.\" $NetBSD: sysctl.7,v 1.24 2009/09/11 19:43:26 wiz Exp $
.\"
.\" Copyright (c) 1993
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95
.\"
.Dd September 11, 2009
.Dt SYSCTL 7
.Os
.Sh NAME
.Nm sysctl
.Nd system information variables
.Sh DESCRIPTION
The
.Xr sysctl 3
library function and the
.Xr sysctl 8
utility are used to get and set values of system variables, maintained
by the kernel.
The variables are organized in a tree and identified by a sequence of
numbers, conventionally separated by dots with the topmost identifier
at the left side.
The numbers have corresponding text names.
The
.Xr sysctlnametomib 3
function or the
.Fl M
argument to the
.Xr sysctl 8
utility can be used to convert the text representation to the
numeric one.
.Pp
The individual sysctl variables are described below, both the textual
and numeric form where applicable.
The textual names can be used as arguments to the
.Xr sysctl 8
utility and in the file
.Pa /etc/sysctl.conf .
The numeric names are usually defined as preprocessor constants and
are intended for use by programs.
Every such constant expands to one integer, which identifies the
sysctl variable relative to the upper level of the tree.
See the
.Xr sysctl 3
manual page for programming examples.
.Sh Top level names
The top level names are defined with a CTL_ prefix in
.Aq Pa sys/sysctl.h ,
and are as follows.
The next and subsequent levels down are found in the include files
listed here, and described in separate sections below.
.Bl -column security CTL_SECURITY "Next level names" "High kernel limits"
.It Sy Name Ta Sy Constant Ta Sy Next level names Ta Sy Description
.It kern Ta CTL_KERN Ta sys/sysctl.h Ta High kernel limits
.It vm Ta CTL_VM Ta uvm/uvm_param.h Ta Virtual memory
.It vfs Ta CTL_VFS Ta sys/mount.h Ta Filesystem
.It net Ta CTL_NET Ta sys/socket.h Ta Networking
.It debug Ta CTL_DEBUG Ta sys/sysctl.h Ta Debugging
.It hw Ta CTL_HW Ta sys/sysctl.h Ta Generic CPU, I/O
.It machdep Ta CTL_MACHDEP Ta sys/sysctl.h Ta Machine dependent
.It user Ta CTL_USER Ta sys/sysctl.h Ta User-level
.It ddb Ta CTL_DDB Ta sys/sysctl.h Ta In-kernel debugger
.It proc Ta CTL_PROC Ta sys/sysctl.h Ta Per-process
.It vendor Ta CTL_VENDOR Ta ? Ta Vendor specific
.It emul Ta CTL_EMUL Ta sys/sysctl.h Ta Emulation settings
.It security Ta CTL_SECURITY Ta sys/sysctl.h Ta Security settings
.El
.Sh The debug.* subtree
The debugging variables vary from system to system.
A debugging variable may be added or deleted without need to recompile
.Nm
to know about it.
Each time it runs,
.Nm
gets the list of debugging variables from the kernel and
displays their current values.
The system defines twenty
.Va ( struct ctldebug )
variables named
.Dv debug0
through
.Dv debug19 .
They are declared as separate variables so that they can be
individually initialized at the location of their associated variable.
The loader prevents multiple use of the same variable by issuing errors
if a variable is initialized in more than one place.
For example, to export the variable
.Dv dospecialcheck
as a debugging variable, the following declaration would be used:
.Bd -literal -offset indent -compact
int dospecialcheck = 1;
struct ctldebug debug5 = { "dospecialcheck", \*[Am]dospecialcheck };
.Ed
.Pp
Note that the dynamic implementation of
.Nm
currently in use largely makes this particular
.Nm
interface obsolete.
See
.Xr sysctl 8
.\" and
.\" .Xr sysctl 9
for more information.
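.Pp
The following is an added example, not part of the NetBSD manual page: a Python audit of sysctl.conf-style text against facts this page states for kern.securelevel (raise only), the kern.coredump.setid.* node and the Changeable columns of the hw.* and kern.* tables.
The file syntax (name=value, # comments), the C-style integer parsing, and the owner-only mode and absolute-path policy are assumptions.

```python
# Added example (not from the manual page): audit sysctl.conf-style text
# against facts stated in sysctl(7).
# Assumed file syntax: one "name=value" per line, "#" starts a comment.

# Subset of variables the hw.* and kern.* tables list as Changeable "no".
NOT_CHANGEABLE = {
    "hw.machine", "hw.ncpu", "hw.pagesize", "hw.physmem",
    "kern.argmax", "kern.boottime", "kern.osrelease", "kern.ostype",
    "kern.version",
}
SETID = "kern.coredump.setid."

# Constructed sample, not taken from a real host.
SAMPLE = """\
# constructed sample
kern.securelevel=1
kern.coredump.setid.dump=1
kern.coredump.setid.mode=0644
kern.coredump.setid.path=%n.core
kern.osrelease=9.9   # the table lists this as not changeable
kern.securelevel=0
net.inet.ip.forwarding=0
"""


def parse_conf(text):
    """Return [(lineno, name, value)]; value is None when '=' is missing."""
    out = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, value = line.partition("=")
        out.append((lineno, name.strip(), value.strip() if sep else None))
    return out


def parse_int(value):
    """Parse an integer as C strtol(..., 0) would (assumed convention)."""
    v = value.lower()
    if v.startswith("0x"):
        return int(v, 16)
    if len(v) > 1 and v.startswith("0"):
        return int(v, 8)
    return int(v, 10)


def check_setid(setid):
    """Findings for the kern.coredump.setid.* node, given its final values."""
    lineno, value = setid.get("dump", (0, "0"))
    try:
        if parse_int(value) == 0:
            return []  # page default: set-id processes do not dump core
    except ValueError:
        return [(lineno, SETID + "dump", "value is not an integer")]
    found = [(lineno, SETID + "dump", "set-id processes will dump core")]
    mline, mode = setid.get("mode", (lineno, None))
    try:
        if mode is None:
            found.append((mline, SETID + "mode", "dump enabled, mode not set"))
        elif parse_int(mode) & 0o077:
            # Policy assumed here: core files readable by the owner only.
            found.append((mline, SETID + "mode", "group/other bits set"))
    except ValueError:
        found.append((mline, SETID + "mode", "value is not an integer"))
    pline, path = setid.get("path", (lineno, None))
    if path is None or not path.startswith("/"):
        # Policy assumed here: dumps go to one absolute, controlled location.
        found.append((pline, SETID + "path", "path is not absolute"))
    return found


def audit(text):
    """Return [(lineno, variable, message)] for every problem found."""
    findings, level, setid = [], None, {}
    for lineno, name, value in parse_conf(text):
        if value is None:
            findings.append((lineno, name, "not a name=value assignment"))
        elif name in NOT_CHANGEABLE:
            findings.append((lineno, name, "listed as not changeable"))
        elif name == "kern.securelevel":
            try:
                new = parse_int(value)
            except ValueError:
                findings.append((lineno, name, "value is not an integer"))
                continue
            if level is not None and new < level:
                # The kern.* table marks this variable "raise only".
                findings.append((lineno, name, f"lowers {level} to {new}"))
            level = new if level is None else max(level, new)
        elif name.startswith(SETID):
            setid[name[len(SETID):]] = (lineno, value)
    return findings + check_setid(setid)


if __name__ == "__main__":
    for lineno, name, message in audit(SAMPLE):
        print(f"line {lineno}: {name}: {message}")
```

Findings for the kern.coredump.setid.* node are computed from the last value assigned to each variable and are reported after the per-line findings.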
.Sh The vfs.* subtree
A distinguished second level name,
.Li vfs.generic ( VFS_GENERIC ) ,
is used to get general information about all filesystems.
One of its third level identifiers is
.Li vfs.generic.maxtypenum ( VFS_MAXTYPENUM )
that gives the highest valid filesystem type number.
Its other third level identifier is
.Li vfs.generic.conf ( VFS_CONF )
that returns configuration information about the filesystem
type given as a fourth level identifier.
The remaining second level identifiers are the
filesystem type number returned by a
.Xr statvfs 2
call or from
.Li vfs.generic.conf .
The third level identifiers available for each filesystem
are given in the header file that defines the mount
argument structure for that filesystem.
.Sh The hw.* subtree
The string and integer information available for the
.Li hw
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "hw.acpi.supported_states" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It hw.acpi.supported_states Ta string Ta no
.It hw.alignbytes Ta integer Ta no
.It hw.byteorder Ta integer Ta no
.It hw.cnmagic Ta string Ta yes
.It hw.disknames Ta string Ta no
.It hw.diskstats Ta struct Ta no
.It hw.machine Ta string Ta no
.It hw.machine_arch Ta string Ta no
.It hw.model Ta string Ta no
.It hw.ncpu Ta integer Ta no
.It hw.pagesize Ta integer Ta no
.It hw.physmem Ta integer Ta no
.It hw.physmem64 Ta quad Ta no
.It hw.usermem Ta integer Ta no
.It hw.usermem64 Ta quad Ta no
.El
.Pp
.Bl -tag -width "123456"
.It Li hw.acpi.supported_states
List of possible
.Tn ACPI
sleep states.
The list can contain the following values:
.Bl -tag -width XS1X
.It S0
fully running
.It S1
power on suspend (CPU and hard disks are off)
.It S2
similar to S3, usually not implemented
.It S3
suspend-to-RAM
.It S4
suspend-to-disk (needs BIOS support)
.It S5
power off
.El
.It Li hw.alignbytes ( HW_ALIGNBYTES )
Alignment constraint for all possible data types.
This shows the value
.Dv ALIGNBYTES
in
.Pa /usr/include/machine/param.h ,
at the kernel compilation time.
.It Li hw.byteorder ( HW_BYTEORDER )
The byteorder (4,321, or 1,234).
.It Li hw.cnmagic ( HW_CNMAGIC )
The console magic key sequence.
.It Li hw.disknames ( HW_DISKNAMES )
The list of (space separated) disk device names on the system.
.It Li hw.iostatnames ( HW_IOSTATNAMES )
A space separated list of devices that will have I/O statistics
collected on them.
.It Li hw.iostats ( HW_IOSTATS )
Return statistical information on the NFS mounts, disk and tape
devices on the system.
An array of
.Va struct io_sysctl
structures is returned,
whose size depends on the current number of such objects in the system.
The third level name is the size of the
.Va struct io_sysctl .
The type of object can be determined by examining the
.Va type
element of
.Va struct io_sysctl ,
which can be
.Dv IOSTAT_DISK
(disk drive),
.Dv IOSTAT_TAPE
(tape drive), or
.Dv IOSTAT_NFS
(NFS mount).
.It Li hw.machine ( HW_MACHINE )
The machine class.
.It Li hw.machine_arch ( HW_MACHINE_ARCH )
The machine CPU class.
.It Li hw.model ( HW_MODEL )
The machine model.
.It Li hw.ncpu ( HW_NCPU )
The number of CPUs.
.It Li hw.pagesize ( HW_PAGESIZE )
The software page size.
.It Li hw.physmem ( HW_PHYSMEM )
The bytes of physical memory as a 32-bit integer.
.It Li hw.physmem64 ( HW_PHYSMEM64 )
The bytes of physical memory as a 64-bit integer.
.It Li hw.usermem ( HW_USERMEM )
The bytes of non-kernel memory as a 32-bit integer.
.It Li hw.usermem64 ( HW_USERMEM64 )
The bytes of non-kernel memory as a 64-bit integer.
.El
.Sh The kern.* subtree
The string and integer information available for the
.Li kern
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
The types of data currently available are process information,
system vnodes, the open file entries, routing table entries,
virtual memory statistics, load average history, and clock rate
information.
.Bl -column "kern.posix_reader_writer_locks" "struct kinfo_drivers" "not applicable"
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It kern.argmax Ta integer Ta no
.It kern.autonicetime Ta integer Ta yes
.It kern.autoniceval Ta integer Ta yes
.It kern.boottime Ta struct timeval Ta no
.It kern.bufq Ta node Ta not applicable
.It kern.ccpu Ta integer Ta no
.It kern.clockrate Ta struct clockinfo Ta no
.It kern.consdev Ta integer Ta no
.It kern.cp_id Ta struct Ta no
.It kern.cp_time Ta uint64_t[\|] Ta no
.It kern.defcorename Ta string Ta yes
.It kern.domainname Ta string Ta yes
.It kern.drivers Ta struct kinfo_drivers Ta no
.It kern.file Ta struct file Ta no
.It kern.forkfsleep Ta integer Ta yes
.It kern.fscale Ta integer Ta no
.It kern.fsync Ta integer Ta no
.It kern.hardclock_ticks Ta integer Ta no
.It kern.hostid Ta integer Ta yes
.It kern.hostname Ta string Ta yes
.It kern.iov_max Ta integer Ta no
.It kern.job_control Ta integer Ta no
.It kern.labeloffset Ta integer Ta no
.It kern.labelsector Ta integer Ta no
.It kern.login_name_max Ta integer Ta no
.It kern.logsigexit Ta integer Ta yes
.It kern.mapped_files Ta integer Ta no
.It kern.maxfiles Ta integer Ta yes
.It kern.maxpartitions Ta integer Ta no
.It kern.maxphys Ta integer Ta no
.It kern.maxproc Ta integer Ta yes
.It kern.maxptys Ta integer Ta yes
.It kern.maxvnodes Ta integer Ta yes
.It kern.mbuf Ta node Ta not applicable
.It kern.memlock Ta integer Ta no
.It kern.memlock_range Ta integer Ta no
.It kern.memory_protection Ta integer Ta no
.It kern.monotonic_clock Ta integer Ta no
.It kern.msgbuf Ta integer Ta no
.It kern.msgbufsize Ta integer Ta no
.It kern.ngroups Ta integer Ta no
.It kern.ntptime Ta struct ntptimeval Ta no
.It kern.osrelease Ta string Ta no
.It kern.osrev Ta integer Ta no
.It kern.ostype Ta string Ta no
.It kern.pipe Ta node Ta not applicable
.It kern.posix1 Ta integer Ta no
.It kern.posix_barriers Ta integer Ta no
.It kern.posix_reader_writer_locks Ta integer Ta no
.It kern.posix_semaphores Ta integer Ta no
.It kern.posix_spin_locks Ta integer Ta no
.It kern.posix_threads Ta integer Ta no
.It kern.posix_timers Ta integer Ta no
.It kern.proc Ta struct kinfo_proc Ta no
.It kern.proc2 Ta struct kinfo_proc2 Ta no
.It kern.proc_args Ta string Ta no
.It kern.prof Ta node Ta not applicable
.It kern.rawpartition Ta integer Ta no
.It kern.root_device Ta string Ta no
.It kern.root_partition Ta integer Ta no
.It kern.rtc_offset Ta integer Ta yes
.It kern.saved_ids Ta integer Ta no
.It kern.securelevel Ta integer Ta raise only
.It kern.synchronized_io Ta integer Ta no
.It kern.ipc Ta node Ta not applicable
.It kern.timecounter Ta node Ta not applicable
.It kern.timex Ta struct Ta no
.It kern.tkstat Ta node Ta not applicable
.It kern.urandom Ta integer Ta no
.It kern.version Ta string Ta no
.It kern.vnode Ta struct vnode Ta no
.El
.Bl -tag -width "123456"
.It Li kern.argmax ( KERN_ARGMAX )
The maximum bytes of argument to
.Xr execve 2 .
.It Li kern.autonicetime ( KERN_AUTONICETIME )
The number of seconds of CPU-time a non-root process may accumulate before
having its priority lowered from the default to the value of KERN_AUTONICEVAL.
If set to 0, automatic lowering of priority is not performed, and if set to \-1
all non-root processes are immediately lowered.
.It Li kern.autoniceval ( KERN_AUTONICEVAL )
The priority assigned for automatically niced processes.
.It Li kern.boothowto
Flags passed from the boot loader; see
.Xr reboot 2
for the meanings of the flags.
.It Li kern.boottime ( KERN_BOOTTIME )
A
.Va struct timeval
structure is returned.
This structure contains the time that the system was booted.
.It Li kern.ccpu ( KERN_CCPU )
The scheduler exponential decay value.
.It Li kern.clockrate ( KERN_CLOCKRATE )
A
.Va struct clockinfo
structure is returned.
This structure contains the clock, statistics clock and profiling clock
frequencies, the number of micro-seconds per hz tick, and the clock
skew rate.
.It Li kern.consdev ( KERN_CONSDEV )
Console device.
.It Li kern.cp_id ( KERN_CP_ID )
Mapping of CPU number to CPU id.
.It Li kern.cp_time ( KERN_CP_TIME )
Returns an array of CPUSTATES uint64_ts.
This array contains the
number of clock ticks spent in different CPU states.
On multi-processor systems, the sum across all CPUs is returned unless
appropriate space is given for one data set for each CPU.
Data for a specific CPU can also be obtained by adding the number of the
CPU at the end of the MIB, enlarging it by one.
.It Li kern.defcorename ( KERN_DEFCORENAME )
Default template for the name of core dump files (see also
.Li proc.pid.corename
in the per-process variables
.Li proc.* ,
and
.Xr core 5
for format of this template).
The default value is
.Nm %n.core
and can be changed with the kernel configuration option
.Cd options DEFCORENAME
(see
.Xr options 4
).
.It Li kern.domainname ( KERN_DOMAINNAME )
Get or set the YP domain name.
.It Li kern.dump_on_panic ( KERN_DUMP_ON_PANIC )
Perform a crash dump on system panic.
.It Li kern.drivers ( KERN_DRIVERS )
Return an array of
.Va struct kinfo_drivers
that contains the name and major device numbers of all the device drivers
in the current kernel.
The
.Va d_name
field is always a NUL terminated string.
The
.Va d_bmajor
field will be set to \-1 if the driver doesn't have a block device.
.It Li kern.file ( KERN_FILE )
Return the entire file table.
The returned data consists of a single
.Va struct filelist
followed by an array of
.Va struct file ,
whose size depends on the current number of such objects in the system.
.It Li kern.forkfsleep ( KERN_FORKFSLEEP )
If the
.Xr fork 2
system call fails due to the limit on the number of processes (either
the global maxproc limit or the user's one), wait for this many
milliseconds before returning an
.Er EAGAIN
error to the process.
Useful to keep heavily forking runaway processes at bay.
Default zero (no sleep).
Maximum is 20 seconds.
.It Li kern.fscale ( KERN_FSCALE )
The kernel fixed-point scale factor.
.It Li kern.fsync ( KERN_FSYNC )
Return 1 if the POSIX 1003.1b File Synchronization Option is available
on this system,
otherwise 0.
.It Li kern.hardclock_ticks ( KERN_HARDCLOCK_TICKS )
Returns the number of
.Xr hardclock 9
ticks.
.It Li kern.hostid ( KERN_HOSTID )
Get or set the host id.
.It Li kern.hostname ( KERN_HOSTNAME )
Get or set the hostname.
.It Li kern.iov_max ( KERN_IOV_MAX )
Return the maximum number of
.Va iovec
structures that a process has available for use with
.Xr preadv 2 ,
.Xr pwritev 2 ,
.Xr readv 2 ,
.Xr recvmsg 2 ,
.Xr sendmsg 2
and
.Xr writev 2 .
.It Li kern.job_control ( KERN_JOB_CONTROL )
Return 1 if job control is available on this system, otherwise 0.
.It Li kern.labeloffset ( KERN_LABELOFFSET )
The offset within the sector specified by KERN_LABELSECTOR of the
.Xr disklabel 5 .
.It Li kern.labelsector ( KERN_LABELSECTOR )
The sector number containing the
.Xr disklabel 5 .
.It Li kern.login_name_max ( KERN_LOGIN_NAME_MAX )
The size of the storage required for a login name, in bytes,
including the terminating NUL.
.It Li kern.logsigexit ( KERN_LOGSIGEXIT )
If this flag is non-zero, the kernel will
.Xr log 9
all process exits due to signals which create a
.Xr core 5
file, and whether the coredump was created.
.It Li kern.mapped_files ( KERN_MAPPED_FILES )
Returns 1 if the POSIX 1003.1b Memory Mapped Files Option is available
on this system,
otherwise 0.
.It Li kern.maxfiles ( KERN_MAXFILES )
The maximum number of files that may be open in the system.
.It Li kern.maxpartitions ( KERN_MAXPARTITIONS )
The maximum number of partitions allowed per disk.
.It Li kern.maxphys ( KERN_MAXPHYS )
Maximum raw I/O transfer size.
.It Li kern.maxproc ( KERN_MAXPROC )
The maximum number of simultaneous processes the system will allow.
.It Li kern.maxptys ( KERN_MAXPTYS )
The maximum number of pseudo terminals.
This value can be both raised and lowered, though it cannot
be set lower than the number of currently used ptys.
See also
.Xr pty 4 .
.It Li kern.maxvnodes ( KERN_MAXVNODES )
The maximum number of vnodes available on the system.
This can only be raised.
.It Li kern.mbuf ( KERN_MBUF )
Return information about the mbuf control variables.
Mbufs are data structures which store network packets and other data
structures in the networking code, see
.Xr mbuf 9 .
The third level names for the mbuf variables are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.mbuf.nmbclusters" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.\" XXX Changeable? really?
.It kern.mbuf.mblowat Ta integer Ta yes
.It kern.mbuf.mclbytes Ta integer Ta yes
.It kern.mbuf.mcllowat Ta integer Ta yes
.It kern.mbuf.msize Ta integer Ta yes
.It kern.mbuf.nmbclusters Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.mbuf.mblowat ( MBUF_MBLOWAT )
The mbuf low water mark.
.It Li kern.mbuf.mclbytes ( MBUF_MCLBYTES )
The mbuf cluster size.
.It Li kern.mbuf.mcllowat ( MBUF_MCLLOWAT )
The mbuf cluster low water mark.
.It Li kern.mbuf.msize ( MBUF_MSIZE )
The mbuf base size.
.It Li kern.mbuf.nmbclusters ( MBUF_NMBCLUSTERS )
The limit on the number of mbuf clusters.
The variable can only be increased, and only increased on machines with
direct-mapped pool pages.
.El
.It Li kern.memlock ( KERN_MEMLOCK )
Returns 1 if the POSIX 1003.1b Process Memory Locking Option is available
on this system,
otherwise 0.
.It Li kern.memlock_range ( KERN_MEMLOCK_RANGE )
Returns 1 if the POSIX 1003.1b Range Memory Locking Option is available
on this system,
otherwise 0.
.It Li kern.memory_protection ( KERN_MEMORY_PROTECTION )
Returns 1 if the POSIX 1003.1b Memory Protection Option is available
on this system,
otherwise 0.
.It Li kern.monotonic_clock ( KERN_MONOTONIC_CLOCK )
Returns the standard version the implementation of the POSIX 1003.1b
Monotonic Clock Option conforms to,
otherwise 0.
.It Li kern.msgbuf ( KERN_MSGBUF )
The kernel message buffer, rotated so that the head of the circular kernel
message buffer is at the start of the returned data.
The returned data may contain NUL bytes.
.It Li kern.msgbufsize ( KERN_MSGBUFSIZE )
The maximum number of characters that the kernel message buffer can hold.
.It Li kern.ngroups ( KERN_NGROUPS )
The maximum number of supplemental groups.
.It Li kern.ntptime ( KERN_NTPTIME )
A
.Va struct ntptimeval
structure is returned.
This structure contains data used by the
.Xr ntpd 8
program.
.It Li kern.osrelease ( KERN_OSRELEASE )
The system release string.
.It Li kern.osrevision ( KERN_OSREV )
The system revision string.
.It Li kern.ostype ( KERN_OSTYPE )
The system type string.
.It Li kern.pipe ( KERN_PIPE )
Pipe settings.
The third level names for the integer pipe settings are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.pipe.maxbigpipes" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.pipe.kvasiz Ta integer Ta yes
.It kern.pipe.maxbigpipes Ta integer Ta yes
.It kern.pipe.maxkvasz Ta integer Ta yes
.It kern.pipe.limitkva Ta integer Ta yes
.It kern.pipe.nbigpipes Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.pipe.kvasiz ( KERN_PIPE_KVASIZ )
Amount of kernel memory consumed by pipe buffers.
.It Li kern.pipe.maxbigpipes ( KERN_PIPE_MAXBIGPIPES )
Maximum number of "big" pipes.
.It Li kern.pipe.maxkvasz ( KERN_PIPE_MAXKVASZ )
Maximum amount of kernel memory to be used for pipes.
.It Li kern.pipe.limitkva ( KERN_PIPE_LIMITKVA )
Limit for direct transfers via page loan.
.It Li kern.pipe.nbigpipes ( KERN_PIPE_NBIGPIPES )
Number of "big" pipes.
.El
.It Li kern.posix1version ( KERN_POSIX1 )
The version of ISO/IEC 9945 (POSIX 1003.1) with which the system
attempts to comply.
.It Li kern.posix_barriers ( KERN_POSIX_BARRIERS )
The version of
.St -p1003.1
and its
Barriers
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_reader_writer_locks ( KERN_POSIX_READER_WRITER_LOCKS )
The version of
.St -p1003.1
and its
Read-Write Locks
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_semaphores ( KERN_POSIX_SEMAPHORES )
The version of
.St -p1003.1
and its
Semaphores
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_spin_locks ( KERN_POSIX_SPIN_LOCKS )
The version of
.St -p1003.1
and its
Spin Locks
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_threads ( KERN_POSIX_THREADS )
The version of
.St -p1003.1
and its
Threads
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_timers ( KERN_POSIX_TIMERS )
The version of
.St -p1003.1
and its
Timers
option to which the system attempts to conform,
otherwise 0.
.It Li kern.proc ( KERN_PROC )
Return the entire process table, or a subset of it.
An array of
.Va struct kinfo_proc
structures is returned,
whose size depends on the current number of such objects in the system.
The third and fourth level numeric names are as follows:
.Bl -column "KERN_PROC_SESSION" "Fourth level is:" -offset indent
.It Sy Third level name Ta Sy Fourth level is:
.It KERN_PROC_ALL Ta None
.It KERN_PROC_GID Ta A group ID
.It KERN_PROC_PID Ta A process ID
.It KERN_PROC_PGRP Ta A process group
.It KERN_PROC_RGID Ta A real group ID
.It KERN_PROC_RUID Ta A real user ID
.It KERN_PROC_SESSION Ta A session ID
.It KERN_PROC_TTY Ta A tty device
.It KERN_PROC_UID Ta A user ID
.El
.It Li kern.proc2 ( KERN_PROC2 )
As for KERN_PROC, but an array of
.Va struct kinfo_proc2
structures is returned.
The fifth level name is the size of the
.Va struct kinfo_proc2
and the sixth level name is the number of structures to return.
.It Li kern.proc_args ( KERN_PROC_ARGS )
Return the argv or environment strings (or the number thereof)
of a process.
Multiple strings are returned separated by NUL characters.
The third level name is the process ID.
The fourth level name is as follows:
.Bl -column "KERN_PROG_NARGV" "The number of environ strings" -offset indent
.It KERN_PROC_ARGV Ta The argv strings
.It KERN_PROC_ENV Ta The environ strings
.It KERN_PROC_NARGV Ta The number of argv strings
.It KERN_PROC_NENV Ta The number of environ strings
.El
.It Li kern.profiling ( KERN_PROF )
Return profiling information about the kernel.
If the kernel is not compiled for profiling,
attempts to retrieve any of the KERN_PROF values will
fail with
.Er EOPNOTSUPP .
The third level names for the string and integer profiling information
are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.profiling.gmonparam" "struct gmonparam" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.profiling.count Ta u_short[\|] Ta yes
.It kern.profiling.froms Ta u_short[\|] Ta yes
.It kern.profiling.gmonparam Ta struct gmonparam Ta no
.It kern.profiling.state Ta integer Ta yes
.It kern.profiling.tos Ta struct tostruct Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.profiling.count ( GPROF_COUNT )
Array of statistical program counter counts.
.It Li kern.profiling.froms ( GPROF_FROMS )
Array indexed by program counter of call-from points.
.It Li kern.profiling.gmonparams ( GPROF_GMONPARAM )
Structure giving the sizes of the above arrays.
.It Li kern.profiling.state ( GPROF_STATE )
Profiling state.
If set to GMON_PROF_ON, starts profiling.
If set to GMON_PROF_OFF, stops profiling.
.It Li kern.profiling.tos ( GPROF_TOS )
Array of
.Va struct tostruct
describing destination of calls and their counts.
.El
.It Li kern.rawpartition ( KERN_RAWPARTITION )
The raw partition of a disk (a == 0).
.It Li kern.root_device ( KERN_ROOT_DEVICE )
The name of the root device (e.g.,
.Dq wd0 ) .
.It Li kern.root_partition ( KERN_ROOT_PARTITION )
The root partition on the root device (a == 0).
.It Li kern.rtc_offset ( KERN_RTC_OFFSET )
Return the offset of real time clock from UTC in minutes.
.It Li kern.saved_ids ( KERN_SAVED_IDS )
Returns 1 if saved set-group and saved set-user IDs are available.
.It Li kern.sbmax ( KERN_SBMAX )
Maximum socket buffer size.
.\" XXX units?
.It Li kern.securelevel ( KERN_SECURELVL )
The system security level.
This level may be raised by processes with appropriate privilege.
It may only be lowered by process 1.
.It Li kern.somaxkva ( KERN_SOMAXKVA )
Maximum amount of kernel memory to be used for socket buffers.
.\" XXX units?
.It Li kern.synchronized_io ( KERN_SYNCHRONIZED_IO )
Returns 1 if the POSIX 1003.1b Synchronized I/O Option is available
on this system,
otherwise 0.
.It Li kern.ipc ( KERN_SYSVIPC )
Return information about the SysV IPC parameters.
The third level names for the ipc variables are detailed below.
.Bl -column "kern.ipc.shm_use_phys" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.ipc.sysvmsg Ta integer Ta no
.It kern.ipc.sysvsem Ta integer Ta no
.It kern.ipc.sysvshm Ta integer Ta no
.It kern.ipc.sysvipc_info Ta struct Ta no
.It kern.ipc.shmmax Ta integer Ta yes
.It kern.ipc.shmmni Ta integer Ta yes
.It kern.ipc.shmseg Ta integer Ta yes
.It kern.ipc.shmmaxpgs Ta integer Ta yes
.It kern.ipc.shm_use_phys Ta integer Ta yes
.It kern.ipc.msgmni Ta integer Ta yes
.It kern.ipc.msgseg Ta integer Ta yes
.It kern.ipc.semmni Ta integer Ta yes
.It kern.ipc.semmns Ta integer Ta yes
.It kern.ipc.semmnu Ta integer Ta yes
.El
.Bl -tag -width "123456"
.It Li kern.ipc.sysvmsg ( KERN_SYSVIPC_MSG )
Returns 1 if System V style message queue functionality is available
on this system,
otherwise 0.
.It Li kern.ipc.sysvsem ( KERN_SYSVIPC_SEM )
Returns 1 if System V style semaphore functionality is available
on this system,
otherwise 0.
.It Li kern.ipc.sysvshm ( KERN_SYSVIPC_SHM )
Returns 1 if System V style shared memory functionality is available
on this system,
otherwise 0.
.It Li kern.ipc.sysvipc_info ( KERN_SYSVIPC_INFO )
Return System V style IPC configuration and run-time information.
The fourth level name selects the System V style IPC facility.
.Bl -column "KERN_SYSVIPC_MSG_INFO" "struct shm_sysctl_info" -offset indent
.It Sy Fourth level name Ta Sy Type
.It KERN_SYSVIPC_MSG_INFO Ta struct msg_sysctl_info
.It KERN_SYSVIPC_SEM_INFO Ta struct sem_sysctl_info
.It KERN_SYSVIPC_SHM_INFO Ta struct shm_sysctl_info
.El
.Pp
.Bl -tag -width "123456"
.It Li KERN_SYSVIPC_MSG_INFO
Return information on the System V style message facility.
The
.Sy msg_sysctl_info
structure is defined in
.Aq Pa sys/msg.h .
.It Li KERN_SYSVIPC_SEM_INFO
Return information on the System V style semaphore facility.
The
.Sy sem_sysctl_info
structure is defined in
.Aq Pa sys/sem.h .
.It Li KERN_SYSVIPC_SHM_INFO
Return information on the System V style shared memory facility.
The
.Sy shm_sysctl_info
structure is defined in
.Aq Pa sys/shm.h .
.El
.It Li kern.ipc.shmmax ( KERN_SYSVIPC_SHMMAX )
Max shared memory segment size in bytes.
.It Li kern.ipc.shmmni ( KERN_SYSVIPC_SHMMNI )
Max number of shared memory identifiers.
.It Li kern.ipc.shmseg ( KERN_SYSVIPC_SHMSEG )
Max shared memory segments per process.
.It Li kern.ipc.shmmaxpgs ( KERN_SYSVIPC_SHMMAXPGS )
Max amount of shared memory in pages.
.It Li kern.ipc.shm_use_phys ( KERN_SYSVIPC_SHMUSEPHYS )
Locking of shared memory in physical memory.
If 0, memory can be swapped
out, otherwise it will be locked in physical memory.
.It Li kern.ipc.msgmni
Max number of message queue identifiers.
.It Li kern.ipc.msgseg
Max number of message segments.
.It Li kern.ipc.semmni
Max number of semaphore identifiers.
.It Li kern.ipc.semmns
Max number of semaphores in system.
.It Li kern.ipc.semmnu
Max number of undo structures in system.
.El
.It Li kern.timecounter ( dynamic )
Display and control the timecounter source of the system.
.Bl -column "kern.timecounter.timestepwarnings" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.timecounter.choice Ta string Ta no
.It kern.timecounter.hardware Ta string Ta yes
.It kern.timecounter.timestepwarnings Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.timecounter.choice ( dynamic )
The list of available timecounters with their quality and frequency.
.It Li kern.timecounter.hardware ( dynamic )
The currently selected timecounter source.
.It Li kern.timecounter.timestepwarnings ( dynamic )
If non-zero, display a message each time the time is stepped.
.El
.It Li kern.timex ( KERN_TIMEX )
Not available.
.It Li kern.tkstat ( KERN_TKSTAT )
Return information about the number of characters sent and received
on ttys.
The third level names for the tty statistic variables are detailed below.
The changeable column shows whether a process
with appropriate privilege may change the value.
.Bl -column "kern.tkstat.cancc" "quad" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.tkstat.cancc Ta quad Ta no
.It kern.tkstat.nin Ta quad Ta no
.It kern.tkstat.nout Ta quad Ta no
.It kern.tkstat.rawcc Ta quad Ta no
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.tkstat.cancc ( KERN_TKSTAT_CANCC )
The number of canonical input characters.
.It Li kern.tkstat.nin ( KERN_TKSTAT_NIN )
The total number of input characters.
.It Li kern.tkstat.nout ( KERN_TKSTAT_NOUT )
The total number of output characters.
.It Li kern.tkstat.rawcc ( KERN_TKSTAT_RAWCC )
The number of raw input characters.
.El
.It Li kern.urandom ( KERN_URND )
Random integer value.
.It Li kern.veriexec
Tunings for Veriexec.
.Bl -tag -width "123456"
.It Li kern.veriexec.algorithms
Returns a string with the supported algorithms in Veriexec.
.It Li kern.veriexec.count
Sub-nodes are added to this node as new mounts are monitored by Veriexec.
Each mount will be under its own
.No tableN
node.
Under each node there will be three variables, indicating the mount
point, the file-system type, and the number of entries.
.It Li kern.veriexec.strict
Controls the strict level of Veriexec.
See
.Xr security 8
for more information on each level's implications.
.It Li kern.veriexec.verbose
Controls the verbosity level of Veriexec.
If 0, only the minimal
indication required will be given about what's happening - fingerprint
mismatches, removal of entries from the tables, modification of a
fingerprinted file.
If 1, more messages will be printed (i.e., when a file with a valid
fingerprint is accessed).
Verbose level 2 is debug mode.
.El
.It Li kern.version ( KERN_VERSION )
The system version string.
.It Li kern.vnode ( KERN_VNODE )
Return the entire vnode table.
Note, the vnode table is not necessarily a consistent snapshot of
the system.
The returned data consists of an array whose size depends on the
current number of such objects in the system.
Each element of the array contains the kernel address of a vnode
.Va struct vnode *
followed by the vnode itself
.Va struct vnode .
.It Li kern.coredump.setid
Settings related to set-id processes coredumps.
By default, set-id processes do not dump core in situations where
other processes would.
The settings in this node allow an administrator to change this
behavior.
.Pp
.Bl -tag -width "123456"
.It Li kern.coredump.setid.dump
If non-zero, set-id processes will dump core.
.It Li kern.coredump.setid.group
The group-id for the set-id processes' coredump.
.It Li kern.coredump.setid.mode
The mode for the set-id processes' coredump.
See
.Xr chmod 1 .
.It Li kern.coredump.setid.owner
The user-id that will be used as the owner of the set-id processes'
coredump.
.It Li kern.coredump.setid.path
The path to which set-id processes' coredumps will be saved.
Same syntax as kern.defcorename.
.El
.\" XXX kern.lwp
.El
.Sh The machdep.* subtree
The set of variables defined is architecture dependent.
Most architectures define at least the following variables.
.Bl -column "Second level name" "Type" "Changeable" -offset indent
.It Sy Second level name	Type	Changeable
.It Li CPU_CONSDEV	dev_t	no
.El
.Sh The net.* subtree
The string and integer information available for the
.Li net
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
The second and third levels are typically the protocol family and
protocol number, though this is not always the case.
.Bl -column "Second level name" "IPsec key management values" "Changeable" -offset indent
.It Sy Second level name	Type	Changeable
.It net.route	routing messages	no
.It net.inet	IPv4 values	yes
.It net.inet6	IPv6 values	yes
.It net.key	IPsec key management values	yes
.El
.Pp
.Bl -tag -width "123456"
.It Li net.route ( PF_ROUTE )
.\" XXX really?
Return the entire routing table or a subset of it.
The data is returned as a sequence of routing messages (see
.Xr route 4
for the header file, format and meaning).
The length of each message is contained in the message header.
.Pp
The third level name is a protocol number, which is currently always 0.
The fourth level name is an address family, which may be set to 0 to
select all address families.
The fifth and sixth level names are as follows:
.Bl -column "Fifth level name" "Sixth level is:" -offset indent
.It Sy Fifth level name	Sixth level is:
.It NET_RT_FLAGS	rtflags
.It NET_RT_DUMP	None
.It NET_RT_IFLIST	None
.El
.It Li net.inet ( PF_INET )
Get or set various global information about the IPv4
.Pq Internet Protocol version 4 .
The third level name is the protocol.
The fourth level name is the variable name.
The currently defined protocols and names are:
.Bl -column "Protocol name" "sack.globalmaxholes" "integer" "Changeable" -offset 4n
.It Sy Protocol name	Variable name	Type	Changeable
.It arp	down	integer	yes
.It arp	keep	integer	yes
.It arp	prune	integer	yes
.It arp	refresh	integer	yes
.It carp	allow	integer	yes
.It carp	preempt	integer	yes
.It carp	log	integer	yes
.It carp	arpbalance	integer	yes
.It icmp	errppslimit	integer	yes
.It icmp	maskrepl	integer	yes
.It icmp	rediraccept	integer	yes
.It icmp	redirtimeout	integer	yes
.It ip	allowsrcrt	integer	yes
.It ip	anonportmax	integer	yes
.It ip	anonportmin	integer	yes
.It ip	checkinterface	integer	yes
.It ip	directed-broadcast	integer	yes
.It ip	do_loopback_cksum	integer	yes
.It ip	forwarding	integer	yes
.It ip	forwsrcrt	integer	yes
.It ip	gifttl	integer	yes
.It ip	grettl	integer	yes
.It ip	hashsize	integer	yes
.It ip	hostzerobroadcast	integer	yes
.It ip	lowportmin	integer	yes
.It ip	lowportmax	integer	yes
.It ip	maxflows	integer	yes
.It ip	maxfragpackets	integer	yes
.It ip	mtudisc	integer	yes
.It ip	mtudisctimeout	integer	yes
.It ip	random_id	integer	yes
.It ip	redirect	integer	yes
.It ip	subnetsarelocal	integer	yes
.It ip	ttl	integer	yes
.It tcp	rfc1323	integer	yes
.It tcp	sendspace	integer	yes
.It tcp	recvspace	integer	yes
.It tcp	mssdflt	integer	yes
.It tcp	syn_cache_limit	integer	yes
.It tcp	syn_bucket_limit	integer	yes
.It tcp	syn_cache_interval	integer	yes
.It tcp	init_win	integer	yes
.It tcp	init_win_local	integer	yes
.It tcp	mss_ifmtu	integer	yes
.It tcp	win_scale	integer	yes
.It tcp	timestamps	integer	yes
.It tcp	compat_42	integer	yes
.It tcp	cwm	integer	yes
.It tcp	cwm_burstsize	integer	yes
.It tcp	ack_on_push	integer	yes
.It tcp	keepidle	integer	yes
.It tcp	keepintvl	integer	yes
.It tcp	keepcnt	integer	yes
.It tcp	slowhz	integer	no
.It tcp	keepinit	integer	yes
.It tcp	log_refused	integer	yes
.It tcp	rstppslimit	integer	yes
.It tcp	ident	struct	no
.It tcp	drop	struct	no
.It tcp	sack.enable	integer	yes
.It tcp	sack.globalholes	integer	no
.It tcp	sack.globalmaxholes	integer	yes
.It tcp	sack.maxholes	integer	yes
.It tcp	ecn.enable	integer	yes
.It tcp	ecn.maxretries	integer	yes
.It tcp	congctl.selected	string	yes
.It tcp	congctl.available	string	yes
.It tcp	abc.enable	integer	yes
.It tcp	abc.aggressive	integer	yes
.It udp	checksum	integer	yes
.It udp	do_loopback_cksum	integer	yes
.It udp	recvspace	integer	yes
.It udp	sendspace	integer	yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li arp.down
Failed ARP entry lifetime.
.It Li arp.keep
Valid ARP entry lifetime.
.It Li arp.prune
ARP cache pruning interval.
.It Li arp.refresh
ARP entry refresh interval.
.It Li carp.allow
If set to 0, incoming
.Xr carp 4
packets will not be processed.
If set to any other value, processing will occur.
Enabled by default.
.It Li carp.arpbalance
If set to any value other than 0, the ARP balancing functionality of
.Xr carp 4
is enabled.
When ARP requests are received for an IP address which is part of any virtual
host, carp will hash the source IP in the ARP request to select one of the
virtual hosts from the set of all the virtual hosts which have that IP address.
The master of that host will respond with the correct virtual MAC address.
Disabled by default.
.It Li carp.log
If set to any value other than 0,
.Xr carp 4
will log errors.
Disabled by default.
.It Li carp.preempt
If set to 0,
.Xr carp 4
will not attempt to become master if it is receiving advertisements from
another active master.
If set to any other value, carp will become master of the virtual host if it
believes it can send advertisements more frequently than the current master.
Disabled by default.
.It Li ip.allowsrcrt
If set to 1, the host accepts source routed packets.
.It Li ip.anonportmax
The highest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535, and must
be greater than
.Li ip.anonportmin .
.It Li ip.anonportmin
The lowest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535.
.It Li ip.checkinterface
If set to non-zero, the host will reject packets addressed to it
that arrive on an interface not bound to that address.
Currently, this must be disabled if ipnat is used to translate the
destination address to another local interface, or if addresses
are added to the loopback interface instead of the interface where
the packets for those addresses are received.
.It Li ip.directed-broadcast
If set to 1, enables directed broadcast behavior for the host.
.It Li ip.do_loopback_cksum
Perform IP checksum on loopback.
.It Li ip.forwarding
If set to 1, enables IP forwarding for the host,
meaning that the host is acting as a router.
.It Li ip.forwsrcrt
If set to 1, enables forwarding of source-routed packets for the host.
This value may only be changed if the kernel security level is less than 1.
.It Li ip.gifttl
The maximum time-to-live (hop count) value for an IPv4 packet generated by
.Xr gif 4
tunnel interface.
.It Li ip.grettl
The maximum time-to-live (hop count) value for an IPv4 packet generated by
.Xr gre 4
tunnel interface.
.It Li ip.hashsize
The size of IPv4 Fast Forward hash table.
This value must be a power of 2 (64, 256...).
A larger hash table size results in fewer collisions.
Also see
.Li ip.maxflows .
.It Li ip.hostzerobroadcast
All zeroes address is broadcast address.
.It Li ip.lowportmax
The highest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be greater than
.Li ip.lowportmin .
.It Li ip.lowportmin
The lowest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be smaller than
.Li ip.lowportmax .
.It Li ip.maxflows
IPv4 Fast Forwarding is enabled by default.
If set to 0, IPv4 Fast Forwarding is disabled.
.Li ip.maxflows
controls the maximum number of flows which can be created.
The default value is 256.
.It Li ip.maxfragpackets
The maximum number of fragmented packets the node will accept.
0 means that the node will not accept any fragmented packets.
\-1 means that the node will accept as many fragmented packets as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip.mtudisc
If set to 1, enables Path MTU Discovery (RFC 1191).
When Path MTU Discovery is enabled, the transmitted TCP segment
size will be determined by the advertised maximum segment size
(MSS) from the remote end, as constrained by the path MTU.
If MTU Discovery is disabled, the transmitted segment size will
never be greater than
.Li tcp.mssdflt
(the local maximum segment size).
.It Li ip.mtudisctimeout
The number of seconds in which a route added by the Path MTU
Discovery engine will time out.
When the route times out, the Path
MTU Discovery engine will attempt to probe a larger path MTU.
.It Li ip.random_id
Assign random ip_id values.
.It Li ip.redirect
If set to 1, ICMP redirects may be sent by the host.
This option is ignored unless the host is routing IP packets,
and should normally be enabled on all systems.
.It Li ip.subnetsarelocal
If set to 1, subnets are to be considered local addresses.
.It Li ip.ttl
The maximum time-to-live (hop count) value for an IP packet sourced by
the system.
This value applies to normal transport protocols, not to ICMP.
.It Li icmp.errppslimit
The variable specifies the maximum number of outgoing ICMP error messages,
per second.
ICMP error messages that exceed the value are subject to rate limitation
and will not go out from the node.
Negative value disables rate limitation.
.It Li icmp.maskrepl
If set to 1, ICMP network mask requests are to be answered.
.It Li icmp.rediraccept
If set to non-zero, the host will accept ICMP redirect packets.
Note that routers will never accept ICMP redirect packets,
and the variable is meaningful on IP hosts only.
.It Li icmp.redirtimeout
The variable specifies the lifetime of routing entries generated by incoming
ICMP redirect.
This defaults to 600 seconds.
.It Li icmp.returndatabytes
Number of bytes to return in an ICMP error message.
.It Li tcp.ack_on_push
If set to 1, TCP is to immediately transmit an ACK upon reception of
a packet with PUSH set.
This can avoid losing a round trip time in some rare situations,
but has the caveat of potentially defeating TCP's delayed ACK algorithm.
Use of this option is generally not recommended, but
the variable exists in case your configuration really needs it.
.It Li tcp.compat_42
If set to 1, enables work-arounds for bugs in the 4.2BSD TCP implementation.
Use of this option is not recommended, although it may be
required in order to communicate with extremely old TCP implementations.
.It Li tcp.cwm
If set to 1, enables use of the Hughes/Touch/Heidemann Congestion Window
Monitoring algorithm.
This algorithm prevents line-rate bursts of packets that could
otherwise occur when data begins flowing on an idle TCP connection.
These line-rate bursts can contribute to network and router congestion.
This can be particularly useful on World Wide Web servers
which support HTTP/1.1, which has lingering connections.
.It Li tcp.cwm_burstsize
The Congestion Window Monitoring allowed burst size, in terms
of packet count.
.It Li tcp.delack_ticks
Number of ticks to delay sending an ACK.
.It Li tcp.do_loopback_cksum
Perform TCP checksum on loopback.
.It Li tcp.init_win
A value indicating the TCP initial congestion window.
If this value is 0, an auto-tuning algorithm designed to use an initial
window of approximately 4K bytes is in use.
Otherwise, this value indicates a fixed number of packets.
.It Li tcp.init_win_local
Like
.Li tcp.init_win ,
but used when communicating with hosts on a local network.
.It Li tcp.keepcnt
Number of keepalive probes sent before declaring a connection dead.
If set to zero, there is no limit;
keepalives will be sent until some kind of
response is received from the peer.
.It Li tcp.keepidle
Time a connection must be idle before keepalives are sent (if keepalives
are enabled for the connection).
See also tcp.slowhz.
.It Li tcp.keepintvl
Time after a keepalive probe is sent until, in the absence of any response,
another probe is sent.
See also tcp.slowhz.
.It Li tcp.log_refused
If set to 1, refused TCP connections to the host will be logged.
.It Li tcp.keepinit
Timeout in seconds during connection establishment.
.It Li tcp.mss_ifmtu
If set to 1, TCP calculates the outgoing maximum segment size based on
the MTU of the appropriate interface.
If set to 0, it is calculated based on the greater of the MTU of the
interface, and the largest (non-loopback) interface MTU on the system.
.It Li tcp.mssdflt
The default maximum segment size both advertised to the peer
and to use when either the peer does not advertise a maximum segment size to
us during connection setup or Path MTU Discovery
.Li ( ip.mtudisc )
is disabled.
Do not change this value unless you really know what you are doing.
.It Li tcp.recvspace
The default TCP receive buffer size.
.It Li tcp.rfc1323
If set to 1, enables RFC 1323 extensions to TCP.
.It Li tcp.rstppslimit
The variable specifies the maximum number of outgoing TCP RST packets,
per second.
TCP RST packets that exceed the value are subject to rate limitation
and will not go out from the node.
Negative value disables rate limitation.
.It Li tcp.ident
Return the user ID of a connected socket pair.
(RFC1413 Identification Protocol lookups.)
.It Li tcp.drop
Drop a TCP socket pair connection.
.It Li tcp.sack.enable
If set to 1, enables RFC 2018 Selective ACKnowledgement.
.It Li tcp.sack.globalholes
Global number of TCP SACK holes.
.It Li tcp.sack.globalmaxholes
Global maximum number of TCP SACK holes.
.It Li tcp.sack.maxholes
Maximum number of TCP SACK holes allowed per connection.
.It Li tcp.ecn.enable
If set to 1, enables RFC 3168 Explicit Congestion Notification.
.It Li tcp.ecn.maxretries
Number of times to retry sending the ECN-setup packet.
.It Li tcp.sendspace
The default TCP send buffer size.
.It Li tcp.slowhz
The units for tcp.keepidle and tcp.keepintvl; those variables are in ticks
of a clock that ticks tcp.slowhz times per second.
(That is, their values
must be divided by the tcp.slowhz value to get times in seconds.)
.It Li tcp.syn_bucket_limit
The maximum number of entries allowed per hash bucket in the TCP
compressed state engine.
.It Li tcp.syn_cache_limit
The maximum number of entries allowed in the TCP compressed state
engine.
.It Li tcp.timestamps
If rfc1323 is enabled, a value of 1 indicates RFC 1323 time stamp options,
used for measuring TCP round trip times, are enabled.
.It Li tcp.win_scale
If rfc1323 is enabled, a value of 1 indicates RFC 1323 window scale options,
for increasing the TCP window size, are enabled.
.It Li tcp.congctl.available
The available TCP congestion control algorithms.
.It Li tcp.congctl.selected
The currently selected TCP congestion control algorithm.
.It Li tcp.abc.enable
If set to 1, use RFC 3465 Appropriate Byte Counting (ABC).
If set to 0, use traditional Packet Counting.
.It Li tcp.abc.aggressive
Choose the L parameter found in RFC 3465.
L is the maximum cwnd increase for an ack during slow start.
If set to 1, use L=2*SMSS.
If set to 0, use L=1*SMSS.
It has no effect unless tcp.abc.enable is set to 1.
.It Li udp.checksum
If set to 1, UDP checksums are being computed.
Received non-zero UDP checksums are always checked.
Disabling UDP checksums is strongly discouraged.
.It Li udp.sendspace
The default UDP send buffer size.
.It Li udp.recvspace
The default UDP receive buffer size.
.El
.Pp
For variables net.*.ipsec, please refer to
.Xr ipsec 4 .
.It Li net.inet6 ( PF_INET6 )
Get or set various global information about the IPv6
.Pq Internet Protocol version 6 .
The third level name is the protocol.
The fourth level name is the variable name.
The currently defined protocols and names are:
.Bl -column "Protocol name" "do_loopback_cksum" "integer" "Changeable" -offset indent
.It Sy Protocol name	Variable name	Type	Changeable
.It icmp6	errppslimit	integer	yes
.It icmp6	mtudisc_hiwat	integer	yes
.It icmp6	mtudisc_lowat	integer	yes
.It icmp6	nd6_debug	integer	yes
.It icmp6	nd6_delay	integer	yes
.It icmp6	nd6_maxnudhint	integer	yes
.It icmp6	nd6_mmaxtries	integer	yes
.It icmp6	nd6_prune	integer	yes
.It icmp6	nd6_umaxtries	integer	yes
.It icmp6	nd6_useloopback	integer	yes
.It icmp6	nodeinfo	integer	yes
.It icmp6	rediraccept	integer	yes
.It icmp6	redirtimeout	integer	yes
.It ip6	accept_rtadv	integer	yes
.It ip6	anonportmax	integer	yes
.It ip6	anonportmin	integer	yes
.It ip6	auto_flowlabel	integer	yes
.It ip6	dad_count	integer	yes
.It ip6	defmcasthlim	integer	yes
.It ip6	forwarding	integer	yes
.It ip6	gifhlim	integer	yes
.It ip6	hashsize	integer	yes
.It ip6	hlim	integer	yes
.It ip6	hdrnestlimit	integer	yes
.It ip6	kame_version	string	no
.It ip6	keepfaith	integer	yes
.It ip6	log_interval	integer	yes
.It ip6	lowportmax	integer	yes
.It ip6	lowportmin	integer	yes
.It ip6	maxflows	integer	yes
.It ip6	maxfragpackets	integer	yes
.It ip6	maxfrags	integer	yes
.It ip6	redirect	integer	yes
.It ip6	rr_prune	integer	yes
.It ip6	use_deprecated	integer	yes
.It ip6	v6only	integer	yes
.It udp6	do_loopback_cksum	integer	yes
.It udp6	recvspace	integer	yes
.It udp6	sendspace	integer	yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li ip6.accept_rtadv
If set to non-zero, the node will accept ICMPv6 router
advertisement packets
and autoconfigures address prefixes and default routers.
The node must be a host
.Pq not a router
for the option to be meaningful.
.It Li ip6.anonportmax
The highest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535, and must
be greater than
.Li ip6.anonportmin .
.It Li ip6.anonportmin
The lowest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535.
.It Li ip6.auto_flowlabel
On connected transport protocol packets,
fill IPv6 flowlabel field to help intermediate routers to identify packet flows.
.It Li ip6.dad_count
The variable configures the number of IPv6 DAD
.Pq duplicated address detection
probe packets.
The packets will be generated when IPv6 interface addresses are configured.
.It Li ip6.defmcasthlim
The default hop limit value for an IPv6 multicast packet sourced by the node.
This value applies to all the transport protocols on top of IPv6.
There are APIs to override the value, as documented in
.Xr ip6 4 .
.It Li ip6.forwarding
If set to 1, enables IPv6 forwarding for the node,
meaning that the node is acting as a router.
If set to 0, disables IPv6 forwarding for the node,
meaning that the node is acting as a host.
IPv6 specification defines node behavior for
.Dq router
case and
.Dq host
case quite differently, and changing this variable during operation
may cause serious trouble.
It is recommended to configure the variable at bootstrap time,
and bootstrap time only.
.It Li ip6.gifhlim
The maximum hop limit value for an IPv6 packet generated by
.Xr gif 4
tunnel interface.
.It Li ip6.hdrnestlimit
The number of IPv6 extension headers permitted on incoming IPv6 packets.
If set to 0, the node will accept as many extension headers as possible.
.It Li ip6.hashsize
The size of IPv6 Fast Forward hash table.
This value must be a power of 2 (64, 256...).
A larger hash table size results in fewer collisions.
Also see
.Li ip6.maxflows .
.It Li ip6.hlim
The default hop limit value for an IPv6 unicast packet sourced by the node.
This value applies to all the transport protocols on top of IPv6.
There are APIs to override the value, as documented in
.Xr ip6 4 .
.It Li ip6.kame_version
The string identifies the version of KAME IPv6 stack implemented in the kernel.
.It Li ip6.keepfaith
If set to non-zero, it enables
.Dq FAITH
TCP relay IPv6-to-IPv4 translator code in the kernel.
Refer to
.Xr faith 4
and
.Xr faithd 8
for details.
.It Li ip6.log_interval
The variable controls the amount of logs generated by IPv6 packet
forwarding engine, by setting interval between log output
.Pq in seconds .
.It Li ip6.lowportmax
The highest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be greater than
.Li ip6.lowportmin .
.It Li ip6.lowportmin
The lowest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be smaller than
.Li ip6.lowportmax .
.It Li ip6.maxflows
IPv6 Fast Forwarding is enabled by default.
If set to 0, IPv6 Fast Forwarding is disabled.
.Li ip6.maxflows
controls the maximum number of flows which can be created.
The default value is 256.
.It Li ip6.maxfragpackets
The maximum number of fragmented packets the node will accept.
0 means that the node will not accept any fragmented packets.
\-1 means that the node will accept as many fragmented packets as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip6.maxfrags
The maximum number of fragments the node will accept.
0 means that the node will not accept any fragments.
\-1 means that the node will accept as many fragments as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip6.redirect
If set to 1, ICMPv6 redirects may be sent by the node.
This option is ignored unless the node is routing IP packets,
and should normally be enabled on all systems.
.It Li ip6.rr_prune
The variable specifies interval between IPv6 router renumbering prefix
babysitting, in seconds.
.It Li ip6.use_deprecated
The variable controls use of deprecated address, specified in RFC 2462 5.5.4.
.It Li ip6.v6only
The variable specifies initial value for
.Dv IPV6_V6ONLY
socket option for
.Dv AF_INET6
socket.
Please refer to
.Xr ip6 4
for detail.
.It Li icmp6.errppslimit
The variable specifies the maximum number of outgoing ICMPv6 error messages,
per second.
ICMPv6 error messages that exceed the value are subject to rate limitation
and will not go out from the node.
Negative value disables rate limitation.
.It Li icmp6.mtudisc_hiwat
.It Li icmp6.mtudisc_lowat
The variables define the maximum number of routing table entries,
created due to path MTU discovery
.Pq prevents denial-of-service attacks with ICMPv6 too big messages .
When IPv6 path MTU discovery happens, we keep path MTU information in
the routing table.
If the number of routing table entries exceeds the value,
the kernel will not attempt to keep the path MTU information.
.Li icmp6.mtudisc_hiwat
is used when we have verified ICMPv6 too big messages.
.Li icmp6.mtudisc_lowat
is used when we have unverified ICMPv6 too big messages.
Verification is performed by using address/port pairs kept in connected pcbs.
Negative value disables the upper limit.
.It Li icmp6.nd6_debug
If set to non-zero, kernel IPv6 neighbor discovery code will generate
debugging messages.
The debug outputs are useful to diagnose IPv6 interoperability issues.
The flag must be set to 0 for normal operation.
.It Li icmp6.nd6_delay
The variable specifies
.Dv DELAY_FIRST_PROBE_TIME
timing constant in IPv6 neighbor discovery specification
.Pq RFC 2461 ,
in seconds.
.It Li icmp6.nd6_maxnudhint
IPv6 neighbor discovery permits upper layer protocols to supply reachability
hints, to avoid unnecessary neighbor discovery exchanges.
The variable defines the number of consecutive hints the neighbor discovery
layer will take.
For example, by setting the variable to 3, neighbor discovery layer
will take at most 3 consecutive hints.
After receiving 3 hints, neighbor discovery layer will perform
normal neighbor discovery process.
.It Li icmp6.nd6_mmaxtries
The variable specifies
.Dv MAX_MULTICAST_SOLICIT
constant in IPv6 neighbor discovery specification
.Pq RFC 2461 .
.It Li icmp6.nd6_prune
The variable specifies interval between IPv6 neighbor cache babysitting,
in seconds.
.It Li icmp6.nd6_umaxtries
The variable specifies
.Dv MAX_UNICAST_SOLICIT
constant in IPv6 neighbor discovery specification
.Pq RFC 2461 .
.It Li icmp6.nd6_useloopback
If set to non-zero, kernel IPv6 stack will use loopback interface for
local traffic.
.It Li icmp6.nodeinfo
The variable enables responses to ICMPv6 node information queries.
If you set the variable to 0, responses will not be generated for
ICMPv6 node information queries.
Since node information queries can have a security impact, it is
possible to fine tune which responses should be answered.
Two separate bits can be set.
.Bl -tag -width "12345"
.It 1
Respond to ICMPv6 FQDN queries, e.g.
.Li ping6 -w .
.It 2
Respond to ICMPv6 node addresses queries, e.g.
.Li ping6 -a .
.El
.It Li icmp6.rediraccept
If set to non-zero, the host will accept ICMPv6 redirect packets.
Note that IPv6 routers will never accept ICMPv6 redirect packets,
and the variable is meaningful on IPv6 hosts
.Pq non-router
only.
.It Li icmp6.redirtimeout
The variable specifies the lifetime of routing entries generated by incoming
ICMPv6 redirect.
.It Li udp6.do_loopback_cksum
Perform UDP checksum on loopback.
.It Li udp6.recvspace
Default UDP receive buffer size.
.It Li udp6.sendspace
Default UDP send buffer size.
.El
.Pp
We reuse net.*.tcp for
.Tn TCP
over
.Tn IPv6 ,
and therefore we do not have variables net.*.tcp6.
Variables net.inet6.udp6 have identical meaning to net.inet.udp.
Please refer to
.Li PF_INET
section above.
For variables net.*.ipsec6, please refer to
.Xr ipsec 4 .
.It Li net.key ( PF_KEY )
Get or set various global information about the IPsec key management.
The third level name is the variable name.
The currently defined variable names are:
.Bl -column "blockacq_lifetime" "integer" "Changeable" -offset indent
.It Sy Variable name	Type	Changeable
.It debug	integer	yes
.It spi_try	integer	yes
.It spi_min_value	integer	yes
.It spi_max_value	integer	yes
.It larval_lifetime	integer	yes
.It blockacq_count	integer	yes
.It blockacq_lifetime	integer	yes
.It esp_keymin	integer	yes
.It esp_auth	integer	yes
.It ah_keymin	integer	yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li debug
Turn on debugging messages from within the kernel.
The value is a bitmap, as defined in
.Pa /usr/include/netkey/key_debug.h .
.It Li spi_try
The number of times the kernel will try to obtain a unique SPI
when it generates it from random number generator.
.It Li spi_min_value
Minimum SPI value when generating it within the kernel.
.It Li spi_max_value
Maximum SPI value when generating it within the kernel.
.It Li larval_lifetime
Lifetime for LARVAL SAD entries, in seconds.
.It Li blockacq_count
Number of ACQUIRE PF_KEY messages to be blocked after an ACQUIRE message.
It avoids flood of ACQUIRE PF_KEY from being sent from the kernel to the
key management daemon.
.It Li blockacq_lifetime
Lifetime of ACQUIRE PF_KEY message.
.It Li esp_keymin
Minimum ESP key length, in bits.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.It Li esp_auth
Whether ESP authentication should be used or not.
Non-zero value indicates that ESP authentication should be used.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.It Li ah_keymin
Minimum AH key length, in bits.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.El
.El
.Sh The proc.* subtree
The string and integer information available for the
.Li proc
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
These values are per-process,
and as such may change from one process to another.
When a process is created,
the default values are inherited from its parent.
When a set-user-ID or set-group-ID binary is executed, the
value of PROC_PID_CORENAME is reset to the system default value.
The second level name is either the magic value PROC_CURPROC, which
points to the current process, or the PID of the target process.
.Bl -column "proc.pid.corename" "string" "not applicable" -offset indent
.It Sy Third level name	Type	Changeable
.It proc.pid.corename	string	yes
.It proc.pid.rlimit	node	not applicable
.It proc.pid.stopfork	int	yes
.It proc.pid.stopexec	int	yes
.It proc.pid.stopexit	int	yes
.El
.Bl -tag -width "123456"
.It Li proc.pid.corename ( PROC_PID_CORENAME )
The template used for the core dump file name (see
.Xr core 5
for details).
The base name must either be
.Nm core
or end with the suffix ``.core'' (the super-user may set arbitrary names).
By default it points to KERN_DEFCORENAME.
.It Li proc.pid.rlimit ( PROC_PID_LIMIT )
Return resource limits, as defined for the
.Xr getrlimit 2
and
.Xr setrlimit 2
system calls.
The fourth level name is one of:
.Bl -tag -width PROC_PID_LIMIT_MEMLOCKAA
.It Li proc.pid.rlimit.cputime ( PROC_PID_LIMIT_CPU )
The maximum amount of CPU time (in seconds) to be used by each process.
.It Li proc.pid.rlimit.filesize ( PROC_PID_LIMIT_FSIZE )
The largest size (in bytes) file that may be created.
.It Li proc.pid.rlimit.datasize ( PROC_PID_LIMIT_DATA )
The maximum size (in bytes) of the data segment for a process;
this defines how far a program may extend its break with the
.Xr sbrk 2
system call.
.It Li proc.pid.rlimit.stacksize ( PROC_PID_LIMIT_STACK )
The maximum size (in bytes) of the stack segment for a process;
this defines how far a program's stack segment may be extended.
Stack extension is performed automatically by the system.
.It Li proc.pid.rlimit.coredumpsize ( PROC_PID_LIMIT_CORE )
The largest size (in bytes)
.Pa core
file that may be created.
.It Li proc.pid.rlimit.memoryuse ( PROC_PID_LIMIT_RSS )
The maximum size (in bytes) to which a process's resident set size may
grow.
This imposes a limit on the amount of physical memory to be given to
a process; if memory is tight, the system will prefer to take memory
from processes that are exceeding their declared resident set size.
.It Li proc.pid.rlimit.memorylocked ( PROC_PID_LIMIT_MEMLOCK )
The maximum size (in bytes) which a process may lock into memory
using the
.Xr mlock 2
function.
.It Li proc.pid.rlimit.maxproc ( PROC_PID_LIMIT_NPROC )
The maximum number of simultaneous processes for this user id.
.It Li proc.pid.rlimit.descriptors ( PROC_PID_LIMIT_NOFILE )
The maximum number of open files for this process.
.It Li proc.pid.rlimit.sbsize ( PROC_PID_LIMIT_SBSIZE )
The maximum size (in bytes) of the socket buffers
set by the
.Xr setsockopt 2
.Dv SO_RCVBUF
and
.Dv SO_SNDBUF
options.
.El
.Pp
The fifth level name is one of
.Li soft ( PROC_PID_LIMIT_TYPE_SOFT ) or
.Li hard ( PROC_PID_LIMIT_TYPE_HARD ) ,
to select respectively the soft or hard limit.
Both are of type integer.
.It Li proc.pid.stopfork ( PROC_PID_STOPFORK )
If non-zero, the process' children will be stopped after
.Xr fork 2
calls.
Each child is created in the SSTOP state and is never scheduled
for running before being stopped.
This feature helps attaching a process with a debugger such as
.Xr gdb 1
before it had the opportunity to actually do anything.
.Pp
This value is inherited by the process's children, and it also
applies to emulation specific system calls that fork a new process, such as
.Fn sproc
or
.Fn clone .
.It Li proc.pid.stopexec ( PROC_PID_STOPEXEC )
If non-zero, the process will be stopped on next
.Xr exec 3
call.
The process created by
.Xr exec 3
is created in the SSTOP state and is never scheduled for running
before being stopped.
This feature helps attaching a process with a debugger such as
.Xr gdb 1
before it had the opportunity to actually do anything.
.Pp
This value is inherited by the process's children.
.It Li proc.pid.stopexit ( PROC_PID_STOPEXIT )
If non-zero, the process will be stopped when it has cause to exit,
either by way of calling
.Xr exit 3 ,
.Xr _exit 2 ,
or by the receipt of a specific signal.
The process is stopped before any of its resources or vm space is
released allowing examination of the termination state of a process
before it disappears.
This feature can be used to examine the final conditions of the
process's vmspace via
.Xr pmap 1
or its resource settings with
.Xr sysctl 8
before it disappears.
.Pp
This value is also inherited by the process's children.
.El
.Sh The user.* subtree ( CTL_USER )
The string and integer information available for the
.Li user
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "user.coll_weights_max" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It user.atexit_max Ta integer Ta no
.It user.bc_base_max Ta integer Ta no
.It user.bc_dim_max Ta integer Ta no
.It user.bc_scale_max Ta integer Ta no
.It user.bc_string_max Ta integer Ta no
.It user.coll_weights_max Ta integer Ta no
.It user.cs_path Ta string Ta no
.It user.expr_nest_max Ta integer Ta no
.It user.line_max Ta integer Ta no
.It user.posix2_c_bind Ta integer Ta no
.It user.posix2_c_dev Ta integer Ta no
.It user.posix2_char_term Ta integer Ta no
.It user.posix2_fort_dev Ta integer Ta no
.It user.posix2_fort_run Ta integer Ta no
.It user.posix2_localedef Ta integer Ta no
.It user.posix2_sw_dev Ta integer Ta no
.It user.posix2_upe Ta integer Ta no
.It user.posix2_version Ta integer Ta no
.It user.re_dup_max Ta integer Ta no
.It user.stream_max Ta integer Ta no
.It user.tzname_max Ta integer Ta no
.El
.Bl -tag -width "123456"
.It Li user.atexit_max ( USER_ATEXIT_MAX )
The maximum number of functions that may be registered with
.Xr atexit 3 .
.It Li user.bc_base_max ( USER_BC_BASE_MAX )
The maximum ibase/obase values in the
.Xr bc 1
utility.
.It Li user.bc_dim_max ( USER_BC_DIM_MAX )
The maximum array size in the
.Xr bc 1
utility.
.It Li user.bc_scale_max ( USER_BC_SCALE_MAX )
The maximum scale value in the
.Xr bc 1
utility.
.It Li user.bc_string_max ( USER_BC_STRING_MAX )
The maximum string length in the
.Xr bc 1
utility.
.It Li user.coll_weights_max ( USER_COLL_WEIGHTS_MAX )
The maximum number of weights that can be assigned to any entry of
the LC_COLLATE order keyword in the locale definition file.
.It Li user.cs_path ( USER_CS_PATH )
Return a value for the
.Ev PATH
environment variable that finds all the standard utilities.
.It Li user.expr_nest_max ( USER_EXPR_NEST_MAX )
The maximum number of expressions that can be nested within
parentheses by the
.Xr expr 1
utility.
.It Li user.line_max ( USER_LINE_MAX )
The maximum length in bytes of a text-processing utility's input
line.
.It Li user.posix2_char_term ( USER_POSIX2_CHAR_TERM )
Return 1 if the system supports at least one terminal type capable of
all operations described in POSIX 1003.2, otherwise 0.
.It Li user.posix2_c_bind ( USER_POSIX2_C_BIND )
Return 1 if the system's C-language development facilities support the
C-Language Bindings Option, otherwise 0.
.It Li user.posix2_c_dev ( USER_POSIX2_C_DEV )
Return 1 if the system supports the C-Language Development Utilities Option,
otherwise 0.
.It Li user.posix2_fort_dev ( USER_POSIX2_FORT_DEV )
Return 1 if the system supports the FORTRAN Development Utilities Option,
otherwise 0.
.It Li user.posix2_fort_run ( USER_POSIX2_FORT_RUN )
Return 1 if the system supports the FORTRAN Runtime Utilities Option,
otherwise 0.
.It Li user.posix2_localedef ( USER_POSIX2_LOCALEDEF )
Return 1 if the system supports the creation of locales, otherwise 0.
.It Li user.posix2_sw_dev ( USER_POSIX2_SW_DEV )
Return 1 if the system supports the Software Development Utilities Option,
otherwise 0.
.It Li user.posix2_upe ( USER_POSIX2_UPE )
Return 1 if the system supports the User Portability Utilities Option,
otherwise 0.
.It Li user.posix2_version ( USER_POSIX2_VERSION )
The version of POSIX 1003.2 with which the system attempts to comply.
.It Li user.re_dup_max ( USER_RE_DUP_MAX )
The maximum number of repeated occurrences of a regular expression
permitted when using interval notation.
.It Li user.stream_max ( USER_STREAM_MAX )
The minimum maximum number of streams that a process may have open
at any one time.
.It Li user.tzname_max ( USER_TZNAME_MAX )
The minimum maximum number of types supported for the name of a
timezone.
.El
.Sh The vm.* subtree ( CTL_VM )
The string and integer information available for the
.Li vm
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "Second level name" "struct uvmexp_sysctl" "Changeable" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It vm.anonmax Ta int Ta yes
.It vm.anonmin Ta int Ta yes
.It vm.bufcache Ta int Ta yes
.It vm.bufmem Ta int Ta no
.It vm.bufmem_hiwater Ta int Ta yes
.It vm.bufmem_lowater Ta int Ta yes
.It vm.execmax Ta int Ta yes
.It vm.execmin Ta int Ta yes
.It vm.filemax Ta int Ta yes
.It vm.filemin Ta int Ta yes
.It vm.loadavg Ta struct loadavg Ta no
.It vm.maxslp Ta int Ta no
.It vm.nkmempages Ta int Ta no
.It vm.uspace Ta int Ta no
.It vm.uvmexp Ta struct uvmexp Ta no
.It vm.uvmexp2 Ta struct uvmexp_sysctl Ta no
.It vm.vmmeter Ta struct vmtotal Ta no
.El
.Pp
.Bl -tag -width "123456"
.It Li vm.anonmax ( VM_ANONMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store anonymous application data.
.It Li vm.anonmin ( VM_ANONMIN )
The percentage of physical memory which will always be available for
anonymous application data.
.It Li vm.bufcache ( VM_BUFCACHE )
The percentage of physical memory which will be available
for the buffer cache.
.It Li vm.bufmem ( VM_BUFMEM )
The amount of kernel memory that is being used by the buffer cache.
.It Li vm.bufmem_lowater ( VM_BUFMEM_LOWATER )
The minimum amount of kernel memory to reserve for the
buffer cache.
.It Li vm.bufmem_hiwater ( VM_BUFMEM_HIWATER )
The maximum amount of kernel memory to be used for the
buffer cache.
.It Li vm.execmax ( VM_EXECMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store cached executable data.
.It Li vm.execmin ( VM_EXECMIN )
The percentage of physical memory which will always be available for
cached executable data.
.It Li vm.filemax ( VM_FILEMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store cached file data.
.It Li vm.filemin ( VM_FILEMIN )
The percentage of physical memory which will always be available for
cached file data.
.It Li vm.loadavg ( VM_LOADAVG )
Return the load average history.
The returned data consists of a
.Va struct loadavg .
.It Li vm.maxslp ( VM_MAXSLP )
The value of the maxslp kernel global variable.
.It Li vm.vmmeter ( VM_METER )
Return system wide virtual memory statistics.
The returned data consists of a
.Va struct vmtotal .
.It Li vm.uspace ( VM_USPACE )
The number of bytes allocated for each kernel stack.
.It Li vm.uvmexp ( VM_UVMEXP )
Return system wide virtual memory statistics.
The returned data consists of a
.Va struct uvmexp .
.It Li vm.uvmexp2 ( VM_UVMEXP2 )
Return system wide virtual memory statistics.
The returned data consists of a
.Va struct uvmexp_sysctl .
.\" XXX vm.idlezero
.El
.Sh The ddb.* subtree ( CTL_DDB )
The integer information available for the
.Li ddb
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.\" XXX sort
.Bl -column "Second level name" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It ddb.radix Ta integer Ta yes
.It ddb.maxoff Ta integer Ta yes
.It ddb.lines Ta integer Ta yes
.It ddb.tabstops Ta integer Ta yes
.It ddb.onpanic Ta integer Ta yes
.It ddb.fromconsole Ta integer Ta yes
.El
.Pp
.Bl -tag -width "123456"
.It Li ddb.radix ( DBCTL_RADIX )
The input and output radix.
.It Li ddb.maxoff ( DBCTL_MAXOFF )
The maximum symbol offset.
.It Li ddb.lines ( DBCTL_LINES )
Number of display lines.
.It Li ddb.tabstops ( DBCTL_TABSTOPS )
Tab width.
.It Li ddb.onpanic ( DBCTL_ONPANIC )
If non-zero, DDB will be entered if the kernel panics.
.It Li ddb.fromconsole ( DBCTL_FROMCONSOLE )
If not zero, DDB may be entered by sending a break on a serial
console or by a special key sequence on a graphics console.
.\" XXX tee_msgbuf maxwidth commandonenter
.El
.Pp
These MIB nodes are also available as variables from within the DDB.
See
.Xr ddb 4
for more details.
.Sh The security.* subtree ( CTL_SECURITY )
The
.Li security
level contains various security-related settings for
the system.
Available settings are detailed below.
.Pp
.Bl -tag -width "123456"
.It Li security.curtain
If non-zero, will filter returned objects according to the user-id
requesting information about them, preventing users from
accessing objects they don't own.
.Pp
At the moment, it affects
.Xr ps 1 ,
.Xr netstat 1
(for
.Dv PF_INET ,
.Dv PF_INET6 ,
and
.Dv PF_UNIX
PCBs), and
.Xr w 1 .
.It Li security.models
.Nx
supports pluggable security models.
Every security model used, whether loaded as a module or built with the system,
is required to add an entry to this node with at least one element,
.Dq name ,
indicating the name of the security model.
.Pp
In addition to the name, any settings and other information private to the
security model will be available under this node.
See
.Xr secmodel 9
for more information.
.It Li security.pax
Settings for PaX -- exploit mitigation features.
For more information on any of the PaX features, please see
.Xr paxctl 8
and
.Xr security 8 .
.Pp
.Bl -tag -width "123456"
.It Li security.pax.aslr.enable
Enable PaX ASLR (Address Space Layout Randomization).
.Pp
The value of this
knob must be non-zero for PaX ASLR to be enabled, even if a program is set to
explicit enable.
.It Li security.pax.aslr.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get PaX ASLR, except those exempted with
.Xr paxctl 8 .
Otherwise, no program will get PaX ASLR, except those specifically
marked as such with
.Xr paxctl 8 .
.It Li security.pax.mprotect.enable
Enable PaX MPROTECT restrictions.
.Pp
These are
.Xr mprotect 2
restrictions to better enforce a W^X policy.
The value of this
knob must be non-zero for PaX MPROTECT to be enabled, even if a
program is set to explicit enable.
.It Li security.pax.mprotect.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get the PaX MPROTECT restrictions,
except those exempted with
.Xr paxctl 8 .
Otherwise, no program will get the PaX MPROTECT restrictions,
except those specifically marked as such with
.Xr paxctl 8 .
.It Li security.pax.segvguard.enable
Enable PaX Segvguard.
.Pp
PaX Segvguard can detect and prevent certain exploitation attempts, where
an attacker may try for example to brute-force function return addresses
of respawning daemons.
.Pp
.Em Note :
The
.Nx
interface and implementation of the Segvguard is still experimental, and may
change in future releases.
.It Li security.pax.segvguard.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get the PaX Segvguard,
except those exempted with
.Xr paxctl 8 .
Otherwise, no program will get the PaX Segvguard restrictions,
except those specifically marked as such with
.Xr paxctl 8 .
.It Li security.pax.segvguard.expiry_timeout
If the max number was not reached within this timeout (in seconds), the entry
will expire.
.It Li security.pax.segvguard.suspend_timeout
Number of seconds to suspend a user from running a faulting program when the
limit was exceeded.
.It Li security.pax.segvguard.max_crashes
Max number of segfaults a program can receive before suspension.
.El
.El
.Sh The vendor.* subtree ( CTL_VENDOR )
The
.Li vendor
toplevel name is reserved to be used by vendors who wish to
have their own private MIB tree.
Intended use is to store values under
.Dq vendor.\*[Lt]yourname\*[Gt].* .
.Sh SEE ALSO
.Xr sysctl 3 ,
.Xr ipsec 4 ,
.Xr tcp 4 ,
.Xr security 8 ,
.Xr sysctl 8
.Sh HISTORY
The
.Nm
variables first appeared in
.Bx 4.4 .
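How the enable and global knobs under security.pax, described above, combine with a per-binary paxctl(8) marking, as an added example that is not NetBSD's code: it parses a constructed sample of sysctl(8) output and counts the features an unmarked binary would not get. The type and function names are hypothetical, and applying the master-knob rule to Segvguard is an assumption (the page states it only for ASLR and MPROTECT).

```c
/* Added example modelling the documented rules; not NetBSD kernel code. */
#include <stdio.h>
#include <string.h>

/* Hypothetical names for a binary's paxctl(8) marking. */
enum pax_flag { PAX_FLAG_NONE, PAX_FLAG_ENABLE, PAX_FLAG_DISABLE };
struct pax_knobs { int enable, global; };
static const char *const FEATURES[] = { "aslr", "mprotect", "segvguard" };

/* Constructed sample of `sysctl security.pax` output ("name = value"). */
static const char SAMPLE[] =
    "security.pax.aslr.enable = 1\n"
    "security.pax.aslr.global = 1\n"
    "security.pax.mprotect.enable = 1\n"
    "security.pax.mprotect.global = 0\n"
    "security.pax.segvguard.enable = 0\n"
    "security.pax.segvguard.global = 1\n"
    "security.pax.segvguard.max_crashes = 5\n";

/* Read one feature's knobs from the text; absent knobs count as 0 (off). */
void pax_parse(const char *text, const char *feature, struct pax_knobs *k)
{
    char feat[32], knob[32];
    int val;
    k->enable = k->global = 0;
    for (const char *p = text; p != NULL && *p != '\0'; ) {
        if (sscanf(p, "security.pax.%31[a-z].%31[a-z_] = %d",
                   feat, knob, &val) == 3 && strcmp(feat, feature) == 0) {
            if (strcmp(knob, "enable") == 0) k->enable = val;
            else if (strcmp(knob, "global") == 0) k->global = val;
        }
        p = strchr(p, '\n');        /* advance to the next line, if any */
        if (p != NULL) p++;
    }
}

/* 1 if a binary with marking f gets the feature, else 0.
 * Assumption: Segvguard follows the same master-knob rule as the others. */
int pax_effective(const struct pax_knobs *k, enum pax_flag f)
{
    if (k->enable == 0) return 0;   /* master knob off beats explicit enable */
    if (f != PAX_FLAG_NONE) return f == PAX_FLAG_ENABLE;
    return k->global != 0;          /* unmarked binaries follow global policy */
}

/* Count the features that an unmarked binary does not receive. */
int pax_unprotected_defaults(const char *text)
{
    int missing = 0;
    for (size_t i = 0; i < sizeof FEATURES / sizeof FEATURES[0]; i++) {
        struct pax_knobs k;
        pax_parse(text, FEATURES[i], &k);
        missing += !pax_effective(&k, PAX_FLAG_NONE);
    }
    return missing;
}

int main(void)
{
    printf("unprotected by default: %d\n", pax_unprotected_defaults(SAMPLE));
    return 0;
}
```

On the sample, MPROTECT is opt-in only (global is 0) and Segvguard is off for every binary (enable is 0), so two of the three features are missing for an unmarked program.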