memory which will always be available for
cached executable data.
.It Li vm.filemax ( VM_FILEMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store cached file data.
.It Li vm.filemin ( VM_FILEMIN )
The percentage of physical memory which will always be available for
cached file data.
.It Li vm.loadavg ( VM_LOADAVG )
Return the load average history.
The returned data consists of a
.Va struct loadavg .
.It Li vm.maxslp ( VM_MAXSLP )
The value of the maxslp kernel global variable.
.It Li vm.vmmeter ( VM_METER )
Return system-wide virtual memory statistics.
The returned data consists of a
.Va struct vmtotal .
.It Li vm.uspace ( VM_USPACE )
The number of bytes allocated for each kernel stack.
.It Li vm.uvmexp ( VM_UVMEXP )
Return system-wide virtual memory statistics.
The returned data consists of a
.Va struct uvmexp .
.It Li vm.uvmexp2 ( VM_UVMEXP2 )
Return system-wide virtual memory statistics.
The returned data consists of a
.Va struct uvmexp_sysctl .
.\" XXX vm.idlezero
.El
.Sh The ddb.* subtree ( CTL_DDB )
The integer information available for the
.Li ddb
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.\" XXX sort
.Bl -column "Second level name" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It ddb.radix Ta integer Ta yes
.It ddb.maxoff Ta integer Ta yes
.It ddb.lines Ta integer Ta yes
.It ddb.tabstops Ta integer Ta yes
.It ddb.onpanic Ta integer Ta yes
.It ddb.fromconsole Ta integer Ta yes
.El
.Pp
.Bl -tag -width "123456"
.It Li ddb.radix ( DBCTL_RADIX )
The input and output radix.
.It Li ddb.maxoff ( DBCTL_MAXOFF )
The maximum symbol offset.
.It Li ddb.lines ( DBCTL_LINES )
Number of display lines.
.It Li ddb.tabstops ( DBCTL_TABSTOPS )
Tab width.
.It Li ddb.onpanic ( DBCTL_ONPANIC )
If non-zero, DDB will be entered if the kernel panics.
.It Li ddb.fromconsole ( DBCTL_FROMCONSOLE )
If non-zero, DDB may be entered by sending a break on a serial
console or by a special key sequence on a graphics console.
.\" XXX tee_msgbuf maxwidth commandonenter
.El
.Pp
These MIB nodes are also available as variables from within DDB.
See
.Xr ddb 4
for more details.
.Sh The security.* subtree ( CTL_SECURITY )
The
.Li security
level contains various security-related settings for
the system.
Available settings are detailed below.
.Pp
.Bl -tag -width "123456"
.It Li security.curtain
If non-zero, returned objects are filtered according to the user ID
requesting information about them, preventing users from accessing
objects they do not own.
.Pp
At the moment, it affects
.Xr ps 1 ,
.Xr netstat 1
(for
.Dv PF_INET ,
.Dv PF_INET6 ,
and
.Dv PF_UNIX
PCBs), and
.Xr w 1 .
.It Li security.models
.Nx
supports pluggable security models.
Every security model used, whether loaded as a module or built with the system,
is required to add an entry to this node with at least one element,
.Dq name ,
indicating the name of the security model.
.Pp
In addition to the name, any settings and other information private to the
security model will be available under this node.
See
.Xr secmodel 9
for more information.
.It Li security.pax
Settings for PaX -- exploit mitigation features.
For more information on any of the PaX features, please see
.Xr paxctl 8
and
.Xr security 8 .
.Pp
.Bl -tag -width "123456"
.It Li security.pax.aslr.enable
Enable PaX ASLR (Address Space Layout Randomization).
.Pp
The value of this
knob must be non-zero for PaX ASLR to be enabled, even if a program is set to
explicit enable.
.It Li security.pax.aslr.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get PaX ASLR, except those exempted with
.Xr paxctl 8 .
Otherwise, no program will get PaX ASLR, except those specifically
marked as such with
.Xr paxctl 8 .
.It Li security.pax.mprotect.enable
Enable PaX MPROTECT restrictions.
.Pp
These are
.Xr mprotect 2
restrictions to better enforce a W^X policy.
The value of this
knob must be non-zero for PaX MPROTECT to be enabled, even if a
program is set to explicit enable.
.It Li security.pax.mprotect.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get the PaX MPROTECT restrictions,
except those exempted with
.Xr paxctl 8 .
Otherwise, no program will get the PaX MPROTECT restrictions,
except those specifically marked as such with
.Xr paxctl 8 .
.It Li security.pax.segvguard.enable
Enable PaX Segvguard.
.Pp
PaX Segvguard can detect and prevent certain exploitation attempts, where
an attacker may try for example to brute-force function return addresses
of respawning daemons.
.Pp
.Em Note :
The
.Nx
interface and implementation of the Segvguard is still experimental, and may
change in future releases.
.It Li security.pax.segvguard.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get the PaX Segvguard,
except those exempted with
.Xr paxctl 8 .
Otherwise, no program will get the PaX Segvguard restrictions,
except those specifically marked as such with
.Xr paxctl 8 .
.It Li security.pax.segvguard.expiry_timeout
If the maximum number was not reached within this timeout (in seconds), the entry
will expire.
.It Li security.pax.segvguard.suspend_timeout
Number of seconds to suspend a user from running a faulting program when the
limit was exceeded.
.It Li security.pax.segvguard.max_crashes
Maximum number of segfaults a program can receive before suspension.
.El
.El
.Sh The vendor.* subtree ( CTL_VENDOR )
The
.Li vendor
top-level name is reserved to be used by vendors who wish to
have their own private MIB tree.
The intended use is to store values under
.Dq vendor.\*[Lt]yourname\*[Gt].* .
.Sh SEE ALSO
.Xr sysctl 3 ,
.Xr ipsec 4 ,
.Xr tcp 4 ,
.Xr security 8 ,
.Xr sysctl 8
.Sh HISTORY
The
.Nm
variables first appeared in
.Bx 4.4 .
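.Sh EXAMPLES
The following script is an added example, not part of the original manual page or of
.Nx
itself; it shows how the
.Li security.pax.*.enable
and
.Li security.pax.*.global
knobs described above combine with a program's
.Xr paxctl 8
marking.
The sample configuration is constructed, and treating an unset knob as 0 as well as the flag labels
.Dq enable ,
.Dq disable
and
.Dq none
are assumptions of the example.

```shell
#!/bin/sh
# Added example: resolve the security.pax.* policy for one program.
# Input is sysctl.conf-style "name=value" text; the kernel is never queried.

# Constructed sample configuration, not taken from a real host.
SAMPLE_CONF='# constructed sample
security.pax.aslr.enable=1
security.pax.aslr.global=1
security.pax.mprotect.enable=1
security.pax.mprotect.global=0
security.pax.segvguard.enable=0
security.pax.segvguard.global=1'

# conf_get CONF NAME: print the last value assigned to NAME.
# Comments and blanks are dropped before matching.
# Assumption of this example: an unset knob counts as 0.
conf_get() {
    printf '%s\n' "$1" | awk -F= -v k="$2" '
        { sub(/#.*/, ""); gsub(/[ \t]/, "") }
        $1 == k { v = $2 }
        END { print (v == "" ? 0 : v) }'
}

# pax_effective CONF FEATURE FLAG: print "on" or "off".
#   FEATURE: aslr | mprotect | segvguard
#   FLAG:    the program's paxctl marking, modelled with the hypothetical
#            labels "enable", "disable" and "none"
pax_effective() {
    enable=$(conf_get "$1" "security.pax.$2.enable")
    global=$(conf_get "$1" "security.pax.$2.global")
    # The enable knob is the master switch: zero wins over explicit enable.
    [ "$enable" -ne 0 ] || { echo off; return; }
    case $3 in
        enable)  echo on ;;     # specifically marked with paxctl
        disable) echo off ;;    # exempted with paxctl
        *)  # No explicit flag: the global knob selects the default.
            if [ "$global" -ne 0 ]; then echo on; else echo off; fi ;;
    esac
}

# pax_report CONF: one "feature flag state" line per combination.
pax_report() {
    for feature in aslr mprotect segvguard; do
        for flag in none enable disable; do
            echo "$feature $flag $(pax_effective "$1" "$feature" "$flag")"
        done
    done
}

pax_report "$SAMPLE_CONF"
```

With the sample values, unmarked programs get ASLR but not MPROTECT, and Segvguard stays off even for a program marked explicit enable because its enable knob is 0.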